systems/makanek/monitoring/default.nix

{ lib, config, pkgs, ... }:
let
  lokiConfig = import ./loki.nix;
  blackboxConfig = import ./blackbox.nix;
  inherit (import <niveum/lib>) restic;
in
{
  services.grafana = {
    enable = true;
    domain = "grafana.kmein.r";
    port = 9444;
    addr = "127.0.0.1";
  };

  services.nginx.virtualHosts.${config.services.grafana.domain} = {
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
      proxyWebsockets = true;
    };
  };

  services.prometheus.rules = let diskFreeThreshold = 10; in [(builtins.toJSON {
    groups = [{
      name = "niveum";
      rules = [
        {
          alert = "ServiceDown";
          expr = ''node_systemd_unit_state{state="failed"} == 1'';
          annotations = {
            summary = "{{$labels.job}}: Service {{$labels.name}} failed to start.";
          };
        }
        {
          alert = "RootPartitionFull";
          for = "10m";
          expr = ''(node_filesystem_free_bytes{mountpoint="/"} * 100) / node_filesystem_size_bytes{mountpoint="/"} < ${toString diskFreeThreshold}'';
          annotations = {
            summary = "{{ $labels.job }}: Filesystem is running out of space soon.";
            description = ''The root disk of {{ $labels.job }} has {{ $value | printf "%.2f" }}% free disk space (threshold at ${toString diskFreeThreshold}%).'';
          };
        }
        {
          alert = "RootPartitionFullWeek";
          for = "1h";
          expr = ''node_filesystem_free_bytes{mountpoint="/"} ''
            + ''and predict_linear(node_filesystem_free_bytes{mountpoint="/"}[2d], 7*24*3600) <= 0'';
          annotations = {
            summary = "{{$labels.job}}: Filesystem is running out of space in 7 days.";
          };
        }
        {
          alert = "HighLoad";
          expr = ''node_load15 / on(job) count(node_cpu_seconds_total{mode="system"}) by (job) >= 1.0'';
          for = "10m";
          annotations = {
            summary = "{{$labels.job}}: Running on high load: {{$value}}";
          };
        }
        {
          alert = "HighRAM";
          expr = "node_memory_MemFree_bytes + node_memory_Buffers_bytes + node_memory_Cached_bytes < node_memory_MemTotal_bytes * 0.1";
          for = "1h";
          annotations.summary = "{{$labels.job}}: Using lots of RAM.";
        }
        {
          alert = "UptimeMonster";
          expr = "time() - node_boot_time_seconds > 2592000";
          annotations.summary = "{{$labels.job}}: up for more than 30 days.";
        }
        {
          alert = "HostDown";
          expr = ''up == 0'';
          for = "5m";
          annotations = {
            summary = "Host {{ $labels.job }} down for 5 minutes.";
          };
        }
        {
          alert = "Reboot";
          expr = "time() - node_boot_time_seconds < 300";
          annotations.summary = "{{$labels.job}}: Reboot";
        }
        {
          alert = "ProbeFailed";
          expr = "probe_success == 0";
          for = "5m";
          annotations.summary = "{{$labels.instance}}: probe failed";
        }
        {
          alert = "SlowProbe";
          expr = "avg_over_time(probe_http_duration_seconds[1m]) > 1";
          for = "5m";
          annotations.summary = "{{$labels.instance}}: HTTP probe slow";
        }
        {
          alert = "HttpStatusCode";
          expr = "probe_http_status_code != 0 AND (probe_http_status_code <= 199 OR probe_http_status_code >= 400)";
          for = "5m";
          annotations.summary = "{{$labels.instance}}: status code {{$value}}";
        }
        {
          alert = "SslExpirySoon";
          expr = "probe_ssl_earliest_cert_expiry - time() < 86400 * 30";
          for = "5m";
          annotations.summary = "{{$labels.instance}}: SSL certificate expires in 30 days";
        }
        {
          alert = "SslExpiry";
          expr = "probe_ssl_earliest_cert_expiry - time()  <= 0";
          for = "5m";
          annotations.summary = "{{$labels.instance}}: SSL certificate has expired";
        }
      ];
    }];
  })];

  systemd.services.alertmanager-irc = {
    wantedBy = [ "multi-user.target" ];
    after = [ "ip-up.target" ];
    serviceConfig = {
      DynamicUser = true;
      StateDirectory = "alert-irc";
      ExecStart = ''${pkgs.alertmanager-irc-relay}/bin/alertmanager-irc-relay \
        --config ${(pkgs.formats.yaml {}).generate "config.yaml" {
          http_host = "0.0.0.0";
          http_port = 16330;
          irc_host = "irc.r";
          irc_port = 6667;
          irc_use_ssl = false;
          irc_nickname = "niveum";
          irc_channels = [ { name = "#niveum"; } ];
          msg_template = ''{{ index .Annotations "summary" }} ({{ .Status }})'';
        }}
      '';
    };
  };

