From eb6eebde166112397e8711a16a8618a52ecbcaca Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Wed, 22 Mar 2023 15:20:22 +0300
Subject: 2023-03-22
---
 modules/nixos/default.nix | 2 +
 modules/nixos/monitoring/default.nix | 154 ++++++++++++++++++-----------------
 modules/nixos/nsd.nix | 3 +-
 modules/nixos/ntfy.nix | 57 +++++++++++++
 modules/nixos/redis.nix | 36 ++++++++
 modules/nixos/unbound.nix | 39 +++------
 modules/nixos/victoriametrics.nix | 46 +++++++++++
 7 files changed, 233 insertions(+), 104 deletions(-)
 create mode 100644 modules/nixos/ntfy.nix
 create mode 100644 modules/nixos/redis.nix
 create mode 100644 modules/nixos/victoriametrics.nix
(limited to 'modules/nixos')
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 269ce39..3c4192d 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -36,6 +36,7 @@ _: {
 ./nginx.nix
 ./node-exporter.nix
 ./nsd.nix
+ ./ntfy.nix
 ./nullmailer.nix
 ./openssh.nix
 ./podman.nix
@@ -46,6 +47,7 @@ _: {
 ./psd.nix
 ./radarr.nix
 ./radicale.nix
+ ./redis.nix
 ./rss-bridge.nix
 ./rtorrent.nix
 ./searx.nix
diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix
index 1108be6..6cdc2c9 100644
--- a/modules/nixos/monitoring/default.nix
+++ b/modules/nixos/monitoring/default.nix
@@ -1,78 +1,93 @@ { config, lib, + pkgs, ... }: with lib; let cfg = config.nixfiles.modules.monitoring; in { options.nixfiles.modules.monitoring.enable = mkEnableOption '' - a custom monitoring stack bas on the Grafana Labs toolkit + a glue to provision a monitoring stack ''; config = mkIf cfg.enable { nixfiles.modules = { + alertmanager.enable = true; grafana.enable = true; loki.enable = true; prometheus.enable = true; - alertmanager.enable = true; }; services = { - grafana.provision = { - enable = true; - - # https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources - datasources.settings.datasources = with config.nixfiles.modules; [ - { - name = "Prometheus"; - type = "prometheus"; - access = "proxy"; - url = "https://${prometheus.domain}"; - isDefault = true; - } - { - name = "Loki"; - type = "loki"; - access = "proxy"; - url = "https://${loki.domain}"; - } - { - name = "Alertmanager"; - type = "alertmanager"; - access = "proxy"; - jsonData.implementation = "prometheus"; - url = "https://${alertmanager.domain}"; - } + grafana = { + declarativePlugins = with pkgs.grafanaPlugins; [ + redis-app + redis-datasource + redis-explorer-app ]; - # https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards - dashboards.settings.providers = [ - # System dashboard is imported manually from here[1]. Too bad - # provisioned dashboards cannot properly integrate dynamic datasources - # yet. 
- # - # [1]: https://grafana.com/grafana/dashboards/1860-node-exporter-full - { - name = "endlessh"; - options.path = ./dashboards/endlessh.json; - } - { - name = "unbound"; - options.path = ./dashboards/unbound.json; - } - { - name = "nginx"; - options.path = ./dashboards/nginx.json; - } - { - name = "postgersql"; - options.path = ./dashboards/postgresql.json; - } - ]; + provision = { + enable = true; - alerting = { - contactPoints.settings.contactPoints = [ + # https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources + datasources.settings.datasources = with config.nixfiles.modules; [ + { + name = "Alertmanager"; + type = "alertmanager"; + access = "proxy"; + jsonData.implementation = "prometheus"; + url = "https://${alertmanager.domain}"; + } + { + name = "Loki"; + type = "loki"; + access = "proxy"; + url = "https://${loki.domain}"; + isDefault = true; + } + { + name = "Prometheus"; + type = "prometheus"; + access = "proxy"; + url = "https://${prometheus.domain}"; + } + (mkIf config.nixfiles.modules.redis.enable { + name = "Redis"; + type = "redis-datasource"; + access = "proxy"; + url = with config.services.redis.servers.default; "redis://${bind}:${toString port}"; + jsonData.client = "standalone"; + }) + ]; + + # https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards + dashboards.settings.providers = [ + # The System dashboard is imported manually from here[1]. Too bad + # provisioned dashboards cannot properly integrate dynamic datasources + # yet. 
+ # + # [1]: https://grafana.com/grafana/dashboards/1860-node-exporter-full + { + name = "endlessh"; + options.path = ./dashboards/endlessh.json; + } + { + name = "unbound"; + options.path = ./dashboards/unbound.json; + } + { + name = "nginx"; + options.path = ./dashboards/nginx.json; + } + { + name = "postgersql"; + options.path = ./dashboards/postgresql.json; + } + ]; + + # https://grafana.com/docs/grafana/latest/administration/provisioning/#alerting + alerting.contactPoints.settings.contactPoints = [ { name = "Alertmanager"; receivers = [ @@ -84,25 +99,6 @@ in { ]; } ]; - muteTimings.settings.muteTimes = [ - { - name = "Sleep"; - time_intervals = [ - { - times = [ - { - start_time = "23:00"; - end_time = "24:00"; - } - { - start_time = "00:00"; - end_time = "09:00"; - } - ]; - } - ]; - } - ]; }; }; @@ -139,7 +135,6 @@ in { mkTargets [ manwe - varda yavanna ] nginx.port; @@ -174,6 +169,19 @@ in { } ]; } + { + job_name = "redis"; + static_configs = [ + { + targets = + mkTargets + [ + manwe + ] + redis.port; + } + ]; + } { job_name = "unbound"; static_configs = [ diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix index 0dade8f..d2ab117 100644 --- a/modules/nixos/nsd.nix +++ b/modules/nixos/nsd.nix @@ -112,13 +112,12 @@ in { gotify = manwe; grafana = manwe; loki = manwe; + ntfy = manwe; prometheus = manwe; radicale = manwe; rss-bridge = manwe; vaultwarden = manwe; - minecraft = varda; - flood = yavanna; }; } diff --git a/modules/nixos/ntfy.nix b/modules/nixos/ntfy.nix new file mode 100644 index 0000000..2fd3234 --- /dev/null +++ b/modules/nixos/ntfy.nix 
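Review bot: The new `Redis` datasource gives Grafana a credential-less connection (`url = with config.services.redis.servers.default; "redis://${bind}:${toString port}"`, `access = "proxy"`) to the instance that, after this commit, also backs Unbound's cachedb, so any Grafana user allowed to query that datasource can read — and, depending on what the installed redis-app/redis-explorer-app plugins expose, alter — the resolver's cache. A dedicated Redis ACL user for the datasource, or at minimum a comment next to the `mkIf` stating that the datasource is deliberately unauthenticated because Redis is loopback-only, would make that trade-off explicit; I would add `# Unauthenticated: Redis listens on loopback only and is shared with Unbound's cachedb.` above the `(mkIf ...` line. While the dashboard providers are being moved, `name = "postgersql";` could be corrected to `"postgresql"` to match the file it points at. The enclosing `services.grafana` attribute set continues past this hunk into the `alerting.contactPoints` list.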
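Review bot: `redis.port` in the new `job_name = "redis"` scrape job may not resolve: redis.nix in this commit declares only `nixfiles.modules.redis.enable`, so if the `with` that binds `nginx`/`redis` here points at `config.nixfiles.modules`, evaluation fails on a missing `port`; if it points at `config.services.prometheus.exporters`, it picks up the exporter's `mkDefault 9121` and is fine. That `with` is outside the hunk, so I cannot tell which — worth confirming. The job also only targets `manwe`, whereas unbound.nix now pulls the Redis module (and its exporter) in on every host that enables Unbound, so other Unbound hosts will run an exporter nothing scrapes.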
@@ -0,0 +1,57 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.ntfy;
+in {
+ options.nixfiles.modules.ntfy = {
+ enable = mkEnableOption "ntfy";
+
+ port = mkOption {
+ description = "Port.";
+ type = types.port;
+ default = 2586;
+ };
+
+ domain = mkOption {
+ description = "Domain name sans protocol scheme.";
+ type = with types; str;
+ default = "ntfy.${config.networking.domain}";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ nixfiles.modules.nginx = {
+ enable = true;
+ upstreams.ntfy.servers.${config.services.ntfy-sh.settings.listen-http} = {};
+ virtualHosts.${cfg.domain} = {
+ locations."/" = {
+ proxyPass = "http://ntfy";
+ proxyWebsockets = true;
+ };
+ extraConfig = nginxInternalOnly;
+ };
+ };
+
+ services.ntfy-sh = {
+ enable = true;
+ settings = {
+ listen-http = "127.0.0.1:${toString cfg.port}";
+ base-url = "https://${cfg.domain}";
+ cache-file = "/var/cache/ntfy/cache.db";
+ behind-proxy = true;
+ attachment-cache-dir = "/var/cache/ntfy/attachments";
+ auth-file = "/var/lib/ntfy/user.db";
+ auth-default-access = "deny-all";
+ };
+ };
+
+ systemd.tmpfiles.rules = with config.services.ntfy-sh; [
+ "d /var/lib/ntfy 0700 ${user} ${group} - -"
+ "d /var/cache/ntfy 0700 ${user} ${group} - -"
+ "d /var/cache/ntfy/attachments 0700 ${user} ${group} - -"
+ ];
+ };
+}
diff --git a/modules/nixos/redis.nix b/modules/nixos/redis.nix
new file mode 100644
index 0000000..166407e
--- /dev/null
+++ b/modules/nixos/redis.nix
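Review bot: `behind-proxy = true` makes ntfy take the visitor address from the `X-Forwarded-For` header for its per-visitor limits, which is only sound while nothing but the local nginx can reach `listen-http`; that holds today because it is bound to `127.0.0.1`, but nothing in the file ties the two settings together. I would add above `behind-proxy`: `# Safe only because listen-http is loopback-only and nginx is the sole client; ntfy trusts X-Forwarded-For when this is set.` Likewise `auth-default-access = "deny-all"` with a fresh `auth-file` leaves the server unusable until users and ACLs are created out of band (e.g. `ntfy user add`), which deserves a one-line comment so the first deploy is not a surprise. The `0700` tmpfiles rules assume `config.services.ntfy-sh.user`/`group` name a static account; if the upstream module runs the service as a dynamic user the ownership here would not match — worth confirming against the module version in use.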
@@ -0,0 +1,36 @@
+{
+ config,
+ lib,
+ this,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.redis;
+in {
+ options.nixfiles.modules.redis.enable = mkEnableOption "Redis";
+
+ config = mkIf cfg.enable {
+ services = {
+ redis = {
+ servers.default = {
+ enable = true;
+ bind = "127.0.0.1";
+ port = 6379;
+ };
+ vmOverCommit = true;
+ };
+
+ prometheus.exporters = {
+ redis = {
+ enable = true;
+ listenAddress = mkDefault this.wireguard.ipv4.address;
+ port = mkDefault 9121;
+ extraFlags = with config.services.redis.servers.default; [
+ "--redis.addr=redis://${bind}:${toString port}"
+ "--redis.user=${user}"
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/unbound.nix b/modules/nixos/unbound.nix
index 103e375..2291cc7 100644
--- a/modules/nixos/unbound.nix
+++ b/modules/nixos/unbound.nix
@@ -22,6 +22,8 @@ in {
 adblock-conf = "${config.services.unbound.stateDir}/adblock.conf";
 in
 mkIf cfg.enable {
+ nixfiles.modules.redis.enable = true;
+
 services = {
 unbound = {
 enable = true;
@@ -114,7 +116,7 @@ in {
 } ]; - cachedb = with config.services.redis.servers.unbound; { + cachedb = with config.services.redis.servers.default; { backend = "redis"; redis-server-host = bind; redis-server-port = port;
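Review bot: `"--redis.user=${user}"` hands redis_exporter the unix account the server runs as (`services.redis.servers.default.user`) as if it were a Redis ACL username; as far as I can tell the exporter only sends AUTH when a password is also configured, so with no password this flag is at best a no-op and at worst misleading — either drop it or pair it with a real ACL user and a password file. The instance itself stays unauthenticated on `127.0.0.1:6379` and is now shared by Unbound's cachedb, this exporter and (via the monitoring module in this commit) Grafana, so a per-consumer ACL user would keep a dashboard viewer from being able to touch the DNS cache. The line is carried over from unbound.nix rather than new, but this file is the natural place to fix it; a comment such as `# Single shared instance; consumers: unbound cachedb, redis_exporter, Grafana datasource.` above `servers.default` would document the fan-out.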
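Review bot: `nixfiles.modules.redis.enable = true;` now does more than provide the cachedb backend: the monitoring change in this commit keys a Grafana Redis datasource on this same flag, so enabling Unbound on the monitoring host implicitly hands Grafana an unauthenticated connection to the resolver's cache. I would say so here, e.g. `# Shared Redis instance; also picked up by the Grafana datasource in monitoring/ when that module is enabled.` In the move from `servers.unbound` to `servers.default`, `vmOverCommit` also lost its `mkForce` (it is a plain `true` in redis.nix now), so a `false` from any other module will surface as a conflicting-definition error rather than being overridden. The enclosing `config = let ... in mkIf cfg.enable {` starts before this hunk.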
@@ -124,34 +126,13 @@ in { localControlSocketPath = "/run/unbound/unbound.socket"; }; - redis = { - servers.unbound = { - enable = true; - bind = "127.0.0.1"; - port = 6379; - }; - vmOverCommit = mkForce true; - }; - - prometheus.exporters = { - unbound = { - enable = true; - listenAddress = mkDefault this.wireguard.ipv4.address; - port = 9167; - fetchType = "uds"; - controlInterface = config.services.unbound.localControlSocketPath; - inherit (config.services.unbound) group user; - }; - - redis = { - enable = true; - listenAddress = mkDefault this.wireguard.ipv4.address; - port = mkDefault 9121; - extraFlags = with config.services.redis.servers.unbound; [ - "--redis.addr=redis://${bind}:${toString port}" - "--redis.user=${user}" - ]; - }; + prometheus.exporters.unbound = { + enable = true; + listenAddress = mkDefault this.wireguard.ipv4.address; + port = 9167; + fetchType = "uds"; + controlInterface = config.services.unbound.localControlSocketPath; + inherit (config.services.unbound) group user; }; }; diff --git a/modules/nixos/victoriametrics.nix b/modules/nixos/victoriametrics.nix new file mode 100644 index 0000000..509ee17 --- /dev/null +++ b/modules/nixos/victoriametrics.nix 
@@ -0,0 +1,46 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.prometheus;
+in {
+ options.nixfiles.modules.prometheus = {
+ enable = mkEnableOption "VictoriaMetrics";
+
+ port = mkOption {
+ description = "Port.";
+ type = with types; port;
+ default = 30113;
+ };
+
+ domain = mkOption {
+ description = "Domain name sans protocol scheme.";
+ type = with types; str;
+ default = "victoriametrics.${config.networking.domain}";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ nixfiles.modules.nginx = with cfg; {
+ enable = true;
+ upstreams.victoriametrics.servers."127.0.0.1:${toString cfg.port}" = {};
+ virtualHosts.${domain} = {
+ locations."/".proxyPass = "http://victoriametrics";
+ extraConfig = nginxInternalOnly;
+ };
+ };
+
+ services.victoriametrics = {
+ enable = true;
+
+ listenAddress = "127.0.0.1:${toString cfg.port}";
+
+ extraOptions = [
+ "-loggerLevel=WARN"
+ # TODO scrape_config
+ ];
+ };
+ };
+}
-- cgit 1.4.1
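Review bot: This new file declares `options.nixfiles.modules.prometheus` (`enable`, `port`, `domain`), the same option path the existing Prometheus module presumably already declares — the monitoring module in this commit sets `nixfiles.modules.prometheus.enable` and reads `prometheus.domain` — so importing both would fail with a duplicate option declaration; consistent with that, default.nix in this commit adds `./ntfy.nix` and `./redis.nix` to its imports but not this file. If it is a work in progress (`# TODO scrape_config`), a header comment saying it is intentionally unimported and meant to replace the Prometheus module would stop someone from wiring it in. Also, the nginx block opens `with cfg; {` yet still spells out `cfg.port` two lines later; pick one form, e.g. `upstreams.victoriametrics.servers."127.0.0.1:${toString port}" = {};`.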