Move Grafana to hel1

2025-12-25 05:36:59 +01:00 · 2024-12-11 05:02:44 +01:00 · 2024-12-11 05:02:44 +01:00 · e7caa4e487
commit e7caa4e487
parent f18644f8a1
6 changed files with 241 additions and 242 deletions
--- a/modules/grafana.nix
+++ b/modules/grafana.nix
@ -1,7 +1,11 @@
 { config, lib, ... }:
-let cfg = config.custom.services.grafana;
-in {
-  options.custom.services.grafana = { enable = lib.mkEnableOption "grafana"; };
+let
+  cfg = config.custom.services.grafana;
+in
+{
+  options.custom.services.grafana = {
+    enable = lib.mkEnableOption "grafana";
+  };

  config = lib.mkIf cfg.enable {
    sops.secrets = {
@ -11,13 +15,15 @@ in {
      };
    };

-    services.grafana = {
+    services = {
+      grafana = {
        enable = true;
        dataDir = "/nix/var/data/grafana";
        settings = {
-        server = { domain = "grafana.${config.networking.domain}"; };
-        security.admin_password =
-          "$__file{${config.sops.secrets.grafanaAdminPassword.path}}";
+          server = {
+            domain = "grafana.${config.networking.domain}";
+          };
+          security.admin_password = "$__file{${config.sops.secrets.grafanaAdminPassword.path}}";
        };
        provision = {
          enable = true;
@ -26,29 +32,27 @@ in {
              {
                name = "Prometheus";
                type = "prometheus";
-              url =
-                "http://127.0.0.1:${toString config.services.prometheus.port}";
+                url = "http://127.0.0.1:${toString config.services.prometheus.port}";
                isDefault = true;
              }
              {
                name = "Loki";
                type = "loki";
                access = "proxy";
-              url = "http://127.0.0.1:${
-                  toString
-                  config.services.loki.configuration.server.http_listen_port
-                }";
+                url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
              }
            ];
          };
-        dashboards.settings.providers = [{
+          dashboards.settings.providers = [
+            {
              name = "Config";
              options.path = ./dashboards;
-        }];
+            }
+          ];
        };
      };

-    services.nginx = {
+      nginx = {
        virtualHosts = {
          "${config.services.grafana.settings.server.domain}" = {

@ -56,60 +60,49 @@ in {
            forceSSL = true;

            locations."/" = {
-            proxyPass = "http://127.0.0.1:${
-                toString config.services.grafana.settings.server.http_port
-              }";
+              proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
              proxyWebsockets = true;
            };
          };
        };
      };

-    services.prometheus = {
+      prometheus = {
        enable = true;
-
        scrapeConfigs = [
          {
            job_name = "node";
-          static_configs = [{
+            static_configs = [
+              {
                targets = [
-              "10.0.2.3:${
-                toString config.services.prometheus.exporters.node.port
-              }"
-              "10.0.1.1:${
-                toString config.services.prometheus.exporters.node.port
-              }"
-              "10.0.1.11:${
-                toString config.services.prometheus.exporters.node.port
-              }"
+                  "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
+                ];
+              }
            ];
-          }];
          }
          {
            job_name = "synapse";
            scrape_interval = "15s";
            metrics_path = "/_synapse/metrics";
-          static_configs = [{ targets = [ "10.0.1.1:9000" ]; }];
+            static_configs = [ { targets = [ "127.0.0.1:9000" ]; } ];
          }
          {
            job_name = "dmarc";
            scrape_interval = "15s";
-          static_configs = [{
+            static_configs = [
+              {
                targets = [
-              "10.0.2.3:${
-                toString config.services.prometheus.exporters.dmarc.port
-              }"
+                  "127.0.0.1:${toString config.services.prometheus.exporters.dmarc.port}"
+                ];
+              }
            ];
-          }];
          }
        ];
      };

-    services.loki = {
+      loki = {
        enable = true;

