diff --git a/hosts/flora-6/apps/caddy.nix b/hosts/flora-6/apps/caddy.nix
index a241de2..bc6fac3 100644
--- a/hosts/flora-6/apps/caddy.nix
+++ b/hosts/flora-6/apps/caddy.nix
@@ -27,6 +27,14 @@
 reverse_proxy :4000
 '';
 };
+ "grafana.pub.solar" = {
+ logFormat = lib.mkForce ''
+ output discard
+ '';
+ extraConfig = ''
+ reverse_proxy :${toString config.services.grafana.settings.server.http_port}
+ '';
+ };
 "obs-portal.pub.solar" = {
 logFormat = lib.mkForce ''
 output discard
diff --git a/hosts/flora-6/apps/grafana.nix b/hosts/flora-6/apps/grafana.nix
new file mode 100644
index 0000000..2727b8e
--- /dev/null
+++ b/hosts/flora-6/apps/grafana.nix
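Review bot: The new grafana.pub.solar vhost forces `output discard` for its access log, so Caddy keeps no request-level record of logins against an admin UI that can hand out GrafanaAdmin through OAuth; the only remaining trace is Grafana's own log. This mirrors the obs-portal entry right below it, so it may be a deliberate privacy choice on this host, but for the Grafana vhost a retained (or default) Caddy log is the cheapest way to notice repeated failed logins or unusual client patterns. If it stays as is, a short comment such as `# access log deliberately discarded; rely on Grafana's own login log` would make the trade-off explicit for the next reader.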
@@ -0,0 +1,67 @@
+{
+ config,
+ lib,
+ pkgs,
+ flake,
+ ...
+}: {
+ age.secrets.grafana-admin-password = {
+ file = "${flake.self}/secrets/grafana-admin-password.age";
+ mode = "644";
+ owner = "grafana";
+ };
+ age.secrets.grafana-smtp-password = {
+ file = "${flake.self}/secrets/grafana-smtp-password.age";
+ mode = "644";
+ owner = "grafana";
+ };
+ age.secrets.grafana-keycloak-client-secret = {
+ file = "${flake.self}/secrets/grafana-keycloak-client-secret.age";
+ mode = "644";
+ owner = "grafana";
+ };
+
+ services.grafana = {
+ enable = true;
+ settings = {
+ server = {
+ # Listening Address
+ http_addr = "127.0.0.1";
+ # and Port
+ http_port = 3000;
+ # Grafana needs to know on which domain and URL it's running
+ domain = "grafana.pub.solar";
+ enable_gzip = true;
+ };
+ smtp = {
+ enabled = true;
+ host = "mx2.greenbaum.cloud:465";
+ user = "admins@pub.solar";
+ password = "\$__file{${config.age.secrets.grafana-smtp-password.path}}";
+ from_address = "no-reply@pub.solar";
+ from_name = "grafana.pub.solar";
+ ehlo_identity = "flora-6.pub.solar";
+ };
+ security = {
+ admin_email = "crew@pub.solar";
+ admin_password = "\$__file{${config.age.secrets.grafana-admin-password.path}}";
+ };
+ "auth.generic_oauth" = {
+ enabled = true;
+ name = "pub.solar ID";
+ allow_sign_up = true;
+ client_id = "grafana";
+ client_secret = "\$__file{${config.age.secrets.grafana-keycloak-client-secret.path}}";
+ scopes = "openid email profile offline_access roles";
+ email_attribute_path = "email";
+ login_attribute_path = "preferred_username";
+ name_attribute_path = "full_name";
+ auth_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/auth";
+ token_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/token";
+ api_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/userinfo";
+ role_attribute_path = "contains(info.roles[*], 'admin') && 'GrafanaAdmin' || contains(info.roles[*], 'editor') && 'Editor' || 'Viewer'";
+ allow_assign_grafana_admin = true;
+ };
+ };
+ };
+}
diff --git a/hosts/flora-6/apps/prometheus.nix b/hosts/flora-6/apps/prometheus.nix
new file mode 100644
index 0000000..7ae27ea
--- /dev/null
+++ b/hosts/flora-6/apps/prometheus.nix
@@ -0,0 +1,27 @@
+{
+ config,
+ lib,
+ pkgs,
+ flake,
+ ...
+}: {
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ };
+ };
+ scrapeConfigs = [
+ {
+ job_name = "flora-6";
+ static_configs = [{
+ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
+ }];
+ }
+ ];
+ };
+}
diff --git a/hosts/flora-6/default.nix b/hosts/flora-6/default.nix
index 6511a00..6478858 100644
--- a/hosts/flora-6/default.nix
+++ b/hosts/flora-6/default.nix
@@ -11,5 +11,7 @@
 ./apps/drone.nix
 ./apps/forgejo-actions-runner.nix
+ ./apps/grafana.nix
+ ./apps/prometheus.nix
 ];
 }
diff --git a/secrets/grafana-admin-password.age b/secrets/grafana-admin-password.age
new file mode 100644
index 0000000..9ce754d
Binary files /dev/null and b/secrets/grafana-admin-password.age differ
diff --git a/secrets/grafana-keycloak-client-secret.age b/secrets/grafana-keycloak-client-secret.age
new file mode 100644
index 0000000..b4c01fa
--- /dev/null
+++ b/secrets/grafana-keycloak-client-secret.age
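Review bot: All three `age.secrets.*` entries set `mode = "644"`, which leaves the decrypted admin password, SMTP password and Keycloak client secret readable by every local account on flora-6 once agenix writes them out. Grafana reads them through `$__file{...}` as the `grafana` user, so `mode = "400";` together with the existing `owner = "grafana";` is enough (dropping the `mode` line has the same effect, since agenix defaults to owner-read-only). Separately, `role_attribute_path` assumes an `info.roles` claim in the userinfo response; that depends on a Keycloak mapper not visible in this commit, and if the claim is absent every user silently falls through to `'Viewer'`, so the claim name is worth confirming against the realm's client configuration.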
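Review bot: `services.prometheus` and its node exporter get ports (9001, 9002) but no `listenAddress`, and the NixOS defaults for both bind to `0.0.0.0`; Prometheus's HTTP API has no authentication of its own, so whether it is reachable from outside rests entirely on the host firewall, which this commit does not touch. The only consumers visible here are the local scrape target (`127.0.0.1:...`) and Grafana on the same host, so `listenAddress = "127.0.0.1";` on both `services.prometheus` and `services.prometheus.exporters.node` would close that gap independently of firewall state.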
@@ -0,0 +1,28 @@ +age-encryption.org/v1 +-> ssh-ed25519 Y0ZZaw M6ha3gQ4Oq4PdymYZ5ZG0qGwFlpCYfJdhOBwH9n1gxg +zCtB0PJanufNdV0ShynDT0Z/2jxMFDRby8xsfv6YPaA +-> ssh-ed25519 uYcDNw V89Ll4HJ3ZkQegiCI6gswz736domVgDGSDCA8bZBwHs +W7IrEL+1xUXuVdy6A61z6P+pS/ajTGPL+qv+9Jh8UxI +-> ssh-rsa kFDS0A +SV6QVIW8MCQVB8ABiOGxLTXEMO6rfeG82CktBFtf76WeIYzlkho/IaGgWXoqoIQ0 +KC/ev7vNGnB01AOWe/xkuMZDRvK+qGaOLB7wpZG1cJhqSon9oZtztoDjd/Crp5K0 +nfeHjY9E/jgFr0KYeaLedw5OJuaOw4YiuKyTThVbpRZwbof30nvHXqrYKPZJi1gq +s5spoWYH2ijZi9mrJojP2ZqK5DJjCteXqP1YHdz3LjxomoDyl5cv/tLNsvrptfxD +FvZMcPrvrC/IWqJ8qGW+f8ENUGyjXxx6jFQ2WN9IMIdJYk5bz458ip3GKqnAlwi3 +SZbaxRuEYEoy6ikKGRuXMAwpJd3YXcRcaRdetw0a4grdD6hF21bTl2+LnTb1ydnb +frzeoXaqbBdhEyLpZFAmGLydteIyA/Kl/D/PEJ0MHc0G0EGofMm6YsNJJrP3mQgi +mXC2Kto6WV/JLVEnURayf12rPR1T/VPIyYZ/Xi9HfPh0p3Y21nadPAcEq/PltWgR +AqELfBbVpNtcxTP2pjEJqGskJCYKAmMeM+yQ0moKVmuMWicahMqjQRJO1jnvTwwd +GhJlUO32EuI6Fn6sApthv2FfLrle+x0H4/v9xvHDJIVSmLYtzK+9ueUPn/A1x8X1 +lGeJh+ecEV2r630insGAp8WQzyXhraHrn3lgyacwRmA +-> ssh-ed25519 YFSOsg KKhXh/XW7iF7wMA7JD9fbgmty5yVPaSS1vGdHz0Xh0M +eLJc+F/yIR1ckZX/npLI+l3I2iB+OrKBkJAQTkbWVF4 +-> ssh-ed25519 iHV63A xoJ7Tr8mKgYVPPeJYBnOHLBY5E0i34vEQR3pMVKxbAc +TKqc9Y/RpnfTP3CNvCearB4FuvNmW0mcGVLh7Ebjzeo +-> ssh-ed25519 BVsyTA LaMK6X/MJyQTQ24p9uHXh75leMcp/akCA2YZACEG03M +psw6sVlNGT8WsG3L9kbXdrhqxp8hIdSF7s4o60jTYgY +-> vcxmk`-grease 8^p$~+LB -G)+N&$^ P)7#7[wX +8TyK2RrSHFuMyFy9YY7ZI6RSduF5hw6xZKhiysVkif4Husb1flN8QVmWtoW8laWz +n8772TmNTcfq5ebUp+UA+S6MVgf75D1GnDumEDH/LbM4LNjRZzyw3nBGu/Q +--- Ouu56e69gTpAY1ouLPlzI/n6geKz1CMmTl8wAVyIDPM +57W>J@jl_/=ջ4(KѥzSs \ No newline at end of file diff --git a/secrets/grafana-smtp-password.age b/secrets/grafana-smtp-password.age new file mode 100644 index 0000000..44cf171 Binary files /dev/null and b/secrets/grafana-smtp-password.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 594748b..3abf74f 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -62,4 +62,8 @@ in {
 "mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys;
 "coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
+
+ "grafana-admin-password.age".publicKeys = flora6Keys ++ baseKeys;
+ "grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ baseKeys;
+ "grafana-smtp-password.age".publicKeys = flora6Keys ++ baseKeys;
 }
diff --git a/terraform/dns.tf b/terraform/dns.tf
index 85ee9e0..41eed78 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -83,6 +83,11 @@ resource "namecheap_domain_records" "pub-solar" {
 address = "138.201.80.102"
 ttl = 300
 }
+ record {
+ hostname = "grafana"
+ type = "CNAME"
+ address = "nachtigall.pub.solar."
+ }
 record {
 hostname = "hpb"
 type = "A"
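Review bot: The new `grafana` record is a CNAME to `nachtigall.pub.solar.`, while everything else in this commit (the Caddy vhost, `services.grafana`, secrets keyed to `flora6Keys`) deploys Grafana on flora-6; unless nachtigall forwards grafana.pub.solar on to flora-6, the name resolves to a host with no vhost for it and flora-6's Caddy never sees the traffic or completes ACME issuance for that name. Please confirm which host is meant; if it is flora-6, the address should point there (presumably `address = "flora-6.pub.solar."`, given the `ehlo_identity` used in grafana.nix). The neighbouring records also set `ttl = 300` and this one sets none, so it takes the provider default.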