nixos-configuration/hosts/iron/services/prometheus.nix

{ config, lib, pkgs, ... }:
let
  #domain = "";

  # Shorthand for this host's Prometheus option tree.
  cfg = config.services.prometheus;

  # Wrap a list of "host:port" (or probe target) strings into the
  # one-element `static_configs` list a scrape job expects.
  mkStaticTargets = targets: [ { inherit targets; } ];

  # Port registry read from config.networking.ports; the option itself is
  # declared outside this file.
  ports = config.networking.ports;

  # Relabelling shared by every blackbox job. The configured target is moved
  # into the `target` URL parameter and the `instance` label, and the scrape
  # address is pointed at the local blackbox exporter, which then performs
  # the probe on Prometheus' behalf.
  blackboxRelabelConfig =
    let
      exporter = cfg.exporters.blackbox;
    in
    [
      {
        source_labels = [ "__address__" ];
        target_label = "__param_target";
      }
      {
        source_labels = [ "__param_target" ];
        target_label = "instance";
      }
      {
        target_label = "__address__";
        replacement = "${exporter.listenAddress}:${toString exporter.port}";
      }
    ];
in
{
#sops.secrets.prometheus-htpasswd = {
# owner = "nginx";
# sopsFile = ../secrets.yaml;
#};
# Prometheus server for this host, its scrape jobs, and the node and
# blackbox exporters that run next to it.
services.prometheus = {
  enable = true;
  # Loopback only. No authentication is configured for the server in this
  # file, so the bind address is the only access control visible here.
  listenAddress = "127.0.0.1";
  #webExternalUrl = "https://${domain}";
  globalConfig = {
    scrape_interval = "15s";
    evaluation_interval = "15s";
  };
  extraFlags = [
    "--storage.tsdb.retention.time=90d"
    # NOTE(review): this turns on the TSDB admin endpoints
    # (/api/v1/admin/tsdb/*: snapshot, delete series, clean tombstones).
    # With the loopback bind they are reachable by any local process. The
    # commented-out nginx vhost at the end of this file proxies "/" and has
    # basicAuthFile commented out; if it is re-enabled as written, the
    # admin endpoints are published without authentication. Restore
    # authentication or deny /api/v1/admin/ before re-enabling it, or drop
    # this flag if the admin API is not needed.
    "--web.enable-admin-api"
  ];
  scrapeConfigs = [
    {
      job_name = "node";
      static_configs = mkStaticTargets [
        "${cfg.exporters.node.listenAddress}:${toString cfg.exporters.node.port}"
      ];
      # Report the host name instead of the exporter's address as `instance`.
      relabel_configs = [
        {
          source_labels = [ "__address__" ];
          target_label = "instance";
          replacement = config.networking.hostName;
        }
      ];
    }
    {
      job_name = "vodafone_station";
      static_configs = mkStaticTargets [
        "127.0.0.1:${toString ports.prometheus-vodafone-station-exporter.tcp}"
      ];
    }
    {
      job_name = "unifi";
      static_configs = mkStaticTargets [
        "${cfg.exporters.unpoller.listenAddress}:${toString cfg.exporters.unpoller.port}"
      ];
    }
    {
      job_name = "blackbox";
      metrics_path = "/probe";
      params = { module = [ "http_2xx" ]; };
      # NOTE(review): this commits the MyFRITZ host name and the externally
      # reachable port of the probed endpoint to the repository. If the
      # repository is public, consider supplying the target from a private
      # module or secret instead.
      static_configs = mkStaticTargets [
        "https://c58r0l3wtmqltl4y.myfritz.net:44919/"
      ];
      relabel_configs = blackboxRelabelConfig;
    }
    {
      job_name = "internet_ip4";
      metrics_path = "/probe";
      params = { module = [ "icmp_ip4" ]; };
      static_configs = mkStaticTargets [ "1.1.1.1" "8.8.8.8" ];
      relabel_configs = blackboxRelabelConfig;
    }
    {
      job_name = "internet_ip6";
      metrics_path = "/probe";
      params = { module = [ "icmp_ip6" ]; };
      static_configs = mkStaticTargets [ "2606:4700:4700::1111" "2001:4860:4860::8888" ];
      relabel_configs = blackboxRelabelConfig;
    }
  ];
  exporters = {
    # NOTE(review): no listenAddress is set for the node exporter here, so
    # the module default applies (0.0.0.0 in nixpkgs, as far as I know;
