diff options
author | tv <tv@krebsco.de> | 2016-10-20 20:22:29 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2016-10-20 20:22:29 +0200 |
commit | 9329c1e47ddda0653d7e9824a01632ce3766e8f0 (patch) | |
tree | 2bfb70737a757d0bd61ca0aa895c77d740b21e73 /makefu/2configs/elchos | |
parent | 844d347ce7cf0b7646e9ecba3fbdc0b90e608501 (diff) | |
parent | 0f2a9778315c3126794c0f1ad63710d38e7a67f7 (diff) |
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'makefu/2configs/elchos')
-rw-r--r-- | makefu/2configs/elchos/stats.nix | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/makefu/2configs/elchos/stats.nix b/makefu/2configs/elchos/stats.nix new file mode 100644 index 000000000..0282b04cf --- /dev/null +++ b/makefu/2configs/elchos/stats.nix @@ -0,0 +1,96 @@ +{ config, lib, pkgs, ... }: + +# graphite-web on port 8080 +# carbon cache on port 2003 (tcp/udp) +with config.krebs.lib; +let + sec = toString <secrets>; + acmepath = "/var/lib/acme/"; + acmechall = acmepath + "/challenges/"; + ext-dom = "stats.nsupdate.info"; + #ssl_cert = "${sec}/wildcard.krebsco.de.crt"; + #ssl_key = "${sec}/wildcard.krebsco.de.key"; + ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem"; + ssl_key = "${acmepath}/${ext-dom}/key.pem"; +in { + networking.firewall = { + allowedTCPPorts = [ 2003 80 443 ]; + allowedUDPPorts = [ 2003 ]; + }; + + services.grafana = { + enable = true; + addr = "127.0.0.1"; + extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; }; + users.allowSignUp = false; + users.allowOrgCreate = false; + users.autoAssignOrg = false; + security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} + }; + krebs.nginx = { + enable = true; + servers.elch-stats = { + server-names = [ ext-dom ]; + listen = [ "80" "443 ssl" ]; + ssl = { + enable = true; + # these certs will be needed if acme has not yet created certificates: + certificate = ssl_cert; + certificate_key = ssl_key; + force_encryption = true; + }; + + locations = [ + (nameValuePair "/" '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass http://localhost:3000/; + '') + (nameValuePair "/.well-known/acme-challenge" '' + root ${acmechall}/${ext-dom}/; + '') + ]; + }; + }; + + security.acme.certs."${ext-dom}" = { + email = "acme@syntax-fehler.de"; + webroot = "${acmechall}/${ext-dom}/"; + group = "nginx"; + allowKeysForGroup = true; + postRun = "systemctl reload nginx.service"; + extraDomains."${ext-dom}" = null ; + }; + + services.graphite = { + web = { + enable = true; + host = "127.0.0.1"; + port = 8080; + }; + carbon = { + enableCache = true; + # save disk usage by restricting to 1 bulk update per second + config = '' + [cache] + MAX_CACHE_SIZE = inf + MAX_UPDATES_PER_SECOND = 1 + MAX_CREATES_PER_MINUTE = 500 + ''; + storageSchemas = '' + [carbon] + pattern = ^carbon\. + retentions = 60:90d + + [elchos] + patterhn = ^elchos\. + retention = 10s:30d,60s:1y + + [default] + pattern = .* + retentions = 30s:30d,300s:1y + ''; + }; + }; +} |