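# NixOS module `services.vm_grafana`: a single-host logging and metrics stack.
#
# When enabled it configures:
#   * rsyslog   - receives syslog on 514/udp and 514/tcp and relays it to
#                 localhost:1514 as RFC 5424 with octet-counted framing
#   * promtail  - syslog listener on 1514/tcp, pushes to the local Loki
#   * loki      - filesystem-backed log store on 3100
#   * prometheus (9001) plus the node exporter (9002)
#   * influxdb2 - enabled with defaults
#   * grafana   - on 3000, PostgreSQL backend, authentik OAuth login
#
# Secrets (database password, OAuth client secret) are referenced through
# Grafana's `$__file{...}` provider, so only the paths appear in this file.
{ lib, config, pkgs, ... }:

let
  cfg = config.services.vm_grafana;
in
{
  options.services.vm_grafana = {
    # mkEnableOption prepends "Whether to enable", so the argument is a noun phrase.
    enable = lib.mkEnableOption "the Grafana, Loki and Prometheus logging/monitoring stack";

    proxy_ip = lib.mkOption {
      type = lib.types.str;
      description = "The Nginx proxy IP address";
    };

    pgsql_ip = lib.mkOption {
      type = lib.types.str;
      description = "The PostgreSQL host IP address";
    };
  };

  config = lib.mkIf cfg.enable {
    # Syslog relay. Everything received on 514 goes through the "remote"
    # ruleset, which forwards to the promtail listener on localhost:1514.
    # NOTE(review): both inputs are plain syslog with no TLS and no sender
    # authentication, so message fields such as the hostname are whatever the
    # sender claims. Restrict who can reach 514 at the network level.
    services.rsyslogd = {
      enable = true;
      extraConfig = ''
        ruleset(name="remote"){
          action(type="omfwd" Target="localhost" Port="1514" Protocol="tcp" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted")
        }

        module(load="imudp")
        input(type="imudp" port="514" ruleset="remote")

        module(load="imtcp")
        input(type="imtcp" port="514" ruleset="remote")
      '';
    };

    # NOTE(review): enabled with defaults only; nothing else in this module
    # references InfluxDB, yet 8086 is opened in the firewall below. Confirm it
    # is needed and that initial setup has been completed.
    services.influxdb2 = {
      enable = true;
    };

    services.grafana = {
      enable = true;
      settings = {
        # Grafana speaks plain HTTP on the VM address while root_url is https,
        # so TLS is presumably terminated by the Nginx proxy (cfg.proxy_ip).
        # NOTE(review): port 3000 is opened to every source in the firewall
        # below; limiting it to the proxy would keep clients from bypassing it.
        server = {
          protocol = "http";
          http_addr = "${config.services.vm.vm_ip}";
          http_port = 3000;
          domain = "logs.le43.eu";
          root_url = "https://logs.le43.eu";
          serve_from_sub_path = false;
        };

        # NOTE(review): no ssl_mode is set for the PostgreSQL connection;
        # confirm whether the link to cfg.pgsql_ip needs TLS.
        database = {
          type = "postgres";
          host = "${cfg.pgsql_ip}:5432";
          name = "grafana";
          user = "grafana";
          # Read from a file at runtime, so the password is not in this config.
          password = "\$__file{/run/secrets/grafana/database_secret}";
        };

        auth = {
          # Quoted: bare URL literals are deprecated in Nix and are rejected
          # when the `no-url-literals` feature is enabled.
          signout_redirect_url = "https://authentik.le43.eu/application/o/grafana/end-session/";
          oauth_auto_login = true;
        };

        "oauth.generic_oauth" = {
          name = "authentik";
          enabled = true;
          # The client ID is not a secret; the client secret is read from a file.
          client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy";
          client_secret = "\$__file{/run/secrets/grafana/client_secret}";
          scopes = [ "openid" "email" "profile" ];
          auth_url = "https://authentik.le43.eu/application/o/authorize/";
          token_url = "https://authentik.le43.eu/application/o/token/";
          api_url = "https://authentik.le43.eu/application/o/userinfo/";
          # Members of the `admin` group become Grafana Admin, everyone else
          # who can log in becomes Viewer.
          # NOTE(review): this relies on a `groups` claim being returned with
          # the scopes above - verify against the authentik provider.
          role_attribute_path = "contains(groups, 'admin') && 'Admin' || 'Viewer'";
        };
      };
    };

    # NOTE(review): 9001 is opened in the firewall below and no authentication
    # is configured here, so the Prometheus UI and API are reachable by any
    # host that can reach this port.
    services.prometheus = {
      enable = true;
      port = 9001;

      # Every job targets port 9002, the node exporter port set below, so the
      # job names appear to identify hosts by the service they run - confirm.
      # Two targets are hard-coded addresses rather than module options.
      scrapeConfigs = [
        {
          job_name = "grafana";
          static_configs = [{ targets = [ "127.0.0.1:9002" ]; }];
        }
        {
          job_name = "nginx";
          static_configs = [{ targets = [ "${cfg.proxy_ip}:9002" ]; }];
        }
        {
          job_name = "redis";
          static_configs = [{ targets = [ "192.168.1.16:9002" ]; }];
        }
        {
          job_name = "authentik";
          static_configs = [{ targets = [ "192.168.1.25:9002" ]; }];
        }
      ];

      exporters = {
        node = {
          enable = true;
          enabledCollectors = [ "systemd" ];
          port = 9002;
        };
      };
    };

    services.loki = {
      enable = true;
      configuration = {
        server.http_listen_port = 3100;
        server.grpc_listen_port = 9096;
        # Single-tenant mode: no tenant header is required.
        # NOTE(review): Loki does not authenticate clients itself, and 3100 is
        # opened in the firewall below, so any host that can reach it can push
        # and query logs. The only client visible here is the local promtail
        # (127.0.0.1:3100); confirm whether remote access is really needed.
        auth_enabled = false;

        ingester = {
          lifecycler = {
            address = "127.0.0.1";
            ring = {
              kvstore = {
                store = "inmemory";
              };
              replication_factor = 1;
            };
          };
          chunk_idle_period = "1h";
          max_chunk_age = "1h";
          chunk_target_size = 999999;
          chunk_retain_period = "30s";
        };

        schema_config = {
          configs = [{
            from = "2022-06-06";
            store = "boltdb-shipper";
            object_store = "filesystem";
            schema = "v13";
            index = {
              prefix = "index_";
              period = "24h";
            };
          }];
        };

        storage_config = {
          boltdb_shipper = {
            active_index_directory = "/var/lib/loki/boltdb-shipper-active";
            cache_location = "/var/lib/loki/boltdb-shipper-cache";
            cache_ttl = "24h";
          };
          filesystem = {
            directory = "/var/lib/loki/chunks";
          };
        };

        limits_config = {
          reject_old_samples = true;
          reject_old_samples_max_age = "168h";
          allow_structured_metadata = false;
        };

        # Retention deletes are off, so stored logs are kept indefinitely.
        table_manager = {
          retention_deletes_enabled = false;
          retention_period = "0s";
        };

        compactor = {
          working_directory = "/var/lib/loki";
          compactor_ring = {
            kvstore = {
              store = "inmemory";
            };
          };
        };
      };
    };

    services.promtail = {
      enable = true;
      configuration = {
        server = {
          http_listen_port = 3101;
          grpc_listen_port = 9095;
        };

        # NOTE(review): /tmp is a shared, non-persistent location; a directory
        # owned by the promtail service would be a safer home for this file.
        # Confirm whether the unit runs with a private /tmp.
        positions = {
          filename = "/tmp/positions.yaml";
        };

        clients = [{
          url = "http://127.0.0.1:3100/loki/api/v1/push";
        }];

        scrape_configs = [
          {
            job_name = "syslog";
            syslog = {
              # NOTE(review): listens on all interfaces and 1514 is opened in
              # the firewall below, although the only sender visible in this
              # module is the local rsyslog relay (Target="localhost"). If no
              # remote host writes here directly, bind to 127.0.0.1 and drop
              # 1514 from allowedTCPPorts.
              listen_address = "0.0.0.0:1514";
              listen_protocol = "tcp";
              idle_timeout = "60s";
              labels = {
                job = "syslog";
              };
            };

            # Label values are copied from fields of the syslog message, which
            # the original sender controls; treat `host`/`hostname` as claims,
            # not as verified identity. For traffic relayed by rsyslog the
            # connection hostname is presumably the relay, not the sender.
            relabel_configs = [
              {
                source_labels = [ "__syslog_message_hostname" ];
                target_label = "host";
              }
              {
                source_labels = [ "__syslog_message_hostname" ];
                target_label = "hostname";
              }
              {
                source_labels = [ "__syslog_message_severity" ];
                target_label = "level";
              }
              {
                source_labels = [ "__syslog_message_app_name" ];
                target_label = "application";
              }
              {
                source_labels = [ "__syslog_message_facility" ];
                target_label = "facility";
              }
              {
                source_labels = [ "__syslog_connection_hostname" ];
                target_label = "connection_hostname";
              }
            ];
          }
        ];
      };
    };

    # Open ports in the firewall.
    #   3000 Grafana, 3100 Loki HTTP, 3101 promtail HTTP, 8086 (InfluxDB 2
    #   default port), 9001 Prometheus, 1514 promtail syslog, 514 rsyslog.
    # NOTE(review): these rules apply to every source address. Of the services
    # above, only 514 (log intake) and 3000 (behind the proxy) have a remote
    # client visible in this module; review the rest before keeping them open.
    networking.firewall.allowedTCPPorts = [ 3000 3100 3101 8086 9001 1514 514 ];
    networking.firewall.allowedUDPPorts = [ 514 ];
  };
}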