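# NixOS configuration for the "monitoring" host: Grafana, Prometheus and
# Healthchecks, published through an nginx reverse proxy with ACME certificates.
{ config, pkgs, ... }:
let
  # Grafana's server settings, reused for the nginx virtual host below.
  grafanaServer = config.services.grafana.settings.server;

  # Wrap a list of scrape targets in the single-entry static_configs shape.
  staticTargets = hosts: [ { targets = hosts; } ];
in
{
  imports = [
    ./hardware.nix
    ./networking.nix # generated at runtime by nixos-infect
  ];

  # agenix-encrypted secrets, each decrypted for the service user that reads it.
  age.secrets = {
    healthchecks-secret = {
      file = ../../secrets/monitoring-healthchecks-secret.age;
      owner = "healthchecks";
    };
    prometheus-webconfig-secret = {
      file = ../../secrets/monitoring-prometheus-webconfig.age;
      owner = "prometheus";
    };
  };

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  networking = {
    hostName = "monitoring";
    domain = "";
    # NOTE(review): the host firewall is off, so any service bound to a
    # non-loopback address is reachable on every interface. Prometheus below
    # sets a port but no listenAddress, and has the remote-write receiver
    # enabled; confirm which address it binds to and that the web config file
    # enforces authentication. Consider enabling the firewall and opening only
    # the ports that must be public.
    firewall.enable = false;
  };

  # Direct root login with a single authorised public key.
  # NOTE(review): no sshd settings are pinned here; confirm that password
  # authentication is disabled for this host.
  users.users.root.openssh.authorizedKeys.keys = [
    ''ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDjEgtIWPA5Ncs/KOcMeT6Q/HACJJetDOLjMvXXwUE+08oTX1EpHrWPpy8J+UHKIyErCNPYq8dgtrbhnMRlxHqI=''
  ];

  services = {
    openssh.enable = true;
    tailscale.enable = true;

    # Grafana listens on loopback only; nginx terminates TLS in front of it.
    grafana = {
      enable = true;
      settings.server = {
        domain = "grafana.gmem.ca";
        http_port = 2342;
        http_addr = "127.0.0.1";
      };
    };

    prometheus = {
      enable = true;
      # Web configuration is supplied from an encrypted secret; its contents
      # are not visible in this file.
      webConfigFile = config.age.secrets.prometheus-webconfig-secret.path;
      globalConfig.scrape_interval = "15s";
      # alertmanager = {
      #   enable = true;
      #   listenAddress = "localhost";
      # };
      port = 9001;
      # Accepts pushed samples on the remote-write endpoint, so access control
      # on port 9001 also decides who may write metrics.
      extraFlags = [ "--web.enable-remote-write-receiver" ];

      scrapeConfigs = [
        {
          job_name = "personal_hardware";
          static_configs = staticTargets [
            "london:9100"
            "vancouver:9100"
            "localhost:9100"
          ];
        }
        {
          job_name = "speedtest-exporter";
          scrape_interval = "1h";
          scrape_timeout = "1m";
          static_configs = staticTargets [ "vancouver:9798" ];
        }
        {
          job_name = "syncthing";
          static_configs = staticTargets [
            "vancouver:8384"
            "london:8384"
          ];
        }
        {
          # NOTE(review): no scheme or port is given, so this scrape uses
          # Prometheus' defaults (plain HTTP); confirm that is intended for a
          # public hostname.
          job_name = "forgejo";
          static_configs = staticTargets [ "git.gmem.ca" ];
        }
        {
          job_name = "healthchecks";
          scrape_interval = "60s";
          # NOTE(review): this path embeds the project's metrics key in plain
          # text, so it ends up in the repository and in the world-readable
          # Nix store. The nginx rule below blocks the endpoint from outside,
          # but treat the key as non-secret or rotate it if that matters.
          metrics_path = "/projects/5f1de50f-a52d-4215-961f-aae7cc6cf6c9/metrics/TbMoU7SUdknzMe-H5Q4HzmKl3itOIrJk";
          static_configs = staticTargets [ "localhost:8000" ];
        }
        {
          job_name = "blackbox";
          metrics_path = "/probe";
          # Fixed: blackbox_exporter selects the probe module from the
          # `module` query parameter; the previous `modules` key is not a
          # parameter it reads.
          params.module = [ "http_2xx" ];
          static_configs = staticTargets [
            "google.com"
            "gabrielsimmer.com"
            "artbybecki.com"
          ];
          # Move the probed site into ?target=, keep it as the instance
          # label, and send the scrape itself to the exporter on vancouver.
          relabel_configs = [
            {
              source_labels = [ "__address__" ];
              target_label = "__param_target";
            }
            {
              source_labels = [ "__param_target" ];
              target_label = "instance";
            }
            {
              source_labels = [ ];
              target_label = "__address__";
              replacement = "vancouver:9115";
            }
          ];
        }
      ];

      # Local node exporter, bound to loopback and scraped as localhost:9100.
      exporters.node = {
        enable = true;
        listenAddress = "127.0.0.1";
        enabledCollectors = [
          "systemd"
          "processes"
        ];
      };
    };

    healthchecks = {
      enable = true;
      settings = {
        SECRET_KEY_FILE = config.age.secrets.healthchecks-secret.path;
        SITE_ROOT = "https://healthchecks.gmem.ca";
        SITE_NAME = "Arch's Healthchecks";
      };
    };

    # nginx reverse proxy
    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedBrotliSettings = true;
      recommendedZstdSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
      recommendedProxySettings = true;

      virtualHosts = {
        # Default virtual host: any request with an unmatched Host header is
        # served by Grafana.
        ${grafanaServer.domain} = {
          default = true;
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:${toString grafanaServer.http_port}";
            proxyWebsockets = true;
          };
        };

        "healthchecks.gmem.ca" = {
          enableACME = true;
          forceSSL = true;
          locations = {
            "/" = {
              proxyPass = "http://127.0.0.1:8000";
              proxyWebsockets = true;
            };
            # Keep the per-project metrics endpoint off the public site;
            # Prometheus scrapes it on localhost:8000 instead.
            "~ \/projects\/.+\/metrics\/.+" = {
              extraConfig = "deny all;";
            };
          };
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@gmem.ca";
  };

  system.stateVersion = "23.11";
}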