Diffstat (limited to 'hosts')
-rw-r--r--hosts/vidhar/prometheus.nix165
1 files changed, 165 insertions, 0 deletions
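diff --git a/hosts/vidhar/prometheus.nix b/hosts/vidhar/prometheus.nix
new file mode 100644
index 00000000..017097ad
--- /dev/null
+++ b/hosts/vidhar/prometheus.nix
@@ -0,0 +1,165 @@
+{ config, lib, pkgs, ... }:
+let
+ relabelHosts = [
+ { source_labels = ["__address__"];
+ target_label = "instance";
+ regex = "localhost(:[0-9]+)?";
+ replacement = "vidhar";
+ }
+ { source_labels = ["__address__"];
+ target_label = "instance";
+ regex = "10.141.1.2(:[0-9]+)?";
+ replacement = "switch01";
+ }
+ ];
+in {
+ config = {
+ services.prometheus = {
+ enable = true;
+
+ exporters = {
+ node.enable = true;
+ smartctl = {
+ enable = true;
+ devices = map (dev: "/dev/disk/by-path/${dev}") [
+ "pci-0000:00:1f.2-ata-1"
+ "pci-0000:00:1f.2-ata-3"
+ "pci-0000:00:1f.2-ata-4"
+ "pci-0000:00:1f.2-ata-5"
+ "pci-0000:00:1f.2-ata-6"
+ "pci-0000:02:00.0-nvme-1"
+ "pci-0000:05:00.0-sas-phy0-lun-0"
+ "pci-0000:05:00.0-sas-phy1-lun-0"
+ "pci-0000:06:00.0-nvme-1"
+ ];
+ };
+ snmp = {
+ enable = true;
+ configurationPath = ./snmp.yml;
+ };
+ unbound = {
+ enable = true;
+ controlInterface = "/run/unbound/unbound.ctl";
+ group = config.services.unbound.group;
+ };
+ wireguard.enable = true;
+ };
+
+ scrapeConfigs = [
+ { job_name = "prometheus";
+ static_configs = [
+ { targets = ["localhost:${toString config.services.prometheus.port}"]; }
+ ];
+ relabel_configs = relabelHosts;
+ }
+ { job_name = "node";
+ static_configs = [
+ { targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"]; }
+ ];
+ relabel_configs = relabelHosts;
+ }
+ { job_name = "smartctl";
+ static_configs = [
+ { targets = ["localhost:${toString config.services.prometheus.exporters.smartctl.port}"]; }
+ ];
+ relabel_configs = relabelHosts;
+ }
+ { job_name = "snmp";
+ static_configs = [
+ { targets = ["10.141.1.2"]; }
+ ];
+ metrics_path = "/snmp";
+ params = {
+ module = ["if_mib"];
+ };
+ relabel_configs = [
+ { source_labels = ["__address__"];
+ target_label = "__param_target";
+ }
+ ] ++ relabelHosts ++
+ [ { replacement = "localhost:${toString config.services.prometheus.exporters.snmp.port}";
+ target_label = "__address__";
+ }
+ ];
+ }
+ { job_name = "zte";
+ static_configs = [
+ { targets = ["localhost:9900"]; }
+ ];
+ relabel_configs = [
+ { replacement = "telekom";
+ target_label = "instance";
+ }
+ ];
+ }
+ { job_name = "unbound";
+ static_configs = [
+ { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
+ ];
+ relabel_configs = relabelHosts;
+ }
+ { job_name = "wireguard";
+ static_configs = [
+ { targets = ["localhost:${toString config.services.prometheus.exporters.wireguard.port}"]; }
+ ];
+ relabel_configs = relabelHosts;
+ }
+ { job_name = "corerad";
+ static_configs = [
+ { targets = ["localhost:9430"]; }
+ ];
+ relabel_configs = relabelHosts;
+ }
+ ];
+ };
+ users.users.${config.services.prometheus.exporters.unbound.user} = {
+ description = "Prometheus unbound exporter service user";
+ isSystemUser = true;
+ group = config.services.unbound.group;
+ };
+ systemd.services."prometheus-unbound-exporter".serviceConfig = {
+ DynamicUser = false;
+ };
+
+ systemd.services."prometheus-zte-exporter@10.141.1.3" = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ Restart = "always";
+ PrivateTmp = true;
+ WorkingDirectory = "/tmp";
+ DynamicUser = true;
+ CapabilityBoundingSet = [""];
+ DeviceAllow = [""];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+
+ Type = "simple";
+ ExecStart = "${pkgs.zte-prometheus-exporter}/bin/zte-prometheus-exporter";
+ Environment = "ZTE_BASEURL=http://%I ZTE_HOSTNAME=localhost ZTE_PORT=9900";
+ EnvironmentFile = config.sops.secrets."zte_10.141.1.3".path;
+ };
+ };
+ sops.secrets."zte_10.141.1.3" = {
+ format = "binary";
+ sopsFile = ./zte_10.141.1.3;
+ };
+ };
+}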
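Review bot: The `prometheus-zte-exporter@10.141.1.3` unit reaches the router over cleartext (`ZTE_BASEURL=http://%I`) while loading a sops-managed `EnvironmentFile`, which presumably holds the router login, so that secret would cross the LAN unencrypted on every scrape; if the device offers HTTPS, the base URL should point at it. The sandboxing in that `serviceConfig` is thorough but leaves the unit's network reach open, and adding `IPAddressDeny = "any";` with `IPAddressAllow = [ "localhost" "10.141.1.3" ];` would confine it to the router and the local scrape. Every scrape target for the NixOS-provided exporters is `localhost`, yet none of them sets `listenAddress`, so they appear to rely on the firewall rather than on binding to loopback; `listenAddress = "127.0.0.1";` on each exporter would make that explicit. The unbound exporter is also placed in the unbound group to reach `/run/unbound/unbound.ctl`, which is a control socket rather than a read-only statistics endpoint, and a comment next to `DynamicUser = false;` recording that trade-off would help the next reader.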