infrastructure/machines/core-services-01/monitoring.nix

{ config, pkgs, lib, ... }:
let
  my = config.my;
  realm = "ClubReseau";
  mkChildNode = { uuid, allowFrom }: { ... }@options: ''
    [${uuid}]
      enabled = yes
      default history = 10000
      default memory mode = dbengine
      health enabled by default = auto
      allow from = ${allowFrom}
  '';
  testClusterHypervisors = lib.attrValues {
    pve01 = {
      uuid = "ff9a34ec-2bf4-4389-a01a-6e242424e675";
      allowFrom = "*";
      # allowFrom = "fd85:27e8:0fc9::2";
    };
    pve02 = {
      uuid = "ed393d76-e325-48c4-be90-3d7a1d3066ee";
      allowFrom = "*";
      # allowFrom = "fd85:27e8:0fc9::3";
    };
    pve03 = {
      uuid = "abeeab1f-d4f4-4ca7-aabb-54ff28031f82";
      allowFrom = "*";
      # allowFrom = "fd85:27e8:0fc9::4";
    };
    pve04 = {
      uuid = "ee0f7cec-86f8-4fa2-8258-f7bf4172eb4b";
      allowFrom = "*";
      # allowFrom = "fd85:27e8:0fc9::5";
    };
  };
in
{
  services.netdata = {
    enable = true;
    #package = pkgs.netdata.overrideAttrs (old: {
    #  version = "1.36.0-185-nightly";
    #  src = pkgs.fetchFromGitHub {
    #    owner = "netdata";
    #    repo = "netdata";
    #    rev = "284d5450ec938b667db9985aca6d3cd02b96487f";
    #    sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc=";
    #    fetchSubmodules = true;
    #  };
    #});
  };

  systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1";

  # Allow WireGuard VPN
  networking.firewall.allowedUDPPorts = [ 51820 ];
  # Allow access to the raw netdata
  networking.firewall.interfaces.wgmon.allowedUDPPorts = [ 19999 ];
  networking.firewall.interfaces.wgmon.allowedTCPPorts = [ 19999 ];
  networking.wireguard.interfaces.wgmon = {
    ips = [ "fd85:27e8:0fc9::1/48" ];

    listenPort = 51820;

    privateKeyFile = "/etc/secrets/wgmon";
    generatePrivateKeyFile = true;

    peers = [
      { publicKey = "6IHA4e+UcCSx9+e5BZwLvzeZv5RWwqO1CCLJedN2nU4="; allowedIPs = [ "fd85:27e8:fc9::2/128" ]; }
      { publicKey = "xRdfylDpi8c+BRwDCxenRs6i4XWesdd75keWfKItZFo="; allowedIPs = [ "fd85:27e8:fc9::3/128" ]; }
      { publicKey = "rjodopHTEyD+DyDsNp8xyNC0KeZGH462Ls495NXT1VI="; allowedIPs = [ "fd85:27e8:fc9::4/128" ];}
      { publicKey = "IJRsrhzCRAHpaEHLZRNdPuDp25FXzuAm+CGmZDsRThk="; allowedIPs = [ "fd85:27e8:fc9::5/128" ]; }
      { publicKey = "oYsN1Qy+a7dwVOKapN5s5KJOmhSflLHZqh+GLMeNpHw="; allowedIPs = [ "fd85:27e8:fc9::6/128" ]; }
      # { publicKey = ""; allowedIPs = [ "fd85:27e8:fc9::7/128" ]; }
    ];
  };

  environment.etc."netdata/netdata.conf" = lib.mkForce {
    user = "netdata";
    group = "netdata";
    mode = "0600";
    text = ''
      [db]
      mode = dbengine
      storage tiers = 3
      update every = 1
      dbengine multihost disk space MB = 23000
      dbengine page cache size MB = 384
      dbengine tier 1 update every iterations = 60
      dbengine tier 1 multihost disk space MB = 10000
      dbengine tier 1 page cache size MB = 384
      dbengine tier 2 update every iterations = 3600
      dbengine tier 2 multihost disk space MB = 5000
      dbengine tier 2 page cache size MB = 384
    '';
  };

  environment.etc."netdata/stream.conf" = {
    user = "netdata";
    group = "netdata";
    mode = "0600";
    text = (lib.concatMapStringsSep "\n" (cfg: mkChildNode cfg {})
      ([
        # PVE01 hypervisor
        {
          uuid = "e245097d-bf52-4f66-9c10-984e8d5ee178";
          allowFrom = "10.1.1.10";
        }
        # Public COF server
        {
          uuid = "c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe";
          allowFrom = "10.1.1.21";
        }
      ] ++ testClusterHypervisors));
  };

  environment.etc."netdata/health_alarm_notify.conf" = {
    user = "netdata";
    group = "netdata";
    mode = "0600";
    text = ''
      # External tools
      nc="${pkgs.nmap}/bin/nc --ssl"

