tlaternet-server/configuration/services/metrics/exporters.nix

{
  config,
  lib,
  ...
}: {
  options.services.prometheus.local-exporters = lib.mkOption {
    type = lib.types.anything;
  };

  config.systemd.services = lib.mapAttrs (_: exporter:
    lib.mkMerge [
      {
        wantedBy = ["multi-user.target"];
        after = ["network.target"];

        serviceConfig = {
          Restart = "always";
          PrivateTmp = true;
          WorkingDirectory = "/tmp";
          DynamicUser = true;
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          NonNewPrivileges = true;
          PrivateDevices = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectSystem = "strict";
          RemoveIPC = true;
          RestrictAddressFamilies = lib.mkDefault ["AF_INET" "AF_INET6"];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          UMask = "0077";
        };
      }
      (removeAttrs exporter ["port" "listenAddress"])
    ])
  config.services.prometheus.local-exporters;
}