monitoring02: enable alerting and migrate CNAMEs from http-proxy

- Switch vmalert from blackhole mode to sending alerts to local
  Alertmanager
- Import alerttonotify service so alerts route to NATS notifications
- Move alertmanager and grafana CNAMEs from http-proxy to monitoring02
- Add monitoring CNAME to monitoring02
- Add Caddy reverse proxy entries for alertmanager and grafana
- Remove prometheus, alertmanager, and grafana Caddy entries from
  http-proxy (now served directly by monitoring02)
- Move monitoring02 Vault AppRole to hosts-generated.tf and add
  shared/nats/nkey access

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 20:56:55 +01:00
parent 7f69c0738a
commit 1496081c64
8 changed files with 27 additions and 45 deletions


@@ -18,9 +18,6 @@
"sonarr" "sonarr"
"ha" "ha"
"z2m" "z2m"
"grafana"
"prometheus"
"alertmanager"
"jelly" "jelly"
"pyroscope" "pyroscope"
"pushgw" "pushgw"


@@ -18,7 +18,7 @@
role = "monitoring"; role = "monitoring";
}; };
homelab.dns.cnames = [ "grafana-test" "metrics" "vmalert" "loki" ]; homelab.dns.cnames = [ "monitoring" "alertmanager" "grafana" "grafana-test" "metrics" "vmalert" "loki" ];
# Enable Vault integration # Enable Vault integration
vault.enable = true; vault.enable = true;


@@ -4,5 +4,6 @@
../../services/grafana ../../services/grafana
../../services/victoriametrics ../../services/victoriametrics
../../services/loki ../../services/loki
../../services/monitoring/alerttonotify.nix
]; ];
} }


@@ -91,6 +91,14 @@
acme_ca https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory acme_ca https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
metrics metrics
''; '';
virtualHosts."grafana.home.2rjus.net".extraConfig = ''
log {
output file /var/log/caddy/grafana.log {
mode 644
}
}
reverse_proxy http://127.0.0.1:3000
'';
virtualHosts."grafana-test.home.2rjus.net".extraConfig = '' virtualHosts."grafana-test.home.2rjus.net".extraConfig = ''
log { log {
output file /var/log/caddy/grafana.log { output file /var/log/caddy/grafana.log {
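Review bot: The added `grafana.home.2rjus.net` vhost writes its access log with `mode 644` to `/var/log/caddy/grafana.log`, which is world-readable and is the same file the `grafana-test` vhost just below uses. Access logs for Grafana record request URIs and client addresses, so I would use `mode 640` here and let whatever reads the logs get in through group membership instead. If sharing one file between the two vhosts is not intentional, giving each its own output file avoids two writers on one path and makes it clear which name a request came in on. The `grafana-test` block continues outside the hunk, so the same mode change would apply there.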


@@ -54,30 +54,7 @@
} }
reverse_proxy http://ha1.home.2rjus.net:8080 reverse_proxy http://ha1.home.2rjus.net:8080
} }
prometheus.home.2rjus.net {
log {
output file /var/log/caddy/prometheus.log {
mode 644
}
}
reverse_proxy http://monitoring01.home.2rjus.net:9090
}
alertmanager.home.2rjus.net {
log {
output file /var/log/caddy/alertmanager.log {
mode 644
}
}
reverse_proxy http://monitoring01.home.2rjus.net:9093
}
grafana.home.2rjus.net {
log {
output file /var/log/caddy/grafana.log {
mode 644
}
}
reverse_proxy http://monitoring01.home.2rjus.net:3000
}
jelly.home.2rjus.net { jelly.home.2rjus.net {
log { log {
output file /var/log/caddy/jelly.log { output file /var/log/caddy/jelly.log {


@@ -170,15 +170,12 @@ in
}; };
}; };
# vmalert for alerting rules - no notifier during parallel operation # vmalert for alerting rules
services.vmalert.instances.default = { services.vmalert.instances.default = {
enable = true; enable = true;
settings = { settings = {
"datasource.url" = "http://localhost:8428"; "datasource.url" = "http://localhost:8428";
# Blackhole notifications during parallel operation to prevent duplicate alerts. "notifier.url" = [ "http://localhost:9093" ];
# Replace with notifier.url after cutover from monitoring01:
# "notifier.url" = [ "http://localhost:9093" ];
"notifier.blackhole" = true;
"rule" = [ ../monitoring/rules.yml ]; "rule" = [ ../monitoring/rules.yml ];
}; };
}; };
@@ -191,8 +188,11 @@ in
reverse_proxy http://127.0.0.1:8880 reverse_proxy http://127.0.0.1:8880
''; '';
# Alertmanager - same config as monitoring01 but will only receive # Alertmanager
# alerts after cutover (vmalert notifier is disabled above) services.caddy.virtualHosts."alertmanager.home.2rjus.net".extraConfig = ''
reverse_proxy http://127.0.0.1:9093
'';
services.prometheus.alertmanager = { services.prometheus.alertmanager = {
enable = true; enable = true;
configuration = { configuration = {
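Review bot: The new `alertmanager.home.2rjus.net` vhost in the second hunk forwards straight to `http://127.0.0.1:9093` with nothing in front of it, and Alertmanager does not authenticate API callers by default. Anyone who can reach that name can create silences or post alerts, which matters more now that the first hunk's `"notifier.url"` makes this instance the live alerting path. Unless reachability is already restricted elsewhere (firewall, VPN), I would put a `basic_auth` block or a `remote_ip` matcher ahead of `reverse_proxy`. The vhost also has no `log` block, unlike the grafana entries in this commit, so a request that adds a silence leaves no access record. Both the vmalert settings and the alertmanager block continue outside the hunks.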


@@ -115,15 +115,6 @@ locals {
] ]
} }
# monitoring02: Grafana + VictoriaMetrics
"monitoring02" = {
paths = [
"secret/data/hosts/monitoring02/*",
"secret/data/hosts/monitoring01/apiary-token",
"secret/data/services/grafana/*",
]
}
} }
} }


@@ -44,7 +44,15 @@ locals {
"secret/data/hosts/garage01/*", "secret/data/hosts/garage01/*",
] ]
} }
"monitoring02" = {
paths = [
"secret/data/hosts/monitoring02/*",
"secret/data/hosts/monitoring01/apiary-token",
"secret/data/services/grafana/*",
"secret/data/shared/nats/nkey",
]
}
} }
# Placeholder secrets - user should add actual secrets manually or via tofu # Placeholder secrets - user should add actual secrets manually or via tofu
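Review bot: The added `"secret/data/shared/nats/nkey"` path gives monitoring02 read access to what the name suggests is an nkey shared across hosts, so a compromise of this host would expose a NATS identity that other services also use. A per-host nkey limited to publishing on the notification subject would keep the blast radius to this host, and it could live under `"secret/data/hosts/monitoring02/*"`, which is already granted. The carried-over `"secret/data/hosts/monitoring01/apiary-token"` entry likewise keeps a cross-host read in place after the cutover and is worth moving under monitoring02's own prefix. If this file is generated, the change belongs in the generator's input rather than in this block.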