      # IRC configuration
      SEND_IRC="YES"
      DEFAULT_RECIPIENT_IRC="#réseau"
      IRC_NETWORK="ens.wtf"
      IRC_NICKNAME="core-services-01"
      IRC_REALNAME="KlubRZ Core Services 01"
    '';
  };

  services.oauth2_proxy = {
    enable = true;
    keyFile = config.age.secrets.oauth2ProxyKeyFile.path;
    provider = "keycloak-oidc";
    email.domains = [ "*" ];
    cookie = {
      name = "_oauth2_proxy_ensrz";
      domain = ".rz.ens.wtf";
    };
    setXauthrequest = true;
    scope = "openid";
    redirectURL = "https://monitoring.${my.subZone}/oauth2/callback";
    reverseProxy = true;
    passHostHeader = true;

    extraConfig = {
      whitelist-domain = [ ".rz.ens.wtf" ];
      oidc-issuer-url = "https://auth.${my.subZone}/auth/realms/${realm}";
      # insecure-oidc-allow-unverified-email = true;
      show-debug-on-error = true;
    };

    nginx = {
      virtualHosts = [ "monitoring.${my.subZone}" ];
    };
  };

  services.nginx = {
    enable = true;

    virtualHosts."monitoring.${my.subZone}" = {
      enableACME = true;
      forceSSL = true;

      locations."/" = {
        proxyPass = "http://localhost:19999";
        extraConfig = ''
          # For large authentication-authorization headers
          proxy_buffer_size          128k;
          proxy_buffers              4 256k;
          proxy_busy_buffers_size    256k;
        '';
      };
    };
  };

