gitea: Add monitoring

2023-10-07 04:15:52 +02:00 · 2023-10-07 04:15:52 +02:00 · 345159601e
commit 345159601e
parent c373911a1b
4 changed files with 54 additions and 8 deletions
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@ -1,6 +1,7 @@
 {
  pkgs,
  config,
+  lib,
  ...
 }: let
  domain = "gitea.${config.services.nginx.domain}";
@ -19,11 +20,23 @@ in {
        SSH_PORT = 2222;
      };

+      metrics = {
+        ENABLED = true;
+        TOKEN = "#metricstoken#";
+      };
      service.DISABLE_REGISTRATION = true;
      session.COOKIE_SECURE = true;
    };
  };

+  systemd.services.gitea.serviceConfig.ExecStartPre = let
+    replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
+    secretPath = config.sops.secrets."gitea/metrics-token".path;
+    runConfig = "${config.services.gitea.customDir}/conf/app.ini";
+  in [
+    "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
+  ];
+
  # Set up SSL
  services.nginx.virtualHosts."${domain}" = let
    httpAddress = config.services.gitea.settings.server.HTTP_ADDR;
@ -37,6 +50,14 @@ in {
    '';

    locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
+    locations."/metrics" = {
+      extraConfig = ''
+        access_log off;
+        allow 127.0.0.1;
+        ${lib.optionalString config.networking.enableIPv6 "allow ::1;"}
+        deny all;
+      '';
+    };
  };

  # Block repeated failed login attempts
--- a/configuration/services/metrics/default.nix
+++ b/configuration/services/metrics/default.nix
@ -138,12 +138,29 @@ in {
          job_name = "tlater.net";
          static_configs = [
            {
-              targets =
-                lib.mapAttrsToList (name: exporter: "${exporter.listenAddress}:${toString exporter.port}")
-                (lib.filterAttrs (name: exporter: (builtins.isAttrs exporter) && exporter.enable)
-                  (config.services.prometheus.exporters // config.services.prometheus.local-exporters))
-                ++ [
-                  "127.0.0.1:9641" # coturn
+              targets = let
+                exporters = config.services.prometheus.exporters;
+                localExporters = config.services.prometheus.local-exporters;
+              in
+                map (exporter: "${exporter.listenAddress}:${toString exporter.port}") [
+                  exporters.domain
+                  exporters.node
+                  exporters.nginx
+                  exporters.nginxlog
+                  exporters.systemd
+
+                  localExporters.prometheus-fail2ban-exporter
+
+                  {
+                    # coturn
+                    listenAddress = "127.0.0.1";
+                    port = "9641";
+                  }
+                  {
+                    # gitea
+                    listenAddress = "127.0.0.1";
+                    port = "3000";
+                  }
                ];
            }
          ];