From a806adad2017413071d20d519d9a5d9b6b937474 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 1 Jan 2022 16:51:10 +0100
Subject: vidhar: prometheus: nftables
---
hosts/vidhar/prometheus/default.nix | 44 +++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
(limited to 'hosts/vidhar/prometheus')
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index f915fc68..87035d5d 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -142,6 +142,13 @@ in {
 relabel_configs = relabelHosts;
 scrape_interval = "1s";
 }
+ { job_name = "nftables";
+ static_configs = [
+ { targets = ["localhost:9901"]; }
+ ];
+ relabel_configs = relabelHosts;
+ scrape_interval = "1s";
+ }
 ];
 };
 users.users.${config.services.prometheus.exporters.unbound.user} = {
@@ -193,5 +200,42 @@ in {
 format = "binary";
 sopsFile = ./zte_10.141.1.3;
 };
+
+ systemd.services."prometheus-nftables-exporter" = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ Restart = "always";
+ PrivateTmp = true;
+ WorkingDirectory = "/tmp";
+ DynamicUser = true;
+ CapabilityBoundingSet = [""];
+ DeviceAllow = [""];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+
+ Type = "simple";
+ ExecStart = "${pkgs.nftables-prometheus-exporter}/bin/nftables-prometheus-exporter";
+ Environment = "ZTE_HOSTNAME=localhost ZTE_PORT=9901";
+ };
+ };
 };
 }
--
cgit v1.2.3
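Review bot: The new scrape job hard-codes `"localhost:9901"`, the same port the exporter unit in this commit is told to listen on through its `Environment` string, so the two literals can drift apart silently; a shared `let nftablesExporterPort = 9901;` binding referenced from both `targets` and `Environment` would keep them in step. A one-line comment on the `job_name = "nftables"` line saying which unit serves the target, e.g. `# served by systemd.services.prometheus-nftables-exporter below`, would also help, because unlike the exporters visible nearby this one is not wired through a `services.prometheus.exporters.*` option. The enclosing list of scrape jobs begins before the hunk.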
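Review bot: `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];` in the new serviceConfig omits AF_NETLINK, yet reading the nftables ruleset from the kernel (whether the exporter shells out to `nft` or links libnftables) goes over a netlink socket, so the first scrape would presumably fail with EAFNOSUPPORT; the line should read `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];`. A few lines above, the empty `CapabilityBoundingSet = [""];` reads as contradicting `AmbientCapabilities = [ "CAP_NET_ADMIN" ];`; even if systemd folds ambient capabilities into the bounding set, writing `CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];` states the intent, and a short comment that CAP_NET_ADMIN is the only privilege kept, needed to read the ruleset, would spare the next reader the same question. The `ZTE_HOSTNAME`/`ZTE_PORT` names in `Environment` look carried over from the ZTE exporter in the surrounding context; confirm these are the variables `nftables-prometheus-exporter` actually reads, since the scrape job depends on it listening on 9901. The enclosing module attribute set begins before the hunk.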