diff --git a/SwarselSystems.org b/SwarselSystems.org index 4b08fab..53c57c3 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -5540,6 +5540,7 @@ Also, the system state version is set here. No need to touch it. services.nginx = { enable = true; + statusPage = true; recommendedProxySettings = true; recommendedTlsSettings = true; recommendedOptimisation = true; @@ -6173,7 +6174,11 @@ Also, the system state version is set here. No need to touch it. { config = lib.mkIf config.swarselsystems.server.nextcloud { - sops.secrets.nextcloudadminpass = { owner = "nextcloud"; }; + sops.secrets.nextcloudadminpass = { + owner = "nextcloud"; + group = "nextcloud"; + mode = "0440"; + }; services.nextcloud = { enable = true; @@ -6577,7 +6582,15 @@ Also, the system state version is set here. No need to touch it. grafanaadminpass = { owner = "grafana"; }; + prometheusadminpass = { + owner = "grafana"; + }; }; + + users.users.nextcloud-exporter = { + extraGroups = [ "nextcloud" ]; + }; + users.users.grafana = { extraGroups = [ "users" ]; }; 
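Review bot: `statusPage = true;` in the nginx hunk enables `stub_status` at `/nginx_status` without a comment saying who consumes it or how it is protected. I believe the NixOS option serves it from a `server_name localhost` block on port 80 with `allow 127.0.0.1`/`allow ::1`/`deny all`, which matches the exporter's `scrapeUri = "http://localhost/nginx_status"` added later in this diff, but that is worth stating so nobody later adds a catch-all port-80 vhost that shadows it or assumes the page is public. Suggest `statusPage = true; # stub_status on http://localhost/nginx_status (loopback-only); scraped by services.prometheus.exporters.nginx`. The `services.nginx` attrset continues outside the hunk.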
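Review bot: Widening `nextcloudadminpass` to `group = "nextcloud"; mode = "0440";` makes the Nextcloud admin password readable by every member of the `nextcloud` group, not only the exporter user this diff adds to it, and that exposure remains if the exporter is later removed (sops-nix's default is owner-only, 0400, as far as I know). A narrower alternative is a separate sops secret owned by the exporter user holding a dedicated monitoring credential, e.g. `sops.secrets.nextcloudexporterpass = { owner = "nextcloud-exporter"; };`, so the admin password never leaves the `nextcloud` user. If the group-readable mode is kept, add a comment naming the consumer: `# 0440: read by the prometheus nextcloud exporter via membership in group "nextcloud"`. This hunk sits inside `config = lib.mkIf config.swarselsystems.server.nextcloud { ... }`, which continues past the hunk.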
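Review bot: `users.users.nextcloud-exporter = { extraGroups = [ "nextcloud" ]; };` is declared unconditionally, while the exporter that creates this user is enabled only under `lib.mkIf config.swarselsystems.server.nextcloud` later in the diff. On a host without Nextcloud this leaves a `nextcloud-exporter` user with neither `isSystemUser` nor `isNormalUser` and a reference to a `nextcloud` group that may not exist; I believe NixOS rejects the former at evaluation time with its "exactly one of isSystemUser/isNormalUser" assertion. Guard it the same way as the exporter: `users.users.nextcloud-exporter = lib.mkIf config.swarselsystems.server.nextcloud { extraGroups = [ "nextcloud" ]; };`. The `sops.secrets` attrset this hunk closes opens before the hunk.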
@@ -6585,12 +6598,41 @@ Also, the system state version is set here. No need to touch it.
 services.grafana = {
 enable = true;
 dataDir = "/Vault/data/grafana";
+ provision = {
+ enable = true;
+ datasources.settings = {
+ datasources = [
+ {
+ name = "prometheus";
+ type = "prometheus";
+ url = "https://status.swarsel.win/prometheus";
+ editable = false;
+ access = "proxy";
+ basicAuth = true;
+ basicAuthUser = "admin";
+ jsonData = {
+ httpMethod = "POST";
+ manageAlerts = true;
+ prometheusType = "Prometheus";
+ prometheusVersion = "> 2.50.x";
+ cacheLevel = "High";
+ disableRecordingRules = false;
+ incrementalQueryOverlapWindow = "10m";
+ };
+ secureJsonData = {
+ basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}";
+ };
+ }
+ ];
+ };
+ };
+
 settings = {
 security.admin_password = "$__file{/run/secrets/grafanaadminpass}";
 server = {
 http_port = 3000;
 http_addr = "127.0.0.1";
- protocol = "https";
+ protocol = "http";
 domain = "status.swarsel.win";
 };
 };
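Review bot: Switching to `protocol = "http"` behind the TLS-terminating nginx vhost is right, but Grafana's `root_url` is left at its default, which Grafana derives from protocol, domain and port, so with these settings it becomes `http://status.swarsel.win:3000/` and, as far as I know, is what Grafana uses for redirects, emailed alert links and other absolute URLs. Add `root_url = "https://status.swarsel.win/";` next to `domain` so generated URLs match the public front door. The earlier `https` setting with port 3000 had the same problem, so this is not a regression, but the move to serving Grafana at `/` is the moment to fix it. The `services.grafana` attrset continues outside the hunk.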
@@ -6601,8 +6643,43 @@ Also, the system state version is set here. No need to touch it. webExternalUrl = "https://status.swarsel.win/prometheus"; port = 9090; listenAddress = "127.0.0.1"; - webConfigFile = /../../programs/server/prometheus/web.config; + globalConfig = { + scrape_interval = "10s"; + }; + webConfigFile = ../../../programs/server/prometheus/web.config; + scrapeConfigs = [ + { + job_name = "node"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; + }]; + } + { + job_name = "zfs"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ]; + }]; + } + { + job_name = "nginx"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ]; + }]; + } + { + job_name = "nextcloud"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ]; + }]; + } + ]; exporters = { + node = { + enable = true; + port = 9000; + enabledCollectors = [ "systemd" ]; + extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ]; + }; zfs = { enable = true; port = 9134; @@ -6610,9 +6687,27 @@ Also, the system state version is set here. No need to touch it. "Vault" ]; }; + restic = { + enable = false; + port = 9753; + }; + nginx = { + enable = true; + port = 9113; + sslVerify = false; + scrapeUri = "http://localhost/nginx_status"; + }; + nextcloud = lib.mkIf config.swarselsystems.server.nextcloud { + enable = true; + port = 9205; + url = "https://stash.swarsel.win/ocs/v2.php/apps/serverinfo/api/v1/info"; + username = "admin"; + passwordFile = config.sops.secrets.nextcloudadminpass.path; + }; }; }; + services.nginx = { virtualHosts = { "status.swarsel.win" = { 
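Review bot: The new `node` exporter (and the `nginx`/`nextcloud` ones in the next hunk) sets a port but no `listenAddress`, and the NixOS exporter modules default that to `0.0.0.0`, so the metrics endpoints are served on every interface and only the host firewall keeps them private, while Prometheus itself is pinned to `127.0.0.1` and every scrape target here is `localhost:<port>`. Add `listenAddress = "127.0.0.1";` to each exporter block (the existing `zfs` exporter appears to have the same gap, though its block is cut off by the hunk) so the bind matches the scrape config and a later `openFirewall` or firewall change cannot expose host, ZFS and Nextcloud details. `--collector.wifi` is also unusual for a server and can be dropped unless the box has a wireless interface. The `services.prometheus` attrset continues on both sides of the hunk.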
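Review bot: The `nextcloud` exporter authenticates as `username = "admin"` with the real admin password even though it only reads the `serverinfo` OCS endpoint, which is more privilege than a scraper needs and ties monitoring to an interactive admin credential. If the module version in use offers `tokenFile`, a serverinfo token (set in Nextcloud with `occ config:app:set serverinfo token --value=...`) avoids handing the exporter an admin login at all; otherwise a dedicated account with its own sops secret is the next best option. The `sslVerify = false;` on the nginx exporter is inert for its plain-http `scrapeUri` but would silently disable certificate checks if that URI is ever changed to `https://`, so it is better removed. The `exporters` attrset opens before the hunk, and the `services.nginx` block that starts at its end continues outside it.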
@@ -6620,17 +6715,17 @@ Also, the system state version is set here. No need to touch it.
 forceSSL = true;
 acmeRoot = null;
 locations = {
- "/grafana" = {
+ "/" = {
 proxyPass = "http://localhost:3000";
 extraConfig = ''
- client_max_body_size 0;
- '';
+ client_max_body_size 0;
+ '';
 };
 "/prometheus" = {
 proxyPass = "http://localhost:9090";
 extraConfig = ''
- client_max_body_size 0;
- '';
+ client_max_body_size 0;
+ '';
 };
 };
 };
diff --git a/profiles/server/common/monitoring.nix b/profiles/server/common/monitoring.nix
index 15d80dc..b878464 100644
--- a/profiles/server/common/monitoring.nix
+++ b/profiles/server/common/monitoring.nix
@@ -6,7 +6,15 @@
 grafanaadminpass = {
 owner = "grafana";
 };
+ prometheusadminpass = {
+ owner = "grafana";
+ };
 };
+
+ users.users.nextcloud-exporter = {
+ extraGroups = [ "nextcloud" ];
+ };
+
 users.users.grafana = {
 extraGroups = [ "users" ];
 };
@@ -14,12 +22,41 @@
 services.grafana = {
 enable = true;
 dataDir = "/Vault/data/grafana";
+ provision = {
+ enable = true;
+ datasources.settings = {
+ datasources = [
+ {
+ name = "prometheus";
+ type = "prometheus";
+ url = "https://status.swarsel.win/prometheus";
+ editable = false;
+ access = "proxy";
+ basicAuth = true;
+ basicAuthUser = "admin";
+ jsonData = {
+ httpMethod = "POST";
+ manageAlerts = true;
+ prometheusType = "Prometheus";
+ prometheusVersion = "> 2.50.x";
+ cacheLevel = "High";
+ disableRecordingRules = false;
+ incrementalQueryOverlapWindow = "10m";
+ };
+ secureJsonData = {
+ basicAuthPassword = "$__file{/run/secrets/prometheusadminpass}";
+ };
+ }
+ ];
+ };
+ };
+
 settings = {
 security.admin_password = "$__file{/run/secrets/grafanaadminpass}";
 server = {
 http_port = 3000;
 http_addr = "127.0.0.1";
- protocol = "https";
+ protocol = "http";
 domain = "status.swarsel.win";
 };
 };
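Review bot: Proxying `/` to Grafana with only `proxyPass` relies on `recommendedProxySettings`, which sets forwarding headers but not the `Upgrade`/`Connection` handling Grafana Live needs for its websocket at `/api/live/ws`; I believe the UI then falls back to polling and logs connection errors. Add `proxyWebsockets = true;` to the `"/"` location alongside `proxyPass`. The `client_max_body_size 0;` lines are whitespace-only re-indents carried over from `/grafana`; consider whether an unlimited request body is still wanted on what is now the root of an internet-facing vhost. The `virtualHosts."status.swarsel.win"` attrset opens before the hunk.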
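Review bot: `prometheusadminpass` is added with `owner = "grafana"` but nothing records what it pairs with: it is consumed by the provisioned datasource's `basicAuthPassword` with `basicAuthUser = "admin"`, so it must stay in sync with the `admin` entry in the `web.config` referenced by `services.prometheus.webConfigFile` (presumably a bcrypt hash, not visible in this diff). A one-line comment saves the next person a round trip: `prometheusadminpass = { owner = "grafana"; }; # plaintext of the "admin" basic_auth_users entry in programs/server/prometheus/web.config; Grafana reads it via $__file{}`. The `sops.secrets` attrset opens before the hunk.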
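Review bot: The provisioned datasource points Grafana at `https://status.swarsel.win/prometheus`, i.e. out through public DNS, TLS and the nginx vhost and back in, even though Prometheus runs on the same host bound to `127.0.0.1:9090` (see `listenAddress` further down in this diff). That makes every dashboard query depend on the ACME certificate and external name resolution; `url = "http://127.0.0.1:9090/prometheus";` keeps the traffic on loopback. The `/prometheus` prefix assumes Prometheus derives its route prefix from `webExternalUrl`, which is its default, and `basicAuth` still applies because `web.config` guards the listener itself rather than the proxy. The `services.grafana` attrset continues after the hunk.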
@@ -30,8 +67,43 @@ webExternalUrl = "https://status.swarsel.win/prometheus"; port = 9090; listenAddress = "127.0.0.1"; - webConfigFile = /../../programs/server/prometheus/web.config; + globalConfig = { + scrape_interval = "10s"; + }; + webConfigFile = ../../../programs/server/prometheus/web.config; + scrapeConfigs = [ + { + job_name = "node"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; + }]; + } + { + job_name = "zfs"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ]; + }]; + } + { + job_name = "nginx"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ]; + }]; + } + { + job_name = "nextcloud"; + static_configs = [{ + targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ]; + }]; + } + ]; exporters = { + node = { + enable = true; + port = 9000; + enabledCollectors = [ "systemd" ]; + extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ]; + }; zfs = { enable = true; port = 9134; @@ -39,9 +111,27 @@ "Vault" ]; }; + restic = { + enable = false; + port = 9753; + }; + nginx = { + enable = true; + port = 9113; + sslVerify = false; + scrapeUri = "http://localhost/nginx_status"; + }; + nextcloud = lib.mkIf config.swarselsystems.server.nextcloud { + enable = true; + port = 9205; + url = "https://stash.swarsel.win/ocs/v2.php/apps/serverinfo/api/v1/info"; + username = "admin"; + passwordFile = config.sops.secrets.nextcloudadminpass.path; + }; }; }; + services.nginx = { virtualHosts = { "status.swarsel.win" = { @@ -49,7 +139,7 @@ forceSSL = true; acmeRoot = null; locations = { - "/grafana" = { + "/" = { proxyPass = "http://localhost:3000"; extraConfig = '' client_max_body_size 0; diff --git a/profiles/server/common/nextcloud.nix b/profiles/server/common/nextcloud.nix index fb1176e..f744d4c 100644 
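Review bot: `webConfigFile = ../../../programs/server/prometheus/web.config;` is a Nix path literal, so the file is copied into `/nix/store`, which is world-readable on the host and in any binary cache the system closure is pushed to. That is acceptable if `web.config` holds only bcrypt `basic_auth_users` hashes, but it must never carry TLS keys or plaintext credentials; a comment on the line makes the constraint visible, e.g. `# copied into the world-readable nix store: bcrypt hashes only, never keys or plaintext`, and a sops-managed path would be needed if secrets ever go in. The move from the earlier `/../../programs/...` absolute form to a relative path is correct. The `services.prometheus` attrset opens before the hunk.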
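Review bot: The `restic` block is added with `enable = false;` and nothing else, which is dead configuration that will drift; either remove it or add a comment saying what is pending before it can be turned on (`# disabled until the restic backup job exposes metrics`). The `nginx` exporter's `sslVerify = false;` does nothing for the plain-http `scrapeUri` it is paired with and is the kind of flag that keeps silently disabling certificate verification if the URI later becomes `https://`, so drop it. The `exporters` attrset opens before the hunk and the `services.nginx` block at its end is cut off.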
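Review bot: The `"/"` location keeps `client_max_body_size 0;` (no request-body limit) from the old `/grafana` block, but at the root of an internet-facing vhost that lifts nginx's default 1 MiB cap for every request reaching Grafana, which only needs larger bodies for dashboard/JSON imports. Either drop the `extraConfig` or set a bounded value such as `client_max_body_size 16m;`. Note that with `/` proxied, every path not matched by `/prometheus` now reaches Grafana, so any client still using the `/grafana` prefix will hit Grafana's 404 page rather than nginx. The rest of the location block and the enclosing `virtualHosts` attrset are outside the hunk.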
--- a/profiles/server/common/nextcloud.nix +++ b/profiles/server/common/nextcloud.nix @@ -2,7 +2,11 @@ { config = lib.mkIf config.swarselsystems.server.nextcloud { - sops.secrets.nextcloudadminpass = { owner = "nextcloud"; }; + sops.secrets.nextcloudadminpass = { + owner = "nextcloud"; + group = "nextcloud"; + mode = "0440"; + }; services.nextcloud = { enable = true; diff --git a/profiles/server/common/nginx.nix b/profiles/server/common/nginx.nix index 43920d3..fd0fbc9 100644 --- a/profiles/server/common/nginx.nix +++ b/profiles/server/common/nginx.nix @@ -24,6 +24,7 @@ services.nginx = { enable = true; + statusPage = true; recommendedProxySettings = true; recommendedTlsSettings = true; recommendedOptimisation = true; diff --git a/secrets/server/winters/secrets.yaml b/secrets/server/winters/secrets.yaml index b700773..4ea790d 100644 --- a/secrets/server/winters/secrets.yaml +++ b/secrets/server/winters/secrets.yaml @@ -34,6 +34,7 @@ vpnloc: ENC[AES256_GCM,data:U8ModKho4vSHnMo9BOE978V6ZlMeQEoLaFW/,iv:Sw06YsWSZ4tG swarseluser: ENC[AES256_GCM,data:XvmOHYFNhb/bAYAZ/kmUWbbmRy/WrxSYri/Y5k+SH4N7ZIjuZDHOkWk93ERFuTb77HvhbPX/NRQraUoJoFsxGGg5co/gJnyfRg==,iv:J50PeDcC4PM3+yQ/YQNb8TW4kubwi2kjjSFU0RVFM30=,tag:ydLYkz1YKyguGZZZD/JcLA==,type:str] nextcloudadminpass: ENC[AES256_GCM,data:ZOCsu4/ijfheBfY9ZR5DBXSB,iv:bNlTLKQblnt2eYJqVgXwCaGAyAw2yhlb9Whsz0LBhm4=,tag:VQAWP/b8IghzXDFLJxXZ4Q==,type:str] grafanaadminpass: ENC[AES256_GCM,data:TBu0WOdvE+9CAH8EVm8=,iv:/usKOYscSXpo8tiSV/Las9eucBeYnpwG5DM9gJg8bfU=,tag:/LZqwuPWQyjSZURnsqq3hA==,type:str] +prometheusadminpass: ENC[AES256_GCM,data:NYUbSnAl0f3FUtvCjvJHFr2wMRsVsbVIeg==,iv:TP4NMwJsft8aEixxJBJCX/0I6BJVBnltFYJDKuXq1hM=,tag:yMY+KZsRjbn8ItgKgjzqSA==,type:str] sops: kms: [] gcp_kms: [] 
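Review bot: The permission change on `nextcloudadminpass` (`group = "nextcloud"; mode = "0440";`) carries no comment explaining why the admin password became group-readable, and its consumer — the prometheus nextcloud exporter added to the `nextcloud` group in monitoring.nix elsewhere in this diff — lives in a different file, so a future cleanup could tighten it back to owner-only and break monitoring silently. Add `# group-readable: services.prometheus.exporters.nextcloud (user nextcloud-exporter, group nextcloud) reads it via passwordFile` above the block. The surrounding `config = lib.mkIf config.swarselsystems.server.nextcloud { ... }` continues past the hunk.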
@@ -49,8 +50,8 @@ sops:
 SHJMUFJSeGRQcTIyU1U5RXkvQi9NMzQKm8SP9jQ4fuIuddzqP+m6EJg7+zkX53jz
 bHaMPuLTaIHaaSDlVYe5stpyPDlZQ0NSGWV+HaIXkLZNfNM71hWYBQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-18T19:30:49Z"
- mac: ENC[AES256_GCM,data:2/OKp8nGwnllhsSn1KOG5OzzBRFVWF2Wi4Of+SsDE2EI91xHNt5DqNKES6xWH3sZMG0eKw4s4KCvMFGmZLkaoCanGscWe6GmZO6vOsTqI5261vJxFdJD40PPB5D2PywgfEIVR9elNDOLuXysekhSMg7497K5TvtQoJi0MXIDpvk=,iv:gW0/qEZwO0kPN0JynB/b8TjZJRYzaN8Qj7S7UWh5M+Q=,tag:UPOdYR7jJzevW3GJTySIUg==,type:str]
+ lastmodified: "2024-10-18T21:26:59Z"
+ mac: ENC[AES256_GCM,data:wvK/aa9ninmY+S66u6f2sP0bWV3bUbuEPS4J80M8YCA2J1p9mU5ndFWL6DSmzCslhO99a6+Y/AalLhkjVJn1Ok8CcxhCgbaSbZ7zniGe7sY0pK/6pPdSEHEzljNzx0M6KCoHeD9/a4VY5kPeq1t+IjqdtIBV3xhP0/SMaeypk0M=,iv:jTGcGnDZln3KZc6G8x0ENk6m5Zwq3Z+CafyATL4WbIc=,tag:i0ii+jwnyDCLxS07K82oIg==,type:str]
 pgp:
 - created_at: "2024-09-23T20:03:08Z"
 enc: |-