feat(access): monitoring

2026-02-09 04:19:19 -08:00 · 2024-05-30 15:09:27 -07:00 · 2024-05-30 15:09:27 -07:00 · 0397043f88
commit 0397043f88
parent 511a02931a
13 changed files with 323 additions and 94 deletions
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@ -37,6 +37,9 @@ in {
    nixos.access.freeipa
    nixos.access.freepbx
    nixos.access.unifi
+    nixos.access.prometheus
+    nixos.access.grafana
+    nixos.access.loki
    nixos.access.kitchencam
    nixos.access.openwebrx
    nixos.access.deluge
@ -173,6 +176,30 @@ in {
        virtualHosts.unifi'local.allServerNames
      ];
    };
+    prometheus = {
+      inherit (nginx) group;
+      domain = virtualHosts.prometheus.serverName;
+      extraDomainNames = mkMerge [
+        virtualHosts.prometheus.otherServerNames
+        virtualHosts.prometheus'local.allServerNames
+      ];
+    };
+    mon = {
+      inherit (nginx) group;
+      domain = virtualHosts.grafana.serverName;
+      extraDomainNames = mkMerge [
+        virtualHosts.grafana.otherServerNames
+        virtualHosts.grafana'local.allServerNames
+      ];
+    };
+    logs = {
+      inherit (nginx) group;
+      domain = virtualHosts.loki.serverName;
+      extraDomainNames = mkMerge [
+        virtualHosts.loki.otherServerNames
+        virtualHosts.loki'local.allServerNames
+      ];
+    };
    idp = {
      inherit (nginx) group;
      domain = virtualHosts.freeipa.serverName;
@ -292,6 +319,21 @@ in {
        local.denyGlobal = true;
        ssl.cert.enable = true;
      };
+      prometheus = {
+        # we're not the real prometheus record-holder, so don't respond globally..
+        local.denyGlobal = true;
+        ssl.cert.enable = true;
+      };
+      grafana = {
+        # we're not the real mon record-holder, so don't respond globally..
+        local.denyGlobal = true;
+        ssl.cert.enable = true;
+      };
+      loki = {
+        # we're not the real logs record-holder, so don't respond globally..
+        local.denyGlobal = true;
+        ssl.cert.enable = true;
+      };
      home-assistant = {
        # not the real hass record-holder, so don't respond globally..
        local.denyGlobal = true;
--- a/systems/utsuho/nixos.nix
+++ b/systems/utsuho/nixos.nix
@ -1,8 +1,10 @@
 {
  meta,
  config,
+  lib,
  ...
 }: let
+  inherit (lib.modules) mkMerge;
  inherit (config.services) nginx;
 in {
  imports = let
@ -16,6 +18,9 @@ in {
    nixos.cloudflared
    nixos.nginx
    nixos.access.unifi
+    nixos.access.prometheus
+    nixos.access.grafana
+    nixos.access.loki
    nixos.unifi
    nixos.dnsmasq
    nixos.mosquitto
@ -29,7 +34,12 @@ in {
    tunnels.${tunnelId} = {
      default = "http_status:404";
      credentialsFile = config.sops.secrets.cloudflared-tunnel-utsuho.path;
-      ingress = virtualHosts.unifi.proxied.cloudflared.getIngress {};
+      ingress = mkMerge [
+        (virtualHosts.unifi.proxied.cloudflared.getIngress {})
+        (virtualHosts.prometheus.proxied.cloudflared.getIngress {})
+        (virtualHosts.grafana.proxied.cloudflared.getIngress {})
+        (virtualHosts.loki.proxied.cloudflared.getIngress {})
+      ];
    };
  };

@ -37,6 +47,9 @@ in {
    proxied.enable = true;
    virtualHosts = {
      unifi.proxied.enable = "cloudflared";
+      prometheus.proxied.enable = "cloudflared";
+      grafana.proxied.enable = "cloudflared";
+      loki.proxied.enable = "cloudflared";
    };
  };