feat(hosts/luna): implement basic monitoring

TODO: make grafana ingest data from prometheus
2024-01-31 23:37:28 -06:00 · 2024-01-31 23:37:28 -06:00 · d89b75d438
commit d89b75d438
parent 091ca7b4e0
6 changed files with 135 additions and 2 deletions
--- a/hosts/luna/modules/monitoring/grafana.nix
+++ b/hosts/luna/modules/monitoring/grafana.nix
@ -0,0 +1,27 @@
+{ config, pkgs, fqdn, ... }:
+let grafana_host = "grafana.${fqdn}";
+in {
+  services = {
+    grafana = {
+      enable = true;
+      settings.server = {
+        domain = "${grafana_host}";
+        http_addr = "127.0.0.1";
+        http_port = 2342;
+      };
+    };
+
+    nginx.virtualHosts."${grafana_host}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass =
+          "http://${config.services.grafana.settings.server.http_addr}:${
+            builtins.toString config.services.grafana.settings.server.http_port
+          }";
+        proxyWebsockets = true;
+        recommendedProxySettings = true;
+      };
+    };
+  };
+}
--- a/hosts/luna/modules/monitoring/prometheus.nix
+++ b/hosts/luna/modules/monitoring/prometheus.nix
@ -0,0 +1,92 @@
+{ config, fqdn, pkgs, ... }:
+let prometheus_host = "prometheus.${fqdn}";
+in {
+  services = {
+    prometheus = {
+      enable = true;
+      port = 9000;
+      scrapeConfigs = [{
+        job_name = "node-exporter";
+        static_configs = [{
+          targets = [
+            "127.0.0.1:${
+              toString config.services.prometheus.exporters.node.port
+            }"
+          ];
+        }];
+      }];
+      exporters = {
+        node = {
+          enable = true;
+          port = 9001;
+          enabledCollectors = [
+            "arp"
+            "bcache"
+            "btrfs"
+            "bonding"
+            "cpu"
+            "cpufreq"
+            "diskstats"
+            "edac"
+            "entropy"
+            "fibrechannel"
+            "filefd"
+            "filesystem"
+            "hwmon"
+            "ipvs"
+            "loadavg"
+            "meminfo"
+            "mdadm"
+            "netclass"
+            "netdev"
+            "netstat"
+            "nfs"
+            "nfsd"
+            "nvme"
+            "os"
+            "powersupplyclass"
+            "pressure"
+            "rapl"
+            "schedstat"
+            "sockstat"
+            "softnet"
+            "stat"
+            "thermal_zone"
+            "time"
+            "udp_queues"
+            "uname"
+            "vmstat"
+            "systemd"
+          ];
+        };
+      };
+    };
+
+    nginx = {
+      additionalModules = [ pkgs.nginxModules.pam ];
+      virtualHosts."${prometheus_host}" = {
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          auth_pam "Password Required";
+          auth_pam_service_name "nginx";
+        '';
+        locations."/" = {
+          proxyPass = "http://${config.services.prometheus.listenAddress}:${
+              builtins.toString config.services.prometheus.port
+            }";
+        };
+      };
+    };
+  };
+  security.pam.services.nginx.setEnvironment = false;
+  systemd.services.nginx.serviceConfig = {
+    SupplementaryGroups = [ "shadow" ];
+  };
+
+  environment.persistence.save.directories = [{
+    directory = "/var/lib/${config.services.prometheus.stateDir}";
+    user = "prometheus";
+    group = "prometheus";
+  }];
+}
--- a/hosts/luna/modules/users.nix
+++ b/hosts/luna/modules/users.nix
@ -2,11 +2,12 @@
 {
  security.sudo.wheelNeedsPassword = false;
  users.users = {
-    root.hashedPasswordFile = config.age.secrets.root-pw.path;
+    root.hashedPasswordFile = config.age.secrets.users-root-pw.path;
    price = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      shell = pkgs.bash;
+      hashedPasswordFile = config.age.secrets.users-price-pw.path;
      openssh.authorizedKeys.keys = [
        "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJ9ODXLAIfGH/7VNobQsp5nwBvNoh+pQMEH7s2jkHpkqAAAACHNzaDpsdW5h"
      ];
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -9,7 +9,8 @@ let
        secrets = "luna";
      in
      {
-        root-pw = "${secrets}/root-hash-pw.age";
+        users-root-pw = "${secrets}/users-root-pw.age";
+        users-price-pw = "${secrets}/users-price-pw.age";
        gitlab-runner-reg-config = "${secrets}/gitlab-runner-reg-config.age";
        gitea-db-pass = "${secrets}/gitea-db-pass.age";
        gitea-runner-token = "${secrets}/gitea-runner-token.age";
--- a/secrets/luna/users-price-pw.age
+++ b/secrets/luna/users-price-pw.age
@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBxWWpi
+V2c2RkxLanlGYjZ6L2dPYmRHRWwxK0Q0aVNCakNzdFdtZ0k4dW1vCjcrQmptaGgz
+SmpOb2RFTUlYM1ZWc2U2RkF5eGJzWkI3ekk5RTJXLytHYmcKLT4gcGl2LXAyNTYg
+ckpzMUhBIEF4enp2K0FvSFlEWWowT3JSaGV0Rkd6WTlrMlRlZUlhK1B0bFRyWkhD
+dTJ1CklMcFlLYTMwQ2YyZUdEaHZ2ZW10VEN0NCsxWGJQL2JvZG40NGtobVE0TXcK
+LT4gZmtMNilcfS1ncmVhc2UgI3ZZX243IEkrUSRdblp6IC8KTC9FRERrUGNLTlJs
+SEEKLS0tIFVHQlovUTVTMk9WY0NwN0cycjJEa0p1L0h0R1BpNFh4am5TVWp4WU5L
+eGcKXXflLkUPB2sSYVNl+4O1QsWXEKtBItZbM7RP+glsuWQfHJBY133UzVMgXTy0
+4yvEcD/ixQaKpSIkeOM+bz0IWjyU0y+zL8opR5xX0AMGJZfeNemIZAo8KpmQsoXC
+7U0McvbgHkfakV1ONxYCgurPZPDW97Mk146oyU9bE/amgKh2MvNM14RmY4y2uw==
+-----END AGE ENCRYPTED FILE-----
--- a/secrets/luna/users-root-pw.age
+++ b/secrets/luna/users-root-pw.age