1
0
nixfiles/modules/monitoring/default.nix

118 lines
3.4 KiB
Nix
Raw Normal View History

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.clerie.monitoring;
monitoring-network-base = "fd00:327:327:327::";
in
{
options = {
clerie.monitoring = {
enable = mkEnableOption "clerie's Monitoring";
id = mkOption {
type = types.str;
description = "ID of the Monitoring Interface (it is actually a part of an ip address)";
};
pubkey = mkOption {
type = types.str;
description = "Public Key of the monitoring wireguard interface of this host";
};
privateKeyFile = mkOption {
type = with types; nullOr str;
default = null;
description = "Path to private key file, pulls secret from secret store when null";
};
serviceLevel = mkOption {
type = types.str;
default = "infra";
description = "Service level this instance is assigned to";
};
2022-03-22 12:16:28 +01:00
bird = mkEnableOption "Monitor bird";
blackbox = mkEnableOption "Monitor blackbox";
nixos = mkOption {
type = types.bool;
default = true;
description = "Monitor NixOS";
};
};
};
config = mkIf cfg.enable {
networking.wireguard.enable = true;
networking.wireguard.interfaces = {
wg-monitoring = {
ips = [ "${monitoring-network-base}${cfg.id}/64" ];
peers = [
{
endpoint = "[2001:638:904:ffca::7]:54523";
persistentKeepalive = 25;
allowedIPs = [ "${monitoring-network-base}/64" ];
publicKey = "eyhJKV41E1F0gZHBNqyzUnj72xg5f3bdDduVtpPN4AY=";
}
];
2024-04-20 23:20:14 +02:00
privateKeyFile = if cfg.privateKeyFile != null then cfg.privateKeyFile else
if builtins.elem "wg-monitoring" (attrNames config.sops.secrets) then config.sops.secrets.wg-monitoring.path else
config.age.secrets.wg-monitoring.path;
};
};
services.prometheus.exporters.node = {
enable = true;
#listenAddress = "${monitoring-network-base}${cfg.id}";
openFirewall = true;
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9100";
enabledCollectors = [
"systemd"
];
extraFlags = [
"--collector.textfile.directory=/var/lib/prometheus-node-exporter/textfiles"
];
};
2022-03-22 12:16:28 +01:00
systemd.tmpfiles.rules = [
"d /var/lib/prometheus-node-exporter/textfiles - - - - -"
];
systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ];
2022-03-22 12:16:28 +01:00
services.prometheus.exporters.bird = mkIf cfg.bird {
enable = true;
openFirewall = true;
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9324";
};
services.prometheus.exporters.blackbox = mkIf cfg.blackbox {
enable = true;
openFirewall = true;
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9115";
configFile = pkgs.writeText "blackbox.yml" ''
modules:
icmp6:
prober: icmp
icmp:
preferred_ip_protocol: ip6
ip_protocol_fallback: false
icmp4:
prober: icmp
icmp:
preferred_ip_protocol: ip4
ip_protocol_fallback: false
'';
};
2023-01-02 19:10:33 +01:00
services.nixos-exporter = {
enable = true;
listen = "[::]:9152";
2023-01-02 19:10:33 +01:00
};
networking.firewall.extraCommands = ''
ip46tables -A nixos-fw -i wg-monitoring -p tcp -m tcp --dport 9152 -m comment --comment nixos-exporter -j nixos-fw-accept
'';
};
}