2021-02-21 22:38:36 +01:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
let
|
|
|
|
cfg = config.clerie.monitoring;
|
|
|
|
|
|
|
|
monitoring-network-base = "fd00:327:327:327::";
|
|
|
|
|
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
options = {
|
|
|
|
clerie.monitoring = {
|
|
|
|
enable = mkEnableOption "clerie's Monitoring";
|
|
|
|
id = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
description = "ID of the Monitoring Interface (it is actually a part of an ip address)";
|
|
|
|
};
|
|
|
|
pubkey = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
description = "Public Key of the monitoring wireguard interface of this host";
|
|
|
|
};
|
2023-05-06 16:11:49 +02:00
|
|
|
privateKeyFile = mkOption {
|
|
|
|
type = with types; nullOr str;
|
|
|
|
default = null;
|
|
|
|
description = "Path to private key file, pulls secret from secret store when null";
|
|
|
|
};
|
2023-01-05 23:16:50 +01:00
|
|
|
serviceLevel = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "infra";
|
|
|
|
description = "Service level this instance is assigned to";
|
|
|
|
};
|
2022-03-22 12:16:28 +01:00
|
|
|
bird = mkEnableOption "Monitor bird";
|
2022-10-31 22:54:06 +01:00
|
|
|
blackbox = mkEnableOption "Monitor blackbox";
|
2023-01-02 21:43:43 +01:00
|
|
|
nixos = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
description = "Monitor NixOS";
|
|
|
|
};
|
2021-02-21 22:38:36 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
networking.wireguard.enable = true;
|
|
|
|
networking.wireguard.interfaces = {
|
|
|
|
wg-monitoring = {
|
|
|
|
ips = [ "${monitoring-network-base}${cfg.id}/64" ];
|
|
|
|
peers = [
|
|
|
|
{
|
|
|
|
endpoint = "[2001:638:904:ffca::7]:54523";
|
|
|
|
persistentKeepalive = 25;
|
|
|
|
allowedIPs = [ "${monitoring-network-base}/64" ];
|
|
|
|
publicKey = "eyhJKV41E1F0gZHBNqyzUnj72xg5f3bdDduVtpPN4AY=";
|
|
|
|
}
|
|
|
|
];
|
2024-04-20 23:20:14 +02:00
|
|
|
privateKeyFile = if cfg.privateKeyFile != null then cfg.privateKeyFile else
|
|
|
|
if builtins.elem "wg-monitoring" (attrNames config.sops.secrets) then config.sops.secrets.wg-monitoring.path else
|
|
|
|
config.age.secrets.wg-monitoring.path;
|
2021-02-21 22:38:36 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
services.prometheus.exporters.node = {
|
|
|
|
enable = true;
|
|
|
|
#listenAddress = "${monitoring-network-base}${cfg.id}";
|
|
|
|
openFirewall = true;
|
|
|
|
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9100";
|
2023-04-30 20:57:42 +02:00
|
|
|
enabledCollectors = [
|
|
|
|
"systemd"
|
|
|
|
];
|
2023-05-23 20:18:40 +02:00
|
|
|
extraFlags = [
|
|
|
|
"--collector.textfile.directory=/var/lib/prometheus-node-exporter/textfiles"
|
|
|
|
];
|
2021-02-21 22:38:36 +01:00
|
|
|
};
|
2022-03-22 12:16:28 +01:00
|
|
|
|
2023-05-23 20:18:40 +02:00
|
|
|
systemd.tmpfiles.rules = [
|
|
|
|
"d /var/lib/prometheus-node-exporter/textfiles - - - - -"
|
|
|
|
];
|
|
|
|
|
2022-11-02 18:47:06 +01:00
|
|
|
systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ];
|
|
|
|
|
2022-03-22 12:16:28 +01:00
|
|
|
services.prometheus.exporters.bird = mkIf cfg.bird {
|
|
|
|
enable = true;
|
|
|
|
openFirewall = true;
|
|
|
|
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9324";
|
|
|
|
};
|
2022-10-31 22:54:06 +01:00
|
|
|
|
|
|
|
services.prometheus.exporters.blackbox = mkIf cfg.blackbox {
|
|
|
|
enable = true;
|
|
|
|
openFirewall = true;
|
|
|
|
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9115";
|
|
|
|
configFile = pkgs.writeText "blackbox.yml" ''
|
|
|
|
modules:
|
|
|
|
icmp6:
|
|
|
|
prober: icmp
|
|
|
|
icmp:
|
|
|
|
preferred_ip_protocol: ip6
|
|
|
|
ip_protocol_fallback: false
|
|
|
|
icmp4:
|
|
|
|
prober: icmp
|
|
|
|
icmp:
|
|
|
|
preferred_ip_protocol: ip4
|
|
|
|
ip_protocol_fallback: false
|
|
|
|
'';
|
|
|
|
};
|
2023-01-02 19:10:33 +01:00
|
|
|
|
|
|
|
|
2023-05-09 11:56:53 +02:00
|
|
|
services.nixos-exporter = {
|
|
|
|
enable = true;
|
|
|
|
listen = "[::]:9152";
|
2023-01-02 19:10:33 +01:00
|
|
|
};
|
2023-01-02 21:43:43 +01:00
|
|
|
|
|
|
|
networking.firewall.extraCommands = ''
|
|
|
|
ip46tables -A nixos-fw -i wg-monitoring -p tcp -m tcp --dport 9152 -m comment --comment nixos-exporter -j nixos-fw-accept
|
|
|
|
'';
|
2021-02-21 22:38:36 +01:00
|
|
|
};
|
|
|
|
}
|