From c7222d950098a8eb00f51ab58805b9b2d575742b Mon Sep 17 00:00:00 2001
From: Jakob Lechner <mail@jalr.de>
Date: Fri, 7 Nov 2025 15:10:36 +0100
Subject: [PATCH] Add Grafana to iron

---
 hosts/iron/ports.nix            |   1 +
 hosts/iron/secrets.yaml         |   8 +-
 hosts/iron/services/default.nix |   1 +
 hosts/iron/services/grafana.nix | 146 ++++++++++++++++++++++++++++++++
 4 files changed, 153 insertions(+), 3 deletions(-)
 create mode 100644 hosts/iron/services/grafana.nix

diff --git a/hosts/iron/ports.nix b/hosts/iron/ports.nix
index 2b2b495..7a60b1f 100644
--- a/hosts/iron/ports.nix
+++ b/hosts/iron/ports.nix
@@ -5,6 +5,7 @@
     calibre-server.tcp = 8081;
     calibre-web.tcp = 8082;
     esphome.tcp = 6052;
+    grafana.tcp = 3001;
     home-assistant.tcp = 8123;
     jellyfin.tcp = 8096;
     matrix-synapse.tcp = 8008;
diff --git a/hosts/iron/secrets.yaml b/hosts/iron/secrets.yaml
index 90e5c61..3a51f2f 100644
--- a/hosts/iron/secrets.yaml
+++ b/hosts/iron/secrets.yaml
@@ -23,6 +23,8 @@ prometheus:
         vodafone-station: ENC[AES256_GCM,data:eaFqYEuK3UU=,iv:BauymCkvj33TmZLyii367uVEc4Iq4GGcik4nbyT9Fpk=,tag:poB+qh5tAdv/dEt3WN6yVw==,type:str]
         unpoller: ENC[AES256_GCM,data:WI1oUKHW4ef4pBk+mGM=,iv:C1LykPf1/ypUmy3ZCQzjfSjkpxhUukDNnfJnZLp2CJg=,tag:mSnZJKl9IHcx7I7GpFherw==,type:str]
 tvproxy: ENC[AES256_GCM,data:MbXEmgerpUiwDgcUKF2y1+Cc+d43sKPfGGTEkvNoZFFS4rzDWw4Udg==,iv:ZDsfSb3HK008e7/J/61iqVRafIzKbtPEdhH7ixo9lSY=,tag:3JbJ+2DJKQ9G2ui6VuWbOw==,type:str]
+grafana:
+    secret-key: ENC[AES256_GCM,data:RX0ox0r3Jwm9DMIfBnsL7ydarlrYSVBjbVXbooHR1Ms=,iv:l8Aud8VyGtz3dNARh6s8/Y6MBtc4xj1Wu/LLJv1e+KA=,tag:+7TFyRPhBS1Tvn2JLBEeAQ==,type:str]
 sops:
     age:
         - recipient: age1hx7fdu4mcha7kkxe7yevtvs6xgzgaafgenm3drhvr609wlj94sgqm497je
@@ -34,8 +36,8 @@ sops:
             SU1USkxFUUY2NVhmUHBhZkdrNDR1Q0kKiXIicInELRjDR3tuyA+lnXeCcd9lYvbV
             GnBRGPM7BNO/6AA7HhAei48Kt+XE6+jQX66yTXyviKhK7Lpjrlb2YQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-23T17:32:09Z"
-    mac: ENC[AES256_GCM,data:D4I6ayuLKBIxvEQopWXYHB/2fojEPn3oARU+9AiOrqX35Ue5BXZc08dmz+0J+RHjX5dA78xG6FGI3x4TtGeBwkMHeXwwwzRBuLDoGBGVngwLKvf21To6051A201EFqV7RKa5L8WruaJoeNLylH1K1B4nOrpv7G/81yCdpjmctQ0=,iv:QChpkOanDVj0PHykmA1MvDAYwiWawEmZ3h0s40U9joA=,tag:WluhQpBonORXgA9i01kTpw==,type:str]
+    lastmodified: "2025-11-04T17:52:25Z"
+    mac: ENC[AES256_GCM,data:/q98uwoYJsPRLlWxxDn7gJQ0jRxlAfVxEmUw8ayP8gIkWzGN1DCR0jx2LFlSlWEuaPScThw5IhGxbBlBxX2wV952MC7tEoHAAMvMJberG1a6do8zSvotDHocdXVlyj4jJZhQvjUVAmeVsYBY3oRwOHdzis0JO5IW0hxgs3x+xoQ=,iv:9BR0ws9ZzukjxLpPjvl73B3RmLA+c9e7F3AVk5l0SGc=,tag:OJ/iGy/Umlj/82EtZxjLSg==,type:str]
     pgp:
         - created_at: "2024-01-31T01:20:30Z"
           enc: |-
@@ -49,4 +51,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0
diff --git a/hosts/iron/services/default.nix b/hosts/iron/services/default.nix
index 6c0e206..29cd267 100644
--- a/hosts/iron/services/default.nix
+++ b/hosts/iron/services/default.nix
@@ -5,6 +5,7 @@
     ./dnsmasq.nix
     ./dyndns.nix
     ./esphome
+    ./grafana.nix
     ./home-assistant.nix
     ./jellyfin
     ./mail.nix
diff --git a/hosts/iron/services/grafana.nix b/hosts/iron/services/grafana.nix
new file mode 100644
index 0000000..15e1571
--- /dev/null
+++ b/hosts/iron/services/grafana.nix
@@ -0,0 +1,146 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+  inherit (config.networking) ports;
+  domain = "grafana.jalr.de";
+  cfg = config.services.grafana;
+in
+{
+  sops.secrets = {
+    "grafana/secret-key" = {
+      sopsFile = ../secrets.yaml;
+      owner = config.systemd.services.grafana.serviceConfig.User;
+    };
+  };
+
