add prometheus-ping-exporter; misc changes

2023-12-15 06:03:46 +07:00 · 2023-12-15 06:03:46 +07:00 · a624526c5b
parent a212573774
commit a624526c5b
10 changed files with 207 additions and 5 deletions
--- a/flake.nix
+++ b/flake.nix
@ -112,7 +112,7 @@
        pkgs = super;
        nurpkgs = super;
      };
-      nix-gaming = nix-gaming.packages.${super.system};
+      inherit nix-gaming;
    } // args);
    overlay = overlay' { };
    # I override some settings down the line, but overlays always stay the same
@ -133,6 +133,7 @@
            _module.args.notnft = if devNft then (import /${devPath}/notnft { inherit (nixpkgs) lib; }).config.notnft else notnft.lib.${system};
          }
          (if devNixRt then import /${devPath}/nixos-router else nixos-router.nixosModules.default)
          ./system/modules/ping-exporter.nix
        ];
      };
      crossConfig' = from: config: config // {
--- a/home/common/general.nix
+++ b/home/common/general.nix
@ -147,6 +147,7 @@
    readline = {
      enable = true;
      variables.editing-mode = "vi";
      variables.show-mode-in-prompt = true;
    };
    nix-index = {
      enable = true;
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -14,7 +14,7 @@ let
 in
 {
-  inherit (nix-gaming) faf-client osu-lazer-bin;
+  inherit (nix-gaming.packages.${pkgs.system}) faf-client osu-lazer-bin;
  inherit nixForNixPlugins;
  nix = nixForNixPlugins;
  nixVersions = pkgs.nixVersions.extend (self: super: {
@ -108,6 +108,7 @@ in
  kvmfrOverlay = kvmfr: kvmfr.overrideAttrs (old: {
    inherit (pkgs'.looking-glass-client) version src;
  });
  ping-exporter = callPackage ./ping-exporter { };
  proton-ge = pkgs.stdenvNoCC.mkDerivation {
    inherit (sources.proton-ge) pname version src;
    installPhase = ''
--- a/pkgs/ping-exporter/default.nix
+++ b/pkgs/ping-exporter/default.nix
@ -0,0 +1,24 @@
 { lib
 , fetchFromGitHub
 , rustPlatform
 }:
 rustPlatform.buildRustPackage rec {
  pname = "ping-exporter";
  version = "0.1";
  src = fetchFromGitHub {
    owner = "chayleaf";
    repo = "ping-exporter";
    rev = "cf5e5f7e96fb477e015d44cd462fb996b944c896";
    hash = "sha256-eZncfKTegLp+KBnAds8YR7ZMN8i7jDIIN8qt7832+0Y=";
  };
  cargoLock.lockFile = "${src}/Cargo.lock";
  meta = with lib; {
    description = "A ping exporter for Prometheus";
    license = with lib.licenses; [ mit asl20 ];
    maintainers = with lib.maintainers; [ chayleaf ];
  };
 }
--- a/system/devices/bpi-r3-router.nix
+++ b/system/devices/bpi-r3-router.nix
@ -14,6 +14,12 @@ in
  ];
  networking.hostName = "nixos-router";
  systemd.enableEmergencyMode = false;
  boot.kernel.sysctl = {
    "net.core.default_qdisc" = "fq";
    "net.ipv4.tcp_congestion_control" = "bbr";
  };
  fileSystems = {
    # mount root on tmpfs
    "/" =     { device = "none"; fsType = "tmpfs"; neededForBoot = true;
--- a/system/devices/radxa-rock5a-server.nix
+++ b/system/devices/radxa-rock5a-server.nix
@ -29,6 +29,12 @@ in
    "dm_mod" "dm_crypt" "encrypted_keys"
  ];
  systemd.enableEmergencyMode = false;
  boot.kernel.sysctl = {
    "net.core.default_qdisc" = "fq";
    "net.ipv4.tcp_congestion_control" = "bbr";
  };
  networking.useDHCP = true;
  /*
  # as expected, systemd initrd and networking didn't work well, and i really cba to debug it
--- a/system/hosts/router/metrics.nix
+++ b/system/hosts/router/metrics.nix
@ -31,6 +31,18 @@ in {
      ];
      listenAddress = netAddresses.lan4;
    };
    ping = {
      enable = true;
      listenAddress = netAddresses.lan4;
      port = 9380;
      config = {
        type = "raw";
        targets = [
          "8.8.8.8"
          { target = "8.8.8.8"; netns = "wan"; }
        ];
      };
    };
  };
  router.interfaces.br0 = let
    # all of this just to avoid logging commands...
--- a/system/hosts/server/default.nix
+++ b/system/hosts/server/default.nix
@ -134,13 +134,12 @@ in {
      })}'')}
    real_ip_header CF-Connecting-IP;
  '';
-  # brotli and zstd requires recompilation so I don't enable it
+  services.nginx.recommendedBrotliSettings = true;
  # services.nginx.recommendedBrotliSettings = true;
  # services.nginx.recommendedZstdSettings = true;
  services.nginx.recommendedGzipSettings = true;
  services.nginx.recommendedOptimisation = true;
  services.nginx.recommendedProxySettings = true;
  services.nginx.recommendedTlsSettings = true;
  services.nginx.recommendedZstdSettings = true;
  # BLOG
  services.nginx.virtualHosts.${cfg.domainName} = {
--- a/system/hosts/server/home.nix
+++ b/system/hosts/server/home.nix
@ -315,6 +315,7 @@ in {
            "retracker.local:9101"
            "retracker.local:9256"
            "retracker.local:9167"
            "retracker.local:9380"
          ];
          labels.machine = "router";
        } ];
--- a/system/modules/ping-exporter.nix
+++ b/system/modules/ping-exporter.nix
@ -0,0 +1,151 @@
 { config
 , lib
 , pkgs
 , ...
