Move Grafana to hel1

2025-12-25 05:36:59 +01:00 · 2024-12-11 05:02:44 +01:00 · 2024-12-11 05:02:44 +01:00 · e7caa4e487
commit e7caa4e487
parent f18644f8a1
6 changed files with 241 additions and 242 deletions
--- a/modules/grafana.nix
+++ b/modules/grafana.nix
@ -1,7 +1,11 @@
 { config, lib, ... }:
-let cfg = config.custom.services.grafana;
-in {
-  options.custom.services.grafana = { enable = lib.mkEnableOption "grafana"; };
+let
+  cfg = config.custom.services.grafana;
+in
+{
+  options.custom.services.grafana = {
+    enable = lib.mkEnableOption "grafana";
+  };

  config = lib.mkIf cfg.enable {
    sops.secrets = {
@ -11,172 +15,171 @@ in {
      };
    };

-    services.grafana = {
-      enable = true;
-      dataDir = "/nix/var/data/grafana";
-      settings = {
-        server = { domain = "grafana.${config.networking.domain}"; };
-        security.admin_password =
-          "$__file{${config.sops.secrets.grafanaAdminPassword.path}}";
-      };
-      provision = {
+    services = {
+      grafana = {
        enable = true;
-        datasources.settings = {
-          datasources = [
+        dataDir = "/nix/var/data/grafana";
+        settings = {
+          server = {
+            domain = "grafana.${config.networking.domain}";
+          };
+          security.admin_password = "$__file{${config.sops.secrets.grafanaAdminPassword.path}}";
+        };
+        provision = {
+          enable = true;
+          datasources.settings = {
+            datasources = [
+              {
+                name = "Prometheus";
+                type = "prometheus";
+                url = "http://127.0.0.1:${toString config.services.prometheus.port}";
+                isDefault = true;
+              }
+              {
+                name = "Loki";
+                type = "loki";
+                access = "proxy";
+                url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
+              }
+            ];
+          };
+          dashboards.settings.providers = [
            {
-              name = "Prometheus";
-              type = "prometheus";
-              url =
-                "http://127.0.0.1:${toString config.services.prometheus.port}";
-              isDefault = true;
-            }
-            {
-              name = "Loki";
-              type = "loki";
-              access = "proxy";
-              url = "http://127.0.0.1:${
-                  toString
-                  config.services.loki.configuration.server.http_listen_port
-                }";
+              name = "Config";
+              options.path = ./dashboards;
            }
          ];
        };
-        dashboards.settings.providers = [{
-          name = "Config";
-          options.path = ./dashboards;
-        }];
      };
-    };

-    services.nginx = {
-      virtualHosts = {
-        "${config.services.grafana.settings.server.domain}" = {
+      nginx = {
+        virtualHosts = {
+          "${config.services.grafana.settings.server.domain}" = {

-          enableACME = true;
-          forceSSL = true;
+            enableACME = true;
+            forceSSL = true;

-          locations."/" = {
-            proxyPass = "http://127.0.0.1:${
-                toString config.services.grafana.settings.server.http_port
-              }";
-            proxyWebsockets = true;
+            locations."/" = {
+              proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+              proxyWebsockets = true;
+            };
          };
        };
      };
-    };

-    services.prometheus = {
-      enable = true;
-
-      scrapeConfigs = [
-        {
-          job_name = "node";
-          static_configs = [{
-            targets = [
-              "10.0.2.3:${
-                toString config.services.prometheus.exporters.node.port
-              }"
-              "10.0.1.1:${
-                toString config.services.prometheus.exporters.node.port
-              }"
-              "10.0.1.11:${
-                toString config.services.prometheus.exporters.node.port
-              }"
+      prometheus = {
+        enable = true;
+        scrapeConfigs = [
+          {
+            job_name = "node";
+            static_configs = [
+              {
+                targets = [
+                  "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
+                ];
+              }
            ];
-          }];
-        }
-        {
-          job_name = "synapse";
-          scrape_interval = "15s";
-          metrics_path = "/_synapse/metrics";
-          static_configs = [{ targets = [ "10.0.1.1:9000" ]; }];
-        }
-        {
-          job_name = "dmarc";
-          scrape_interval = "15s";
-          static_configs = [{
-            targets = [
-              "10.0.2.3:${
-                toString config.services.prometheus.exporters.dmarc.port
-              }"
+          }
+          {
+            job_name = "synapse";
+            scrape_interval = "15s";
+            metrics_path = "/_synapse/metrics";
+            static_configs = [ { targets = [ "127.0.0.1:9000" ]; } ];
+          }
+          {
+            job_name = "dmarc";
+            scrape_interval = "15s";
+            static_configs = [
+              {
+                targets = [
+                  "127.0.0.1:${toString config.services.prometheus.exporters.dmarc.port}"
+                ];
+              }
            ];
-          }];
-        }
-      ];
-    };
+          }
+        ];
+      };

