selfhostblocks/modules/monitoring.nix

{ config, pkgs, lib, ... }:

let
  cfg = config.shb.monitoring;

  fqdn = "${cfg.subdomain}.${cfg.domain}";
in
{
  options.shb.monitoring = {
    enable = lib.mkEnableOption "selfhostblocks.monitoring";

    # sopsFile = lib.mkOption {
    #   type = lib.types.path;
    #   description = "Sops file location";
    #   example = "secrets/monitoring.yaml";
    # };

    subdomain = lib.mkOption {
      type = lib.types.str;
      description = "Subdomain under which home-assistant will be served.";
      example = "grafana";
    };

    domain = lib.mkOption {
      type = lib.types.str;
      description = "domain under which home-assistant will be served.";
      example = "mydomain.com";
    };

    debugLog = lib.mkOption {
      type = lib.types.bool;
      description = "Set to true to enable debug logging of the infrastructure serving Grafana.";
      default = false;
      example = true;
    };
  };

  config = lib.mkIf cfg.enable {
    services.postgresql = {
      enable = true;
      ensureDatabases = [ "grafana" ];
      ensureUsers = [
        {
          name = "grafana";
          ensurePermissions = {
            "DATABASE grafana" = "ALL PRIVILEGES";
          };
          ensureClauses = {
            "login" = true;
          };
        }
      ];
    };

    services.grafana = {
      enable = true;

      settings = {
        database = {
          host = "/run/postgresql";
          user = "grafana";
          name = "grafana";
          type = "postgres";
          # Uses peer auth for local users, so we don't need a password.
          # Here's the syntax anyway for future refence:
          # password = "$__file{/run/secrets/homeassistant/dbpass}";
        };

        server = {
          http_addr = "127.0.0.1";
          http_port = 3000;
          domain = fqdn;
          root_url = "https://${fqdn}";
          router_logging = cfg.debugLog;
        };
      };
    };

    services.prometheus = {
      enable = true;
      port = 3001;
    };

    services.nginx = {
      enable = true;
      # recommendedProxySettings = true;

      virtualHosts.${fqdn} = {
        forceSSL = true;
        sslCertificate = "/var/lib/acme/${cfg.domain}/cert.pem";
        sslCertificateKey = "/var/lib/acme/${cfg.domain}/key.pem";
        locations."/" = {
          proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
          proxyWebsockets = true;
        };
      };
    };

    services.prometheus.scrapeConfigs = [
      {
        job_name = "node";
        static_configs = [
          {
            targets = ["127.0.0.1:9115"];
          }
        ];
      }
      {
        job_name = "prometheus_internal";
        static_configs = [
          {
            targets = ["127.0.0.1:${toString config.services.prometheus.port}"];
          }
        ];
      }
    ] ++ (lib.lists.optional config.services.nginx.enable {
        job_name = "nginx";
        static_configs = [
          {
            targets = ["127.0.0.1:9113"];
          }
        ];
      });
    services.prometheus.exporters.nginx = lib.mkIf config.services.nginx.enable {
      enable = true;
      port = 9113;
      listenAddress = "127.0.0.1";
      scrapeUri = "http://localhost:80/nginx_status";
    };
    services.prometheus.exporters.node = {
      enable = true;
      enabledCollectors = ["systemd"];
      port = 9115;
      listenAddress = "127.0.0.1";
    };
    services.nginx.statusPage = lib.mkDefault config.services.nginx.enable;

    # sops.secrets."grafana" = {
    #   inherit (cfg) sopsFile;
    #   mode = "0440";
    #   owner = "grafana";
    #   group = "grafana";
    #   # path = "${config.services.home-assistant.configDir}/secrets.yaml";
    #   restartUnits = [ "grafana.service" ];
    # };
  };
}
add monitoring 2023-07-01 19:12:36 +02:00			`{ config, pkgs, lib, ... }:`

			`let`
			`cfg = config.shb.monitoring;`
replace haproxy with nginx as the main reverseproxy 2023-07-16 00:09:54 +02:00
			`fqdn = "${cfg.subdomain}.${cfg.domain}";`
add monitoring 2023-07-01 19:12:36 +02:00			`in`
			`{`
			`options.shb.monitoring = {`
			`enable = lib.mkEnableOption "selfhostblocks.monitoring";`

			`# sopsFile = lib.mkOption {`
			`# type = lib.types.path;`
			`# description = "Sops file location";`
			`# example = "secrets/monitoring.yaml";`
			`# };`
replace haproxy with nginx as the main reverseproxy 2023-07-16 00:09:54 +02:00
			`subdomain = lib.mkOption {`
			`type = lib.types.str;`
			`description = "Subdomain under which home-assistant will be served.";`
			`example = "grafana";`
			`};`

			`domain = lib.mkOption {`
			`type = lib.types.str;`
			`description = "domain under which home-assistant will be served.";`
			`example = "mydomain.com";`
			`};`
add option to enable debug logging in grafana 2023-08-25 18:41:36 +02:00
			`debugLog = lib.mkOption {`
			`type = lib.types.bool;`
			`description = "Set to true to enable debug logging of the infrastructure serving Grafana.";`
			`default = false;`
			`example = true;`
			`};`
add monitoring 2023-07-01 19:12:36 +02:00			`};`

