author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-01 16:51:10 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-01 16:51:10 +0100 |
commit | a806adad2017413071d20d519d9a5d9b6b937474 (patch) | |
tree | d6a23660977c0e78e770783058965d92de243dbd /hosts/vidhar | |
parent | c389674935494e1246d156515e25ead60551e705 (diff) | |
vidhar: prometheus: nftables
Diffstat (limited to 'hosts/vidhar')
-rw-r--r-- | hosts/vidhar/prometheus/default.nix | 44 |
1 files changed, 44 insertions, 0 deletions
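--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -142,6 +142,13 @@ in {
 relabel_configs = relabelHosts;
 scrape_interval = "1s";
 }
+{ job_name = "nftables";
+static_configs = [
+{ targets = ["localhost:9901"]; }
+];
+relabel_configs = relabelHosts;
+scrape_interval = "1s";
+}
 ];
 };
 users.users.${config.services.prometheus.exporters.unbound.user} = {
@@ -193,5 +200,42 @@ in {
 format = "binary";
 sopsFile = ./zte_10.141.1.3;
 };
+
+systemd.services."prometheus-nftables-exporter" = {
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+serviceConfig = {
+Restart = "always";
+PrivateTmp = true;
+WorkingDirectory = "/tmp";
+DynamicUser = true;
+CapabilityBoundingSet = [""];
+DeviceAllow = [""];
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectSystem = "strict";
+RemoveIPC = true;
+RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+UMask = "0077";
+AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+
+Type = "simple";
+ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";
+Environment = "ZTE_HOSTNAME=localhost ZTE_PORT=9901";
+};
+};
 };
 }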
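Review bot: `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]` (new line 227) leaves out AF_NETLINK, yet reading the nftables ruleset goes through a NETLINK_NETFILTER socket (whether the exporter uses libnftables directly or forks `nft`, which inherits the same filter), so the socket() call should fail with EAFNOSUPPORT and the unit will restart-loop under `Restart = "always"`; change it to `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];`. The empty `CapabilityBoundingSet = [""]` next to `AmbientCapabilities = [ "CAP_NET_ADMIN" ]` is also worth writing as `CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];`, because an ambient capability can only be raised when it is also in the bounding set; systemd may widen the bounding set on its own, but naming the one capability the exporter needs makes the privilege reviewable. The `ZTE_HOSTNAME`/`ZTE_PORT` names in `Environment` look carried over from the zte exporter whose sops secret sits just above this hunk; if nftables-prometheus-exporter does not read those variables it will listen on its built-in default address rather than localhost:9901, so the scrape job added in the first hunk fails and the firewall metrics are served wherever that default binds — confirm the variable names against the exporter's documentation. A short comment above `serviceConfig`, such as `# read-only ruleset dump needs CAP_NET_ADMIN plus an AF_NETLINK socket`, would explain why these two exceptions to the otherwise fully locked-down unit exist.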