  services.prometheus.alertmanager = {
    enable = true;
    listenAddress = "localhost";
    configuration = {
      route = {
        group_wait = "30s";
        repeat_interval = "4h";
        receiver = "me";
      };
      receivers = [{
        name = "me";
        webhook_configs = [
          {
            url = "http://localhost:16330/niveum";
            send_resolved = true;
          }
        ];
      }];
    };
  };

  services.prometheus.scrapeConfigs = [
    {
      job_name = "makanek";
      static_configs = [ { targets = [
        "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
      ]; } ];
    }
    {
      scrape_interval = "5m";
      job_name = "blackbox";
      metrics_path = "/probe";
      params.module = [ "http_2xx" ];
      relabel_configs = [
        { source_labels = ["__address__"]; target_label = "__param_target"; }
        { source_labels = ["__param_target"]; target_label = "instance"; }
        { replacement = "127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}"; target_label = "__address__"; }
      ];
      static_configs = [{
        targets = [
          "alew.hu-berlin.de"
          "pad.kmein.de"
          "code.kmein.de"
          "radio.kmein.de"
          "tarot.kmein.de"
          "cloud.xn--kiern-0qa.de"
          "grafana.kmein.r"
          "names.kmein.r"
          "rrm.r"
          "graph.r"
        ];
      }];
    }
    {
      job_name = "zaatar";
      static_configs = [ { targets = [
        "zaatar.r:${toString config.services.prometheus.exporters.node.port}"
        "zaatar.r:${toString restic.port}"
      ]; } ];
    }
  ];


  services.prometheus.exporters.blackbox = {
    enable = true;
    configFile = (pkgs.formats.yaml {}).generate "blackbox.yaml" blackboxConfig;
  };

  networking.firewall.allowedTCPPorts = [
    lokiConfig.server.http_listen_port
  ];

  services.loki = {
    enable = true;
    configFile = (pkgs.formats.yaml {}).generate "loki.yaml" lokiConfig;
  };
}
feat: monitoring 2021-09-18 23:54:12 +02:00			`{ lib, config, pkgs, ... }:`
			`let`
			`lokiConfig = import ./loki.nix;`
feat(monitoring): probe alew.hu-berlin.de 2021-12-13 17:29:09 +01:00			`blackboxConfig = import ./blackbox.nix;`
feat(restic): run on makanek, prometheus 2022-01-18 23:28:53 +01:00			`inherit (import <niveum/lib>) restic;`
feat: monitoring 2021-09-18 23:54:12 +02:00			`in`
			`{`
			`services.grafana = {`
			`enable = true;`
feat(monitoring): add more rules, run grafana in retiolum 2021-09-19 12:03:52 +02:00			`domain = "grafana.kmein.r";`
			`port = 9444;`
feat: monitoring 2021-09-18 23:54:12 +02:00			`addr = "127.0.0.1";`
			`};`

			`services.nginx.virtualHosts.${config.services.grafana.domain} = {`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";`
			`proxyWebsockets = true;`
			`};`
			`};`

