From 8bb43c697cc90f933b1865183af4d47316d50cdb Mon Sep 17 00:00:00 2001
From: Lu Wang
Date: Sat, 21 Dec 2024 20:04:41 +0800
Subject: [PATCH] services/prometheus: init metrics
---
 nixos/modules/networking/ports.nix | 2 ++
 .../services/prometheus/node-exporter.nix | 32 +++++++++++++++++++
 secrets/common.yaml | 6 ++--
 secrets/hosts/reisen-nrt0.yaml | 31 ++++++++++++++++++
 4 files changed, 69 insertions(+), 2 deletions(-)
 create mode 100644 nixos/profiles/services/prometheus/node-exporter.nix
 create mode 100644 secrets/hosts/reisen-nrt0.yaml
diff --git a/nixos/modules/networking/ports.nix b/nixos/modules/networking/ports.nix
index 5a89280..92cc620 100644
--- a/nixos/modules/networking/ports.nix
+++ b/nixos/modules/networking/ports.nix
@@ -30,6 +30,8 @@ in
 rspamd-controller = 4040;
 rspamd-redis = 4041;
 caddy-admin = 4050;
+ prometheus = 4060;
+ prometheus-node-exporter = 4070;
 # public ports
 enthalpy-wireguard-reimu-aston = 13101;
diff --git a/nixos/profiles/services/prometheus/node-exporter.nix b/nixos/profiles/services/prometheus/node-exporter.nix
new file mode 100644
index 0000000..a76e13a
--- /dev/null
+++ b/nixos/profiles/services/prometheus/node-exporter.nix
@@ -0,0 +1,32 @@
+# Portions of this file are sourced from
+# https://github.com/NickCao/flakes/blob/3b03efb676ea602575c916b2b8bc9d9cd13b0d85/modules/metrics/default.nix
+{ config, ... }:
+{
+ sops.secrets."prometheus/metrics" = {
+ sopsFile = config.sops.secretFiles.get "common.yaml";
+ restartUnits = [ "caddy.service" ];
+ };
+
+ systemd.services.caddy.serviceConfig = {
+ EnvironmentFile = [ config.sops.secrets."prometheus/metrics".path ];
+ };
+
+ services.prometheus.exporters.node = {
+ enable = true;
+ listenAddress = "127.0.0.1";
+ port = config.networking.ports.prometheus-node-exporter;
+ enabledCollectors = [ "systemd" ];
+ disabledCollectors = [ "arp" ];
+ };
+
+ services.caddy.virtualHosts."${config.networking.fqdn}" = {
+ extraConfig = with config.services.prometheus.exporters.node; ''
+ route /metrics {
+ basic_auth {
+ prometheus {$PROM_PASSWD}
+ }
+ reverse_proxy ${listenAddress}:${toString port}
+ }
+ '';
+ };
+}
diff --git a/secrets/common.yaml b/secrets/common.yaml
index 76c0e3e..8f68e37 100644
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@@ -1,5 +1,7 @@
 user-password:
 root: ENC[AES256_GCM,data:SN7VmzYOyaNlDBjlDOTfiLghIJmIAUUBU0Im1kJv7KSsV4K+1vNQYez7bWh12i0e7zhIPtiT6WuRUaMeMIxJEoEBGUYunyZPMg==,iv:pb1T/FVzcVs9zATWsQvrTxV5V0lbL50v2ZXMGMcWy/M=,tag:E88JH+x414Xawm0efzFIYQ==,type:str]
+prometheus:
+ metrics: ENC[AES256_GCM,data:t13fsbrjzE4snvhu2byRwNptkrKZ4+Cy+oVXoChFTJg0r/J+pRSEHWKJ6u673sgOUE1ZCdiltuE0+SH00gmOtQ4kboEFBmJwFg==,iv:oxPsofpA8fBrsWn7OqECojvL6EGSC9v1u/qUxaGQErc=,tag:7lEWWspOqOuUSHY/hbfzWA==,type:str]
 sops:
 kms: []
 gcp_kms: []
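Review bot: The `basic_auth` block in node-exporter.nix substitutes `{$PROM_PASSWD}` without saying what the `prometheus/metrics` secret has to contain. Caddy's `basic_auth` takes a password hash (bcrypt by default) rather than the plaintext, and the value reaches Caddy through systemd's `EnvironmentFile`, so the decrypted secret must be a single `PROM_PASSWD=<hash>` line. I would add a comment above the `sops.secrets."prometheus/metrics"` declaration such as `# env file read by caddy: PROM_PASSWD=<bcrypt hash, e.g. from "caddy hash-password">`. Because the secret is read from `common.yaml`, every host that imports this profile presumably accepts the same credential, which is worth stating if intended since rotation then has to touch all hosts together. The route also appears to rely on Caddy's automatic HTTPS for `config.networking.fqdn` to keep the Basic credentials off the wire, which should be confirmed against the global Caddy options outside this patch.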
@@ -51,8 +53,8 @@ sops:
 eXhjTEtFRHk1bXdVcW5CelQ0b0lZazAKT798Qw+HCVtvfxuf3JgHcEtL5iIMF6/u
 vPqlDDO/jPaGgSoWUWYRjcqJ7tMSmXcuu8SqBTKvv5MwGgvkXF4Uiw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-12-14T14:16:54Z"
- mac: ENC[AES256_GCM,data:wewto5HqMRqlDSBZ7/muXMx59JfDtLyMqzaoha4yF3RMAb28lyZ/qCa99WIbHZtyvStspNzveUST9tUKdOqnxF7g6xUKZYsKzNNMEroL3qV3yOj1gaEonluS0T04EOvlBFOgtwOW7meJmNjv52N2l5embuRkeXf44quNxcu/G6A=,iv:QrYbYV3T6AWk8eKqidchML0xAVP3Y8OjnuL2zli0Ft8=,tag:3VryAJvVb0qBHzW4/Zy5DQ==,type:str]
+ lastmodified: "2024-12-21T11:58:06Z"
+ mac: ENC[AES256_GCM,data:7bmoRWptwd9XBzMCiWsHT1JT8wj5jZhOszXbFwq/6xGTvKSZZdDiLzkwQCzYLWupvC54nX8sG9kRiIYXM+PCsQagiUIDGrUE6IyPe09H48PaCSPPoG0DYgvpMsfkQQMKhSG06RLFVCtn/lM9PSETDGL0RuSMxUScE+oxBQhinu0=,iv:iWX/5ybPdJOE81ORq1b5b7NelAAMx7iZeICkBkuXx/Y=,tag:TTGtXxijf+8EQ5DS9nCMFA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1
diff --git a/secrets/hosts/reisen-nrt0.yaml b/secrets/hosts/reisen-nrt0.yaml
new file mode 100644
index 0000000..30b7e62
--- /dev/null
+++ b/secrets/hosts/reisen-nrt0.yaml
@@ -0,0 +1,31 @@
+prometheus:
+ password: ENC[AES256_GCM,data:s6Uws+CPWOSXZIqnkTH0CQ68ht0kv1tPP34k0NlTVo896zq2qdSXnC4/758gAkw+st0W9Pp91H2IKs0NAvs8JQ==,iv:dwRX8wloEIc3uJXY0wSmVycwnjHtBWvzkxdNwodlX5s=,tag:TMh2YgdFkNRVnyZk5lRnyQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1sfnct03u4cvfj98x4yjrcrrnu5gg8qgxrwk4uqq8w4e6wveeaedq97rn44
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTck5wUWhFdGVxSmNWblBT
+ VXlNSEhRaHdJeGtMajBCVmdRV3pPbzdBTzJBCmdZdjc4UXZqZXJibWMxbjNiZGMx
+ QjU2MytDbnNUS2ZLZEpGN2l5QVk0bk0KLS0tIHJrejlUM3JmbGFHRHJUdnh4OGJu
+ aVQxam5qTVk5TldaL2k5VEYvRmE2bUEK3tEEWLrEjyNMQBAcZf/V9JuUoLSRT1La
+ mJVIOHSOli3q6xLkCZPmPL44CVSuxhuNaopbFbbkKIxdWatCypndaQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1uf2h3hlv373ppdstjlngyuu7q5mee3u3ww3674lsj9rlt9ax7vqsv7wpe8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEVXEzeDZQUEpiTG5QWTB1
+ WEZ4cmJ2NVlDaFpVOUV4NzFadDRianZDOFE4CjBLYVpPSUlOdzd0aHJwcEdIV1RK
+ eUdwLy9xMTF6TzlmbEtMS25DdUlVek0KLS0tIGI0Qlp6Z00rWDcydEJwc3B3UW9r
+ WncvOExhVnQ4bmNHSUNiSGlqeEZpR3MKMBLtLEbGA76XsH6cuqBJ/81V27F+PN1K
+ 0Qxd9jHDlljzwsdz2IYzb5Cya6Fg0QhuU3zn7zNp1B8JYJIxXdyMiA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-12-21T11:20:18Z"
+ mac: ENC[AES256_GCM,data:yuTTbHN4L6BlTJhUt7kHKQ0Mal+0IFhK26rl/EOJLdeGsByZQV2LxWqGRhsfZJI0F2vnhdheHyHAf40lCPF5kYvDjz+RmOWdffVIPtmR24jovGWQl+oL7ia3FbbvkBSo+xds+5Qe3YWReDCMdO+2uKJh9IGx8UPPdwre+Re5Rgs=,iv:3c0CJhKvSfhIBNe1UCO7VUV4B9/uW29lnuSwkJnQIus=,tag:gJh2q/nEzUSIaUw5mltBnA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
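Review bot: `prometheus.password` is added for reisen-nrt0, but nothing in this patch declares a `sops.secrets` entry that reads it, so the secret is committed without a visible consumer. If it is the plaintext counterpart of the hash stored as `prometheus/metrics` in common.yaml (the naming suggests so, though the ciphertext cannot confirm it), the commit message or the eventual `sops.secrets."prometheus/password"` declaration should say so. It is also worth checking that the two age recipients are only the keys that need the scrape credential, since a plaintext password, unlike the hash, could be used as-is.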