From b931543508377c0e48a6801e4ea217eb523e2b03 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Tue, 13 Sep 2022 10:29:35 +0200
Subject: ...

---
 hosts/vidhar/prometheus/default.nix | 50 +++++++++++++++++++------------------
 1 file changed, 26 insertions(+), 24 deletions(-)

(limited to 'hosts/vidhar/prometheus')

diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index 4c23d8a9..7ac86c30 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -34,20 +34,6 @@ in {
           enable = true;
           enabledCollectors = [];
         };
-        smartctl = {
-          enable = true;
-          devices = map (dev: "/dev/disk/by-path/${dev}") [
-            "pci-0000:00:1f.2-ata-1"
-            "pci-0000:00:1f.2-ata-3"
-            "pci-0000:00:1f.2-ata-4"
-            "pci-0000:00:1f.2-ata-5"
-            "pci-0000:00:1f.2-ata-6"
-            "pci-0000:02:00.0-nvme-1"
-            "pci-0000:05:00.0-sas-phy0-lun-0"
-            "pci-0000:05:00.0-sas-phy1-lun-0"
-            "pci-0000:06:00.0-nvme-1"
-          ];
-        };
         snmp = {
           enable = true;
           configurationPath = ./snmp.yml;
@@ -124,10 +110,10 @@ in {
         }
         { job_name = "smartctl";
           static_configs = [
-            { targets = ["localhost:${toString config.services.prometheus.exporters.smartctl.port}"]; }
+            { targets = ["localhost:9633"]; }
           ];
           relabel_configs = relabelHosts;
-          scrape_interval = "1s";
+          scrape_interval = "60s";
         }
         { job_name = "snmp";
           static_configs = [
@@ -376,6 +362,30 @@ in {
       };
     };
 
+    systemd.services."prometheus-smartctl-exporter" = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      path = with pkgs; [ smartmontools ];
+      serviceConfig = {
+        Restart = "always";
+
+        CapabilityBoundingSet = ["CAP_DAC_OVERRIDE" "CAP_SYS_RAWIO" "CAP_SYS_ADMIN"];
+        AmbientCapabilities = ["CAP_DAC_OVERRIDE" "CAP_SYS_RAWIO" "CAP_SYS_ADMIN"];
+        ProtectSystem = "strict";
+        DynamicUser = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = false;
+        PrivateTmp = true;
+        ProcSubset = "pid";
+
+        Type = "simple";
+        ExecStart = "${pkgs.smartprom}/bin/smartprom";
+        Environment = "SMARTCTL_EXPORTER_PORT=9633";
+      };
+    };
+
     systemd.services."prometheus-systemd-exporter" = let
       cfg = config.services.prometheus.exporters.systemd;
     in {
@@ -385,14 +395,6 @@ in {
       '';
     };
 
-    systemd.services."prometheus-smartctl-exporter" = {
-      serviceConfig = {
-        DeviceAllow = lib.mkForce config.services.prometheus.exporters.smartctl.devices;
-        CapabilityBoundingSet = lib.mkForce ["CAP_SYS_ADMIN"];
-        AmbientCapabilities = lib.mkForce ["CAP_SYS_ADMIN"];
-      };
-    };
-
     services.nginx = {
       upstreams.prometheus = {
         servers = { "localhost:${toString config.services.prometheus.port}" = {}; };
-- 
cgit v1.2.3