From eafb8ad1b702b8f0714005c5e08a6d4027306ef9 Mon Sep 17 00:00:00 2001 From: c6ristian <c6ristian@christian.moe> Date: Sat, 8 Mar 2025 00:41:23 +0100 Subject: [PATCH] grafana: get grafana running --- .sops.yaml | 2 + secrets/passwords.yaml | 37 +++++++++++------- systems/grafana.noc.eh22.intern.nix | 58 ++++++++++++++++++++--------- 3 files changed, 65 insertions(+), 32 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 03121b3..87e3e16 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,9 +1,11 @@ keys: - &ccchh_pass "age1egd6nutd7y8x5kd3uqxjpu326u9rz2vsqth2ss8nhvjlts3ukgrqsj2a92" - &user_lilly "age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d" + - &host_grafana "age1kr0vjyd0fmpccshm4kl2uw5jujh48r7vzhecvqgaf58cvdha79csaw7hz5" creation_rules: - path_regex: secrets/passwords.yaml key_groups: - age: - *ccchh_pass - *user_lilly + - *host_grafana \ No newline at end of file diff --git a/secrets/passwords.yaml b/secrets/passwords.yaml index c03559c..57dea97 100644 --- a/secrets/passwords.yaml +++ b/secrets/passwords.yaml @@ -4,6 +4,8 @@ services: noc_token: ENC[AES256_GCM,data:7WrIXDtjYKRVgA+r2iVcaT4zf+ftRTEQDEduu77j3RkvSX1e2UCNvg==,iv:B1r+wHg3AJKVj7PKS34G9FD/2Q1yngXdueqVJ0JIfY0=,tag:1w9FO2fPPK0gkInrtEZyBg==,type:str] proxmox: root: ENC[AES256_GCM,data:RVv1d/nB9pgcERkujSasoLY+cR3OO3NWxw==,iv:EHkUDxP6XB2JWeDtno2rcVvBQdJ/jmG5HjRjPppfS0A=,tag:obzij0BkGLJoXfUbqWLRjw==,type:str] + grafana: + admin_password: ENC[AES256_GCM,data:EimHeXiWzrzDVHnqmfAs+6/jsNp0cyVRJQu8U7drsP4=,iv:WmpPZstgTru8AHg5VeKRhfFdc0r5J9OWhCHdCzw/g+E=,tag:uftQ1kgj8LAuFB+MLSqnJw==,type:str] hardware: proxmox_server: ipmi: 
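Review bot: Adding `*host_grafana` to the only creation rule for `secrets/passwords.yaml` lets the Grafana VM's age key decrypt every value in that file, not just `services/grafana/admin_password`. The diff context of that file shows it also holds `proxmox: root`, `noc_token` and an `ipmi` subtree, so anyone who compromises the web-facing Grafana host could decrypt the hypervisor credentials. I would leave the shared file readable by the admin keys only and give the host its own file and rule (the name `secrets/grafana.yaml` below is only an example), then point `defaultSopsFile` or the secret's `sopsFile` at it. Whichever layout is used, the admin password that was encrypted under the shared file is worth rotating.

```yaml
creation_rules:
  # … unchanged: rule for secrets/passwords.yaml, without *host_grafana …
  - path_regex: secrets/grafana.yaml   # example name
    key_groups:
      - age:
          - *ccchh_pass
          - *user_lilly
          - *host_grafana
```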
@@ -12,8 +14,6 @@ vms: __default__: users: noc: ENC[AES256_GCM,data:4XsNofA6Qk8MphMBDSUrAq43RF/d1x7lDg==,iv:ecS8GEZhK5X9GOq2SNDIh7ZWyfHA7kayszqCHyQj+Pc=,tag:fVC2+ztLpewhB9p6EwMtCg==,type:str] - grafana: - admin_password: ENC[AES256_GCM,data:xwjYXJkK+2PZ8uu8vnX4Gy5CRWXJuBfG+NBX+qIVruo=,iv:WWMjUmDZzjjvTjT5A1nEdpxgpWGWCc3D8k/kjrNxYtc=,tag:nbI+aCwN+n/iACjwvk0ljw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -23,23 +23,32 @@ sops: - recipient: age1egd6nutd7y8x5kd3uqxjpu326u9rz2vsqth2ss8nhvjlts3ukgrqsj2a92 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNlR6c1djamw2ZmpYb3pE - TDZBSlI1emJRWlZGRmJJbElXRlp4V0lUVWhzCm9EeWxqKy8xaVpNUXRIcUNNZGRj - R2dzN3IwZEJ4ajRMUmZnY2hwVWRNNlkKLS0tIE9TcE1NWUdaQ2x0My9QNDYwQjZO - K2pYWmV3WjkyRmdPYlRqakRndlJ4V0UKERTgFxUlywU3zZZ1VFeBjPrMG1kbWM9u - yz37P+dEj5c7djQFymyQInaAN9HgxoKZg+ouqaaUHIpp/pCGThFo3Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4c0ZhN3QwVFZTYlFKbXk1 + NzJQRlFlL1JydStkS1dTcGhlaHlGVGRSTEFVCjFRM2hjQThiRmZYNnltVVp1NzJx + alRPV0k1RW10THJWelREakw5Z2dldncKLS0tIFZjZno1M21pcjJnQTRYRElIYkJJ + K2VMREVlZXhLRG9xU25WaE4wakYwcVkKvyyTdK47i6+Ljc6HL7e0UZejQLA+H7Ve + s6Z0CIXUeEz5OM2G8+Wi6Fyjbk2QJXMjGdxp6KzKcl8k6/18u5K5PQ== -----END AGE ENCRYPTED FILE----- - recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bU1Gd09tQ1FHYlJ2WWRZ - Ni9RdVhMaUI0bEEyd0pZaWNqQVlOZGRUMGtRClFRV0todlpDYmkxVjE3OFRZa3VQ - aXpLUGhlNFFGcjJHTzRlNk5qSEttSG8KLS0tIGJ5cFNhREw1KzZ5bjlBUFlLSzRs - YW1BSERaOURtVGpMSnRiTkJyaDR3OTQK3pXGQU1SoUKdmLKUe88e8/BjqPjmdhke - bP7DHbpvk4xG2Z3fnacihDCwiBASn2Wu350hl1WoM5pzMiqmS84X9Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVmxSTGVxMUVUQ2dkRCtR + cUNvMllXcVZ4NzRMQUZ0TmovUmx3ejlDT0VZCmYrc2ZPUzgyV3I5M09KOVZtTzVJ + b2J4d1lBOUkyOFdlNzZ2UkJITXJpVXcKLS0tIGFTRytiQjI5bEtKQVAwODd3ZWxk + c3hDOEdrYktaOVNMN0tncWlJbFd6WVkK2fbjE4ARoMbyhBKwQY4GFolX//T7nWAC + 5r57ObE1a6ENdTNA/IzmegWqEb6ZIWlkZSf8eHlYhVgtT4uib7HZng== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-04T21:26:03Z" - mac: ENC[AES256_GCM,data:QS1Aq8aUqfOmBwOAbZDlG3Y5CLKWk9u5YQkqzp1i8RvbeXMOOgPj+73kshI8m5QOtMiOGNlnkR0gMD3XIuK/57yte1ir0oWtlrT88yyPLLqwDA16XjPQ61iCHoZQUg8au/+bzYe1uswiKme80FYTIFQfxqtByxFg66244wLiAPE=,iv:e86pdwGXrEMiFj0Rzrz//UKBTCyN63EA1KGJS1x+YQo=,tag:zuIVf2kMQEZReGL72dOj5A==,type:str] + - recipient: 
age1kr0vjyd0fmpccshm4kl2uw5jujh48r7vzhecvqgaf58cvdha79csaw7hz5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQb0ZlU2dzT0w2djBub2Rx + ZmV5aStZOTlSdXZEbXNxYXBESmpCckwzWDNFCmIxQjRuakR4aWVnM3E0elkvd2xX + ZGJuK3NEL1RBZDB0WXV5M2VieHBnUkEKLS0tIEtXN2xQVVVjamtPSDhNVW5qaXdC + SHhiSU5PZmpUakZvQVNtYk5nUk1tZjAKyHND2LZuuBciy7toDLrAH47kyWcGAN7c + ORrD03DBoEV7mjBY86Hl3SaLKHxlBXsB93OOWqeZrvHlbki+qn/OZA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-07T23:08:48Z" + mac: ENC[AES256_GCM,data:lUivE03Wq9mRDLwVpazQFrc0XxqXhK0pFLYvU+Y/dMB+z7LJ1Y9S9uGmaZwApwv3FTiSiCjBqVse4ok2FXokvxAPoCnJ5tGw7gq93XY/e/MBXDO40C9ltc1ilmsueCX7f8ZDjg2LfH2LRLYltVhyAekpaiaY9Cv5EUOU635xRp4=,iv:QH9ot5PiWQ+IuOdA6Hv3PuHgw5BnN1PsZe0032IJjjI=,tag:5HU0UNHVm4AxcyUxBbRuGQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 diff --git a/systems/grafana.noc.eh22.intern.nix b/systems/grafana.noc.eh22.intern.nix index f77c534..0b7f35c 100644 --- a/systems/grafana.noc.eh22.intern.nix +++ b/systems/grafana.noc.eh22.intern.nix @@ -1,8 +1,6 @@ { pkgs, config, - modulesPath, - lib, ... }: { @@ -10,7 +8,7 @@ sops = { defaultSopsFile = ../secrets/passwords.yaml; - secrets."vms/grafana/admin_password" = { + secrets."services/grafana/admin_password" = { mode = "0440"; owner = "grafana"; group = "grafana"; 
@@ -33,24 +31,48 @@ networking.firewall.allowedTCPPorts = [ 80 ]; - services.grafana = { - enable = true; - settings = { - security.admin_password = "$__file{${config.sops.secrets."vms/grafana/admin_password".path}}"; - server = { - domain = "grafana.noc.eh22.intern"; - root_url = "http://grafana.noc.eh22.intern/"; + services = { + grafana = { + enable = true; + settings = { + security.admin_password = "$__file{${config.sops.secrets."services/grafana/admin_password".path}}"; + + server = { + domain = "grafana.noc.eh22.intern"; + root_url = "http://grafana.noc.eh22.intern/"; + http_addr = "127.0.0.1"; + http_port = 2342; + }; + + database = { + type = "postgres"; + user = "grafana"; + host = "/run/postgresql"; + }; + }; + }; + + postgresql = { + enable = true; + ensureDatabases = [ "grafana" ]; + ensureUsers = [ + { + name = "grafana"; + ensureDBOwnership = true; + } + ]; + }; + + nginx = { + enable = true; + virtualHosts.${config.services.grafana.settings.server.domain} = { + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}"; + proxyWebsockets = true; + }; }; }; }; - - services.nginx.virtualHosts.${config.services.grafana.domain} = { - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}"; - proxyWebsockets = true; - }; - }; - # DO NOT CHANGE # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible home-manager.users.noc.home.stateVersion = "24.11";
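Review bot: The new nginx virtual host serves Grafana over plain HTTP only (`root_url = "http://grafana.noc.eh22.intern/"`, and the firewall context line opens just port 80), so the admin password and the session cookie cross the NOC network unencrypted. Binding Grafana to `http_addr = "127.0.0.1"` and using the `/run/postgresql` socket are good, but the hop from client to nginx is the exposed one. If a certificate for the internal name can be issued, I would add `forceSSL = true;` with `sslCertificate`/`sslCertificateKey` on the virtual host, open 443, switch `root_url` to `https://` and set `security.cookie_secure = true;`. The enclosing attribute set starts and ends outside this hunk, so TLS may already be configured in a shared module that is not visible here.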