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        inherit domain;
+        root_url = "https://%(domain)s";
+        http_addr = "127.0.0.1";
+        http_port = ports.grafana.tcp;
+      };
+      security = {
+        content_security_policy = true;
+        cookie_samesite = "strict";
+        cookie_secure = true;
+        secret_key = "$__file{${config.sops.secrets."grafana/secret-key".path}}";
+        strict_transport_security = true;
+        strict_transport_security_preload = true;
+        strict_transport_security_subdomains = true;
+      };
+      analytics = {
+        reporting_enabled = false;
+        check_for_updates = false;
+        check_for_plugin_updates = false;
+      };
+    };
+    provision = {
+      datasources.settings = {
+        apiVersion = 1;
+        datasources = with config.services.prometheus;
+          (
+            lib.lists.optional enable {
+              name = "Prometheus";
+              type = "prometheus";
+              url = "http://${listenAddress}:${toString port}";
+              orgId = 1;
+            }
+          )
+          ++ (with config.services.prometheus.alertmanager; (
+            lib.lists.optional enable {
+              name = "Alertmanager";
+              type = "alertmanager";
+              url = "http://${listenAddress}:${toString port}";
+              orgId = 1;
+            }
+          ));
+        deleteDatasources = [
+          {
+            name = "Prometheus";
+            orgId = 1;
+          }
+          {
+            name = "Alertmanager";
+            orgId = 1;
+          }
+        ];
+      };
+
+      dashboards.settings.providers =
+        let
+          # https://grafana.com/grafana/dashboards/
+          fetchDashboard =
+            { name
+            , hash
+            , id
+            , version
+            ,
+            }:
+            pkgs.fetchurl {
+              inherit name hash;
+              url = "https://grafana.com/api/dashboards/${toString id}/revisions/${toString version}/download";
+              recursiveHash = true;
+              postFetch = ''
+                mv "$out" temp
+                mkdir -p "$out"
+                mv temp "$out/${name}.json";
+              '';
+            };
+          dashboard = name: fetchArgs: {
+            inherit name;
+            options.path = fetchDashboard fetchArgs;
+          };
+        in
+        [
+          (dashboard "Node Exporter Full"
+            {
+              name = "node-exporter-full";
+              hash = "sha256-QTHG9ioy7E8U8O8x/qFabOxK2qBjlGlzuEvwYKug0CQ=";
+              id = 1860;
+              version = 36;
+            })
+          (dashboard "Node Exporter"
+            {
+              name = "node-exporter";
+              hash = "sha256-2xgE0m3SUFiux501uCVb4aH3zGfapW/SmfxRsFC/514=";
+              id = 13978;
+              version = 2;
+            })
+          (dashboard "AlertManager"
+            {
+              name = "alertmanager";
+              hash = "sha256-Yvw0DGQJpqBYNzE4ES/x7ZAYF7iJ4SUNBKB+sJRuGBw=";
+              id = 9578;
+              version = 4;
+            })
+        ];
+    };
+  };
+  services.nginx.virtualHosts = {
+    "${domain}" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/" = {
+        proxyPass = "http://${cfg.settings.server.http_addr}:${toString cfg.settings.server.http_port}";
+        proxyWebsockets = true;
+        recommendedProxySettings = true;
+      };
+    };
+  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/grafana";
+      user = "grafana";
+      group = "grafana";
+      mode = "u=rwx,g=,o=";
+    }
+  ];
+}