EH22/nox
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

grafana: get grafana running

Browse source
This commit is contained in:
chris 2025-03-08 00:41:23 +01:00
parent 47d2d6db2e
commit eafb8ad1b7
Signed by: c6ristian
SSH key fingerprint: SHA256:B3m+yzpaxGXSEcDBpPHfvza/DNC0wuX+CKMeGq8wgak
3 changed files with 65 additions and 32 deletions

2
.sops.yaml
View file

@ -1,9 +1,11 @@
keys: keys:
- &ccchh_pass "age1egd6nutd7y8x5kd3uqxjpu326u9rz2vsqth2ss8nhvjlts3ukgrqsj2a92" - &ccchh_pass "age1egd6nutd7y8x5kd3uqxjpu326u9rz2vsqth2ss8nhvjlts3ukgrqsj2a92"
- &user_lilly "age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d" - &user_lilly "age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d"
- &host_grafana "age1kr0vjyd0fmpccshm4kl2uw5jujh48r7vzhecvqgaf58cvdha79csaw7hz5"
creation_rules: creation_rules:
- path_regex: secrets/passwords.yaml - path_regex: secrets/passwords.yaml
key_groups: key_groups:
- age: - age:
- *ccchh_pass - *ccchh_pass
- *user_lilly - *user_lilly
- *host_grafana

37
secrets/passwords.yaml
View file

@ -4,6 +4,8 @@ services:
noc_token: ENC[AES256_GCM,data:7WrIXDtjYKRVgA+r2iVcaT4zf+ftRTEQDEduu77j3RkvSX1e2UCNvg==,iv:B1r+wHg3AJKVj7PKS34G9FD/2Q1yngXdueqVJ0JIfY0=,tag:1w9FO2fPPK0gkInrtEZyBg==,type:str] noc_token: ENC[AES256_GCM,data:7WrIXDtjYKRVgA+r2iVcaT4zf+ftRTEQDEduu77j3RkvSX1e2UCNvg==,iv:B1r+wHg3AJKVj7PKS34G9FD/2Q1yngXdueqVJ0JIfY0=,tag:1w9FO2fPPK0gkInrtEZyBg==,type:str]
proxmox: proxmox:
root: ENC[AES256_GCM,data:RVv1d/nB9pgcERkujSasoLY+cR3OO3NWxw==,iv:EHkUDxP6XB2JWeDtno2rcVvBQdJ/jmG5HjRjPppfS0A=,tag:obzij0BkGLJoXfUbqWLRjw==,type:str] root: ENC[AES256_GCM,data:RVv1d/nB9pgcERkujSasoLY+cR3OO3NWxw==,iv:EHkUDxP6XB2JWeDtno2rcVvBQdJ/jmG5HjRjPppfS0A=,tag:obzij0BkGLJoXfUbqWLRjw==,type:str]
grafana:
admin_password: ENC[AES256_GCM,data:EimHeXiWzrzDVHnqmfAs+6/jsNp0cyVRJQu8U7drsP4=,iv:WmpPZstgTru8AHg5VeKRhfFdc0r5J9OWhCHdCzw/g+E=,tag:uftQ1kgj8LAuFB+MLSqnJw==,type:str]
hardware: hardware:
proxmox_server: proxmox_server:
ipmi: ipmi:
@ -12,8 +14,6 @@ vms:
__default__: __default__:
users: users:
noc: ENC[AES256_GCM,data:4XsNofA6Qk8MphMBDSUrAq43RF/d1x7lDg==,iv:ecS8GEZhK5X9GOq2SNDIh7ZWyfHA7kayszqCHyQj+Pc=,tag:fVC2+ztLpewhB9p6EwMtCg==,type:str] noc: ENC[AES256_GCM,data:4XsNofA6Qk8MphMBDSUrAq43RF/d1x7lDg==,iv:ecS8GEZhK5X9GOq2SNDIh7ZWyfHA7kayszqCHyQj+Pc=,tag:fVC2+ztLpewhB9p6EwMtCg==,type:str]
grafana:
admin_password: ENC[AES256_GCM,data:xwjYXJkK+2PZ8uu8vnX4Gy5CRWXJuBfG+NBX+qIVruo=,iv:WWMjUmDZzjjvTjT5A1nEdpxgpWGWCc3D8k/kjrNxYtc=,tag:nbI+aCwN+n/iACjwvk0ljw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -23,23 +23,32 @@ sops:
- recipient: age1egd6nutd7y8x5kd3uqxjpu326u9rz2vsqth2ss8nhvjlts3ukgrqsj2a92 - recipient: age1egd6nutd7y8x5kd3uqxjpu326u9rz2vsqth2ss8nhvjlts3ukgrqsj2a92
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNlR6c1djamw2ZmpYb3pE YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4c0ZhN3QwVFZTYlFKbXk1
TDZBSlI1emJRWlZGRmJJbElXRlp4V0lUVWhzCm9EeWxqKy8xaVpNUXRIcUNNZGRj NzJQRlFlL1JydStkS1dTcGhlaHlGVGRSTEFVCjFRM2hjQThiRmZYNnltVVp1NzJx
R2dzN3IwZEJ4ajRMUmZnY2hwVWRNNlkKLS0tIE9TcE1NWUdaQ2x0My9QNDYwQjZO alRPV0k1RW10THJWelREakw5Z2dldncKLS0tIFZjZno1M21pcjJnQTRYRElIYkJJ
K2pYWmV3WjkyRmdPYlRqakRndlJ4V0UKERTgFxUlywU3zZZ1VFeBjPrMG1kbWM9u K2VMREVlZXhLRG9xU25WaE4wakYwcVkKvyyTdK47i6+Ljc6HL7e0UZejQLA+H7Ve
yz37P+dEj5c7djQFymyQInaAN9HgxoKZg+ouqaaUHIpp/pCGThFo3Q== s6Z0CIXUeEz5OM2G8+Wi6Fyjbk2QJXMjGdxp6KzKcl8k6/18u5K5PQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d - recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bU1Gd09tQ1FHYlJ2WWRZ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVmxSTGVxMUVUQ2dkRCtR
Ni9RdVhMaUI0bEEyd0pZaWNqQVlOZGRUMGtRClFRV0todlpDYmkxVjE3OFRZa3VQ cUNvMllXcVZ4NzRMQUZ0TmovUmx3ejlDT0VZCmYrc2ZPUzgyV3I5M09KOVZtTzVJ
aXpLUGhlNFFGcjJHTzRlNk5qSEttSG8KLS0tIGJ5cFNhREw1KzZ5bjlBUFlLSzRs b2J4d1lBOUkyOFdlNzZ2UkJITXJpVXcKLS0tIGFTRytiQjI5bEtKQVAwODd3ZWxk
YW1BSERaOURtVGpMSnRiTkJyaDR3OTQK3pXGQU1SoUKdmLKUe88e8/BjqPjmdhke c3hDOEdrYktaOVNMN0tncWlJbFd6WVkK2fbjE4ARoMbyhBKwQY4GFolX//T7nWAC
bP7DHbpvk4xG2Z3fnacihDCwiBASn2Wu350hl1WoM5pzMiqmS84X9Q== 5r57ObE1a6ENdTNA/IzmegWqEb6ZIWlkZSf8eHlYhVgtT4uib7HZng==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-04T21:26:03Z" - recipient: age1kr0vjyd0fmpccshm4kl2uw5jujh48r7vzhecvqgaf58cvdha79csaw7hz5
mac: ENC[AES256_GCM,data:QS1Aq8aUqfOmBwOAbZDlG3Y5CLKWk9u5YQkqzp1i8RvbeXMOOgPj+73kshI8m5QOtMiOGNlnkR0gMD3XIuK/57yte1ir0oWtlrT88yyPLLqwDA16XjPQ61iCHoZQUg8au/+bzYe1uswiKme80FYTIFQfxqtByxFg66244wLiAPE=,iv:e86pdwGXrEMiFj0Rzrz//UKBTCyN63EA1KGJS1x+YQo=,tag:zuIVf2kMQEZReGL72dOj5A==,type:str] enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQb0ZlU2dzT0w2djBub2Rx
ZmV5aStZOTlSdXZEbXNxYXBESmpCckwzWDNFCmIxQjRuakR4aWVnM3E0elkvd2xX
ZGJuK3NEL1RBZDB0WXV5M2VieHBnUkEKLS0tIEtXN2xQVVVjamtPSDhNVW5qaXdC
SHhiSU5PZmpUakZvQVNtYk5nUk1tZjAKyHND2LZuuBciy7toDLrAH47kyWcGAN7c
ORrD03DBoEV7mjBY86Hl3SaLKHxlBXsB93OOWqeZrvHlbki+qn/OZA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-07T23:08:48Z"
mac: ENC[AES256_GCM,data:lUivE03Wq9mRDLwVpazQFrc0XxqXhK0pFLYvU+Y/dMB+z7LJ1Y9S9uGmaZwApwv3FTiSiCjBqVse4ok2FXokvxAPoCnJ5tGw7gq93XY/e/MBXDO40C9ltc1ilmsueCX7f8ZDjg2LfH2LRLYltVhyAekpaiaY9Cv5EUOU635xRp4=,iv:QH9ot5PiWQ+IuOdA6Hv3PuHgw5BnN1PsZe0032IJjjI=,tag:5HU0UNHVm4AxcyUxBbRuGQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4

