From 03c2ff373df68ac40f565ff5d2a556b8258c95ab Mon Sep 17 00:00:00 2001 From: Robert Perce Date: Sun, 24 Aug 2025 01:23:15 -0500 Subject: [PATCH] grafana-to-ntfy conf --- Taskfile | 8 ++--- lxc-metrics.nix | 80 ++++++++++++++++++++++++++++++++++++++++--------- vm-homelab.nix | 7 +++-- 3 files changed, 75 insertions(+), 20 deletions(-) diff --git a/Taskfile b/Taskfile index 3a212c5..bdb82b4 100755 --- a/Taskfile +++ b/Taskfile @@ -12,9 +12,9 @@ build() { dump() { build "$@" - if [ -a "vm-$1.nix" ]; then + if [ -e "vm-$1.nix" ]; then sudo cp -f result/vzdump* /mnt/share/proxmox/dump/ - elif [ -a "lxc-$1.nix" ]; then + elif [ -e "lxc-$1.nix" ]; then sudo cp -f result/tarball/nixos-system-x86_64-linux.tar.xz "/mnt/share/proxmox/dump/$1.tar.xz" fi } @@ -24,9 +24,9 @@ get-ip() { if [[ "$file" = "proxmox" ]]; then echo 192.168.0.3 return - elif [[ "$file" != *.nix && -a "vm-$1.nix" ]]; then + elif [[ "$file" != *.nix && -e "vm-$1.nix" ]]; then file="vm-$1.nix" - elif [[ "$file" != *.nix && -a "lxc-$1.nix" ]]; then + elif [[ "$file" != *.nix && -e "lxc-$1.nix" ]]; then file="lxc-$1.nix" fi grep ip4 "$file" | grep -Po "[0-9]+(\.[0-9]+){3}" diff --git a/lxc-metrics.nix b/lxc-metrics.nix index 1735011..ed0c3c8 100644 --- a/lxc-metrics.nix +++ b/lxc-metrics.nix @@ -1,4 +1,10 @@ -{ config, inputs, pkgs, ... }: +{ + config, + inputs, + pkgs, + lib, + ... +}: { imports = [ @@ -11,9 +17,10 @@ ip4 = "192.168.0.6"; }; - # environment.systemPackages = with pkgs; [ + environment.systemPackages = with pkgs; [ + grafana-to-ntfy + ]; - # ] networking.extraHosts = '' 192.168.0.2 xalicas 192.168.0.3 proxmox 
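Review bot: In the Taskfile `dump()` hunk, when neither `vm-$1.nix` nor `lxc-$1.nix` exists (or `$1` is empty) the `if`/`elif` chain falls through silently after `build "$@"` has already run, so a typo in the target name looks like success. I would add `else echo "dump: no vm-$1.nix or lxc-$1.nix" >&2; return 1` before the `fi`. The `-a` to `-e` change itself is fine (`-e` is the POSIX spelling); `get-ip` has the same silent fall-through but at least its `grep` then fails visibly on a missing file.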
@@ -39,21 +46,66 @@ }; }; + ## grafana-to-ntfy config is broken in nixpkgs, so we hardcode our own + systemd.services.grafana-to-ntfy = { + wantedBy = [ "multi-user.target" ]; + script = "exec ${lib.getExe pkgs.grafana-to-ntfy}"; + environment = { + NTFY_URL = "https://ntfy.sh/99ecef2d-05c1-4e73-9cc5-c9a1e6d0adf0"; + BAUTH_USER = "grafana"; + BAUTH_PASS = "grafana"; + }; + serviceConfig = { + DynamicUser = true; + CapabilityBoundingSet = [ "" ]; + DeviceAllow = ""; + LockPersonality = true; + PrivateDevices = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + MemoryDenyWriteExecute = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; + }; + }; + services.prometheus = { enable = true; port = 9001; scrapeConfigs = [ - { job_name = "nodes"; - static_configs = [{ - targets = [ - "xalicas:9100" - "proxmox:9100" - "craft01:9100" - "lab01:9100" - "127.0.0.1:9100" - "unifi:9100" - ]; - }]; + { + job_name = "nodes"; + static_configs = [ + { + targets = [ + "xalicas:9100" + "proxmox:9100" + "craft01:9100" + "lab01:9100" + "127.0.0.1:9100" + "unifi:9100" + ]; + } + ]; } ]; }; diff --git a/vm-homelab.nix b/vm-homelab.nix index 5ebd4a1..cf7bc73 100644 --- a/vm-homelab.nix +++ b/vm-homelab.nix @@ -12,10 +12,13 @@ }; # environment.systemPackages = with pkgs; [ - + # # ]; - networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; services.caddy = { enable = true;
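Review bot: The new `systemd.services.grafana-to-ntfy.environment` block puts `BAUTH_USER`/`BAUTH_PASS` and the ntfy topic URL directly into the Nix expression, and as far as I know NixOS renders `environment` into the generated unit file under `/nix/store`, which is world-readable on the host (and the values also show up in `systemctl show`), so any local user can read the webhook credentials and the topic that receives the alerts. I would drop the inline `environment` attribute and load the three variables from a root-only file outside the store, e.g. `serviceConfig.EnvironmentFile = "/run/secrets/grafana-to-ntfy.env";` with a comment `# NTFY_URL, BAUTH_USER, BAUTH_PASS live here, not in the store`, fed by whatever secrets mechanism the rest of the config uses. Independently of where they are stored, `grafana`/`grafana` is a guessable pair for the only authentication on the webhook, and on a public ntfy.sh server the topic string is the sole secret protecting read access to alert contents, so both should be long random values. On style, `CapabilityBoundingSet = [ "" ]` and `DeviceAllow = ""` express "empty" in two different forms; using `""` for both reads more consistently, and the hardening list could also state `ProtectSystem = "strict"` since nothing visible in the hunk needs to write outside its runtime directory — that one I would confirm against the binary first.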