nix/hosts/common/configs/system/telegraf/default.nix

{
  config,
  lib,
  pkgs,
  ...
}:
{
  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
      if (
        subject.user == "telegraf"
        && action.id.indexOf("org.freedesktop.systemd1.") == 0
        )
          { return polkit.Result.YES; }
    });
  '';

  services.telegraf = {
    enable = true;

    extraConfig = {
      agent.quiet = true;

      outputs.prometheus_client = [ { listen = ":9273"; } ];

      inputs =
        {
          cpu = [ { report_active = true; } ];

          disk = [
            {
              mount_points = lib.attrsets.mapAttrsToList (_: fs: fs.mountPoint) config.fileSystems;
            }
          ];

          diskio = [ { skip_serial_number = false; } ];

          kernel = [ { } ];

          mem = [ { } ];

          processes = [ { } ];

          swap = [ { } ];

          system = [ { } ];

          internal = [ { } ];

          # TODO: Enable
          # linux_cpu = [ { } ];

          net = [ { ignore_protocol_stats = true; } ];

          # TODO: Enable
          # sensors = [ { remove_numbers = false; } ];

          smart = [ { } ];

          # TODO: Enable
          # amd_rocm_smi = [ { } ];

          systemd_units = [ { } ];
        }
        // lib.attrsets.optionalAttrs config.virtualisation.podman.enable {
          docker = [
            {
              endpoint = "unix:///var/run/podman/podman.sock";
              perdevice = false;
              perdevice_include = [
                "cpu"
                "blkio"
                "network"
              ];
            }
          ];
        }
        // lib.attrsets.optionalAttrs config.services.fail2ban.enable {
          fail2ban = [ { } ];
        }
        // lib.attrsets.optionalAttrs (config.networking.wireguard.interfaces != { }) {
          wireguard = [ { } ];
        };
    };
  };

  systemd.services.telegraf = {
    path =
      with pkgs;
      [
        dbus
        smartmontools
        # TODO: Enable
        # lm_sensors
        # rocmPackages.rocm-smi
      ]
      ++ lib.lists.optional config.services.fail2ban.enable fail2ban;

    environment = {
      DBUS_SYSTEM_BUS_ADDRESS = "unix:path=/var/run/dbus/system_bus_socket";
    };

    serviceConfig = {
      AmbientCapabilities = [
        "CAP_NET_RAW"
        "CAP_SYS_RAWIO"
      ] ++ lib.lists.optional (config.networking.wireguard.interfaces != { }) "CAP_NET_ADMIN";

      SupplementaryGroups =
        [
          "disk"
        ]
        ++ lib.lists.optional config.virtualisation.podman.enable "podman"
        ++ lib.lists.optional config.services.fail2ban.enable "fail2ban";
    };
  };
}