add monitoring

config/default.nix

@@ -11,6 +11,7 @@
     ./http
     ./search
     ./security
+    ./monitoring
   ];
   system.stateVersion = "25.05";
 }

config/monitoring/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./grafana.nix
+    ./prometheus.nix
+  ];
+}

config/monitoring/grafana.nix

@@ -0,0 +1,93 @@
+{config, ...}: let
+  cfg = config.services.grafana;
+  owner = config.customOps.owner;
+  domain = config.customOps.domain.fqdn;
+  hostname = config.networking.hostName;
+  subdomain = "${hostname}.${domain}";
+
+  dashboardsDir = ./dashboards;
+  dashboardFiles = builtins.attrNames (builtins.readDir dashboardsDir);
+in {
+  sops.secrets."grafana/admin_password".owner = "grafana";
+
+  services.nginx.virtualHosts."${subdomain}" = {
+    locations."/" = {
+      proxyPass = "http://${
+        toString cfg.settings.server.http_addr
+      }:${
+        toString cfg.settings.server.http_port
+      }";
+      proxyWebsockets = true;
+      recommendedProxySettings = true;
+    };
+    forceSSL = true;
+    enableACME = true;
+  };
+
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        http_addr = "127.0.0.1";
+        http_port = 3030;
+        domain = subdomain;
+        enforce_domain = true;
+        enable_gzip = true;
+      };
+      security = {
+        disable_initial_admin_creation = false;
+        admin_user = owner;
+        admin_email = "admin.grafana@${domain}";
+        admin_password = "$__file{${
+          config.sops.secrets."grafana/admin_password".path
+        }}";
+        disable_brute_force_login_protection = false;
+        brute_force_login_protection_max_attempts = 3;
+        disable_username_login_protection = false;
+        disable_ip_address_login_protection = false;
+        cookie_secure = true;
+        cookie_samesite = "strict";
+      };
+      analytics = {
+        reporting_enabled = false;
+        check_for_updates = false;
+      };
+    };
+
+    provision = {
+      enable = true;
+      dashboards.settings.providers = [
+        {
+          name = "dashboards";
+          disableDeletion = true;
+          options = {
+            path = "/etc/grafana-dashboards";
+            foldersFromFilesStructure = true;
+          };
+        }
+      ];
+
+      datasources.settings.datasources = [
+        {
+          name = "prometheus";
+          type = "prometheus";
+          url = "http://${
+            config.services.prometheus.listenAddress
+          }:${
+            toString config.services.prometheus.port
+          }";
+          isDefault = true;
+          editable = false;
+        }
+      ];
+    };
+  };
+
+  environment.etc = builtins.listToAttrs (map (
+      name: {
+        name = "grafana-dashboards/" + name;
+        value = {source = dashboardsDir + "/" + name;};
+      }
+    )
+    dashboardFiles);
+}

config/monitoring/prometheus.nix

@@ -0,0 +1,40 @@
+{config, ...}: {
+  services.prometheus = {
+    enable = true;
+    port = 9100;
+    globalConfig.scrape_interval = "1m";
+    scrapeConfigs = [
+      {
+        job_name = "node";
+        static_configs = [
+          {
+            targets = [
+              "localhost:${
+                toString
+                config.services.prometheus.exporters.node.port
+              }"
+            ];
+          }
+        ];
+      }
+    ];
+
+    exporters = {
+      node = {
+        enable = true;
+        port = 9101;
+        enabledCollectors = [
+          "ethtool"
+          "softirqs"
+          "systemd"
+          "tcpstat"
+          "wifi"
+        ];
+        extraFlags = [
+          "--collector.ntp.protocol-version=4"
+          "--no-collector.mdadm"
+        ];
+      };
+    };
+  };
+}

config/network.nix

@@ -26,6 +26,7 @@ in {
       MaxAdvertisedBandwidth = "100 MB";
       BandWidthRate = "100 MB";
       RelayBandwidthRate = "100 MB";
+      RelayBandwidthBurst = "100 MB";
 
