...

author: Gregor Kleen <gkleen@yggdrasil.li> 2025-10-16 08:54:47 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2025-10-16 08:54:47 +0200
commit: 38e371ebe3006fd42ec07892c439872581632b8f (patch)
tree: 60cc2117e09b33dd79e6acbd8f409fedf4766a29
parent: 41efa2ab074e43021fea33ce03c36f60b24cffa9 (diff)
download: nixos-38e371ebe3006fd42ec07892c439872581632b8f.tar
nixos-38e371ebe3006fd42ec07892c439872581632b8f.tar.gz
nixos-38e371ebe3006fd42ec07892c439872581632b8f.tar.bz2
nixos-38e371ebe3006fd42ec07892c439872581632b8f.tar.xz
nixos-38e371ebe3006fd42ec07892c439872581632b8f.zip
7 files changed, 93 insertions, 17 deletions
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 547572c6..1c60ed22 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -157,8 +157,6 @@ with lib;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      commonHttpConfig = ''
-        ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
        log_format main
                '$remote_addr "$remote_user" '
                '"$host" "$request" $status $bytes_sent '
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 5245972d..6fcef9d8 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ pkgs, lib, config, ... }:
 with lib;
diff --git a/hosts/vidhar/network/pppoe.nix b/hosts/vidhar/network/pppoe.nix
index da64b353..ff70cc0f 100644
--- a/hosts/vidhar/network/pppoe.nix
+++ b/hosts/vidhar/network/pppoe.nix
@@ -70,8 +70,8 @@ in {
            tc qdisc add dev "${pppInterface}" handle ffff: ingress
            tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}"
-            tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth ${toString (builtins.floor (159 * 0.95))}mbit
+            tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth ${toString (builtins.floor (177968 * 0.95))}kbit
-            tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth ${toString (builtins.floor (36 * 0.95))}mbit
+            tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth ${toString (builtins.floor (41216 * 0.95))}kbit
          '';
        };
      in "${app}/bin/${app.meta.mainProgram}";
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index 094f9f7a..005af680 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -145,6 +145,17 @@ in {
          ];
          scrape_interval = "15s";
        }
+        { job_name = "zte";
+          static_configs = [
+            { targets = ["localhost:9900"]; }
+          ];
+          relabel_configs = [
+            { replacement = "dsl01";
+              target_label = "instance";
+            }
+          ];
+          scrape_interval = "15s";
+        }
        { job_name = "unbound";
          static_configs = [
            { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
@@ -425,6 +436,47 @@ in {
      };
    };
+    systemd.services."prometheus-zte-exporter@dsl01.mgmt.yggdrasil" = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      serviceConfig = {
+        Restart = "always";
+        PrivateTmp = true;
+        WorkingDirectory = "/tmp";
+        DynamicUser = true;
+        CapabilityBoundingSet = [""];
+        DeviceAllow = [""];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        UMask = "0077";
+        Type = "simple";
+        ExecStart = "${pkgs.zte-prometheus-exporter}/bin/zte-prometheus-exporter";
+        Environment = "ZTE_BASEURL=http://%I ZTE_HOSTNAME=localhost ZTE_PORT=9900";
+        EnvironmentFile = config.sops.secrets."zte_dsl01.mgmt.yggdrasil".path;
+      };
+    };
+    sops.secrets."zte_dsl01.mgmt.yggdrasil" = {
+      format = "binary";
+      sopsFile = ./zte_dsl01.mgmt.yggdrasil;
+    };
    services.nginx = {
      upstreams.prometheus = {
        servers = { "localhost:${toString config.services.prometheus.port}" = {}; };
diff --git a/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil b/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil
new file mode 100644
index 00000000..1c9c1fe0
--- /dev/null
+++ b/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:nAsn7dhfDr0+V1cJjpqWn/kJQt2zGjlfQKi3n5speroJkL3IvMG/9fsTaXJQZSi2gPlrN8GbxKQ=,iv:9g0V3xRBC+sa/JPP2bUZMfg//VuKT5qI7ua9iU4QRCg=,tag:fzwih9OHUBLmx8dxL4BjGg==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": [
+                        {
+                                "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaEE3bUFBY0xKSDUrVnc2\nbFpjSkNOSm56amJTNjdXcTljdDNRREhITm1NCjZrOUEwNFpxN2FmTVV5T2xCbENk\nMEFmVzlPZ29CTlJ4dVNCRUsyRFFseXcKLS0tIEhscVZ4VUVsaG9OUnBIRFE4WXA2\ncGFnbWpNMlNIQzFLc1Ryc1Z3NUl1bVUKi9zYBlF2vslGKu4GP368ApbvuxjZnQpF\nuOujXSNoEps21wY6xUENm+CbYbgaJjSgmb5c1IjAmnubVI4JVY9OyQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2021-12-31T15:00:33Z",