  # services.smartd = {
  #   enable = true;
  #   extraOptions = [ "-A /var/log/smartd/" ]; # For netdata
  # };
}
core01: generalize monitoring, open up a wgmon for external nodes 2022-05-14 20:21:12 +02:00			`{ config, pkgs, lib, ... }:`
Integrate core-services-01 in a nice workflow (#1) This enables the tracking of core-services-01 over the infrastructure repository. Co-authored-by: Gabriel DORIATH DOHLER <gabriel.doriath.dohler@ens.psl.eu> Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/1 Co-authored-by: raito <raito@noreply.git.rz.ens.wtf> Co-committed-by: raito <raito@noreply.git.rz.ens.wtf> 2021-07-26 01:29:05 +02:00			`let`
			`my = config.my;`
			`realm = "ClubReseau";`
core01: generalize monitoring, open up a wgmon for external nodes 2022-05-14 20:21:12 +02:00			`mkChildNode = { uuid, allowFrom }: { ... }@options: ''`
			`[${uuid}]`
			`enabled = yes`
			`default history = 10000`
			`default memory mode = dbengine`
			`health enabled by default = auto`
			`allow from = ${allowFrom}`
			`'';`
			`testClusterHypervisors = lib.attrValues {`
			`pve01 = {`
			`uuid = "ff9a34ec-2bf4-4389-a01a-6e242424e675";`
core01: allow *, unfirewall wgmon 2022-05-15 00:08:46 +02:00			`allowFrom = "*";`
			`# allowFrom = "fd85:27e8:0fc9::2";`
core01: generalize monitoring, open up a wgmon for external nodes 2022-05-14 20:21:12 +02:00			`};`
			`pve02 = {`
			`uuid = "ed393d76-e325-48c4-be90-3d7a1d3066ee";`
core01: allow *, unfirewall wgmon 2022-05-15 00:08:46 +02:00			`allowFrom = "*";`
			`# allowFrom = "fd85:27e8:0fc9::3";`
core01: generalize monitoring, open up a wgmon for external nodes 2022-05-14 20:21:12 +02:00			`};`
			`pve03 = {`
			`uuid = "abeeab1f-d4f4-4ca7-aabb-54ff28031f82";`
core01: allow *, unfirewall wgmon 2022-05-15 00:08:46 +02:00			`allowFrom = "*";`
			`# allowFrom = "fd85:27e8:0fc9::4";`
core01: generalize monitoring, open up a wgmon for external nodes 2022-05-14 20:21:12 +02:00			`};`
			`pve04 = {`
			`uuid = "ee0f7cec-86f8-4fa2-8258-f7bf4172eb4b";`
core01: allow *, unfirewall wgmon 2022-05-15 00:08:46 +02:00			`allowFrom = "*";`
			`# allowFrom = "fd85:27e8:0fc9::5";`
core01: generalize monitoring, open up a wgmon for external nodes 2022-05-14 20:21:12 +02:00			`};`
			`};`
Integrate core-services-01 in a nice workflow (#1) This enables the tracking of core-services-01 over the infrastructure repository. Co-authored-by: Gabriel DORIATH DOHLER <gabriel.doriath.dohler@ens.psl.eu> Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/1 Co-authored-by: raito <raito@noreply.git.rz.ens.wtf> Co-committed-by: raito <raito@noreply.git.rz.ens.wtf> 2021-07-26 01:29:05 +02:00			`in`
			`{`
monitoring: move to tiered dbengine with netdata nightly 2022-08-05 18:52:06 +02:00			`services.netdata = {`
			`enable = true;`
core-01: make it work for 23.05 2023-07-23 16:55:26 +02:00			`#package = pkgs.netdata.overrideAttrs (old: {`
			`# version = "1.36.0-185-nightly";`
			`# src = pkgs.fetchFromGitHub {`
			`# owner = "netdata";`
			`# repo = "netdata";`
			`# rev = "284d5450ec938b667db9985aca6d3cd02b96487f";`
			`# sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc=";`
			`# fetchSubmodules = true;`
			`# };`
			`#});`
monitoring: move to tiered dbengine with netdata nightly 2022-08-05 18:52:06 +02:00			`};`
Integrate core-services-01 in a nice workflow (#1) This enables the tracking of core-services-01 over the infrastructure repository. Co-authored-by: Gabriel DORIATH DOHLER <gabriel.doriath.dohler@ens.psl.eu> Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/1 Co-authored-by: raito <raito@noreply.git.rz.ens.wtf> Co-committed-by: raito <raito@noreply.git.rz.ens.wtf> 2021-07-26 01:29:05 +02:00
core01: try latest nightly for netdata and disable cloud 2022-10-09 14:43:29 +02:00			`systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1";`

core01: allow *, unfirewall wgmon 2022-05-15 00:08:46 +02:00			`# Allow WireGuard VPN`
			`networking.firewall.allowedUDPPorts = [ 51820 ];`
			`# Allow access to the raw netdata`
			`networking.firewall.interfaces.wgmon.allowedUDPPorts = [ 19999 ];`
			`networking.firewall.interfaces.wgmon.allowedTCPPorts = [ 19999 ];`
			`networking.wireguard.interfaces.wgmon = {`
core01: generalize monitoring, open up a wgmon for external nodes 2022-05-14 20:21:12 +02:00			`ips = [ "fd85:27e8:0fc9::1/48" ];`

			`listenPort = 51820;`

			`privateKeyFile = "/etc/secrets/wgmon";`
			`generatePrivateKeyFile = true;`

core01: allow *, unfirewall wgmon 2022-05-15 00:08:46 +02:00			`peers = [`
			`{ publicKey = "6IHA4e+UcCSx9+e5BZwLvzeZv5RWwqO1CCLJedN2nU4="; allowedIPs = [ "fd85:27e8:fc9::2/128" ]; }`
			`{ publicKey = "xRdfylDpi8c+BRwDCxenRs6i4XWesdd75keWfKItZFo="; allowedIPs = [ "fd85:27e8:fc9::3/128" ]; }`
			`{ publicKey = "rjodopHTEyD+DyDsNp8xyNC0KeZGH462Ls495NXT1VI="; allowedIPs = [ "fd85:27e8:fc9::4/128" ];}`
			`{ publicKey = "IJRsrhzCRAHpaEHLZRNdPuDp25FXzuAm+CGmZDsRThk="; allowedIPs = [ "fd85:27e8:fc9::5/128" ]; }`
			`{ publicKey = "oYsN1Qy+a7dwVOKapN5s5KJOmhSflLHZqh+GLMeNpHw="; allowedIPs = [ "fd85:27e8:fc9::6/128" ]; }`
			`# { publicKey = ""; allowedIPs = [ "fd85:27e8:fc9::7/128" ]; }`
			`];`
core01: generalize monitoring, open up a wgmon for external nodes 2022-05-14 20:21:12 +02:00			`};`