       CookieAuthentication = true;
       AvoidDiskWrites = 1;

secrets.yaml

@@ -15,6 +15,8 @@ forgejo:
     admin: ENC[AES256_GCM,data:yWvcNrmQJJTyUrML8ibkxLlDgp7/Ac4JD4GZ8ArwmJdZeDuedSIWZV8j/nr0Tg==,iv:AqDV5QEneIZ+KcrJF1mBEZiXZ7QxFfwxnSGxGVWAhCc=,tag:EPfeCvDAGsMLkhE4QawoDQ==,type:str]
     mail: ENC[AES256_GCM,data:+pohnzkYs6RsusDhuX7s48stYRJfS66AXx05J3xi6RdL3d3eJ2iCIcwQs1wIzbVsyA==,iv:7dV2B0Tyh65iQlfemaynYJFvt0NOXWWSonwu0y7grG8=,tag:Km7cKbe9RMxtT2lJDizYpQ==,type:str]
     secret: ENC[AES256_GCM,data:/c9me5lpSIX2AFjqWm+YFdP+5dIxMI+k55GA7agDiTX0A3hlbDaqSZCE9R5YtlBXTeiY1jvoksMZVoW0340RzA==,iv:/CL9L3PH7viJaVxMLv2MVJY9akD3lbk9TThJkn9g4bg=,tag:q9eChmyBd/vzY9UlGGP2gw==,type:str]
+grafana:
+    admin_password: ENC[AES256_GCM,data:MBJ4NBXxF4Fu/QG56XjYVuaHXF5Mz9XpdAArYdpFMZOSJ9f/HaxXJf8OTqIdEvo=,iv:gFMAZcBWGfzJwF8gDxp/D16pbtNW/Lmynjdk9Th2Qc4=,tag:oNi2zahi+bdyguISlMMzZg==,type:str]
 sops:
     age:
         - recipient: age1jcl6pr27ne5qmnadh723lhlu0js5dnt050akvaxmhvapm3yz9yqqkpakxs
@@ -26,7 +28,7 @@ sops:
             L0NsZWFmd3UwblExc3UrVVVraHVTTm8KyUN1t1NgQG8+zHViKXT4fwnuFBVgzhYw
             WbCHfzut3a55ta1B50hQGFlPcUZDPImUg4wKmkdc7vurg02vOTgwUQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-29T15:03:27Z"
+    lastmodified: "2026-01-30T03:55:15Z"
-    mac: ENC[AES256_GCM,data:9E1gL8PdR7MAt6+jd5U/M/ja+NuAwDvlLXfPLBkVtsSIl6TudPme4Neoa/6aePME5nSqqDbOUTpjEZWwCqIR6iL578/tGGu7My5UNagqgo18O1x4nBgHiw4AWGVwtFWSQ4AA8itte/GkrLHrGtXqDbN/p7LiMLb+ch0Za3zdHUM=,iv:mwns7En2tO/JIe+fGMFT83rRu6etnuCmofBQV1uAdRg=,tag:eJ+ITIQ69iqi66/lYPuyWw==,type:str]
+    mac: ENC[AES256_GCM,data:EN0cKMMgImKSMPBHDxAsmxX+TVfeL0OZMLumhsRVpzG5/aagTmaKmJ2pmDqDeZa7ZkoWRF3vfShET0LVgFi9aQMpCyzShKuPNpvpA/gxwc1Ud7Dkkx6K0vVyQWRsI0cWgiM6hWIzRzpxDvTdlZ1xyGxkpEG5IsAkdIBKi5l4svQ=,iv:hX/BpaJ4p2XltQHaxB3cVE6GzRWYzD0Fs4r3VpFTJbM=,tag:a562G3pwjPxNbHuUKWp6DQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0