netdata

2025-01-24 23:29:51 -06:00
parent f9377df790
commit e983e5b47c
6 changed files with 52 additions and 2 deletions
--- a/hosts/nas/apps.nix
+++ b/hosts/nas/apps.nix
@@ -10,6 +10,8 @@
    ./apps/paperless-ai
    ./apps/traefik
    ../../modules
+
+    ./apps/netdata
  ];

  nas-apps = {
--- a/hosts/nas/apps/netdata/default.nix
+++ b/hosts/nas/apps/netdata/default.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+{
+  services.netdata = {
+    enable = true;
+    # package = pkgs.netdataCloud;
+    package = pkgs.netdata.override {
+      withCloudUi = true;
+    };
+    configDir."python.d.conf" = pkgs.writeText "python.d.conf" ''
+      samba: yes
+    '';
+    # claimTokenFile = config.sops.secrets."jallen-nas/netdata-token".path;
+
+    config = {
+      # enable machine learning plugin
+      ml = {
+        "enabled" = "yes";
+      };
+
+      # enable samba plugin
+      plugins = {
+        "enable running new plugins" = "yes";
+        "ioping.plugin" = "yes";
+        "freeipmi.plugin" = "yes";
+        "perf.plugin" = "yes";
+      };
+    };
+  };
+
+  # add samba and sudo to path of python plugin
+  systemd.services.netdata.path = [  pkgs.samba "/run/wrappers" ];
+
+  # permit to run sudo smbstatus -P
+  security.sudo.extraConfig = ''
+    netdata ALL=(root) NOPASSWD: ${pkgs.samba}/bin/smbstatus
+  '';
+
+  # as documented here : https://github.com/netdata/netdata/blob/master/system/netdata.service.in
+  # review capabilityset above if other plugins are non functional
+  systemd.services.netdata.serviceConfig.CapabilityBoundingSet = ["CAP_SETGID"];
+}
--- a/hosts/nas/networking.nix
+++ b/hosts/nas/networking.nix
@@ -5,6 +5,7 @@ let
    9000 # authentik
    2342 # grafana
    51820 # wireguard
+    19999 # netdata
  ];
 in
 {
--- a/hosts/nas/sops.nix
+++ b/hosts/nas/sops.nix
@@ -65,6 +65,10 @@
    restartUnits = [ "open-webui.service" ];
  };

+  sops.secrets."jallen-nas/netdata-token" = {
+    restartUnits = [ "netdata.service" ];
+  };
+
  sops.secrets."jallen-nas/paperless/secret" = {
    restartUnits = [ "container@paperless.service" ];
  };
--- a/modules/samba/default.nix
+++ b/modules/samba/default.nix
@@ -65,6 +65,7 @@ in
              "fruit:time machine" = if share.enableTimeMachine then "yes" else "no";
              "vfs objects" = "catia fruit streams_xattr";
              "fruit:time machine max size" = share.timeMachineMaxSize;
+              # "smbd profiling level" = "on";
            };
        in
        mapAttrs' make cfg.shares;
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -26,6 +26,7 @@ jallen-nas:
        secret: ENC[AES256_GCM,data:qrwi13OLSM1Oww4pttfblrjvsdPR,iv:IITw2M6YfoSP3nECeUPWlhr56n7u03ivp8+fx5MDd54=,tag:4thPUaa2ueO95LOB5SiL6w==,type:str]
        authentik-client-id: ENC[AES256_GCM,data:8kHTmnT4kbxrN7Kyet1eu1KB+jA7bBx1Zs64cn5VZm0VjdSfYOwxxA==,iv:iTgsd9XWnRCQoBxj0QVjbIrSjPoYdnXv4lmn3qfllUA=,tag:CDAWMAOQ6X2sbu8RD8oiBw==,type:str]
        authentik-client-secret: ENC[AES256_GCM,data:WROqpqGQrZ8+Xy6v4dxABfqWs4lPDnl/OdsD2xvw5nqZ8mD66IJMx5eoS9UJ1aIOAr0bvQCUyMtC+xzSMcEORCmMoxT7qfg2rV6KZgRzDtRGt1loYdHECXpz1hGAc87YwiD8fVrEsuTAmlK8N6tmmfie5o6QakcFeoTpZSlAUJ0=,iv:fQg5itx52OIZeqBSylSbwtR7FD/8kF0YiDZ0jguIKus=,tag:yIm8q0PJQVDt7F4IIljbdg==,type:str]
+    netdata-token: ENC[AES256_GCM,data:kQiSTLxIztDoka5aa4/ymdp6Xyhc9VC2hwmr/afelGifjN7V7MgzhlMT6xfKoIQ+6RboH6kq50pS5A0AmY/ojog8QEP3k6zGjEsvlV3kNCGWvBU97L+7PH4okIApSYu+Hq996121rSOof+Pgk5mbG7Of5DZGeAJPXe9Dc9Z0cSLJrO6s6zCd,iv:0csCFa1XshbuGp0O3Kxs/NvQsJmadB091ZPSPAnuBL4=,tag:roTlcbeRwA/26G2GkhaaqA==,type:str]
    wireguard:
        private: ENC[AES256_GCM,data:/nOkn5nMrEEeKi1ySo9fAp+r1lQL02k0FZA99hUIKq7THvVWNaQ/Z6paoJU=,iv:iCTfGSdjJ0wMwv/34dv2ygKSm3qAJq6czOErMaFqHtg=,tag:EJZzBlVB5FSvveo5MWtC1g==,type:str]
        public: ENC[AES256_GCM,data:rOmyhwpolxNV2JroLdh90gYAuCGNZu/gY5NBxkHHNJ+qEblmDsom9alNHMQ=,iv:bF+XCO9lPHopLCEILTT4gA349d/Sa5qReSKN70EA3d4=,tag:Yx2TL/37n5Uohlwnlx97vg==,type:str]
@@ -65,8 +66,8 @@ sops:
            UGhsN2N0Mjl3UEJvUVlGRlJiN05WaUkKW37lU4G4CLTo6JoHC2OyhKsG/FuO+BiN
            pzlVJwzRnmAqwklRbc6RMbQLl2EQrp6KQcgYsUxCMH9OQ/9WJ98dxQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-22T23:41:50Z"
-    mac: ENC[AES256_GCM,data:Sim5O8dLkq4k4TTTqCSvtiPxUpIJKKhhBcUsQFPkvyaHfLriDawhDANFY9c2DZHIDN0pQJuQ8h/a3AsXqq+lfXAtOGQeMkrDaEG6L9rk22QPKpXcPlRfF940r1CUYY1bmjxSd6+8fIYJPyPE7svPzseIyPFfmM9vNZmOhyXmeJ4=,iv:v0UoG3iGWzZS46LctHKF+4cEw/6Er0NKOKJiIX8OD6Y=,tag:LUk7aUdbIjdX1w6aeu5h5A==,type:str]
+    lastmodified: "2025-01-25T05:08:43Z"
+    mac: ENC[AES256_GCM,data:TFwJdmF0M4s3etKYXZAsMsEqcn7pt2Z6wgxPnLOpukFCGpNBorVsSWiFa/0UbvpZ7QRzNIEucEGAk0rspgnk0t+1EDxsW/UqXmieoLIQy317UHI/PVPprG6HPH/PHPCyhp/U4ddM94lKbxnEgf4kQDmL8Hl90vSWQs+8hOoByUk=,iv:1MjcEx4InMaDFStTLLvb/e0vAWyXoVb24dh2XwHvg3A=,tag:ZQQsuON1DFFD4aRWD2GTyg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.3