2 files changed, 130 insertions, 1 deletions
diff --git a/hosts/surtr/prometheus/default.nix b/hosts/surtr/prometheus/default.nix
index 26144302..a3ce4976 100644
--- a/hosts/surtr/prometheus/default.nix
+++ b/hosts/surtr/prometheus/default.nix
@@ -20,6 +20,41 @@ in {
          enable = true;
          enabledCollectors = [];
        };
+        unbound = {
+          enable = true;
+          controlInterface = "/run/unbound/unbound.ctl";
+          group = config.services.unbound.group;
+        };
+        wireguard = {
+          enable = true;
+          wireguardConfig =
+            let
+              keys = {
+                "sif" = ["yioRagUtRvalJLrTtLp8NPiym6a3RpIcqgVfNL1iyRA=" "zIgyMw5wSernKPmMfDZ+fqaYUjbIQUhsXe+7hIZgJho="];
+                "surtr" = ["YP/sWEUWw51czlGxvgrgyEZ+ssx/3C9siufgd0a8d3g=" "6V2EjwvZ07Pebc9g9TNqIlQu57MvqyUsCeIOzky4Txw="];
+                "vidhar" = ["IOuHpNQ2ff09HCPKtKY95lDXoRhd8FIBsbB8kaMeUUA=" "jdaF4sx+dhdkTNGxQI6g6JV4XwXgD9QQJQ4f0NYy1gY=" "moESFbO3qUTuoOv6lbzSLrNYSjHkM5hyvAs5XZtQzRA="];
+              };
+            in pkgs.writeText "wireguard-config" (concatMapStringsSep "\n" ({ name, value }: ''
+              [Peer]
+              # friendly_name = ${name}
+              PublicKey = ${value}
+              AllowedIPs = ::/0
+            '') (concatLists (mapAttrsToList (host: hostKeys: map (nameValuePair host) hostKeys) keys)));
+        };
+        blackbox = {
+          enable = true;
+          configFile = pkgs.writeText "blackbox-config.yaml" (builtins.toJSON {
+            modules = {
+              "dns_soa" = {
+                prober = "dns";
+                dns = {
+                  query_name = ".";
+                  query_type = "SOA";
+                };
+              };
+            };
+          });
+        };
      };
      globalConfig = {
@@ -53,6 +88,54 @@ in {
          relabel_configs = relabelHosts;
          scrape_interval = "1s";
        }
+        { job_name = "unbound";
+          static_configs = [
+            { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
+          ];
+          relabel_configs = relabelHosts;
+          scrape_interval = "1s";
+        }
+        { job_name = "wireguard";
+          static_configs = [
+            { targets = ["localhost:${toString config.services.prometheus.exporters.wireguard.port}"]; }
+          ];
+          relabel_configs = relabelHosts;
+          scrape_interval = "1s";
+        }
+        { job_name = "nftables";
+          static_configs = [
+            { targets = ["localhost:9901"]; }
+          ];
+          relabel_configs = relabelHosts;
+          scrape_interval = "1s";
+        }
+        { job_name = "blackbox";
+          metrics_path = "/probe";
+          params = { module = ["dns_soa"]; };
+          static_configs = [
+            { targets = ["127.0.0.53:53" "127.0.0.1:53"]; }
+          ];
+          relabel_configs = [
+            { source_labels = ["__address__"];
+              target_label = "__param_target";
+            }
+          ] ++ relabelHosts ++
+          [ { source_labels = ["__param_target"];
+              target_label = "job";
+              regex = "127\.0\.0\.53:53";
+              replacement = "systemd-resolved.dns_soa";
+            }
+            { source_labels = ["__param_target"];
+              target_label = "job";
+              regex = "127\.0\.0\.1:53";
+              replacement = "unbound.dns_soa";
+            }
+            { replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}";
+              target_label = "__address__";
+            }
+          ];
+          scrape_interval = "5s";
+        }
      ];
      rules = [
@@ -62,6 +145,52 @@ in {
        })
      ];
    };
+    users.users.${config.services.prometheus.exporters.unbound.user} = {
+      description = "Prometheus unbound exporter service user";
+      isSystemUser = true;
