authorGregor Kleen <gkleen@yggdrasil.li>2022-01-01 16:51:10 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-01-01 16:51:10 +0100
commita806adad2017413071d20d519d9a5d9b6b937474 (patch)
treed6a23660977c0e78e770783058965d92de243dbd /hosts
parentc389674935494e1246d156515e25ead60551e705 (diff)
downloadnixos-a806adad2017413071d20d519d9a5d9b6b937474.tar
nixos-a806adad2017413071d20d519d9a5d9b6b937474.tar.gz
nixos-a806adad2017413071d20d519d9a5d9b6b937474.tar.bz2
nixos-a806adad2017413071d20d519d9a5d9b6b937474.tar.xz
nixos-a806adad2017413071d20d519d9a5d9b6b937474.zip
vidhar: prometheus: nftables
Diffstat (limited to 'hosts')
-rw-r--r--hosts/vidhar/prometheus/default.nix44
1 files changed, 44 insertions, 0 deletions
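--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -142,6 +142,13 @@ in {
 relabel_configs = relabelHosts;
 scrape_interval = "1s";
 }
+{ job_name = "nftables";
+static_configs = [
+{ targets = ["localhost:9901"]; }
+];
+relabel_configs = relabelHosts;
+scrape_interval = "1s";
+}
 ];
 };
 users.users.${config.services.prometheus.exporters.unbound.user} = {
@@ -193,5 +200,42 @@ in {
 format = "binary";
 sopsFile = ./zte_10.141.1.3;
 };
+
+systemd.services."prometheus-nftables-exporter" = {
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+serviceConfig = {
+Restart = "always";
+PrivateTmp = true;
+WorkingDirectory = "/tmp";
+DynamicUser = true;
+CapabilityBoundingSet = [""];
+DeviceAllow = [""];
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectSystem = "strict";
+RemoveIPC = true;
+RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+UMask = "0077";
+AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+
+Type = "simple";
+ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";
+Environment = "ZTE_HOSTNAME=localhost ZTE_PORT=9901";
+};
+};
 };
 }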
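Review bot: The new unit in the second hunk sets `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];`, but an nftables ruleset is read through the nf_tables netlink interface, so the exporter (or an `nft` child it spawns, since the seccomp filter is inherited) cannot open the AF_NETLINK socket it needs even with CAP_NET_ADMIN granted; the list should read `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];`. The `Environment = "ZTE_HOSTNAME=localhost ZTE_PORT=9901";` line appears to carry variable names over from the ZTE exporter configured just above; if nftables-prometheus-exporter does not read those names it will bind its own default listen address (possibly all interfaces) rather than the `localhost:9901` the new scrape job targets, so the option names should be confirmed against the exporter. Whether the empty `CapabilityBoundingSet = [""]` still lets `AmbientCapabilities = [ "CAP_NET_ADMIN" ]` take effect depends on systemd widening the bounding set for ambient capabilities; the effective capability set of the running service is worth checking after deploy rather than assumed.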