From bf83ec9244e67ae14affc46f508a2f790fc62466 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 11 Mar 2023 13:06:00 +0100
Subject: ...
---
 hosts/vidhar/prometheus/default.nix | 45 +++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 (limited to 'hosts/vidhar')
diff --git a/hosts/vidhar/prometheus/default.nix b/hosts/vidhar/prometheus/default.nix
index 6bfa0b49..869b9b18 100644
--- a/hosts/vidhar/prometheus/default.nix
+++ b/hosts/vidhar/prometheus/default.nix
@@ -184,6 +184,13 @@ in {
 relabel_configs = relabelHosts;
 scrape_interval = "1s";
 }
+ { job_name = "cake";
+ static_configs = [
+ { targets = ["localhost:9902"]; }
+ ];
+ relabel_configs = relabelHosts;
+ scrape_interval = "1s";
+ }
 { job_name = "loki";
 static_configs = [
 { targets = ["localhost:9094"]; }
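Review bot: The exporter port 9902 is hard-coded here in `targets` and again in `CAKE_PORT=9902` in the unit added by the second hunk, so changing one of them silently leaves Prometheus scraping a closed port. Binding it once, for example `cakeExporterPort = 9902;` in the enclosing `let` (which lies outside this hunk), and writing `{ targets = ["localhost:${toString cakeExporterPort}"]; }` here keeps the two in step. The unit's environment line would then use the same binding.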
@@ -406,6 +413,44 @@ in {
 };
 };
+ systemd.services."prometheus-cake-exporter" = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ path = with pkgs; [ iproute2 ];
+ serviceConfig = {
+ Restart = "always";
+
+ PrivateTmp = true;
+ WorkingDirectory = "/tmp";
+ CapabilityBoundingSet = ["CAP_NET_ADMIN"];
+ DynamicUser = true;
+ DeviceAllow = [""];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+
+ Type = "simple";
+ ExecStart = "${pkgs.cake-prometheus-exporter}/bin/cake-prometheus-exporter";
+ Environment = "CAKE_HOSTNAME=localhost CAKE_PORT=9902";
+ };
+ };
+
 services.nginx = {
 upstreams.prometheus = {
 servers = { "localhost:${toString config.services.prometheus.port}" = {}; };
-- cgit v1.2.3
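Review bot: The unit keeps `CAP_NET_ADMIN` in both `CapabilityBoundingSet` and `AmbientCapabilities`, and nothing else in `serviceConfig` narrows its network access, so a compromised exporter could reconfigure interfaces, routing or firewall state on the host. If the exporter only reads qdisc statistics through `tc` (inferred from `path = with pkgs; [ iproute2 ];`), that usually works unprivileged, so it is worth testing with `CapabilityBoundingSet = [""];` and the `AmbientCapabilities` line dropped. Either way, adding `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];`, `IPAddressDeny = "any";` and `IPAddressAllow = "localhost";` would confine the process to its loopback listener and netlink. The family list is a guess at what the exporter needs and should be checked against a running instance. `SystemCallFilter` is also unset, and `[ "@system-service" ]` would be the usual starting point.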