treewide: Start using nixpkgs-fmt formatting

Tristan Daniël Maat 2024-06-28 20:12:55 +02:00
parent 501c3466bc
commit fd138d45e6
Signed by: tlater
GPG key ID: 49670FD774E43268
29 changed files with 812 additions and 767 deletions


@ -1,25 +1,28 @@
{ config
, pkgs
, lib
, ...
}:
let
yaml = pkgs.formats.yaml { };
in
{
config,
pkgs,
lib,
...
}: let
yaml = pkgs.formats.yaml {};
in {
services.prometheus = {
exporters = {
# Periodically check domain registration status
domain = {
enable = true;
listenAddress = "127.0.0.1";
extraFlags = let
conf.domains = [
"tlater.net"
"tlater.com"
extraFlags =
let
conf.domains = [
"tlater.net"
"tlater.com"
];
in
[
"--config=${yaml.generate "domains.yml" conf}"
];
in [
"--config=${yaml.generate "domains.yml" conf}"
];
};
# System statistics
@ -49,47 +52,50 @@ in {
group = "nginx";
settings.namespaces =
lib.mapAttrsToList (name: virtualHost: {
inherit name;
metrics_override.prefix = "nginxlog";
namespace_label = "vhost";
lib.mapAttrsToList
(name: virtualHost: {
inherit name;
metrics_override.prefix = "nginxlog";
namespace_label = "vhost";
format = lib.concatStringsSep " " [
"$remote_addr - $remote_user [$time_local]"
''"$request" $status $body_bytes_sent''
''"$http_referer" "$http_user_agent"''
''rt=$request_time uct="$upstream_connect_time"''
''uht="$upstream_header_time" urt="$upstream_response_time"''
];
format = lib.concatStringsSep " " [
"$remote_addr - $remote_user [$time_local]"
''"$request" $status $body_bytes_sent''
''"$http_referer" "$http_user_agent"''
''rt=$request_time uct="$upstream_connect_time"''
''uht="$upstream_header_time" urt="$upstream_response_time"''
];
source.files = [
"/var/log/nginx/${name}/access.log"
];
})
config.services.nginx.virtualHosts;
source.files = [
"/var/log/nginx/${name}/access.log"
];
})
config.services.nginx.virtualHosts;
};
};
extraExporters = {
fail2ban = let
cfg = config.services.prometheus.extraExporters.fail2ban;
in {
port = 9191;
serviceOpts = {
after = ["fail2ban.service"];
requires = ["fail2ban.service"];
serviceConfig = {
Group = "fail2ban";
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
ExecStart = lib.concatStringsSep " " [
"${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter"
"--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock"
"--web.listen-address='${cfg.listenAddress}:${toString cfg.port}'"
"--collector.f2b.exit-on-socket-connection-error=true"
];
fail2ban =
let
cfg = config.services.prometheus.extraExporters.fail2ban;
in
{
port = 9191;
serviceOpts = {
after = [ "fail2ban.service" ];
requires = [ "fail2ban.service" ];
serviceConfig = {
Group = "fail2ban";
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
ExecStart = lib.concatStringsSep " " [
"${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter"
"--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock"
"--web.listen-address='${cfg.listenAddress}:${toString cfg.port}'"
"--collector.f2b.exit-on-socket-connection-error=true"
];
};
};
};
};
};
# TODO(tlater):


@ -1,6 +1,8 @@
{config, ...}: let
{ config, ... }:
let
domain = "metrics.${config.services.nginx.domain}";
in {
in
{
services.grafana = {
enable = true;
settings = {


