mirror of
https://github.com/nmasur/dotfiles
synced 2024-11-22 14:35:37 +00:00
add victoriametrics
This commit is contained in:
parent
edb4ec77ca
commit
0f0a64b5c4
@ -57,7 +57,8 @@ inputs.nixpkgs.lib.nixosSystem {
|
|||||||
services.nextcloud.enable = true;
|
services.nextcloud.enable = true;
|
||||||
services.calibre-web.enable = true;
|
services.calibre-web.enable = true;
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
services.prometheus.enable = true;
|
services.prometheus.enable = false;
|
||||||
|
services.vmagent.enable = true;
|
||||||
services.samba.enable = true;
|
services.samba.enable = true;
|
||||||
|
|
||||||
cloudflareTunnel = {
|
cloudflareTunnel = {
|
||||||
|
@ -10,8 +10,9 @@
|
|||||||
config.boot.zfs.package.latestCompatibleLinuxPackages;
|
config.boot.zfs.package.latestCompatibleLinuxPackages;
|
||||||
boot.kernelParams = [ "nohibernate" ];
|
boot.kernelParams = [ "nohibernate" ];
|
||||||
boot.supportedFilesystems = [ "zfs" ];
|
boot.supportedFilesystems = [ "zfs" ];
|
||||||
services.prometheus.exporters.zfs.enable = true;
|
services.prometheus.exporters.zfs.enable =
|
||||||
scrapeTargets = [
|
config.prometheus.exporters.enable;
|
||||||
|
prometheus.scrapeTargets = [
|
||||||
"127.0.0.1:${
|
"127.0.0.1:${
|
||||||
builtins.toString config.services.prometheus.exporters.zfs.port
|
builtins.toString config.services.prometheus.exporters.zfs.port
|
||||||
}"
|
}"
|
||||||
|
@ -24,6 +24,7 @@
|
|||||||
./sshd.nix
|
./sshd.nix
|
||||||
./transmission.nix
|
./transmission.nix
|
||||||
./vaultwarden.nix
|
./vaultwarden.nix
|
||||||
|
./victoriametrics.nix
|
||||||
./wireguard.nix
|
./wireguard.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -13,7 +13,12 @@
|
|||||||
match = [{ host = [ config.hostnames.metrics ]; }];
|
match = [{ host = [ config.hostnames.metrics ]; }];
|
||||||
handle = [{
|
handle = [{
|
||||||
handler = "reverse_proxy";
|
handler = "reverse_proxy";
|
||||||
upstreams = [{ dial = "localhost:3000"; }];
|
upstreams = [{
|
||||||
|
dial = "localhost:${
|
||||||
|
builtins.toString
|
||||||
|
config.services.grafana.settings.server.http_port
|
||||||
|
}";
|
||||||
|
}];
|
||||||
}];
|
}];
|
||||||
}];
|
}];
|
||||||
|
|
||||||
|
@ -1,4 +1,10 @@
|
|||||||
{ config, pkgs, lib, ... }: {
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
|
||||||
|
port = 8080;
|
||||||
|
|
||||||
|
in {
|
||||||
|
|
||||||
config = lib.mkIf config.services.nextcloud.enable {
|
config = lib.mkIf config.services.nextcloud.enable {
|
||||||
|
|
||||||
@ -18,7 +24,7 @@
|
|||||||
# Don't let Nginx use main ports (using Caddy instead)
|
