1 files changed, 44 insertions, 0 deletions
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index f915fc68..87035d5d 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -142,6 +142,13 @@ in {
          relabel_configs = relabelHosts;
          scrape_interval = "1s";
        }
+        { job_name = "nftables";
+          static_configs = [
+            { targets = ["localhost:9901"]; }
+          ];
+          relabel_configs = relabelHosts;
+          scrape_interval = "1s";
+        }
      ];
    };
    users.users.${config.services.prometheus.exporters.unbound.user} = {
@@ -193,5 +200,42 @@ in {
      format = "binary";
      sopsFile = ./zte_10.141.1.3;
    };
+    systemd.services."prometheus-nftables-exporter" = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      serviceConfig = {
+        Restart = "always";
+        PrivateTmp = true;
+        WorkingDirectory = "/tmp";
+        DynamicUser = true;
+        CapabilityBoundingSet = [""];
+        DeviceAllow = [""];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        UMask = "0077";
+        AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+        Type = "simple";
+        ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";
+        Environment = "ZTE_HOSTNAME=localhost ZTE_PORT=9901";
+      };
+    };
  };
 }

diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix index f915fc68..87035d5d 100644 --- a/hosts/vidhar/prometheus/default.nix +++ b/hosts/vidhar/prometheus/default.nix
@@ -142,6 +142,13 @@ in {
142	relabel_configs = relabelHosts;	142	relabel_configs = relabelHosts;
143	scrape_interval = "1s";	143	scrape_interval = "1s";
144	}	144	}
		145	{ job_name = "nftables";
		146	static_configs = [
		147	{ targets = ["localhost:9901"]; }
		148	];
		149	relabel_configs = relabelHosts;
		150	scrape_interval = "1s";
		151	}
145	];	152	];
146	};	153	};
147	users.users.${config.services.prometheus.exporters.unbound.user} = {	154	users.users.${config.services.prometheus.exporters.unbound.user} = {
@@ -193,5 +200,42 @@ in {
193	format = "binary";	200	format = "binary";
194	sopsFile = ./zte_10.141.1.3;	201	sopsFile = ./zte_10.141.1.3;
195	};	202	};
		203
		204	systemd.services."prometheus-nftables-exporter" = {
		205	wantedBy = [ "multi-user.target" ];
		206	after = [ "network.target" ];
		207	serviceConfig = {
		208	Restart = "always";
		209	PrivateTmp = true;
		210	WorkingDirectory = "/tmp";
		211	DynamicUser = true;
		212	CapabilityBoundingSet = [""];
		213	DeviceAllow = [""];
		214	LockPersonality = true;
		215	MemoryDenyWriteExecute = true;
		216	NoNewPrivileges = true;
		217	PrivateDevices = true;
		218	ProtectClock = true;
		219	ProtectControlGroups = true;
		220	ProtectHome = true;
		221	ProtectHostname = true;
		222	ProtectKernelLogs = true;
		223	ProtectKernelModules = true;
		224	ProtectKernelTunables = true;
		225	ProtectSystem = "strict";
		226	RemoveIPC = true;
		227	RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
		228	RestrictNamespaces = true;
		229	RestrictRealtime = true;
		230	RestrictSUIDSGID = true;
		231	SystemCallArchitectures = "native";
		232	UMask = "0077";
		233	AmbientCapabilities = [ "CAP_NET_ADMIN" ];
		234
		235	Type = "simple";
		236	ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";
		237	Environment = "ZTE_HOSTNAME=localhost ZTE_PORT=9901";
		238	};
		239	};
196	};	240	};
197	}	241	}