61 lines
1.5 KiB
Nix
61 lines
1.5 KiB
Nix
{ lib, config, pkgs, ... }:
|
|
|
|
with lib;
|
|
let
|
|
inherit (lib.strings) concatStringsSep;
|
|
|
|
cfg = config.fudo.node-exporter;
|
|
fudo-cfg = config.fudo.common;
|
|
|
|
allow-network = network: "allow ${network};";
|
|
|
|
in {
|
|
options.fudo.node-exporter = {
|
|
enable = mkEnableOption "Enable a Prometheus node exporter with some reasonable settings.";
|
|
|
|
hostname = mkOption {
|
|
type = types.str;
|
|
description = "Hostname from which to export statistics.";
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
security.acme.certs.${cfg.hostname}.email = fudo-cfg.admin-email;
|
|
|
|
services = {
|
|
# This'll run an exporter at localhost:9100
|
|
prometheus.exporters.node = {
|
|
enable = true;
|
|
enabledCollectors = [ "systemd" ];
|
|
listenAddress = "127.0.0.1";
|
|
port = 9100;
|
|
user = "node";
|
|
};
|
|
|
|
# ...And this'll expose the above to the outside world, or at least the
|
|
# list of trusted networks, with SSL protection.
|
|
nginx = {
|
|
enable = true;
|
|
|
|
virtualHosts."${cfg.hostname}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
locations."/metrics/node" = {
|
|
extraConfig = ''
|
|
${concatStringsSep "\n" (map allow-network fudo-cfg.local-networks)}
|
|
allow 127.0.0.0/16;
|
|
deny all;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header Host $host;
|
|
'';
|
|
|
|
proxyPass = "http://127.0.0.1:9100/metrics";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|