# Don't let Nginx use main ports (using Caddy instead)
|
||||||
services.nginx.virtualHosts."localhost".listen = [{
|
services.nginx.virtualHosts."localhost".listen = [{
|
||||||
addr = "127.0.0.1";
|
addr = "127.0.0.1";
|
||||||
port = 8080;
|
port = port;
|
||||||
}];
|
}];
|
||||||
|
|
||||||
# Point Caddy to Nginx
|
# Point Caddy to Nginx
|
||||||
@ -26,7 +32,7 @@
|
|||||||
match = [{ host = [ config.hostnames.content ]; }];
|
match = [{ host = [ config.hostnames.content ]; }];
|
||||||
handle = [{
|
handle = [{
|
||||||
handler = "reverse_proxy";
|
handler = "reverse_proxy";
|
||||||
upstreams = [{ dial = "localhost:8080"; }];
|
upstreams = [{ dial = "localhost:${builtins.toString port}"; }];
|
||||||
}];
|
}];
|
||||||
}];
|
}];
|
||||||
|
|
||||||
@ -77,18 +83,20 @@
|
|||||||
|
|
||||||
# Log metrics to prometheus
|
# Log metrics to prometheus
|
||||||
services.prometheus.exporters.nextcloud = {
|
services.prometheus.exporters.nextcloud = {
|
||||||
enable = true;
|
enable = config.prometheus.exporters.enable;
|
||||||
username = config.services.nextcloud.config.adminuser;
|
username = config.services.nextcloud.config.adminuser;
|
||||||
url = "http://localhost:8080";
|
url = "http://localhost:${builtins.toString port}";
|
||||||
passwordFile = config.services.nextcloud.config.adminpassFile;
|
passwordFile = config.services.nextcloud.config.adminpassFile;
|
||||||
};
|
};
|
||||||
scrapeTargets = [
|
prometheus.scrapeTargets = [
|
||||||
"127.0.0.1:${
|
"127.0.0.1:${
|
||||||
builtins.toString config.services.prometheus.exporters.nextcloud.port
|
builtins.toString config.services.prometheus.exporters.nextcloud.port
|
||||||
}"
|
}"
|
||||||
];
|
];
|
||||||
# Allows nextcloud-exporter to read passwordFile
|
# Allows nextcloud-exporter to read passwordFile
|
||||||
users.users.nextcloud-exporter.extraGroups = [ "nextcloud" ];
|
users.users.nextcloud-exporter.extraGroups =
|
||||||
|
lib.mkIf config.services.prometheus.exporters.nextcloud.enable
|
||||||
|
[ "nextcloud" ];
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -1,9 +1,12 @@
|
|||||||
{ config, pkgs, lib, ... }: {
|
{ config, pkgs, lib, ... }: {
|
||||||
|
|
||||||
options.scrapeTargets = lib.mkOption {
|
options.prometheus = {
|
||||||
type = lib.types.listOf lib.types.str;
|
exporters.enable = lib.mkEnableOption "Enable Prometheus exporters";
|
||||||
description = "Prometheus scrape targets";
|
scrapeTargets = lib.mkOption {
|
||||||
default = [ ];
|
type = lib.types.listOf lib.types.str;
|
||||||
|
description = "Prometheus scrape targets";
