Commit 16d1248
Changed files (6)
hosts/chaser-pardofelis/monitoring/default.nix
@@ -1,5 +0,0 @@
-{...}: {
- imports = [
- ./victoriametrics.nix
- ];
-}
hosts/chaser-pardofelis/monitoring/victoriametrics.nix
@@ -1,100 +0,0 @@
-{
- lib,
- config,
- ...
-}:
-# let
-# isSecret = v: lib.isAttrs v && v ? "secretName";
-# hosts = config.modules.my-hosts;
-# managedHosts = lib.filterAttrs (name: host: !builtins.isNull host.network.ipv4) hosts;
-# in
-lib.mkMerge [
- {
- services.victoriametrics = {
- enable = true;
- listenAddress = "127.0.0.1:9020";
- checkConfig = false; # Disable it because env `CREDENTIALS_DIRECTORY` not loaded in check
-
- extraOptions = [
- # Allowed percent of system memory VictoriaMetrics caches may occupy.
- "-memory.allowedPercent=30"
- ];
-
- prometheusConfig.scrape_configs = [
- {
- job_name = "node-exporter-local";
- scrape_interval = "30s";
- metrics_path = "/metrics";
- static_configs = [
- {
- # All my NixOS hosts.
- targets = ["127.0.0.1:${builtins.toString config.services.prometheus.exporters.node.port}"];
- labels.type = "node";
- labels.host = "pardofelis";
- }
- ];
- }
- {
- job_name = "gotosocial-trinnon";
- scrape_interval = "30s";
- metrics_path = "/metrics";
- scheme = "https";
- basic_auth = {
- username = config.services.gotosocial.settings.metrics-auth-username;
- password_file = "%{CREDENTIALS_DIRECTORY}/GTS_AUTH_PASSWD";
- };
- static_configs = [
- {
- targets = ["trin.one"];
- labels.type = "gotosocial";
- labels.host = "pardofelis";
- }
- ];
- }
- ];
- };
-
- systemd.services.victoriametrics.serviceConfig = {
- LoadCredential = "GTS_AUTH_PASSWD:${config.sops.secrets.gotosocial-metrics-password.path}";
- };
- }
- # TODO: Complete below before I have another remote host running NixOS
- # (
- # lib.concatMapAttrs
- # (host: cfg: let
- # templateName = "prometheus-node-exporter-${host}.json";
- # nodeExporterPort = builtins.toString config.services.prometheus.exporters.node.port;
- # in {
- # services.victoriametrics.prometheusConfig.scrape_configs = [
- # {
- # job_name = "node-exporter-${host}";
- # scrape_interval = "30s";
- # metrics_path = "/metrics";
- # static_configs = lib.mkIf (!isSecret cfg.network.ipv4) [
- # {
- # targets = ["${cfg.network.ipv4}:${nodeExporterPort}"];
- # labels.type = "node";
- # labels.host = host;
- # }
- # ];
- # file_sd_configs = lib.mkIf (isSecret cfg.network.ipv4) [
- # {files = config.sops.templates.${templateName}.path;}
- # ];
- # }
- # ];
- # sops.templates.${templateName} = lib.mkIf (isSecret cfg.network.ipv4) {
- # content = ''
- # [${builtins.toJSON {
- # targets = ["${config.sops.placeholder."${host}-ipv4"}:${nodeExporterPort}"];
- # labels.type = "node";
- # labels.host = host;
- # }}]
- # '';
- # user = "root";
- # group = "victoriametrics";
- # mode = "0440";
- # };
- # })
- # managedHosts
- # )
-]
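--- a/hosts/chaser-pardofelis/caddy.nix
+++ b/hosts/chaser-pardofelis/caddy.nix
@@ -18,7 +18,6 @@ in {
 # Assuming address start with `tcp://`.
 builtins.substring 6 (-1) config.services.authelia.instances.main.settings.server.address
 }";
- prometheus = "http://${config.services.victoriametrics.listenAddress}";
 };
 in {
 "phanpy.trin.one".extraConfig = ''
@@ -38,10 +37,6 @@ in {
 }
 }
 '';
- "prometheus.hpcesia.com".extraConfig = ''
- encode zstd gzip
- reverse_proxy ${localAddress.prometheus}
- '';
 };
 };
 }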
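--- a/modules/hosts/chaser-pardofelis/default.nix
+++ b/modules/hosts/chaser-pardofelis/default.nix
@@ -37,6 +37,7 @@
 "podman"
 "restic"
 "vaultwarden"
+ "victoriametrics"
 ]
 )
 ++ (map (lib.path.append config.flake.meta.rootPath) [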
modules/services/victoriametrics/default.nix
@@ -0,0 +1,64 @@
+{lib, ...}: {
+ flake.modules.nixos."services/victoriametrics" = {config, ...}: {
+ services.victoriametrics = {
+ enable = true;
+ listenAddress = "127.0.0.1:9020";
+ checkConfig = false; # Disable it because env `CREDENTIALS_DIRECTORY` not loaded in check
+
+ extraOptions = [
+ # Allowed percent of system memory VictoriaMetrics caches may occupy.
+ "-memory.allowedPercent=30"
+ ];
+
+ prometheusConfig.scrape_configs =
+ [
+ {
+ job_name = "gotosocial-trinnon";
+ scrape_interval = "30s";
+ metrics_path = "/metrics";
+ scheme = "https";
+ basic_auth = {
+ username = "trinnon-metrics";
+ password_file = "%{CREDENTIALS_DIRECTORY}/GTS_AUTH_PASSWD";
+ };
+ static_configs = [
+ {
+ targets = ["trin.one"];
+ labels.type = "gotosocial";
+ labels.host = "pardofelis";
+ }
+ ];
+ }
+ ]
+ ++ (lib.optional config.services.prometheus.exporters.node.enable {
+ job_name = "node-exporter-local";
+ scrape_interval = "30s";
+ metrics_path = "/metrics";
+ static_configs = [
+ {
+ targets = ["127.0.0.1:${builtins.toString config.services.prometheus.exporters.node.port}"];
+ labels.type = "node";
+ labels.host = config.networking.hostName;
+ }
+ ];
+ });
+ };
+
+ systemd.services.victoriametrics.serviceConfig = {
+ LoadCredential = "GTS_AUTH_PASSWD:${config.vaultix.secrets.gotosocial-metrics-password.path}";
+ };
+
+ services.caddy.virtualHosts."prometheus.hpcesia.com".extraConfig =
+ lib.mkIf config.services.caddy.enable
+ (let
+ localAddress = "http://${config.services.victoriametrics.listenAddress}";
+ in ''
+ encode zstd gzip
+ reverse_proxy ${localAddress}
+ '');
+
+ # Use mkDefault because GtS defined this secret too.
+ # This secret file is a relative system link to GtS's secret file.
+ vaultix.secrets.gotosocial-metrics-password.file = lib.mkDefault ./gotosocial-metrics-password.age;
+ };
+}
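Review bot: The `services.caddy.virtualHosts."prometheus.hpcesia.com"` block near the end of this hunk publishes VictoriaMetrics with only `encode zstd gzip` and `reverse_proxy ${localAddress}`, and nothing visible in the module puts authentication in front of it. Single-node VictoriaMetrics serves its query, import and admin endpoints on one listener and does not authenticate them unless configured to, so the `127.0.0.1:9020` bind stops being a boundary once Caddy forwards the hostname. Unless access is restricted somewhere not shown here, gate the vhost, for example with a `forward_auth` block pointing at the Authelia instance that the host's caddy.nix already references. Alternatively add `-httpAuth.username` and `-httpAuth.password` to `extraOptions`, with the password supplied from a credential file rather than written into the Nix store. A short comment above the vhost stating who is expected to reach it would also help the next reader.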
modules/services/victoriametrics/metrics-password.age
@@ -0,0 +1,1 @@
+../gotosocial/metrics-password.age
\ No newline at end of file
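Review bot: This link is added as `metrics-password.age`, but modules/services/victoriametrics/default.nix sets `vaultix.secrets.gotosocial-metrics-password.file` to `./gotosocial-metrics-password.age`, a name this commit does not create. Unless that file already exists in the directory, evaluation will fail on a missing path whenever this `mkDefault` is the winning definition. Either rename the link or change the reference to `./metrics-password.age`. The link target `../gotosocial/metrics-password.age` is also outside this commit, so confirm it resolves from modules/services/victoriametrics/.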