Move Grafana to hel1

This commit is contained in:
Paul-Henri Froidmont 2024-12-11 05:02:44 +01:00
parent f18644f8a1
commit e7caa4e487
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
6 changed files with 241 additions and 242 deletions


@ -1,7 +1,11 @@
{ config, lib, ... }: { config, lib, ... }:
let cfg = config.custom.services.grafana; let
in { cfg = config.custom.services.grafana;
options.custom.services.grafana = { enable = lib.mkEnableOption "grafana"; }; in
{
options.custom.services.grafana = {
enable = lib.mkEnableOption "grafana";
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
sops.secrets = { sops.secrets = {
@ -11,13 +15,15 @@ in {
}; };
}; };
services.grafana = { services = {
grafana = {
enable = true; enable = true;
dataDir = "/nix/var/data/grafana"; dataDir = "/nix/var/data/grafana";
settings = { settings = {
server = { domain = "grafana.${config.networking.domain}"; }; server = {
security.admin_password = domain = "grafana.${config.networking.domain}";
"$__file{${config.sops.secrets.grafanaAdminPassword.path}}"; };
security.admin_password = "$__file{${config.sops.secrets.grafanaAdminPassword.path}}";
}; };
provision = { provision = {
enable = true; enable = true;
@ -26,29 +32,27 @@ in {
{ {
name = "Prometheus"; name = "Prometheus";
type = "prometheus"; type = "prometheus";
url = url = "http://127.0.0.1:${toString config.services.prometheus.port}";
"http://127.0.0.1:${toString config.services.prometheus.port}";
isDefault = true; isDefault = true;
} }
{ {
name = "Loki"; name = "Loki";
type = "loki"; type = "loki";
access = "proxy"; access = "proxy";
url = "http://127.0.0.1:${ url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
toString
config.services.loki.configuration.server.http_listen_port
}";
} }
]; ];
}; };
dashboards.settings.providers = [{ dashboards.settings.providers = [
{
name = "Config"; name = "Config";
options.path = ./dashboards; options.path = ./dashboards;
}]; }
];
}; };
}; };
services.nginx = { nginx = {
virtualHosts = { virtualHosts = {
"${config.services.grafana.settings.server.domain}" = { "${config.services.grafana.settings.server.domain}" = {
@ -56,60 +60,49 @@ in {
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${ proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
toString config.services.grafana.settings.server.http_port
}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
}; };
}; };
services.prometheus = { prometheus = {
enable = true; enable = true;
scrapeConfigs = [ scrapeConfigs = [
{ {
job_name = "node"; job_name = "node";
static_configs = [{ static_configs = [
{
targets = [ targets = [
"10.0.2.3:${ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
toString config.services.prometheus.exporters.node.port ];
}" }
"10.0.1.1:${
toString config.services.prometheus.exporters.node.port
}"
"10.0.1.11:${
toString config.services.prometheus.exporters.node.port
}"
]; ];
}];
} }
{ {
job_name = "synapse"; job_name = "synapse";
scrape_interval = "15s"; scrape_interval = "15s";
metrics_path = "/_synapse/metrics"; metrics_path = "/_synapse/metrics";
static_configs = [{ targets = [ "10.0.1.1:9000" ]; }]; static_configs = [ { targets = [ "127.0.0.1:9000" ]; } ];
} }
{ {
job_name = "dmarc"; job_name = "dmarc";
scrape_interval = "15s"; scrape_interval = "15s";
static_configs = [{ static_configs = [
{
targets = [ targets = [
"10.0.2.3:${ "127.0.0.1:${toString config.services.prometheus.exporters.dmarc.port}"
toString config.services.prometheus.exporters.dmarc.port ];
}" }
]; ];
}];
} }
]; ];
}; };
services.loki = { loki = {
enable = true; enable = true;
dataDir = "/nix/var/data/loki";
configuration = { configuration = {
server.http_listen_port = 3100; server.http_listen_port = 3100;
auth_enabled = false; auth_enabled = false;
@ -118,7 +111,9 @@ in {
lifecycler = { lifecycler = {
address = "127.0.0.1"; address = "127.0.0.1";
ring = { ring = {
kvstore = { store = "inmemory"; }; kvstore = {
store = "inmemory";
};
replication_factor = 1; replication_factor = 1;
}; };
}; };
@ -134,7 +129,8 @@ in {
}; };
schema_config = { schema_config = {
configs = [{ configs = [
{
from = "2022-09-15"; from = "2022-09-15";
store = "boltdb-shipper"; store = "boltdb-shipper";
object_store = "filesystem"; object_store = "filesystem";
@ -143,13 +139,13 @@ in {
prefix = "index_"; prefix = "index_";
period = "24h"; period = "24h";
}; };
}]; }
];
}; };
storage_config = { storage_config = {
boltdb_shipper = { boltdb_shipper = {
active_index_directory = active_index_directory = "${config.services.loki.dataDir}/boltdb-index";
"${config.services.loki.dataDir}/boltdb-index";
cache_location = "${config.services.loki.dataDir}/boltdb-cache"; cache_location = "${config.services.loki.dataDir}/boltdb-cache";
cache_ttl = "24h"; cache_ttl = "24h";
}; };
@ -173,10 +169,17 @@ in {
compactor = { compactor = {
working_directory = "${config.services.loki.dataDir}"; working_directory = "${config.services.loki.dataDir}";
compactor_ring = { kvstore = { store = "inmemory"; }; }; compactor_ring = {
kvstore = {
store = "inmemory";
};
};
}; };
analytics = { reporting_enabled = false; }; analytics = {
reporting_enabled = false;
};
};
}; };
}; };
}; };
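Review bot: With `auth_enabled = false` and only `server.http_listen_port = 3100` set, Loki listens on all interfaces by default, and the storage1 firewall rule that used to scope port 3100 to vlan4001 is removed in this commit, so the unauthenticated push/query API is now guarded only by the default NixOS firewall; since every client in this commit is now on loopback, pin the listener with `server.http_listen_address = "127.0.0.1";` next to the port. The node scrape job also drops the 10.0.1.1 and 10.0.1.11 targets in favour of 127.0.0.1 alone, so those hosts stop being monitored unless a federation or remote scrape exists outside this diff — worth confirming that is intended. The `dataDir = "/nix/var/data/loki";` line appears on one side only; if it is the removed side, Loki falls back to its default state directory on hel1, which probably deserves a one-line comment either way.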


@ -1,6 +1,8 @@
{ config, lib, ... }: { config, lib, ... }:
let cfg = config.custom.services.monitoring-exporters; let
in { cfg = config.custom.services.monitoring-exporters;
in
{
options.custom.services.monitoring-exporters = { options.custom.services.monitoring-exporters = {
enable = lib.mkEnableOption "monitoring-exporters"; enable = lib.mkEnableOption "monitoring-exporters";
}; };
@ -10,10 +12,29 @@ in {
exporters = { exporters = {
node = { node = {
enable = true; enable = true;
enabledCollectors = [ "systemd" "processes" ]; enabledCollectors = [
"systemd"
"processes"
];
};
dmarc = {
enable = true;
debug = true;
imap = {
host = "mail.banditlair.com";
username = "paultrial@banditlair.com";
passwordFile = "/run/credentials/prometheus-dmarc-exporter.service/password";
};
folders = {
inbox = "dmarc_reports";
done = "Archives.dmarc_report_processed";
error = "Archives.dmarc_report_error";
}; };
}; };
}; };
};
systemd.services.prometheus-dmarc-exporter.serviceConfig.LoadCredential = "password:${config.sops.secrets.dmarcExporterPassword.path}";
services.promtail = { services.promtail = {
enable = true; enable = true;
@ -22,7 +43,7 @@ in {
http_listen_port = 3101; http_listen_port = 3101;
grpc_listen_port = 0; grpc_listen_port = 0;
}; };
clients = [{ url = "http://10.0.2.3:3100/loki/api/v1/push"; }]; clients = [ { url = "http://127.0.0.1:3100/loki/api/v1/push"; } ];
scrape_configs = [ scrape_configs = [
{ {
job_name = "journal"; job_name = "journal";
@ -33,21 +54,25 @@ in {
host = "${config.networking.hostName}"; host = "${config.networking.hostName}";
}; };
}; };
relabel_configs = [{ relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ]; source_labels = [ "__journal__systemd_unit" ];
target_label = "unit"; target_label = "unit";
}]; }
];
} }
(lib.mkIf config.services.nginx.enable { (lib.mkIf config.services.nginx.enable {
job_name = "nginx"; job_name = "nginx";
static_configs = [{ static_configs = [
{
targets = [ "localhost" ]; targets = [ "localhost" ];
labels = { labels = {
job = "nginx"; job = "nginx";
host = "${config.networking.hostName}"; host = "${config.networking.hostName}";
__path__ = "/var/log/nginx/*.log"; __path__ = "/var/log/nginx/*.log";
}; };
}]; }
];
}) })
]; ];
}; };
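Review bot: The promtail push URL is now hard-coded to `http://127.0.0.1:3100/loki/api/v1/push` and the dmarc exporter embeds a specific mailbox (`mail.banditlair.com`, `paultrial@banditlair.com`) inside a module gated only by `custom.services.monitoring-exporters.enable`, so enabling the module on any host other than the Loki host would silently push logs to nothing and spin up a second IMAP poller against the same account. Deriving the URL from `config.services.loki.configuration.server.http_listen_port`, or adding a `lokiUrl` option with that as the default, would make the coupling explicit. Separately, `debug = true` on the dmarc exporter is carried over into the module; unless that verbosity is still needed, drop it before it runs against the production mailbox, as debug output from an IMAP client may include more of the session than the journal should keep.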


@ -33,10 +33,15 @@ in
forceSSL = true; forceSSL = true;
}; };
# Can't change home dir for now, use bind mount as workaround
# https://github.com/NixOS/nixpkgs/issues/356973
fileSystems."/var/lib/nextcloud" = {
device = "/nix/var/data/nextcloud";
options = [ "bind" ];
};
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
# Can't be changed for now, could use a bind mount as workaround
# https://github.com/NixOS/nixpkgs/issues/356973
# home = "/nix/var/data/nextcloud"; # home = "/nix/var/data/nextcloud";
package = pkgs.nextcloud29; package = pkgs.nextcloud29;
hostName = "cloud.${config.networking.domain}"; hostName = "cloud.${config.networking.domain}";
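Review bot: The new `fileSystems."/var/lib/nextcloud"` bind mount has no `nofail`, so if `/nix/var/data/nextcloud` does not exist on the target at boot the mount unit presumably fails and local-fs.target takes the host into emergency mode; that is arguably the right failure mode for a data directory, but it should be stated. Extend the comment above the mount to something like `# Source dir must exist (owned by nextcloud:nextcloud) before first boot; a missing source fails the mount and blocks local-fs.target` so the precondition is visible to whoever provisions the next host.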


@ -15,6 +15,9 @@
owner = config.users.users.gitlab-runner.name; owner = config.users.users.gitlab-runner.name;
key = "gitlab/runner_registration_config/hel1"; key = "gitlab/runner_registration_config/hel1";
}; };
dmarcExporterPassword = {
key = "dmarc_exporter/password";
};
}; };
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
@ -180,26 +183,29 @@
}; };
}; };
custom = { custom.services = {
services.nginx.enable = true; nginx.enable = true;
services.postgresql.enable = true; postgresql.enable = true;
services.dokuwiki.enable = true; dokuwiki.enable = true;
services.openssh.enable = true; openssh.enable = true;
services.gitlab-runner = { gitlab-runner = {
enable = true; enable = true;
runnerRegistrationConfigFile = config.sops.secrets.runnerRegistrationConfig.path; runnerRegistrationConfigFile = config.sops.secrets.runnerRegistrationConfig.path;
}; };
services.jellyfin.enable = true; jellyfin.enable = true;
services.torrents.enable = true; torrents.enable = true;
services.foundryvtt.enable = true; foundryvtt.enable = true;
services.jitsi.enable = true; jitsi.enable = true;
services.stb.enable = true; stb.enable = true;
services.murmur.enable = true; murmur.enable = true;
services.synapse.enable = true; synapse.enable = true;
services.nextcloud.enable = true; nextcloud.enable = true;
services.roundcube.enable = true; roundcube.enable = true;
monero.enable = true;
grafana.enable = true;
monitoring-exporters.enable = true;
services.backup-job = { backup-job = {
enable = true; enable = true;
repoName = "bl"; repoName = "bl";
additionalPaths = [ additionalPaths = [
@ -235,7 +241,7 @@
sshKey = config.sops.secrets.borgSshKey.path; sshKey = config.sops.secrets.borgSshKey.path;
}; };
services.monit = { monit = {
enable = true; enable = true;
additionalConfig = '' additionalConfig = ''
check host nextcloud with address cloud.banditlair.com check host nextcloud with address cloud.banditlair.com
@ -331,6 +337,31 @@
''; '';
}; };
}; };
# services.minecraft-server = {
# enable = false;
# package = pkgs-unstable.minecraft-server;
# eula = true;
# openFirewall = false;
# declarative = true;
# serverProperties = {
# enable-rcon = true;
# "rcon.port" = 25575;
# "rcon.password" = "password";
# server-port = 23363;
# online-mode = true;
# force-gamemode = true;
# white-list = true;
# diffuculty = "hard";
# };
# whitelist = {
# paulplay15 = "1d5abc95-2fdb-4dcb-98e8-4fb5a0fba953";
# Xavier1258 = "e9059cf3-00ef-47a3-92ee-4e4a3fea0e6d";
# denisjulien3333 = "3c93e1a2-42d8-4a51-9fe3-924c8e8d5b07";
# };
# dataDir = "/nix/var/data/minecraft";
# };
# virtualisation.oci-containers.containers = { # virtualisation.oci-containers.containers = {
# "minecraft" = { # "minecraft" = {
# image = "itzg/minecraft-server"; # image = "itzg/minecraft-server";
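Review bot: `monero.enable = true;` is added to hel1 while the storage1 file in this same commit removes `services.monero.enable = false;`, so the commit turns a previously disabled service on rather than just relocating Grafana, and the title and description do not mention it — either split it out or note it in the description. The commented-out `services.minecraft-server` block that is moved here still carries `"rcon.password" = "password";` and a list of player UUIDs; dead configuration with a placeholder credential tends to get uncommented as-is, so either drop the block (git history keeps it) or, if it is kept for reference, replace the literal with a sops-backed reference before it can be enabled.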


@ -19,9 +19,6 @@
nixCacheKey = { nixCacheKey = {
key = "nix/cache_secret_key"; key = "nix/cache_secret_key";
}; };
dmarcExporterPassword = {
key = "dmarc_exporter/password";
};
paultrialPassword = { paultrialPassword = {
key = "email/accounts_passwords/paultrial"; key = "email/accounts_passwords/paultrial";
}; };
@ -75,9 +72,6 @@
services.nginx.enable = true; services.nginx.enable = true;
services.openssh.enable = true; services.openssh.enable = true;
services.monero.enable = false;
services.grafana.enable = true;
services.monitoring-exporters.enable = true;
}; };
mailserver = { mailserver = {
@ -157,22 +151,6 @@
certificateScheme = "acme-nginx"; certificateScheme = "acme-nginx";
}; };
services.prometheus.exporters.dmarc = {
enable = true;
debug = true;
imap = {
host = "mail.banditlair.com";
username = "paultrial@banditlair.com";
passwordFile = "/run/credentials/prometheus-dmarc-exporter.service/password";
};
folders = {
inbox = "dmarc_reports";
done = "Archives.dmarc_report_processed";
error = "Archives.dmarc_report_error";
};
};
systemd.services.prometheus-dmarc-exporter.serviceConfig.LoadCredential = "password:${config.sops.secrets.dmarcExporterPassword.path}";
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80
443 443
@ -182,9 +160,6 @@
networking.firewall.allowedUDPPorts = [ networking.firewall.allowedUDPPorts = [
23363 # Minecraft 23363 # Minecraft
]; ];
networking.firewall.interfaces.vlan4001.allowedTCPPorts = [
config.services.loki.configuration.server.http_listen_port
];
networking.nat.enable = true; networking.nat.enable = true;
networking.nat.internalInterfaces = [ "ve-+" ]; networking.nat.internalInterfaces = [ "ve-+" ];
@ -221,46 +196,6 @@
}; };
users.groups.steam = { }; users.groups.steam = { };
services.minecraft-server = {
enable = false;
package = pkgs-unstable.minecraft-server;
eula = true;
openFirewall = false;
declarative = true;
serverProperties = {
enable-rcon = true;
"rcon.port" = 25575;
"rcon.password" = "password";
server-port = 23363;
online-mode = true;
force-gamemode = true;
white-list = true;
diffuculty = "hard";
};
whitelist = {
paulplay15 = "1d5abc95-2fdb-4dcb-98e8-4fb5a0fba953";
Xavier1258 = "e9059cf3-00ef-47a3-92ee-4e4a3fea0e6d";
denisjulien3333 = "3c93e1a2-42d8-4a51-9fe3-924c8e8d5b07";
};
dataDir = "/nix/var/data/minecraft";
};
# virtualisation.oci-containers.containers = {
# "minecraft" = {
# image = "itzg/minecraft-server";
# environment = {
# EULA = "TRUE";
# VERSION = "1.18.2";
# TYPE = "AUTO_CURSEFORGE";
# MEMORY = "4G";
# CF_SLUG = "modecube"; # https://www.curseforge.com/minecraft/modpacks/modecube/files
# };
# ports = [ "25565:25565" ];
# volumes = [ "/nix/var/data/minecraft-modded:/data" ];
# autoStart = true;
# };
# };
# services.rustdesk-server = { # services.rustdesk-server = {
# enable = true; # enable = true;
# openFirewall = true; # openFirewall = true;


@ -72,7 +72,7 @@ resource "hetznerdns_record" "hel1_a" {
resource "hetznerdns_record" "grafana_a" { resource "hetznerdns_record" "grafana_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "grafana" name = "grafana"
value = local.storage1_ip value = local.hel1_ip
type = "A" type = "A"
ttl = 600 ttl = 600
} }
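Review bot: Switching `grafana_a` from `local.storage1_ip` to `local.hel1_ip` in the same commit as the service move leaves the deployment order implicit: the hel1 nginx vhost for `grafana.${config.networking.domain}` is `forceSSL = true`, and if it obtains its certificate via ACME HTTP-01 (not visible in this diff) the record must already resolve to hel1 when hel1 is first activated, while clients cache the old address for up to the 600 s TTL. A short comment on the record such as `# Must point at hel1 before hel1 activates the grafana vhost (ACME validation)` would make the cut-over sequence explicit for the next migration.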