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = let
|
config = let
|
||||||
@ -12,9 +15,16 @@
|
|||||||
# not hosting Grafana, send remote Prometheus writes to primary host.
|
# not hosting Grafana, send remote Prometheus writes to primary host.
|
||||||
isServer = config.services.grafana.enable;
|
isServer = config.services.grafana.enable;
|
||||||
|
|
||||||
in lib.mkIf config.services.prometheus.enable {
|
in {
|
||||||
|
|
||||||
scrapeTargets = [
|
# Turn on exporters if any Prometheus scraper is running
|
||||||
|
prometheus.exporters.enable = builtins.any (x: x) [
|
||||||
|
config.services.prometheus.enable
|
||||||
|
config.services.victoriametrics.enable
|
||||||
|
config.services.vmagent.enable
|
||||||
|
];
|
||||||
|
|
||||||
|
prometheus.scrapeTargets = [
|
||||||
"127.0.0.1:${
|
"127.0.0.1:${
|
||||||
builtins.toString config.services.prometheus.exporters.node.port
|
builtins.toString config.services.prometheus.exporters.node.port
|
||||||
}"
|
}"
|
||||||
@ -27,9 +37,9 @@
|
|||||||
];
|
];
|
||||||
|
|
||||||
services.prometheus = {
|
services.prometheus = {
|
||||||
exporters.node.enable = true;
|
exporters.node.enable = config.prometheus.exporters.enable;
|
||||||
exporters.systemd.enable = true;
|
exporters.systemd.enable = config.prometheus.exporters.enable;
|
||||||
exporters.process.enable = true;
|
exporters.process.enable = config.prometheus.exporters.enable;
|
||||||
exporters.process.settings.process_names = [
|
exporters.process.settings.process_names = [
|
||||||
# Remove nix store path from process name
|
# Remove nix store path from process name
|
||||||
{
|
{
|
||||||
@ -66,19 +76,21 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
# Create credentials file for remote Prometheus push
|
# Create credentials file for remote Prometheus push
|
||||||
secrets.prometheus = lib.mkIf (!isServer) {
|
secrets.prometheus =
|
||||||
source = ../../../private/prometheus.age;
|
lib.mkIf (config.services.prometheus.enable && !isServer) {
|
||||||
dest = "${config.secretsDirectory}/prometheus";
|
source = ../../../private/prometheus.age;
|
||||||
owner = "prometheus";
|
dest = "${config.secretsDirectory}/prometheus";
|
||||||
group = "prometheus";
|
owner = "prometheus";
|
||||||
permissions = "0440";
|
group = "prometheus";
|
||||||
};
|
permissions = "0440";
|
||||||
systemd.services.prometheus-secret = lib.mkIf (!isServer) {
|
};
|
||||||
requiredBy = [ "prometheus.service" ];
|
systemd.services.prometheus-secret =
|
||||||
before = [ "prometheus.service" ];
|
lib.mkIf (config.services.prometheus.enable && !isServer) {
|
||||||
};
|
requiredBy = [ "prometheus.service" ];
|
||||||
|
before = [ "prometheus.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
caddy.routes = lib.mkIf isServer [{
|
caddy.routes = lib.mkIf (config.services.prometheus.enable && isServer) [{
|
||||||
match = [{ host = [ config.hostnames.prometheus ]; }];
|
match = [{ host = [ config.hostnames.prometheus ]; }];
|
||||||
handle = [{
|
handle = [{
|
||||||
handler = "reverse_proxy";
|
handler = "reverse_proxy";
|
||||||
|
@ -39,6 +39,11 @@
|
|||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "Permissions expressed as octal.";
|
description = "Permissions expressed as octal.";
|
||||||
};
|
};
|
||||||
|
prefix = lib.mkOption {
|
||||||
|
default = "";
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "Prefix for secret value (for environment files).";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
description = "Set of secrets to decrypt to disk.";
|
description = "Set of secrets to decrypt to disk.";
|
||||||
@ -65,10 +70,10 @@
|
|||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
serviceConfig.Type = "oneshot";
|
serviceConfig.Type = "oneshot";
|
||||||
script = ''
|
script = ''
|
||||||
${pkgs.age}/bin/age --decrypt \
|
echo "${attrs.prefix}$(
|
||||||
--identity ${config.identityFile} \
|
${pkgs.age}/bin/age --decrypt \
|
||||||
