feat: monitoring + containers - grafana + prometheus + node_exporter + other exporters

2026-05-22 06:26:53 +02:00 · 2024-02-17 19:53:20 +08:00
parent 9626986524
commit b6e51e1950
25 changed files with 739 additions and 184 deletions
@@ -1,13 +1,14 @@
 # Idols - Kana

-TODO: use kana for various services.
+Use kana for common applications.
 All the services assumes a reverse proxy to be setup in the front, they are not exposed to the internet directly.

-Services:
+## Services
+
+1. dashy: Homepage
+1. ddns
+1. transmission & AriaNg: Torrent downloader and HTTP downloader
+1. uptime-kuma: uptime monitoring
+1. alist/filebrower: File browser for local/SMB/Cloud
+1. excalidraw/DDTV/owncast/jitsi-meet/...

-4. dashy: Homepage
-3. ddns
-4. transmission & AriaNg: Torrent downloader and HTTP downloader
-5. uptime-kuma: uptime monitoring
-7. alist/filebrower: File browser for local/SMB/Cloud
-8. excalidraw/DDTV/owncast/jitsi-meet/...
@@ -1,4 +1,8 @@
-{vars_networking, ...}:
+{
+  vars_networking,
+  mylib,
+  ...
+}:
 #############################################################
 #
 #  Kana - a NixOS VM running on Proxmox
@@ -8,6 +12,8 @@ let
  hostName = "kana"; # Define your hostname.
  hostAddress = vars_networking.hostAddress.${hostName};
 in {
+  imports = mylib.scanPaths ./.;
+
  # Enable binfmt emulation of aarch64-linux, this is required for cross compilation.
  boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
  # supported file systems, so we can mount any removable disks with these filesystems
@@ -0,0 +1,242 @@
+appConfig:
+  theme: crayola
+  layout: auto
+  iconSize: large
+  language: cn
+  startingView: default
+  defaultOpeningMethod: newtab
+  statusCheck: true
+  statusCheckInterval: 0
+  backgroundImg: https://thiscute.world/posts/revolution-and-innovation/rolling-girls.webp
+  faviconApi: allesedv
+  routingMode: history
+  enableMultiTasking: false
+  widgetsAlwaysUseProxy: false
+  webSearch:
+    disableWebSearch: false
+    searchEngine: duckduckgo
+    openingMethod: newtab
+    searchBangs: {}
+  enableFontAwesome: true
+  enableMaterialDesignIcons: false
+  hideComponents:
+    hideHeading: false
+    hideNav: false
+    hideSearch: false
+    hideSettings: false
+    hideFooter: false
+  auth:
+    enableGuestAccess: false
+    users: []
+    enableKeycloak: false
+  showSplashScreen: false
+  preventWriteToDisk: false
+  preventLocalSave: false
+  disableConfiguration: false
+  allowConfigEdit: true
+  enableServiceWorker: false
+  disableContextMenu: false
+  disableUpdateChecks: false
+  disableSmartSort: false
+  enableErrorReporting: false
+pageInfo:
+  title: This Cute Micro Cluster
+  description: 欢迎进入 ryan4yin 的 Cute Micro Cluster 主页，在这里你能找到许多有趣的玩意儿哦
+  navLinks:
+    - title: GitHub
+      path: https://github.com/ryan4yin
+      target: newtab
+    - title: Blog
+      path: https://thiscute.world/
+      target: newtab
+    - title: Dashy Docs
+      path: https://dashy.to/docs
+      target: newtab
+  footerText: 做更多有价值的东西，赚更多的钱，也帮助更多的人。
+sections:
+  - name: Proxmox VE  虚拟化集群
+    icon: si-proxmox
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_0
+        title: PVE-UM560
+        description: 'CPU: R5-5625U / MEM: 32G / DISK: 512G+4T*2'
+        icon: si-proxmox
+        url: https://192.168.5.173:8006
+        target: newtab
+        provider: Proxmox
+        statusCheck: true
+        statusCheckAllowInsecure: true
+        id: 0_153265_pveum
+      - &ref_1
+        title: PVE-S500+
+        description: 'CPU: R7-5825U / MEM: 64G / DISK: 1T'
+        icon: si-proxmox
+        url: https://192.168.5.174:8006/
+        target: newtab
+        provider: Proxmox
+        statusCheck: true
+        statusCheckAllowInsecure: true
+        id: 1_153265_pves
+      - &ref_2
+        title: PVE-GTR5
+        description: 'CPU: R9-5900HX / MEM: 64G / DISK: 1T'
+        icon: si-proxmox
+        url: https://192.168.5.172:8006
+        target: newtab
+        provider: Proxmox
+        statusCheck: true
+        statusCheckAllowInsecure: true
+        id: 2_153265_pvegtr
+      - &ref_3
+        title: Orange Pi 5 8G
+        description: 'CPU: 8C / MEM: 8G / DISK: 128G'
+        icon: si-raspberrypi
+        url: ssh pi@192.168.5.191
+        target: clipboard
+        statusCheck: true
+        statusCheckUrl: https://192.168.5.191:10250
+        statusCheckAllowInsecure: true
+        statusCheckAcceptCodes: '404'
+        id: 3_153265_orangepig
+    filteredItems:
+      - *ref_0
+      - *ref_1
+      - *ref_2
+      - *ref_3
+  - name: K3s 容器化集群
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    items:
+      - &ref_4
+        title: k3s-main-master
+        description: control-plane + master
+        icon: si-k3s
+        url: ssh ryan@192.168.5.181
+        target: clipboard
+        provider: Rancher
+        statusCheck: true