Headscale support (upgrade to latest nixpkgs) (#9) This adds Headscale support. It provides also an upgrade to Keycloak 18.0.0 (Quarkus distribution). It upgrades NextCloud from 22 to 23. Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/9 Co-authored-by: Ryan Lahfa <raito@noreply.git.rz.ens.wtf> Co-committed-by: Ryan Lahfa <raito@noreply.git.rz.ens.wtf> 2022-06-26 23:48:43 +02:00			`environment.etc."netdata/netdata.conf" = lib.mkForce {`
netdata: monitor pve01, alert #réseau over IRC, store more metrics (~2GiB) 2021-07-28 23:10:45 +02:00			`user = "netdata";`
			`group = "netdata";`
			`mode = "0600";`
			`text = ''`
monitoring: move to tiered dbengine with netdata nightly 2022-08-05 18:52:06 +02:00			`[db]`
			`mode = dbengine`
			`storage tiers = 3`
			`update every = 1`
			`dbengine multihost disk space MB = 23000`
			`dbengine page cache size MB = 384`
			`dbengine tier 1 update every iterations = 60`
			`dbengine tier 1 multihost disk space MB = 10000`
			`dbengine tier 1 page cache size MB = 384`
			`dbengine tier 2 update every iterations = 3600`
			`dbengine tier 2 multihost disk space MB = 5000`
			`dbengine tier 2 page cache size MB = 384`
netdata: monitor pve01, alert #réseau over IRC, store more metrics (~2GiB) 2021-07-28 23:10:45 +02:00			`'';`
			`};`

			`environment.etc."netdata/stream.conf" = {`
			`user = "netdata";`
			`group = "netdata";`
			`mode = "0600";`
core01: allow *, unfirewall wgmon 2022-05-15 00:08:46 +02:00			`text = (lib.concatMapStringsSep "\n" (cfg: mkChildNode cfg {})`
			`([`
			`# PVE01 hypervisor`
			`{`
			`uuid = "e245097d-bf52-4f66-9c10-984e8d5ee178";`
			`allowFrom = "10.1.1.10";`
			`}`
			`# Public COF server`
			`{`
			`uuid = "c48e6ef1-5cdf-408d-ae2f-86aadb14e3fe";`
			`allowFrom = "10.1.1.21";`
			`}`
			`] ++ testClusterHypervisors));`
netdata: monitor pve01, alert #réseau over IRC, store more metrics (~2GiB) 2021-07-28 23:10:45 +02:00			`};`

			`environment.etc."netdata/health_alarm_notify.conf" = {`
			`user = "netdata";`
			`group = "netdata";`
			`mode = "0600";`
			`text = ''`
			`# External tools`
core01: try latest nightly for netdata and disable cloud 2022-10-09 14:43:29 +02:00			`nc="${pkgs.nmap}/bin/nc --ssl"`
netdata: monitor pve01, alert #réseau over IRC, store more metrics (~2GiB) 2021-07-28 23:10:45 +02:00
			`# IRC configuration`
			`SEND_IRC="YES"`
			`DEFAULT_RECIPIENT_IRC="#réseau"`
			`IRC_NETWORK="ens.wtf"`
			`IRC_NICKNAME="core-services-01"`
			`IRC_REALNAME="KlubRZ Core Services 01"`
			`'';`
			`};`

