summaryrefslogtreecommitdiffstats
path: root/makefu/2configs/elchos
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2016-10-20 20:22:29 +0200
committertv <tv@krebsco.de>2016-10-20 20:22:29 +0200
commit9329c1e47ddda0653d7e9824a01632ce3766e8f0 (patch)
tree2bfb70737a757d0bd61ca0aa895c77d740b21e73 /makefu/2configs/elchos
parent844d347ce7cf0b7646e9ecba3fbdc0b90e608501 (diff)
parent0f2a9778315c3126794c0f1ad63710d38e7a67f7 (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'makefu/2configs/elchos')
-rw-r--r--makefu/2configs/elchos/stats.nix96
1 files changed, 96 insertions, 0 deletions
diff --git a/makefu/2configs/elchos/stats.nix b/makefu/2configs/elchos/stats.nix
new file mode 100644
index 000000000..0282b04cf
--- /dev/null
+++ b/makefu/2configs/elchos/stats.nix
@@ -0,0 +1,96 @@
+{ config, lib, pkgs, ... }:
+
+# graphite-web on port 8080
+# carbon cache on port 2003 (tcp/udp)
+with config.krebs.lib;
+let
+ sec = toString <secrets>;
+ acmepath = "/var/lib/acme/";
+ acmechall = acmepath + "/challenges/";
+ ext-dom = "stats.nsupdate.info";
+ #ssl_cert = "${sec}/wildcard.krebsco.de.crt";
+ #ssl_key = "${sec}/wildcard.krebsco.de.key";
+ ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem";
+ ssl_key = "${acmepath}/${ext-dom}/key.pem";
+in {
+ networking.firewall = {
+ allowedTCPPorts = [ 2003 80 443 ];
+ allowedUDPPorts = [ 2003 ];
+ };
+
+ services.grafana = {
+ enable = true;
+ addr = "127.0.0.1";
+ extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; };
+ users.allowSignUp = false;
+ users.allowOrgCreate = false;
+ users.autoAssignOrg = false;
+ security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
+ };
+ krebs.nginx = {
+ enable = true;
+ servers.elch-stats = {
+ server-names = [ ext-dom ];
+ listen = [ "80" "443 ssl" ];
+ ssl = {
+ enable = true;
+ # these certs will be needed if acme has not yet created certificates:
+ certificate = ssl_cert;
+ certificate_key = ssl_key;
+ force_encryption = true;
+ };
+
+ locations = [
+ (nameValuePair "/" ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:3000/;
+ '')
+ (nameValuePair "/.well-known/acme-challenge" ''
+ root ${acmechall}/${ext-dom}/;
+ '')
+ ];
+ };
+ };
+
+ security.acme.certs."${ext-dom}" = {
+ email = "acme@syntax-fehler.de";
+ webroot = "${acmechall}/${ext-dom}/";
+ group = "nginx";
+ allowKeysForGroup = true;
+ postRun = "systemctl reload nginx.service";
+ extraDomains."${ext-dom}" = null ;
+ };
+
+ services.graphite = {
+ web = {
+ enable = true;
+ host = "127.0.0.1";
+ port = 8080;
+ };
+ carbon = {
+ enableCache = true;
+ # save disk usage by restricting to 1 bulk update per second
+ config = ''
+ [cache]
+ MAX_CACHE_SIZE = inf
+ MAX_UPDATES_PER_SECOND = 1
+ MAX_CREATES_PER_MINUTE = 500
+ '';
+ storageSchemas = ''
+ [carbon]
+ pattern = ^carbon\.
+ retentions = 60:90d
+
+ [elchos]
+ patterhn = ^elchos\.
+ retention = 10s:30d,60s:1y
+
+ [default]
+ pattern = .*
+ retentions = 30s:30d,300s:1y
+ '';
+ };
+ };
+}