Diffstat (limited to 'modules/nixos/grafana.nix')
-rw-r--r--modules/nixos/grafana.nix119
1 files changed, 119 insertions, 0 deletions
diff --git a/modules/nixos/grafana.nix b/modules/nixos/grafana.nix
new file mode 100644
index 0000000..a614502
--- /dev/null
+++ b/modules/nixos/grafana.nix
@@ -0,0 +1,119 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.grafana;
+in {
+ options.nixfiles.modules.grafana = {
+ enable = mkEnableOption "Grafana";
+
+ port = mkOption {
+ description = "Port.";
+ type = with types; port;
+ default = 30101;
+ };
+
+ domain = mkOption {
+ description = "Domain name sans protocol scheme.";
+ type = with types; nullOr str;
+ default = "grafana.${config.networking.domain}";
+ };
+ };
+
+ config = let
+ db = "grafana";
+ in
+ mkIf cfg.enable {
+ secrets = {
+ grafana-key = {
+ file = "${inputs.self}/secrets/grafana-key";
+ owner = "grafana";
+ group = "grafana";
+ };
+ grafana-admin-password = {
+ file = "${inputs.self}/secrets/grafana-admin-password";
+ owner = "grafana";
+ group = "grafana";
+ };
+ grafana-smtp-password = {
+ file = "${inputs.self}/secrets/grafana-smtp-password";
+ owner = "grafana";
+ group = "grafana";
+ };
+ };
+
+ nixfiles.modules = {
+ nginx = {
+ enable = true;
+ upstreams.grafana.servers."127.0.0.1:${toString cfg.port}" = {};
+ virtualHosts.${cfg.domain} = {
+ locations."/" = {
+ proxyPass = "http://grafana";
+ proxyWebsockets = true;
+ };
+ extraConfig = nginxInternalOnly;
+ };
+ };
+ postgresql = {
+ enable = true;
+ extraPostStart = [
+ ''
+ $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
+ ''
+ ];
+ };
+ };
+
+ services = {
+ grafana = {
+ enable = true;
+
+ settings = {
+ server = with cfg; {
+ protocol = "http";
+ http_addr = "127.0.0.1";
+ http_port = port;
+ inherit domain;
+ enable_gzip = true;
+ };
+ database = {
+ type = "postgres";
+ host = "/run/postgresql";
+ name = db;
+ user = db;
+ };
+ smtp = {
+ enable = true;
+ user = "azahi@shire.me";
+ host = my.domain.shire;
+ password = "$__file{${config.secrets.grafana-smtp-password.path}}";
+ };
+ user = {
+ allow_org_create = false;
+ allow_sign_up = false;
+ auto_assign_org = false;
+ auto_assign_org_role = "Viewer";
+ };
+ security = with config.secrets; {
+ secret_key = grafana-key.path;
+ admin_password = grafana-admin-password.path;
+ };
+ analytics.reporting_enable = false;
+ };
+ };
+
+ postgresql = {
+ ensureDatabases = [db];
+ ensureUsers = [
+ {
+ name = db;
+ ensurePermissions."DATABASE \"${db}\"" = "ALL";
+ }
+ ];
+ };
+ };
+ };
+}
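Review bot: In the `security` block, `secret_key` and `admin_password` are assigned `grafana-key.path` and `grafana-admin-password.path` directly, so Grafana would receive the literal path strings as its signing key and admin password rather than the contents of the secret files, and both values become predictable from the configuration. The `smtp.password` line a few lines above already uses Grafana's file provider, and the same form should be used here: `secret_key = "$__file{${grafana-key.path}}";` and `admin_password = "$__file{${grafana-admin-password.path}}";`. Separately, Grafana's SMTP section key is `enabled`, so `smtp.enable = true` likely has no effect; this is worth confirming against the rendered grafana.ini.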