# NixOS module: Grafana bound to loopback behind an nginx TLS virtual host,
# backed by a local PostgreSQL database reached through its Unix socket.
# Grafana's secret key is read from a sops-managed file.
{ config, my, secrets, ... }:

let
  fqdn = "grafana.${my.domain}";

  # Loopback Prometheus endpoint for the provisioned datasource. It uses plain
  # HTTP and the datasource below carries no credentials, so access control
  # rests on Prometheus listening on loopback only.
  # NOTE(review): confirm Prometheus is not bound to a public address.
  prometheusUrl =
    "http://[::1]:${toString config.services.prometheus.port}/prometheus";
in {
  sops.secrets."grafana/secret-key" = {
    sopsFile = ../secrets/sops/grafana.yaml;
    # The decrypted file is owned by the service user so Grafana can read it.
    owner = "grafana";
    # Restart Grafana when the secret changes so a rotated key takes effect.
    restartUnits = [ "grafana.service" ];
  };

  services.grafana.enable = true;

  services.grafana.settings = {
    # `host` is a filesystem path, so the connection goes through the
    # PostgreSQL Unix socket. No password is configured in this file.
    # NOTE(review): presumably relies on peer authentication; verify pg_hba.
    database = {
      type = "postgres";
      host = "/run/postgresql";
      name = "grafana";
      user = "grafana";
    };

    server = {
      # Loopback only: the nginx virtual host below is the only entry point
      # configured in this file.
      http_addr = "::1";
      domain = fqdn;
      root_url = "https://${fqdn}";
      serve_from_sub_path = true;
      # NOTE(review): with enforce_domain the proxy has to forward the original
      # Host header. No proxy header settings are visible in this file, so
      # confirm they are set elsewhere (e.g. nginx recommendedProxySettings).
      enforce_domain = true;
    };

    security = {
      # `$__file{...}` makes Grafana read the key from the file at runtime, so
      # only the path ends up in the generated configuration.
      # NOTE(review): `secrets` is a module argument; presumably it is
      # config.sops.secrets. Confirm against the caller.
      secret_key = "$__file{${secrets."grafana/secret-key".path}}";
      # NOTE(review): no admin_password is set in this file. Unless it is
      # provided elsewhere, Grafana's built-in default applies when the
      # database is first initialised. Confirm it was changed.
      admin_user = "christoph";
      # Secure-only cookies are consistent with forceSSL on the virtual host.
      cookie_secure = true;
      content_security_policy = true;
      # NOTE(review): allow_embedding lets other origins frame the Grafana UI,
      # which removes its clickjacking protection. Keep it only if embedding is
      # actually needed, and verify whether the CSP in effect limits framing.
      allow_embedding = true;
      disable_gravatar = true;
    };

    # No usage reporting or feedback links.
    analytics.reporting_enabled = false;
    analytics.feedback_links_enabled = false;
  };

  services.grafana.provision.datasources.settings = {
    apiVersion = 1;
    datasources = [{
      name = "Prometheus";
      type = "prometheus";
      url = prometheusUrl;
    }];
  };

  # Database and role for Grafana. The role owns its database and may log in.
  services.postgresql.ensureDatabases = [ "grafana" ];
  services.postgresql.ensureUsers = [{
    name = "grafana";
    ensureClauses.login = true;
    ensureDBOwnership = true;
  }];

  services.nginx.virtualHosts.${fqdn} =
    let inherit (config.services.grafana.settings.server) http_addr http_port;
    in {
      # HTTPS only.
      forceSSL = true;
      # NOTE(review): reuses the certificate of my.domain, which must also
      # cover this subdomain. Confirm against the ACME configuration.
      useACMEHost = my.domain;
      kTLS = true;
      # Proxy to Grafana's loopback listener; the brackets assume http_addr is
      # an IPv6 literal, as set above.
      locations."/".proxyPass = "http://[${http_addr}]:${toString http_port}";
      locations."/".proxyWebsockets = true;
    };
}