Diffstat (limited to 'nixos/modules/services/monitoring')
10 files changed, 293 insertions, 47 deletions
diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix
index 32919950adc1e..eae2658b7ffb8 100644
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -105,7 +105,7 @@ let }; url = mkOption { type = types.str; - default = "localhost"; + default = ""; description = "Url of the datasource."; }; editable = mkOption {
diff --git a/nixos/modules/services/monitoring/nezha-agent.nix b/nixos/modules/services/monitoring/nezha-agent.nix
index 8312a425d28fc..7ebbc7f2f3297 100644
--- a/nixos/modules/services/monitoring/nezha-agent.nix
+++ b/nixos/modules/services/monitoring/nezha-agent.nix
@@ -24,6 +24,13 @@ in Enable SSL/TLS encryption. ''; }; + gpu = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Enable GPU monitoring. + ''; + }; disableCommandExecute = lib.mkOption { type = lib.types.bool; default = true;
@@ -46,7 +53,12 @@ in ''; }; reportDelay = lib.mkOption { - type = lib.types.enum [ 1 2 3 4 ]; + type = lib.types.enum [ + 1 + 2 + 3 + 4 + ]; default = 1; description = '' The interval between system status reportings.
@@ -96,6 +108,7 @@ in ++ lib.optional cfg.skipConnection "--skip-conn" ++ lib.optional cfg.skipProcess "--skip-procs" ++ lib.optional cfg.tls "--tls" + ++ lib.optional cfg.gpu "--gpu" ); wantedBy = [ "multi-user.target" ]; };
diff --git a/nixos/modules/services/monitoring/opentelemetry-collector.nix b/nixos/modules/services/monitoring/opentelemetry-collector.nix
index 459cc85324902..d9b8c27ccdfe3 100644
--- a/nixos/modules/services/monitoring/opentelemetry-collector.nix
+++ b/nixos/modules/services/monitoring/opentelemetry-collector.nix
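Review bot: The new `gpu` option in the `@@ -24,6 +24,13 @@` hunk of nezha-agent.nix defaults to `true`, so every existing deployment starts passing `--gpu` to the agent on upgrade, including hosts with no GPU or without the libraries the agent needs for it. Whether the agent degrades gracefully in that case is not visible here; if it does not, `default = false;` is the safer choice for a newly introduced feature toggle. The description could also say what the flag does rather than restating the option name, e.g. `Whether to pass --gpu to the agent so that GPU utilization is reported.`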
@@ -6,8 +6,9 @@ let cfg = config.services.opentelemetry-collector; opentelemetry-collector = cfg.package; - settingsFormat = pkgs.formats.yaml {}; -in { + settingsFormat = pkgs.formats.yaml { }; +in +{ options.services.opentelemetry-collector = { enable = mkEnableOption "Opentelemetry Collector";
@@ -15,7 +16,7 @@ in { settings = mkOption { type = settingsFormat.type; - default = {}; + default = { }; description = '' Specify the configuration for Opentelemetry Collector in Nix.
@@ -35,9 +36,9 @@ in { config = mkIf cfg.enable { assertions = [{ assertion = ( - (cfg.settings == {}) != (cfg.configFile == null) + (cfg.settings == { }) != (cfg.configFile == null) ); - message = '' + message = '' Please specify a configuration for Opentelemetry Collector with either 'services.opentelemetry-collector.settings' or 'services.opentelemetry-collector.configFile'.
@@ -48,21 +49,27 @@ in { description = "Opentelemetry Collector Service Daemon"; wantedBy = [ "multi-user.target" ]; - serviceConfig = let - conf = if cfg.configFile == null - then settingsFormat.generate "config.yaml" cfg.settings - else cfg.configFile; - in - { - ExecStart = "${getExe opentelemetry-collector} --config=file:${conf}"; - DynamicUser = true; - Restart = "always"; - ProtectSystem = "full"; - DevicePolicy = "closed"; - NoNewPrivileges = true; - WorkingDirectory = "/var/lib/opentelemetry-collector"; - StateDirectory = "opentelemetry-collector"; - }; + serviceConfig = + let + conf = + if cfg.configFile == null + then settingsFormat.generate "config.yaml" cfg.settings + else cfg.configFile; + in + { + ExecStart = "${getExe opentelemetry-collector} --config=file:${conf}"; + DynamicUser = true; + Restart = "always"; + ProtectSystem = "full"; + DevicePolicy = "closed"; + NoNewPrivileges = true; + WorkingDirectory = "%S/opentelemetry-collector"; + StateDirectory = "opentelemetry-collector"; + SupplementaryGroups = [ + # allow to read the systemd journal for opentelemetry-collector + "systemd-journal" + ]; + }; }; }; }
diff --git a/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix b/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix
index b4307a76e1b02..b3665b66ba406 100644
--- a/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix
+++ b/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix
@@ -32,9 +32,15 @@ in ${escapeShellArgs cfg.extraFlags} ''; + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; DynamicUser = true; NoNewPrivileges = true; + MemoryDenyWriteExecute = true; + + LockPersonality = true; + ProtectProc = "invisible"; ProtectSystem = "strict"; ProtectHome = "tmpfs";
@@ -43,6 +49,8 @@ in PrivateDevices = true; PrivateIPC = true; + ProcSubset = "pid"; + ProtectHostname = true; ProtectClock = true; ProtectKernelTunables = true;
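Review bot: `SupplementaryGroups = [ "systemd-journal" ]` in the opentelemetry-collector serviceConfig hunk grants the collector read access to the entire system journal unconditionally, including for configurations that never use a journald receiver or that point `configFile` at something unrelated; for a `DynamicUser` unit that is otherwise sandboxed, this is a meaningful widening of what a compromised collector can read. Consider gating it, for example on `cfg.settings.receivers ? journald` (which only covers the `settings` path, not `configFile`) or on a dedicated option, so the default deployment stays least-privilege. Either way the comment should state the scope of what is granted rather than the intent, e.g. `# grants read access to the whole system journal; only needed by the journald receiver`.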
@@ -50,7 +58,10 @@ in ProtectKernelLogs = true; ProtectControlGroups = true; + Restart = "on-failure"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true;
diff --git a/nixos/modules/services/monitoring/prometheus/alertmanager.nix b/nixos/modules/services/monitoring/prometheus/alertmanager.nix
index d1d8f2caaf63d..f40ac3c9138ff 100644
--- a/nixos/modules/services/monitoring/prometheus/alertmanager.nix
+++ b/nixos/modules/services/monitoring/prometheus/alertmanager.nix
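Review bot: `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]` in the `@@ -50,7 +58,10 @@` hunk leaves out `AF_UNIX`, which on NixOS is what glibc uses to reach nscd for NSS lookups; hostnames that only resolve through NSS modules (systemd-resolved's `resolve`, `myhostname`, mDNS) may therefore stop resolving, while plain DNS via `/etc/resolv.conf` (and Go's own resolver) is unaffected, so this should be verified rather than assumed safe. The same list appears in the alertmanager.nix and pushgateway.nix hunks of this change (alertmanager additionally allows `AF_NETLINK`); if any of these units needs a local socket, `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];` is the fix. Separately, the webhook-logger hunks add no `SystemCallFilter`, unlike the alertmanager and pushgateway hunks; unless one is already set elsewhere in this file, adding the same `@system-service`-based filter would keep the three hardening profiles consistent.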
@@ -181,15 +181,57 @@ in { -i "${alertmanagerYml}" ''; serviceConfig = { - Restart = "always"; - StateDirectory = "alertmanager"; - DynamicUser = true; # implies PrivateTmp - EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; - WorkingDirectory = "/tmp"; ExecStart = "${cfg.package}/bin/alertmanager" + optionalString (length cmdlineArgs != 0) (" \\\n " + concatStringsSep " \\\n " cmdlineArgs); ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile; + + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; + DynamicUser = true; + NoNewPrivileges = true; + + MemoryDenyWriteExecute = true; + + LockPersonality = true; + + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ProtectHome = "tmpfs"; + + PrivateTmp = true; + PrivateDevices = true; + PrivateIPC = true; + + ProcSubset = "pid"; + + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + + Restart = "always"; + + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + + StateDirectory = "alertmanager"; + SystemCallFilter = [ + "@system-service" + "~@cpu-emulation" + "~@privileged" + "~@reboot" + "~@setuid" + "~@swap" + ]; + + WorkingDirectory = "/tmp"; }; }; })
diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index dc357f6cc5fb3..0a9d4ef985227 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -29,6 +29,7 @@ let "blackbox" "buildkite-agent" "collectd" + "deluge" "dmarc" "dnsmasq" "dnssec"
@@ -408,6 +409,14 @@ in Please ensure you have either `services.prometheus.exporters.idrac.configuration' or `services.prometheus.exporters.idrac.configurationPath' set! ''; + } { + assertion = cfg.deluge.enable -> ( + (cfg.deluge.delugePassword == null) != (cfg.deluge.delugePasswordFile == null) + ); + message = '' + Please ensure you have either `services.prometheus.exporters.deluge.delugePassword' + or `services.prometheus.exporters.deluge.delugePasswordFile' set! + ''; } ] ++ (flip map (attrNames exporterOpts) (exporter: { assertion = cfg.${exporter}.firewallFilter != null -> cfg.${exporter}.openFirewall; message = ''
@@ -437,6 +446,13 @@ in hardware.rtl-sdr.enable = mkDefault true; })] ++ [(mkIf config.services.postfix.enable { services.prometheus.exporters.postfix.group = mkDefault config.services.postfix.setgidGroup; + })] ++ [(mkIf config.services.prometheus.exporters.deluge.enable { + system.activationScripts = { + deluge-exported.text = '' + mkdir -p /etc/deluge-exporter + echo "DELUGE_PASSWORD=$(cat ${config.services.prometheus.exporters.deluge.delugePasswordFile})" > /etc/deluge-exporter/password + ''; + }; })] ++ (mapAttrsToList (name: conf: mkExporterConf { inherit name;
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/deluge.nix b/nixos/modules/services/monitoring/prometheus/exporters/deluge.nix
new file mode 100644
index 0000000000000..5943b46eeb5fc
--- /dev/null
+++ b/nixos/modules/services/monitoring/prometheus/exporters/deluge.nix
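Review bot: The activation script in the `@@ -437,6 +446,13 @@` hunk interpolates `config.services.prometheus.exporters.deluge.delugePasswordFile` whenever `deluge.enable` is set, but the assertion added in the previous hunk explicitly allows `delugePassword` alone, in which case `delugePasswordFile` is `null` and evaluation fails with a null-to-string coercion error. The file is also created by plain shell redirection under the activation shell's umask, so the password copy in `/etc/deluge-exporter/password` is likely world-readable; nothing needs that, because systemd reads `EnvironmentFile` as root before the `DynamicUser` unit drops privileges, so a `umask 077` keeps it root-only. The attribute name `deluge-exported` also looks like a typo for `deluge-exporter`, and the expression this hunk sits in continues outside it. Longer term a `LoadCredential` plus a small `script` that reads `$CREDENTIALS_DIRECTORY` would avoid writing a second copy of the secret to `/etc` at all.
```nix
})] ++ [(mkIf (config.services.prometheus.exporters.deluge.enable
               && config.services.prometheus.exporters.deluge.delugePasswordFile != null) {
  system.activationScripts = {
    deluge-exporter.text = ''
      umask 077
      mkdir -p /etc/deluge-exporter
      echo "DELUGE_PASSWORD=$(cat ${config.services.prometheus.exporters.deluge.delugePasswordFile})" > /etc/deluge-exporter/password
    '';
  };
# … unchanged: mapAttrsToList over exporters …
```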
@@ -0,0 +1,85 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.prometheus.exporters.deluge; + inherit (lib) mkOption types concatStringsSep; +in +{ + port = 9354; + + extraOpts = { + delugeHost = mkOption { + type = types.str; + default = "localhost"; + description = '' + Hostname where deluge server is running. + ''; + }; + + delugePort = mkOption { + type = types.port; + default = 58846; + description = '' + Port where deluge server is listening. + ''; + }; + + delugeUser = mkOption { + type = types.str; + default = "localclient"; + description = '' + User to connect to deluge server. + ''; + }; + + delugePassword = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Password to connect to deluge server. + + This stores the password unencrypted in the nix store and is thus considered unsafe. Prefer + using the delugePasswordFile option. + ''; + }; + + delugePasswordFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + File containing the password to connect to deluge server. + ''; + }; + + exportPerTorrentMetrics = mkOption { + type = types.bool; + default = false; + description = '' + Enable per-torrent metrics. + + This may significantly increase the number of time series depending on the number of + torrents in your Deluge instance. + ''; + }; + }; + serviceOpts = { + serviceConfig = { + ExecStart = '' + ${pkgs.prometheus-deluge-exporter}/bin/deluge-exporter + ''; + Environment = [ + "LISTEN_PORT=${toString cfg.port}" + "LISTEN_ADDRESS=${toString cfg.listenAddress}" + + "DELUGE_HOST=${cfg.delugeHost}" + "DELUGE_USER=${cfg.delugeUser}" + "DELUGE_PORT=${toString cfg.delugePort}" + ] ++ lib.optionals (cfg.delugePassword != null) [ + "DELUGE_PASSWORD=${cfg.delugePassword}" + ] ++ lib.optionals cfg.exportPerTorrentMetrics [ + "PER_TORRENT_METRICS=1" + ]; + EnvironmentFile = lib.optionalString (cfg.delugePasswordFile != null) "/etc/deluge-exporter/password"; + }; + }; +} 
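Review bot: `EnvironmentFile = lib.optionalString (cfg.delugePasswordFile != null) "/etc/deluge-exporter/password";` evaluates to the empty string when no password file is configured, which appears to be rendered as a bare `EnvironmentFile=` assignment in the unit instead of omitting the key; `EnvironmentFile = lib.mkIf (cfg.delugePasswordFile != null) "/etc/deluge-exporter/password";` is the form alertmanager.nix uses for the same purpose and drops the key cleanly. The hard-coded path is also an undocumented coupling to the activation script in exporters.nix; a comment such as `# written by the activation script in exporters.nix` would help the next maintainer. Finally, `delugePasswordFile` is `types.path`, so a Nix path literal passed to it is copied into the world-readable store when interpolated; the description should state that the value must be an absolute path string to a file outside the store, mirroring the warning already given on `delugePassword`.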
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/fastly.nix b/nixos/modules/services/monitoring/prometheus/exporters/fastly.nix
index 097ea39594788..e470ebe2eb592 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/fastly.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/fastly.nix
@@ -1,17 +1,20 @@ -{ config -, lib -, pkgs -, options -, ... +{ + config, + lib, + pkgs, + utils, + ... }: let inherit (lib) - escapeShellArgs + getExe mkOption optionals types - ; + ; + + inherit (utils) escapeSystemdExecArgs; cfg = config.services.prometheus.exporters.fastly; in
@@ -39,17 +42,19 @@ in serviceOpts = { serviceConfig = { LoadCredential = "fastly-api-token:${cfg.tokenPath}"; + Environment = [ "FASTLY_API_TOKEN=%d/fastly-api-token" ]; + ExecStart = escapeSystemdExecArgs ( + [ + (getExe pkgs.prometheus-fastly-exporter) + "-listen" + "${cfg.listenAddress}:${toString cfg.port}" + ] + ++ optionals (cfg.configFile != null) [ + "--config-file" + cfg.configFile + ] + ++ cfg.extraFlags + ); }; - script = let - call = escapeShellArgs ([ - "${pkgs.prometheus-fastly-exporter}/bin/fastly-exporter" - "-listen" "${cfg.listenAddress}:${toString cfg.port}" - ] ++ optionals (cfg.configFile != null) [ - "--config-file" cfg.configFile - ] ++ cfg.extraFlags); - in '' - export FASTLY_API_TOKEN="$(cat $CREDENTIALS_DIRECTORY/fastly-api-token)" - ${call} - ''; }; }
diff --git a/nixos/modules/services/monitoring/prometheus/pushgateway.nix b/nixos/modules/services/monitoring/prometheus/pushgateway.nix
index 80e2339f59256..d4f9c4a29f386 100644
--- a/nixos/modules/services/monitoring/prometheus/pushgateway.nix
+++ b/nixos/modules/services/monitoring/prometheus/pushgateway.nix
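Review bot: `Environment = [ "FASTLY_API_TOKEN=%d/fastly-api-token" ]` in the `@@ -39,17 +42,19 @@` hunk sets the variable to the path of the credential file (`%d` expands to the credentials directory), whereas the removed `script` exported the file's contents via `$(cat $CREDENTIALS_DIRECTORY/fastly-api-token)`; unless fastly-exporter accepts a file path in `FASTLY_API_TOKEN`, which nothing in the hunk indicates, the exporter will now authenticate with a literal path string and fail. If the exporter has a flag that reads the token from a file, pass `%d/fastly-api-token` to that flag instead; otherwise the `script` form, or an `ExecStart` wrapper that reads `$CREDENTIALS_DIRECTORY`, is still needed. The move to `escapeSystemdExecArgs`/`getExe` itself is fine and worth keeping.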
@@ -147,12 +147,52 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { - Restart = "always"; - DynamicUser = true; ExecStart = "${cfg.package}/bin/pushgateway" + optionalString (length cmdlineArgs != 0) (" \\\n " + concatStringsSep " \\\n " cmdlineArgs); + + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; + DynamicUser = true; + NoNewPrivileges = true; + + MemoryDenyWriteExecute = true; + + LockPersonality = true; + + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ProtectHome = "tmpfs"; + + PrivateTmp = true; + PrivateDevices = true; + PrivateIPC = true; + + ProcSubset = "pid"; + + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + + Restart = "always"; + + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + StateDirectory = if cfg.persistMetrics then cfg.stateDir else null; + SystemCallFilter = [ + "@system-service" + "~@cpu-emulation" + "~@privileged" + "~@reboot" + "~@setuid" + "~@swap" + ]; }; }; };
diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix
index 2c05eaad25ace..6fd3b5707ab67 100644
--- a/nixos/modules/services/monitoring/smartd.nix
+++ b/nixos/modules/services/monitoring/smartd.nix
@@ -10,6 +10,7 @@ let opt = options.services.smartd; nm = cfg.notifications.mail; + ns = cfg.notifications.systembus-notify; nw = cfg.notifications.wall; nx = cfg.notifications.x11;
@@ -28,6 +29,12 @@ let ${pkgs.smartmontools}/sbin/smartctl -a -d "$SMARTD_DEVICETYPE" "$SMARTD_DEVICE" } | ${nm.mailer} -i "${nm.recipient}" ''} + ${optionalString ns.enable '' + ${pkgs.dbus}/bin/dbus-send --system \ + / net.nuetzlich.SystemNotifications.Notify \ + "string:Problem detected with disk: $SMARTD_DEVICESTRING" \ + "string:Warning message from smartd is: $SMARTD_MESSAGE" + ''} ${optionalString nw.enable '' { ${pkgs.coreutils}/bin/cat << EOF
@@ -159,6 +166,24 @@ in }; }; + systembus-notify = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Whenever to send systembus-notify notifications. + + WARNING: enabling this option (while convenient) should *not* be done on a + machine where you do not trust the other users as it allows any other + local user to DoS your session by spamming notifications. + + To actually see the notifications in your GUI session, you need to have + `systembus-notify` running as your user, which this + option handles by enabling {option}`services.systembus-notify`. + ''; + }; + }; + wall = { enable = mkOption { default = true;
@@ -247,6 +272,8 @@ in serviceConfig.ExecStart = "${pkgs.smartmontools}/sbin/smartd ${lib.concatStringsSep " " cfg.extraOptions} --no-fork --configfile=${smartdConf}"; }; + services.systembus-notify.enable = mkDefault ns.enable; + }; } |
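Review bot: The description of the new `systembus-notify.enable` option in the `@@ -159,6 +166,24 @@` hunk opens with `Whenever to send systembus-notify notifications.`, which should read `Whether to send systembus-notify notifications.` to match the other `enable` options. The warning paragraph is a useful addition; it could be made more precise by stating the mechanism, e.g. `because the notification bus is system-wide, any local user can publish to it`, so readers understand why untrusted local users matter for a smartd notification setting. The `dbus-send` block in the first hunk is inside a larger `''` string whose start and end lie outside the hunk.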