feat(hosts/luna): implement basic monitoring

TODO: make grafana ingest data from prometheus
This commit is contained in:
Price Hiller 2024-01-31 23:37:28 -06:00
parent 091ca7b4e0
commit d89b75d438
Signed by: Price
SSH Key Fingerprint: SHA256:Y4S9ZzYphRn1W1kbJerJFO6GGsfu9O70VaBSxJO7dF8
6 changed files with 135 additions and 2 deletions

View File

@ -0,0 +1,27 @@
{ config, pkgs, fqdn, ... }:
let grafana_host = "grafana.${fqdn}";
in {
services = {
grafana = {
enable = true;
settings.server = {
domain = "${grafana_host}";
http_addr = "127.0.0.1";
http_port = 2342;
};
};
nginx.virtualHosts."${grafana_host}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass =
"http://${config.services.grafana.settings.server.http_addr}:${
builtins.toString config.services.grafana.settings.server.http_port
}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
};
}

View File

@ -0,0 +1,92 @@
{ config, fqdn, pkgs, ... }:
let prometheus_host = "prometheus.${fqdn}";
in {
services = {
prometheus = {
enable = true;
port = 9000;
scrapeConfigs = [{
job_name = "node-exporter";
static_configs = [{
targets = [
"127.0.0.1:${
toString config.services.prometheus.exporters.node.port
}"
];
}];
}];
exporters = {
node = {
enable = true;
port = 9001;
enabledCollectors = [
"arp"
"bcache"
"btrfs"
"bonding"
"cpu"
"cpufreq"
"diskstats"
"edac"
"entropy"
"fibrechannel"
"filefd"
"filesystem"
"hwmon"
"ipvs"
"loadavg"
"meminfo"
"mdadm"
"netclass"
"netdev"
"netstat"
"nfs"
"nfsd"
"nvme"
"os"
"powersupplyclass"
"pressure"
"rapl"
"schedstat"
"sockstat"
"softnet"
"stat"
"thermal_zone"
"time"
"udp_queues"
"uname"
"vmstat"
"systemd"
];
};
};
};
nginx = {
additionalModules = [ pkgs.nginxModules.pam ];
virtualHosts."${prometheus_host}" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
auth_pam "Password Required";
auth_pam_service_name "nginx";
'';
locations."/" = {
proxyPass = "http://${config.services.prometheus.listenAddress}:${
builtins.toString config.services.prometheus.port
}";
};
};
};
};
security.pam.services.nginx.setEnvironment = false;
systemd.services.nginx.serviceConfig = {
SupplementaryGroups = [ "shadow" ];
};
environment.persistence.save.directories = [{
directory = "/var/lib/${config.services.prometheus.stateDir}";
user = "prometheus";
group = "prometheus";
}];
}

View File

@ -2,11 +2,12 @@
{
security.sudo.wheelNeedsPassword = false;
users.users = {
root.hashedPasswordFile = config.age.secrets.root-pw.path;
root.hashedPasswordFile = config.age.secrets.users-root-pw.path;
price = {
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.bash;
hashedPasswordFile = config.age.secrets.users-price-pw.path;
openssh.authorizedKeys.keys = [
"no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJ9ODXLAIfGH/7VNobQsp5nwBvNoh+pQMEH7s2jkHpkqAAAACHNzaDpsdW5h"
];

View File

@ -9,7 +9,8 @@ let
secrets = "luna";
in
{
root-pw = "${secrets}/root-hash-pw.age";
users-root-pw = "${secrets}/users-root-pw.age";
users-price-pw = "${secrets}/users-price-pw.age";
gitlab-runner-reg-config = "${secrets}/gitlab-runner-reg-config.age";
gitea-db-pass = "${secrets}/gitea-db-pass.age";
gitea-runner-token = "${secrets}/gitea-runner-token.age";

View File

@ -0,0 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBxWWpi
V2c2RkxLanlGYjZ6L2dPYmRHRWwxK0Q0aVNCakNzdFdtZ0k4dW1vCjcrQmptaGgz
SmpOb2RFTUlYM1ZWc2U2RkF5eGJzWkI3ekk5RTJXLytHYmcKLT4gcGl2LXAyNTYg
ckpzMUhBIEF4enp2K0FvSFlEWWowT3JSaGV0Rkd6WTlrMlRlZUlhK1B0bFRyWkhD
dTJ1CklMcFlLYTMwQ2YyZUdEaHZ2ZW10VEN0NCsxWGJQL2JvZG40NGtobVE0TXcK
LT4gZmtMNilcfS1ncmVhc2UgI3ZZX243IEkrUSRdblp6IC8KTC9FRERrUGNLTlJs
SEEKLS0tIFVHQlovUTVTMk9WY0NwN0cycjJEa0p1L0h0R1BpNFh4am5TVWp4WU5L
eGcKXXflLkUPB2sSYVNl+4O1QsWXEKtBItZbM7RP+glsuWQfHJBY133UzVMgXTy0
4yvEcD/ixQaKpSIkeOM+bz0IWjyU0y+zL8opR5xX0AMGJZfeNemIZAo8KpmQsoXC
7U0McvbgHkfakV1ONxYCgurPZPDW97Mk146oyU9bE/amgKh2MvNM14RmY4y2uw==
-----END AGE ENCRYPTED FILE-----