-      dataDir = "/nix/var/data/loki";
-
        configuration = {
          server.http_listen_port = 3100;
          auth_enabled = false;
@ -118,7 +111,9 @@ in {
            lifecycler = {
              address = "127.0.0.1";
              ring = {
-              kvstore = { store = "inmemory"; };
+                kvstore = {
+                  store = "inmemory";
+                };
                replication_factor = 1;
              };
            };
@ -134,7 +129,8 @@ in {
          };

          schema_config = {
-          configs = [{
+            configs = [
+              {
                from = "2022-09-15";
                store = "boltdb-shipper";
                object_store = "filesystem";
@ -143,13 +139,13 @@ in {
                  prefix = "index_";
                  period = "24h";
                };
-          }];
+              }
+            ];
          };

          storage_config = {
            boltdb_shipper = {
-            active_index_directory =
-              "${config.services.loki.dataDir}/boltdb-index";
+              active_index_directory = "${config.services.loki.dataDir}/boltdb-index";
              cache_location = "${config.services.loki.dataDir}/boltdb-cache";
              cache_ttl = "24h";
            };
@ -173,10 +169,17 @@ in {

          compactor = {
            working_directory = "${config.services.loki.dataDir}";
-          compactor_ring = { kvstore = { store = "inmemory"; }; };
+            compactor_ring = {
+              kvstore = {
+                store = "inmemory";
+              };
+            };
          };

-        analytics = { reporting_enabled = false; };
+          analytics = {
+            reporting_enabled = false;
+          };
+        };
      };
    };
  };
--- a/modules/monitoring-exporters.nix
+++ b/modules/monitoring-exporters.nix
@ -1,6 +1,8 @@
 { config, lib, ... }:
-let cfg = config.custom.services.monitoring-exporters;
-in {
+let
+  cfg = config.custom.services.monitoring-exporters;
+in
+{
  options.custom.services.monitoring-exporters = {
    enable = lib.mkEnableOption "monitoring-exporters";
  };
@ -10,10 +12,29 @@ in {
      exporters = {
        node = {
          enable = true;
-          enabledCollectors = [ "systemd" "processes" ];
+          enabledCollectors = [
+            "systemd"
+            "processes"
+          ];
+        };
+        dmarc = {
+          enable = true;
+          debug = true;
+          imap = {
+            host = "mail.banditlair.com";
+            username = "paultrial@banditlair.com";
+            passwordFile = "/run/credentials/prometheus-dmarc-exporter.service/password";
+          };
+          folders = {
+            inbox = "dmarc_reports";
+            done = "Archives.dmarc_report_processed";
+            error = "Archives.dmarc_report_error";
          };
        };
      };
+    };
+
+    systemd.services.prometheus-dmarc-exporter.serviceConfig.LoadCredential = "password:${config.sops.secrets.dmarcExporterPassword.path}";

    services.promtail = {
      enable = true;
@ -22,7 +43,7 @@ in {
          http_listen_port = 3101;
          grpc_listen_port = 0;
        };
-        clients = [{ url = "http://10.0.2.3:3100/loki/api/v1/push"; }];
+        clients = [ { url = "http://127.0.0.1:3100/loki/api/v1/push"; } ];
        scrape_configs = [
          {
            job_name = "journal";
@ -33,21 +54,25 @@ in {
                host = "${config.networking.hostName}";
              };
            };
-            relabel_configs = [{
+            relabel_configs = [
+              {
                source_labels = [ "__journal__systemd_unit" ];
                target_label = "unit";
-            }];
+              }
+            ];
          }
          (lib.mkIf config.services.nginx.enable {
            job_name = "nginx";
-            static_configs = [{
+            static_configs = [
+              {
                targets = [ "localhost" ];
                labels = {
                  job = "nginx";
                  host = "${config.networking.hostName}";
                  __path__ = "/var/log/nginx/*.log";
                };
-            }];
+              }
+            ];
          })
        ];
      };
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@ -33,10 +33,15 @@ in
      forceSSL = true;
    };

