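# Define a function which returns a value which fills in all the holes left by
# ``monitoring.nix``.
{ # A set mapping VPN IP addresses as strings to lists of hostnames as
  # strings.  The system's ``/etc/hosts`` will be populated with this
  # information.  Apart from helping with normal forward resolution, this
  # *also* gives us reverse resolution from the VPN IPs to hostnames which
  # allows Grafana to show us hostnames instead of VPN IP addresses.
  hostsMap
  # See ``customize-issuer.nix``.
, publicKeyPath
, privateKeyPath
, monitoringvpnIPv4
, domain
, letsEncryptAdminEmail
  # A list of VPN IP addresses as strings indicating which clients will be
  # allowed onto the VPN.
, vpnClientIPs
  # A list of VPN clients (IP addresses or hostnames) as strings indicating
  # which nodes to scrape "nodeExporter" metrics from.
, nodeExporterTargets
  # A list of VPN clients (IP addresses or hostnames) as strings indicating
  # which nodes to scrape "nginxExporter" metrics from.
, nginxExporterTargets ? []
  # A list of VPN clients (IP addresses or hostnames) as strings indicating
  # which nodes to scrape PaymentServer metrics from.
, paymentExporterTargets ? []
  # A string containing the GSuite OAuth2 ClientID to use to authenticate
  # logins to Grafana.  An empty string disables Grafana SSO.
, googleOAuthClientID
  # A string giving the NixOS state version for the system.
, stateVersion
, ...
}:
{ config, ... }:
let
  # The fully-qualified name of this host.  It is both the morph deployment
  # target and the public name Grafana serves under, so compute it once to
  # keep the two in agreement.
  fqdn = "${config.networking.hostName}.${config.networking.domain}";

  # Describe a morph secret that belongs to Grafana.  The file named ``name``
  # is taken from ``privateKeyPath`` and delivered to ``/run/keys`` readable
  # only by the Grafana service user; Grafana is restarted so it picks up the
  # new value.
  grafanaSecret = name: {
    source = "${privateKeyPath}/${name}";
    destination = "/run/keys/${name}";
    owner.user = config.systemd.services.grafana.serviceConfig.User;
    owner.group = config.users.users.grafana.group;
    permissions = "0400";
    action = ["sudo" "systemctl" "restart" "grafana.service"];
  };

  # When Grafana SSO is disabled there is not necessarily any client secret
  # available.  Avoid telling morph that there is one in this case (so it
  # avoids trying to read it and then failing).  Even if the secret did
  # exist, if SSO is disabled there's no point sending the secret to the
  # server.
  #
  # Also, we have to define this whole secret here so that we can configure
  # it completely or not at all.  morph gets angry if we half configure it
  # (say, by just omitting the "source" value).
  #
  # NOTE(review): "grafana-admin-password" is gated on SSO being enabled as
  # well, so with an empty googleOAuthClientID no admin password secret is
  # deployed at all -- confirm against monitoring.nix that this is intended.
  grafanaSSO =
    if googleOAuthClientID == ""
    then { }
    else {
      "grafana-google-sso-secret" = grafanaSecret "grafana-google-sso.secret";
      "grafana-admin-password" = grafanaSecret "grafana-admin.password";
    };

  # Key material for the monitoring VPN server.  Only ``source`` is given
  # here; destination, owner and permissions are left to morph's defaults.
  monitoringvpn = {
    "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
    "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
  };
in
{
  # See customize-issuer.nix for an explanation of the targetHost value.
  deployment.targetHost = fqdn;

  deployment.secrets = grafanaSSO // monitoringvpn;

  networking.domain = domain;
  networking.hosts = hostsMap;

  services.private-storage.monitoring.vpn.server = {
    enable = true;
    ip = monitoringvpnIPv4;
    inherit vpnClientIPs;
    # Client public keys are read from the public (non-secret) key tree.
    pubKeysPath = "${publicKeyPath}/monitoringvpn";
  };

  services.private-storage.monitoring.prometheus = {
    inherit nodeExporterTargets;
    inherit nginxExporterTargets;
    inherit paymentExporterTargets;
  };

  services.private-storage.monitoring.grafana = {
    inherit letsEncryptAdminEmail;
    inherit googleOAuthClientID;
    # Must match the name clients (and Let's Encrypt) reach this host by.
    domain = fqdn;
  };

  system.stateVersion = stateVersion;
}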