			`config = lib.mkIf cfg.enable {`
			`services.postgresql = {`
			`enable = true;`
			`ensureDatabases = [ "grafana" ];`
			`ensureUsers = [`
			`{`
			`name = "grafana";`
			`ensurePermissions = {`
			`"DATABASE grafana" = "ALL PRIVILEGES";`
			`};`
			`ensureClauses = {`
			`"login" = true;`
			`};`
			`}`
			`];`
			`};`

			`services.grafana = {`
			`enable = true;`

			`settings = {`
replace haproxy with nginx as the main reverseproxy 2023-07-16 00:09:54 +02:00			`database = {`
			`host = "/run/postgresql";`
			`user = "grafana";`
			`name = "grafana";`
			`type = "postgres";`
			`# Uses peer auth for local users, so we don't need a password.`
			`# Here's the syntax anyway for future refence:`
			`# password = "$__file{/run/secrets/homeassistant/dbpass}";`
			`};`

add monitoring 2023-07-01 19:12:36 +02:00			`server = {`
			`http_addr = "127.0.0.1";`
			`http_port = 3000;`
replace haproxy with nginx as the main reverseproxy 2023-07-16 00:09:54 +02:00			`domain = fqdn;`
			`root_url = "https://${fqdn}";`
add option to enable debug logging in grafana 2023-08-25 18:41:36 +02:00			`router_logging = cfg.debugLog;`
add monitoring 2023-07-01 19:12:36 +02:00			`};`
			`};`
			`};`

replace haproxy with nginx as the main reverseproxy 2023-07-16 00:09:54 +02:00			`services.prometheus = {`
			`enable = true;`
			`port = 3001;`
			`};`

			`services.nginx = {`
			`enable = true;`
			`# recommendedProxySettings = true;`

			`virtualHosts.${fqdn} = {`
force ssl everywhere instead of adding the option 2023-08-12 00:53:05 +02:00			`forceSSL = true;`
replace haproxy with nginx as the main reverseproxy 2023-07-16 00:09:54 +02:00			`sslCertificate = "/var/lib/acme/${cfg.domain}/cert.pem";`
			`sslCertificateKey = "/var/lib/acme/${cfg.domain}/key.pem";`
			`locations."/" = {`
remove extra header for grafana that is set later automatically This prevented us to access grafana at all through nginx. 2023-08-14 01:11:23 +02:00			`proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";`
replace haproxy with nginx as the main reverseproxy 2023-07-16 00:09:54 +02:00			`proxyWebsockets = true;`
add monitoring 2023-07-01 19:12:36 +02:00			`};`
			`};`
replace haproxy with nginx as the main reverseproxy 2023-07-16 00:09:54 +02:00			`};`

add systemd node exporter 2023-07-30 07:14:38 +02:00			`services.prometheus.scrapeConfigs = [`
			`{`
			`job_name = "node";`
			`static_configs = [`
			`{`
			`targets = ["127.0.0.1:9115"];`
			`}`
			`];`
			`}`
add scraping of prometheus' own metrics 2023-08-25 18:41:54 +02:00			`{`
			`job_name = "prometheus_internal";`
			`static_configs = [`
			`{`
			`targets = ["127.0.0.1:${toString config.services.prometheus.port}"];`
			`}`
			`];`
			`}`
add systemd node exporter 2023-07-30 07:14:38 +02:00			`] ++ (lib.lists.optional config.services.nginx.enable {`
replace haproxy with nginx as the main reverseproxy 2023-07-16 00:09:54 +02:00			`job_name = "nginx";`
			`static_configs = [`
add monitoring 2023-07-01 19:12:36 +02:00			`{`
replace haproxy with nginx as the main reverseproxy 2023-07-16 00:09:54 +02:00			`targets = ["127.0.0.1:9113"];`
add monitoring 2023-07-01 19:12:36 +02:00			`}`
			`];`
replace haproxy with nginx as the main reverseproxy 2023-07-16 00:09:54 +02:00			`});`
			`services.prometheus.exporters.nginx = lib.mkIf config.services.nginx.enable {`
			`enable = true;`
			`port = 9113;`
			`listenAddress = "127.0.0.1";`
			`scrapeUri = "http://localhost:80/nginx_status";`
add monitoring 2023-07-01 19:12:36 +02:00			`};`
add systemd node exporter 2023-07-30 07:14:38 +02:00			`services.prometheus.exporters.node = {`
			`enable = true;`
			`enabledCollectors = ["systemd"];`
			`port = 9115;`
			`listenAddress = "127.0.0.1";`
			`};`
replace haproxy with nginx as the main reverseproxy 2023-07-16 00:09:54 +02:00			`services.nginx.statusPage = lib.mkDefault config.services.nginx.enable;`
add monitoring 2023-07-01 19:12:36 +02:00
			`# sops.secrets."grafana" = {`
			`# inherit (cfg) sopsFile;`
			`# mode = "0440";`
			`# owner = "grafana";`
			`# group = "grafana";`
			`# # path = "${config.services.home-assistant.configDir}/secrets.yaml";`
			`# restartUnits = [ "grafana.service" ];`
			`# };`
			`};`
			`}`