+        statusCheckUrl: ' https://192.168.5.181:6443'
+        statusCheckAllowInsecure: true
+        statusCheckAcceptCodes: '401'
+        id: 0_138418_ksmainmaster
+      - &ref_5
+        title: k3s-data-1-master
+        description: worker node
+        icon: si-k3s
+        url: ssh ryan@192.168.5.182
+        target: clipboard
+        provider: Rancher
+        statusCheck: true
+        statusCheckUrl: https://192.168.5.182:10250
+        statusCheckAllowInsecure: true
+        statusCheckAcceptCodes: '404'
+        id: 1_138418_ksdatamaster
+      - &ref_6
+        title: k3s-data-1-worker-1
+        description: worker node
+        icon: si-k3s
+        url: ssh ryan@192.168.5.184
+        target: clipboard
+        provider: Rancher
+        statusCheck: true
+        statusCheckUrl: https://192.168.5.184:10250
+        statusCheckAllowInsecure: true
+        statusCheckAcceptCodes: '404'
+        id: 2_138418_ksdataworker
+      - &ref_7
+        title: k3s-data-1-worker-2
+        description: worker node
+        icon: si-k3s
+        url: ssh ryan@192.168.5.186
+        target: clipboard
+        provider: Rancher
+        statusCheck: true
+        statusCheckUrl: https://192.168.5.186:10250
+        statusCheckAllowInsecure: true
+        statusCheckAcceptCodes: '404'
+        id: 3_138418_ksdataworker
+    filteredItems:
+      - *ref_4
+      - *ref_5
+      - *ref_6
+      - *ref_7
+  - name: System Monitoring & Control
+    icon: fas fa-monitor-heart-rate
+    items:
+      - &ref_9
+        title: Grafana
+        description: Data visualised on dashboards
+        icon: hl-grafana
+        url: http://grafana.writefor.fun
+        target: newtab
+        statusCheck: true
+        statusCheckAllowInsecure: true
+        id: 1_2578_grafana
+      - &ref_10
+        title: Prometheus Dashboard
+        description: Monitoring - Prometheus
+        icon: si-prometheus
+        url: http://prometheus.writefor.fun
+        target: newtab
+        statusCheck: true
+        id: 2_2578_prometheus
+      - &ref_11
+        title: Uptime Kuma
+        description: Uptime Checking
+        icon: hl-uptime-kuma
+        url: http://uptime-kuma.writefor.fun
+        target: newtab
+        statusCheck: true
+        id: 3_2578_uptimekuma
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    filteredItems:
+      - *ref_9
+      - *ref_10
+      - *ref_11
+  - name: Productivity
+    icon: fas fa-bookmark
+    items:
+      - &ref_12
+        title: Cloud IDE
+        description: Eclipse Che - Cloud IDE
+        icon: hl-code
+        url: https://ide.writefor.fun/
+        target: newtab
+        statusCheck: true
+        id: 0_1302_cloudide
+    filteredItems:
+      - *ref_12
+  - name: Media & Entertainment
+    icon: fas fa-photo-video
+    items:
+      - &ref_13
+        title: Home Assistant
+        description: Smart home control
+        icon: hl-home-assistant
+        url: http://ha.writefor.fun:8123/
+        target: newtab
+        statusCheck: true
+        id: 0_1956_homeassistant
+    displayData:
+      sortBy: default
+      rows: 1
+      cols: 1
+      collapsed: false
+      hideForGuests: false
+    filteredItems:
+      - *ref_13
@@ -0,0 +1,24 @@
+{
+  # Install the dashy configuration file instaed of symlink it
+  system.activationScripts.installDashyConfig = ''
+    install -Dm 600 ${./dashy_conf.yml} /etc/dashy/dashy_conf.yml
+  '';
+
+  # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/virtualisation/oci-containers.nix
+  virtualisation.oci-containers.containers = {
+    # check its logs via `journalctl -u podman-dashy`
+    dashy = {
+      hostname = "dashy";
+      image = "lissy93/dashy:latest";
+      ports = ["4000:80"];
+      environment = {
+        "NODE_ENV" = "production";
+      };
+      volumes = [
+        "/etc/dashy/dashy_conf.yml:/app/public/conf.yml"
+      ];
+      autoStart = true;
+      # cmd = [];
+    };
+  };
+}
@@ -0,0 +1,28 @@
+{
+  lib,
+  mylib,
+  ...
+}: {
+  imports = mylib.scanPaths ./.;
+
+  virtualisation = {
+    docker.enable = lib.mkForce false;
+    podman = {
+      enable = true;
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+      # Periodically prune Podman resources
+      autoPrune = {
+        enable = true;
+        dates = "weekly";
+        flags = ["--all"];
+      };
+    };
+
+    oci-containers = {
+      backend = "podman";
+    };
+  };
+}
@@ -1,5 +1,9 @@
-let
-  dataDir = "/data/transmission";
+{
+  config,
+  username,
+  ...
+}: let
+  dataDir = "/var/lib/transmission";
  name = "transmission";
 in {
  # the headless Transmission BitTorrent daemon
@@ -10,9 +14,6 @@ in {
    user = name;
    group = name;
    home = dataDir;
-    incomplete-dir-enabled = true;
-    incomplete-dir = "${dataDir}/incomplete";
-    download-dir = "${dataDir}/downloads";
    downloadDirPermissions = "0770";

