From 8deefff11f92dc28424580989193e09c61906151 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Fri, 31 Dec 2021 17:01:36 +0100 Subject: vidhar: grafana --- hosts/vidhar/default.nix | 31 +++++++++++++++++++++++++++++++ hosts/vidhar/grafana-admin-password | 26 ++++++++++++++++++++++++++ hosts/vidhar/grafana-secret-key | 26 ++++++++++++++++++++++++++ hosts/vidhar/zfs.nix | 6 ++++++ modules/yggdrasil-wg/default.nix | 5 ++++- 5 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 hosts/vidhar/grafana-admin-password create mode 100644 hosts/vidhar/grafana-secret-key diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 29cd96db..ee67d254 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix @@ -119,5 +119,36 @@ cpuFreqGovernor = "schedutil"; }; + + services.nginx = { + enable = true; + upstreams.grafana = { + servers = { "unix:${config.services.grafana.socket}" = {}; }; + }; + virtualHosts = { + ${config.services.grafana.domain} = { + locations."/" = { + proxyPass = "http://grafana"; + proxyWebsockets = true; + }; + }; + }; + }; + services.grafana = { + enable = true; + analytics.reporting.enable = false; + domain = "grafana.vidhar.yggdrasil"; + security.adminPasswordFile = config.sops.secrets."grafana-admin-password".path; + security.secretKeyFile = config.sops.secrets."grafana-secret-key".path; + protocol = "socket"; + }; + sops.secrets."grafana-admin-password" = { + format = "binary"; + sopsFile = ./grafana-admin-password; + }; + sops.secrets."grafana-secret-key" = { + format = "binary"; + sopsFile = ./grafana-secret-key; + }; }; } diff --git a/hosts/vidhar/grafana-admin-password b/hosts/vidhar/grafana-admin-password new file mode 100644 index 00000000..56a69070 --- /dev/null +++ b/hosts/vidhar/grafana-admin-password 
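Review bot: The two `sops.secrets` entries at the end of the hosts/vidhar/default.nix hunk set only `format` and `sopsFile`, so unless ownership is set elsewhere the decrypted files get the sops-nix defaults (owner root, mode 0400). Grafana has to read both paths at start-up, and the NixOS module runs it as the `grafana` user. I would add `owner = config.users.users.grafana.name;` to each secret so the files are readable by that service and by nothing else. Separately, the `virtualHosts` entry carries no TLS options, so the admin login crosses the proxy as plain HTTP and presumably relies on the yggdrasil WireGuard network for transport protection; a one-line comment such as `# HTTP only: reachable solely over the yggdrasil overlay` would record that this is intentional. The enclosing attribute set opens outside the hunk.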
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:HHEQGFQxEfyuQZIHjvS4kw==,iv:04dLr3xnha39cObi9LXjzhbfxIcy13tgNm510e/WQfw=,tag:SnVtPyjmtcfjdc4fsDEMpg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2021-12-31T15:57:51Z", + "mac": "ENC[AES256_GCM,data:Dqp4zA7D/hV5FQsp0czjym4MOjusC1CkmsitIHsD2XE87PN0LdAKTL/8tYSH+UGRdoSAnjyPYL5EastF5l4ubWNibom0R/it+TotvFBfaD27DWquZ3zvrwgjBXjaswGPYD5YbRocUmi1kOmZQtjegb6KTGpKicxwKbxg0xU/oHk=,iv:oHCqnCCSmwz23FItsThtNZC2J4doebMNVdhNkGv5+UM=,tag:u3owTxS9FHCZtG7YmDGbuw==,type:str]", + "pgp": [ + { + "created_at": "2021-12-31T15:57:38Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAQzuwBJzuzxQRohpEqMZtMaJo3c7FWAxJ1BrC0zOAJCQw\nzLfsrjUWCsxqBJkbK4h84Iun8OdulMHyAbg2knSGNWOQoe7ec1cGl06gFhuxkXzy\n0l4BEW/pamCejbYKw+OISBBB6atjs4b3aOzSbnJSBjauommsCnn8aJtZt1ZfctiY\nNo6tawcodNzYCzVmVDjfBM1270yrIP3W0hsttoyO/DQeZn2vB9YiFI59xnVqhrE7\n=tNlA\n-----END PGP MESSAGE-----\n", + "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362" + }, + { + "created_at": "2021-12-31T15:57:38Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA10EukKZpWrIMHrNrhbGBjKMvpco+UusoYebYNuSi9RAw\nc+UuuxmshOxq0n0RTjNBZvhixPcj7P9t12ldk1V1NYlHOocMFf5te1wPbkMoqZKz\n0l4Bl93nSz43RQYjeoQWleUSrBchNQ/WOs7Wr4DKgoZ5nC3q+Pn6qQ/yYayhDjpW\nHR+06wk41uF3lnoa1vhu43eK/7CbaqzUZPInBrYbkat7MvE33Mq9rcoXBomNT4eO\n=dSyp\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file diff --git a/hosts/vidhar/grafana-secret-key b/hosts/vidhar/grafana-secret-key new file mode 100644 index 00000000..aea7a8b6 --- /dev/null +++ b/hosts/vidhar/grafana-secret-key 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:wX0eku+X3z11qszRjbzANkpnzb0UPA==,iv:vDFM+mK0ylbzsm8bqUfByAylxJW36AM4O96ThbPVEps=,tag:fu2hHRhNCO4AAmXswWOr+w==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2021-12-31T15:58:23Z", + "mac": "ENC[AES256_GCM,data:6UhUWxJ1IAgM4tubK0dD1bTQwmJZCZ6KkLTlkPRkbVRpN6zQAK/RT665Ok2lGpxEZ2yYrAMUMGs4Kvpii7NwEd6vj2Ad+4rKZygJ1V2hnmSCN0AUC/EdzGorFheMy+yjqJSJIZTc+ZIpQ7n/mtdPe6SyxJfzJOLXIZ6xFlteAhQ=,iv:3Xwa0pBwieGDmPTCD1i8qavRI5oa1Bm8AIz+EA/l2X4=,tag:X0s9WfxtlaR6GKtnmnFvDg==,type:str]", + "pgp": [ + { + "created_at": "2021-12-31T15:57:56Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdA9CYiNCA1h7DNMvPg4qeFT1Yg1v3HdQRgUEj48QIYrDAw\navNJMsqFby1udTs4j80eY7hUm6FbD98MIr/Od0Pb1RznrLPcmTWYbSM6dHKLUjav\n0l4BJkl3Q8AiLsSWMfg9YQ7s5kBpzWmdajRJnV41lbMBKph0tRzzf/DvGjm9dDe2\nUS+rzi7WzWlmQS1ekMwNKAzz3ip4yJA4J591JOhtt96SqmQAHV8ww2q9IE6bOw6k\n=LmRs\n-----END PGP MESSAGE-----\n", + "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362" + }, + { + "created_at": "2021-12-31T15:57:56Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAQbyLmRaWWln+lPYj5lAtbcQ4KQ7ntPyJJIsMl2kkBFYw\nIedaJ+SpExs2kXTlAWxa5B74RFmAPRlCq+ByErWDorovhn1uYI2ljeYIHKvrcgbY\n0l4B7XQlAV3pz3v/ZwUhB20zatPCprUWdJH+3Gd8xQr46djdHGK9WQSetxxEuL8j\nyfENUOu/jnPlfMVyDwRHbweq7Ar60GXVfs2UrjsL7yRjr0FpMNu3Ho4O4kO9HBn6\n=B+g2\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file diff --git a/hosts/vidhar/zfs.nix b/hosts/vidhar/zfs.nix index 38c3a4e8..53ba5120 100644 --- a/hosts/vidhar/zfs.nix +++ b/hosts/vidhar/zfs.nix @@ -83,6 +83,12 @@ in { options = [ "zfsutil" ]; }; + "/var/lib/grafana" = + { device = "ssd-raid1/local/var-lib-grafana"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; + "/var/log" = { device = "ssd-raid1/local/var-log"; fsType = "zfs"; 
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix index 3690964f..16f8d3a9 100644 --- a/modules/yggdrasil-wg/default.nix +++ b/modules/yggdrasil-wg/default.nix @@ -77,6 +77,9 @@ let sif = ["${batSubnet}:2::/${toString batHostLength}"]; }; routers = [ "surtr" ]; + hostNames = { + vidhar = [ "grafana.vidhar.yggdrasil" ]; + }; mkPublicKeyPath = family: host: ./hosts + "/${family}" + "/${host}.pub"; mkPrivateKeyPath = family: host: ./hosts + "/${family}" + "/${host}.priv"; @@ -241,7 +244,7 @@ in { sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies); - networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) ["${name}.yggdrasil"]) value) (mapAttrsToList nameValuePair batHostIPs))); + networking.hosts = mkIf inNetwork (listToAttrs (concatMap ({name, value}: map (ip: nameValuePair (stripSubnet ip) (["${name}.yggdrasil"] ++ (hostNames.${name} or []))) value) (mapAttrsToList nameValuePair batHostIPs))); boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv]; environment.systemPackages = with pkgs; [ wireguard-tools batctl ]; -- cgit v1.2.3
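Review bot: The literal `"grafana.vidhar.yggdrasil"` in the new `hostNames` set duplicates `services.grafana.domain` from hosts/vidhar/default.nix, and nothing ties the two together. If they drift, the name would still resolve to vidhar but would no longer match the nginx virtual host, so requests would land on whichever vhost nginx serves by default. I would add a comment above the set, `# extra /etc/hosts aliases per host; must match the vhost names configured on that host`. The `networking.hosts` hunk further down consumes this set, and its `hostNames.${name} or []` fallback covers hosts without aliases. The `let` block starts outside the hunk.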