@ -1,12 +1,13 @@
{
pkgs,
config,
lib,
...
}: let
{ pkgs
, config
, lib
, ...
}:
let
inherit (lib) types mkOption mkDefault;
yaml = pkgs.formats.yaml {};
in {
yaml = pkgs.formats.yaml { };
in
{
options = {
services.prometheus = {
extraExporters = mkOption {
@ -31,11 +32,10 @@ in {
};
services.victoriametrics.scrapeConfigs = mkOption {
type = types.attrsOf (types.submodule ({
name,
self,
...
}: {
type = types.attrsOf (types.submodule ({ name
, self
, ...
}: {
options = {
job_name = mkOption {
type = types.str;
@ -47,7 +47,7 @@ in {
description = ''
Other settings to set for this scrape config.
'';
default = {};
default = { };
};
targets = mkOption {
@ -57,11 +57,11 @@ in {
Shortcut for `static_configs = lib.singleton {targets = [<targets>];}`
'';
default = [];
default = [ ];
};
static_configs = mkOption {
default = [];
default = [ ];
type = types.listOf (types.submodule {
options = {
targets = mkOption {
@ -77,7 +77,7 @@ in {
description = lib.mdDoc ''
Labels to apply to all targets defined for this static config.
'';
default = {};
default = { };
};
};
});
@ -89,116 +89,125 @@ in {
config = {
systemd.services = lib.mkMerge [
(lib.mapAttrs' (name: exporter:
lib.nameValuePair "prometheus-${name}-exporter" (lib.mkMerge [
{
# Shamelessly copied from upstream because the upstream
# module is an intractable mess
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig.Restart = mkDefault "always";
serviceConfig.PrivateTmp = mkDefault true;
serviceConfig.WorkingDirectory = mkDefault /tmp;
serviceConfig.DynamicUser = mkDefault true;
# Hardening
serviceConfig.CapabilityBoundingSet = mkDefault [""];
serviceConfig.DeviceAllow = [""];
serviceConfig.LockPersonality = true;
serviceConfig.MemoryDenyWriteExecute = true;
serviceConfig.NoNewPrivileges = true;
serviceConfig.PrivateDevices = mkDefault true;
serviceConfig.ProtectClock = mkDefault true;
serviceConfig.ProtectControlGroups = true;
serviceConfig.ProtectHome = true;
serviceConfig.ProtectHostname = true;
serviceConfig.ProtectKernelLogs = true;
serviceConfig.ProtectKernelModules = true;
serviceConfig.ProtectKernelTunables = true;
serviceConfig.ProtectSystem = mkDefault "strict";
serviceConfig.RemoveIPC = true;
serviceConfig.RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
serviceConfig.RestrictNamespaces = true;
serviceConfig.RestrictRealtime = true;
serviceConfig.RestrictSUIDSGID = true;
serviceConfig.SystemCallArchitectures = "native";
serviceConfig.UMask = "0077";
}
exporter.serviceOpts
]))
config.services.prometheus.extraExporters)
(lib.mapAttrs'
(name: exporter:
lib.nameValuePair "prometheus-${name}-exporter" (lib.mkMerge [
{
# Shamelessly copied from upstream because the upstream
# module is an intractable mess
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig.Restart = mkDefault "always";
serviceConfig.PrivateTmp = mkDefault true;
serviceConfig.WorkingDirectory = mkDefault /tmp;
serviceConfig.DynamicUser = mkDefault true;
# Hardening
serviceConfig.CapabilityBoundingSet = mkDefault [ "" ];
serviceConfig.DeviceAllow = [ "" ];
serviceConfig.LockPersonality = true;
serviceConfig.MemoryDenyWriteExecute = true;
serviceConfig.NoNewPrivileges = true;
serviceConfig.PrivateDevices = mkDefault true;
serviceConfig.ProtectClock = mkDefault true;
serviceConfig.ProtectControlGroups = true;
serviceConfig.ProtectHome = true;
serviceConfig.ProtectHostname = true;
serviceConfig.ProtectKernelLogs = true;
serviceConfig.ProtectKernelModules = true;
serviceConfig.ProtectKernelTunables = true;
serviceConfig.ProtectSystem = mkDefault "strict";
serviceConfig.RemoveIPC = true;
serviceConfig.RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
serviceConfig.RestrictNamespaces = true;
