grafana

newinfra/nix/hive.nix

@@ -148,13 +148,13 @@
       ./modules/ingress
       ./modules/garage
       ./modules/podman
+      ./modules/registry
 
       # apps
       ./apps/widetom
       ./apps/hugo-chat
       ./apps/uptime
       ./apps/cargo-bisect-rustc-service
-      ./apps/registry
     ];
 
     deployment.tags = [ "ingress" "eu" "apps" "wg" ];

newinfra/nix/modules/dns/noratrieb.dev.nix

@@ -61,6 +61,7 @@ let
         ];
 
         # --- infra
+        grafana = vps3;
         infra.subdomains = hostsToDns;
       };
     };

newinfra/nix/modules/ingress/default.nix

@@ -71,8 +71,8 @@ in
           }
 
           ${
-            if name == "vps1" then
+            if name == "vps1" || name == "vps3" then
-            builtins.readFile ./Caddyfile else ""
+            builtins.readFile ./${name}.Caddyfile else ""
           }
         ''
       );

newinfra/nix/modules/ingress/vps3.Caddyfile

@@ -0,0 +1,4 @@
+grafana.noratrieb.dev {
+	encode zstd gzip
+	reverse_proxy * localhost:3000
+}

newinfra/nix/modules/prometheus/default.nix

@@ -1,4 +1,4 @@
-{ ... }: {
+{ config, ... }: {
   services.prometheus = {
     enable = true;
     globalConfig = { };
@@ -27,6 +27,46 @@
           { targets = [ "vps5.local:9010" ]; }
         ];
       }
+      {
+        job_name = "docker-registry";
+        static_configs = [
+          { targets = [ "vps1.local:9011" ]; }
+        ];
+      }
     ];
   };
+
+  age.secrets.grafana_admin_password.file = ../../secrets/grafana_admin_password.age;
+
+  systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana_admin_password.path;
+  services.grafana = {
+    enable = true;
+    settings = {
+      security = {
+        admin_user = "admin";
+      };
+      server = {
+        root_url = "https://grafana.noratrieb.dev";
+      };
+    };
+
+    provision = {
+      enable = true;
+      datasources.settings = {
+        apiVersion = 1;
+        datasources = [
+          {
+            name = "Prometheus";
+            type = "prometheus";
+            access = "proxy";
+            url = "http://vps3.local:9090";
+            jsonData = {
+              httpMethod = "POST";
+              prometheusType = "Prometheus";
+            };
+          }
+        ];
+      };
+    };
+  };
 }

newinfra/nix/modules/registry/default.nix

@@ -10,6 +10,8 @@
     };
   };
 
+  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9011 ]; # metrics
+
   systemd.services.docker-registry.serviceConfig.EnvironmentFile = config.age.secrets.registry_s3_key_secret.path;
   services.dockerRegistry = {
     enable = true;
@@ -37,6 +39,13 @@
       http = {
         host = "https://docker.noratrieb.dev";
         draintimeout = "60s";
+        debug = {
+          addr = ":9011";
+          prometheus = {
+            enabled = true;
+            path = "/metrics";
+          };
+        };
       };
       auth.htpasswd = {
         # TODO: ugh :(

newinfra/nix/secrets/secrets.nix

@@ -14,6 +14,7 @@ in
   "caddy_s3_key_secret.age".publicKeys = [ vps1 vps3 vps4 vps5 ];
   "registry_htpasswd.age".publicKeys = [ vps1 ];
   "registry_s3_key_secret.age".publicKeys = [ vps1 ];
+  "grafana_admin_password.age".publicKeys = [ vps3 ];
   "wg_private_vps1.age".publicKeys = [ vps1 ];
   "wg_private_vps3.age".publicKeys = [ vps3 ];
   "wg_private_vps4.age".publicKeys = [ vps4 ];

