foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-02-07 06:19:00 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

hosts/plover/services/grafana: update config

Browse Source
This commit is contained in:
Gabriel Arazas 2024-10-02 21:17:22 +08:00
parent 7537f77e40
commit a99f06b7a9
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360
1 changed files with 39 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
configs/nixos/plover/modules/services/grafana.nix
View File

@ -5,33 +5,31 @@ let
cfg = hostCfg.services.grafana; cfg = hostCfg.services.grafana;
monitoringDomain = "monitoring.${config.networking.domain}"; monitoringDomain = "monitoring.${config.networking.domain}";
grafanaDatabaseUser = config.services.grafana.settings.database.user;
grafanaDatabaseName = config.services.grafana.settings.database.name;
authDomain = "auth.${config.networking.domain}"; authDomain = "auth.${config.networking.domain}";
authSubpath = path: "${authDomain}/${path}"; authSubpath = path: "${authDomain}/${path}";
vouchDomain = "vouch.${config.networking.domain}"; vouchDomain = "vouch.${config.networking.domain}";
vouchSettings = config.services.vouch-proxy.instances."${vouchDomain}".settings; vouchSettings =
in config.services.vouch-proxy.instances."${vouchDomain}".settings;
{ in {
options.hosts.plover.services.grafana.enable = options.hosts.plover.services.grafana.enable =
lib.mkEnableOption "monitoring dashboard for ${config.networking.hostName}"; lib.mkEnableOption "monitoring dashboard for ${config.networking.hostName}";
config = lib.mkIf cfg.enable (lib.mkMerge [ config = lib.mkIf cfg.enable (lib.mkMerge [
{ {
sops.secrets = state.ports.grafana.value = 3000;
let
grafanaFileAttributes = { sops.secrets = let
owner = config.users.users.grafana.name; grafanaFileAttributes = {
group = config.users.users.grafana.group; owner = config.users.users.grafana.name;
mode = "0400"; group = config.users.users.grafana.group;
}; mode = "0400";
in
foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
"grafana/database/password" = grafanaFileAttributes;
"grafana/users/admin/password" = grafanaFileAttributes;
}; };
in foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
"grafana/database/password" = grafanaFileAttributes;
"grafana/users/admin/password" = grafanaFileAttributes;
};
services.grafana = { services.grafana = {
enable = true; enable = true;
@ -44,8 +42,11 @@ in
}; };
database = rec { database = rec {
host = "127.0.0.1:${builtins.toString config.services.postgresql.port}"; host =
password = "$__file{${config.sops.secrets."grafana/database/password".path}}"; "127.0.0.1:${builtins.toString config.services.postgresql.port}";
password = "$__file{${
config.sops.secrets."grafana/database/password".path
}}";
type = "postgres"; type = "postgres";
name = "grafana"; name = "grafana";
user = name; user = name;
@ -58,12 +59,12 @@ in
security = { security = {
admin_email = config.security.acme.defaults.email; admin_email = config.security.acme.defaults.email;
admin_password = "$__file{${config.sops.secrets."grafana/users/admin/password".path}}"; admin_password = "$__file{${
config.sops.secrets."grafana/users/admin/password".path
}}";
cookie_secure = true; cookie_secure = true;
csrf_trusted_origins = [ csrf_trusted_origins =
vouchDomain [ vouchDomain "auth.${config.networking.domain}" ];
"auth.${config.networking.domain}"
];
strict_transport_security = true; strict_transport_security = true;
strict_transport_security_subdomains = true; strict_transport_security_subdomains = true;
}; };
@ -77,7 +78,7 @@ in
enable_gzip = true; enable_gzip = true;
enforce_domain = true; enforce_domain = true;
http_addr = "127.0.0.1"; http_addr = "127.0.0.1";
http_port = 3000; http_port = config.state.ports.grafana.value;
root_url = "${monitoringDomain}/grafana"; root_url = "${monitoringDomain}/grafana";
serve_from_sub_path = true; serve_from_sub_path = true;
}; };
@ -103,7 +104,9 @@ in
locations = { locations = {
"= /validate" = { "= /validate" = {
proxyPass = "http://${vouchSettings.vouch.listen}:${builtins.toString vouchSettings.vouch.port}"; proxyPass = "http://${vouchSettings.vouch.listen}:${
builtins.toString vouchSettings.vouch.port
}";
extraConfig = '' extraConfig = ''
proxy_pass_request_body off; proxy_pass_request_body off;
@ -133,27 +136,18 @@ in
zone services; zone services;
''; '';
servers = { servers = {
"localhost:${builtins.toString config.services.grafana.settings.server.http_port}" = { }; "localhost:${
builtins.toString config.services.grafana.settings.server.http_port
}" = { };
}; };
}; };
}) })
(lib.mkIf hostCfg.services.database.enable { (lib.mkIf hostCfg.services.database.enable {
# Setting up with secure schema usage pattern. services.postgresql = let
systemd.services.grafana = { grafanaDatabaseName = config.services.grafana.settings.database.name;
preStart = in {
let
psql = lib.getExe' config.services.postgresql.package "psql";
in
lib.mkBefore ''
# Setting up the appropriate schema for PostgreSQL secure schema usage.
${psql} -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${grafanaDatabaseUser};"
'';
};
# Setting up PostgreSQL with secure schema.
services.postgresql = {
ensureDatabases = [ grafanaDatabaseName ]; ensureDatabases = [ grafanaDatabaseName ];
ensureUsers = lib.singleton { ensureUsers = lib.singleton {
name = grafanaDatabaseName; name = grafanaDatabaseName;
@ -163,10 +157,14 @@ in
}) })
(lib.mkIf hostCfg.services.vouch-proxy.enable { (lib.mkIf hostCfg.services.vouch-proxy.enable {
systemd.services.grafana.serviceConfig.SupplementaryGroups = [ "vouch-proxy" ];
services.grafana.settings."auth.generic_oauth" = { services.grafana.settings."auth.generic_oauth" = {
api_url = authSubpath "oauth2/authorise"; api_url = authSubpath "oauth2/authorise";
client_id = "grafana"; client_id = "grafana";
client_secret = "$__file{${config.sops.secrets."vouch-proxy/domains/${config.networking.domain}/jwt-secret".path}"; client_secret = "$__file{${
config.sops.secrets."vouch-proxy/domains/${config.networking.domain}/jwt-secret".path
}}";
enabled = true; enabled = true;
name = "Kanidm"; name = "Kanidm";
oauth_url = authSubpath "ui/oauth2"; oauth_url = authSubpath "ui/oauth2";