metrics: Add metrics with victoriametrics + grafana

2023-10-07 22:14:43 +02:00 · 2023-10-07 22:14:43 +02:00 · 55a4aaf48b
commit 55a4aaf48b
parent 78a9eac9bb
22 changed files with 580 additions and 26 deletions
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -16,8 +16,10 @@

    ./services/backups.nix
    ./services/conduit.nix
+    ./services/fail2ban.nix
    ./services/foundryvtt.nix
    ./services/gitea.nix
+    ./services/metrics
    ./services/nextcloud.nix
    ./services/webserver.nix
    ./services/wireguard.nix
@ -136,34 +138,45 @@
    recommendedProxySettings = true;
    clientMaxBodySize = "10G";
    domain = "tlater.net";
+
+    statusPage = true; # For metrics, should be accessible only from localhost
+
+    commonHttpConfig = ''
+      log_format upstream_time '$remote_addr - $remote_user [$time_local] '
+                         '"$request" $status $body_bytes_sent '
+                         '"$http_referer" "$http_user_agent" '
+                         'rt=$request_time uct="$upstream_connect_time" '
+                         'uht="$upstream_header_time" urt="$upstream_response_time"';
+    '';
  };

+  services.logrotate = {
+    enable = true;
+
+    settings = lib.mapAttrs' (virtualHost: _:
+      lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
+        frequency = "daily";
+        rotate = 2;
+        compress = true;
+        delaycompress = true;
+        su = "${config.services.nginx.user} ${config.services.nginx.group}";
+        postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
+      })
+    config.services.nginx.virtualHosts;
+  };
+  systemd.tmpfiles.rules =
+    lib.mapAttrsToList (
+      virtualHost: _:
+      #
+      "d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}"
+    )
+    config.services.nginx.virtualHosts;
+
  security.acme = {
    defaults.email = "tm@tlater.net";
    acceptTerms = true;
  };

-  services.fail2ban = {
-    enable = true;
-    extraPackages = [pkgs.ipset];
-    banaction = "iptables-ipset-proto6-allports";
-    bantime-increment.enable = true;
-
-    jails = {
-      nginx-botsearch = ''
-        enabled = true
-        logpath = /var/log/nginx/access.log
-      '';
-    };
-
-    ignoreIP = [
-      "127.0.0.0/8"
-      "10.0.0.0/8"
-      "172.16.0.0/12"
-      "192.168.0.0/16"
-    ];
-  };
-
  # Remove some unneeded packages
  environment.defaultPackages = [];