			`services.prometheus.rules = let diskFreeThreshold = 10; in [(builtins.toJSON {`
			`groups = [{`
			`name = "niveum";`
			`rules = [`
			`{`
			`alert = "ServiceDown";`
			`expr = ''node_systemd_unit_state{state="failed"} == 1'';`
			`annotations = {`
feat(monitoring): add more rules, run grafana in retiolum 2021-09-19 12:03:52 +02:00			`summary = "{{$labels.job}}: Service {{$labels.name}} failed to start.";`
feat: monitoring 2021-09-18 23:54:12 +02:00			`};`
			`}`
			`{`
			`alert = "RootPartitionFull";`
feat(monitoring): add more rules, run grafana in retiolum 2021-09-19 12:03:52 +02:00			`for = "10m";`
			`expr = ''(node_filesystem_free_bytes{mountpoint="/"} * 100) / node_filesystem_size_bytes{mountpoint="/"} < ${toString diskFreeThreshold}'';`
feat: monitoring 2021-09-18 23:54:12 +02:00			`annotations = {`
feat(monitoring): add more rules, run grafana in retiolum 2021-09-19 12:03:52 +02:00			`summary = "{{ $labels.job }}: Filesystem is running out of space soon.";`
feat: monitoring 2021-09-18 23:54:12 +02:00			`description = ''The root disk of {{ $labels.job }} has {{ $value \| printf "%.2f" }}% free disk space (threshold at ${toString diskFreeThreshold}%).'';`
			`};`
			`}`
feat(monitoring): add more rules, run grafana in retiolum 2021-09-19 12:03:52 +02:00			`{`
			`alert = "RootPartitionFullWeek";`
			`for = "1h";`
			`expr = ''node_filesystem_free_bytes{mountpoint="/"} ''`
			`+ ''and predict_linear(node_filesystem_free_bytes{mountpoint="/"}[2d], 7243600) <= 0'';`
			`annotations = {`
			`summary = "{{$labels.job}}: Filesystem is running out of space in 7 days.";`
			`};`
			`}`
			`{`
			`alert = "HighLoad";`
			`expr = ''node_load15 / on(job) count(node_cpu_seconds_total{mode="system"}) by (job) >= 1.0'';`
			`for = "10m";`
			`annotations = {`
			`summary = "{{$labels.job}}: Running on high load: {{$value}}";`
			`};`
			`}`
			`{`
			`alert = "HighRAM";`
			`expr = "node_memory_MemFree_bytes + node_memory_Buffers_bytes + node_memory_Cached_bytes < node_memory_MemTotal_bytes * 0.1";`
			`for = "1h";`
			`annotations.summary = "{{$labels.job}}: Using lots of RAM.";`
			`}`
feat(monitoring): add uptime alert 2021-10-08 20:03:44 +02:00			`{`
			`alert = "UptimeMonster";`
			`expr = "time() - node_boot_time_seconds > 2592000";`
			`annotations.summary = "{{$labels.job}}: up for more than 30 days.";`
			`}`
feat: monitoring 2021-09-18 23:54:12 +02:00			`{`
			`alert = "HostDown";`
			`expr = ''up == 0'';`
			`for = "5m";`
			`annotations = {`
			`summary = "Host {{ $labels.job }} down for 5 minutes.";`
			`};`
			`}`
feat(monitoring): add more rules, run grafana in retiolum 2021-09-19 12:03:52 +02:00			`{`
			`alert = "Reboot";`
			`expr = "time() - node_boot_time_seconds < 300";`
fix(monitoring): display host name in reboot message 2021-11-08 10:06:29 +01:00			`annotations.summary = "{{$labels.job}}: Reboot";`
feat(monitoring): add more rules, run grafana in retiolum 2021-09-19 12:03:52 +02:00			`}`
feat(monitoring): probe alew.hu-berlin.de 2021-12-13 17:29:09 +01:00			`{`
			`alert = "ProbeFailed";`
			`expr = "probe_success == 0";`
			`for = "5m";`
			`annotations.summary = "{{$labels.instance}}: probe failed";`
			`}`
			`{`
			`alert = "SlowProbe";`
			`expr = "avg_over_time(probe_http_duration_seconds[1m]) > 1";`
			`for = "5m";`
			`annotations.summary = "{{$labels.instance}}: HTTP probe slow";`
			`}`
			`{`
			`alert = "HttpStatusCode";`
feat(monitoring): probe alew.hu-berlin.de 2021-12-13 17:29:09 +01:00			`expr = "probe_http_status_code != 0 AND (probe_http_status_code <= 199 OR probe_http_status_code >= 400)";`
feat(monitoring): probe alew.hu-berlin.de 2021-12-13 17:29:09 +01:00			`for = "5m";`
feat(monitoring): probe alew.hu-berlin.de 2021-12-13 17:29:09 +01:00			`annotations.summary = "{{$labels.instance}}: status code {{$value}}";`
feat(monitoring): probe alew.hu-berlin.de 2021-12-13 17:29:09 +01:00			`}`
			`{`
			`alert = "SslExpirySoon";`
			`expr = "probe_ssl_earliest_cert_expiry - time() < 86400 * 30";`
			`for = "5m";`
			`annotations.summary = "{{$labels.instance}}: SSL certificate expires in 30 days";`
			`}`
			`{`
			`alert = "SslExpiry";`
			`expr = "probe_ssl_earliest_cert_expiry - time() <= 0";`
			`for = "5m";`
			`annotations.summary = "{{$labels.instance}}: SSL certificate has expired";`
			`}`
feat: monitoring 2021-09-18 23:54:12 +02:00			`];`
			`}];`
			`})];`

