Diffstat (limited to 'hosts/surtr')
-rw-r--r--hosts/surtr/prometheus/default.nix129
1 files changed, 129 insertions, 0 deletions
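diff --git a/hosts/surtr/prometheus/default.nix b/hosts/surtr/prometheus/default.nix
index 26144302..a3ce4976 100644
--- a/hosts/surtr/prometheus/default.nix
+++ b/hosts/surtr/prometheus/default.nix
@@ -20,6 +20,41 @@ in {
 enable = true;
 enabledCollectors = [];
 };
+unbound = {
+enable = true;
+controlInterface = "/run/unbound/unbound.ctl";
+group = config.services.unbound.group;
+};
+wireguard = {
+enable = true;
+wireguardConfig =
+let
+keys = {
+"sif" = ["yioRagUtRvalJLrTtLp8NPiym6a3RpIcqgVfNL1iyRA=" "zIgyMw5wSernKPmMfDZ+fqaYUjbIQUhsXe+7hIZgJho="];
+"surtr" = ["YP/sWEUWw51czlGxvgrgyEZ+ssx/3C9siufgd0a8d3g=" "6V2EjwvZ07Pebc9g9TNqIlQu57MvqyUsCeIOzky4Txw="];
+"vidhar" = ["IOuHpNQ2ff09HCPKtKY95lDXoRhd8FIBsbB8kaMeUUA=" "jdaF4sx+dhdkTNGxQI6g6JV4XwXgD9QQJQ4f0NYy1gY=" "moESFbO3qUTuoOv6lbzSLrNYSjHkM5hyvAs5XZtQzRA="];
+};
+in pkgs.writeText "wireguard-config" (concatMapStringsSep "\n" ({ name, value }: ''
+[Peer]
+# friendly_name = ${name}
+PublicKey = ${value}
+AllowedIPs = ::/0
+'') (concatLists (mapAttrsToList (host: hostKeys: map (nameValuePair host) hostKeys) keys)));
+};
+blackbox = {
+enable = true;
+configFile = pkgs.writeText "blackbox-config.yaml" (builtins.toJSON {
+modules = {
+"dns_soa" = {
+prober = "dns";
+dns = {
+query_name = ".";
+query_type = "SOA";
+};
+};
+};
+});
+};
 };
 
 globalConfig = {
@@ -53,6 +88,54 @@ in {
 relabel_configs = relabelHosts;
 scrape_interval = "1s";
 }
+{ job_name = "unbound";
+static_configs = [
+{ targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
+];
+relabel_configs = relabelHosts;
+scrape_interval = "1s";
+}
+{ job_name = "wireguard";
+static_configs = [
+{ targets = ["localhost:${toString config.services.prometheus.exporters.wireguard.port}"]; }
+];
+relabel_configs = relabelHosts;
+scrape_interval = "1s";
+}
+{ job_name = "nftables";
+static_configs = [
+{ targets = ["localhost:9901"]; }
+];
+relabel_configs = relabelHosts;
+scrape_interval = "1s";
+}
+{ job_name = "blackbox";
+metrics_path = "/probe";
+params = { module = ["dns_soa"]; };
+static_configs = [
+{ targets = ["127.0.0.53:53" "127.0.0.1:53"]; }
+];
+relabel_configs = [
+{ source_labels = ["__address__"];
+target_label = "__param_target";
+}
+] ++ relabelHosts ++
+[ { source_labels = ["__param_target"];
+target_label = "job";
+regex = "127\.0\.0\.53:53";
+replacement = "systemd-resolved.dns_soa";
+}
+{ source_labels = ["__param_target"];
+target_label = "job";
+regex = "127\.0\.0\.1:53";
+replacement = "unbound.dns_soa";
+}
+{ replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}";
+target_label = "__address__";
+}
+];
+scrape_interval = "5s";
+}
 ];
 
 rules = [
@@ -62,6 +145,52 @@ in {
 })
 ];
 };
+users.users.${config.services.prometheus.exporters.unbound.user} = {
+description = "Prometheus unbound exporter service user";
+isSystemUser = true;
+group = config.services.unbound.group;
+};
+systemd.services."prometheus-unbound-exporter".serviceConfig = {
+DynamicUser = false;
+};
+
+systemd.services."prometheus-nftables-exporter" = {
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+path = with pkgs; [ nftables ];
+serviceConfig = {
+Restart = "always";
+
+PrivateTmp = true;
+WorkingDirectory = "/tmp";
+CapabilityBoundingSet = ["CAP_NET_ADMIN"];
+DynamicUser = true;
+DeviceAllow = [""];
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectSystem = "strict";
+RemoveIPC = true;
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+UMask = "0077";
+AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+
+Type = "simple";
+ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";
+Environment = "NFT_HOSTNAME=localhost NFT_PORT=9901";
+};
+};
 
 sops.secrets."prometheus.key" = {
 format = "binary";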
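Review bot: The relabel regexes on new lines 125 and 130 (`regex = "127\.0\.0\.53:53";` and `regex = "127\.0\.0\.1:53";`) lose their escaping, because inside a Nix double-quoted string `\.` evaluates to a bare `.`, so the generated Prometheus config carries `127.0.0.53:53` where each `.` matches any character. Prometheus anchors relabel regexes, so the practical consequence is a mislabelled job on an unexpected target rather than a failure, but the intent is clearly a literal match; use `regex = "127\\.0\\.0\\.53:53";` and `regex = "127\\.0\\.0\\.1:53";` (or an indented `''…''` string, which does not interpret backslashes). The nftables exporter unit on lines 157–193 is otherwise thoroughly hardened but sets no `RestrictAddressFamilies` or `SystemCallFilter`; presumably `[ "AF_INET" "AF_INET6" "AF_NETLINK" ]` would cover the HTTP listener and the nftables netlink socket, which is worth confirming against the exporter before adding it. The port 9901 is spelled twice, as the scrape target on line 107 and as `NFT_PORT` on line 191; binding it once in a `let` would keep the two from drifting apart.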