grafana

modules/nixos/services/grafana/default.nix

@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  pkgs,
   namespace,
   ...
 }:
@@ -9,6 +10,83 @@ let
   name = "grafana";
   cfg = config.${namespace}.services.${name};
 
+  # ---------------------------------------------------------------------------
+  # Community dashboards — fetched at build time, pinned by hash.
+  # ---------------------------------------------------------------------------
+  communityDashboards = pkgs.linkFarm "grafana-community-dashboards" [
+    {
+      # Node Exporter Full — https://grafana.com/grafana/dashboards/1860
+      name = "node-exporter-full.json";
+      path = pkgs.fetchurl {
+        url = "https://grafana.com/api/dashboards/1860/revisions/latest/download";
+        sha256 = "sha256-pNgn6xgZBEu6LW0lc0cXX2gRkQ8lg/rer34SPE3yEl4=";
+      };
+    }
+    {
+      # PostgreSQL Database — https://grafana.com/grafana/dashboards/9628
+      name = "postgresql.json";
+      path = pkgs.fetchurl {
+        url = "https://grafana.com/api/dashboards/9628/revisions/latest/download";
+        sha256 = "sha256-UhusNAZbyt7fJV/DhFUK4FKOmnTpG0R15YO2r+nDnMc=";
+      };
+    }
+    {
+      # Redis Dashboard for prometheus-redis-exporter 1.x — https://grafana.com/grafana/dashboards/763
+      name = "redis.json";
+      path = pkgs.fetchurl {
+        url = "https://grafana.com/api/dashboards/763/revisions/latest/download";
+        sha256 = "sha256-pThz+zHjcTT9vf8fpUuZK/ejNnH9GwEZVXOY27c9Aw8=";
+      };
+    }
+    {
+      # MySQL Overview — https://grafana.com/grafana/dashboards/7362
+      name = "mysql.json";
+      path = pkgs.fetchurl {
+        url = "https://grafana.com/api/dashboards/7362/revisions/latest/download";
+        sha256 = "sha256-WW7g60KY20XAdyUpumA0hBrjFC9MQGuGjiJKUhSVBXI=";
+      };
+    }
+    {
+      # Nextcloud — https://grafana.com/grafana/dashboards/9632
+      name = "nextcloud.json";
+      path = pkgs.fetchurl {
+        url = "https://grafana.com/api/dashboards/9632/revisions/latest/download";
+        sha256 = "sha256-Z28Q/sMg3jxglkszAs83IpL8f4p9loNnTQzjc3S/SAQ=";
+      };
+    }
+  ];
+
+  # ---------------------------------------------------------------------------
+  # Custom dashboards — maintained in this repo under dashboards/
+  # ---------------------------------------------------------------------------
+  customDashboards = pkgs.linkFarm "grafana-custom-dashboards" [
+    {
+      name = "nut.json";
+      path = ./dashboards/nut.json;
+    }
+    {
+      name = "caddy.json";
+      path = ./dashboards/caddy.json;
+    }
+    {
+      name = "gitea.json";
+      path = ./dashboards/gitea.json;
+    }
+    {
+      name = "nas-overview.json";
+      path = ./dashboards/nas-overview.json;
+    }
+  ];
+
+  # Minimal .my.cnf for the mysqld exporter.  No credentials are needed
+  # because runAsLocalSuperUser = true runs as the mysql OS user, which
+  # MariaDB authenticates via the unix_socket plugin automatically.
+  mysqldExporterCnf = pkgs.writeText "prometheus-mysqld-exporter.cnf" ''
+    [client]
+    user=root
+    socket=/run/mysqld/mysqld.sock
+  '';
+
   giteaPort = config.${namespace}.services.gitea.port;
   resticPort = config.${namespace}.services.restic.port;
   nextcloudPort = config.${namespace}.services.nextcloud.port;
@@ -21,6 +99,10 @@ let
       services = {
         prometheus = {
           enable = true;
+          # bearer_token_file paths (e.g. Gitea metrics key) are SOPS secrets
+          # that only exist at runtime, not in the Nix build sandbox.
+          # "syntax-only" still catches config errors without stat-ing the files.
+          checkConfig = "syntax-only";
           exporters = {
             node = {
               enable = true;
@@ -64,11 +146,12 @@ let
               # No fixed --redis.addr: multi-target mode uses ?target= param.
             };
 
-            # MariaDB — runs as the mysql OS user so it can connect via Unix
-            # socket without a password.
+            # MariaDB — runs as the mysql OS user so it can connect via the
+            # Unix socket without a password (unix_socket auth).
             mysqld = {
               enable = true;
               runAsLocalSuperUser = true;
+              configFile = mysqldExporterCnf;
             };
 
             # Nextcloud — authenticates with the admin account.
@@ -201,6 +284,12 @@ let
               http_port = cfg.port;
               http_addr = "0.0.0.0";
             };
+            security = {
+              # Read the secret key from a SOPS-managed file at runtime so it
+              # never appears in the Nix store.  The "$__file{}" syntax is
+              # Grafana's built-in file provider.
+              secret_key = "$__file{${config.sops.secrets."jallen-nas/grafana/secret-key".path}}";
+            };
           };
 
           dataDir = "${cfg.configDir}/grafana";
@@ -215,6 +304,26 @@ let
                 url = "http://localhost:${toString config.services.prometheus.port}";
               }
             ];
+            dashboards.settings.providers = [
+              {
+                name = "community";
+                orgId = 1;
+                type = "file";
+                disableDeletion = true;
+                updateIntervalSeconds = 60;
+                allowUiUpdates = false;
+                options.path = communityDashboards;
+              }
+              {
+                name = "custom";
+                orgId = 1;
+                type = "file";
+                disableDeletion = true;
+                updateIntervalSeconds = 60;
+                allowUiUpdates = false;
+                options.path = customDashboards;
+              }
+            ];
           };
         };
       };