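# NixOS module: a Prometheus server on this host, the local exporters it
# scrapes (node, smartctl, snmp, unbound, wireguard, corerad) and a sandboxed
# exporter unit for the ZTE device at 10.141.1.3.
{ config, lib, pkgs, ... }:

let
  # Port the ZTE exporter listens on. Kept in one place so the unit's
  # ZTE_PORT and the "zte" scrape target cannot drift apart.
  ztePort = 9900;

  # Rewrites the `instance` label from the scrape address to a stable host
  # name. Prometheus anchors relabel regexes, so each pattern must match the
  # whole of __address__.
  relabelHosts = [
    {
      source_labels = ["__address__"];
      target_label = "instance";
      regex = "localhost(:[0-9]+)?";
      replacement = "vidhar";
    }
    {
      source_labels = ["__address__"];
      target_label = "instance";
      # Dots are escaped so the pattern matches only this literal address;
      # an unescaped "." would accept any character in those positions.
      regex = "10\\.141\\.1\\.2(:[0-9]+)?";
      replacement = "switch01";
    }
  ];
in {
  config = {
    services.prometheus = {
      enable = true;

      exporters = {
        node.enable = true;

        smartctl = {
          enable = true;
          # NOTE(review): these names look like /dev/disk/by-path entries but
          # are prefixed with plain /dev/ — confirm matching symlinks exist.
          devices = map (dev: "/dev/${dev}") [
            "pci-0000:00:1f.2-ata-1"
            "pci-0000:00:1f.2-ata-3"
            "pci-0000:00:1f.2-ata-4"
            "pci-0000:00:1f.2-ata-5"
            "pci-0000:00:1f.2-ata-6"
            "pci-0000:02:00.0-nvme-1"
            "pci-0000:05:00.0-sas-phy0-lun-0"
            "pci-0000:05:00.0-sas-phy1-lun-0"
            "pci-0000:06:00.0-nvme-1"
          ];
        };

        snmp = {
          enable = true;
          configuration = {
            default = {
              # SNMP v2c sends the community string in cleartext, and "public"
              # is the well-known default. Because it is a literal in this
              # file it is also readable by anyone who can read the
              # repository or the generated configuration. Keep the community
              # read-only on the switch and limit SNMP access there to this
              # host's address.
              auth = {
                community = "public";
              };
              version = 2;
            };
          };
        };

        unbound = {
          enable = true;
          controlInterface = "/run/unbound/unbound.ctl";
          # Shares unbound's group so the exporter can open the control
          # socket. That socket is unbound's remote-control interface, not a
          # read-only statistics endpoint, so this exporter is trusted with
          # more than metrics access.
          group = config.services.unbound.group;
        };

        wireguard.enable = true;
      };

      scrapeConfigs = [
        {
          job_name = "node";
          static_configs = [
            { targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"]; }
          ];
          relabel_configs = relabelHosts;
        }
        {
          job_name = "smartctl";
          static_configs = [
            { targets = ["localhost:${toString config.services.prometheus.exporters.smartctl.port}"]; }
          ];
          relabel_configs = relabelHosts;
        }
        {
          job_name = "snmp";
          static_configs = [
            { targets = ["10.141.1.2"]; }
          ];
          metrics_path = "/snmp";
          # NOTE(review): the job requests module "if_mib" while the exporter
          # configuration in this file only defines "default" — confirm the
          # exporter can resolve that module.
          params = {
            module = ["if_mib"];
          };
          # Order matters. relabelHosts has to run while __address__ still
          # holds the switch address; once __address__ is rewritten to the
          # local exporter it would match the "localhost" rule and the switch
          # metrics would be recorded as instance="vidhar".
          relabel_configs = [
            # Pass the device address to the exporter as ?target=...
            { source_labels = ["__address__"]; target_label = "__param_target"; }
            # Fallback instance label for targets relabelHosts does not know.
            { source_labels = ["__param_target"]; target_label = "instance"; }
          ] ++ relabelHosts ++ [
            # Finally point the scrape itself at the local SNMP exporter.
            {
              replacement = "localhost:${toString config.services.prometheus.exporters.snmp.port}";
              target_label = "__address__";
            }
          ];
        }
        {
          job_name = "zte";
          static_configs = [
            { targets = ["localhost:${toString ztePort}"]; }
          ];
          # The exporter runs locally, so the instance label is set by hand.
          relabel_configs = [
            { replacement = "telekom"; target_label = "instance"; }
          ];
        }
        {
          job_name = "unbound";
          static_configs = [
            { targets = ["localhost:${toString config.services.prometheus.exporters.unbound.port}"]; }
          ];
          relabel_configs = relabelHosts;
        }
        {
          job_name = "wireguard";
          static_configs = [
            { targets = ["localhost:${toString config.services.prometheus.exporters.wireguard.port}"]; }
          ];
          relabel_configs = relabelHosts;
        }
        {
          job_name = "corerad";
          static_configs = [
            { targets = ["localhost:9430"]; }
          ];
          relabel_configs = relabelHosts;
        }
      ];
    };

    # Static account for the unbound exporter (the unit below turns
    # DynamicUser off), placed in unbound's group for control-socket access.
    users.users.${config.services.prometheus.exporters.unbound.user} = {
      description = "Prometheus unbound exporter service user";
      isSystemUser = true;
      group = config.services.unbound.group;
    };

    systemd.services."prometheus-unbound-exporter".serviceConfig = {
      # Run as the static user declared above instead of a transient one.
      DynamicUser = false;
    };

    # Exporter for the ZTE device. The unit's instance name (%I) is the
    # device address and is substituted into ZTE_BASEURL.
    systemd.services."prometheus-zte-exporter@10.141.1.3" = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        Type = "simple";
        Restart = "always";
        ExecStart = "${pkgs.zte-prometheus-exporter}/bin/zte-prometheus-exporter";

        # ZTE_HOSTNAME=localhost keeps the metrics listener off external
        # interfaces. The upstream URL is plain http://, so whatever the
        # exporter sends to the device crosses that network segment
        # unencrypted.
        # NOTE(review): presumably this includes the credentials from the
        # EnvironmentFile — confirm, and prefer https if the device offers it.
        Environment = "ZTE_BASEURL=http://%I ZTE_HOSTNAME=localhost ZTE_PORT=${toString ztePort}";
        # Decrypted by sops-nix at activation; the contents never appear in
        # this file.
        EnvironmentFile = config.sops.secrets."zte_10.141.1.3".path;

        # Sandboxing: transient unprivileged user, no capabilities, no device
        # access, read-only system, and only IPv4/IPv6 sockets.
        DynamicUser = true;
        PrivateTmp = true;
        WorkingDirectory = "/tmp";
        CapabilityBoundingSet = [""];
        DeviceAllow = [""];
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        RemoveIPC = true;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        UMask = "0077";
      };
    };

    # Encrypted environment file for the ZTE exporter; "binary" means the
    # whole file is the secret rather than a key inside a YAML/JSON document.
    sops.secrets."zte_10.141.1.3" = {
      format = "binary";
      sopsFile = ./zte_10.141.1.3;
    };
  };
}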