newinfra/nix/secrets/wg_private_vps1.age

@@ -1,5 +1,6 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg O7IcxaeSOGfOmQJudTMomwnl/bsPhAUKCPeidwbThXs
+-> ssh-ed25519 qM6TYg vqaZ8FrH2/iw1skzhxcDVtTGNrvgacXe6yZ6FLR5NxA
-e4Llj1rpB0QtY08AOQYSr9450fdLd7Io8MpXzCAma5c
+YsksjwIhIsGqSuHsgE2bxEChfhezUiab1KCR2JwGJog
---- DnobWf9zRcr2T9fV32wFhZDmHoXdrLGoEbiOMg+ixyE
+--- tBUyV+jlTZVRhpzYloVwoKozRDOgOv6lLsLj9y8yxqI
-’ÓZŸeÆúNKÚh,Ÿðû $Æ!Ϲ¶ÿ<>bÿz‹/Û:—q–Ÿ^¹u1®ŒÌÉõqEíÇÿF-‹ƒ<E280B9>«F=7‰¤C%ІÚ¥q®
+%xTEÀâÿcÉ<63>cÃ1eó#È=¡
)ùh&•<>¡ÇKU㆑­
GÔ}J™o<14>¿„ê®Ã|4M*¸Ô©]xh
pë›oð±Ãe
+)œ<1A>

newinfra/nix/secrets/wg_private_vps4.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 51bcvA CjxIs41xJfD5FLvhNePVx4Z+oxLNGs18rIqA1oePZUA
+-> ssh-ed25519 51bcvA cvlpm3reQDmA9Faca2wB1M8a4diEUTAYnZ7scmbt+i0
-vbbgC5XDSpheko+opZcGdGOLRTkpy9oOKUDqJB5mHrA
+DNQrAzPoVvbDR7UVCft8m/6kjHySIpT1l+xl22TW9bk
---- zIA/cJR2IvTe9PrxvsqYUtx3CVDMadur9Zab5yklQHk
+--- PELEXNV7Ottz1Jgc+5U0ew9t2YEKfUVSsiaYehvwqnc
-9öÖÞ_n5Ù~¡â\ÊÅC'qŠ±]Ù+~jwº&âO4¸‚Ÿ‚NÁ
v‚ï<E2809A>€Uo$ÔÊ<C394>¤béÕØùˆEÍ…Gì¥kmkÞ\ú
+WßÂLşŚ…Ł˙e·‘7Mč?Ěí™VŰý¬69)†ÚY%yú1›<31>J(uë<75>ż¸‚0)x@Y~Ąóhâ”<C3A2>żŽˇ çŇY5îËNÎd

newinfra/nix/secrets/wg_private_vps5.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 vT7ExA hiEMWjjGY/Elfd8oc9gB7p1bcV0G4u+NpvcChl06Kko
+-> ssh-ed25519 vT7ExA ZtMI/PoOE6fF7heY5Eq12bhzgn/ViE/PzeLRJlFOZxo
-TANojl91jyH5dIjj0e7FlyvWfblRWd1psLerI3AxKe4
+kdRK08mwj0vCjhvJzX4TmI4H0dnRbnDC7kK+U7BW4mM
---- EZL4OcGAkc70DMOiFaiZab64IX+Cv952bGXgF/5XZNc
+--- QSYK8SFsCQK0hrCG2ZjAG3KIpXPQTJqolMLj6aWHkcs
-{KŸ¶´›Nnþ0§oí½íšjM£½r§ÕTOqÈ3ÂðMa‰p­&;D	qû–ASãótr<1E>©‚YÏ@åùúƒm4ñ©r®Om
+ ՚<>b<EFBFBD>C<EFBFBD>C<>x<EFBFBD><78>T<EFBFBD><54><EFBFBD>><05>I<EFBFBD><49>n<EFBFBD><6E>e<0E><>
<01><>3<EFBFBD><33><EFBFBD><EFBFBD>F<EFBFBD><46>n.<2E><>=<3D><>V~<7E><>(G<>8ӚGi<47><69>(<28><>3Yd:e<>u<EFBFBD>