+      group = config.services.unbound.group;
+    };
+    systemd.services."prometheus-unbound-exporter".serviceConfig = {
+      DynamicUser = false;
+    };
+    systemd.services."prometheus-nftables-exporter" = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      path = with pkgs; [ nftables ];
+      serviceConfig = {
+        Restart = "always";
+        PrivateTmp = true;
+        WorkingDirectory = "/tmp";
+        CapabilityBoundingSet = ["CAP_NET_ADMIN"];
+        DynamicUser = true;
+        DeviceAllow = [""];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        UMask = "0077";
+        AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+        Type = "simple";
+        ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";
+        Environment = "NFT_HOSTNAME=localhost NFT_PORT=9901";
+      };
+    };
    sops.secrets."prometheus.key" = {
      format = "binary";
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index 0181d431..4a666e95 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -63,7 +63,7 @@ in {
            let
              keys = {
                "sif" = ["yioRagUtRvalJLrTtLp8NPiym6a3RpIcqgVfNL1iyRA=" "zIgyMw5wSernKPmMfDZ+fqaYUjbIQUhsXe+7hIZgJho="];
-                "surtr" = ["YP/sWEUWw51czlGxvgrgyEZ+ssx/3C9siufgd0a8d3g=" "6V2EjwvZ07Pebc9g9TNqIlQu57MvqyUsCeIOzky4Txw="];
+                "surtr" = ["YP/sWEUWw51czlGxvgrgyEZ+ssx/3C9siufgd0a8d3g=" "6V2EjwvZ07Pebc9g9TNqIlQu57MvqyUsCeIOzky4Txw=" "moESFbO3qUTuoOv6lbzSLrNYSjHkM5hyvAs5XZtQzRA="];
                "vidhar" = ["IOuHpNQ2ff09HCPKtKY95lDXoRhd8FIBsbB8kaMeUUA=" "jdaF4sx+dhdkTNGxQI6g6JV4XwXgD9QQJQ4f0NYy1gY="];
              };
            in pkgs.writeText "wireguard-config" (concatMapStringsSep "\n" ({ name, value }: ''

diff --git a/hosts/surtr/prometheus/default.nix b/hosts/surtr/prometheus/default.nix index 26144302..a3ce4976 100644 --- a/hosts/surtr/prometheus/default.nix +++ b/hosts/surtr/prometheus/default.nix
@@ -20,6 +20,41 @@ in {
20	enable = true;	20	enable = true;
21	enabledCollectors = [];	21	enabledCollectors = [];
22	};	22	};
		23	unbound = {
		24	enable = true;
		25	controlInterface = "/run/unbound/unbound.ctl";
		26	group = config.services.unbound.group;
		27	};
		28	wireguard = {
		29	enable = true;
		30	wireguardConfig =
		31	let
		32	keys = {
		33	"sif" = ["yioRagUtRvalJLrTtLp8NPiym6a3RpIcqgVfNL1iyRA=" "zIgyMw5wSernKPmMfDZ+fqaYUjbIQUhsXe+7hIZgJho="];
		34	"surtr" = ["YP/sWEUWw51czlGxvgrgyEZ+ssx/3C9siufgd0a8d3g=" "6V2EjwvZ07Pebc9g9TNqIlQu57MvqyUsCeIOzky4Txw="];
		35	"vidhar" = ["IOuHpNQ2ff09HCPKtKY95lDXoRhd8FIBsbB8kaMeUUA=" "jdaF4sx+dhdkTNGxQI6g6JV4XwXgD9QQJQ4f0NYy1gY=" "moESFbO3qUTuoOv6lbzSLrNYSjHkM5hyvAs5XZtQzRA="];
		36	};
		37	in pkgs.writeText "wireguard-config" (concatMapStringsSep "\n" ({ name, value }: ''
		38	[Peer]
		39	# friendly_name = ${name}
		40	PublicKey = ${value}
		41	AllowedIPs = ::/0
		42	'') (concatLists (mapAttrsToList (host: hostKeys: map (nameValuePair host) hostKeys) keys)));
		43	};
		44	blackbox = {
		45	enable = true;
		46	configFile = pkgs.writeText "blackbox-config.yaml" (builtins.toJSON {
		47	modules = {
		48	"dns_soa" = {
		49	prober = "dns";
		50	dns = {
		51	query_name = ".";
		52	query_type = "SOA";
		53	};
		54	};
		55	};
		56	});
		57	};
23	};	58	};
24		59
25	globalConfig = {	60	globalConfig = {
@@ -53,6 +88,54 @@ in {
53	relabel_configs = relabelHosts;	88	relabel_configs = relabelHosts;
54	scrape_interval = "1s";	89	scrape_interval = "1s";
55	}	90	}
		91	{ job_name = "unbound";
		92	static_configs = [
		93	{ targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
		94	];
		95	relabel_configs = relabelHosts;
		96	scrape_interval = "1s";
		97	}
		98	{ job_name = "wireguard";
		99	static_configs = [
		100	{ targets = ["localhost:${toString config.services.prometheus.exporters.wireguard.port}"]; }
		101	];
		102	relabel_configs = relabelHosts;
