Services: enable parent/child config for Netdata

flake.lock

@@ -234,11 +234,11 @@
     "nix-secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1723838364,
+        "lastModified": 1724432746,
-        "narHash": "sha256-L1KajQACN1256oVG//QPXWuVbuzxlSAlOjXT67i6c0Q=",
+        "narHash": "sha256-s7XsY4ZsS9jyzZWpXOJNVzc03SNQbALM+S28QKXc8co=",
         "ref": "refs/heads/main",
-        "rev": "d57c296dab0ec1e7c6f28c7741d9a591b35117da",
+        "rev": "56ccf5bf3f4d8687dc22c390cdafe20c08a7e549",
-        "revCount": 59,
+        "revCount": 60,
         "type": "git",
         "url": "file:./nix-secrets"
       },

flake.nix

@@ -87,19 +87,11 @@
     in
     {
       formatter = forAllSystems (pkgs: pkgs.nixfmt-rfc-style);
+
       nixosConfigurations = {
 
         Dimaga = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";
-
-          # Add unstable repo
-          specialArgs = {
-            pkgs-unstable = import nixpkgs-unstable {
-              system = "x86_64-linux";
-              config.allowUnfree = true;
-            };
-          };
-
           modules = defaultModules ++ [
             nixos-hardware.nixosModules.common-cpu-intel
             ./hosts/Dimaga

hosts/Dimaga/default.nix

@@ -173,10 +173,12 @@ in
       netdata = {
         enable = true;
         domain = config.secrets.networking.primaryDomain;
+        type = "parent";
         url = config.secrets.services.netdata.url;
         auth = {
           user = config.users.users.aires.name;
           password = config.secrets.services.netdata.password;
+          apiKey = config.secrets.services.netdata.apiKey;
         };
       };
       nginx = {

hosts/Shura/default.nix

@@ -66,6 +66,12 @@ in
         onCalendar = "daily";
         user = config.users.users.aires.name;
       };
+      netdata = {
+        enable = true;
+        type = "child";
+        url = config.secrets.services.netdata.url;
+        auth.apiKey = config.secrets.services.netdata.apiKey;
+      };
       # Install virtual machine management tools
       virtualization = {
         enable = true;

modules/common.nix

@@ -1,5 +1,10 @@
 # Modules common to all systems
-{ pkgs, config, ... }:
+{
+  pkgs,
+  config,
+  inputs,
+  ...
+}:
 
 {
   config = {
@@ -14,6 +19,16 @@
       ];
     };
 
+    # Allow packages from the unstable repo by using 'pkgs.unstable'
+    nixpkgs.overlays = [
+      (final: _prev: {
+        unstable = import inputs.nixpkgs-unstable {
+          system = final.system;
+          config.allowUnfree = true;
+        };
+      })
+    ];
+
     programs = {
       # Enable NH, an alternative nixos-rebuild frontend.
       nh = {

modules/services/netdata.nix

@@ -1,6 +1,5 @@
 {
   pkgs,
-  pkgs-unstable,
   config,
   lib,
   ...
@@ -23,6 +22,11 @@ in
           type = lib.types.str;
           description = "Password for basic auth.";
         };
+        apiKey = lib.mkOption {
+          default = "";
+          type = lib.types.str;
+          description = "API key for streaming data from a child to a parent.";
+        };
       };
       domain = lib.mkOption {
         default = "";
@@ -30,6 +34,15 @@ in
         description = "The root domain that Netdata will be hosted on.";
         example = "example.com";
       };
+      type = lib.mkOption {
+        default = "parent";
+        type = lib.types.enum [
+          "parent"
+          "child"
+        ];
+        description = "Whether this is a parent (default: includes web UI) or child (no web UI - streaming only).";
+        example = "child";
+      };
       url = lib.mkOption {
         default = "";
         type = lib.types.str;
@@ -39,42 +52,81 @@ in
     };
   };
 
-  config = lib.mkIf cfg.enable {
+  config = lib.mkMerge [
-
+    (lib.mkIf cfg.enable {
-    services = {
+      services.netdata = {
-      nginx.virtualHosts."${cfg.url}" = {
-        useACMEHost = cfg.domain;
-        forceSSL = true;
-        basicAuth = {
-          "${cfg.auth.user}" = cfg.auth.password;
-        };
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:19999";
-          extraConfig = ''
-            # Taken from https://learn.netdata.cloud/docs/netdata-agent/configuration/running-the-netdata-agent-behind-a-reverse-proxy/nginx
-            proxy_set_header X-Forwarded-Host $host;
-            proxy_set_header X-Forwarded-Server $host;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_pass_request_headers on;
-            proxy_set_header Connection "keep-alive";
-            proxy_store off;
-          '';
-        };
-      };
-
-      netdata = {
         enable = true;
-        package = pkgs-unstable.netdataCloud;
+        package = pkgs.unstable.netdataCloud;
         enableAnalyticsReporting = false;
+      };
+    })
+    (lib.mkIf (cfg.type == "parent") {
+      services = {
+        nginx.virtualHosts."${cfg.url}" = {
+          useACMEHost = cfg.domain;
+          forceSSL = true;
+          basicAuth = {
+            "${cfg.auth.user}" = cfg.auth.password;
+          };
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:19999";
+            extraConfig = ''
+              # Taken from https://learn.netdata.cloud/docs/netdata-agent/configuration/running-the-netdata-agent-behind-a-reverse-proxy/nginx
+              proxy_set_header X-Forwarded-Host $host;
+              proxy_set_header X-Forwarded-Server $host;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_pass_request_headers on;
+              proxy_set_header Connection "keep-alive";
+              proxy_store off;
+            '';
+          };
+        };
+
+        netdata = {
+          configDir = {
+            # Enable nvidia-smi: https://nixos.wiki/wiki/Netdata#nvidia-smi
+            "python.d.conf" = pkgs.writeText "python.d.conf" ''
+              nvidia_smi: yes
+            '';
+            # Allow incoming streams
+            "stream.conf" = pkgs.writeText "stream.conf" ''
+              [${config.secrets.services.netdata.apiKey}]
+                enabled = yes
+                default history = 3600
+                default memory mode = dbengine
+                health enabled by default = auto
+                allow streaming from = *
+            '';
+          };
+        };
+      };
+      systemd.services.nginx.wants = [ config.systemd.services.netdata.name ];
+    })
+
+    (lib.mkIf (cfg.type == "child") {
+      services.netdata = {
+        # Disable web UI
+        config = {
+          global = {
+            "memory mode" = "none";
+          };
+          web = {
+            mode = "none";
+            "accept a streaming request every seconds" = 0;
+          };
+        };
+        # Set up streaming
         configDir = {
-          # Enable nvidia-smi: https://nixos.wiki/wiki/Netdata#nvidia-smi
+          "stream.conf" = pkgs.writeText "stream.conf" ''
-          "python.d.conf" = pkgs.writeText "python.d.conf" ''
+            [stream]
-            nvidia_smi: yes
+              enabled = yes
+              destination = ${cfg.url}:SSL
+              api key = ${cfg.auth.apiKey}
+            [${cfg.auth.apiKey}]
+              enabled = yes 
           '';
         };
       };
-    };
+    })
-    systemd.services.nginx.wants = [ config.systemd.services.netdata.name ];
+  ];
-
-  };
 }

nix-secrets

@@ -1 +1 @@
-Subproject commit d57c296dab0ec1e7c6f28c7741d9a591b35117da
+Subproject commit 56ccf5bf3f4d8687dc22c390cdafe20c08a7e549