From 38e371ebe3006fd42ec07892c439872581632b8f Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 16 Oct 2025 08:54:47 +0200
Subject: ...

---
 hosts/vidhar/default.nix | 2 -
 hosts/vidhar/network/default.nix | 2 +-
 hosts/vidhar/network/pppoe.nix | 4 +-
 hosts/vidhar/prometheus/default.nix | 52 ++++++++++++++++++++++
 hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil | 26 +++++++++++
 .../nftables-prometheus-exporter.py | 22 ++++-----
 overlays/zte-prometheus-exporter/default.nix | 2 +-
 7 files changed, 93 insertions(+), 17 deletions(-)
 create mode 100644 hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil

diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 547572c6..1c60ed22 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -157,8 +157,6 @@ with lib;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
 commonHttpConfig = ''
- ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
-
 log_format main '$remote_addr "$remote_user" ' '"$host" "$request" $status $bytes_sent '
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 5245972d..6fcef9d8 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ pkgs, lib, config, ... }:
 
 with lib;
 
diff --git a/hosts/vidhar/network/pppoe.nix b/hosts/vidhar/network/pppoe.nix
index da64b353..ff70cc0f 100644
--- a/hosts/vidhar/network/pppoe.nix
+++ b/hosts/vidhar/network/pppoe.nix
@@ -70,8 +70,8 @@ in {
 tc qdisc add dev "${pppInterface}" handle ffff: ingress
 tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}"
- tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth ${toString (builtins.floor (159 * 0.95))}mbit
- tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth ${toString (builtins.floor (36 * 0.95))}mbit
+ tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth ${toString (builtins.floor (177968 * 0.95))}kbit
+ tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth ${toString (builtins.floor (41216 * 0.95))}kbit
 '';
 };
 in "${app}/bin/${app.meta.mainProgram}";
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index 094f9f7a..005af680 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -145,6 +145,17 @@ in {
 ];
 scrape_interval = "15s";
 }
+ { job_name = "zte";
+ static_configs = [
+ { targets = ["localhost:9900"]; }
+ ];
+ relabel_configs = [
+ { replacement = "dsl01";
+ target_label = "instance";
+ }
+ ];
+ scrape_interval = "15s";
+ }
 { job_name = "unbound";
 static_configs = [
 { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
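Review bot: The rewritten `tc qdisc replace` lines bake in `177968` and `41216` with no indication of where the figures come from (presumably the line's current down/upstream sync rates in kbit/s, but that is a guess from the context) or why 95% of them is applied. Because the values sit inside a shell string, the next person who has to re-sync them after a line retrain has nothing to go on; a comment directly above the two lines, e.g. `# down/up rate in kbit/s as read from <WHERE-READ-FROM>; cake is set 5% below it so the queue forms on this side of the bottleneck`, or binding them in the enclosing `let` as `downKbit`/`upKbit` with that comment, would fix this. The enclosing `app` definition starts outside the hunk.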
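Review bot: The new `zte` job hard-codes the exporter port in `targets = ["localhost:9900"]`, while the neighbouring unbound job derives its port from `config.services.prometheus.exporters.unbound.port`; the same literal `9900` is repeated later in this file as `ZTE_PORT=9900` in the exporter's unit, so the two can silently drift apart. A single binding in the file's `let` (for example `ztePort = 9900;`) used as `"localhost:${toString ztePort}"` here and in the unit's `Environment` string keeps them in step. The `scrape_configs` list that contains this job starts outside the hunk.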
@@ -425,6 +436,47 @@ in {
 };
 };
 
+ systemd.services."prometheus-zte-exporter@dsl01.mgmt.yggdrasil" = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ Restart = "always";
+ PrivateTmp = true;
+ WorkingDirectory = "/tmp";
+ DynamicUser = true;
+ CapabilityBoundingSet = [""];
+ DeviceAllow = [""];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+
+ Type = "simple";
+ ExecStart = "${pkgs.zte-prometheus-exporter}/bin/zte-prometheus-exporter";
+ Environment = "ZTE_BASEURL=http://%I ZTE_HOSTNAME=localhost ZTE_PORT=9900";
+ EnvironmentFile = config.sops.secrets."zte_dsl01.mgmt.yggdrasil".path;
+ };
+ };
+ sops.secrets."zte_dsl01.mgmt.yggdrasil" = {
+ format = "binary";
+ sopsFile = ./zte_dsl01.mgmt.yggdrasil;
+ };
+
 services.nginx = {
 upstreams.prometheus = {
 servers = { "localhost:${toString config.services.prometheus.port}" = {}; };
diff --git a/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil b/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil
new file mode 100644
index 00000000..1c9c1fe0
--- /dev/null
+++ b/hosts/vidhar/prometheus/zte_dsl01.mgmt.yggdrasil
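Review bot: `Environment = "ZTE_BASEURL=http://%I ..."` points the exporter at the modem over plain HTTP, so whatever the sops-managed `EnvironmentFile` supplies (presumably the device's login, though its contents are not visible here) crosses the network in clear text on every scrape; if the device offers TLS the base URL should be `https://`, and if it does not, a comment on the unit should record that `dsl01.mgmt.yggdrasil` is reachable only over an isolated management segment, since none of the sandboxing below protects traffic leaving the host. The sandbox is otherwise thorough but stops short of a syscall filter: `SystemCallArchitectures = "native"` is normally paired with `SystemCallFilter = [ "@system-service" ]`, and `ProtectProc = "invisible"` is cheap for a `DynamicUser` service. It is also worth confirming that resolving `%I` still works with `RestrictAddressFamilies` limited to `AF_INET`/`AF_INET6`, since on NixOS the lookup may first try nscd over a Unix socket; the resolver setup is not visible in this diff, so that is a check rather than a reported failure.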
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:nAsn7dhfDr0+V1cJjpqWn/kJQt2zGjlfQKi3n5speroJkL3IvMG/9fsTaXJQZSi2gPlrN8GbxKQ=,iv:9g0V3xRBC+sa/JPP2bUZMfg//VuKT5qI7ua9iU4QRCg=,tag:fzwih9OHUBLmx8dxL4BjGg==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaEE3bUFBY0xKSDUrVnc2\nbFpjSkNOSm56amJTNjdXcTljdDNRREhITm1NCjZrOUEwNFpxN2FmTVV5T2xCbENk\nMEFmVzlPZ29CTlJ4dVNCRUsyRFFseXcKLS0tIEhscVZ4VUVsaG9OUnBIRFE4WXA2\ncGFnbWpNMlNIQzFLc1Ryc1Z3NUl1bVUKi9zYBlF2vslGKu4GP368ApbvuxjZnQpF\nuOujXSNoEps21wY6xUENm+CbYbgaJjSgmb5c1IjAmnubVI4JVY9OyQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2021-12-31T15:00:33Z",
+ "mac": "ENC[AES256_GCM,data:sw2NVXHLibbuOChgScLhSTjGZBjSoHpzIuRqfCW0eL3DwhL5CekG6T/oYu06KjNmxVjxwb3OmqECSU0TUvPn9ySOWwMSoBfyJpDoTHnZ+YOjOH351IOAMBNcBDJse7aLGRWW5YXKLDfmp8Dhg2hlMhCmkVwAquQjPhfmAdJfj64=,iv:wgM/BlRU2XJSGj7KvAo1WRamecffUDnFvv2+4twtsQY=,tag:0mXblJtTGMTvxndedws94A==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2023-01-30T10:58:49Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAcwl1Blp3J5wgpRJKbYI1G1yEZrRYeYuoDtYUh3ToMAQw\nd92/bIJJR5Ml91eDym9uBN0fFRRy72r6FOx4qZT7S4DhmuA84qCbASjF8bKSclc0\n0l4BBXvDS5Dz1Q7iYc+LxZjHASV1v73A+MaeCFvG/pjmHzF0z0EzBiAJD4ZWGcP0\nX2dDbjl+n9VFrvmeLRxQNh4XZW43iTXdRjwHDgm16zhd9X6VOVhr5UkC4Nyjq2Ar\n=4ZEa\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
diff --git a/overlays/nftables-prometheus-exporter/nftables-prometheus-exporter.py b/overlays/nftables-prometheus-exporter/nftables-prometheus-exporter.py
index 484228c8..60ef4670 100644
--- a/overlays/nftables-prometheus-exporter/nftables-prometheus-exporter.py
+++ b/overlays/nftables-prometheus-exporter/nftables-prometheus-exporter.py
@@ -42,7 +42,7 @@ class NFTMetrics:
 cls._instance = cls.__new__(cls)
 cls._instance.attrs = None
 return cls._instance
-
+
 def __init__(self):
 raise RuntimeError('Call instance() instead')
@@ -62,7 +62,7 @@ class NFTMetrics:
 raise RuntimeError(f'nftables json schema v{version} is not supported')
 queries[query_name] = data['nftables'][1:]
-
+
 def extract_query(query_name, type_name):
 return [
 item[type_name]
@@ -98,21 +98,21 @@ class NFTMetrics:
 metrics += _format_prom_metrics('nftables_counter_packets_count', 'counter', counter_packets)
 map_counts = []
- for meter in self.attrs['maps']:
+ for item in self.attrs['maps']:
 labels = { k: v for k, v in counter.items() if k not in set(['elem']) }
- map_counts += [(labels, len(meter['elem']))]
+ map_counts += [(labels, len(item['elem']) if 'elem' in item else 0)]
 metrics += _format_prom_metrics('nftables_map_elem_count', 'gauge', map_counts)
 meter_counts = []
- for meter in self.attrs['meters']:
+ for item in self.attrs['meters']:
 labels = { k: v for k, v in counter.items() if k not in set(['elem']) }
- meter_counts += [(labels, len(meter['elem']))]
+ item_counts += [(labels, len(item['elem']) if 'elem' in item else 0)]
 metrics += _format_prom_metrics('nftables_meter_elem_count', 'gauge', meter_counts)
-
+
 set_counts = []
- for meter in self.attrs['sets']:
+ for item in self.attrs['sets']:
 labels = { k: v for k, v in counter.items() if k not in set(['elem']) }
- set_counts += [(labels, len(meter['elem']))]
+ set_counts += [(labels, len(item['elem']) if 'elem' in item else 0)]
 metrics += _format_prom_metrics('nftables_set_elem_count', 'gauge', set_counts)
 return metrics.encode('utf-8')
@@ -120,7 +120,7 @@ class NFTMetrics:
 class NFTMetricsServer(BaseHTTPRequestHandler):
 def log_message(self, format, *args):
 pass
-
+
 def do_GET(self):
 nft_metrics = NFTMetrics.instance()
 nft_metrics.update()
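Review bot: The meters loop now appends to `item_counts`, a name that is never bound, so the first scrape with any meter present raises `NameError` inside the request handler instead of producing metrics; the line should read `meter_counts += [(labels, len(item['elem']) if 'elem' in item else 0)]` so it feeds the `nftables_meter_elem_count` call directly below it. The rename from `meter` to `item` also leaves the three `labels = { k: v for k, v in counter.items() if k not in set(['elem']) }` lines reading `counter`, which is not bound anywhere in this hunk and appears to be a leftover from the counters loop above it; as written every map, meter and set is labelled with the last counter's labels (and raises `NameError` when there are no counters), so those three lines should iterate `item.items()`. The method containing these loops begins outside the hunk.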
@@ -138,7 +138,7 @@ class NFTMetricsServer(BaseHTTPRequestHandler):
 self.send_response(200)
 self.send_header("Content-type", "text/plain")
 self.end_headers()
-
+
 self.wfile.write(nft_metrics.prometheus())
 case _:
 self.send_response(404)
diff --git a/overlays/zte-prometheus-exporter/default.nix b/overlays/zte-prometheus-exporter/default.nix
index cd4207cd..6295567d 100644
--- a/overlays/zte-prometheus-exporter/default.nix
+++ b/overlays/zte-prometheus-exporter/default.nix
@@ -1,7 +1,7 @@
 { final, prev, ... }:
 let
 packageOverrides = final.callPackage ./python-packages.nix {};
- inpPython = final.python310.override { inherit packageOverrides; };
+ inpPython = final.python3.override { inherit packageOverrides; };
 python = inpPython.withPackages (ps: with ps; [pytimeparse requests]);
 in {
 zte-prometheus-exporter = prev.stdenv.mkDerivation rec {
-- 
cgit v1.2.3