From 703f03b0a86c490f4c7d2a2ae06588927feebd05 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Fri, 8 Apr 2022 23:47:07 +0200
Subject: surtr: prometheus

---
 hosts/surtr/prometheus/default.nix | 129 +++++++++++++++++++++++++++++++++++++
 1 file changed, 129 insertions(+)

(limited to 'hosts/surtr/prometheus')

diff --git a/hosts/surtr/prometheus/default.nix b/hosts/surtr/prometheus/default.nix
index 26144302..a3ce4976 100644
--- a/hosts/surtr/prometheus/default.nix
+++ b/hosts/surtr/prometheus/default.nix
@@ -20,6 +20,41 @@ in {
           enable = true;
           enabledCollectors = [];
         };
+        unbound = {
+          enable = true;
+          controlInterface = "/run/unbound/unbound.ctl";
+          group = config.services.unbound.group;
+        };
+        wireguard = {
+          enable = true;
+          wireguardConfig =
+            let
+              keys = {
+                "sif" = ["yioRagUtRvalJLrTtLp8NPiym6a3RpIcqgVfNL1iyRA=" "zIgyMw5wSernKPmMfDZ+fqaYUjbIQUhsXe+7hIZgJho="];
+                "surtr" = ["YP/sWEUWw51czlGxvgrgyEZ+ssx/3C9siufgd0a8d3g=" "6V2EjwvZ07Pebc9g9TNqIlQu57MvqyUsCeIOzky4Txw="];
+                "vidhar" = ["IOuHpNQ2ff09HCPKtKY95lDXoRhd8FIBsbB8kaMeUUA=" "jdaF4sx+dhdkTNGxQI6g6JV4XwXgD9QQJQ4f0NYy1gY=" "moESFbO3qUTuoOv6lbzSLrNYSjHkM5hyvAs5XZtQzRA="];
+              };
+            in pkgs.writeText "wireguard-config" (concatMapStringsSep "\n" ({ name, value }: ''
+              [Peer]
+              # friendly_name = ${name}
+              PublicKey = ${value}
+              AllowedIPs = ::/0
+            '') (concatLists (mapAttrsToList (host: hostKeys: map (nameValuePair host) hostKeys) keys)));
+        };
+        blackbox = {
+          enable = true;
+          configFile = pkgs.writeText "blackbox-config.yaml" (builtins.toJSON {
+            modules = {
+              "dns_soa" = {
+                prober = "dns";
+                dns = {
+                  query_name = ".";
+                  query_type = "SOA";
+                };
+              };
+            };
+          });
+        };
       };
 
       globalConfig = {
@@ -53,6 +88,54 @@ in {
           relabel_configs = relabelHosts;
           scrape_interval = "1s";
         }
+        { job_name = "unbound";
+          static_configs = [
+            { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
+          ];
+          relabel_configs = relabelHosts;
+          scrape_interval = "1s";
+        }
+        { job_name = "wireguard";
+          static_configs = [
+            { targets = ["localhost:${toString config.services.prometheus.exporters.wireguard.port}"]; }
+          ];
+          relabel_configs = relabelHosts;
+          scrape_interval = "1s";
+        }
+        { job_name = "nftables";
+          static_configs = [
+            { targets = ["localhost:9901"]; }
+          ];
+          relabel_configs = relabelHosts;
+          scrape_interval = "1s";
+        }
+        { job_name = "blackbox";
+          metrics_path = "/probe";
+          params = { module = ["dns_soa"]; };
+          static_configs = [
+            { targets = ["127.0.0.53:53" "127.0.0.1:53"]; }
+          ];
+          relabel_configs = [
+            { source_labels = ["__address__"];
+              target_label = "__param_target";
+            }
+          ] ++ relabelHosts ++
+          [ { source_labels = ["__param_target"];
+              target_label = "job";
+              regex = "127\.0\.0\.53:53";
+              replacement = "systemd-resolved.dns_soa";
+            }
+            { source_labels = ["__param_target"];
+              target_label = "job";
+              regex = "127\.0\.0\.1:53";
+              replacement = "unbound.dns_soa";
+            }
+            { replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}";
+              target_label = "__address__";
+            }
+          ];
+          scrape_interval = "5s";
+        }
       ];
 
       rules = [
@@ -62,6 +145,52 @@ in {
         })
       ];
     };
+    users.users.${config.services.prometheus.exporters.unbound.user} = {
+      description = "Prometheus unbound exporter service user";
+      isSystemUser = true;
+      group = config.services.unbound.group;
+    };
+    systemd.services."prometheus-unbound-exporter".serviceConfig = {
+      DynamicUser = false;
+    };
+
+    systemd.services."prometheus-nftables-exporter" = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      path = with pkgs; [ nftables ];
+      serviceConfig = {
+        Restart = "always";
+
+        PrivateTmp = true;
+        WorkingDirectory = "/tmp";
+        CapabilityBoundingSet = ["CAP_NET_ADMIN"];
+        DynamicUser = true;
+        DeviceAllow = [""];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        UMask = "0077";
+        AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+
+        Type = "simple";
+        ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";
+        Environment = "NFT_HOSTNAME=localhost NFT_PORT=9901";
+      };
+    };
 
     sops.secrets."prometheus.key" = {
       format = "binary";
-- 
cgit v1.2.3