diff --git a/users/glittershark/system/system/machines/mugwump.nix b/users/glittershark/system/system/machines/mugwump.nix index 9521f5788..a2c207c4b 100644 --- a/users/glittershark/system/system/machines/mugwump.nix +++ b/users/glittershark/system/system/machines/mugwump.nix @@ -1,9 +1,10 @@ { config, lib, pkgs, modulesPath, ... }: +with lib; + { imports = [ ../modules/common.nix - ../modules/tvl.nix (modulesPath + "/installer/scan/not-detected.nix") ]; @@ -52,7 +53,7 @@ }; networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ 22 ]; + networking.firewall.allowedTCPPorts = [ 22 80 443 ]; security.sudo.extraRules = [{ groups = ["wheel"]; @@ -71,4 +72,78 @@ passwordAuthentication = false; permitRootLogin = "no"; }; + + services.grafana = { + enable = true; + port = 3000; + domain = "metrics.gws.fyi"; + rootUrl = "https://metrics.gws.fyi"; + dataDir = "/var/lib/grafana"; + analytics.reporting.enable = false; + + provision = { + enable = true; + datasources = [{ + name = "Prometheus"; + type = "prometheus"; + url = "localhost:9090"; + }]; + }; + }; + + security.acme.email = "root@gws.fyi"; + security.acme.acceptTerms = true; + + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + + virtualHosts = { + "metrics.gws.fyi" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:${toString config.services.grafana.port}"; + }; + }; + }; + }; + + services.prometheus = { + enable = true; + exporters = { + node = { + enable = true; + openFirewall = false; + + enabledCollectors = [ + "processes" + "systemd" + "tcpstat" + "wifi" + ]; + }; + + nginx = { + enable = true; + openFirewall = true; + }; + }; + + scrapeConfigs = [{ + job_name = "node"; + scrape_interval = "5s"; + static_configs = [{ + targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"]; + }]; + }]; + }; + + security.acme.certs."metrics.gws.fyi" = { + dnsProvider = "namecheap"; + credentialsFile = "/etc/secrets/namecheap.env"; + webroot = mkForce null; + }; }