diff --git a/hosts/cumulus/default.nix b/hosts/cumulus/default.nix index afb4d3e..c8b334c 100644 --- a/hosts/cumulus/default.nix +++ b/hosts/cumulus/default.nix @@ -47,6 +47,11 @@ domain = "alerts.${config.custom.services.tailscale.domain}"; }; + grafana = { + enable = true; + domain = "grafana.${config.custom.services.tailscale.domain}"; + }; + caddy.virtualHosts = { gatus = { inherit (config.custom.services.gatus) domain port; @@ -54,6 +59,9 @@ ntfy = { inherit (config.custom.services.ntfy) domain port; }; + grafana = { + inherit (config.custom.services.grafana) domain port; + }; }; }; }; diff --git a/hosts/cumulus/secrets.json b/hosts/cumulus/secrets.json index a7b845f..c17d21d 100644 --- a/hosts/cumulus/secrets.json +++ b/hosts/cumulus/secrets.json @@ -7,6 +7,9 @@ "healthchecks": { "ping-key": "ENC[AES256_GCM,data:wlrgEbJ9B57kjmB+0hof/fJOBb4tcA==,iv:ibMBpcrSocLBhtumsSV00+KVN6Pi4SzE7soCkZcU4fY=,tag:wqYBB0Bi3M+UYinhd8pY+w==,type:str]" }, + "grafana": { + "admin-password": "ENC[AES256_GCM,data:VXM9heVazDBVltWvzlMrKTjeSmpArPvz9ZhTlPs=,iv:owHyuoupNQO09aRBgU2phIwxg22U1rUqKyYbw2193m4=,tag:EPiRny2k2Gw2kONyyzLpug==,type:str]" + }, "sops": { "age": [ { 
@@ -18,8 +21,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhSDhRQmpXaGdocDMvaS9u\na0ZyOEtNT2N4bG01NERFQTErc1hFaE1xWFFVClA4YjBwdGVhbTZ3dE9ZSFV2M1Zu\nZCtuVHN4R0NMQU16UXFRdVVqQlJLazgKLS0tIDdmWVc4ejFNRWVhY1piSTBXU0cx\nV1F2cjlmRWNKWkN1U3hwNWl6U2lEb1kKgsj22mpgxpgA5oXTXhoA5DtkySqqcn17\nOrpUiZmfOABXEZ0b5pnkAD06aW+7j2SqajYpvguxIrD9x1w562FmZA==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-07-20T17:35:21Z", - "mac": "ENC[AES256_GCM,data:02nsVlOpVzSCXNlLtLAEwHyaYD9+6CUUWF/t0zjIBnXtbcQYjDKG6o3b3b9kJI+mVXUhHt9JLTIVwy4QrQ/zfm1p6CVQPmtGQILADBtoC19+zwlomzo8Mq0oXYpNxut0UtKlZcHqijgbYkj1cjtLlMLltdU9M0rns8/RXZttdyo=,iv:HbDNgd7VfscKewPj1hKu5sEkACwwWER0FaAwamuQsHM=,tag:mYtc0x3R6FBBjVWyhoE4hQ==,type:str]", + "lastmodified": "2025-08-15T16:43:35Z", + "mac": "ENC[AES256_GCM,data:T8KGPxXrtL2BsBQHJM9StM2m+/cbvWUJTRcxFoOYzqphkU+ePeffVOpRvP+dftb6yQ+PUm7fHATCkRrhJ4uWmHp2baiC/2g9102ebb1bzzIJ+Aj9+167/JoeWa+c+UIFAIv5nBn2Wl759eghLI8tNRW0q4F9LR8Tc1q/BK0BCqE=,iv:hxy7RnPsnX7Ua2I9zMGMYQUx5Jhm6YPBdXAmX1+pZKo=,tag:4/eQmA8O114cR41husA/UA==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.2" } diff --git a/modules/system/services/grafana.nix b/modules/system/services/grafana.nix new file mode 100644 index 0000000..7fe7567 --- /dev/null +++ b/modules/system/services/grafana.nix 
@@ -0,0 +1,42 @@
+{ config, lib, ... }:
+let
+ cfg = config.custom.services.grafana;
+in
+{
+ options.custom.services.grafana = {
+ enable = lib.mkEnableOption "";
+ doBackups = lib.mkEnableOption "";
+ domain = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "";
+ };
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 3000;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ meta = {
+ domains.list = [ cfg.domain ];
+ ports.list = [ cfg.port ];
+ };
+
+ sops.secrets."grafana/admin-password".owner = config.users.users.grafana.name;
+
+ services.grafana = {
+ enable = true;
+ settings = {
+ server = {
+ inherit (cfg) domain;
+ http_port = cfg.port;
+ enforce_domain = true;
+ enable_gzip = true;
+ };
+ security.admin_password = "$__file{${config.sops.secrets."grafana/admin-password".path}}";
+ users.default_theme = "system";
+ analytics.reporting_enabled = false;
+ };
+ };
+ };
+}
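Review bot: The `settings` block sets `security.admin_password` but not `security.secret_key`. Unless something outside this file sets it, Grafana presumably keeps its publicly known default key, which it uses to encrypt data source credentials stored in its database. I would load it the same way as the password: declare a second sops secret (the name `grafana/secret-key` is only a suggestion) owned by the grafana user, and add `security.secret_key = "$__file{${config.sops.secrets."grafana/secret-key".path}}";` before the first start, since changing the key later makes already-encrypted settings unreadable. Note also that Grafana applies `admin_password` only when it first creates the admin account, so rotating the sops value later will not change the live password; a short comment next to that line would save the next maintainer a surprise. Separately, `doBackups` is declared but never read in this module, and both `mkEnableOption ""` calls have empty descriptions.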