feat(gs/mugwump): Add prometheus+grafana

Add config for prometheus+grafana to mugwump, served at metrics.gws.fyi with an Acme SSL cert. Change-Id: Icc22b5079a24edbc4469233e938f926d92f63eb3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2024 Reviewed-by: glittershark <grfn@gws.fyi> Tested-by: BuildkiteCI
2020-10-05 10:44:22 -04:00 · 2020-10-05 10:44:22 -04:00 · ca4d698cb0
commit ca4d698cb0
parent bc8bac74d7
1 changed files with 77 additions and 2 deletions
--- a/users/glittershark/system/system/machines/mugwump.nix
+++ b/users/glittershark/system/system/machines/mugwump.nix
@ -1,9 +1,10 @@
 { config, lib, pkgs, modulesPath, ... }:

+with lib;
+
 {
  imports = [
    ../modules/common.nix
-    ../modules/tvl.nix
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

@ -52,7 +53,7 @@
  };

  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [ 22 ];
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];

  security.sudo.extraRules = [{
    groups = ["wheel"];
@ -71,4 +72,78 @@
    passwordAuthentication = false;
    permitRootLogin = "no";
  };
+
+  services.grafana = {
+    enable = true;
+    port = 3000;
+    domain = "metrics.gws.fyi";
+    rootUrl = "https://metrics.gws.fyi";
+    dataDir = "/var/lib/grafana";
+    analytics.reporting.enable = false;
+
+    provision = {
+      enable = true;
+      datasources = [{
+        name = "Prometheus";
+        type = "prometheus";
+        url = "localhost:9090";
+      }];
+    };
+  };
+
+  security.acme.email = "root@gws.fyi";
+  security.acme.acceptTerms = true;
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      "metrics.gws.fyi" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://localhost:${toString config.services.grafana.port}";
+        };
+      };
+    };
+  };
+
+  services.prometheus = {
+    enable = true;
+    exporters = {
+      node = {
+        enable = true;
+        openFirewall = false;
+
+        enabledCollectors = [
+          "processes"
+          "systemd"
+          "tcpstat"
+          "wifi"
+        ];
+      };
+
+      nginx = {
+        enable = true;
+        openFirewall = true;
+      };
+    };
+
+    scrapeConfigs = [{
+      job_name = "node";
+      scrape_interval = "5s";
+      static_configs = [{
+        targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"];
+      }];
+    }];
+  };
+
+  security.acme.certs."metrics.gws.fyi" = {
+    dnsProvider = "namecheap";
+    credentialsFile = "/etc/secrets/namecheap.env";
+    webroot = mkForce null;
+  };
 }