38
systems/grafana.noc.eh22.intern.nix
View file

@ -1,8 +1,6 @@
{ {
pkgs, pkgs,
config, config,
modulesPath,
lib,
... ...
}: }:
{ {
@ -10,7 +8,7 @@
sops = { sops = {
defaultSopsFile = ../secrets/passwords.yaml; defaultSopsFile = ../secrets/passwords.yaml;
secrets."vms/grafana/admin_password" = { secrets."services/grafana/admin_password" = {
mode = "0440"; mode = "0440";
owner = "grafana"; owner = "grafana";
group = "grafana"; group = "grafana";
@ -33,24 +31,48 @@
networking.firewall.allowedTCPPorts = [ 80 ]; networking.firewall.allowedTCPPorts = [ 80 ];
services.grafana = { services = {
grafana = {
enable = true; enable = true;
settings = { settings = {
security.admin_password = "$__file{${config.sops.secrets."vms/grafana/admin_password".path}}"; security.admin_password = "$__file{${config.sops.secrets."services/grafana/admin_password".path}}";
server = { server = {
domain = "grafana.noc.eh22.intern"; domain = "grafana.noc.eh22.intern";
root_url = "http://grafana.noc.eh22.intern/"; root_url = "http://grafana.noc.eh22.intern/";
http_addr = "127.0.0.1";
http_port = 2342;
};
database = {
type = "postgres";
user = "grafana";
host = "/run/postgresql";
}; };
}; };
}; };
services.nginx.virtualHosts.${config.services.grafana.domain} = { postgresql = {
enable = true;
ensureDatabases = [ "grafana" ];
ensureUsers = [
{
name = "grafana";
ensureDBOwnership = true;
}
];
};
nginx = {
enable = true;
virtualHosts.${config.services.grafana.settings.server.domain} = {
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}"; proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
};
};
# DO NOT CHANGE # DO NOT CHANGE
# this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
home-manager.users.noc.home.stateVersion = "24.11"; home-manager.users.noc.home.stateVersion = "24.11";