--output ${attrs.dest} \
|
--identity ${config.identityFile} ${attrs.source}
|
||||||
${attrs.source}
|
)" > ${attrs.dest}
|
||||||
|
|
||||||
chown '${attrs.owner}':'${attrs.group}' '${attrs.dest}'
|
chown '${attrs.owner}':'${attrs.group}' '${attrs.dest}'
|
||||||
chmod '${attrs.permissions}' '${attrs.dest}'
|
chmod '${attrs.permissions}' '${attrs.dest}'
|
||||||
|
95
modules/nixos/services/victoriametrics.nix
Normal file
95
modules/nixos/services/victoriametrics.nix
Normal file
@ -0,0 +1,95 @@
|
|||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
|
||||||
|
username = "prometheus";
|
||||||
|
|
||||||
|
prometheusConfig = (pkgs.formats.yaml { }).generate "prometheus.yml" {
|
||||||
|
scrape_configs = [{
|
||||||
|
job_name = config.networking.hostName;
|
||||||
|
stream_parse = true;
|
||||||
|
static_configs = [{ targets = config.prometheus.scrapeTargets; }];
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
|
||||||
|
authConfig = (pkgs.formats.yaml { }).generate "auth.yml" {
|
||||||
|
users = [{
|
||||||
|
username = username;
|
||||||
|
password = "%{PASSWORD}";
|
||||||
|
url_prefix =
|
||||||
|
"http://localhost${config.services.victoriametrics.listenAddress}";
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
|
||||||
|
authPort = "8427";
|
||||||
|
|
||||||
|
in {
|
||||||
|
|
||||||
|
config = {
|
||||||
|
|
||||||
|
services.victoriametrics.extraOptions =
|
||||||
|
[ "-promscrape.config=${prometheusConfig}" ];
|
||||||
|
|
||||||
|
systemd.services.vmauth = lib.mkIf config.services.victoriametrics.enable {
|
||||||
|
description = "VictoriaMetrics basic auth proxy";
|
||||||
|
after = [ "network.target" ];
|
||||||
|
startLimitBurst = 5;
|
||||||
|
serviceConfig = {
|
||||||
|
Restart = "on-failure";
|
||||||
|
RestartSec = 1;
|
||||||
|
DynamicUser = true;
|
||||||
|
EnvironmentFile = config.secrets.vmauth.dest;
|
||||||
|
ExecStart = ''
|
||||||
|
${pkgs.victoriametrics}/bin/vmauth \
|
||||||
|
-auth.config=${authConfig} \
|
||||||
|
-httpListenAddr=:${authPort}'';
|
||||||
|
};
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
secrets.vmauth = lib.mkIf config.services.victoriametrics.enable {
|
||||||
|
source = ../../../private/prometheus.age;
|
||||||
|
dest = "${config.secretsDirectory}/vmauth";
|
||||||
|
prefix = "PASSWORD=";
|
||||||
|
};
|
||||||
|
systemd.services.vmauth-secret =
|
||||||
|
lib.mkIf config.services.victoriametrics.enable {
|
||||||
|
requiredBy = [ "vmauth.service" ];
|
||||||
|
before = [ "vmauth.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
caddy.routes = lib.mkIf config.services.victoriametrics.enable [{
|
||||||
|
match = [{ host = [ config.hostnames.prometheus ]; }];
|
||||||
|
handle = [{
|
||||||
|
handler = "reverse_proxy";
|
||||||
|
upstreams = [{ dial = "localhost:${authPort}"; }];
|
||||||
|
}];
|
||||||
|
}];
|
||||||
|
|
||||||
|
# VMAgent
|
||||||
|
|
||||||
|
services.vmagent.prometheusConfig = prometheusConfig; # Overwritten below
|
||||||
|
systemd.services.vmagent.serviceConfig =
|
||||||
|
lib.mkIf config.services.vmagent.enable {
|
||||||
|
ExecStart = lib.mkForce ''
|
||||||
|
${pkgs.victoriametrics}/bin/vmagent \
|
||||||
|
-promscrape.config=${prometheusConfig} \
|
||||||
|
-remoteWrite.url="https://${config.hostnames.prometheus}/api/v1/write" \
|
||||||
|
-remoteWrite.basicAuth.username=${username} \
|
||||||
|
-remoteWrite.basicAuth.passwordFile=${config.secrets.vmagent.dest}'';
|
||||||
|
};
|
||||||
|
|
||||||
|
secrets.vmagent = lib.mkIf config.services.vmagent.enable {
|
||||||
|
source = ../../../private/prometheus.age;
|
||||||
|
dest = "${config.secretsDirectory}/vmagent";
|
||||||
|
owner = "vmagent";
|
||||||
|
group = "vmagent";
|
||||||
|
};
|
||||||
|
systemd.services.vmagent-secret = lib.mkIf config.services.vmagent.enable {
|
||||||
|
requiredBy = [ "vmagent.service" ];
|
||||||
|
before = [ "vmagent.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user