1 files changed, 167 insertions, 0 deletions
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
new file mode 100644
index 00000000..cb7567c9
--- /dev/null
+++ b/hosts/vidhar/prometheus/default.nix
@@ -0,0 +1,167 @@
+{ config, lib, pkgs, ... }:
+let
+  relabelHosts = [
+    { source_labels = ["__address__"];
+      target_label = "instance";
+      regex = "localhost(:[0-9]+)?";
+      replacement = "vidhar";
+    }
+    { source_labels = ["__address__"];
+      target_label = "instance";
+      regex = "10.141.1.2(:[0-9]+)?";
+      replacement = "switch01";
+    }
+  ];
+in {
+  config = {
+    services.prometheus = {
+      enable = true;
+      exporters = {
+        node.enable = true;
+        smartctl = {
+          enable = true;
+          devices = map (dev: "/dev/disk/by-path/${dev}") [
+            "pci-0000:00:1f.2-ata-1"
+            "pci-0000:00:1f.2-ata-3"
+            "pci-0000:00:1f.2-ata-4"
+            "pci-0000:00:1f.2-ata-5"
+            "pci-0000:00:1f.2-ata-6"
+            "pci-0000:02:00.0-nvme-1"
+            "pci-0000:05:00.0-sas-phy0-lun-0"
+            "pci-0000:05:00.0-sas-phy1-lun-0"
+            "pci-0000:06:00.0-nvme-1"
+          ];
+        };
+        snmp = {
+          enable = true;
+          configurationPath = ./snmp.yml;
+        };
+        unbound = {
+          enable = true;
+          controlInterface = "/run/unbound/unbound.ctl";
+          group = config.services.unbound.group;
+        };
+        wireguard.enable = true;
+      };
+      scrapeConfigs = [
+        { job_name = "prometheus";
+          static_configs = [
+            { targets = ["localhost:${toString config.services.prometheus.port}"]; }
+          ];
+          relabel_configs = relabelHosts;
+        }
+        { job_name = "node";
+          static_configs = [
+            { targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"]; }
+          ];
+          relabel_configs = relabelHosts;
+        }
+        { job_name = "smartctl";
+          static_configs = [
+            { targets = ["localhost:${toString config.services.prometheus.exporters.smartctl.port}"]; }
+          ];
+          relabel_configs = relabelHosts;
+        }
+        { job_name = "snmp";
+          static_configs = [
+            { targets = ["10.141.1.2"]; }
+          ];
+          metrics_path = "/snmp";
+          params = {
+            module = ["if_mib"];
+          };
+          relabel_configs = [
+            { source_labels = ["__address__"];
+              target_label = "__param_target";
+            }
+            { source_labels = ["__param_target"];
+              target_label = "instance";
+            }
+            { replacement = "localhost:${toString config.services.prometheus.exporters.snmp.port}";
+              target_label = "__address__";
+            }
+          ] ++ relabelHosts;
+        }
+        { job_name = "zte";
+          static_configs = [
+            { targets = ["localhost:9900"]; }
+          ];
+          relabel_configs = [
+            { replacement = "telekom";
+              target_label = "instance";
+            }
+          ];
+        }
+        { job_name = "unbound";
+          static_configs = [
+            { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
+          ];
+          relabel_configs = relabelHosts;
+        }
+        { job_name = "wireguard";
+          static_configs = [
+            { targets = ["localhost:${toString config.services.prometheus.exporters.wireguard.port}"]; }
+          ];
+          relabel_configs = relabelHosts;
+        }
+        { job_name = "corerad";
+          static_configs = [
+            { targets = ["localhost:9430"]; }
+          ];
+          relabel_configs = relabelHosts;
+        }
+      ];
+    };
+    users.users.${config.services.prometheus.exporters.unbound.user} = {
+      description = "Prometheus unbound exporter service user";
+      isSystemUser = true;
+      group = config.services.unbound.group;
+    };
+    systemd.services."prometheus-unbound-exporter".serviceConfig = {
+      DynamicUser = false;
+    };
+    systemd.services."prometheus-zte-exporter@10.141.1.3" = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      serviceConfig = {
+        Restart = "always";
+        PrivateTmp = true;
+        WorkingDirectory = "/tmp";
+        DynamicUser = true;
+        CapabilityBoundingSet = [""];
+        DeviceAllow = [""];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        UMask = "0077";
+        Type = "simple";
+        ExecStart = "${pkgs.zte-prometheus-exporter}/bin/zte-prometheus-exporter";
+        Environment = "ZTE_BASEURL=http://%I ZTE_HOSTNAME=localhost ZTE_PORT=9900";
+        EnvironmentFile = config.sops.secrets."zte_10.141.1.3".path;
+      };
+    };
+    sops.secrets."zte_10.141.1.3" = {