 }:
 let
  cfg = config.services.prometheus.exporters.ping;
  inherit (lib) concatStrings literalExpression mkMerge mkDefault mkEnableOption mkIf mkOption types;
  # copied from nixpkgs/nixos/modules/services/monitoring/prometheus/exporters
  mkExporterOpts = { name, port }: {
    enable = mkEnableOption (lib.mdDoc "the prometheus ${name} exporter");
    port = mkOption {
      type = types.port;
      default = port;
      description = lib.mdDoc ''
        Port to listen on.
      '';
    };
    listenAddress = mkOption {
      type = types.str;
      default = "0.0.0.0";
      description = lib.mdDoc ''
        Address to listen on.
      '';
    };
    extraFlags = mkOption {
      type = types.listOf types.str;
      default = [];
      description = lib.mdDoc ''
        Extra commandline options to pass to the ${name} exporter.
      '';
    };
    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Open port in firewall for incoming connections.
      '';
    };
    firewallFilter = mkOption {
      type = types.nullOr types.str;
      default = null;
      example = literalExpression ''
        "-i eth0 -p tcp -m tcp --dport ${toString port}"
      '';
      description = lib.mdDoc ''
        Specify a filter for iptables to use when
        {option}`services.prometheus.exporters.${name}.openFirewall`
        is true. It is used as `ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept`.
      '';
    };
    user = mkOption {
      type = types.str;
      default = "${name}-exporter";
      description = lib.mdDoc ''
        User name under which the ${name} exporter shall be run.
      '';
    };
    group = mkOption {
      type = types.str;
      default = "${name}-exporter";
      description = lib.mdDoc ''
        Group under which the ${name} exporter shall be run.
      '';
    };
  };
  mkExporterConf = { name, conf, serviceOpts }:
    let
      enableDynamicUser = serviceOpts.serviceConfig.DynamicUser or true;
    in
    mkIf conf.enable {
      warnings = conf.warnings or [];
      users.users."${name}-exporter" = (mkIf (conf.user == "${name}-exporter" && !enableDynamicUser) {
        description = "Prometheus ${name} exporter service user";
        isSystemUser = true;
        inherit (conf) group;
      });
      users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {
        "${name}-exporter" = {};
      });
      networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
        "ip46tables -A nixos-fw ${conf.firewallFilter} "
        "-m comment --comment ${name}-exporter -j nixos-fw-accept"
      ]);
      systemd.services."prometheus-${name}-exporter" = mkMerge ([{
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        serviceConfig.Restart = mkDefault "always";
        serviceConfig.PrivateTmp = mkDefault true;
        serviceConfig.WorkingDirectory = mkDefault /tmp;
        serviceConfig.DynamicUser = mkDefault enableDynamicUser;
        serviceConfig.User = mkDefault conf.user;
        serviceConfig.Group = conf.group;
        # Hardening
        serviceConfig.CapabilityBoundingSet = mkDefault [ "" ];
        serviceConfig.DeviceAllow = [ "" ];
        serviceConfig.LockPersonality = true;
        serviceConfig.MemoryDenyWriteExecute = true;
        serviceConfig.NoNewPrivileges = true;
        serviceConfig.PrivateDevices = mkDefault true;
        serviceConfig.ProtectClock = mkDefault true;
        serviceConfig.ProtectControlGroups = true;
        serviceConfig.ProtectHome = true;
        serviceConfig.ProtectHostname = true;
        serviceConfig.ProtectKernelLogs = true;
        serviceConfig.ProtectKernelModules = true;
        serviceConfig.ProtectKernelTunables = true;
        serviceConfig.ProtectSystem = mkDefault "strict";
        serviceConfig.RemoveIPC = true;
        serviceConfig.RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        serviceConfig.RestrictNamespaces = true;
        serviceConfig.RestrictRealtime = true;
        serviceConfig.RestrictSUIDSGID = true;
        serviceConfig.SystemCallArchitectures = "native";
        serviceConfig.UMask = "0077";
      } serviceOpts ]);
  };
  format = pkgs.formats.toml { };
 in {
  options.services.prometheus.exporters.ping = mkExporterOpts { name = "ping"; port = 9390; } // {
    config = mkOption {
      type = format.type;
      default = { };
      description = "Exporter config";
    };
  };
  config = mkExporterConf {
    name = "ping";
    conf = cfg;
    serviceOpts = {
      serviceConfig = rec {
        # netns switching
        AmbientCapabilities = [
          # set network namespace
          "CAP_SYS_ADMIN"
          # open icmp socket
          "CAP_NET_RAW"
        ];
        CapabilityBoundingSet = AmbientCapabilities;
        RestrictNamespaces = lib.mkForce false;
        ExecStart = ''
          ${pkgs.ping-exporter}/bin/ping-exporter \
            --listen ${cfg.listenAddress}:${toString cfg.port} \
            --config ${format.generate "ping-exporter-config.toml" cfg.config} \
            ${lib.escapeShellArgs cfg.extraFlags}
        '';
      };
    };
  };
 }