+                "mac": "ENC[AES256_GCM,data:sw2NVXHLibbuOChgScLhSTjGZBjSoHpzIuRqfCW0eL3DwhL5CekG6T/oYu06KjNmxVjxwb3OmqECSU0TUvPn9ySOWwMSoBfyJpDoTHnZ+YOjOH351IOAMBNcBDJse7aLGRWW5YXKLDfmp8Dhg2hlMhCmkVwAquQjPhfmAdJfj64=,iv:wgM/BlRU2XJSGj7KvAo1WRamecffUDnFvv2+4twtsQY=,tag:0mXblJtTGMTvxndedws94A==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2023-01-30T10:58:49Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAcwl1Blp3J5wgpRJKbYI1G1yEZrRYeYuoDtYUh3ToMAQw\nd92/bIJJR5Ml91eDym9uBN0fFRRy72r6FOx4qZT7S4DhmuA84qCbASjF8bKSclc0\n0l4BBXvDS5Dz1Q7iYc+LxZjHASV1v73A+MaeCFvG/pjmHzF0z0EzBiAJD4ZWGcP0\nX2dDbjl+n9VFrvmeLRxQNh4XZW43iTXdRjwHDgm16zhd9X6VOVhr5UkC4Nyjq2Ar\n=4ZEa\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
+\ No newline at end of file
diff --git a/overlays/nftables-prometheus-exporter/nftables-prometheus-exporter.py b/overlays/nftables-prometheus-exporter/nftables-prometheus-exporter.py
index 484228c8..60ef4670 100644
--- a/overlays/nftables-prometheus-exporter/nftables-prometheus-exporter.py
+++ b/overlays/nftables-prometheus-exporter/nftables-prometheus-exporter.py
@@ -42,7 +42,7 @@ class NFTMetrics:
            cls._instance = cls.__new__(cls)
            cls._instance.attrs = None
        return cls._instance
-    
    def __init__(self):
        raise RuntimeError('Call instance() instead')
@@ -62,7 +62,7 @@ class NFTMetrics:
                raise RuntimeError(f'nftables json schema v{version} is not supported')
            queries[query_name] = data['nftables'][1:]
-        
        def extract_query(query_name, type_name):
            return [
                item[type_name]
@@ -98,21 +98,21 @@ class NFTMetrics:
        metrics += _format_prom_metrics('nftables_counter_packets_count', 'counter', counter_packets)
        map_counts = []
-        for meter in self.attrs['maps']:
+        for item in self.attrs['maps']:
            labels = {  k: v for k, v in counter.items() if k not in set(['elem']) }
-            map_counts += [(labels, len(meter['elem']))]
+            map_counts += [(labels, len(item['elem']) if 'elem' in item else 0)]
        metrics += _format_prom_metrics('nftables_map_elem_count', 'gauge', map_counts)
        meter_counts = []
-        for meter in self.attrs['meters']:
+        for item in self.attrs['meters']:
            labels = {  k: v for k, v in counter.items() if k not in set(['elem']) }
-            meter_counts += [(labels, len(meter['elem']))]
+            item_counts += [(labels, len(item['elem']) if 'elem' in item else 0)]
        metrics += _format_prom_metrics('nftables_meter_elem_count', 'gauge', meter_counts)
-            
        set_counts = []
-        for meter in self.attrs['sets']:
+        for item in self.attrs['sets']:
            labels = {  k: v for k, v in counter.items() if k not in set(['elem']) }
-            set_counts += [(labels, len(meter['elem']))]
+            set_counts += [(labels, len(item['elem']) if 'elem' in item else 0)]
        metrics += _format_prom_metrics('nftables_set_elem_count', 'gauge', set_counts)
        return metrics.encode('utf-8')
@@ -120,7 +120,7 @@ class NFTMetrics:
 class NFTMetricsServer(BaseHTTPRequestHandler):
    def log_message(self, format, *args):
        pass
-    
    def do_GET(self):
        nft_metrics = NFTMetrics.instance()
        nft_metrics.update()
@@ -138,7 +138,7 @@ class NFTMetricsServer(BaseHTTPRequestHandler):
                self.send_response(200)
                self.send_header("Content-type", "text/plain")
                self.end_headers()
-                
                self.wfile.write(nft_metrics.prometheus())
            case _:
                self.send_response(404)
diff --git a/overlays/zte-prometheus-exporter/default.nix b/overlays/zte-prometheus-exporter/default.nix
index cd4207cd..6295567d 100644
--- a/overlays/zte-prometheus-exporter/default.nix
+++ b/overlays/zte-prometheus-exporter/default.nix
@@ -1,7 +1,7 @@
 { final, prev, ... }:
 let
  packageOverrides = final.callPackage ./python-packages.nix {};
-  inpPython = final.python310.override { inherit packageOverrides; };
+  inpPython = final.python3.override { inherit packageOverrides; };
  python = inpPython.withPackages (ps: with ps; [pytimeparse requests]);
 in {
  zte-prometheus-exporter = prev.stdenv.mkDerivation rec {
author	Gregor Kleen <gkleen@yggdrasil.li>	2025-10-16 08:54:47 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2025-10-16 08:54:47 +0200
commit	38e371ebe3006fd42ec07892c439872581632b8f (patch)
tree	60cc2117e09b33dd79e6acbd8f409fedf4766a29
parent	41efa2ab074e43021fea33ce03c36f60b24cffa9 (diff)
download	nixos-38e371ebe3006fd42ec07892c439872581632b8f.tar nixos-38e371ebe3006fd42ec07892c439872581632b8f.tar.gz nixos-38e371ebe3006fd42ec07892c439872581632b8f.tar.bz2 nixos-38e371ebe3006fd42ec07892c439872581632b8f.tar.xz nixos-38e371ebe3006fd42ec07892c439872581632b8f.zip