From 38e371ebe3006fd42ec07892c439872581632b8f Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Thu, 16 Oct 2025 08:54:47 +0200
Subject: ...

---
 hosts/vidhar/prometheus/default.nix | 52 +++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

(limited to 'hosts/vidhar/prometheus/default.nix')

diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index 094f9f7a..005af680 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -145,6 +145,17 @@ in {
           ];
           scrape_interval = "15s";
         }
+        { job_name = "zte";
+          static_configs = [
+            { targets = ["localhost:9900"]; }
+          ];
+          relabel_configs = [
+            { replacement = "dsl01";
+              target_label = "instance";
+            }
+          ];
+          scrape_interval = "15s";
+        }
         { job_name = "unbound";
           static_configs = [
             { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
@@ -425,6 +436,47 @@ in {
       };
     };
 
+    systemd.services."prometheus-zte-exporter@dsl01.mgmt.yggdrasil" = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      serviceConfig = {
+        Restart = "always";
+        PrivateTmp = true;
+        WorkingDirectory = "/tmp";
+        DynamicUser = true;
+        CapabilityBoundingSet = [""];
+        DeviceAllow = [""];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        UMask = "0077";
+
+        Type = "simple";
+        ExecStart = "${pkgs.zte-prometheus-exporter}/bin/zte-prometheus-exporter";
+        Environment = "ZTE_BASEURL=http://%I ZTE_HOSTNAME=localhost ZTE_PORT=9900";
+        EnvironmentFile = config.sops.secrets."zte_dsl01.mgmt.yggdrasil".path;
+      };
+    };
+    sops.secrets."zte_dsl01.mgmt.yggdrasil" = {
+      format = "binary";
+      sopsFile = ./zte_dsl01.mgmt.yggdrasil;
+    };
+
     services.nginx = {
       upstreams.prometheus = {
         servers = { "localhost:${toString config.services.prometheus.port}" = {}; };
-- 
cgit v1.2.3