tbarnouin/nixos-hypervisor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Try grafana LXC + Agenix (forgejo-runner not working)

Browse source
This commit is contained in:
Théo Barnouin 2024-10-23 15:52:13 +02:00
parent 7f7f604882
commit fa1821798d
4 changed files with 32 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
secrets/secrets.nix
View file

@ -2,14 +2,18 @@ let
tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"; tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos";
users = [ tbarnouin ]; users = [ tbarnouin ];
laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDYomb5vtXsfYGZiVjSY7eOzWI+tp1YRLlPkpKDXIwGl root@nixos"; laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDYomb5vtXsfYGZiVjSY7eOzWI+tp1YRLlPkpKDXIwGl root@nixos";
forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner"; forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner";
grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana";
systems = [ laptop forgejo ]; systems = [ laptop forgejo grafana ];
in in
{ {
"forgejo-runner-token.age".publicKeys = [ tbarnouin forgejo ]; "forgejo-runner-token.age".publicKeys = [ tbarnouin forgejo ];
"../services/forgejo-runner/secrets/forgejo-runner-token.age".publicKeys = [ tbarnouin forgejo ]; "../services/forgejo-runner/secrets/forgejo-runner-token.age".publicKeys = [ tbarnouin forgejo ];
"../services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ];
"../services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ];
} }

47
services/grafana/default.nix
View file

@ -5,6 +5,10 @@ in
{ {
options.services.vm_grafana = { options.services.vm_grafana = {
enable = lib.mkEnableOption "Enable minimal config"; enable = lib.mkEnableOption "Enable minimal config";
vm_ip = lib.mkOption {
type = lib.types.str;
description = "The VM IP address";
};
proxy_ip = lib.mkOption { proxy_ip = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "The Nginx proxy IP address"; description = "The Nginx proxy IP address";
@ -14,7 +18,16 @@ in
description = "The PostgreSQL host IP address"; description = "The PostgreSQL host IP address";
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
age.secrets.grafana-db = {
file = ./secrets/grafana-db.age;
mode = "0660";
owner = "grafana";
};
age.secrets.kuma-token = {
file = ./secrets/kuma-token.age;
mode = "0660";
};
services.rsyslogd = { services.rsyslogd = {
enable = true; enable = true;
extraConfig = '' extraConfig = ''
@ -37,7 +50,7 @@ in
settings = { settings = {
server = { server = {
protocol = "http"; protocol = "http";
http_addr = "${config.services.vm.vm_ip}"; http_addr = "${cfg.vm_ip}";
http_port = 3000; http_port = 3000;
domain = "logs.le43.eu"; domain = "logs.le43.eu";
root_url = "https://logs.le43.eu"; root_url = "https://logs.le43.eu";
@ -48,26 +61,7 @@ in
host = "${cfg.pgsql_ip}:5432"; host = "${cfg.pgsql_ip}:5432";
name = "grafana"; name = "grafana";
user = "grafana"; user = "grafana";
password = "\$__file{/run/secrets/grafana/database_secret}"; password = "\$__file{${config.age.secrets.grafana-db.path}";
};
auth = {
signout_redirect_url = https://authentik.le43.eu/application/o/grafana/end-session/;
oauth_auto_login = true;
};
"oauth.generic_oauth" = {
name = "authentik";
enabled = true;
client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy";
client_secret = "\$__file{/run/secrets/grafana/client_secret}";
scopes = [
"openid"
"email"
"profile"
];
auth_url = "https://authentik.le43.eu/application/o/authorize/";
token_url = "https://authentik.le43.eu/application/o/token/";
api_url = "https://authentik.le43.eu/application/o/userinfo/";
role_attribute_path = "contains(groups, 'admin') && 'Admin' || 'Viewer'";
}; };
}; };
}; };
@ -83,7 +77,7 @@ in
targets = [ "192.168.1.90:3001" ]; targets = [ "192.168.1.90:3001" ];
}]; }];
basic_auth.username = "tbarnouin"; basic_auth.username = "tbarnouin";
basic_auth.password_file = "/run/secrets/grafana/kuma_token"; basic_auth.password_file = config.age.secrets.kuma-token.path;
} }
{ {
job_name = "grafana"; job_name = "grafana";
@ -170,13 +164,6 @@ in
}]; }];
} }
]; ];
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
}; };
services.loki = { services.loki = {
enable = true; enable = true;

8
services/grafana/secrets/grafana-db.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 OWkVXw 1n49CouMzxgvdrQ+7gIbilN2oRkG3lfTJehpVwxeLXw
NBB8G9JeEmvbfXk6WdaDPYTaSBsNtDyqdTkJKG3RNtw
-> ssh-ed25519 wnEUpw LepRS+v4Jq+Z4VBtyDRw1BQkGOwOzI5HsjRSFP9SLA4
hRZr5OauNH1VYHip7pifCuVxTTQa3S9VbjwjQEUuK00
--- G3K8IsDtSXZ7Cqp0ehe7eczyzzEsiwwV9xfenlBz0Vo
@²W £0ÊH%
ƒ·Õ8Š4¼Ã\»‚&È©´ I^˜@5©ÂƒÏF

BIN
services/grafana/secrets/kuma-token.age Normal file
View file

Binary file not shown.