blob: 0282b04cfb554778bcd5ed7ada4169a4a972e088 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
{ config, lib, pkgs, ... }:
# graphite-web on port 8080
# carbon cache on port 2003 (tcp/udp)
with config.krebs.lib;
let
sec = toString <secrets>;
acmepath = "/var/lib/acme/";
acmechall = acmepath + "/challenges/";
ext-dom = "stats.nsupdate.info";
#ssl_cert = "${sec}/wildcard.krebsco.de.crt";
#ssl_key = "${sec}/wildcard.krebsco.de.key";
ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem";
ssl_key = "${acmepath}/${ext-dom}/key.pem";
in {
networking.firewall = {
allowedTCPPorts = [ 2003 80 443 ];
allowedUDPPorts = [ 2003 ];
};
services.grafana = {
enable = true;
addr = "127.0.0.1";
extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; };
users.allowSignUp = false;
users.allowOrgCreate = false;
users.autoAssignOrg = false;
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
};
krebs.nginx = {
enable = true;
servers.elch-stats = {
server-names = [ ext-dom ];
listen = [ "80" "443 ssl" ];
ssl = {
enable = true;
# these certs will be needed if acme has not yet created certificates:
certificate = ssl_cert;
certificate_key = ssl_key;
force_encryption = true;
};
locations = [
(nameValuePair "/" ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:3000/;
'')
(nameValuePair "/.well-known/acme-challenge" ''
root ${acmechall}/${ext-dom}/;
'')
];
};
};
security.acme.certs."${ext-dom}" = {
email = "acme@syntax-fehler.de";
webroot = "${acmechall}/${ext-dom}/";
group = "nginx";
allowKeysForGroup = true;
postRun = "systemctl reload nginx.service";
extraDomains."${ext-dom}" = null ;
};
services.graphite = {
web = {
enable = true;
host = "127.0.0.1";
port = 8080;
};
carbon = {
enableCache = true;
# save disk usage by restricting to 1 bulk update per second
config = ''
[cache]
MAX_CACHE_SIZE = inf
MAX_UPDATES_PER_SECOND = 1
MAX_CREATES_PER_MINUTE = 500
'';
storageSchemas = ''
[carbon]
pattern = ^carbon\.
retentions = 60:90d
[elchos]
patterhn = ^elchos\.
retention = 10s:30d,60s:1y
[default]
pattern = .*
retentions = 30s:30d,300s:1y
'';
};
};
}
|