+      format = "binary";
+      sopsFile = ./zte_10.141.1.3;
+    };
+  };
+}

diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix new file mode 100644 index 00000000..cb7567c9 --- /dev/null +++ b/hosts/vidhar/prometheus/default.nix
@@ -0,0 +1,167 @@
	1	{ config, lib, pkgs, ... }:
	2	let
	3	relabelHosts = [
	4	{ source_labels = ["__address__"];
	5	target_label = "instance";
	6	regex = "localhost(:[0-9]+)?";
	7	replacement = "vidhar";
	8	}
	9	{ source_labels = ["__address__"];
	10	target_label = "instance";
	11	regex = "10.141.1.2(:[0-9]+)?";
	12	replacement = "switch01";
	13	}
	14	];
	15	in {
	16	config = {
	17	services.prometheus = {
	18	enable = true;
	19
	20	exporters = {
	21	node.enable = true;
	22	smartctl = {
	23	enable = true;
	24	devices = map (dev: "/dev/disk/by-path/${dev}") [
	25	"pci-0000:00:1f.2-ata-1"
	26	"pci-0000:00:1f.2-ata-3"
	27	"pci-0000:00:1f.2-ata-4"
	28	"pci-0000:00:1f.2-ata-5"
	29	"pci-0000:00:1f.2-ata-6"
	30	"pci-0000:02:00.0-nvme-1"
	31	"pci-0000:05:00.0-sas-phy0-lun-0"
	32	"pci-0000:05:00.0-sas-phy1-lun-0"
	33	"pci-0000:06:00.0-nvme-1"
	34	];
	35	};
	36	snmp = {
	37	enable = true;
	38	configurationPath = ./snmp.yml;
	39	};
	40	unbound = {
	41	enable = true;
	42	controlInterface = "/run/unbound/unbound.ctl";
	43	group = config.services.unbound.group;
	44	};
	45	wireguard.enable = true;
	46	};
	47
	48	scrapeConfigs = [
	49	{ job_name = "prometheus";
	50	static_configs = [
	51	{ targets = ["localhost:${toString config.services.prometheus.port}"]; }
	52	];
	53	relabel_configs = relabelHosts;
	54	}
	55	{ job_name = "node";
	56	static_configs = [
	57	{ targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"]; }
	58	];
	59	relabel_configs = relabelHosts;
	60	}
	61	{ job_name = "smartctl";
	62	static_configs = [
	63	{ targets = ["localhost:${toString config.services.prometheus.exporters.smartctl.port}"]; }
	64	];
	65	relabel_configs = relabelHosts;
	66	}
	67	{ job_name = "snmp";
	68	static_configs = [
	69	{ targets = ["10.141.1.2"]; }
	70	];
	71	metrics_path = "/snmp";
	72	params = {
	73	module = ["if_mib"];
	74	};
	75	relabel_configs = [
	76	{ source_labels = ["__address__"];
	77	target_label = "__param_target";
	78	}
	79	{ source_labels = ["__param_target"];
	80	target_label = "instance";
	81	}
	82	{ replacement = "localhost:${toString config.services.prometheus.exporters.snmp.port}";
	83	target_label = "__address__";
	84	}
	85	] ++ relabelHosts;
	86	}
	87	{ job_name = "zte";
	88	static_configs = [
	89	{ targets = ["localhost:9900"]; }
	90	];
	91	relabel_configs = [
	92	{ replacement = "telekom";
	93	target_label = "instance";
	94	}
	95	];
	96	}
	97	{ job_name = "unbound";
	98	static_configs = [
	99	{ targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
	100	];
	101	relabel_configs = relabelHosts;
	102	}
	103	{ job_name = "wireguard";
	104	static_configs = [
	105	{ targets = ["localhost:${toString config.services.prometheus.exporters.wireguard.port}"]; }
	106	];
	107	relabel_configs = relabelHosts;
	108	}
	109	{ job_name = "corerad";
	110	static_configs = [
	111	{ targets = ["localhost:9430"]; }
	112	];
	113	relabel_configs = relabelHosts;
	114	}
	115	];
	116	};
	117	users.users.${config.services.prometheus.exporters.unbound.user} = {
	118	description = "Prometheus unbound exporter service user";
	119	isSystemUser = true;
	120	group = config.services.unbound.group;
	121	};
	122	systemd.services."prometheus-unbound-exporter".serviceConfig = {
	123	DynamicUser = false;
	124	};
	125
	126	systemd.services."prometheus-zte-exporter@10.141.1.3" = {
	127	wantedBy = [ "multi-user.target" ];
	128	after = [ "network.target" ];
	129	serviceConfig = {
	130	Restart = "always";
	131	PrivateTmp = true;
	132	WorkingDirectory = "/tmp";
	133	DynamicUser = true;
	134	CapabilityBoundingSet = [""];
	135	DeviceAllow = [""];
	136	LockPersonality = true;
	137	MemoryDenyWriteExecute = true;
	138	NoNewPrivileges = true;
	139	PrivateDevices = true;
	140	ProtectClock = true;
	141	ProtectControlGroups = true;
	142	ProtectHome = true;
	143	ProtectHostname = true;
	144	ProtectKernelLogs = true;
	145	ProtectKernelModules = true;
	146	ProtectKernelTunables = true;
	147	ProtectSystem = "strict";
	148	RemoveIPC = true;
	149	RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
	150	RestrictNamespaces = true;
	151	RestrictRealtime = true;
	152	RestrictSUIDSGID = true;
	153	SystemCallArchitectures = "native";
	154	UMask = "0077";
	155
	156	Type = "simple";
	157	ExecStart = "${pkgs.zte-prometheus-exporter}/bin/zte-prometheus-exporter";
	158	Environment = "ZTE_BASEURL=http://%I ZTE_HOSTNAME=localhost ZTE_PORT=9900";
	159	EnvironmentFile = config.sops.secrets."zte_10.141.1.3".path;
	160	};
	161	};
	162	sops.secrets."zte_10.141.1.3" = {
	163	format = "binary";
	164	sopsFile = ./zte_10.141.1.3;
	165	};
	166	};
	167	}