grafana

newinfra/nix/modules/dns/noratrieb.dev.nix

@@ -61,6 +61,7 @@ let
         ];
 
         # --- infra
+        grafana = vps3;
         infra.subdomains = hostsToDns;
       };
     };

newinfra/nix/modules/ingress/default.nix

@@ -71,8 +71,8 @@ in
           }
 
           ${
-            if name == "vps1" then
-            builtins.readFile ./Caddyfile else ""
+            if name == "vps1" || name == "vps3" then
+            builtins.readFile ./${name}.Caddyfile else ""
           }
         ''
       );

newinfra/nix/modules/ingress/vps3.Caddyfile

@@ -0,0 +1,4 @@
+grafana.noratrieb.dev {
+	encode zstd gzip
+	reverse_proxy * localhost:3000
+}

newinfra/nix/modules/prometheus/default.nix

@@ -1,4 +1,4 @@
-{ ... }: {
+{ config, ... }: {
   services.prometheus = {
     enable = true;
     globalConfig = { };
@@ -27,6 +27,46 @@
           { targets = [ "vps5.local:9010" ]; }
         ];
       }
+      {
+        job_name = "docker-registry";
+        static_configs = [
+          { targets = [ "vps1.local:9011" ]; }
+        ];
+      }
     ];
   };
+
+  age.secrets.grafana_admin_password.file = ../../secrets/grafana_admin_password.age;
+
+  systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana_admin_password.path;
+  services.grafana = {
+    enable = true;
+    settings = {
+      security = {
+        admin_user = "admin";
+      };
+      server = {
+        root_url = "https://grafana.noratrieb.dev";
+      };
+    };
+
+    provision = {
+      enable = true;
+      datasources.settings = {
+        apiVersion = 1;
+        datasources = [
+          {
+            name = "Prometheus";
+            type = "prometheus";
+            access = "proxy";
+            url = "http://vps3.local:9090";
+            jsonData = {
+              httpMethod = "POST";
+              prometheusType = "Prometheus";
+            };
+          }
+        ];
+      };
+    };
+  };
 }

newinfra/nix/modules/registry/default.nix

@@ -0,0 +1,57 @@
+{ config, lib, ... }: {
+  age.secrets = {
+    registry_htpasswd = {
+      file = ../../secrets/registry_htpasswd.age;
+      owner = config.users.users.docker-registry.name;
+    };
+    registry_s3_key_secret = {
+      file = ../../secrets/registry_s3_key_secret.age;
+      owner = config.users.users.docker-registry.name;
+    };
+  };
+
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9011 ]; # metrics
+
+  systemd.services.docker-registry.serviceConfig.EnvironmentFile = config.age.secrets.registry_s3_key_secret.path;
+  services.dockerRegistry = {
+    enable = true;
+    storagePath = null;
+    port = 5000;
+    extraConfig = {
+      log = {
+        accesslog.disabled = false;
+        level = "info";
+        formatter = "text";
+        fields.service = "registry";
+      };
+      redis = lib.mkForce null;
+      storage = {
+        s3 = {
+          regionendpoint = "http://127.0.0.1:3900";
+          region = "garage";
+          bucket = "docker-registry";
+          # accesskey = ""; ENV REGISTRY_STORAGE_S3_ACCESSKEY
+          # secretkey = ""; ENV REGISTRY_STORAGE_S3_SECRETKEY
+          secure = false;
+        };
+        redirect.disable = true;
+      };
+      http = {
+        host = "https://docker.noratrieb.dev";
+        draintimeout = "60s";
+        debug = {
+          addr = ":9011";
+          prometheus = {
+            enabled = true;
+            path = "/metrics";
+          };
+        };
+      };
+      auth.htpasswd = {
+        # TODO: ugh :(
+        realm = "nilstrieb-registry";
+        path = config.age.secrets.registry_htpasswd.path;
+      };
+    };
+  };
+}