# Grafana Server
#
# Scope: Beautiful plots of time series data retrieved from Prometheus
# See https://christine.website/blog/prometheus-grafana-loki-nixos-2020-11-20
{ config, lib, ... }:
let
cfg = config.services.private-storage.monitoring.grafana;
in {
# Options exposed by this module. All three are plain strings; no further
# validation of the values is done here.
options.services.private-storage.monitoring.grafana =
  let
    inherit (lib) mkOption literalExample;
    inherit (lib.types) str;
  in {
    # No default: the deployment has to set this. The value is passed to
    # services.grafana.domain, which in turn names the nginx virtual host.
    domain = mkOption {
      type = str;
      example = literalExample "grafana.grid.private.storage";
      description = "The FQDN of the Grafana host";
    };

    # Prometheus data source URL. The default is plain HTTP to localhost.
    # NOTE(review): if this is pointed at another host with an http:// URL,
    # queries and results are not encrypted by this module -- confirm the
    # link is protected some other way.
    prometheusUrl = mkOption {
      type = str;
      default = "http://localhost:9090/";
      example = literalExample "http://prometheus:9090/";
      description = "The URL of the Prometheus host to access";
    };

    # Loki data source URL; same transport caveat as prometheusUrl, and log
    # lines may carry more sensitive content than metrics.
    lokiUrl = mkOption {
      type = str;
      default = "http://localhost:3100/";
      example = literalExample "http://loki:3100/";
      description = "The URL of the Loki host to access";
    };
  };
config = {
# Inbound TCP: 80 is open for ACME certificate retrieval only, 443 carries
# the nginx -> grafana traffic.
# NOTE(review): allowedTCPPorts opens these ports on every interface. If the
# dashboard is meant to be reachable only from a management network, consider
# networking.firewall.interfaces.<name>.allowedTCPPorts instead.
networking.firewall = {
  allowedTCPPorts = [ 80 443 ];
};
# Grafana listens on loopback only; outside access goes through the nginx
# virtual host defined in this module.
services.grafana = {
  enable = true;
  domain = cfg.domain;
  addr = "127.0.0.1";
  port = 2342;

  # Anonymous access is switched on so that no user/pass prompt is shown.
  # NOTE(review): every client that can reach the nginx virtual host is
  # treated as an Admin of "Main Org." without authenticating. Admin can
  # change data sources, dashboards and users, not just view plots. A
  # lower role such as "Viewer" would still skip the login prompt. Confirm
  # that network-level access control in front of this host justifies Admin.
  auth.anonymous = {
    enable = true;
    org_name = "Main Org.";
    org_role = "Admin";
  };
};
# Declarative provisioning of Grafana data sources and dashboards.
services.grafana.provision =
  let
    # access = "proxy": the Grafana server issues the queries to the data
    # source, not the browser. Anyone allowed to use Grafana can therefore
    # query these backends through it, even though the URLs default to
    # localhost.
    prometheusSource = {
      name = "Prometheus";
      type = "prometheus";
      url = cfg.prometheusUrl;
      access = "proxy";
      isDefault = true;
    };

    # Loki holds log data; review who may read it via Grafana.
    lokiSource = {
      name = "Loki";
      type = "loki";
      url = cfg.lokiUrl;
      access = "proxy";
    };
  in {
    enable = true;

    # See https://grafana.com/docs/grafana/latest/administration/provisioning/#datasources
    datasources = [ prometheusSource lokiSource ];

    # See https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards
    # Dashboards are loaded from the grafana-config directory next to this file.
    dashboards = [
      {
        name = "provisioned";
        options.path = ./grafana-config;
      }
    ];
  };
# nginx reverse proxy: serves the Grafana domain over TLS and forwards
# requests to the Grafana instance on loopback.
services.nginx =
  let
    grafana = config.services.grafana;
  in {
    enable = true;

    # Yes, use the NixOS recommended settings:
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Only allow PFS-enabled ciphers with AES256 and no anonymous suites.
    # NOTE(review): this OpenSSL cipher string governs TLS 1.2 and earlier
    # only, and it also matches CBC-mode AES256 suites. TLS 1.3 suites are
    # not selected here. Confirm the resulting protocol/cipher set with a
    # scanner against the deployed host.
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    virtualHosts."${grafana.domain}" = {
      # Certificate is obtained via ACME; the vhost is HTTPS-only.
      # NOTE(review): confirm the ACME HTTP challenge on port 80 is still
      # answered for this host when onlySSL is set.
      enableACME = true;
      onlySSL = true;

      # Everything under / goes to Grafana; websocket upgrade is enabled.
      # nginx itself performs no authentication on this location.
      locations."/".proxyPass = "http://127.0.0.1:${toString grafana.port}";
      locations."/".proxyWebsockets = true;
    };
  };
};
}