+    # Can't change home dir for now, use bind mount as workaround
+    # https://github.com/NixOS/nixpkgs/issues/356973
+    fileSystems."/var/lib/nextcloud" = {
+      device = "/nix/var/data/nextcloud";
+      options = [ "bind" ];
+    };
+
    services.nextcloud = {
      enable = true;
-      # Can't be changed for now, could use a bind mount as workaround
-      # https://github.com/NixOS/nixpkgs/issues/356973
      # home = "/nix/var/data/nextcloud";
      package = pkgs.nextcloud29;
      hostName = "cloud.${config.networking.domain}";
--- a/profiles/hel.nix
+++ b/profiles/hel.nix
@ -15,6 +15,9 @@
      owner = config.users.users.gitlab-runner.name;
      key = "gitlab/runner_registration_config/hel1";
    };
+    dmarcExporterPassword = {
+      key = "dmarc_exporter/password";
+    };
  };

  time.timeZone = "Europe/Amsterdam";
@ -180,26 +183,29 @@
    };
  };

-  custom = {
-    services.nginx.enable = true;
-    services.postgresql.enable = true;
-    services.dokuwiki.enable = true;
-    services.openssh.enable = true;
-    services.gitlab-runner = {
+  custom.services = {
+    nginx.enable = true;
+    postgresql.enable = true;
+    dokuwiki.enable = true;
+    openssh.enable = true;
+    gitlab-runner = {
      enable = true;
      runnerRegistrationConfigFile = config.sops.secrets.runnerRegistrationConfig.path;
    };
-    services.jellyfin.enable = true;
-    services.torrents.enable = true;
-    services.foundryvtt.enable = true;
-    services.jitsi.enable = true;
-    services.stb.enable = true;
-    services.murmur.enable = true;
-    services.synapse.enable = true;
-    services.nextcloud.enable = true;
-    services.roundcube.enable = true;
+    jellyfin.enable = true;
+    torrents.enable = true;
+    foundryvtt.enable = true;
+    jitsi.enable = true;
+    stb.enable = true;
+    murmur.enable = true;
+    synapse.enable = true;
+    nextcloud.enable = true;
+    roundcube.enable = true;
+    monero.enable = true;
+    grafana.enable = true;
+    monitoring-exporters.enable = true;

-    services.backup-job = {
+    backup-job = {
      enable = true;
      repoName = "bl";
      additionalPaths = [
@ -235,7 +241,7 @@
      sshKey = config.sops.secrets.borgSshKey.path;
    };

-    services.monit = {
+    monit = {
      enable = true;
      additionalConfig = ''
        check host nextcloud with address cloud.banditlair.com
@ -331,6 +337,31 @@
      '';
    };
  };
+
+  # services.minecraft-server = {
+  #   enable = false;
+  #   package = pkgs-unstable.minecraft-server;
+  #   eula = true;
+  #   openFirewall = false;
+  #   declarative = true;
+  #   serverProperties = {
+  #     enable-rcon = true;
+  #     "rcon.port" = 25575;
+  #     "rcon.password" = "password";
+  #     server-port = 23363;
+  #     online-mode = true;
+  #     force-gamemode = true;
+  #     white-list = true;
+  #     diffuculty = "hard";
+  #   };
+  #   whitelist = {
+  #     paulplay15 = "1d5abc95-2fdb-4dcb-98e8-4fb5a0fba953";
+  #     Xavier1258 = "e9059cf3-00ef-47a3-92ee-4e4a3fea0e6d";
+  #     denisjulien3333 = "3c93e1a2-42d8-4a51-9fe3-924c8e8d5b07";
+  #   };
+  #   dataDir = "/nix/var/data/minecraft";
+  # };
+
  # virtualisation.oci-containers.containers = {
  #   "minecraft" = {
  #     image = "itzg/minecraft-server";
--- a/profiles/storage.nix
+++ b/profiles/storage.nix
@ -19,9 +19,6 @@
    nixCacheKey = {
      key = "nix/cache_secret_key";
    };
-    dmarcExporterPassword = {
-      key = "dmarc_exporter/password";
-    };
    paultrialPassword = {
      key = "email/accounts_passwords/paultrial";
    };
@ -75,9 +72,6 @@
    services.nginx.enable = true;
    services.openssh.enable = true;

