Update all dashboard datasource references from "prometheus" to "victoriametrics" to match the declared datasource UID. Enable prune and deleteDatasources to clean up the old Prometheus (monitoring01) datasource from Grafana's database. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
{ config, pkgs, ... }:
|
|
{
|
|
services.grafana = {
|
|
enable = true;
|
|
settings = {
|
|
server = {
|
|
http_addr = "127.0.0.1";
|
|
http_port = 3000;
|
|
domain = "grafana-test.home.2rjus.net";
|
|
root_url = "https://grafana-test.home.2rjus.net/";
|
|
};
|
|
|
|
# Disable anonymous access
|
|
"auth.anonymous".enabled = false;
|
|
|
|
# OIDC authentication via Kanidm
|
|
"auth.generic_oauth" = {
|
|
enabled = true;
|
|
name = "Kanidm";
|
|
client_id = "grafana";
|
|
client_secret = "$__file{/run/secrets/grafana-oauth2}";
|
|
auth_url = "https://auth.home.2rjus.net/ui/oauth2";
|
|
token_url = "https://auth.home.2rjus.net/oauth2/token";
|
|
api_url = "https://auth.home.2rjus.net/oauth2/openid/grafana/userinfo";
|
|
scopes = "openid profile email groups";
|
|
use_pkce = true; # Required by Kanidm, more secure
|
|
# Extract user attributes from userinfo response
|
|
email_attribute_path = "email";
|
|
login_attribute_path = "preferred_username";
|
|
name_attribute_path = "name";
|
|
# Map admins group to Admin role, everyone else to Editor (for Explore access)
|
|
role_attribute_path = "contains(groups[*], 'admins') && 'Admin' || 'Editor'";
|
|
allow_sign_up = true;
|
|
};
|
|
};
|
|
|
|
# Declarative datasources
|
|
provision.datasources.settings = {
|
|
apiVersion = 1;
|
|
prune = true;
|
|
deleteDatasources = [
|
|
{ name = "Prometheus (monitoring01)"; orgId = 1; }
|
|
];
|
|
datasources = [
|
|
{
|
|
name = "VictoriaMetrics";
|
|
type = "prometheus";
|
|
url = "http://localhost:8428";
|
|
isDefault = true;
|
|
uid = "victoriametrics";
|
|
}
|
|
{
|
|
name = "Loki";
|
|
type = "loki";
|
|
url = "http://localhost:3100";
|
|
uid = "loki";
|
|
}
|
|
];
|
|
};
|
|
|
|
# Declarative dashboards
|
|
provision.dashboards.settings = {
|
|
apiVersion = 1;
|
|
providers = [
|
|
{
|
|
name = "homelab";
|
|
type = "file";
|
|
options.path = ./dashboards;
|
|
disableDeletion = true;
|
|
}
|
|
];
|
|
};
|
|
};
|
|
|
|
# Vault secret for OAuth2 client secret
|
|
vault.secrets.grafana-oauth2 = {
|
|
secretPath = "services/grafana/oauth2-client-secret";
|
|
extractKey = "password";
|
|
services = [ "grafana" ];
|
|
owner = "grafana";
|
|
group = "grafana";
|
|
};
|
|
|
|
# Local Caddy for TLS termination
|
|
services.caddy = {
|
|
enable = true;
|
|
package = pkgs.unstable.caddy;
|
|
globalConfig = ''
|
|
acme_ca https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
|
|
metrics
|
|
'';
|
|
virtualHosts."grafana.home.2rjus.net".extraConfig = ''
|
|
log {
|
|
output file /var/log/caddy/grafana.log {
|
|
mode 644
|
|
}
|
|
}
|
|
reverse_proxy http://127.0.0.1:3000
|
|
'';
|
|
virtualHosts."grafana-test.home.2rjus.net".extraConfig = ''
|
|
log {
|
|
output file /var/log/caddy/grafana.log {
|
|
mode 644
|
|
}
|
|
}
|
|
reverse_proxy http://127.0.0.1:3000
|
|
'';
|
|
# Metrics endpoint on plain HTTP for Prometheus scraping
|
|
extraConfig = ''
|
|
http://${config.networking.hostName}.home.2rjus.net/metrics {
|
|
metrics
|
|
}
|
|
'';
|
|
};
|
|
|
|
# Expose Caddy metrics for Prometheus
|
|
homelab.monitoring.scrapeTargets = [{
|
|
job_name = "caddy";
|
|
port = 80;
|
|
}];
|
|
}
|
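Review bot: The Caddy access log that both Grafana virtual hosts write to (`output file /var/log/caddy/grafana.log { mode 644 }`) is created world-readable, so any local account on the host can read it, and access logs record full request URIs including query strings — for this deployment that covers the OAuth2 callback with its `code` and `state` parameters as well as dashboard and Explore query parameters. Unless another local consumer needs the file, the explicit mode should be dropped or tightened to `mode 640` in both the `grafana.home.2rjus.net` and `grafana-test.home.2rjus.net` blocks so only the Caddy user and its group can read it. Separately, with `allow_sign_up = true` and the `role_attribute_path` fallback to `'Editor'`, every identity Kanidm lets authenticate to this client lands in org 1 as an Editor; if that is intended only for a known set of users it is worth a short comment next to `allow_sign_up` stating that membership is gated on the Kanidm side, since nothing in this file restricts it.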