initial commit

2021-03-13 15:32:44 +01:00 · 2021-03-13 15:32:44 +01:00 · 0e480bb6b6
commit 0e480bb6b6
36 changed files with 13615 additions and 0 deletions
--- a/hosts/kaon/configuration.nix
+++ b/hosts/kaon/configuration.nix
@ -0,0 +1,33 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+        ./hardware-configuration.nix
+        ../../common/common.nix
+        ../../common/netdata.nix
+        ../../common/kvm.nix
+        ./monitoring.nix
+    ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "kaon";
+  networking.useDHCP = false;
+  networking.interfaces.ens18.useDHCP = true;
+  networking.interfaces.ens18.ipv6.addresses = [{
+    address = "2a01:4f8:c010:61dc:200::42:1";
+    prefixLength = 72;
+  }];
+
+  networking.defaultGateway6 = {
+    address = "2a01:4f8:c010:61dc:200::1";
+    interface = "ens18";
+  };
+}
--- a/hosts/kaon/dashboards/node-exporter.json
+++ b/hosts/kaon/dashboards/node-exporter.json
--- a/hosts/kaon/hardware-configuration.nix
+++ b/hosts/kaon/hardware-configuration.nix
@ -0,0 +1,30 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/f48111ec-6b98-47f6-a8c6-4a447a78a2e0";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/B6B1-63E8";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/d6bcd29a-401b-4e84-9328-f03fc589e652"; }
+    ];
+
+}
--- a/hosts/kaon/monitoring.nix
+++ b/hosts/kaon/monitoring.nix
@ -0,0 +1,147 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  hosts = (import ../../lib/hosts.nix { inherit pkgs; }).hosts;
+
+  monitoringHosts = filterAttrs (name: host:
+    attrByPath ["clerie" "monitoring" "enable"] false host.config)
+    hosts;
+
+  monitoringHostsNames = mapAttrs' (name: host:
+    nameValuePair "${host.config.clerie.monitoring.networkBase}${host.config.clerie.monitoring.id}"  ["${host.config.networking.hostName}.mon.entr0py.de"])
+    monitoringHosts;
+
+  monitoringPeers = mapAttrsToList (name: host: {
+      allowedIPs = [ "${host.config.clerie.monitoring.networkBase}${host.config.clerie.monitoring.id}/128" ];
+      publicKey = host.config.clerie.monitoring.pubkey;
+    })
+    monitoringHosts;
+
+  monitoringTargets = mapAttrsToList (name: host:
+    "${host.config.networking.hostName}.mon.entr0py.de:9100")
+    monitoringHosts;
+
+in {
+
+  networking.hosts = {
+    "fd00:23:23:23::1" = [ "monitoring-1.mon.entr0py.de" ];
+  }
+  // monitoringHostsNames;
+
+  networking.wireguard.enable = true;
+  networking.wireguard.interfaces = {
+    wg-monitoring = {
+      ips = [ "fd00:23:23:23::1/64" ];
+      listenPort = 51820;
+      peers = monitoringPeers;
+      privateKeyFile = "/run/keys/wg-mon_priv";
+    };
+  };
+
+  networking.firewall.allowedUDPPorts = [ config.networking.wireguard.interfaces.wg-monitoring.listenPort ];
+
+  services.prometheus.exporters.node.enable = true;
+
+  services.prometheus = {
+    enable = true;
+    listenAddress = "[::1]";
+    scrapeConfigs = [
+      {
+        job_name = "prometheus";
+        scrape_interval = "20s";
+        scheme = "http";
+        static_configs = [
+          {
+            targets = [
+              "monitoring-1.mon.entr0py.de:9090"
+            ];
+          }
+        ];
+      }
+      {
+        job_name = "node-exporter";
+        scrape_interval = "60s";
+        static_configs = [
+          {
+            targets = [
+              "monitoring-1.mon.entr0py.de:9100"
+            ]
+            ++ monitoringTargets;
+          }
+        ];
+      }
+    ];
+  };
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_12;
+    ensureDatabases = [ "grafana" ];
+    ensureUsers = [
+      {
+        name = "grafana";
+        ensurePermissions."DATABASE grafana" = "ALL PRIVILEGES";
+      }
+    ];
+  };
+  services.grafana = {
+    enable  = true;
+    domain  = "grafana.monitoring.entr0py.de";
+    rootUrl = "https://grafana.monitoring.entr0py.de";
+    port    = 3001;
+    addr = "::1";
+
+    database = {
+      type = "postgres";
+      name = "grafana";
+      user = "grafana";
+      host = "/run/postgresql";
+    };
+
+    auth.anonymous.enable = true;
+    security = {
+      adminUser = "garionion";
+      adminPasswordFile = "/run/keys/grafana-admin";
+    };
+
+    provision = {
+      enable = true;
+      datasources = [
+        {
+          type = "prometheus";
+          name = "Prometheus";
+          url = "http://[::1]:9090";
+          isDefault = true;
+        }
+      ];
+      dashboards = [
+        {
+          options.path = ./dashboards;
+        }
+      ];
+    };
+  };
+  systemd.services.grafana.after = ["postgresql.service"];
+
+
+  services.nginx = {
+    enable = true;
+
+    virtualHosts = {
+      "prometheus.monitoring.entr0py.de" = {
+        enableACME = true;
+        forceSSL   = true;
+        locations."/".proxyPass = "http://[::1]:9090/";
+      };
+      "grafana.monitoring.entr0py.de" = {
+        enableACME = true;
+        forceSSL   = true;
+        locations."/".proxyPass = "http://[::1]:${toString config.services.grafana.port}/";
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}