-    services.loki = {
-      enable = true;
+      loki = {
+        enable = true;

-      dataDir = "/nix/var/data/loki";
+        configuration = {
+          server.http_listen_port = 3100;
+          auth_enabled = false;

-      configuration = {
-        server.http_listen_port = 3100;
-        auth_enabled = false;
+          ingester = {
+            lifecycler = {
+              address = "127.0.0.1";
+              ring = {
+                kvstore = {
+                  store = "inmemory";
+                };
+                replication_factor = 1;
+              };
+            };
+            chunk_idle_period = "1h";
+            max_chunk_age = "1h";
+            chunk_target_size = 999999;
+            chunk_retain_period = "30s";
+          };

-        ingester = {
-          lifecycler = {
-            address = "127.0.0.1";
-            ring = {
-              kvstore = { store = "inmemory"; };
-              replication_factor = 1;
+          limits_config = {
+            ingestion_rate_mb = 16;
+            allow_structured_metadata = false;
+          };
+
+          schema_config = {
+            configs = [
+              {
+                from = "2022-09-15";
+                store = "boltdb-shipper";
+                object_store = "filesystem";
+                schema = "v11";
+                index = {
+                  prefix = "index_";
+                  period = "24h";
+                };
+              }
+            ];
+          };
+
+          storage_config = {
+            boltdb_shipper = {
+              active_index_directory = "${config.services.loki.dataDir}/boltdb-index";
+              cache_location = "${config.services.loki.dataDir}/boltdb-cache";
+              cache_ttl = "24h";
+            };
+
+            filesystem = {
+              directory = "${config.services.loki.dataDir}/chunks";
            };
          };
-          chunk_idle_period = "1h";
-          max_chunk_age = "1h";
-          chunk_target_size = 999999;
-          chunk_retain_period = "30s";
-        };

-        limits_config = {
-          ingestion_rate_mb = 16;
-          allow_structured_metadata = false;
-        };
+          limits_config = {
+            reject_old_samples = true;
+            reject_old_samples_max_age = "168h";
+          };

-        schema_config = {
-          configs = [{
-            from = "2022-09-15";
-            store = "boltdb-shipper";
-            object_store = "filesystem";
-            schema = "v11";
-            index = {
-              prefix = "index_";
-              period = "24h";
+          querier.engine.max_look_back_period = "0s";
+
+          table_manager = {
+            retention_deletes_enabled = false;
+            retention_period = "0s";
+          };
+
+          compactor = {
+            working_directory = "${config.services.loki.dataDir}";
+            compactor_ring = {
+              kvstore = {
+                store = "inmemory";
+              };
            };
-          }];
-        };
-
-        storage_config = {
-          boltdb_shipper = {
-            active_index_directory =
-              "${config.services.loki.dataDir}/boltdb-index";
-            cache_location = "${config.services.loki.dataDir}/boltdb-cache";
-            cache_ttl = "24h";
          };

-          filesystem = {
-            directory = "${config.services.loki.dataDir}/chunks";
+          analytics = {
+            reporting_enabled = false;
          };
        };
-
-        limits_config = {
-          reject_old_samples = true;
-          reject_old_samples_max_age = "168h";
-        };
-
-        querier.engine.max_look_back_period = "0s";
-
-        table_manager = {
-          retention_deletes_enabled = false;
-          retention_period = "0s";
-        };
-
-        compactor = {
-          working_directory = "${config.services.loki.dataDir}";
-          compactor_ring = { kvstore = { store = "inmemory"; }; };
-        };
-
-        analytics = { reporting_enabled = false; };
      };
    };
  };
--- a/modules/monitoring-exporters.nix
+++ b/modules/monitoring-exporters.nix
@ -1,6 +1,8 @@
 { config, lib, ... }:
-let cfg = config.custom.services.monitoring-exporters;
-in {
+let
+  cfg = config.custom.services.monitoring-exporters;
+in
+{
  options.custom.services.monitoring-exporters = {
    enable = lib.mkEnableOption "monitoring-exporters";
  };
@ -10,11 +12,30 @@ in {
      exporters = {
        node = {
          enable = true;
-          enabledCollectors = [ "systemd" "processes" ];
+          enabledCollectors = [
+            "systemd"
+            "processes"
+          ];
+        };
+        dmarc = {
+          enable = true;
+          debug = true;
+          imap = {
+            host = "mail.banditlair.com";
+            username = "paultrial@banditlair.com";
+            passwordFile = "/run/credentials/prometheus-dmarc-exporter.service/password";
+          };
+          folders = {
+            inbox = "dmarc_reports";
+            done = "Archives.dmarc_report_processed";
+            error = "Archives.dmarc_report_error";
+          };
        };
      };
    };