    # Whether to enable tweaking of kernel parameters to open many more connections at the same time.
@@ -23,7 +24,7 @@ in {

    # Path to a JSON file to be merged with the settings.
    # Useful to merge a file which is better kept out of the Nix store to set secret config parameters like `rpc-password`.
-    credentialsFile = "/etc/agenix/transmission-credentials.json";
+    credentialsFile = config.age.secrets."transmission-credentials.json".path;

    # Whether to open the RPC port in the firewall.
    openRPCPort = false;
@@ -43,7 +44,7 @@ in {

      # rpc = Web Interface
      rpc-port = 9091;
-      rpc-bind-address = "127.0.0.1";
+      rpc-bind-address = "0.0.0.0";
      anti-brute-force-enabled = true;
      # After this amount of failed authentication attempts is surpassed,
      # the RPC server will deny any further authentication attempts until it is restarted.
@@ -53,15 +54,19 @@ in {

      # Comma-delimited list of IP addresses.
      # Wildcards allowed using '*'. Example: "127.0.0.*,192.168.*.*",
-      # rpc-whitelist-enabled = true;
-      # rpc-whitelist = "";
+      rpc-whitelist-enabled = true;
+      rpc-whitelist = "127.0.0.*,192.168.*.*";
      # Comma-delimited list of domain names.
      # Wildcards allowed using '*'. Example: "*.foo.org,example.com",
-      # rpc-host-whitelist-enabled = true;
-      # rpc-host-whitelist = "";
-      rpc-user = name;
-      rpc-username = name;
-      # rpc-password = "xxx"; # you'd better use the credentialsFile for this.
+      rpc-host-whitelist-enabled = true;
+      rpc-host-whitelist = "*.writefor.fun,localhost,192.168.5.*";
+      rpc-user = username;
+      rpc-username = username;
+      # rpc-password = "test"; # you'd better use the credentialsFile for this.
+
+      incomplete-dir-enabled = true;
+      incomplete-dir = "${dataDir}/incomplete";
+      download-dir = "${dataDir}/downloads";

      # Watch a directory for torrent files and add them to transmission.
      watch-dir-enabled = false;
@@ -4,10 +4,9 @@
    enable = true;
    # https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
    settings = {
-      # this assumes a reverse proxy to be set, uptime-kuma will only listen on localhost
-      "UPTIME_KUMA_HOST" = "127.0.0.1";
-      "UPTIME_KUMA_PORT" =  3001;
-      "DATA_DIR" =  "/data/uptime-kuma";
+      "UPTIME_KUMA_HOST" = "0.0.0.0";
+      "UPTIME_KUMA_PORT" = "3001";
+      "DATA_DIR" = "/var/lib/uptime-kuma/";
    };
  };
 }