homelab-nomad/core/metrics.tf

resource "nomad_job" "exporters" {
  hcl2 {
    enabled = true
  }

  jobspec = templatefile("${path.module}/exporters.nomad", {
    use_wesher = var.use_wesher,
  })
}

resource "nomad_job" "prometheus" {
  hcl2 {
    enabled = true
  }

  jobspec = templatefile("${path.module}/prometheus.nomad", {
    use_wesher = var.use_wesher,
  })
}

resource "nomad_job" "grafana" {
  hcl2 {
    enabled = true
  }

  jobspec = templatefile("${path.module}/grafana.nomad", {
    module_path = path.module
    use_wesher  = var.use_wesher
  })

  depends_on = [nomad_job.prometheus]
}

# Generate secrets and policies for access to MySQL
resource "nomad_acl_policy" "grafana_mysql_bootstrap_secrets" {
  name        = "grafana-secrets-mysql"
  description = "Give access to MySQL secrets"
  rules_hcl   = <<EOH
namespace "default" {
  variables {
    path "secrets/mysql" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = "grafana"
    group  = "grafana"
    task   = "mysql-bootstrap"
  }
}

resource "random_password" "grafana_mysql_psk" {
  length           = 32
  override_special = "!@#%&*-_="
}

resource "nomad_variable" "grafana_mysql_psk" {
  path = "secrets/mysql/allowed_psks/grafana"
  items = {
    psk = "grafana:${resource.random_password.grafana_mysql_psk.result}"
  }
}

resource "nomad_acl_policy" "grafana_mysql_psk" {
  name        = "grafana-secrets-mysql-psk"
  description = "Give access to MySQL PSK secrets"
  rules_hcl   = <<EOH
namespace "default" {
  variables {
    path "secrets/mysql/allowed_psks/grafana" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = "grafana"
    group  = "grafana"
    task   = "stunnel"
  }
}