serviceConfig.RestrictRealtime = true;
serviceConfig.RestrictSUIDSGID = true;
serviceConfig.SystemCallArchitectures = "native";
serviceConfig.UMask = "0077";
}
exporter.serviceOpts
]))
config.services.prometheus.extraExporters)
{
vmagent-scrape-exporters = let
listenAddress = config.services.victoriametrics.listenAddress;
vmAddr = (lib.optionalString (lib.hasPrefix ":" listenAddress) "127.0.0.1") + listenAddress;
promscrape = yaml.generate "prometheus.yml" {
scrape_configs = lib.mapAttrsToList (_: scrape:
lib.recursiveUpdate {
inherit (scrape) job_name;
static_configs =
scrape.static_configs
++ lib.optional (scrape.targets != []) {targets = scrape.targets;};
}
scrape.extraSettings)
config.services.victoriametrics.scrapeConfigs;
};
in {
enable = true;
path = [pkgs.victoriametrics];
wantedBy = ["multi-user.target"];
after = ["network.target" "victoriametrics.service"];
serviceConfig = {
ExecStart = [
(lib.concatStringsSep " " [
"${pkgs.victoriametrics}/bin/vmagent"
"-promscrape.config=${promscrape}"
"-remoteWrite.url=http://${vmAddr}/api/v1/write"
"-remoteWrite.tmpDataPath=%t/vmagent"
])
];
SupplementaryGroups = "metrics";
vmagent-scrape-exporters =
let
listenAddress = config.services.victoriametrics.listenAddress;
vmAddr = (lib.optionalString (lib.hasPrefix ":" listenAddress) "127.0.0.1") + listenAddress;
promscrape = yaml.generate "prometheus.yml" {
scrape_configs = lib.mapAttrsToList
(_: scrape:
lib.recursiveUpdate
{
inherit (scrape) job_name;
static_configs =
scrape.static_configs
++ lib.optional (scrape.targets != [ ]) { targets = scrape.targets; };
}
scrape.extraSettings)
config.services.victoriametrics.scrapeConfigs;
};
in
{
enable = true;
path = [ pkgs.victoriametrics ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "victoriametrics.service" ];
serviceConfig = {
ExecStart = [
(lib.concatStringsSep " " [
"${pkgs.victoriametrics}/bin/vmagent"
"-promscrape.config=${promscrape}"
"-remoteWrite.url=http://${vmAddr}/api/v1/write"
"-remoteWrite.tmpDataPath=%t/vmagent"
])
];
SupplementaryGroups = "metrics";
DynamicUser = true;
RuntimeDirectory = "vmagent";
CapabilityBoundingSet = [""];
DeviceAllow = [""];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = "0077";
DynamicUser = true;
RuntimeDirectory = "vmagent";
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = "0077";
};
};
};
}
];
users.groups.metrics = {};
users.groups.metrics = { };
services.victoriametrics.scrapeConfigs = let
allExporters =
lib.mapAttrs (name: exporter: {
inherit (exporter) listenAddress port;
}) ((lib.filterAttrs (_: exporter: builtins.isAttrs exporter && exporter.enable)
config.services.prometheus.exporters)
// config.services.prometheus.extraExporters);
in
lib.mapAttrs (_: exporter: {
targets = ["${exporter.listenAddress}:${toString exporter.port}"];
})
allExporters;
services.victoriametrics.scrapeConfigs =
let
allExporters =
lib.mapAttrs
(name: exporter: {
inherit (exporter) listenAddress port;
})
((lib.filterAttrs (_: exporter: builtins.isAttrs exporter && exporter.enable)
config.services.prometheus.exporters)
// config.services.prometheus.extraExporters);
in
lib.mapAttrs
(_: exporter: {
targets = [ "${exporter.listenAddress}:${toString exporter.port}" ];
})
allExporters;
};
}


@ -1,4 +1,4 @@
{config, ...}: {
{ config, ... }: {
config.services.victoriametrics = {
enable = true;
extraOptions = [
@ -7,10 +7,10 @@
scrapeConfigs = {
forgejo = {
targets = ["127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}"];
targets = [ "127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}" ];
extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
};
coturn.targets = ["127.0.0.1:9641"];
coturn.targets = [ "127.0.0.1:9641" ];
};
};
}