From e6ed60548397627bf10f561f9438201dbba0a36e Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Sun, 21 Apr 2024 02:15:42 +0300
Subject: 2024-04-21
---
modules/grafana.nix | 125 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 125 insertions(+)
create mode 100644 modules/grafana.nix
(limited to 'modules/grafana.nix')
diff --git a/modules/grafana.nix b/modules/grafana.nix
new file mode 100644
index 0000000..233c9e5
--- /dev/null
+++ b/modules/grafana.nix
@@ -0,0 +1,125 @@
+{
+ config,
+ inputs,
+ lib,
+ libNginx,
+ ...
+}:
+with lib;
+let
+ cfg = config.nixfiles.modules.grafana;
+in
+{
+ options.nixfiles.modules.grafana = {
+ enable = mkEnableOption "Grafana";
+
+ port = mkOption {
+ description = "Port.";
+ type = with types; port;
+ default = 30101;
+ };
+
+ domain = mkOption {
+ description = "Domain name sans protocol scheme.";
+ type = with types; nullOr str;
+ default = "grafana.${config.networking.domain}";
+ };
+ };
+
+ config =
+ let
+ db = "grafana";
+ in
+ mkIf cfg.enable {
+ ark.directories = [ config.services.grafana.dataDir ];
+
+ secrets = {
+ grafana-key = {
+ file = "${inputs.self}/secrets/grafana-key";
+ owner = "grafana";
+ group = "grafana";
+ };
+ grafana-admin-password = {
+ file = "${inputs.self}/secrets/grafana-admin-password";
+ owner = "grafana";
+ group = "grafana";
+ };
+ grafana-smtp-password = {
+ file = "${inputs.self}/secrets/smtp-password";
+ owner = "grafana";
+ group = "grafana";
+ };
+ };
+
+ nixfiles.modules = {
+ nginx = {
+ enable = true;
+ upstreams.grafana.servers."127.0.0.1:${toString cfg.port}" = { };
+ virtualHosts.${cfg.domain} = {
+ locations."/" = {
+ proxyPass = "http://grafana";
+ proxyWebsockets = true;
+ };
+ extraConfig = libNginx.config.internalOnly;
+ };
+ };
+ postgresql = {
+ enable = true;
+ extraPostStart = [
+ ''
+ $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
+ ''
+ ];
+ };
+ };
+
+ services = {
+ grafana = {
+ enable = true;
+
+ settings = {
+ server = with cfg; {
+ protocol = "http";
+ http_addr = "127.0.0.1";
+ http_port = port;
+ inherit domain;
+ enable_gzip = true;
+ };
+ database = {
+ type = "postgres";
+ host = "/run/postgresql";
+ name = db;
+ user = db;
+ };
+ smtp = {
+ enable = true;
+ user = "azahi@shire.net";
+ host = my.domain.shire;
+ password = "$__file{${config.secrets.grafana-smtp-password.path}}";
+ };
+ user = {
+ allow_org_create = false;
+ allow_sign_up = false;
+ auto_assign_org = false;
+ auto_assign_org_role = "Viewer";
+ };
+ security = with config.secrets; {
+ secret_key = "$__file{${grafana-key.path}}";
+ admin_password = "$__file{${grafana-admin-password.path}}";
+ };
+ analytics.reporting_enable = false;
+ };
+ };
+
+ postgresql = {
+ ensureDatabases = [ db ];
+ ensureUsers = [
+ {
+ name = db;
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+ };
+ };
+}
-- 
cgit v1.2.3
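Review bot: The `server` settings set `protocol`, `domain` and `http_port` but no `root_url`, so Grafana will build its external URL from those three values (`http://<domain>:30101/`) rather than from the nginx virtual host that fronts it; with `smtp.enable = true` that URL ends up in mailed links. I would add `root_url = "https://${domain}/";` next to `inherit domain;` and, assuming the vhost terminates TLS (not visible in this hunk), `cookie_secure = true;` under `security` so the session cookie is only sent over HTTPS. Separately, `domain` is declared `nullOr str` yet is used as the `virtualHosts.${cfg.domain}` attribute name; as far as I can tell a null there would silently drop the vhost instead of failing evaluation, so `types.str` looks like the safer type.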