Diffstat (limited to 'hosts/surtr')
-rw-r--r-- | hosts/surtr/prometheus/default.nix | 129 |
1 files changed, 129 insertions, 0 deletions
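--- a/hosts/surtr/prometheus/default.nix
+++ b/hosts/surtr/prometheus/default.nix
@@ -20,6 +20,41 @@ in {
 enable = true;
 enabledCollectors = [];
 };
+unbound = {
+enable = true;
+controlInterface = "/run/unbound/unbound.ctl";
+group = config.services.unbound.group;
+};
+wireguard = {
+enable = true;
+wireguardConfig =
+let
+keys = {
+"sif" = ["yioRagUtRvalJLrTtLp8NPiym6a3RpIcqgVfNL1iyRA=" "zIgyMw5wSernKPmMfDZ+fqaYUjbIQUhsXe+7hIZgJho="];
+"surtr" = ["YP/sWEUWw51czlGxvgrgyEZ+ssx/3C9siufgd0a8d3g=" "6V2EjwvZ07Pebc9g9TNqIlQu57MvqyUsCeIOzky4Txw="];
+"vidhar" = ["IOuHpNQ2ff09HCPKtKY95lDXoRhd8FIBsbB8kaMeUUA=" "jdaF4sx+dhdkTNGxQI6g6JV4XwXgD9QQJQ4f0NYy1gY=" "moESFbO3qUTuoOv6lbzSLrNYSjHkM5hyvAs5XZtQzRA="];
+};
+in pkgs.writeText "wireguard-config" (concatMapStringsSep "\n" ({ name, value }: ''
+[Peer]
+# friendly_name = ${name}
+PublicKey = ${value}
+AllowedIPs = ::/0
+'') (concatLists (mapAttrsToList (host: hostKeys: map (nameValuePair host) hostKeys) keys)));
+};
+blackbox = {
+enable = true;
+configFile = pkgs.writeText "blackbox-config.yaml" (builtins.toJSON {
+modules = {
+"dns_soa" = {
+prober = "dns";
+dns = {
+query_name = ".";
+query_type = "SOA";
+};
+};
+};
+});
+};
 };
 
 globalConfig = {
@@ -53,6 +88,54 @@ in {
 relabel_configs = relabelHosts;
 scrape_interval = "1s";
 }
+{ job_name = "unbound";
+static_configs = [
+{ targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
+];
+relabel_configs = relabelHosts;
+scrape_interval = "1s";
+}
+{ job_name = "wireguard";
+static_configs = [
+{ targets = ["localhost:${toString config.services.prometheus.exporters.wireguard.port}"]; }
+];
+relabel_configs = relabelHosts;
+scrape_interval = "1s";
+}
+{ job_name = "nftables";
+static_configs = [
+{ targets = ["localhost:9901"]; }
+];
+relabel_configs = relabelHosts;
+scrape_interval = "1s";
+}
+{ job_name = "blackbox";
+metrics_path = "/probe";
+params = { module = ["dns_soa"]; };
+static_configs = [
+{ targets = ["127.0.0.53:53" "127.0.0.1:53"]; }
+];
+relabel_configs = [
+{ source_labels = ["__address__"];
+target_label = "__param_target";
+}
+] ++ relabelHosts ++
+[ { source_labels = ["__param_target"];
+target_label = "job";
+regex = "127\.0\.0\.53:53";
+replacement = "systemd-resolved.dns_soa";
+}
+{ source_labels = ["__param_target"];
+target_label = "job";
+regex = "127\.0\.0\.1:53";
+replacement = "unbound.dns_soa";
+}
+{ replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}";
+target_label = "__address__";
+}
+];
+scrape_interval = "5s";
+}
 ];
 
 rules = [
@@ -62,6 +145,52 @@ in {
 })
 ];
 };
+users.users.${config.services.prometheus.exporters.unbound.user} = {
+description = "Prometheus unbound exporter service user";
+isSystemUser = true;
+group = config.services.unbound.group;
+};
+systemd.services."prometheus-unbound-exporter".serviceConfig = {
+DynamicUser = false;
+};
+
+systemd.services."prometheus-nftables-exporter" = {
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+path = with pkgs; [ nftables ];
+serviceConfig = {
+Restart = "always";
+
+PrivateTmp = true;
+WorkingDirectory = "/tmp";
+CapabilityBoundingSet = ["CAP_NET_ADMIN"];
+DynamicUser = true;
+DeviceAllow = [""];
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectSystem = "strict";
+RemoveIPC = true;
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+UMask = "0077";
+AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+
+Type = "simple";
+ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";
+Environment = "NFT_HOSTNAME=localhost NFT_PORT=9901";
+};
+};
 
 sops.secrets."prometheus.key" = {
 format = "binary";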
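Review bot: The blackbox relabel patterns `regex = "127\.0\.0\.53:53"` and `regex = "127\.0\.0\.1:53"` (new lines 125 and 130) do not reach Prometheus as written, because a Nix double-quoted string keeps only the character after an unrecognised backslash escape, so the regex becomes `127.0.0.53:53` with `.` matching any character; with only the two static targets this still relabels correctly, but the literal match the author intended needs `regex = "127\\.0\\.0\\.53:53";` and `regex = "127\\.0\\.0\\.1:53";`. In the new prometheus-nftables-exporter unit (new lines 157–193) the hardening set omits `RestrictAddressFamilies` and `SystemCallFilter`; the exporter only needs a listening socket plus netlink for `nft`, so something like `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];` and `SystemCallFilter = [ "@system-service" ];` would close the remaining gap, to be confirmed by running the unit under them (AF_UNIX may be needed if it logs through the journal socket). The exporter port 9901 is also spelled out twice, in the scrape target (new line 107) and in `Environment` (new line 191); binding it once in a `let` would keep the two in step.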