-
Notifications
You must be signed in to change notification settings - Fork 0
/
grafana.nix
155 lines (130 loc) · 4.95 KB
/
grafana.nix
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
# This module deploys a static Grafana installation that pulls data from Prometheus.
# REPLACES hologram-monitoring-server (partially)
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.my.services.grafana;
internalListenPort = 28563;
# copy the entire ./grafana-dashboards directory into the /nix/store.
dashboardsDir = builtins.path { path = ./grafana-dashboards; name = "grafana-dashboards"; };
ldapConfigFile = pkgs.writeText "grafana-ldap.toml" ''
[[servers]]
host = "${config.my.ldap.domainName}"
port = 636
use_ssl = true
bind_dn = "uid=${config.my.ldap.searchUserName},ou=users,${config.my.ldap.suffix}"
bind_password = """${config.my.ldap.searchUserPassword}"""
search_filter = "(uid=%s)"
search_base_dns = ["ou=users,${config.my.ldap.suffix}"]
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "isMemberOf"
# email = ""
[[servers.group_mappings]]
group_dn = "cn=grafana-admins,ou=groups,${config.my.ldap.suffix}"
org_role = "Admin"
grafana_admin = true
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
'';
in {
options.my.services.grafana = {
domainName = mkOption {
default = null;
description = "domain name for Grafana (must be given to enable the service)";
type = types.nullOr types.str;
};
prometheusHost = mkOption {
description = "hostname (or IP address) and port of the Prometheus instance used by Grafana as a datasource";
type = types.str;
};
};
config = mkIf (cfg.domainName != null) {
services.grafana = {
enable = true;
settings = {
alerting.enabled = false;
analytics.reporting_enabled = false;
"auth.anonymous".enabled = false;
"auth.ldap" = {
enabled = true;
config_file = "${ldapConfigFile}";
allow_sign_up = true; # allow the LDAP driver to create new users in the Grafana DB
};
log = {
mode = "console";
level = "info";
};
security = {
cookie_secure = true;
data_source_proxy_whitelist = cfg.prometheusHost;
disable_gravatar = true;
disable_initial_admin_creation = true; # rely only on LDAP for admin users
security_key = "$__file{/var/lib/grafana/secret-key}"; # generated on first start, see `preStart` below
strict_transport_security = true;
};
server = {
domain = cfg.domainName;
http_port = internalListenPort;
root_url = "https://${cfg.domainName}/";
};
snapshots.external_enabled = false;
unified_alerting.enabled = false;
};
provision.datasources.settings = {
apiVersion = 1;
deleteDatasources = [{
name = "Prometheus";
orgId = 1;
}];
datasources = [{
name = "Prometheus";
orgId = 1;
type = "prometheus";
access = "proxy";
url = "http://${cfg.prometheusHost}";
editable = false;
}];
};
provision.dashboards.settings = {
apiVersion = 1;
providers = [{
name = "default";
orgID = 1;
disableDeletion = true;
# This update is practically disabled because it's not useful here.
# The dashboards are in the /nix/store, so changing them requires a
# nixos-rebuild which restarts Grafana anyway.
updateIntervalSeconds = 86400;
options.path = dashboardsDir;
}];
};
};
services.nginx.virtualHosts.${cfg.domainName} = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:${toString internalListenPort}/";
extraConfig = ''
# recommended HTTP headers according to https://securityheaders.io
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always; # six months
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;
add_header Feature-Policy "accelerometer 'none', ambient-light-sensor 'none', autoplay 'none', camera 'none', document-domain 'none', encrypted-media 'none', fullscreen 'none', geolocation 'none', gyroscope 'none', magnetometer 'none', microphone 'none', midi 'none', payment 'none', picture-in-picture 'none', sync-xhr 'none', usb 'none', vibrate 'none', vr 'none'" always;
add_header Content-Security-Policy "default-src 'self' 'unsafe-eval' 'unsafe-inline'" always;
# hamper Google surveillance
add_header Permissions-Policy "interest-cohort=()" always;
'';
};
systemd.services.grafana = {
path = [ pkgs.pwgen ];
preStart = ''
test -f /var/lib/grafana/secret-key || pwgen 30 1 > /var/lib/grafana/secret-key
'';
};
};
}