		103	scrape_interval = "1s";
		104	}
		105	{ job_name = "nftables";
		106	static_configs = [
		107	{ targets = ["localhost:9901"]; }
		108	];
		109	relabel_configs = relabelHosts;
		110	scrape_interval = "1s";
		111	}
		112	{ job_name = "blackbox";
		113	metrics_path = "/probe";
		114	params = { module = ["dns_soa"]; };
		115	static_configs = [
		116	{ targets = ["127.0.0.53:53" "127.0.0.1:53"]; }
		117	];
		118	relabel_configs = [
		119	{ source_labels = ["__address__"];
		120	target_label = "__param_target";
		121	}
		122	] ++ relabelHosts ++
		123	[ { source_labels = ["__param_target"];
		124	target_label = "job";
		125	regex = "127\.0\.0\.53:53";
		126	replacement = "systemd-resolved.dns_soa";
		127	}
		128	{ source_labels = ["__param_target"];
		129	target_label = "job";
		130	regex = "127\.0\.0\.1:53";
		131	replacement = "unbound.dns_soa";
		132	}
		133	{ replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}";
		134	target_label = "__address__";
		135	}
		136	];
		137	scrape_interval = "5s";
		138	}
56	];	139	];
57		140
58	rules = [	141	rules = [
@@ -62,6 +145,52 @@ in {
62	})	145	})
63	];	146	];
64	};	147	};
		148	users.users.${config.services.prometheus.exporters.unbound.user} = {
		149	description = "Prometheus unbound exporter service user";
		150	isSystemUser = true;
		151	group = config.services.unbound.group;
		152	};
		153	systemd.services."prometheus-unbound-exporter".serviceConfig = {
		154	DynamicUser = false;
		155	};
		156
		157	systemd.services."prometheus-nftables-exporter" = {
		158	wantedBy = [ "multi-user.target" ];
		159	after = [ "network.target" ];
		160	path = with pkgs; [ nftables ];
		161	serviceConfig = {
		162	Restart = "always";
		163
		164	PrivateTmp = true;
		165	WorkingDirectory = "/tmp";
		166	CapabilityBoundingSet = ["CAP_NET_ADMIN"];
		167	DynamicUser = true;
		168	DeviceAllow = [""];
		169	LockPersonality = true;
		170	MemoryDenyWriteExecute = true;
		171	NoNewPrivileges = true;
		172	PrivateDevices = true;
		173	ProtectClock = true;
		174	ProtectControlGroups = true;
		175	ProtectHome = true;
		176	ProtectHostname = true;
		177	ProtectKernelLogs = true;
		178	ProtectKernelModules = true;
		179	ProtectKernelTunables = true;
		180	ProtectSystem = "strict";
		181	RemoveIPC = true;
		182	RestrictNamespaces = true;
		183	RestrictRealtime = true;
		184	RestrictSUIDSGID = true;
		185	SystemCallArchitectures = "native";
		186	UMask = "0077";
		187	AmbientCapabilities = [ "CAP_NET_ADMIN" ];
		188
		189	Type = "simple";
		190	ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";
		191	Environment = "NFT_HOSTNAME=localhost NFT_PORT=9901";
		192	};
		193	};
65		194
66	sops.secrets."prometheus.key" = {	195	sops.secrets."prometheus.key" = {
67	format = "binary";	196	format = "binary";


diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix index 0181d431..4a666e95 100644 --- a/hosts/vidhar/prometheus/default.nix +++ b/hosts/vidhar/prometheus/default.nix
@@ -63,7 +63,7 @@ in {
63	let	63	let
64	keys = {	64	keys = {
65	"sif" = ["yioRagUtRvalJLrTtLp8NPiym6a3RpIcqgVfNL1iyRA=" "zIgyMw5wSernKPmMfDZ+fqaYUjbIQUhsXe+7hIZgJho="];	65	"sif" = ["yioRagUtRvalJLrTtLp8NPiym6a3RpIcqgVfNL1iyRA=" "zIgyMw5wSernKPmMfDZ+fqaYUjbIQUhsXe+7hIZgJho="];
66	"surtr" = ["YP/sWEUWw51czlGxvgrgyEZ+ssx/3C9siufgd0a8d3g=" "6V2EjwvZ07Pebc9g9TNqIlQu57MvqyUsCeIOzky4Txw="];	66	"surtr" = ["YP/sWEUWw51czlGxvgrgyEZ+ssx/3C9siufgd0a8d3g=" "6V2EjwvZ07Pebc9g9TNqIlQu57MvqyUsCeIOzky4Txw=" "moESFbO3qUTuoOv6lbzSLrNYSjHkM5hyvAs5XZtQzRA="];
67	"vidhar" = ["IOuHpNQ2ff09HCPKtKY95lDXoRhd8FIBsbB8kaMeUUA=" "jdaF4sx+dhdkTNGxQI6g6JV4XwXgD9QQJQ4f0NYy1gY="];	67	"vidhar" = ["IOuHpNQ2ff09HCPKtKY95lDXoRhd8FIBsbB8kaMeUUA=" "jdaF4sx+dhdkTNGxQI6g6JV4XwXgD9QQJQ4f0NYy1gY="];
68	};	68	};
69	in pkgs.writeText "wireguard-config" (concatMapStringsSep "\n" ({ name, value }: ''	69	in pkgs.writeText "wireguard-config" (concatMapStringsSep "\n" ({ name, value }: ''