feat(gs/mugwump): Add prometheus+grafana

Add config for prometheus+grafana to mugwump, served at metrics.gws.fyi
with an Acme SSL cert.

Change-Id: Icc22b5079a24edbc4469233e938f926d92f63eb3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2024
Reviewed-by: glittershark <grfn@gws.fyi>
Tested-by: BuildkiteCI
This commit is contained in:
Griffin Smith 2020-10-05 10:44:22 -04:00 committed by glittershark
parent bc8bac74d7
commit ca4d698cb0

View file

@ -1,9 +1,10 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
with lib;
{ {
imports = [ imports = [
../modules/common.nix ../modules/common.nix
../modules/tvl.nix
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
@ -52,7 +53,7 @@
}; };
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 22 ]; networking.firewall.allowedTCPPorts = [ 22 80 443 ];
security.sudo.extraRules = [{ security.sudo.extraRules = [{
groups = ["wheel"]; groups = ["wheel"];
@ -71,4 +72,78 @@
passwordAuthentication = false; passwordAuthentication = false;
permitRootLogin = "no"; permitRootLogin = "no";
}; };
services.grafana = {
enable = true;
port = 3000;
domain = "metrics.gws.fyi";
rootUrl = "https://metrics.gws.fyi";
dataDir = "/var/lib/grafana";
analytics.reporting.enable = false;
provision = {
enable = true;
datasources = [{
name = "Prometheus";
type = "prometheus";
url = "localhost:9090";
}];
};
};
security.acme.email = "root@gws.fyi";
security.acme.acceptTerms = true;
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts = {
"metrics.gws.fyi" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.grafana.port}";
};
};
};
};
services.prometheus = {
enable = true;
exporters = {
node = {
enable = true;
openFirewall = false;
enabledCollectors = [
"processes"
"systemd"
"tcpstat"
"wifi"
];
};
nginx = {
enable = true;
openFirewall = true;
};
};
scrapeConfigs = [{
job_name = "node";
scrape_interval = "5s";
static_configs = [{
targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"];
}];
}];
};
security.acme.certs."metrics.gws.fyi" = {
dnsProvider = "namecheap";
credentialsFile = "/etc/secrets/namecheap.env";
webroot = mkForce null;
};
} }