feat(hosts/luna): implement basic monitoring

TODO: make grafana ingest data from prometheus
2024-01-31 23:37:28 -06:00 · 2024-01-31 23:37:28 -06:00 · d89b75d438
commit d89b75d438
parent 091ca7b4e0
6 changed files with 135 additions and 2 deletions
--- a/hosts/luna/modules/monitoring/grafana.nix
+++ b/hosts/luna/modules/monitoring/grafana.nix
@ -0,0 +1,27 @@
 { config, pkgs, fqdn, ... }:
 let grafana_host = "grafana.${fqdn}";
 in {
  services = {
    grafana = {
      enable = true;
      settings.server = {
        domain = "${grafana_host}";
        http_addr = "127.0.0.1";
        http_port = 2342;
      };
    };
    nginx.virtualHosts."${grafana_host}" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass =
          "http://${config.services.grafana.settings.server.http_addr}:${
            builtins.toString config.services.grafana.settings.server.http_port
          }";
        proxyWebsockets = true;
        recommendedProxySettings = true;
      };
    };
  };
 }
--- a/hosts/luna/modules/monitoring/prometheus.nix
+++ b/hosts/luna/modules/monitoring/prometheus.nix
@ -0,0 +1,92 @@
 { config, fqdn, pkgs, ... }:
 let prometheus_host = "prometheus.${fqdn}";
 in {
  services = {
    prometheus = {
      enable = true;
      port = 9000;
      scrapeConfigs = [{
        job_name = "node-exporter";
        static_configs = [{
          targets = [
            "127.0.0.1:${
              toString config.services.prometheus.exporters.node.port
            }"
          ];
        }];
      }];
      exporters = {
        node = {
          enable = true;
          port = 9001;
          enabledCollectors = [
            "arp"
            "bcache"
            "btrfs"
            "bonding"
            "cpu"
            "cpufreq"
            "diskstats"
            "edac"
            "entropy"
            "fibrechannel"
            "filefd"
            "filesystem"
            "hwmon"
            "ipvs"
            "loadavg"
            "meminfo"
            "mdadm"
            "netclass"
            "netdev"
            "netstat"
            "nfs"
            "nfsd"
            "nvme"
            "os"
            "powersupplyclass"
            "pressure"
            "rapl"
            "schedstat"
            "sockstat"
            "softnet"
            "stat"
            "thermal_zone"
            "time"
            "udp_queues"
            "uname"
            "vmstat"
            "systemd"
          ];
        };
      };
    };
    nginx = {
      additionalModules = [ pkgs.nginxModules.pam ];
      virtualHosts."${prometheus_host}" = {
        enableACME = true;
        forceSSL = true;
        extraConfig = ''
          auth_pam "Password Required";
          auth_pam_service_name "nginx";
        '';
        locations."/" = {
          proxyPass = "http://${config.services.prometheus.listenAddress}:${
              builtins.toString config.services.prometheus.port
            }";
        };
      };
    };
  };
  security.pam.services.nginx.setEnvironment = false;
  systemd.services.nginx.serviceConfig = {
    SupplementaryGroups = [ "shadow" ];
  };
  environment.persistence.save.directories = [{
    directory = "/var/lib/${config.services.prometheus.stateDir}";
    user = "prometheus";
    group = "prometheus";
  }];
 }
--- a/hosts/luna/modules/users.nix
+++ b/hosts/luna/modules/users.nix
@ -2,11 +2,12 @@
 {
  security.sudo.wheelNeedsPassword = false;
  users.users = {
-    root.hashedPasswordFile = config.age.secrets.root-pw.path;
+    root.hashedPasswordFile = config.age.secrets.users-root-pw.path;
    price = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      shell = pkgs.bash;
      hashedPasswordFile = config.age.secrets.users-price-pw.path;
      openssh.authorizedKeys.keys = [
        "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJ9ODXLAIfGH/7VNobQsp5nwBvNoh+pQMEH7s2jkHpkqAAAACHNzaDpsdW5h"
      ];
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -9,7 +9,8 @@ let
        secrets = "luna";
      in
      {
-        root-pw = "${secrets}/root-hash-pw.age";
+        users-root-pw = "${secrets}/users-root-pw.age";
        users-price-pw = "${secrets}/users-price-pw.age";
        gitlab-runner-reg-config = "${secrets}/gitlab-runner-reg-config.age";
        gitea-db-pass = "${secrets}/gitea-db-pass.age";
        gitea-runner-token = "${secrets}/gitea-runner-token.age";
--- a/secrets/luna/users-price-pw.age
+++ b/secrets/luna/users-price-pw.age
@ -0,0 +1,12 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBxWWpi
 V2c2RkxLanlGYjZ6L2dPYmRHRWwxK0Q0aVNCakNzdFdtZ0k4dW1vCjcrQmptaGgz
 SmpOb2RFTUlYM1ZWc2U2RkF5eGJzWkI3ekk5RTJXLytHYmcKLT4gcGl2LXAyNTYg
 ckpzMUhBIEF4enp2K0FvSFlEWWowT3JSaGV0Rkd6WTlrMlRlZUlhK1B0bFRyWkhD
 dTJ1CklMcFlLYTMwQ2YyZUdEaHZ2ZW10VEN0NCsxWGJQL2JvZG40NGtobVE0TXcK
 LT4gZmtMNilcfS1ncmVhc2UgI3ZZX243IEkrUSRdblp6IC8KTC9FRERrUGNLTlJs
 SEEKLS0tIFVHQlovUTVTMk9WY0NwN0cycjJEa0p1L0h0R1BpNFh4am5TVWp4WU5L
 eGcKXXflLkUPB2sSYVNl+4O1QsWXEKtBItZbM7RP+glsuWQfHJBY133UzVMgXTy0
 4yvEcD/ixQaKpSIkeOM+bz0IWjyU0y+zL8opR5xX0AMGJZfeNemIZAo8KpmQsoXC
 7U0McvbgHkfakV1ONxYCgurPZPDW97Mk146oyU9bE/amgKh2MvNM14RmY4y2uw==
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/luna/users-root-pw.age
+++ b/secrets/luna/users-root-pw.age