Added Overlays
This commit is contained in:
@@ -0,0 +1,177 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.services.gs1200-exporter;
|
||||
|
||||
instanceOpts =
|
||||
{ name, ... }:
|
||||
{
|
||||
options = {
|
||||
address = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "IP address or hostname of the GS1200 switch.";
|
||||
example = "192.168.1.3";
|
||||
};
|
||||
|
||||
port = lib.mkOption {
|
||||
type = lib.types.port;
|
||||
default = 9934;
|
||||
description = "Port on which to expose Prometheus metrics.";
|
||||
};
|
||||
|
||||
password = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Password to log in to the GS1200 web interface.
|
||||
Use passwordFile instead to avoid storing the password in the Nix store.
|
||||
'';
|
||||
};
|
||||
|
||||
passwordFile = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to a file containing the password to log in to the GS1200 web interface.
|
||||
This is the recommended option as it avoids storing the password in the Nix store.
|
||||
Compatible with sops-nix and agenix.
|
||||
'';
|
||||
example = "/run/secrets/gs1200-password";
|
||||
};
|
||||
|
||||
debug = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = "Enable debug logging. Logs are accessible via journalctl -u gs1200-exporter-<name>.";
|
||||
};
|
||||
|
||||
verbose = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = "Enable verbose logging. Logs are accessible via journalctl -u gs1200-exporter-<name>.";
|
||||
};
|
||||
|
||||
json = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = "Output logs in JSON format. Logs are accessible via journalctl -u gs1200-exporter-<name>.";
|
||||
};
|
||||
|
||||
user = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "gs1200-exporter-${name}";
|
||||
description = "User under which the service runs.";
|
||||
};
|
||||
|
||||
group = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "gs1200-exporter-${name}";
|
||||
description = "Group under which the service runs.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
mkService = name: icfg: {
|
||||
"gs1200-exporter-${name}" = {
|
||||
description = "Prometheus exporter for Zyxel GS1200 switch '${name}'";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
User = icfg.user;
|
||||
Group = icfg.group;
|
||||
Restart = "always";
|
||||
RestartSec = "10s";
|
||||
|
||||
# Hardening
|
||||
NoNewPrivileges = true;
|
||||
PrivateTmp = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
CapabilityBoundingSet = "";
|
||||
};
|
||||
|
||||
script =
|
||||
let
|
||||
args = lib.concatStringsSep " " (
|
||||
[
|
||||
"--address ${icfg.address}"
|
||||
"--port ${toString icfg.port}"
|
||||
]
|
||||
++ lib.optional icfg.debug "--debug"
|
||||
++ lib.optional icfg.verbose "--verbose"
|
||||
++ lib.optional icfg.json "--json"
|
||||
);
|
||||
in
|
||||
if icfg.passwordFile != null then
|
||||
''
|
||||
export GS1200_PASSWORD=$(cat ${icfg.passwordFile})
|
||||
exec ${lib.getExe pkgs.gs1200-exporter} ${args}
|
||||
''
|
||||
else
|
||||
''
|
||||
export GS1200_PASSWORD=${lib.escapeShellArg icfg.password}
|
||||
exec ${lib.getExe pkgs.gs1200-exporter} ${args}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
in
|
||||
{
|
||||
options.services.gs1200-exporter = {
|
||||
instances = lib.mkOption {
|
||||
type = lib.types.attrsOf (lib.types.submodule instanceOpts);
|
||||
default = { };
|
||||
description = ''
|
||||
Each attribute defines a separate gs1200-exporter instance for one switch.
|
||||
Use this to monitor multiple GS1200 switches on the same host.
