Original commit

2025-10-12 17:15:04 +02:00 · 2025-10-12 17:15:04 +02:00 · cc74263a3b
commit cc74263a3b
26 changed files with 3052 additions and 0 deletions
--- a/modules/servermodules/grafana/dashboards/jellyfin.json
+++ b/modules/servermodules/grafana/dashboards/jellyfin.json
--- a/modules/servermodules/grafana/grafana.nix
+++ b/modules/servermodules/grafana/grafana.nix
@ -0,0 +1,70 @@
+{ config, ... }:
+{
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        # Listening Address
+        http_addr = "127.0.0.1";
+        # and Port
+        http_port = 3000;
+        # Grafana needs to know on which domain and URL it's running
+        domain = "grafana.maxiemgeldhof.com";
+      };
+    };
+    provision.datasources.path = ./provision;
+    provision.dashboards.settings = {
+      apiVersion = 1;
+
+      providers = [
+        {
+          name = "default";
+          options.path = ./dashboards;
+        }
+      ];
+    };
+  };
+
+  services.prometheus.exporters.node = {
+    enable = true;
+    port = 9000;
+    # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/prometheus/exporters.nix
+    enabledCollectors = [ "systemd" ];
+    # /nix/store/zgsw0yx18v10xa58psanfabmg95nl2bb-node_exporter-1.8.1/bin/node_exporter  --help
+    extraFlags = [
+      "--collector.ethtool"
+      "--collector.softirqs"
+      "--collector.tcpstat"
+      "--collector.wifi"
+    ];
+  };
+
+  services.prometheus = {
+    enable = true;
+    globalConfig.scrape_interval = "30s";
+    scrapeConfigs = [
+      {
+        job_name = "node";
+        static_configs = [
+          {
+            targets = [
+              "localhost:${toString config.services.prometheus.exporters.node.port}"
+              "localhost:8096"
+            ];
+          }
+        ];
+      }
+      {
+        job_name = "jellyfin";
+        static_configs = [
+          {
+            targets = [
+              "localhost:9594"
+            ];
+          }
+        ];
+      }
+
+    ];
+  };
+}
--- a/modules/servermodules/grafana/provision/prom.yaml
+++ b/modules/servermodules/grafana/provision/prom.yaml
@ -0,0 +1,19 @@
+# Configuration file version
+apiVersion: 1
+prune: true
+
+datasources:
+  - name: Prometheus
+    type: prometheus
+    access: proxy
+    url: http://localhost:9090
+    jsonData:
+      httpMethod: POST
+      manageAlerts: true
+      allowAsRecordingRulesTarget: true
+      prometheusType: Prometheus
+      prometheusVersion: 3.3.0
+      cacheLevel: 'High'
+      disableRecordingRules: false
+      timeInterval: 10s   # Prometheus scrape interval
+      incrementalQueryOverlapWindow: 10m
--- a/modules/servermodules/jellyfin/jellyfin.nix
+++ b/modules/servermodules/jellyfin/jellyfin.nix
@ -0,0 +1,60 @@
+{
+  pkgs,
+  config,
+  exporter-pkg,
+  ...
+}:
+{
+  environment.systemPackages = [
+    pkgs.jellyfin
+    pkgs.jellyfin-web
+    pkgs.jellyfin-ffmpeg
+  ];
+
+  services.jellyfin = {
+    enable = true;
+    configDir = "/jellyfin/config";
+    dataDir = "/jellyfin/data";
+  };
+
+  age.secrets.jellyfin-key = {
+    file = ./secrets/jellyfin-key;
+    owner = "jellyfin";
+  };
+
+  # Define the systemd service
+  systemd.services.jellyfin-exporter = {
+    description = "Jellyfin Exporter for Prometheus";
+    wantedBy = [ "multi-user.target" ];
+    after = [
+      "network-online.target"
+      "run-agenix.d.mount"
+    ]; # Should start after network is up
+    wants = [
+      "network-online.target"
+      "run-agenix.d.mount"
+    ]; # Should start after network is up
+
+    serviceConfig = {
+      # The command to start the exporter
+      # You MUST replace the placeholders below with your actual data
+      ExecStart = ''
+        /bin/sh -c "${exporter-pkg}/bin/jellyfin_exporter \
+          --jellyfin.address=http://localhost:8096 \
+          --jellyfin.token=$(cat ${config.age.secrets.jellyfin-key.path})"
+      '';
+
+      # Run the service as the user we created
+      User = "jellyfin";
+
+      # Automatically restart the service if it fails
+      Restart = "on-failure";
+      RestartSec = "5s";
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "L+ /data/movies      -       -      -      -    /mnt/volume-hel1-1/movies"
+    "L+ /data/series      -       -      -      -    /mnt/volume-hel1-1/series"
+  ];
+}
--- a/modules/servermodules/nginx.nix
+++ b/modules/servermodules/nginx.nix
@ -0,0 +1,76 @@
+{ rootdomain }:
+{
+  systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/logs/nginx" ];
+  services.nginx.enable = true;
+  services.nginx.commonHttpConfig = ''
+      log_format myformat '$remote_addr - $remote_user [$time_local] '
+                      '$host "$request" $status $body_bytes_sent '
+                      '"$http_referer" "$http_user_agent"';
+      '';
+
+  services.nginx.virtualHosts."default" = {
+      enableACME = false;
+      rejectSSL = true;
+      default = true;
+
+      locations."/" = {
+        return = 404;
+      };
+      extraConfig = ''
+        access_log /logs/nginx/nginx-access.log myformat;
+      '';
+  };
+
+
+  services.nginx.virtualHosts."grafana.${rootdomain}" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:3000";
+        proxyWebsockets = true;
+        recommendedProxySettings = true;
+      };
+      extraConfig = ''
+        access_log /logs/nginx/nginx-access.log myformat;
+      '';
+  };
+
+  services.nginx.virtualHosts."jellyfin.${rootdomain}" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8096";
+      proxyWebsockets = true;
+      recommendedProxySettings = true;
+    };
+
+    locations."/metrics" = {
+      proxyPass = "http://127.0.0.1:8096/metrics";
+      recommendedProxySettings = true;
+      extraConfig = ''
+      allow 127.0.0.1;
+      allow 192.168.0.0/16;
+      allow 10.0.0.0/8;
+      allow 172.16.0.0/12;
+      deny all;
+      '';
+    };
+
+    extraConfig = ''
+      access_log /logs/nginx/nginx-access.log myformat;
+    '';
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@${rootdomain}";
+  };
+
+  systemd.tmpfiles.rules = [
+  # Type  Path           Mode    User   Group  Age  Argument
+  "d /logs/nginx        0755    nginx  nginx  -    -"
+  ]
+}
+
--- a/modules/servermodules/packages.nix
+++ b/modules/servermodules/packages.nix
@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = [
+    pkgs.git
+    pkgs.google-cloud-sdk
+    pkgs.zulu8
+    pkgs.wget
+    pkgs.tmux
+  ];
+  age.secrets.google-storage-key = {
+    file = ./secrets/google-storage-key;
+    owner = "root";
+  };
+  environment.variables.GOOGLE_APPLICATION_CREDENTIALS = config.age.secrets."google-storage-key".path;
+}