tlaternet-server/configuration/services/metrics.nix

{
  config,
  pkgs,
  lib,
  ...
}: let
  domain = "metrics.${config.services.nginx.domain}";
  yaml = pkgs.formats.yaml {};
in {
  services.victoriametrics.enable = true;

  services.grafana = {
    enable = true;
    settings = {
      server.http_port = 3001; # Default overlaps with gitea

      security = {
        admin_user = "tlater";
        admin_password = "$__file{${config.sops.secrets."grafana/adminPassword".path}}";
        secret_key = "$__file{${config.sops.secrets."grafana/secretKey".path}}";
        cookie_secure = true;
        cookie_samesite = "strict";
        content_security_policy = true;
      };

      database = {
        user = "grafana";
        name = "grafana";
        type = "postgres";
        host = "/run/postgresql";
      };
    };

    provision = {
      enable = true;

      datasources.settings.datasources = [
        {
          name = "Victoriametrics - tlater.net";
          url = "http://localhost:8428";
          type = "prometheus";
        }
      ];
    };
  };

  services.prometheus.exporters = {
    node = {
      enable = true;
      enabledCollectors = ["systemd"];
      listenAddress = "127.0.0.1";
    };

    nginx = {
      enable = true;
      listenAddress = "127.0.0.1";
    };

    nginxlog = {
      enable = true;
      listenAddress = "127.0.0.1";
    };
  };

  systemd.services.export-to-victoriametrics = let
    promscrape = yaml.generate "prometheus.yml" {
      scrape_configs = [
        {
          job_name = "tlater.net";
          static_configs = [
            {
              targets =
                lib.mapAttrsToList (name: exporter: "${exporter.listenAddress}:${toString exporter.port}")
                (lib.filterAttrs (name: exporter: (builtins.isAttrs exporter) && exporter.enable)
                  config.services.prometheus.exporters);
            }
          ];
        }
      ];
    };
  in {
    enable = true;
    path = [pkgs.victoriametrics];
    wantedBy = ["multi-user.target"];
    script = "vmagent -promscrape.config=${promscrape} -remoteWrite.url=http://localhost:8428/api/v1/write";
  };

  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    extraConfig = ''
      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    '';
    locations."/".proxyPass = "http://localhost:3001";
  };
}