Integrate core-services-01 in a nice workflow (#1) This enables the tracking of core-services-01 over the infrastructure repository. Co-authored-by: Gabriel DORIATH DOHLER <gabriel.doriath.dohler@ens.psl.eu> Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/1 Co-authored-by: raito <raito@noreply.git.rz.ens.wtf> Co-committed-by: raito <raito@noreply.git.rz.ens.wtf> 2021-07-26 01:29:05 +02:00			`services.oauth2_proxy = {`
			`enable = true;`
			`keyFile = config.age.secrets.oauth2ProxyKeyFile.path;`
monitoring: fix authentication via oauth2_proxy by moving to Keycloak-OIDC + many proxy buffer hacks 2022-08-05 17:52:21 +02:00			`provider = "keycloak-oidc";`
Integrate core-services-01 in a nice workflow (#1) This enables the tracking of core-services-01 over the infrastructure repository. Co-authored-by: Gabriel DORIATH DOHLER <gabriel.doriath.dohler@ens.psl.eu> Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/1 Co-authored-by: raito <raito@noreply.git.rz.ens.wtf> Co-committed-by: raito <raito@noreply.git.rz.ens.wtf> 2021-07-26 01:29:05 +02:00			`email.domains = [ "*" ];`
oauth2_proxy: add a cookie specific to *.rz.ens.wtf 2022-08-05 16:34:22 +02:00			`cookie = {`
			`name = "_oauth2_proxy_ensrz";`
			`domain = ".rz.ens.wtf";`
			`};`
Integrate core-services-01 in a nice workflow (#1) This enables the tracking of core-services-01 over the infrastructure repository. Co-authored-by: Gabriel DORIATH DOHLER <gabriel.doriath.dohler@ens.psl.eu> Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/1 Co-authored-by: raito <raito@noreply.git.rz.ens.wtf> Co-committed-by: raito <raito@noreply.git.rz.ens.wtf> 2021-07-26 01:29:05 +02:00			`setXauthrequest = true;`
monitoring: fix authentication via oauth2_proxy by moving to Keycloak-OIDC + many proxy buffer hacks 2022-08-05 17:52:21 +02:00			`scope = "openid";`
Integrate core-services-01 in a nice workflow (#1) This enables the tracking of core-services-01 over the infrastructure repository. Co-authored-by: Gabriel DORIATH DOHLER <gabriel.doriath.dohler@ens.psl.eu> Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/1 Co-authored-by: raito <raito@noreply.git.rz.ens.wtf> Co-committed-by: raito <raito@noreply.git.rz.ens.wtf> 2021-07-26 01:29:05 +02:00			`redirectURL = "https://monitoring.${my.subZone}/oauth2/callback";`
			`reverseProxy = true;`
			`passHostHeader = true;`

monitoring: fix authentication via oauth2_proxy by moving to Keycloak-OIDC + many proxy buffer hacks 2022-08-05 17:52:21 +02:00			`extraConfig = {`
			`whitelist-domain = [ ".rz.ens.wtf" ];`
			`oidc-issuer-url = "https://auth.${my.subZone}/auth/realms/${realm}";`
			`# insecure-oidc-allow-unverified-email = true;`
			`show-debug-on-error = true;`
			`};`

Integrate core-services-01 in a nice workflow (#1) This enables the tracking of core-services-01 over the infrastructure repository. Co-authored-by: Gabriel DORIATH DOHLER <gabriel.doriath.dohler@ens.psl.eu> Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/1 Co-authored-by: raito <raito@noreply.git.rz.ens.wtf> Co-committed-by: raito <raito@noreply.git.rz.ens.wtf> 2021-07-26 01:29:05 +02:00			`nginx = {`
			`virtualHosts = [ "monitoring.${my.subZone}" ];`
			`};`
			`};`

			`services.nginx = {`
			`enable = true;`

			`virtualHosts."monitoring.${my.subZone}" = {`
			`enableACME = true;`
			`forceSSL = true;`

monitoring: fix authentication via oauth2_proxy by moving to Keycloak-OIDC + many proxy buffer hacks 2022-08-05 17:52:21 +02:00			`locations."/" = {`
			`proxyPass = "http://localhost:19999";`
			`extraConfig = ''`
			`# For large authentication-authorization headers`
monitoring: move to tiered dbengine with netdata nightly 2022-08-05 18:52:06 +02:00			`proxy_buffer_size 128k;`
			`proxy_buffers 4 256k;`
			`proxy_busy_buffers_size 256k;`
monitoring: fix authentication via oauth2_proxy by moving to Keycloak-OIDC + many proxy buffer hacks 2022-08-05 17:52:21 +02:00			`'';`
			`};`
Integrate core-services-01 in a nice workflow (#1) This enables the tracking of core-services-01 over the infrastructure repository. Co-authored-by: Gabriel DORIATH DOHLER <gabriel.doriath.dohler@ens.psl.eu> Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/1 Co-authored-by: raito <raito@noreply.git.rz.ens.wtf> Co-committed-by: raito <raito@noreply.git.rz.ens.wtf> 2021-07-26 01:29:05 +02:00			`};`
			`};`

			`# services.smartd = {`
			`# enable = true;`
			`# extraOptions = [ "-A /var/log/smartd/" ]; # For netdata`
			`# };`
			`}`