box zfs

2026-01-19 22:37:30 -08:00
parent 3b33575b2a
commit d0cde973e7
21 changed files with 818 additions and 243 deletions
@@ -1,4 +1,10 @@
-{ self, config, pkgs, ... }: {
+{
+  self,
+  config,
+  pkgs,
+  ...
+}:
+{
  age.secrets.nullhex-smtp.file = "${self}/secrets/nullhex-smtp.age";
  age.secrets.nullhex-smtp.owner = "grafana";

@@ -25,7 +31,7 @@
  };

  # nginx reverse proxy
-  # services.nginx.recommendedProxySettings = true; # Needed for new grafana versions 
+  # services.nginx.recommendedProxySettings = true; # Needed for new grafana versions
  services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
    locations."/" = {
      proxyPass = "http://127.0.0.1:2342";
@@ -33,21 +39,23 @@
    };
  };

-    services.postgresql = {
-      ensureUsers = [{
+  services.postgresql = {
+    ensureUsers = [
+      {
        name = "grafana";
-        # TODO this is deprecated 
-        # Need to translate this to 
-        # systemd.services.postgresql.postStart
-        # or initialScript 
-        ensurePermissions = {
-          "ALL TABLES IN SCHEMA public" = "SELECT";
-          "DATABASE wallabag" = "CONNECT";
-          "DATABASE ulogger" = "CONNECT";
-          "DATABASE photoprism" = "CONNECT";
-        };
-      }];
-    };
+      }
+    ];
+  };
+
+  # Grant grafana user read access to databases for monitoring
+  systemd.services.postgresql.postStart = pkgs.lib.mkAfter ''
+    $PSQL -tAc "GRANT CONNECT ON DATABASE wallabag TO grafana" 2>/dev/null || true
+    $PSQL -tAc "GRANT CONNECT ON DATABASE ulogger TO grafana" 2>/dev/null || true
+    $PSQL -tAc "GRANT CONNECT ON DATABASE photoprism TO grafana" 2>/dev/null || true
+    $PSQL -d wallabag -tAc "GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana" 2>/dev/null || true
+    $PSQL -d ulogger -tAc "GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana" 2>/dev/null || true
+    $PSQL -d photoprism -tAc "GRANT SELECT ON ALL TABLES IN SCHEMA public TO grafana" 2>/dev/null || true
+  '';

  services.prometheus = {
    enable = true;
@@ -66,11 +74,15 @@
    scrapeConfigs = [
      {
        job_name = "box";
-        static_configs = [{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }];
+        static_configs = [
+          { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }
+        ];
      }
      {
        job_name = "dns";
-        static_configs = [{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; }];
+        static_configs = [
+          { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; }
+        ];
      }
    ];
  };