Add Grafana to iron

2025-11-07 15:10:36 +01:00 · 2025-11-07 15:10:36 +01:00 · c7222d9500
commit c7222d9500
parent 4bf2bd7925
4 changed files with 153 additions and 3 deletions
--- a/hosts/iron/ports.nix
+++ b/hosts/iron/ports.nix
@ -5,6 +5,7 @@
    calibre-server.tcp = 8081;
    calibre-web.tcp = 8082;
    esphome.tcp = 6052;
    grafana.tcp = 3001;
    home-assistant.tcp = 8123;
    jellyfin.tcp = 8096;
    matrix-synapse.tcp = 8008;
--- a/hosts/iron/secrets.yaml
+++ b/hosts/iron/secrets.yaml
@ -23,6 +23,8 @@ prometheus:
        vodafone-station: ENC[AES256_GCM,data:eaFqYEuK3UU=,iv:BauymCkvj33TmZLyii367uVEc4Iq4GGcik4nbyT9Fpk=,tag:poB+qh5tAdv/dEt3WN6yVw==,type:str]
        unpoller: ENC[AES256_GCM,data:WI1oUKHW4ef4pBk+mGM=,iv:C1LykPf1/ypUmy3ZCQzjfSjkpxhUukDNnfJnZLp2CJg=,tag:mSnZJKl9IHcx7I7GpFherw==,type:str]
 tvproxy: ENC[AES256_GCM,data:MbXEmgerpUiwDgcUKF2y1+Cc+d43sKPfGGTEkvNoZFFS4rzDWw4Udg==,iv:ZDsfSb3HK008e7/J/61iqVRafIzKbtPEdhH7ixo9lSY=,tag:3JbJ+2DJKQ9G2ui6VuWbOw==,type:str]
 grafana:
    secret-key: ENC[AES256_GCM,data:RX0ox0r3Jwm9DMIfBnsL7ydarlrYSVBjbVXbooHR1Ms=,iv:l8Aud8VyGtz3dNARh6s8/Y6MBtc4xj1Wu/LLJv1e+KA=,tag:+7TFyRPhBS1Tvn2JLBEeAQ==,type:str]
 sops:
    age:
        - recipient: age1hx7fdu4mcha7kkxe7yevtvs6xgzgaafgenm3drhvr609wlj94sgqm497je
@ -34,8 +36,8 @@ sops:
            SU1USkxFUUY2NVhmUHBhZkdrNDR1Q0kKiXIicInELRjDR3tuyA+lnXeCcd9lYvbV
            GnBRGPM7BNO/6AA7HhAei48Kt+XE6+jQX66yTXyviKhK7Lpjrlb2YQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-23T17:32:09Z"
+    lastmodified: "2025-11-04T17:52:25Z"
-    mac: ENC[AES256_GCM,data:D4I6ayuLKBIxvEQopWXYHB/2fojEPn3oARU+9AiOrqX35Ue5BXZc08dmz+0J+RHjX5dA78xG6FGI3x4TtGeBwkMHeXwwwzRBuLDoGBGVngwLKvf21To6051A201EFqV7RKa5L8WruaJoeNLylH1K1B4nOrpv7G/81yCdpjmctQ0=,iv:QChpkOanDVj0PHykmA1MvDAYwiWawEmZ3h0s40U9joA=,tag:WluhQpBonORXgA9i01kTpw==,type:str]
+    mac: ENC[AES256_GCM,data:/q98uwoYJsPRLlWxxDn7gJQ0jRxlAfVxEmUw8ayP8gIkWzGN1DCR0jx2LFlSlWEuaPScThw5IhGxbBlBxX2wV952MC7tEoHAAMvMJberG1a6do8zSvotDHocdXVlyj4jJZhQvjUVAmeVsYBY3oRwOHdzis0JO5IW0hxgs3x+xoQ=,iv:9BR0ws9ZzukjxLpPjvl73B3RmLA+c9e7F3AVk5l0SGc=,tag:OJ/iGy/Umlj/82EtZxjLSg==,type:str]
    pgp:
        - created_at: "2024-01-31T01:20:30Z"
          enc: |-
@ -49,4 +51,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
    unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0
--- a/hosts/iron/services/default.nix
+++ b/hosts/iron/services/default.nix
@ -5,6 +5,7 @@
    ./dnsmasq.nix
    ./dyndns.nix
    ./esphome
    ./grafana.nix
    ./home-assistant.nix
    ./jellyfin
    ./mail.nix
--- a/hosts/iron/services/grafana.nix
+++ b/hosts/iron/services/grafana.nix
@ -0,0 +1,146 @@
 { config
 , lib
 , pkgs
 , ...
