nixfiles/hosts/kaon/monitoring.nix

{ config, pkgs, lib, ... }:

with lib;

let
  hosts = (import ../../lib/hosts.nix { inherit pkgs; }).hosts;

  monitoringHosts = filterAttrs (name: host:
    attrByPath ["clerie" "monitoring" "enable"] false host.config)
    hosts;

  monitoringHostsNames = mapAttrs' (name: host:
    nameValuePair "${host.config.clerie.monitoring.networkBase}${host.config.clerie.monitoring.id}"  ["${host.config.networking.hostName}.mon.entr0py.de"])
    monitoringHosts;

  monitoringPeers = mapAttrsToList (name: host: {
      allowedIPs = [ "${host.config.clerie.monitoring.networkBase}${host.config.clerie.monitoring.id}/128" ];
      publicKey = host.config.clerie.monitoring.pubkey;
    })
    monitoringHosts;

  monitoringTargets = mapAttrsToList (name: host:
    "${host.config.networking.hostName}.mon.entr0py.de:9100")
    monitoringHosts;

in {

  networking.hosts = {
    "fd00:23:23:23::1" = [ "monitoring-1.mon.entr0py.de" ];
  }
  // monitoringHostsNames;

  networking.wireguard.enable = true;
  networking.wireguard.interfaces = {
    wg-monitoring = {
      ips = [ "fd00:23:23:23::1/64" ];
      listenPort = 51820;
      peers = monitoringPeers;
      privateKeyFile = "/run/keys/wg-mon_priv";
    };
  };

  networking.firewall.allowedUDPPorts = [ config.networking.wireguard.interfaces.wg-monitoring.listenPort ];

  services.prometheus.exporters.node.enable = true;

  services.prometheus = {
    enable = true;
    listenAddress = "[::1]";
    scrapeConfigs = [
      {
        job_name = "prometheus";
        scrape_interval = "20s";
        scheme = "http";
        static_configs = [
          {
            targets = [
              "[::1]:9090"
            ];
          }
        ];
      }
      {
        job_name = "node-exporter";
        scrape_interval = "60s";
        static_configs = [
          {
            targets = [
              "monitoring-1.mon.entr0py.de:9100"
            ]
            ++ monitoringTargets;
          }
        ];
      }
    ];
  };

  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_12;
    ensureDatabases = [ "grafana" ];
    ensureUsers = [
      {
        name = "grafana";
        ensurePermissions."DATABASE grafana" = "ALL PRIVILEGES";
      }
    ];
  };
  services.grafana = {
    enable  = true;
    domain  = "grafana.monitoring.entr0py.de";
    rootUrl = "https://grafana.monitoring.entr0py.de";
    port    = 3001;
    addr = "::1";

    database = {
      type = "postgres";
      name = "grafana";
      user = "grafana";
      host = "/run/postgresql";
    };

    auth.anonymous.enable = true;
    security = {
      adminUser = "garionion";
      adminPasswordFile = "/run/keys/grafana-admin";
    };

    provision = {
      enable = true;
      datasources = [
        {
          type = "prometheus";
          name = "Prometheus";
          url = "http://[::1]:9090";
          isDefault = true;
        }
      ];
      dashboards = [
        {
          options.path = ./dashboards;
        }
      ];
    };
  };
  systemd.services.grafana.after = ["postgresql.service"];


  services.nginx = {
    enable = true;

    virtualHosts = {
      "prometheus.monitoring.entr0py.de" = {
        enableACME = true;
        forceSSL   = true;
        locations."/".proxyPass = "http://[::1]:9090/";
      };
      "grafana.monitoring.entr0py.de" = {
        enableACME = true;
        forceSSL   = true;
        locations."/".proxyPass = "http://[::1]:${toString config.services.grafana.port}/";
      };
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
}