mirror of https://github.com/RGBCube/ncc synced 2025-07-31 20:17:45 +00:00

feat: move away from cube host

RGBCube 2025-02-28 00:29:52 +03:00
parent 07537d4889
commit 5125a31e7f
Signed by: RGBCube
SSH key fingerprint: SHA256:CzqbPcfwt+GxFYNnFVCqoN5Itn4YFrshg1TrnACpA5M
36 changed files with 97 additions and 165 deletions


@ -0,0 +1,86 @@
{ self, config, lib, ... }: let
inherit (config.networking) domain;
inherit (lib) const enabled genAttrs merge;
fqdn = "metrics.${domain}";
port = 8000;
in {
imports = [
(self + /modules/nginx.nix)
(self + /modules/postgresql.nix)
];
secrets.grafanaPassword = {
file = ./password.age;
owner = "grafana";
};
secrets.grafanaPasswordMail = {
file = self + /modules/mail/password.plain.age;
owner = "grafana";
};
services.postgresql.ensure = [ "grafana" ];
services.restic.backups = genAttrs config.services.restic.hosts <| const {
paths = [ "/var/lib/grafana" ];
};
systemd.services.grafana = {
after = [ "postgresql.service" ];
requires = [ "postgresql.service" ];
};
services.grafana = enabled {
provision = enabled;
settings = {
analytics.reporting_enabled = false;
database.host = "/run/postgresql";
database.type = "postgres";
database.user = "grafana";
server.domain = fqdn;
server.http_addr = "::1";
server.http_port = port;
users.default_theme = "system";
};
settings.security = {
admin_email = "metrics@${domain}";
admin_password = "$__file{${config.secrets.grafanaPassword.path}}";
admin_user = "admin";
cookie_secure = true;
disable_gravatar = true;
disable_initial_admin_creation = true; # Just in case.
};
settings.smtp = {
enabled = true;
password = "$__file{${config.secrets.grafanaPasswordMail.path}}";
startTLS_policy = "MandatoryStartTLS";
ehlo_identity = "metrics@${domain}";
from_address = "metrics@${domain}";
from_name = "Metrics";
host = "${self.disk.mailserver.fqdn}:${toString self.disk.services.postfix.relayPort}";
};
};
services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
locations."/" = {
extraConfig = /* nginx */ ''
# Grafana sets `nosniff` while not setting the content type properly,
# so everything breaks with it. Unset the header.
proxy_hide_header X-Content-Type-Options;
'';
proxyPass = "http://[::1]:${toString port}";
proxyWebsockets = true;
};
};
}
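Review bot: In `locations."/".extraConfig`, `proxy_hide_header X-Content-Type-Options;` strips `nosniff` from every proxied Grafana response, so browsers may content-sniff anything served with a wrong or missing type on an authenticated dashboard origin. If only specific assets break, I would scope the directive to a narrower `location` for those paths and keep the header everywhere else; whether `sslTemplate` adds its own copy of the header is not visible in this section. The comment would also age better if it named the failing response, e.g. `# TODO: drop once Grafana serves <asset> with a correct Content-Type`. Separately, `admin_user` and `admin_password` sit next to `disable_initial_admin_creation = true`, so as far as I can tell they are never applied; a comment saying which setting is meant to win would replace the current `# Just in case.`.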


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 8y3T6w 1kO3fql8g9bmfuoLK2FUCmVBjgPHJ/51Yi+959QUSH0
gVMPYBnDW+iO0IStDXYPBkUcPqArBMiqOvChfbQb9nE
-> ssh-ed25519 CzqbPQ TUC1qiq9PXGmAkNkUBScYxK36X99xN7aBOsVUw6YFB0
9zk6II1eqtZztn6mf2BUwf9rYtrbnWkA9DBY/4H188I
--- +upO/vB2Q1tjXM7d+Zj9BnPwbRUs9lHTb+KU4vXrnQY
ÁngÆxߣS^8]ôìï(¨Ó“Ì@:¯~<7E>:2,žÈøÃŽ@<40>TxGÀ


@ -0,0 +1,44 @@
{ self, config, lib, ... }: let
inherit (lib) enabled filterAttrs flatten mapAttrsToList;
in {
services.grafana.provision.datasources.settings = {
datasources = [{
name = "Prometheus";
type = "prometheus";
url = "http://[::1]:${toString config.services.prometheus.port}";
orgId = 1;
}];
deleteDatasources = [{
name = "Prometheus";
orgId = 1;
}];
};
services.prometheus = enabled {
listenAddress = "[::]";
retentionTime = "1w";
scrapeConfigs = let
configToScrapeConfig = hostName: { config, ... }: let
hostConfig = config;
in hostConfig.services.prometheus.exporters
|> filterAttrs (exporterName: exporterConfig:
exporterName != "minio" &&
exporterName != "unifi-poller" &&
exporterName != "tor" &&
exporterConfig.enable or false)
|> mapAttrsToList (exporterName: exporterConfig: {
job_name = "${exporterName}-${hostName}";
static_configs = [{
targets = [ "${hostName}:${toString exporterConfig.port}" ];
}];
});
in self.nixosConfigurations
|> mapAttrsToList configToScrapeConfig
|> flatten;
};
}
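Review bot: `listenAddress = "[::]"` binds Prometheus on every interface, while the only consumer visible in this file, the provisioned Grafana datasource, connects over `[::1]`. Prometheus has no authentication by default, so its query API and all scraped metrics are readable by anything that can reach the port; whether the host firewall closes it is not visible here. Unless another host is meant to query this instance, I would use `listenAddress = "[::1]";`. The scrape targets `"${hostName}:${toString exporterConfig.port}"` are likewise fetched by bare host name over plain HTTP, so a comment stating which network those names are expected to resolve on would document the trust assumption.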