 }:
 let
  inherit (config.networking) ports;
  domain = "grafana.jalr.de";
  cfg = config.services.grafana;
 in
 {
  sops.secrets = {
    "grafana/secret-key" = {
      sopsFile = ../secrets.yaml;
      owner = config.systemd.services.grafana.serviceConfig.User;
    };
  };
  services.grafana = {
    enable = true;
    settings = {
      server = {
        inherit domain;
        root_url = "https://%(domain)s";
        http_addr = "127.0.0.1";
        http_port = ports.grafana.tcp;
      };
      security = {
        content_security_policy = true;
        cookie_samesite = "strict";
        cookie_secure = true;
        secret_key = "$__file{${config.sops.secrets."grafana/secret-key".path}}";
        strict_transport_security = true;
        strict_transport_security_preload = true;
        strict_transport_security_subdomains = true;
      };
      analytics = {
        reporting_enabled = false;
        check_for_updates = false;
        check_for_plugin_updates = false;
      };
    };
    provision = {
      datasources.settings = {
        apiVersion = 1;
        datasources = with config.services.prometheus;
          (
            lib.lists.optional enable {
              name = "Prometheus";
              type = "prometheus";
              url = "http://${listenAddress}:${toString port}";
              orgId = 1;
            }
          )
          ++ (with config.services.prometheus.alertmanager; (
            lib.lists.optional enable {
              name = "Alertmanager";
              type = "alertmanager";
              url = "http://${listenAddress}:${toString port}";
              orgId = 1;
            }
          ));
        deleteDatasources = [
          {
            name = "Prometheus";
            orgId = 1;
          }
          {
            name = "Alertmanager";
            orgId = 1;
          }
        ];
      };
      dashboards.settings.providers =
        let
          # https://grafana.com/grafana/dashboards/
          fetchDashboard =
            { name
            , hash
            , id
            , version
            ,
            }:
            pkgs.fetchurl {
              inherit name hash;
              url = "https://grafana.com/api/dashboards/${toString id}/revisions/${toString version}/download";
              recursiveHash = true;
              postFetch = ''
                mv "$out" temp
                mkdir -p "$out"
                mv temp "$out/${name}.json";
              '';
            };
          dashboard = name: fetchArgs: {
            inherit name;
            options.path = fetchDashboard fetchArgs;
          };
        in
        [
          (dashboard "Node Exporter Full"
            {
              name = "node-exporter-full";
              hash = "sha256-QTHG9ioy7E8U8O8x/qFabOxK2qBjlGlzuEvwYKug0CQ=";
              id = 1860;
              version = 36;
            })
          (dashboard "Node Exporter"
            {
              name = "node-exporter";
              hash = "sha256-2xgE0m3SUFiux501uCVb4aH3zGfapW/SmfxRsFC/514=";
              id = 13978;
              version = 2;
            })
          (dashboard "AlertManager"
            {
              name = "alertmanager";
              hash = "sha256-Yvw0DGQJpqBYNzE4ES/x7ZAYF7iJ4SUNBKB+sJRuGBw=";
              id = 9578;
              version = 4;
            })
        ];
    };
  };
  services.nginx.virtualHosts = {
    "${domain}" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://${cfg.settings.server.http_addr}:${toString cfg.settings.server.http_port}";
        proxyWebsockets = true;
        recommendedProxySettings = true;
      };
    };
  };
  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/grafana";
      user = "grafana";
      group = "grafana";
      mode = "u=rwx,g=,o=";
    }
  ];
 }