From 11e159c7c9b5a63b9ac7d8f762f33213664f9545 Mon Sep 17 00:00:00 2001
From: Daniel Flanagan
Date: Wed, 11 Sep 2024 14:31:48 -0500
Subject: [PATCH] Hide prometheus

---
 nixos/beefcake.nix | 75 +++++++++++++++++++++++++++++++++++++++++++---
 nixos/router.nix | 2 ++
 2 files changed, 73 insertions(+), 4 deletions(-)

diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix
index 8f42d5d..d14604f 100644
--- a/nixos/beefcake.nix
+++ b/nixos/beefcake.nix
@@ -448,7 +448,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
 {
 # family storage
 systemd.tmpfiles.settings = {
- "10-backups" = {
+ "10-family" = {
 "/storage/family" = {
 "d" = {
 mode = "0770";
@@ -479,7 +479,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
 {
 # daniel augments
 systemd.tmpfiles.settings = {
- "10-backups" = {
+ "10-daniel" = {
 "/storage/daniel" = {
 "d" = {
 mode = "0700";
@@ -586,7 +586,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
 }
 {
 systemd.tmpfiles.settings = {
- "10-backups" = {
+ "10-postgres" = {
 "/storage/postgres" = {
 "d" = {
 mode = "0750";
@@ -676,7 +676,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
 openssh.authorizedKeys.keys = [] ++ config.users.users.daniel.openssh.authorizedKeys.keys;
 };
 systemd.tmpfiles.settings = {
- "10-caddy" = {
+ "10-backups-local" = {
 "/storage/backups/local" = {
 "d" = {
 mode = "0750";
@@ -1441,6 +1441,73 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
 extraConfig = ''reverse_proxy :${toString config.services.audiobookshelf.port}'';
 };
 }
+ {
+ # prometheus
+ services.restic.commonPaths = [
+ # TODO: do I want this backed up?
+ # "/var/lib/prometheus"
+ ];
+ services.prometheus = {
+ enable = true;
+ checkConfig = true;
+ listenAddress = "127.0.0.1";
+ port = 9090;
+ exporters = {
+ postgres = {
+ enable = true;
+ # runAsLocalSuperUser = true;
+ };
+ };
+ # alertmanager.enable = true; # grafana for alerts?
+ };
+ # services.node-exporter.enable = true; # TODO: node-exporter?
+ # TODO: exporters.zfs?
+ # TODO: promtail?
+ # idrac exporter?
+ # restic exporter?
+ # smartctl exporter?
+ # systemd exporter?
+ # NOTE: we probably don't want this exposed
+ # services.caddy.virtualHosts."prometheus.h.lyte.dev" = {
+ # extraConfig = ''reverse_proxy :${toString config.services.prometheus.port}'';
+ # };
+ }
+ {
+ # grafana
+ systemd.tmpfiles.settings = {
+ "10-grafana" = {
+ "/storage/grafana" = {
+ "d" = {
+ mode = "0750";
+ user = "root";
+ group = "family";
+ };
+ };
+ };
+ };
+ services.restic.commonPaths = [
+ # TODO: do I want this backed up?
+ # "/storage/grafana"
+ ];
+ services.grafana = {
+ enable = true;
+ dataDir = "/storage/grafana";
+ provision = {
+ enable = true;
+ };
+ settings = {
+ server = {
+ http_port = 3814;
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [
+ 9000
+ ];
+ services.caddy.virtualHosts."grafana.h.lyte.dev" = {
+ extraConfig = ''reverse_proxy :${toString config.services.grafana.settings.server.http_port}'';
+ };
+ }
 ];
 
 # TODO: non-root processes and services that access secrets need to be part of
diff --git a/nixos/router.nix b/nixos/router.nix
index 3dca964..084fbd7 100644
--- a/nixos/router.nix
+++ b/nixos/router.nix
@@ -55,6 +55,8 @@
 "files.lyte.dev"
 "vpn.h.lyte.dev"
 "atuin.h.lyte.dev"
+ "grafana.h.lyte.dev"
+ "prometheus.h.lyte.dev"
 "a.lyte.dev"
 ];
 };
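Review bot: `networking.firewall.allowedTCPPorts = [ 9000 ];` in the grafana attrset opens a port that nothing in this hunk listens on — Grafana is set to `http_port = 3814` and is reached through the Caddy virtual host, and Prometheus is bound to `127.0.0.1:9090`, so unless 9000 belongs to something configured elsewhere the line should be dropped or annotated, e.g. `9000 # <service this is for>`. Separately, `services.prometheus` is enabled with the postgres exporter but no `scrapeConfigs`, so as far as this hunk shows nothing is ever scraped; and the exporter's own listen address is left at its default, so it may bind more widely than the loopback-only Prometheus it feeds — `exporters.postgres.listenAddress = "127.0.0.1";` would match the commit's stated goal of keeping the metrics stack off the network. The list these two attrsets are appended to opens before the hunk.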
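Review bot: `"prometheus.h.lyte.dev"` is added to this list even though the commit binds Prometheus to loopback and leaves its Caddy virtual host commented out, so the name is now published for a host that serves nothing under it. If the intent is to reserve the name for later, a comment such as `# prometheus vhost is disabled on beefcake; name reserved` next to it would keep the next reader from assuming it is live; otherwise only `"grafana.h.lyte.dev"` belongs here. What this list feeds (DNS, certificates, or a proxy allow-list) is not visible in the hunk, and the enclosing attrset starts before it, so the impact is inferred.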