feat: move away from cube host

2025-08-01 12:37:46 +00:00 · 2025-02-28 00:29:52 +03:00 · 2025-02-28 00:29:52 +03:00 · 5125a31e7f
commit 5125a31e7f
parent 07537d4889
36 changed files with 97 additions and 165 deletions
--- a/hosts/best/grafana/default.nix
+++ b/hosts/best/grafana/default.nix
@ -0,0 +1,86 @@
+{ self, config, lib, ... }: let
+  inherit (config.networking) domain;
+  inherit (lib) const enabled genAttrs merge;
+
+  fqdn = "metrics.${domain}";
+  port = 8000;
+in {
+  imports = [
+    (self + /modules/nginx.nix)
+    (self + /modules/postgresql.nix)
+  ];
+
+  secrets.grafanaPassword = {
+    file  = ./password.age;
+    owner = "grafana";
+  };
+  secrets.grafanaPasswordMail = {
+    file  = self + /modules/mail/password.plain.age;
+    owner = "grafana";
+  };
+
+  services.postgresql.ensure = [ "grafana" ];
+
+  services.restic.backups = genAttrs config.services.restic.hosts <| const {
+    paths = [ "/var/lib/grafana" ];
+  };
+
+  systemd.services.grafana = {
+    after    = [ "postgresql.service" ];
+    requires = [ "postgresql.service" ];
+  };
+
+  services.grafana = enabled {
+    provision = enabled;
+
+    settings = {
+      analytics.reporting_enabled = false;
+
+      database.host = "/run/postgresql";
+      database.type = "postgres";
+      database.user = "grafana";
+
+      server.domain    = fqdn;
+      server.http_addr = "::1";
+      server.http_port = port;
+
+      users.default_theme = "system";
+    };
+
+    settings.security = {
+      admin_email    = "metrics@${domain}";
+      admin_password = "$__file{${config.secrets.grafanaPassword.path}}";
+      admin_user     = "admin";
+
+      cookie_secure    = true;
+      disable_gravatar = true;
+
+      disable_initial_admin_creation = true; # Just in case.
+    };
+
+    settings.smtp = {
+      enabled = true;
+
+      password        = "$__file{${config.secrets.grafanaPasswordMail.path}}";
+      startTLS_policy = "MandatoryStartTLS";
+
+      ehlo_identity = "metrics@${domain}";
+      from_address  = "metrics@${domain}";
+      from_name     = "Metrics";
+      host          = "${self.disk.mailserver.fqdn}:${toString self.disk.services.postfix.relayPort}";
+    };
+  };
+
+  services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+    locations."/" = {
+      extraConfig =  /* nginx */ ''
+        # Grafana sets `nosniff` while not setting the content type properly,
+        # so everything breaks with it. Unset the header.
+        proxy_hide_header X-Content-Type-Options;
+      '';
+
+      proxyPass       = "http://[::1]:${toString port}";
+      proxyWebsockets = true;
+    };
+  };
+}