+    systemd.services.prometheus-dmarc-exporter.serviceConfig.LoadCredential = "password:${config.sops.secrets.dmarcExporterPassword.path}";
+
    services.promtail = {
      enable = true;
      configuration = {
@ -22,7 +43,7 @@ in {
          http_listen_port = 3101;
          grpc_listen_port = 0;
        };
-        clients = [{ url = "http://10.0.2.3:3100/loki/api/v1/push"; }];
+        clients = [ { url = "http://127.0.0.1:3100/loki/api/v1/push"; } ];
        scrape_configs = [
          {
            job_name = "journal";
@ -33,21 +54,25 @@ in {
                host = "${config.networking.hostName}";
              };
            };
-            relabel_configs = [{
-              source_labels = [ "__journal__systemd_unit" ];
-              target_label = "unit";
-            }];
+            relabel_configs = [
+              {
+                source_labels = [ "__journal__systemd_unit" ];
+                target_label = "unit";
+              }
+            ];
          }
          (lib.mkIf config.services.nginx.enable {
            job_name = "nginx";
-            static_configs = [{
-              targets = [ "localhost" ];
-              labels = {
-                job = "nginx";
-                host = "${config.networking.hostName}";
-                __path__ = "/var/log/nginx/*.log";
-              };
-            }];
+            static_configs = [
+              {
+                targets = [ "localhost" ];
+                labels = {
+                  job = "nginx";
+                  host = "${config.networking.hostName}";
+                  __path__ = "/var/log/nginx/*.log";
+                };
+              }
+            ];
          })
        ];
      };
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@ -33,10 +33,15 @@ in
      forceSSL = true;
    };

+    # Can't change home dir for now, use bind mount as workaround
+    # https://github.com/NixOS/nixpkgs/issues/356973
+    fileSystems."/var/lib/nextcloud" = {
+      device = "/nix/var/data/nextcloud";
+      options = [ "bind" ];
+    };
+
    services.nextcloud = {
      enable = true;
-      # Can't be changed for now, could use a bind mount as workaround
-      # https://github.com/NixOS/nixpkgs/issues/356973
      # home = "/nix/var/data/nextcloud";
      package = pkgs.nextcloud29;
      hostName = "cloud.${config.networking.domain}";
--- a/profiles/hel.nix
+++ b/profiles/hel.nix
@ -15,6 +15,9 @@
      owner = config.users.users.gitlab-runner.name;
      key = "gitlab/runner_registration_config/hel1";
    };
+    dmarcExporterPassword = {
+      key = "dmarc_exporter/password";
+    };
  };

  time.timeZone = "Europe/Amsterdam";
@ -180,26 +183,29 @@
    };
  };

-  custom = {
-    services.nginx.enable = true;
-    services.postgresql.enable = true;
-    services.dokuwiki.enable = true;
-    services.openssh.enable = true;
-    services.gitlab-runner = {
+  custom.services = {
+    nginx.enable = true;
+    postgresql.enable = true;
+    dokuwiki.enable = true;
+    openssh.enable = true;
+    gitlab-runner = {
      enable = true;
      runnerRegistrationConfigFile = config.sops.secrets.runnerRegistrationConfig.path;
    };
-    services.jellyfin.enable = true;
-    services.torrents.enable = true;
-    services.foundryvtt.enable = true;
-    services.jitsi.enable = true;
-    services.stb.enable = true;
-    services.murmur.enable = true;
-    services.synapse.enable = true;
-    services.nextcloud.enable = true;
-    services.roundcube.enable = true;
+    jellyfin.enable = true;
+    torrents.enable = true;
+    foundryvtt.enable = true;
+    jitsi.enable = true;
+    stb.enable = true;
+    murmur.enable = true;
+    synapse.enable = true;
+    nextcloud.enable = true;
+    roundcube.enable = true;
+    monero.enable = true;
+    grafana.enable = true;
+    monitoring-exporters.enable = true;

-    services.backup-job = {
+    backup-job = {
      enable = true;
      repoName = "bl";
      additionalPaths = [
@ -235,7 +241,7 @@
      sshKey = config.sops.secrets.borgSshKey.path;
    };