|
||||
'';
|
||||
example = lib.literalExpression ''
|
||||
{
|
||||
switch-1 = {
|
||||
address = "192.168.1.3";
|
||||
port = 9934;
|
||||
passwordFile = "/run/secrets/gs1200-password";
|
||||
};
|
||||
switch-2 = {
|
||||
address = "192.168.1.4";
|
||||
port = 9935;
|
||||
passwordFile = "/run/secrets/gs1200-password";
|
||||
};
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf (cfg.instances != { }) {
|
||||
assertions = lib.flatten (
|
||||
lib.mapAttrsToList (name: icfg: [
|
||||
{
|
||||
assertion = icfg.address != "";
|
||||
message = "services.gs1200-exporter.instances.${name}: address must be set.";
|
||||
}
|
||||
{
|
||||
assertion = (icfg.password == null) != (icfg.passwordFile == null);
|
||||
message = "services.gs1200-exporter.instances.${name}: exactly one of password or passwordFile must be set.";
|
||||
}
|
||||
]) cfg.instances
|
||||
);
|
||||
|
||||
users.users = lib.mapAttrs' (
|
||||
name: icfg:
|
||||
lib.nameValuePair icfg.user {
|
||||
isSystemUser = true;
|
||||
inherit (icfg) group;
|
||||
description = "gs1200-exporter '${name}' service user";
|
||||
}
|
||||
) cfg.instances;
|
||||
|
||||
users.groups = lib.mapAttrs' (_name: icfg: lib.nameValuePair icfg.group { }) cfg.instances;
|
||||
|
||||
systemd.services = lib.mkMerge (lib.mapAttrsToList mkService cfg.instances);
|
||||
};
|
||||
}
|
||||
@@ -23,6 +23,9 @@ let
|
||||
};
|
||||
in
|
||||
{
|
||||
|
||||
imports = [ ./gs-exporter.nix ];
|
||||
|
||||
sops.secrets = {
|
||||
grafana_secret_key = {
|
||||
owner = "grafana";
|
||||
@@ -32,8 +35,14 @@ in
|
||||
owner = "grafana";
|
||||
group = "grafana";
|
||||
};
|
||||
zyxel_pass = {
|
||||
group = "gs1200-exporter";
|
||||
mode = "0440";
|
||||
};
|
||||
};
|
||||
|
||||
users.groups.gs1200-exporter = { };
|
||||
|
||||
services = {
|
||||
grafana = {
|
||||
enable = true;
|
||||
@@ -141,9 +150,32 @@ in
|
||||
}
|
||||
];
|
||||
}
|
||||
{
|
||||
job_name = "gs1200-zyxel1";
|
||||
static_configs = [ { targets = [ "localhost:9934" ]; } ];
|
||||
}
|
||||
{
|
||||
job_name = "gs1200-zyxel2";
|
||||
static_configs = [ { targets = [ "localhost:9935" ]; } ];
|
||||
}
|
||||
]
|
||||
++ (lib.mapAttrsToList mkNodeJob extraNodes);
|
||||
};
|
||||
|
||||
gs1200-exporter.instances = {
|
||||
zyxel1 = {
|
||||
address = "192.168.2.3";
|
||||
port = 9934;
|
||||
passwordFile = config.sops.secrets.zyxel_pass.path;
|
||||
group = "gs1200-exporter";
|
||||
};
|
||||
zyxel2 = {
|
||||
address = "192.168.2.4";
|
||||
port = 9935;
|
||||
passwordFile = config.sops.secrets.zyxel_pass.path;
|
||||
group = "gs1200-exporter";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
|
||||
@@ -1,29 +1,21 @@
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
port = 8222;
|
||||
oidcwarden = import ../packages/oidcwarden.nix {
|
||||
inherit pkgs;
|
||||
oidcwarden-src = inputs.oidcwarden;
|
||||
};
|
||||
in
|
||||
{
|
||||
sops.secrets.vaultwarden_env = {
|
||||
owner = "vaultwarden";
|
||||
group = "vaultwarden";
|
||||
};
|
||||
|
||||
services.vaultwarden = {
|
||||
enable = true;
|
||||
package = oidcwarden;
|
||||
package = pkgs.oidcwarden;
|
||||
environmentFile = config.sops.secrets.vaultwarden_env.path;
|
||||
backupDir = "/var/local/vaultwarden/backup";
|
||||
|
||||
config = {
|
||||
DOMAIN = "https://vault.cyperpunk.de";
|
||||
ROCKET_ADDRESS = "0.0.0.0";
|
||||
@@ -38,9 +30,7 @@ in
|
||||
SSO_PKCE = false;
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ port ];
|
||||
|
||||
systemd = {
|
||||
services.vaultwarden-backup-rotate = {
|
||||
description = "Rotate old Vaultwarden backups";
|
||||
@@ -49,7 +39,6 @@ in
|
||||
ExecStart = "${pkgs.findutils}/bin/find /var/lib/vaultwarden/backup -mtime +30 -delete";
|
||||
};
|
||||
};
|
||||
|
||||
timers.vaultwarden-backup-rotate = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
|
||||
Reference in New Issue
Block a user