# NixOS module that attaches a host to clerie's monitoring overlay: a
# WireGuard interface (wg-monitoring) carrying a ULA /64, plus Prometheus
# exporters whose firewall openings are pinned to that interface only.
{ config, lib, pkgs, ... }:

let
  cfg = config.clerie.monitoring;

  # Interface name; every firewall rule below is tied to it.
  wgInterface = "wg-monitoring";

  # ULA prefix of the monitoring network.  cfg.id supplies the host part of
  # this host's address inside the prefix.
  monitoringPrefix = "fd00:327:327:327::";
  monitoringNet = "${monitoringPrefix}/64";

  # iptables match admitting a TCP port only for packets that arrived on the
  # monitoring interface.  The exporters below do not pin their listen
  # address, so this interface-bound rule is what keeps them from being
  # reachable through the NixOS firewall on any other interface.
  onlyViaMonitoring = port: "-i ${wgInterface} -p tcp -m tcp --dport ${toString port}";

  # Common exporter settings: enabled, firewall opened, but only via wg-monitoring.
  exporterOn = port: {
    enable = true;
    openFirewall = true;
    firewallFilter = onlyViaMonitoring port;
  };
in
{
  options.clerie.monitoring = {
    enable = lib.mkEnableOption "clerie's Monitoring";

    id = lib.mkOption {
      type = lib.types.str;
      description = "ID of the Monitoring Interface (it is actually a part of an ip address)";
    };

    # Declared here but not consumed by this module; presumably read by the
    # monitoring server's peer configuration — confirm against its consumer.
    pubkey = lib.mkOption {
      type = lib.types.str;
      description = "Public Key of the monitoring wireguard interface of this host";
    };

    bird = lib.mkEnableOption "Monitor bird";
    blackbox = lib.mkEnableOption "Monitor blackbox";
  };

  config = lib.mkIf cfg.enable {
    networking.wireguard = {
      enable = true;
      interfaces.${wgInterface} = {
        ips = [ "${monitoringPrefix}${cfg.id}/64" ];
        # Key material is referenced by path and read at interface setup, so
        # it never ends up in the Nix store.
        privateKeyFile = "/var/src/secrets/wireguard/wg-monitoring";
        peers = [
          {
            endpoint = "[2001:638:904:ffca::7]:54523";
            publicKey = "eyhJKV41E1F0gZHBNqyzUnj72xg5f3bdDduVtpPN4AY=";
            # Only the monitoring prefix is routed into the tunnel.
            allowedIPs = [ monitoringNet ];
            persistentKeepalive = 25;
          }
        ];
      };
    };

    services.prometheus.exporters = {
      # The node exporter keeps the module's default listen address (binding it
      # to the wg address was tried and left commented out); exposure is
      # bounded by the interface-bound firewall filter instead.
      node = exporterOn 9100;
      #node.listenAddress = "${monitoringPrefix}${cfg.id}";

      bird = lib.mkIf cfg.bird (exporterOn 9324);

      # Blackbox probes whatever target a scraper asks for, hence the same
      # interface-restricted firewall opening as the other exporters.
      blackbox = lib.mkIf cfg.blackbox ((exporterOn 9115) // {
        # Two ICMP modules, one per IP family, each without protocol fallback
        # so a probe never silently switches families.
        configFile = pkgs.writeText "blackbox.yml" ''
          modules:
            icmp6:
              prober: icmp
              icmp:
                preferred_ip_protocol: ip6
                ip_protocol_fallback: false
            icmp4:
              prober: icmp
              icmp:
                preferred_ip_protocol: ip4
                ip_protocol_fallback: false
        '';
      });
    };

    # NixOS merges list-valued systemd unit options by concatenation, so this
    # adds AF_NETLINK to the exporter's address-family allow-list rather than
    # replacing it.  Presumably required by netlink-backed collectors — TODO
    # confirm against the enabled collector set.
    systemd.services.prometheus-node-exporter.serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ];
  };
}