diff --git a/modules/nixos/services/grafana/default.nix b/modules/nixos/services/grafana/default.nix
new file mode 100755
index 0000000..628568f
--- /dev/null
+++ b/modules/nixos/services/grafana/default.nix
@@ -0,0 +1,98 @@ +{ config, lib, namespace, ... }: +with lib; +let + # inherit (lib.${namespace}) mkModule mkOpt mkBoolOpt enableForSystem; + cfg = config.${namespace}.services.grafana; + upsUser = "nas-admin"; +in +{ + options.${namespace}.services.grafana = { + enable = mkEnableOption "enable grafana"; + }; + + config = lib.mkIf cfg.enable { + services = { + prometheus = { + enable = true; + exporters = { + node = { + enable = true; + enabledCollectors = [ + "filesystem" + "diskstats" + "meminfo" + "cpu" + "systemd" # Ensures systemd collector is enabled + "processes" + ]; + extraFlags = [ + "--collector.filesystem.mount-points-exclude=^/(dev|proc|sys|run)($|/)" + ]; + }; + libvirt = { + enable = false; + openFirewall = true; + }; + nut = { + enable = true; + openFirewall = true; + passwordPath = config.sops.secrets."jallen-nas/ups_password".path; + nutUser = upsUser; + }; + # restic = { + # enable = true; + # openFirewall = true; + # resticPort = 8008; + # }; + }; + scrapeConfigs = [ + { + job_name = "node"; + static_configs = [ + { + targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; + } + ]; + } + { + job_name = "traefik"; + static_configs = [ + { + targets = [ "localhost:8082" ]; + } + ]; + } + ]; + }; + + grafana = { + enable = true; + settings = { + server = { + http_port = 9999; + http_addr = "0.0.0.0"; + }; + }; + + dataDir = "/media/nas/main/nix-app-data/grafana"; + + provision = { + enable = true; + datasources.settings.datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + access = "proxy"; + url = "http://localhost:${toString config.services.prometheus.port}"; + } + ]; + }; + }; + }; + # Open firewall ports for Grafana + networking.firewall = { + allowedTCPPorts = [ 9999 ]; + allowedUDPPorts = [ 9999 ]; + }; + }; +} diff --git a/systems/x86_64-linux/jallen-nas/boot.nix b/systems/x86_64-linux/jallen-nas/boot.nix index fc96903..cbdc76c 100755 --- a/systems/x86_64-linux/jallen-nas/boot.nix 
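Review bot: `http_addr = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [ 9999 ]` publishes Grafana's plain-HTTP login page on every interface, while `allowedUDPPorts = [ 9999 ]` opens a UDP port Grafana never listens on. If LAN- or tailscale-only access is the intent, bind to that address (or front it with the traefik instance the `traefik` scrape job implies) and drop the UDP rule; `settings` also carries no `security.admin_password` or `security.secret_key`, so unless they are provisioned elsewhere the instance presumably starts with Grafana's default admin credentials — worth confirming. The nut exporter sets `openFirewall = true`, so the UPS metrics endpoint is reachable from the network as well. Separately, the firewall list in systems/x86_64-linux/jallen-nas/default.nix labels `2342 # grafana`, which does not match `http_port = 9999` here.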
+++ b/systems/x86_64-linux/jallen-nas/boot.nix @@ -5,19 +5,12 @@ ... }: let - configLimit = 50; kernel = pkgs.linuxPackages; # linuxPackages_latest; in { # Configure bootloader with lanzaboot and secureboot boot = { - kernelModules = [ "nct6775" ]; loader = { - systemd-boot = { - enable = false; - configurationLimit = configLimit; - }; - efi = { canTouchEfiVariables = true; efiSysMountPoint = "/boot"; @@ -51,7 +44,6 @@ in ]; systemd = { enable = true; - # tpm2.enable = true; tpm2.enable = true; }; clevis = { @@ -67,8 +59,4 @@ in }; environment.etc."clevis/nas_pool.jwe".source = config.sops.secrets."jallen-nas/nas_pool".path; - - zramSwap = { - enable = true; - }; } diff --git a/systems/x86_64-linux/jallen-nas/default.nix b/systems/x86_64-linux/jallen-nas/default.nix index 97ac32e..25dcb4b 100755 --- a/systems/x86_64-linux/jallen-nas/default.nix +++ b/systems/x86_64-linux/jallen-nas/default.nix @@ -3,6 +3,7 @@ # https://search.nixos.org/options and in the NixOS manual (`nixos-help`). { + config, pkgs, namespace, ... @@ -14,8 +15,6 @@ ./filesystems.nix ./boot.nix ./apps.nix - ./grafana.nix - ./networking.nix # - moved to modules/nixos/network ./ups.nix ./users.nix ./samba.nix @@ -28,9 +27,22 @@ powerManagement.cpuFreqGovernor = "powersave"; ${namespace} = { + # ################################################### + # # Boot # # + # ################################################### + bootloader.lanzaboote.enable = true; - impermanence.enable = true; + + # ################################################### + # # Desktop # # + # ################################################### + desktop.cosmic.enable = false; + + # ################################################### + # # Development # # + # ################################################### + development = { enable = true; includeLanguages = [ 
@@ -39,7 +51,11 @@ ]; includeContainers = true; }; - monitoring.enable = true; + + # ################################################### + # # Hardware # # + # ################################################### + hardware.nvidia = { enable = true; enableBeta = true; @@ -47,6 +63,23 @@ nvidiaSettings = true; enableNvidiaDocker = true; }; + + # ################################################### + # # Impermanence # # + # ################################################### + + impermanence.enable = true; + + # ################################################### + # # Monitoring # # + # ################################################### + + monitoring.enable = true; + + # ################################################### + # # Network # # + # ################################################### + network = { ipv4 = { address = "10.0.1.3/24"; @@ -54,7 +87,6 @@ gateway = "10.0.1.1"; interface = "wlp6s0"; }; - useNetworkd = true; hostId = "4b501480"; nat = { enable = true; @@ -66,12 +98,50 @@ enable = true; allowPing = true; trustedInterfaces = [ "tailscale0" ]; + allowedTCPPorts = [ + 8008 # restic + 9000 # authentik + 2342 # grafana + 51820 # wireguard + 1025 + 1143 + 10200 + 10300 + 8127 + 9943 # onlyoffice + 4000 # netbootxyz + 4080 # netbootxyz + 3000 # gitea + 2222 # gitea ssh + 3300 + 9898 + 6754 # lubelogger + 2283 # immich + 4444 # code-server + 9012 + + 8192 + ]; + allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts; }; }; + + # ################################################### + # # User # # + # ################################################### + user = { name = "admin"; linger = true; }; + + # ################################################### + # # Services # # + # ################################################### + + services = { + grafana.enable = true; + }; }; security.tpm2 = { 
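Review bot: `allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts;` mirrors every TCP port onto UDP, although of the labelled entries only `51820 # wireguard` is a UDP service, so ports such as `2222 # gitea ssh`, `3000 # gitea` and `9943 # onlyoffice` are now open on a protocol nothing listens on. Prefer an explicit list, `allowedUDPPorts = [ 51820 ];`, adding only the UDP services that actually exist. Nine entries (`1025`, `1143`, `10200`, `10300`, `8127`, `3300`, `9898`, `9012`, `8192`) carry no comment, so a reviewer cannot tell whether they are still needed; a short label per port, as the others have, would make later pruning possible. The deleted networking.nix carried the same unlabelled list and the same UDP mirror, so this is inherited rather than new, but moving it into the host module is the moment to tighten it. The enclosing `network = {` attribute set begins in an earlier hunk.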
@@ -115,7 +185,4 @@ nvidiaSupport = true; }; }; - - # Additional virtualization beyond what's in development module - virtualisation.libvirtd.enable = true; } diff --git a/systems/x86_64-linux/jallen-nas/grafana.nix b/systems/x86_64-linux/jallen-nas/grafana.nix deleted file mode 100755 index b4f5898..0000000 --- a/systems/x86_64-linux/jallen-nas/grafana.nix +++ /dev/null @@ -1,89 +0,0 @@ -{ config, ... }: -let - upsUser = "nas-admin"; -in -{ - services = { - prometheus = { - enable = true; - exporters = { - node = { - enable = true; - enabledCollectors = [ - "filesystem" - "diskstats" - "meminfo" - "cpu" - "systemd" # Ensures systemd collector is enabled - "processes" - ]; - extraFlags = [ - "--collector.filesystem.mount-points-exclude=^/(dev|proc|sys|run)($|/)" - ]; - }; - libvirt = { - enable = false; - openFirewall = true; - }; - nut = { - enable = true; - openFirewall = true; - passwordPath = config.sops.secrets."jallen-nas/ups_password".path; - nutUser = upsUser; - }; - # restic = { - # enable = true; - # openFirewall = true; - # resticPort = 8008; - # }; - }; - scrapeConfigs = [ - { - job_name = "node"; - static_configs = [ - { - targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; - } - ]; - } - { - job_name = "traefik"; - static_configs = [ - { - targets = [ "localhost:8082" ]; - } - ]; - } - ]; - }; - - grafana = { - enable = true; - settings = { - server = { - http_port = 9999; - http_addr = "0.0.0.0"; - }; - }; - - dataDir = "/media/nas/main/nix-app-data/grafana"; - - provision = { - enable = true; - datasources.settings.datasources = [ - { - name = "Prometheus"; - type = "prometheus"; - access = "proxy"; - url = "http://localhost:${toString config.services.prometheus.port}"; - } - ]; - }; - }; - }; - # Open firewall ports for Grafana - networking.firewall = { - allowedTCPPorts = [ 9999 ]; - allowedUDPPorts = [ 9999 ]; - }; -} 
diff --git a/systems/x86_64-linux/jallen-nas/networking.nix b/systems/x86_64-linux/jallen-nas/networking.nix deleted file mode 100755 index 6eb8083..0000000 --- a/systems/x86_64-linux/jallen-nas/networking.nix +++ /dev/null @@ -1,54 +0,0 @@ -{ ... }: -let - ports = [ - 8008 # restic - 9000 # authentik - 2342 # grafana - 51820 # wireguard - 1025 - 1143 - 10200 - 10300 - 8127 - 9943 # onlyoffice - 4000 # netbootxyz - 4080 # netbootxyz - 3000 # gitea - 2222 # gitea ssh - 3300 - 9898 - 6754 # lubelogger - 2283 # immich - 4444 # code-server - 9012 - - 8192 - ]; -in -{ - # Networking configs - networking = { - # useNetworkd = true; - - # hostId = "4b501480"; - - # nat = { - # enable = true; - # internalInterfaces = [ "ve-+" ]; - # externalInterface = "wlp6s0"; - # # Lazy IPv6 connectivity for the container - # enableIPv6 = true; - # }; - - firewall = { - # enable = true; - # allowPing = true; - - allowedTCPPorts = ports; - allowedUDPPorts = ports; - - # # always allow traffic from your Tailscale network - # trustedInterfaces = [ "tailscale0" ]; - }; - }; -} diff --git a/systems/x86_64-linux/nuc/boot.nix b/systems/x86_64-linux/nuc/boot.nix index 2173425..0a5aad9 100755 --- a/systems/x86_64-linux/nuc/boot.nix +++ b/systems/x86_64-linux/nuc/boot.nix @@ -51,8 +51,4 @@ in }; }; }; - - zramSwap = { - enable = true; - }; }