-    services.monit = {
+    monit = {
      enable = true;
      additionalConfig = ''
        check host nextcloud with address cloud.banditlair.com
@ -331,6 +337,31 @@
      '';
    };
  };
+
+  # services.minecraft-server = {
+  #   enable = false;
+  #   package = pkgs-unstable.minecraft-server;
+  #   eula = true;
+  #   openFirewall = false;
+  #   declarative = true;
+  #   serverProperties = {
+  #     enable-rcon = true;
+  #     "rcon.port" = 25575;
+  #     "rcon.password" = "password";
+  #     server-port = 23363;
+  #     online-mode = true;
+  #     force-gamemode = true;
+  #     white-list = true;
+  #     diffuculty = "hard";
+  #   };
+  #   whitelist = {
+  #     paulplay15 = "1d5abc95-2fdb-4dcb-98e8-4fb5a0fba953";
+  #     Xavier1258 = "e9059cf3-00ef-47a3-92ee-4e4a3fea0e6d";
+  #     denisjulien3333 = "3c93e1a2-42d8-4a51-9fe3-924c8e8d5b07";
+  #   };
+  #   dataDir = "/nix/var/data/minecraft";
+  # };
+
  # virtualisation.oci-containers.containers = {
  #   "minecraft" = {
  #     image = "itzg/minecraft-server";
--- a/profiles/storage.nix
+++ b/profiles/storage.nix
@ -19,9 +19,6 @@
    nixCacheKey = {
      key = "nix/cache_secret_key";
    };
-    dmarcExporterPassword = {
-      key = "dmarc_exporter/password";
-    };
    paultrialPassword = {
      key = "email/accounts_passwords/paultrial";
    };
@ -75,9 +72,6 @@
    services.nginx.enable = true;
    services.openssh.enable = true;

-    services.monero.enable = false;
-    services.grafana.enable = true;
-    services.monitoring-exporters.enable = true;
  };

  mailserver = {
@ -157,22 +151,6 @@
    certificateScheme = "acme-nginx";
  };

-  services.prometheus.exporters.dmarc = {
-    enable = true;
-    debug = true;
-    imap = {
-      host = "mail.banditlair.com";
-      username = "paultrial@banditlair.com";
-      passwordFile = "/run/credentials/prometheus-dmarc-exporter.service/password";
-    };
-    folders = {
-      inbox = "dmarc_reports";
-      done = "Archives.dmarc_report_processed";
-      error = "Archives.dmarc_report_error";
-    };
-  };
-  systemd.services.prometheus-dmarc-exporter.serviceConfig.LoadCredential = "password:${config.sops.secrets.dmarcExporterPassword.path}";
-
  networking.firewall.allowedTCPPorts = [
    80
    443
@ -182,9 +160,6 @@
  networking.firewall.allowedUDPPorts = [
    23363 # Minecraft
  ];
-  networking.firewall.interfaces.vlan4001.allowedTCPPorts = [
-    config.services.loki.configuration.server.http_listen_port
-  ];

  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-+" ];
@ -221,46 +196,6 @@
  };
  users.groups.steam = { };

-  services.minecraft-server = {
-    enable = false;
-    package = pkgs-unstable.minecraft-server;
-    eula = true;
-    openFirewall = false;
-    declarative = true;
-    serverProperties = {
-      enable-rcon = true;
-      "rcon.port" = 25575;
-      "rcon.password" = "password";
-      server-port = 23363;
-      online-mode = true;
-      force-gamemode = true;
-      white-list = true;
-      diffuculty = "hard";
-    };
-    whitelist = {
-      paulplay15 = "1d5abc95-2fdb-4dcb-98e8-4fb5a0fba953";
-      Xavier1258 = "e9059cf3-00ef-47a3-92ee-4e4a3fea0e6d";
-      denisjulien3333 = "3c93e1a2-42d8-4a51-9fe3-924c8e8d5b07";
-    };
-    dataDir = "/nix/var/data/minecraft";
-  };
-
-  # virtualisation.oci-containers.containers = {
-  #   "minecraft" = {
-  #     image = "itzg/minecraft-server";
-  #     environment = {
-  #       EULA = "TRUE";
-  #       VERSION = "1.18.2";
-  #       TYPE = "AUTO_CURSEFORGE";
-  #       MEMORY = "4G";
-  #       CF_SLUG = "modecube"; # https://www.curseforge.com/minecraft/modpacks/modecube/files
-  #     };
-  #     ports = [ "25565:25565" ];
-  #     volumes = [ "/nix/var/data/minecraft-modded:/data" ];
-  #     autoStart = true;
-  #   };
-  # };
-
  # services.rustdesk-server = {
  #   enable = true;
  #   openFirewall = true;
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@ -72,7 +72,7 @@ resource "hetznerdns_record" "hel1_a" {
 resource "hetznerdns_record" "grafana_a" {
  zone_id = data.hetznerdns_zone.banditlair_zone.id
  name    = "grafana"
-  value   = local.storage1_ip
+  value   = local.hel1_ip
  type    = "A"
  ttl     = 600
 }