Replace telegraf with node exporter

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-04-19 17:57:34 +03:00
parent 3f1531fbd1
commit 1a445ab6fd
37 changed files with 3099 additions and 421 deletions


@@ -13,6 +13,5 @@
initrd.systemd.enable = true;
kernelPackages = pkgs.linuxPackages_latest;
supportedFilesystems = [ "btrfs" ];
};
}


@@ -1,5 +1,10 @@
{ pkgs, ... }:
{
boot = {
initrd.supportedFilesystems = [ "btrfs" ];
supportedFilesystems = [ "btrfs" ];
};
services.btrfs.autoScrub = {
enable = true;
interval = "weekly";


@@ -1,9 +1,4 @@
{
config,
lib,
pkgs,
...
}:
{ config, pkgs, ... }:
{
imports = [ ./options.nix ];
@@ -11,15 +6,15 @@
# https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/administration/systemd-state.section.md
# https://github.com/NixOS/nixpkgs/pull/286140/files
# https://git.eisfunke.com/config/nixos/-/blob/e65e1dc21d06d07b454005762b177ef151f8bfb6/nixos/machine-id.nix
sops.secrets."machineId".mode = "0444";
sops.secrets.machineId.mode = "0444";
fileSystems."/persist".neededForBoot = true;
environment = {
impermanence.enable = true;
etc."machine-id".source = pkgs.runCommandLocal "machine-id-link" { } ''
ln -s ${config.sops.secrets."machineId".path} $out
etc.machine-id.source = pkgs.runCommandLocal "machine-id-link" { } ''
ln -s ${config.sops.secrets.machineId.path} $out
'';
persistence = {


@@ -8,7 +8,7 @@
../../../../../secrets/personal/secrets.yaml;
};
templates."nix-access-tokens" = {
templates.nix-access-tokens = {
content = ''
access-tokens = github.com=${config.sops.placeholder."git/credentials/github.com/public/password"}
'';
@@ -33,7 +33,7 @@
registry.self.flake = inputs.self;
extraOptions = ''
!include ${config.sops.templates."nix-access-tokens".path}
!include ${config.sops.templates.nix-access-tokens.path}
'';
};
}


@@ -1,13 +1,5 @@
{ ... }:
{
nixpkgs.overlays = [
(final: prev: {
fail2ban = prev.fail2ban.overrideAttrs (oldAttrs: {
patches = oldAttrs.patches or [ ] ++ [ ./remove-umask.patch ];
});
})
];
environment = {
enableAllTerminfo = true;
persistence."/persist/state"."/var/lib/fail2ban" = { };
@@ -32,12 +24,4 @@
};
};
};
systemd.services.fail2ban.serviceConfig = {
User = "root";
Group = "fail2ban";
UMask = "0117";
};
users.groups.fail2ban = { };
}
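Review bot: Removing the `systemd.services.fail2ban.serviceConfig` override (User/Group/UMask) together with `users.groups.fail2ban` leaves the state that this file still persists at `persistence."/persist/state"."/var/lib/fail2ban"` unaddressed: on hosts already deployed, files written under `UMask = "0117"` with group `fail2ban` presumably keep their group-readable bits and an orphaned GID once the group entry is gone, while the daemon itself goes back to its upstream owner-only umask now that the overlay in the first hunk no longer applies `./remove-umask.patch`. A one-off permission reset on that path would close the gap, e.g. `systemd.tmpfiles.rules = [ "z /var/lib/fail2ban 0700 root root -" ];` — confirm the mode against what fail2ban expects for its database directory. It is also worth grepping the rest of the configuration for other references to the `fail2ban` group, since the persisted directory declaration and any remaining `SupplementaryGroups` entry would now point at a group that no longer exists. The first hunk's enclosing attribute set continues outside the hunk; the second hunk ends at the file's closing brace.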


@@ -1,15 +0,0 @@
diff --git a/fail2ban/server/server.py b/fail2ban/server/server.py
index e438c4ca..aeee4075 100644
--- a/fail2ban/server/server.py
+++ b/fail2ban/server/server.py
@@ -108,9 +108,7 @@ class Server:
signal.signal(s, new)
def start(self, sock, pidfile, force=False, observer=True, conf={}):
- # First set the mask to only allow access to owner
- os.umask(0o077)
- # Second daemonize before logging etc, because it will close all handles:
+ # Daemonize before logging etc, because it will close all handles:
if self.__daemon: # pragma: no cover
logSys.info("Starting in daemon mode")
ret = self.__createDaemon()


@@ -1,117 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (
subject.user == "telegraf"
&& action.id.indexOf("org.freedesktop.systemd1.") == 0
)
{ return polkit.Result.YES; }
});
'';
services.telegraf = {
enable = true;
extraConfig = {
agent.quiet = true;
outputs.prometheus_client = [ { listen = ":9273"; } ];
inputs =
{
cpu = [ { report_active = true; } ];
disk = [
{
mount_points = lib.attrsets.mapAttrsToList (_: fs: fs.mountPoint) config.fileSystems;
}
];
diskio = [ { skip_serial_number = false; } ];
kernel = [ { } ];
mem = [ { } ];
processes = [ { } ];
swap = [ { } ];
system = [ { } ];
internal = [ { } ];
# TODO: Enable
# linux_cpu = [ { } ];
net = [ { ignore_protocol_stats = true; } ];
# TODO: Enable
# sensors = [ { remove_numbers = false; } ];
smart = [ { } ];
# TODO: Enable
# amd_rocm_smi = [ { } ];
systemd_units = [ { } ];
}
// lib.attrsets.optionalAttrs config.virtualisation.podman.enable {
docker = [
{
endpoint = "unix:///var/run/podman/podman.sock";
perdevice = false;
perdevice_include = [
"cpu"
"blkio"
"network"
];
}
];
}
// lib.attrsets.optionalAttrs config.services.fail2ban.enable {
fail2ban = [ { } ];
}
// lib.attrsets.optionalAttrs (config.networking.wireguard.interfaces != { }) {
wireguard = [ { } ];
};
};
};
systemd.services.telegraf = {
path =
with pkgs;
[
dbus
smartmontools
# TODO: Enable
# lm_sensors
# rocmPackages.rocm-smi
]
++ lib.lists.optional config.services.fail2ban.enable fail2ban;
environment = {
DBUS_SYSTEM_BUS_ADDRESS = "unix:path=/var/run/dbus/system_bus_socket";
};
serviceConfig = {
AmbientCapabilities = [
"CAP_NET_RAW"
"CAP_SYS_RAWIO"
] ++ lib.lists.optional (config.networking.wireguard.interfaces != { }) "CAP_NET_ADMIN";
SupplementaryGroups =
[
"disk"
]
++ lib.lists.optional config.virtualisation.podman.enable "podman"
++ lib.lists.optional config.services.fail2ban.enable "fail2ban";
};
};
}