Remove monitoring01 host configuration and unused service modules (prometheus, grafana, loki, tempo, pyroscope). Migrate blackbox, exportarr, and pve exporters to monitoring02 with scrape configs moved to VictoriaMetrics. Update alert rules, terraform vault policies/secrets, http-proxy entries, and documentation to reflect the monitoring02 migration. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
{ config, pkgs, ... }:
|
|
{
|
|
services.grafana = {
|
|
enable = true;
|
|
settings = {
|
|
server = {
|
|
http_addr = "127.0.0.1";
|
|
http_port = 3000;
|
|
domain = "grafana-test.home.2rjus.net";
|
|
root_url = "https://grafana-test.home.2rjus.net/";
|
|
};
|
|
|
|
# Disable anonymous access
|
|
"auth.anonymous".enabled = false;
|
|
|
|
# OIDC authentication via Kanidm
|
|
"auth.generic_oauth" = {
|
|
enabled = true;
|
|
name = "Kanidm";
|
|
client_id = "grafana";
|
|
client_secret = "$__file{/run/secrets/grafana-oauth2}";
|
|
auth_url = "https://auth.home.2rjus.net/ui/oauth2";
|
|
token_url = "https://auth.home.2rjus.net/oauth2/token";
|
|
api_url = "https://auth.home.2rjus.net/oauth2/openid/grafana/userinfo";
|
|
scopes = "openid profile email groups";
|
|
use_pkce = true; # Required by Kanidm, more secure
|
|
# Extract user attributes from userinfo response
|
|
email_attribute_path = "email";
|
|
login_attribute_path = "preferred_username";
|
|
name_attribute_path = "name";
|
|
# Map admins group to Admin role, everyone else to Editor (for Explore access)
|
|
role_attribute_path = "contains(groups[*], 'admins') && 'Admin' || 'Editor'";
|
|
allow_sign_up = true;
|
|
};
|
|
};
|
|
|
|
# Declarative datasources
|
|
provision.datasources.settings = {
|
|
apiVersion = 1;
|
|
datasources = [
|
|
{
|
|
name = "VictoriaMetrics";
|
|
type = "prometheus";
|
|
url = "http://localhost:8428";
|
|
isDefault = true;
|
|
uid = "victoriametrics";
|
|
}
|
|
{
|
|
name = "Loki";
|
|
type = "loki";
|
|
url = "http://localhost:3100";
|
|
uid = "loki";
|
|
}
|
|
];
|
|
};
|
|
|
|
# Declarative dashboards
|
|
provision.dashboards.settings = {
|
|
apiVersion = 1;
|
|
providers = [
|
|
{
|
|
name = "homelab";
|
|
type = "file";
|
|
options.path = ./dashboards;
|
|
disableDeletion = true;
|
|
}
|
|
];
|
|
};
|
|
};
|
|
|
|
# Vault secret for OAuth2 client secret
|
|
vault.secrets.grafana-oauth2 = {
|
|
secretPath = "services/grafana/oauth2-client-secret";
|
|
extractKey = "password";
|
|
services = [ "grafana" ];
|
|
owner = "grafana";
|
|
group = "grafana";
|
|
};
|
|
|
|
# Local Caddy for TLS termination
|
|
services.caddy = {
|
|
enable = true;
|
|
package = pkgs.unstable.caddy;
|
|
globalConfig = ''
|
|
acme_ca https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
|
|
metrics
|
|
'';
|
|
virtualHosts."grafana.home.2rjus.net".extraConfig = ''
|
|
log {
|
|
output file /var/log/caddy/grafana.log {
|
|
mode 644
|
|
}
|
|
}
|
|
reverse_proxy http://127.0.0.1:3000
|
|
'';
|
|
virtualHosts."grafana-test.home.2rjus.net".extraConfig = ''
|
|
log {
|
|
output file /var/log/caddy/grafana.log {
|
|
mode 644
|
|
}
|
|
}
|
|
reverse_proxy http://127.0.0.1:3000
|
|
'';
|
|
# Metrics endpoint on plain HTTP for Prometheus scraping
|
|
extraConfig = ''
|
|
http://${config.networking.hostName}.home.2rjus.net/metrics {
|
|
metrics
|
|
}
|
|
'';
|
|
};
|
|
|
|
# Expose Caddy metrics for Prometheus
|
|
homelab.monitoring.scrapeTargets = [{
|
|
job_name = "caddy";
|
|
port = 80;
|
|
}];
|
|
}
|