    # confirm). Unlike the blackbox exporter below it is then reachable on
    # every interface unless the firewall blocks the port.
    node.enable = true;
    blackbox = {
      enable = true;
      listenAddress = "127.0.0.1";
      # https://github.com/prometheus/blackbox_exporter/blob/master/CONFIGURATION.md
      configFile =
        let
          # ICMP echo probe pinned to one IP family, with no fallback to
          # the other family.
          mkIcmpModule = family: {
            prober = "icmp";
            timeout = "5s";
            icmp = {
              ip_protocol_fallback = false;
              preferred_ip_protocol = family;
            };
          };
          modules = {
            icmp_ip4 = mkIcmpModule "ip4";
            icmp_ip6 = mkIcmpModule "ip6";
            # HTTPS-only GET probe: a plain-HTTP answer fails the probe
            # (fail_if_not_ssl) and certificate verification stays on
            # (insecure_skip_verify = false).
            http_2xx = {
              prober = "http";
              timeout = "5s";
              http = {
                valid_http_versions = [ "HTTP/1.1" "HTTP/2.0" ];
                valid_status_codes = [ ]; # Defaults to 2xx
                method = "GET";
                follow_redirects = true;
                fail_if_ssl = false;
                fail_if_not_ssl = true;
                tls_config = {
                  insecure_skip_verify = false;
                };
                preferred_ip_protocol = "ip4"; # defaults to "ip6"
                ip_protocol_fallback = false; # no fallback to "ip6"
              };
            };
          };
        in
        pkgs.writeText "prometheus-blackbox-config" (builtins.toJSON { inherit modules; });
    };
  };
};
/*
*/
#
# Hand-written unit for the Vodafone Station exporter. It runs as a
# dynamic user inside an otherwise empty root directory and receives the
# station password as a systemd credential.
systemd.services.prometheus-vodafone-station-exporter =
  let
    unitName = "prometheus-vodafone-station-exporter";
    # Metrics endpoint, loopback only; the "vodafone_station" scrape job
    # targets the same address.
    listenOn = "127.0.0.1:${toString ports.prometheus-vodafone-station-exporter.tcp}";
    execArgs = [
      "${pkgs.vodafone-station-exporter}/bin/vodafone-station-exporter"
      "-web.listen-address"
      listenOn
      "-vodafone.station-url"
      # NOTE(review): plain HTTP. Presumably the exporter logs in to the
      # station over this URL, so the password would cross the LAN
      # unencrypted; confirm whether the device offers HTTPS.
      "http://192.168.100.1"
      "-vodafone.station-password-file"
      # The backslash stops Nix from interpolating; systemd expands the
      # variable when it starts the process.
      "\${CREDENTIALS_DIRECTORY}/password"
    ];
  in
  {
    description = "Prometheus Vodafone Station exporter";
    enable = true;
    wantedBy = [ "multi-user.target" ];
    wants = [ "network.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      ExecStart = lib.concatStringsSep " " execArgs;

      # The secret is handed over as a credential named "password" rather
      # than by making the sops file readable to the service user. The
      # sops secret itself is declared outside this file.
      LoadCredential = "password:${config.sops.secrets."prometheus/exporters/vodafone-station".path}";

      # Identity and filesystem view: %t/<unit> is the unit's runtime
      # directory, used as the root, with only the two paths below
      # bind-mounted read-only into it.
      DynamicUser = "yes";
      RuntimeDirectory = [ unitName ];
      RootDirectory = "%t/${unitName}";
      BindReadOnlyPaths = [
        "/nix/store"
        "/etc/resolv.conf"
      ];

      # Sandboxing.
      # NOTE(review): CapabilityBoundingSet, SystemCallFilter,
      # PrivateDevices and similar options are not set here;
      # `systemd-analyze security` on the unit lists what remains open.
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
      RestrictNamespaces = true;
    };
  };
/*
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
#basicAuthFile = config.sops.secrets.prometheus-htpasswd.path;
locations = {
"/".proxyPass = "http://${cfg.listenAddress}:${toString cfg.port}";
};
};
*/
}