# Runs the TVL Monitoring setup (currently Grafana + Prometheus).
{ depot, pkgs, config, lib, ... }:

let
  # All three Keycloak OIDC endpoints below share this prefix.
  oidcBase = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect";

  # Every exporter is scraped on localhost, every 5 seconds, on the port
  # the corresponding NixOS exporter module assigns.
  localScrapeJob = name: port: {
    job_name = name;
    scrape_interval = "5s";
    static_configs = [{
      targets = [ "localhost:${toString port}" ];
    }];
  };

  exporterCfg = config.services.prometheus.exporters;
in
{
  # The nginx exporter reads nginx's status page; without it the "nginx"
  # scrape job below has nothing to collect.
  services.nginx.statusPage = true;

  # Prometheus itself. Exporter configuration for the individual services
  # lives in their own modules.
  services.prometheus = {
    enable = true;
    retentionTime = "90d";

    exporters = {
      node = {
        enable = true;
        enabledCollectors = [ "logind" "processes" "systemd" ];
      };

      nginx = {
        enable = true;
        # NOTE(review): turns off TLS verification for the exporter's own
        # scrape of the status page. That is harmless when the scrape URI is
        # plain http on localhost (not shown here) — confirm it is not aimed
        # at a remote https endpoint.
        sslVerify = false;
        constLabels = [ "host=${config.networking.hostName}" ];
      };
    };

    # Order matters only for readability; node first, nginx second as before.
    scrapeConfigs = [
      (localScrapeJob "node" exporterCfg.node.port)
      (localScrapeJob "nginx" exporterCfg.nginx.port)
    ];
  };

  # Grafana, reachable publicly under status.tvl.su, authenticating
  # against the TVL Keycloak realm.
  services.grafana = {
    enable = true;

    settings = {
      server = {
        http_port = 4723; # "graf" on phone keyboard
        domain = "status.tvl.su";
        root_url = "https://status.tvl.su";
      };

      # TODO(sterni): is former default of NixOS module, rotate key
      # NOTE(review): this literal is baked into the (world-readable) Nix
      # store, so the key should be treated as public. Grafana can expand
      # $__env{GF_SECURITY_SECRET_KEY} / $__file{...} here instead, so the
      # rotated key can ride along in the EnvironmentFile declared below.
      security.secret_key = "SW2YcwTIb9zpOOhoPsMm";

      analytics.reporting_enabled = false;

      "auth.generic_oauth" = {
        enabled = true;
        client_id = "grafana";
        scopes = "openid profile email";
        name = "TVL";
        email_attribute_path = "mail";
        login_attribute_path = "sub";
        name_attribute_path = "displayName";
        auth_url = "${oidcBase}/auth";
        token_url = "${oidcBase}/token";
        api_url = "${oidcBase}/userinfo";

        # lukegb, aspen and tazjin get "Admin"; everyone else who can log in
        # through the realm falls through to "Editor".
        role_attribute_path = "((sub == 'lukegb' || sub == 'aspen' || sub == 'tazjin') && 'Admin') || 'Editor'";

        # Grafana accounts are created on first OAuth login; combined with
        # the fallback above, any realm user can edit dashboards.
        allow_sign_up = true;
      };

      # Dashboards are readable without logging in (Viewer only).
      "auth.anonymous" = {
        enabled = true;
        org_name = "The Virus Lounge";
        org_role = "Viewer";
      };

      # Password login is off entirely: OAuth is the only interactive path.
      "auth.basic" = { enabled = false; };

      auth = {
        oauth_auto_login = true;
        disable_login_form = true;
      };
    };

    # Point Grafana at the local Prometheus instance.
    provision = {
      enable = true;
      datasources.settings.datasources = [{
        name = "Prometheus";
        type = "prometheus";
        url = "http://localhost:9090";
      }];
    };
  };

  # Contains GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET. Kept as `+` on purpose:
  # interpolating a path value into a string would copy it into the store.
  systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secretsDir + "/grafana";
}