jalr/nixos-configuration
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add Grafana to iron

Browse source
This commit is contained in:
Jakob Lechner 2025-11-07 15:10:36 +01:00
parent 4bf2bd7925
commit c7222d9500
4 changed files with 153 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

1
hosts/iron/ports.nix
View file

@ -5,6 +5,7 @@
calibre-server.tcp = 8081;
calibre-web.tcp = 8082;
esphome.tcp = 6052;
grafana.tcp = 3001;
home-assistant.tcp = 8123;
jellyfin.tcp = 8096;
matrix-synapse.tcp = 8008;

8
hosts/iron/secrets.yaml
View file

@ -23,6 +23,8 @@ prometheus:
vodafone-station: ENC[AES256_GCM,data:eaFqYEuK3UU=,iv:BauymCkvj33TmZLyii367uVEc4Iq4GGcik4nbyT9Fpk=,tag:poB+qh5tAdv/dEt3WN6yVw==,type:str]
unpoller: ENC[AES256_GCM,data:WI1oUKHW4ef4pBk+mGM=,iv:C1LykPf1/ypUmy3ZCQzjfSjkpxhUukDNnfJnZLp2CJg=,tag:mSnZJKl9IHcx7I7GpFherw==,type:str]
tvproxy: ENC[AES256_GCM,data:MbXEmgerpUiwDgcUKF2y1+Cc+d43sKPfGGTEkvNoZFFS4rzDWw4Udg==,iv:ZDsfSb3HK008e7/J/61iqVRafIzKbtPEdhH7ixo9lSY=,tag:3JbJ+2DJKQ9G2ui6VuWbOw==,type:str]
grafana:
secret-key: ENC[AES256_GCM,data:RX0ox0r3Jwm9DMIfBnsL7ydarlrYSVBjbVXbooHR1Ms=,iv:l8Aud8VyGtz3dNARh6s8/Y6MBtc4xj1Wu/LLJv1e+KA=,tag:+7TFyRPhBS1Tvn2JLBEeAQ==,type:str]
sops:
age:
- recipient: age1hx7fdu4mcha7kkxe7yevtvs6xgzgaafgenm3drhvr609wlj94sgqm497je
@ -34,8 +36,8 @@ sops:
SU1USkxFUUY2NVhmUHBhZkdrNDR1Q0kKiXIicInELRjDR3tuyA+lnXeCcd9lYvbV
GnBRGPM7BNO/6AA7HhAei48Kt+XE6+jQX66yTXyviKhK7Lpjrlb2YQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-23T17:32:09Z"
mac: ENC[AES256_GCM,data:D4I6ayuLKBIxvEQopWXYHB/2fojEPn3oARU+9AiOrqX35Ue5BXZc08dmz+0J+RHjX5dA78xG6FGI3x4TtGeBwkMHeXwwwzRBuLDoGBGVngwLKvf21To6051A201EFqV7RKa5L8WruaJoeNLylH1K1B4nOrpv7G/81yCdpjmctQ0=,iv:QChpkOanDVj0PHykmA1MvDAYwiWawEmZ3h0s40U9joA=,tag:WluhQpBonORXgA9i01kTpw==,type:str]
lastmodified: "2025-11-04T17:52:25Z"
mac: ENC[AES256_GCM,data:/q98uwoYJsPRLlWxxDn7gJQ0jRxlAfVxEmUw8ayP8gIkWzGN1DCR0jx2LFlSlWEuaPScThw5IhGxbBlBxX2wV952MC7tEoHAAMvMJberG1a6do8zSvotDHocdXVlyj4jJZhQvjUVAmeVsYBY3oRwOHdzis0JO5IW0hxgs3x+xoQ=,iv:9BR0ws9ZzukjxLpPjvl73B3RmLA+c9e7F3AVk5l0SGc=,tag:OJ/iGy/Umlj/82EtZxjLSg==,type:str]
pgp:
- created_at: "2024-01-31T01:20:30Z"
enc: |-
@ -49,4 +51,4 @@ sops:
-----END PGP MESSAGE-----
fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
unencrypted_suffix: _unencrypted
version: 3.10.2
version: 3.11.0

1
hosts/iron/services/default.nix
View file

@ -5,6 +5,7 @@
./dnsmasq.nix
./dyndns.nix
./esphome
./grafana.nix
./home-assistant.nix
./jellyfin
./mail.nix

146
hosts/iron/services/grafana.nix Normal file
View file

@ -0,0 +1,146 @@
{ config
, lib
, pkgs
, ...
}:
let
inherit (config.networking) ports;
domain = "grafana.jalr.de";
cfg = config.services.grafana;
in
{
sops.secrets = {
"grafana/secret-key" = {
sopsFile = ../secrets.yaml;
owner = config.systemd.services.grafana.serviceConfig.User;
};
};
services.grafana = {
enable = true;
settings = {
server = {
inherit domain;
root_url = "https://%(domain)s";
http_addr = "127.0.0.1";
http_port = ports.grafana.tcp;
};
security = {
content_security_policy = true;
cookie_samesite = "strict";
cookie_secure = true;
secret_key = "$__file{${config.sops.secrets."grafana/secret-key".path}}";
strict_transport_security = true;
strict_transport_security_preload = true;
strict_transport_security_subdomains = true;
};
analytics = {
reporting_enabled = false;
check_for_updates = false;
check_for_plugin_updates = false;
};
};
provision = {
datasources.settings = {
apiVersion = 1;
datasources = with config.services.prometheus;
(
lib.lists.optional enable {
name = "Prometheus";
type = "prometheus";
url = "http://${listenAddress}:${toString port}";
orgId = 1;
}
)
++ (with config.services.prometheus.alertmanager; (
lib.lists.optional enable {
name = "Alertmanager";
type = "alertmanager";
url = "http://${listenAddress}:${toString port}";
orgId = 1;
}
));
deleteDatasources = [
{
name = "Prometheus";
orgId = 1;
}
{
name = "Alertmanager";
orgId = 1;
}
];
};
dashboards.settings.providers =
let
# https://grafana.com/grafana/dashboards/
fetchDashboard =
{ name
, hash
, id
, version
,
}:
pkgs.fetchurl {
inherit name hash;
url = "https://grafana.com/api/dashboards/${toString id}/revisions/${toString version}/download";
recursiveHash = true;
postFetch = ''
mv "$out" temp
mkdir -p "$out"
mv temp "$out/${name}.json";
'';
};
dashboard = name: fetchArgs: {
inherit name;
options.path = fetchDashboard fetchArgs;
};
in
[
(dashboard "Node Exporter Full"
{
name = "node-exporter-full";
hash = "sha256-QTHG9ioy7E8U8O8x/qFabOxK2qBjlGlzuEvwYKug0CQ=";
id = 1860;
version = 36;
})
(dashboard "Node Exporter"
{
name = "node-exporter";
hash = "sha256-2xgE0m3SUFiux501uCVb4aH3zGfapW/SmfxRsFC/514=";
id = 13978;
version = 2;
})
(dashboard "AlertManager"
{
name = "alertmanager";
hash = "sha256-Yvw0DGQJpqBYNzE4ES/x7ZAYF7iJ4SUNBKB+sJRuGBw=";
id = 9578;
version = 4;
})
];
};
};
services.nginx.virtualHosts = {
"${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${cfg.settings.server.http_addr}:${toString cfg.settings.server.http_port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
};
environment.persistence."/persist".directories = [
{
directory = "/var/lib/grafana";
user = "grafana";
group = "grafana";
mode = "u=rwx,g=,o=";
}
];
}