From 703f03b0a86c490f4c7d2a2ae06588927feebd05 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Fri, 8 Apr 2022 23:47:07 +0200 Subject: surtr: prometheus --- hosts/surtr/prometheus/default.nix | 129 +++++++++++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) (limited to 'hosts/surtr/prometheus') diff --git a/hosts/surtr/prometheus/default.nix b/hosts/surtr/prometheus/default.nix index 26144302..a3ce4976 100644 --- a/hosts/surtr/prometheus/default.nix +++ b/hosts/surtr/prometheus/default.nix @@ -20,6 +20,41 @@ in { enable = true; enabledCollectors = []; }; + unbound = { + enable = true; + controlInterface = "/run/unbound/unbound.ctl"; + group = config.services.unbound.group; + }; + wireguard = { + enable = true; + wireguardConfig = + let + keys = { + "sif" = ["yioRagUtRvalJLrTtLp8NPiym6a3RpIcqgVfNL1iyRA=" "zIgyMw5wSernKPmMfDZ+fqaYUjbIQUhsXe+7hIZgJho="]; + "surtr" = ["YP/sWEUWw51czlGxvgrgyEZ+ssx/3C9siufgd0a8d3g=" "6V2EjwvZ07Pebc9g9TNqIlQu57MvqyUsCeIOzky4Txw="]; + "vidhar" = ["IOuHpNQ2ff09HCPKtKY95lDXoRhd8FIBsbB8kaMeUUA=" "jdaF4sx+dhdkTNGxQI6g6JV4XwXgD9QQJQ4f0NYy1gY=" "moESFbO3qUTuoOv6lbzSLrNYSjHkM5hyvAs5XZtQzRA="]; + }; + in pkgs.writeText "wireguard-config" (concatMapStringsSep "\n" ({ name, value }: '' + [Peer] + # friendly_name = ${name} + PublicKey = ${value} + AllowedIPs = ::/0 + '') (concatLists (mapAttrsToList (host: hostKeys: map (nameValuePair host) hostKeys) keys))); + }; + blackbox = { + enable = true; + configFile = pkgs.writeText "blackbox-config.yaml" (builtins.toJSON { + modules = { + "dns_soa" = { + prober = "dns"; + dns = { + query_name = "."; + query_type = "SOA"; + }; + }; + }; + }); + }; }; globalConfig = { @@ -53,6 +88,54 @@ in { relabel_configs = relabelHosts; scrape_interval = "1s"; } + { job_name = "unbound"; + static_configs = [ + { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; } + ]; + relabel_configs = relabelHosts; + scrape_interval = "1s"; + } + { job_name = "wireguard"; + static_configs = [ + { targets = ["localhost:${toString config.services.prometheus.exporters.wireguard.port}"]; } + ]; + relabel_configs = relabelHosts; + scrape_interval = "1s"; + } + { job_name = "nftables"; + static_configs = [ + { targets = ["localhost:9901"]; } + ]; + relabel_configs = relabelHosts; + scrape_interval = "1s"; + } + { job_name = "blackbox"; + metrics_path = "/probe"; + params = { module = ["dns_soa"]; }; + static_configs = [ + { targets = ["127.0.0.53:53" "127.0.0.1:53"]; } + ]; + relabel_configs = [ + { source_labels = ["__address__"]; + target_label = "__param_target"; + } + ] ++ relabelHosts ++ + [ { source_labels = ["__param_target"]; + target_label = "job"; + regex = "127\.0\.0\.53:53"; + replacement = "systemd-resolved.dns_soa"; + } + { source_labels = ["__param_target"]; + target_label = "job"; + regex = "127\.0\.0\.1:53"; + replacement = "unbound.dns_soa"; + } + { replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}"; + target_label = "__address__"; + } + ]; + scrape_interval = "5s"; + } ]; rules = [ @@ -62,6 +145,52 @@ in { }) ]; }; + users.users.${config.services.prometheus.exporters.unbound.user} = { + description = "Prometheus unbound exporter service user"; + isSystemUser = true; + group = config.services.unbound.group; + }; + systemd.services."prometheus-unbound-exporter".serviceConfig = { + DynamicUser = false; + }; + + systemd.services."prometheus-nftables-exporter" = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + path = with pkgs; [ nftables ]; + serviceConfig = { + Restart = "always"; + + PrivateTmp = true; + WorkingDirectory = "/tmp"; + CapabilityBoundingSet = ["CAP_NET_ADMIN"]; + DynamicUser = true; + DeviceAllow = [""]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + UMask = "0077"; + AmbientCapabilities = [ "CAP_NET_ADMIN" ]; + + Type = "simple"; + ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter"; + Environment = "NFT_HOSTNAME=localhost NFT_PORT=9901"; + }; + }; sops.secrets."prometheus.key" = { format = "binary"; -- cgit v1.2.3