-    services.monero.enable = false;
-    services.grafana.enable = true;
-    services.monitoring-exporters.enable = true;
  };

  mailserver = {
@ -157,22 +151,6 @@
    certificateScheme = "acme-nginx";
  };

-  services.prometheus.exporters.dmarc = {
-    enable = true;
-    debug = true;
-    imap = {
-      host = "mail.banditlair.com";
-      username = "paultrial@banditlair.com";
-      passwordFile = "/run/credentials/prometheus-dmarc-exporter.service/password";
-    };
-    folders = {
-      inbox = "dmarc_reports";
-      done = "Archives.dmarc_report_processed";
-      error = "Archives.dmarc_report_error";
-    };
-  };
-  systemd.services.prometheus-dmarc-exporter.serviceConfig.LoadCredential = "password:${config.sops.secrets.dmarcExporterPassword.path}";
-
  networking.firewall.allowedTCPPorts = [
    80
    443
@ -182,9 +160,6 @@
  networking.firewall.allowedUDPPorts = [
    23363 # Minecraft
  ];
-  networking.firewall.interfaces.vlan4001.allowedTCPPorts = [
-    config.services.loki.configuration.server.http_listen_port
-  ];

  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-+" ];
@ -221,46 +196,6 @@
  };
  users.groups.steam = { };

-  services.minecraft-server = {
-    enable = false;
-    package = pkgs-unstable.minecraft-server;
-    eula = true;
-    openFirewall = false;
-    declarative = true;
-    serverProperties = {
-      enable-rcon = true;
-      "rcon.port" = 25575;
-      "rcon.password" = "password";
-      server-port = 23363;
-      online-mode = true;
-      force-gamemode = true;
-      white-list = true;
-      diffuculty = "hard";
-    };
-    whitelist = {
-      paulplay15 = "1d5abc95-2fdb-4dcb-98e8-4fb5a0fba953";
-      Xavier1258 = "e9059cf3-00ef-47a3-92ee-4e4a3fea0e6d";
-      denisjulien3333 = "3c93e1a2-42d8-4a51-9fe3-924c8e8d5b07";
-    };
-    dataDir = "/nix/var/data/minecraft";
-  };
-
-  # virtualisation.oci-containers.containers = {
-  #   "minecraft" = {
-  #     image = "itzg/minecraft-server";
-  #     environment = {
-  #       EULA = "TRUE";
-  #       VERSION = "1.18.2";
-  #       TYPE = "AUTO_CURSEFORGE";
-  #       MEMORY = "4G";
-  #       CF_SLUG = "modecube"; # https://www.curseforge.com/minecraft/modpacks/modecube/files
-  #     };
-  #     ports = [ "25565:25565" ];
-  #     volumes = [ "/nix/var/data/minecraft-modded:/data" ];
-  #     autoStart = true;
-  #   };
-  # };
-
  # services.rustdesk-server = {
  #   enable = true;
  #   openFirewall = true;
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@ -72,7 +72,7 @@ resource "hetznerdns_record" "hel1_a" {
 resource "hetznerdns_record" "grafana_a" {
  zone_id = data.hetznerdns_zone.banditlair_zone.id
  name    = "grafana"
-  value   = local.storage1_ip
+  value   = local.hel1_ip
  type    = "A"
  ttl     = 600
 }