diff --git a/configuration/services/conduit.nix b/configuration/services/conduit.nix
index dcd0103..8257592 100644
--- a/configuration/services/conduit.nix
+++ b/configuration/services/conduit.nix
@@ -173,6 +173,9 @@ in {
       # Various other security settings
       no-tlsv1
       no-tlsv1_1
+
+      # Monitoring
+      prometheus
     '';
   };
 
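Review bot: Nothing in this hunk restricts which address coturn's metrics listener binds to once `prometheus` is added to the config. The scrape target later in this commit reaches it at `127.0.0.1:9641`, so loopback access is all that is required. It is worth confirming that the firewall does not expose that port and saying so in the comment, e.g. `# Monitoring (metrics listener on 9641, scraped via loopback only; keep the port closed in the firewall)`. The surrounding config string starts outside the hunk, so any existing listener restrictions are not visible here.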
diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index 6d6dafd..f167230 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@@ -1,6 +1,7 @@
 {
   pkgs,
   config,
+  lib,
   ...
 }: let
   domain = "gitea.${config.services.nginx.domain}";
@@ -19,11 +20,23 @@ in {
         SSH_PORT = 2222;
       };
 
+      metrics = {
+        ENABLED = true;
+        TOKEN = "#metricstoken#";
+      };
       service.DISABLE_REGISTRATION = true;
       session.COOKIE_SECURE = true;
     };
   };
 
+  systemd.services.gitea.serviceConfig.ExecStartPre = let
+    replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
+    secretPath = config.sops.secrets."gitea/metrics-token".path;
+    runConfig = "${config.services.gitea.customDir}/conf/app.ini";
+  in [
+    "${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
+  ];
+
   # Set up SSL
   services.nginx.virtualHosts."${domain}" = let
     httpAddress = config.services.gitea.settings.server.HTTP_ADDR;
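Review bot: The `ExecStartPre` list added here has no explicit ordering relative to any pre-start step the Gitea module itself contributes, so the substitution may run before `app.ini` is (re)generated. If that happens, the running config keeps the literal `#metricstoken#` as the metrics token, a value anyone who can read this repository knows. Wrapping the list as `lib.mkAfter [ ... ]` makes the intended order explicit; if the pinned nixpkgs provides `services.gitea.metricsTokenFile`, that option would replace this block entirely. The ownership of the `gitea/metrics-token` secret is not visible in this hunk, so it should be checked that the Gitea service user can read it.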
@@ -37,6 +50,14 @@ in {
     '';
 
     locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
+    locations."/metrics" = {
+      extraConfig = ''
+        access_log off;
+        allow 127.0.0.1;
+        ${lib.optionalString config.networking.enableIPv6 "allow ::1;"}
+        deny all;
+      '';
+    };
   };
 
   # Block repeated failed login attempts
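Review bot: The `locations."/metrics"` block has no `proxyPass`, so requests from the allowed loopback addresses are presumably not forwarded to Gitea either. If the block is only meant to keep the endpoint off the public vhost, a comment would prevent a later reader from "fixing" it, e.g. `# Never serve metrics through the public vhost; Prometheus scrapes Gitea directly on loopback`. Because this is a prefix location, it also catches every other path that begins with `/metrics`, which may be worth a second line in that comment. The virtual host definition starts outside the hunk.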
diff --git a/configuration/services/metrics/default.nix b/configuration/services/metrics/default.nix
index 0c02556..4b163d3 100644
--- a/configuration/services/metrics/default.nix
+++ b/configuration/services/metrics/default.nix
@@ -49,9 +49,21 @@ in {
   };
 
   services.prometheus.exporters = {
+    domain = {
+      enable = true;
+      listenAddress = "127.0.0.1";
+      extraFlags = let
+        conf.domains = [
+          "tlater.net"
+          "tlater.com"
+        ];
+      in [
+        "--config=${yaml.generate "domains.yml" conf}"
+      ];
+    };
+
     node = {
       enable = true;
-      enabledCollectors = ["systemd"];
       listenAddress = "127.0.0.1";
     };
 
@@ -85,6 +97,16 @@ in {
         })
         config.services.nginx.virtualHosts;
     };
+
+    systemd = {
+      enable = true;
+      listenAddress = "127.0.0.1";
+      extraFlags = [
+        # Disabled by default because only supported from systemd 235+
+        "--systemd.collector.enable-restart-count"
+        "--systemd.collector.enable-ip-accounting"
+      ];
+    };
   };
 
   services.prometheus.local-exporters = {
@@ -116,10 +138,30 @@ in {
           job_name = "tlater.net";
           static_configs = [
             {
-              targets =
-                lib.mapAttrsToList (name: exporter: "${exporter.listenAddress}:${toString exporter.port}")
-                (lib.filterAttrs (name: exporter: (builtins.isAttrs exporter) && exporter.enable)
-                  (config.services.prometheus.exporters // config.services.prometheus.local-exporters));
+              targets = let
+                exporters = config.services.prometheus.exporters;
+                localExporters = config.services.prometheus.local-exporters;
+              in
+                map (exporter: "${exporter.listenAddress}:${toString exporter.port}") [
+                  exporters.domain
+                  exporters.node
+                  exporters.nginx
+                  exporters.nginxlog
+                  exporters.systemd
+
+                  localExporters.prometheus-fail2ban-exporter
+
+                  {
+                    # coturn
+                    listenAddress = "127.0.0.1";
+                    port = "9641";
+                  }
+                  {
+                    # gitea
+                    listenAddress = "127.0.0.1";
+                    port = "3000";
+                  }
+                ];
             }
           ];
         }
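Review bot: The gitea target at `127.0.0.1:3000` is added to the shared job, but the visible lines configure no credentials, while gitea.nix in this same commit sets a metrics `TOKEN`. With a token set, Gitea expects it as a bearer token on `/metrics`, so this target will likely fail to scrape unless the job supplies one outside the hunk. Adding the token to the shared job would send it to every other exporter in the list, so a separate job for Gitea is the safer shape. The Prometheus user would also need read access to the secret. The explicit list has a second cost: an exporter enabled later is no longer scraped automatically, which deserves a comment above `targets`.

```nix
# … unchanged: "tlater.net" job, without the gitea entry in its target list …
{
  job_name = "gitea";
  # Same secret that gitea.nix substitutes into app.ini; must be readable by prometheus
  bearer_token_file = config.sops.secrets."gitea/metrics-token".path;
  static_configs = [
    {
      targets = ["127.0.0.1:3000"];
    }
  ];
}
```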