feat(alertmanager): alert via irc 2022-01-13 19:25:28 +01:00			`systemd.services.alertmanager-irc = {`
feat: monitoring 2021-09-18 23:54:12 +02:00			`wantedBy = [ "multi-user.target" ];`
			`after = [ "ip-up.target" ];`
			`serviceConfig = {`
			`DynamicUser = true;`
feat(alertmanager): alert via irc 2022-01-13 19:25:28 +01:00			`StateDirectory = "alert-irc";`
			`ExecStart = ''${pkgs.alertmanager-irc-relay}/bin/alertmanager-irc-relay \`
			`--config ${(pkgs.formats.yaml {}).generate "config.yaml" {`
			`http_host = "0.0.0.0";`
			`http_port = 16330;`
			`irc_host = "irc.r";`
			`irc_port = 6667;`
			`irc_use_ssl = false;`
			`irc_nickname = "niveum";`
			`irc_channels = [ { name = "#niveum"; } ];`
			`msg_template = ''{{ index .Annotations "summary" }} ({{ .Status }})'';`
			`}}`
			`'';`
feat: monitoring 2021-09-18 23:54:12 +02:00			`};`
			`};`

			`services.prometheus.alertmanager = {`
			`enable = true;`
			`listenAddress = "localhost";`
			`configuration = {`
			`route = {`
			`group_wait = "30s";`
			`repeat_interval = "4h";`
			`receiver = "me";`
			`};`
			`receivers = [{`
			`name = "me";`
feat(alertmanager): alert via irc 2022-01-13 19:25:28 +01:00			`webhook_configs = [`
			`{`
			`url = "http://localhost:16330/niveum";`
			`send_resolved = true;`
			`}`
			`];`
feat: monitoring 2021-09-18 23:54:12 +02:00			`}];`
			`};`
			`};`

			`services.prometheus.scrapeConfigs = [`
			`{`
			`job_name = "makanek";`
			`static_configs = [ { targets = [`
			`"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"`
			`]; } ];`
			`}`
feat(monitoring): probe alew.hu-berlin.de 2021-12-13 17:29:09 +01:00			`{`
fix(monitoring): probe alew.hu-berlin.de every 5 min 2021-12-14 00:13:25 +01:00			`scrape_interval = "5m";`
feat(monitoring): probe alew.hu-berlin.de 2021-12-13 17:29:09 +01:00			`job_name = "blackbox";`
			`metrics_path = "/probe";`
			`params.module = [ "http_2xx" ];`
			`relabel_configs = [`
			`{ source_labels = ["__address__"]; target_label = "__param_target"; }`
			`{ source_labels = ["__param_target"]; target_label = "instance"; }`
			`{ replacement = "127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}"; target_label = "__address__"; }`
			`];`
			`static_configs = [{`
			`targets = [`
			`"alew.hu-berlin.de"`
feat(prometheus): monitor more URLs 2022-01-27 15:40:50 +01:00			`"pad.kmein.de"`
			`"code.kmein.de"`
			`"radio.kmein.de"`
			`"tarot.kmein.de"`
			`"cloud.xn--kiern-0qa.de"`
			`"grafana.kmein.r"`
			`"names.kmein.r"`
			`"rrm.r"`
			`"graph.r"`
feat(monitoring): probe alew.hu-berlin.de 2021-12-13 17:29:09 +01:00			`];`
			`}];`
			`}`
feat: monitoring 2021-09-18 23:54:12 +02:00			`{`
			`job_name = "zaatar";`
feat(restic): run on makanek, prometheus 2022-01-18 23:28:53 +01:00			`static_configs = [ { targets = [`
			`"zaatar.r:${toString config.services.prometheus.exporters.node.port}"`
			`"zaatar.r:${toString restic.port}"`
			`]; } ];`
feat: monitoring 2021-09-18 23:54:12 +02:00			`}`
			`];`

feat(monitoring): probe alew.hu-berlin.de 2021-12-13 17:29:09 +01:00
			`services.prometheus.exporters.blackbox = {`
			`enable = true;`
			`configFile = (pkgs.formats.yaml {}).generate "blackbox.yaml" blackboxConfig;`
			`};`

feat(monitoring): add more rules, run grafana in retiolum 2021-09-19 12:03:52 +02:00			`networking.firewall.allowedTCPPorts = [`
			`lokiConfig.server.http_listen_port`
			`];`
feat: monitoring 2021-09-18 23:54:12 +02:00
			`services.loki = {`
			`enable = true;`
			`configFile = (pkgs.formats.yaml {}).generate "loki.yaml" lokiConfig;`
			`};`
			`}`