authorGregor Kleen <gkleen@yggdrasil.li>2021-12-31 16:03:18 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2021-12-31 16:03:18 +0100
commit70b99a56e9dae01397e9692bc6eb5fe23dec15a3 (patch)
treed62855c492353dbbb3b5e0744fc576b351d600d3
parentf4301a77c9410f931c61b851bc5c1076d25dae80 (diff)
vidhar: prometheus: ...
-rw-r--r--hosts/vidhar/default.nix2
-rw-r--r--hosts/vidhar/prometheus.nix148
-rw-r--r--hosts/vidhar/zfs.nix6
-rw-r--r--hosts/vidhar/zte_10.141.1.326
4 files changed, 181 insertions, 1 deletions
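--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -1,7 +1,7 @@
 { hostName, flake, config, pkgs, lib, ... }:
 {
  imports = with flake.nixosModules.systemProfiles; [
- ./zfs.nix ./network.nix ./samba.nix ./dns.nix
+ ./zfs.nix ./network.nix ./samba.nix ./dns.nix ./prometheus.nix
  initrd-all-crypto-modules default-locale openssh rebuild-machines
  build-server
  initrd-ssh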
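--- /dev/null
+++ b/hosts/vidhar/prometheus.nix
@@ -0,0 +1,148 @@
+{ config, lib, pkgs, ... }:
+let
+ relabelHosts = [
+ { source_labels = ["__address__"];
+ target_label = "instance";
+ regex = "localhost(:[0-9]+)?";
+ replacement = "vidhar";
+ }
+ { source_labels = ["__address__"];
+ target_label = "instance";
+ regex = "10.141.1.2(:[0-9]+)?";
+ replacement = "switch01";
+ }
+ ];
+in {
+ config = {
+ services.prometheus = {
+ enable = true;
+
+ exporters = {
+ node.enable = true;
+ smartctl = {
+ enable = true;
+ devices = [
+ "pci-0000:00:1f.2-ata-1"
+ "pci-0000:00:1f.2-ata-3"
+ "pci-0000:00:1f.2-ata-4"
+ "pci-0000:00:1f.2-ata-5"
+ "pci-0000:00:1f.2-ata-6"
+ "pci-0000:02:00.0-nvme-1"
+ "pci-0000:05:00.0-sas-phy0-lun-0"
+ "pci-0000:05:00.0-sas-phy1-lun-0"
+ "pci-0000:06:00.0-nvme-1"
+ ];
+ };
+ snmp = {
+ enable = true;
+ configuration = {
+ default = { auth = { community = "public"; }; version = "2"; };
+ };
+ };
+ unbound = {
+ enable = true;
+ controlInterface = "/run/unbound/unbound.ctl";
+ };
+ wireguard.enable = true;
+ };
+
+ scrapeConfigs = [
+ { job_name = "node";
+ static_configs = [
+ { targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"]; }
+ ];
+ relabel_configs = relabelHosts;
+ }
+ { job_name = "smartctl";
+ static_configs = [
+ { targets = ["localhost:${toString config.services.prometheus.exporters.smartctl.port}"]; }
+ ];
+ relabel_configs = relabelHosts;
+ }
+ { job_name = "snmp";
+ static_configs = [
+ { targets = ["10.141.1.2"]; }
+ ];
+ metrics_path = "/snmp";
+ params = {
+ module = ["if_mib"];
+ };
+ relabel_configs = [
+ { source_labels = ["__address__"];
+ target_label = "__param_target";
+ }
+ { source_labels = ["__param_target"];
+ target_label = "instance";
+ }
+ { replacement = "localhost:${toString config.services.prometheus.exporters.snmp.port}";
+ target_label = "__address__";
+ }
+ ] ++ relabelHosts;
+ }
+ { job_name = "zte";
+ static_configs = [
+ { targets = ["localhost:9900"]; }
+ ];
+ relabel_configs = [
+ { replacement = "telekom";
+ target_label = "instance";
+ }
+ ];
+ }
+ { job_name = "unbound";
+ static_configs = [
+ { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
+ ];
+ relabel_configs = relabelHosts;
+ }
+ { job_name = "wireguard";
+ static_configs = [
+ { targets = ["localhost:${toString config.services.prometheus.exporters.wireguard.port}"]; }
+ ];
+ relabel_configs = relabelHosts;
+ }
+ ];
+ };
+
+ systemd.services."prometheus-zte-exporter@10.141.1.3" = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ Restart = "always";
+ PrivateTmp = true;
+ WorkingDirectory = "/tmp";
+ DynamicUser = true;
+ CapabilityBoundingSet = [""];
+ DeviceAllow = [""];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+
+ Type = "simple";
+ ExecStart = "${pkgs.zte-prometheus-exporter}/bin/zte-prometheus-exporter";
+ Environment = "ZTE_BASEURL=%I ZTE_HOSTNAME=localhost ZTE_PORT=9900";
+ EnvironmentFile = config.sops.secrets."zte_10.141.1.3".path;
+ };
+ };
+ sops.secrets."zte_10.141.1.3" = {
+ format = "binary";
+ sopsFile = ./zte_10.141.1.3;
+ };
+ };
+}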
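Review bot: In the `snmp` job, `relabelHosts` is appended after `__address__` has already been rewritten to `localhost:${toString config.services.prometheus.exporters.snmp.port}`, so its `localhost(:[0-9]+)?` rule matches and overwrites `instance` with `vidhar`, while the `10.141.1.2` rule can never fire; the switch's interface metrics would then be attributed to the host itself. Applying the host rules before the address rewrite keeps the intended `switch01` label, i.e. `relabel_configs = [ <__param_target rule> <instance rule> ] ++ relabelHosts ++ [ { replacement = "localhost:…"; target_label = "__address__"; } ];`. Separately, `community = "public"` with `version = "2"` is SNMPv2c with the default community string, sent in cleartext and written to the world-readable Nix store; a comment stating that the switch restricts SNMP to read-only access from this host, or a move to SNMPv3 with credentials kept in sops like the ZTE secret, would document the intended exposure. The dots in `regex = "10.141.1.2(:[0-9]+)?"` are unescaped and match any character; `"10\\.141\\.1\\.2(:[0-9]+)?"` is stricter.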
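--- a/hosts/vidhar/zfs.nix
+++ b/hosts/vidhar/zfs.nix
@@ -76,6 +76,12 @@ in {
  { device = "ssd-raid1/local/var-lib-samba";
  fsType = "zfs";
  };
+
+ "/var/lib/prometheus2" =
+ { device = "ssd-raid1/local/var-lib-prometheus2";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
 
  "/var/log" =
  { device = "ssd-raid1/local/var-log";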
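--- /dev/null
+++ b/hosts/vidhar/zte_10.141.1.3
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:nAsn7dhfDr0+V1cJjpqWn/kJQt2zGjlfQKi3n5speroJkL3IvMG/9fsTaXJQZSi2gPlrN8GbxKQ=,iv:9g0V3xRBC+sa/JPP2bUZMfg//VuKT5qI7ua9iU4QRCg=,tag:fzwih9OHUBLmx8dxL4BjGg==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2021-12-31T15:00:33Z",
+ "mac": "ENC[AES256_GCM,data:sw2NVXHLibbuOChgScLhSTjGZBjSoHpzIuRqfCW0eL3DwhL5CekG6T/oYu06KjNmxVjxwb3OmqECSU0TUvPn9ySOWwMSoBfyJpDoTHnZ+YOjOH351IOAMBNcBDJse7aLGRWW5YXKLDfmp8Dhg2hlMhCmkVwAquQjPhfmAdJfj64=,iv:wgM/BlRU2XJSGj7KvAo1WRamecffUDnFvv2+4twtsQY=,tag:0mXblJtTGMTvxndedws94A==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2021-12-31T15:00:06Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAn++RT4a1DwWe5FutYxwjV9kCaXPnKYjgNK5T5NQthF4w\nnWprU35P7saYuJqxXfReNxFDahkdju7GyDJPEo1sqtzUdBJilcykTlpno3KgVt5+\n0l4BB0Nab5e9oOx5XdoMLjpQ023qbmOCVdt1/Sny99qFWwCdxubJv1R8nQlCpD/p\nkNnMszzuH+UjYHDap84OQPuD92zbowqljBe3lC9/dHfg3yK+ajRnK3jpZA2V3aBz\n=DY6n\n-----END PGP MESSAGE-----\n",
+ "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
+ },
+ {
+ "created_at": "2021-12-31T15:00:06Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAU2jZECgVflkSbtQkNYD4aeOHEEahbJUJNmXncqoBt2Ew\na7dVkHlBp1WdUF9UBAbkiUEP364fGttFFUf6xORhWiNnWok8gwkzaFKF1Y/zNEjV\n0l4BpY/GSUIFnD92AW/ymrGGDODnDdoLKiyiptkraZO74Ox/hezHJyNwKX4XJq68\naedJ+Xz6JYfYMafHSEMFQsdhihwESt4eIjGM4y8fNEQ97RuaN82tIbUjkWJASoS2\n=ExBD\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file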