nixos-modules/pp-node-exporter.nix


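{ config, lib, pkgs, ... }:
# NixOS module: runs prometheus-node-exporter behind an exporter-toolkit web
# config that requires a client certificate issued by a configured CA (mutual
# TLS) and optionally restricts scrapers to an allow-list of Subject
# Alternative Names.
let
  cfg = config.services.ppNodeExporter;

  # The CA certificate is public material, so writing it into the
  # (world-readable) Nix store is fine. The server certificate and key are
  # deliberately NOT placed in the store; they are referenced by path and
  # their permissions are enforced at activation time below.
  prometheusCaFile = pkgs.writeTextFile {
    name = "prometheus_ca.pem";
    text = cfg.prometheusCa;
  };

  yaml = pkgs.formats.yaml { };

  # Web config passed via --web.config.file. A client certificate is mandatory
  # and must chain to prometheusCaFile; when a SAN allow-list is configured,
  # an otherwise valid certificate must additionally carry one of those SANs.
  nodeWebConfig = yaml.generate "prometheus-node-exporter-webconfig.yml" {
    tls_server_config = {
      client_ca_file = prometheusCaFile;
      cert_file = cfg.prometheusNodeExporterCertFile;
      key_file = cfg.prometheusNodeExporterCertKeyFile;
      client_auth_type = "RequireAndVerifyClientCert";
    } // lib.optionalAttrs (cfg.prometheusNodeExporterAllowScrapperSans != null) {
      client_allowed_sans = cfg.prometheusNodeExporterAllowScrapperSans;
    };
  };

  exporterGroup = config.services.prometheus.exporters.node.group;

  # Shell snippet restricting one credential file to root (rw) and the
  # exporter's group (r), so the exporter can read it while other local users
  # cannot. Paths are shell-escaped so unusual characters cannot break the
  # script, and the snippet is guarded on existence so that activation does
  # not report errors on a host where the file has not been provisioned yet
  # (a missing file is still reported, because the exporter's TLS listener
  # cannot start without it).
  restrictFile = path:
    let p = lib.escapeShellArg path; in ''
      if [ -e ${p} ]; then
        chown root:${lib.escapeShellArg exporterGroup} ${p}
        chmod 640 ${p}
      else
        echo "ppNodeExporter: credential file does not exist yet:" ${p} >&2
      fi
    '';
in {
  options.services.ppNodeExporter = {
    prometheusCa = lib.mkOption {
      type = lib.types.str;
      example = ''
        -----BEGIN CERTIFICATE-----
        MIIBaTCCAQ6gAwIBAgIUccDw/Xe2RC4p9gwdQMkcbPlS740wCgYIKoZIzj0EAwIw
        EjEQMA4GA1UEAwwHZXhhbXBsZTAeFw0yNTAyMjMxMTQzMTlaFw0zNTAyMjExMTQz
        MTlaMBIxEDAOBgNVBAMMB2V4YW1wbGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
        AARk2SGMdAzOR+I+xAJDXO2nm8N4oa8V/kqstJrvd3gGTVsk8b0/EA+6ZrFISL0t
        MroC27QCybMwRol9oalSVnoCo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
        /wQEAwIBhjAdBgNVHQ4EFgQUy13fD60aREMworuMEulXdkvTKOwwCgYIKoZIzj0E
        AwIDSQAwRgIhALcoP/hicosVELvPfnomcEsWXTkkIVGbu1NeS5I2L72YAiEAi3AG
        7/hpeMxkaE0d2D8pr6exVlZR7kDa9FgDpfu/+a0=
        -----END CERTIFICATE-----
      '';
      description = "The CA that issues the prometheus scrapper certificate";
    };

    prometheusNodeExporterCertFile = lib.mkOption {
      type = lib.types.path;
      default = "/etc/prometheus-node-exporter/node-exporter.pem";
      description = "The file of the certificate used by prometheus node exporter.";
    };

    prometheusNodeExporterCertKeyFile = lib.mkOption {
      type = lib.types.path;
      default = "/etc/prometheus-node-exporter/node-exporter.key";
      description = "The file of the key for the certificate used by prometheus node exporter.";
    };

    prometheusNodeExporterAllowScrapperSans = lib.mkOption {
      type = lib.types.nullOr (lib.types.listOf lib.types.str);
      default = null;
      example = [ "prometheus.example.com" ];
      description = "The list of Subject Alternative Names allowed to scrape node exporter. If not set, Subject Names are not checked and any client certificate issued by the configured CA is accepted.";
    };
  };

  config = {
    # Re-applied on every activation so a rotated or re-provisioned file
    # regains the intended ownership and mode.
    system.activationScripts.prometheusNodeExporterFilePermission.text =
      restrictFile cfg.prometheusNodeExporterCertFile
      + restrictFile cfg.prometheusNodeExporterCertKeyFile;

    services.prometheus.exporters.node = {
      enable = true;
      port = 9100; # node exporter default
      enabledCollectors = [ "systemd" ]; # logind ?
      # All TLS and client-authentication policy lives in the generated
      # web config; the exporter itself is otherwise left at its defaults.
      extraFlags = [
        "--web.config.file=${nodeWebConfig}"
      ];
    };
  };
}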