diff --git a/hosts/franz/arion/stats/arion-compose.nix b/hosts/franz/arion/stats/arion-compose.nix
index c3d662b..7642306 100644
--- a/hosts/franz/arion/stats/arion-compose.nix
+++ b/hosts/franz/arion/stats/arion-compose.nix
@@ -22,6 +22,22 @@
 "traefik.http.routers.grafana.tls" = "true";
 "traefik.http.routers.grafana.tls.certresolver" = "letsencrypt";
 };
+ environment = {
+ GF_SERVER_ROOT_URL = "https://grafana.ghoscht.com";
+
+ GF_AUTH_GENERIC_OAUTH_NAME = "authentik";
+ GF_AUTH_GENERIC_OAUTH_ENABLED = "true";
+ GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP = "true";
+ GF_AUTH_GENERIC_OAUTH_SCOPES = "openid profile email";
+ GF_AUTH_GENERIC_OAUTH_AUTH_URL = "https://auth.ghoscht.com/application/o/authorize/";
+ GF_AUTH_GENERIC_OAUTH_TOKEN_URL = "https://auth.ghoscht.com/application/o/token/";
+ GF_AUTH_GENERIC_OAUTH_API_URL = "https://auth.ghoscht.com/application/o/userinfo/";
+
+ # GF_AUTH_OAUTH_AUTO_LOGIN = "true";
+ };
+ env_file = [
+ "/home/ghoscht/.docker/stats/grafana.env"
+ ];
 volumes = [
 "/storage/dataset/docker/stats/grafana_data:/var/lib/grafana"
 ];
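Review bot: `GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP = "true"` is set with no `GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS`, `..._ALLOWED_DOMAINS` or `..._ROLE_ATTRIBUTE_PATH`, so every identity authentik is willing to issue a token for gets a Grafana account at the org's default auto-assigned role; whether an authentik application policy already limits who can reach this client is not visible in the diff. If access is meant to be limited to a group, add `GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS = "<group>";` together with a `groups` entry in `GF_AUTH_GENERIC_OAUTH_SCOPES` (or a `ROLE_ATTRIBUTE_PATH` expression with `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT = "true";`) so the restriction is enforced on the Grafana side too. `GF_AUTH_GENERIC_OAUTH_USE_PKCE = "true";` is a cheap addition for a redirect flow that crosses the public internet. The `env_file` entry hard-codes `/home/ghoscht` while default.nix builds the same path from `${vars.user}`, so the two will silently diverge if that variable changes. The enclosing grafana service definition starts before this hunk.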
@@ -47,12 +63,58 @@
 image = "grafana/promtail:3.0.0";
 volumes = [
 "/var/log:/var/log"
- "/storage/dataset/docker/stats/promtail_data:/etc/promtail"
+ "/storage/dataset/docker/stats/promtail_data/promtail-config.yml:/etc/promtail/promtail-config.yml"
 ];
 command = "-config.file=/etc/promtail/promtail-config.yml";
 networks = [
 "internal"
 ];
 };
+ prometheus.service = {
+ image = "prom/prometheus:v2.53.0";
+ volumes = [
+ "/storage/dataset/docker/stats/prometheus_config/prometheus.yml:/etc/prometheus/prometheus.yml"
+ "/storage/dataset/docker/stats/prometheus_data:/prometheus"
+ ];
+ command = [
+ "--config.file=/etc/prometheus/prometheus.yml"
+ "--web.console.libraries=/etc/prometheus/console_libraries"
+ "--web.console.templates=/etc/prometheus/consoles"
+ ];
+ networks = [
+ "internal"
+ ];
+ };
+ node-exporter.service = {
+ image = "prom/node-exporter:v1.8.1";
+ volumes = [
+ "/proc:/host/proc:ro"
+ "/sys:/host/sys:ro"
+ "/:/rootfs:ro"
+ ];
+ command = [
+ "--path.procfs=/host/proc"
+ "--path.rootfs=/rootfs"
+ "--path.sysfs=/host/sys"
+ "--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)"
+ ];
+ networks = [
+ "internal"
+ ];
+ };
+ # cadvisor.service = {
+ # image = "gcr.io/cadvisor/cadvisor:v0.49.1";
+ # volumes = [
+ # "/:/rootfs:ro"
+ # "/var/run:/var/run:ro"
+ # "/sys:/sys:ro"
+ # "/var/lib/docker:/var/lib/docker:ro"
+ # "/dev/disk:/dev/disk:ro"
+ # ];
+ # devices = ["/dev/kmsg"];
+ # networks = [
+ # "internal"
+ # ];
+ # };
 };
 }
diff --git a/hosts/franz/arion/stats/default.nix b/hosts/franz/arion/stats/default.nix
index c78eb75..8ed479b 100644
--- a/hosts/franz/arion/stats/default.nix
+++ b/hosts/franz/arion/stats/default.nix
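Review bot: The new `node-exporter` service bind-mounts the entire host filesystem with `"/:/rootfs:ro"`, which lets a process in that container read every host file its uid is permitted to see; read-only prevents tampering, not disclosure, and a world-readable rendered secret such as the `grafana.env` this same compose file consumes would be among them. The upstream image drops to an unprivileged user, I believe, which bounds the exposure to world-readable files, but that is a property of the image rather than of this config, so it is worth pinning here with an explicit `user`, dropped capabilities and no-new-privileges (arion's `service.*` option names for these should be confirmed), or dropping the `/rootfs` mount if the filesystem collector is not actually needed. Both new images are pinned by tag only (`prom/prometheus:v2.53.0`, `prom/node-exporter:v1.8.1`); pinning by digest would protect against a re-pushed tag. The commented-out cadvisor block carries the same `/:/rootfs:ro` mount plus `/var/run`, which contains the Docker socket, and should get the same treatment if it is ever enabled.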
@@ -7,6 +7,23 @@ in { }; }; + sops.secrets."stats/oidc_client_id" = { + owner = vars.user; + }; + sops.secrets."stats/oidc_client_secret" = { + owner = vars.user; + }; + + sops.templates."grafana.env" = { + path = "/home/${vars.user}/.docker/stats/grafana.env"; + owner = vars.user; + mode = "0775"; + content = '' + GF_AUTH_GENERIC_OAUTH_CLIENT_ID="${config.sops.placeholder."stats/oidc_client_id"}" + GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET="${config.sops.placeholder."stats/oidc_client_secret"}" + ''; + }; + systemd.services.add-loki-logging-driver = { description = "Add grafana loki docker driver"; after = ["network.target"]; diff --git a/secrets/franz.yaml b/secrets/franz.yaml index 930ba60..fdc3721 100644 --- a/secrets/franz.yaml +++ b/secrets/franz.yaml @@ -53,6 +53,9 @@ diun: ntfy_access_token: ENC[AES256_GCM,data:37UYgaMlmpoMW74LqtxkuMqGQmCvLpVdJAgEmVxSULY=,iv:tZPlfIgo1vWvMPlQzCBPXj5xYDiTWJOsVwkxBjGNMDk=,tag:882g2UxFfg5VSKqAtEMk2Q==,type:str] crowdsec: traefik_bouncer_api_key: ENC[AES256_GCM,data:qNY3cWNxG2pyrTN1UnYCGWCmx1Yue1WAJZ8DEsLqnZ+RDoaJfvqqJazJUg==,iv:x0K9Vq+ZuojmeHSbS/0PoOQdLIRDMtGdmU+msv4PWzI=,tag:qgxQIBHtARTNv17x7N6zyw==,type:str] +stats: + oidc_client_id: ENC[AES256_GCM,data:/0Y/qLyxGTKskcoQVdlQkEYHa1P7+0PYwv1GoXV5r48btzpPHYysLA==,iv:QT6GM3I38/kSDrzm5phPWnGQxjds0qamduYuIvj4dig=,tag:yGnM4jOwDtC81jrXUG6r+w==,type:str] + oidc_client_secret: ENC[AES256_GCM,data:ETl5Lm8GSk/xwD9+TZZlPwNA8CxdQ2teyjWVWShXrx0o0qdE72lIBnW7mW9bklx1RMhSBvhArZPMA9fFN29nCJ4E9zXNTxFFviHUZTr+8mdm5g9TYu4WJxiJ3rzIavgx4DQR0FIQyXzXXMSoLDpOl+u4oT8vfb3ef4bKIDktBGU=,iv:KMy70+IA8KKj4mjB4sV3uXg8iDjponO+AzYlNYvv3pE=,tag:WMsUg0PNILBz1jNyV6PggQ==,type:str] wiki: aws_access_key_id: ENC[AES256_GCM,data:Fqfa6XcDDpQ0l+/entQh6sxobBM=,iv:gbfHxTy0Oj9xYlucpN98CjNIURDrx9BuFF4Pfo90V0M=,tag:df8Z3J2ovO1MHPnzOsCtpg==,type:str] aws_secret_access_key: ENC[AES256_GCM,data:sbgzvlN5dP4jZIGKtDsMn5o2RqWTl+XNi80ydnOgrQkgnQ/HxluWWA==,iv:xyCKfbf/UF9cFunCYHwVBw4eVvOeZQtfPtrz2s6zIII=,tag:S0wzL8d5iEn20VbOVfrZBw==,type:str] 
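Review bot: `mode = "0775";` on the `sops.templates."grafana.env"` entry makes the rendered file, which contains the plaintext `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET`, readable (and executable) by every account and container on the host, undoing the protection the two `sops.secrets` entries otherwise get from their default owner-only mode. The file is only consumed by the grafana container via `env_file`, so `mode = "0400";` (or `"0600"` if it must be rewritten in place) with `owner = vars.user;` unchanged is the narrowest setting that still works. Rendering it under `/home/${vars.user}/.docker/stats/` also keeps the secret on the persistent filesystem rather than sops-nix's default rendered-template location, which I believe is a tmpfs under `/run`; if the home path is only there to give Docker a stable bind path, the default path could be handed to `env_file` directly. The secrets hunk for `secrets/franz.yaml` is encrypted data and needs no change beyond that.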
@@ -78,8 +81,8 @@ sops:
 VUUxcEhvYi8zeXlCUUViUTl0eWdhcU0KXOfbnDc+zc8lnBcyEAV5EiJSjcSU6AgI
 EfeRw8qVqwChrYn1agslcNnDbE0WQsOCBuA6cE4V3kRofp9HU949ig==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-14T16:33:02Z"
- mac: ENC[AES256_GCM,data:tifzRssqaaej73Tm8bqcms0hrjQ27E7VY1UwfQ/oPXGYxtEdI3FRdDie7yRxOuaquX5JXcJquQyTKrHEXbUakwqddSsws3uKkdy8dfjmTbpGWjKUPnPASsix2l028ov1jIeQ80/QfMavtSmy/1ZI7O/cVGy9FMV0wFysEWMJ+KI=,iv:Nolz/xL+jifstC1sw1IzI7Fu3fR+6+TBMWjl7PQZGh4=,tag:jxVt7kCQwfTKdbd8CLmesA==,type:str]
+ lastmodified: "2024-08-09T13:53:16Z"
+ mac: ENC[AES256_GCM,data:5pANdrfnPuDf2mai0UgcFbwr4OzjLzLWraKOt38fX2MySYH2EryMzsk4prhehXPTkD3soMFwaVbuuqZUbkWCWM3CtjuyCisQH4uiZZw+slw6g8atr4h3tpHtD2SwgGVESMJouVQyfb9ko4O1ArBvml/0a6DAGmwoxlQwGboZR5M=,iv:oiZx4BsRBNAn+hjhzhV6oVZrYQJ32DAQlyNNsevaLpc=,tag:A0EsGeaP5vy9vA8WZjbxIQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1