From 6eac33cc2204de2b2a62122c5d50446479ee86e7 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sat, 30 Dec 2023 10:01:06 +0000 Subject: [PATCH] rudimentary grafana addition. Missing data sources, no clue how to get those.
---
 flake.nix | 1 + modules/email.nix | 3 ++ modules/grafana.nix | 40 ++++++++++++++++++++++++++ modules/mailpass/admin | 1 + modules/matrix.nix | 3 ++ modules/matrix_synapse_log_config.yaml | 25 ++++++++++++++++ secrets/grafana_admin_pass.age | 15 ++++++++++ secrets/secrets.nix | 1 + 8 files changed, 89 insertions(+) create mode 100644 modules/grafana.nix create mode 100644 modules/mailpass/admin create mode 100644 modules/matrix_synapse_log_config.yaml create mode 100644 secrets/grafana_admin_pass.age
diff --git a/flake.nix b/flake.nix
index a47dd35..cb9b533 100644
--- a/flake.nix
+++ b/flake.nix
@@ -28,6 +28,7 @@ ./modules/matrix.nix ./modules/puffer.nix ./modules/gitea.nix + ./modules/grafana.nix ./modules/letsencrypt.nix ./modules/fail2ban.nix ./modules/email.nix
diff --git a/modules/email.nix b/modules/email.nix
index 252425f..42cd544 100644
--- a/modules/email.nix
+++ b/modules/email.nix
@@ -18,6 +18,9 @@ in { hashedPasswordFile = ./mailpass/contact; aliases = ["kontakt@${root_host}"]; }; + "admin@${root_host}" = { + hashedPasswordFile = ./mailpass/admin; + }; }; # Use Let's Encrypt certificates. Note that this needs to set up a stripped
diff --git a/modules/grafana.nix b/modules/grafana.nix
new file mode 100644
index 0000000..0db9928
--- /dev/null
+++ b/modules/grafana.nix
@@ -0,0 +1,40 @@
+{ config, ... }:
+let
+ root_host = "grimmauld.de";
+ grafana_host = "grafana.${root_host}";
+ grafana_port = 8082;
+in {
+ age.secrets.grafana_admin_pass = {
+ file = ../secrets/grafana_admin_pass.age;
+ owner = "grafana";
+ group = "grafana";
+ mode = "0600";
+ };
+
+ security.acme.certs."${root_host}".extraDomainNames = [ grafana_host ];
+ services.grafana = {
+ enable = true;
+ settings = {
+ security = {
+ admin_user = "admin";
+ admin_email = "admin@${root_host}";
+ admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}";
+ };
+ server = {
+ http_port = grafana_port;
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."${grafana_host}" = {
+ serverName = grafana_host;
+ forceSSL = true;
+ useACMEHost = root_host;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}";
+ };
+ };
+ };
+}
diff --git a/modules/mailpass/admin b/modules/mailpass/admin
new file mode 100644
index 0000000..ed12fba
--- /dev/null
+++ b/modules/mailpass/admin
@@ -0,0 +1 @@
+$2b$05$9E2phVa/06fZW3daV3CeYuLTCLcBBDY7xF5TOpeHdCBGU5yNemBgy
diff --git a/modules/matrix.nix b/modules/matrix.nix
index ce711ec..b4e8c03 100644
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -57,15 +57,18 @@ host replication all ::1/128 md5 workers.normalSyncers = 1; workers.eventPersisters = 2; workers.useUserDirectoryWorker = true; + mainLogConfig = ./matrix_synapse_log_config.yaml; enableNginx = true; enableSlidingSync = false; settings = { + suppress_key_server_warning = true; server_name = root_host; public_baseurl = "https://${root_host}"; enable_registration = false; enable_registration_without_verification = true; +# mainLogConfig = ./matrix_synapse_log_config.yaml; # registrations_require_3pid = [ "email" ]; database = {
diff --git a/modules/matrix_synapse_log_config.yaml b/modules/matrix_synapse_log_config.yaml
new file mode 100644
index 0000000..f412638
--- /dev/null
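Review bot: The `security` block under `services.grafana.settings` takes the admin password from agenix but leaves `secret_key` unset, so Grafana falls back to its documented default key for encrypting data-source credentials, which the commit message says are still to be added. Session cookies are also not marked secure, although nginx forces TLS for `grafana_host`. I would add `secret_key = "$__file{<path of a second age secret>}";` and `cookie_secure = true;` next to `admin_password`, before any data source is stored, since changing the key later means re-entering those credentials. The path is a placeholder; the secret would be declared like `grafana_admin_pass`, with owner `grafana` and mode `0600`.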
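Review bot: The hash added in `modules/mailpass/admin` begins with `$2b$05$`, which is bcrypt at cost factor 5, a very low work factor for a value that is committed to the repository in clear text. The `modules/email.nix` hunk references it as the path literal `./mailpass/admin`, so it will most likely also be copied into the world-readable Nix store, whereas the Grafana password in this same commit goes through agenix. I would regenerate the hash with a higher cost (10 or more is the usual floor) and point the account at an age-managed file, for example `hashedPasswordFile = config.age.secrets.<mail admin hash>.path;`, where the secret name is a placeholder.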
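Review bot: The added line `# mainLogConfig = ./matrix_synapse_log_config.yaml;` inside `settings` is a commented-out copy of the option this hunk already sets one level up, and should be dropped so it is not mistaken for a Synapse setting. `suppress_key_server_warning = true;` deserves a short comment such as `# default trusted key server kept on purpose; silences the startup warning`, assuming that is the intent. The enclosing attribute set starts and ends outside the hunk.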
+++ b/modules/matrix_synapse_log_config.yaml @@ -0,0 +1,25 @@ +version: 1 + +# In systemd's journal, loglevel is implicitly stored, so let's omit it +# from the message text. +formatters: + journal_fmt: + format: '%(name)s: [%(request)s] %(message)s' + +filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + +handlers: + journal: + class: systemd.journal.JournalHandler + formatter: journal_fmt + filters: [context] + SYSLOG_IDENTIFIER: synapse + +root: + level: WARNING + handlers: [journal] + +disable_existing_loggers: False diff --git a/secrets/grafana_admin_pass.age b/secrets/grafana_admin_pass.age new file mode 100644 index 0000000..53b98ba --- /dev/null +++ b/secrets/grafana_admin_pass.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-rsa jWbwAg +ieBCGzdQNeFiy2vjh2SbQz2jM9SFsqESvydY3ok681KYIBZKhw0FkQQPADCJElnM +L0XxLSXkOB2l3hhie5i+O3iSHKlXAwPvbfxUcsZmDgV9F9MJtdqrDWrp8qpnIzau +qsecyM28o37laD0hr+Zt6nG8QWPDmSBnNfVfdflYUkMQCPaNHrMa0+XQqABAJ7mi +PssjYLHkVJzPTi4p0bYkewkBS45gsp7j6DlF2Gg5Ce+l2FxB+RWc5Pl8mp76IntR +Vxm8gaGXG667IjwFqfxhsIbygyIZ2SX38GUJbtn3Is0aSOQCZtSkdLTkrjFtB+LP +FUfvvqkPKC5ttQm6lkODrMo3Ai0VfT6kCo/F52A0T5mkrF5jVCQdeqo92zBPWI6S +Um93uNLFmQ+OIDNnSVZKO0znpw6Vq9N7Q7LUPG1etRasnH5agMzBVlAeotbvD9Y/ +Y6jLOB7aTruX4Snw83WF8J4jjzr6MYG71wQ/0aGOA5EfS/njrWRT6PSgVERny/WW +h/TaVV+Zw7vm7kw4cxSmnwcnvpst2W4Xg2hulj2MPO0OXlXPvIuIg68Olcctclox +HR2BKjDDQ+9jScu0cQcYIsnXuJ5JillpETtYI5Z4AGmKLj0rqXxrZDmjr0WKE5AE +qlbOw6/Jpn5vtmS4qEuSnbK11vhm4EWN/tv0Zz7KShM +--- yNCRCxrMUj+Kx54kwJ0Tq3X/QmxRi3eUcDCIkAtnrk8 +~E~}IR9*\fryUwB 1!tezyxXW
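Review bot: In `modules/matrix_synapse_log_config.yaml`, `root:` is set to `level: WARNING` and no `loggers:` section overrides it, so every INFO record is dropped before it reaches the journal, and nothing in the file says this is deliberate. If a jail from `./modules/fail2ban.nix` (loaded by the same flake) or a later investigation relies on Synapse's INFO-level lines, it would find nothing; whether anything does is not visible here. A comment above `root:` such as `# WARNING on purpose: INFO-level records are not kept in the journal` would record the decision.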