homelab/lxc-metrics.nix

{
  config,
  inputs,
  pkgs,
  lib,
  ...
}:

{
  imports = [
    ./lxc-base.nix
  ];

  config = {
    my.vm = {
      name = "metrics01";
      ip4 = "192.168.0.6";
    };

    environment.systemPackages = with pkgs; [
      grafana-to-ntfy
    ];

    networking.extraHosts = ''
      192.168.0.2    xalicas
      192.168.0.3    proxmox
      192.168.0.4    craft01
      192.168.0.5    lab01
      192.168.0.6    metrics01
      192.168.0.100  unifi
    '';

    networking.firewall.allowedTCPPorts = [ 3000 ];

    services.grafana = {
      enable = true;
      settings = {
        server = {
          http_addr = "0.0.0.0";
          http_port = 3000;

          enable_gzip = true;
          enforce_domain = false;
          domain = "metrics.rperce.net";
        };
      };
    };

    ## grafana-to-ntfy config is broken in nixpkgs, so we hardcode our own
    systemd.services.grafana-to-ntfy = {
      wantedBy = [ "multi-user.target" ];
      script = "exec ${lib.getExe pkgs.grafana-to-ntfy}";
      environment = {
        NTFY_URL = "https://ntfy.sh/99ecef2d-05c1-4e73-9cc5-c9a1e6d0adf0";
        BAUTH_USER = "grafana";
        BAUTH_PASS = "grafana";
      };
      serviceConfig = {
        DynamicUser = true;
        CapabilityBoundingSet = [ "" ];
        DeviceAllow = "";
        LockPersonality = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        MemoryDenyWriteExecute = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
        UMask = "0077";
      };
    };

    services.prometheus = {
      enable = true;
      port = 9001;
      scrapeConfigs = [
        {
          job_name = "nodes";
          static_configs = [
            {
              targets = [
                "xalicas:9100"
                "proxmox:9100"
                "craft01:9100"
                "lab01:9100"
                "127.0.0.1:9100"
                "unifi:9100"
              ];
            }
          ];
        }
      ];
    };
  };
}
grafana-to-ntfy conf 2025-08-24 01:23:15 -05:00			`{`
			`config,`
			`inputs,`
			`pkgs,`
			`lib,`
			`...`
			`}:`
metrics lxc 2025-08-23 23:14:40 -05:00
			`{`
			`imports = [`
			`./lxc-base.nix`
			`];`

			`config = {`
			`my.vm = {`
			`name = "metrics01";`
			`ip4 = "192.168.0.6";`
			`};`

grafana-to-ntfy conf 2025-08-24 01:23:15 -05:00			`environment.systemPackages = with pkgs; [`
			`grafana-to-ntfy`
			`];`
metrics lxc 2025-08-23 23:14:40 -05:00
			`networking.extraHosts = ''`
			`192.168.0.2 xalicas`
			`192.168.0.3 proxmox`
			`192.168.0.4 craft01`
			`192.168.0.5 lab01`
			`192.168.0.6 metrics01`
			`192.168.0.100 unifi`
			`'';`

			`networking.firewall.allowedTCPPorts = [ 3000 ];`

			`services.grafana = {`
			`enable = true;`
			`settings = {`
			`server = {`
			`http_addr = "0.0.0.0";`
			`http_port = 3000;`

			`enable_gzip = true;`
			`enforce_domain = false;`
			`domain = "metrics.rperce.net";`
			`};`
			`};`
			`};`

grafana-to-ntfy conf 2025-08-24 01:23:15 -05:00			`## grafana-to-ntfy config is broken in nixpkgs, so we hardcode our own`
			`systemd.services.grafana-to-ntfy = {`
			`wantedBy = [ "multi-user.target" ];`
			`script = "exec ${lib.getExe pkgs.grafana-to-ntfy}";`
			`environment = {`
			`NTFY_URL = "https://ntfy.sh/99ecef2d-05c1-4e73-9cc5-c9a1e6d0adf0";`
			`BAUTH_USER = "grafana";`
			`BAUTH_PASS = "grafana";`
			`};`
			`serviceConfig = {`
			`DynamicUser = true;`
			`CapabilityBoundingSet = [ "" ];`
			`DeviceAllow = "";`
			`LockPersonality = true;`
			`PrivateDevices = true;`
			`PrivateUsers = true;`
			`ProcSubset = "pid";`
			`ProtectClock = true;`
			`ProtectControlGroups = true;`
			`ProtectHome = true;`
			`ProtectHostname = true;`
			`ProtectKernelLogs = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelTunables = true;`
			`ProtectProc = "invisible";`
			`RestrictAddressFamilies = [`
			`"AF_INET"`
			`"AF_INET6"`
			`"AF_UNIX"`
			`];`
			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`MemoryDenyWriteExecute = true;`
			`SystemCallArchitectures = "native";`
			`SystemCallFilter = [`
			`"@system-service"`
			`"~@privileged"`
			`];`
			`UMask = "0077";`
			`};`
			`};`

metrics lxc 2025-08-23 23:14:40 -05:00			`services.prometheus = {`
			`enable = true;`
			`port = 9001;`
			`scrapeConfigs = [`
grafana-to-ntfy conf 2025-08-24 01:23:15 -05:00			`{`
			`job_name = "nodes";`
			`static_configs = [`
			`{`
			`targets = [`
			`"xalicas:9100"`
			`"proxmox:9100"`
			`"craft01:9100"`
			`"lab01:9100"`
			`"127.0.0.1:9100"`
			`"unifi:9100"`
			`];`
			`}`
			`];`
metrics lxc 2025-08-23 23:14:40 -05:00			`}`
			`];`
			`};`
			`};`
			`}`