rob/homelab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
homelab/lxc-metrics.nix

113 lines
2.5 KiB
Nix
Raw Blame History

{
config,
inputs,
pkgs,
lib,
...
}:
{
imports = [
./lxc-base.nix
];
config = {
my.vm = {
name = "metrics01";
ip4 = "192.168.0.6";
};
environment.systemPackages = with pkgs; [
grafana-to-ntfy
];
networking.extraHosts = ''
192.168.0.2 xalicas
192.168.0.3 proxmox
192.168.0.4 craft01
192.168.0.5 lab01
192.168.0.6 metrics01
192.168.0.100 unifi
'';
networking.firewall.allowedTCPPorts = [ 3000 ];
services.grafana = {
enable = true;
settings = {
server = {
http_addr = "0.0.0.0";
http_port = 3000;
enable_gzip = true;
enforce_domain = false;
domain = "metrics.rperce.net";
};
};
};
## grafana-to-ntfy config is broken in nixpkgs, so we hardcode our own
systemd.services.grafana-to-ntfy = {
wantedBy = [ "multi-user.target" ];
script = "exec ${lib.getExe pkgs.grafana-to-ntfy}";
environment = {
NTFY_URL = "https://ntfy.sh/99ecef2d-05c1-4e73-9cc5-c9a1e6d0adf0";
BAUTH_USER = "grafana";
BAUTH_PASS = "grafana";
};
serviceConfig = {
DynamicUser = true;
CapabilityBoundingSet = [ "" ];
DeviceAllow = "";
LockPersonality = true;
PrivateDevices = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077";
};
};
services.prometheus = {
enable = true;
port = 9001;
scrapeConfigs = [
{
job_name = "nodes";
static_configs = [
{
targets = [
"xalicas:9100"
"proxmox:9100"
"craft01:9100"
"lab01:9100"
"127.0.0.1:9100"
"unifi:9100"
];
}
];
}
];
};
};
}
Reference in a new issue View git blame Copy permalink