add prometheus-ping-exporter; misc changes

2023-12-15 06:03:46 +07:00 · 2023-12-15 06:03:46 +07:00 · a624526c5b
parent a212573774
commit a624526c5b
10 changed files with 207 additions and 5 deletions
--- a/flake.nix
+++ b/flake.nix
@ -112,7 +112,7 @@
        pkgs = super;
        nurpkgs = super;
      };
-      nix-gaming = nix-gaming.packages.${super.system};
+      inherit nix-gaming;
    } // args);
    overlay = overlay' { };
    # I override some settings down the line, but overlays always stay the same
@ -133,6 +133,7 @@
            _module.args.notnft = if devNft then (import /${devPath}/notnft { inherit (nixpkgs) lib; }).config.notnft else notnft.lib.${system};
          }
          (if devNixRt then import /${devPath}/nixos-router else nixos-router.nixosModules.default)
+          ./system/modules/ping-exporter.nix
        ];
      };
      crossConfig' = from: config: config // {
--- a/home/common/general.nix
+++ b/home/common/general.nix
@ -147,6 +147,7 @@
    readline = {
      enable = true;
      variables.editing-mode = "vi";
+      variables.show-mode-in-prompt = true;
    };
    nix-index = {
      enable = true;
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -14,7 +14,7 @@ let
 in

 {
-  inherit (nix-gaming) faf-client osu-lazer-bin;
+  inherit (nix-gaming.packages.${pkgs.system}) faf-client osu-lazer-bin;
  inherit nixForNixPlugins;
  nix = nixForNixPlugins;
  nixVersions = pkgs.nixVersions.extend (self: super: {
@ -108,6 +108,7 @@ in
  kvmfrOverlay = kvmfr: kvmfr.overrideAttrs (old: {
    inherit (pkgs'.looking-glass-client) version src;
  });
+  ping-exporter = callPackage ./ping-exporter { };
  proton-ge = pkgs.stdenvNoCC.mkDerivation {
    inherit (sources.proton-ge) pname version src;
    installPhase = ''
--- a/pkgs/ping-exporter/default.nix
+++ b/pkgs/ping-exporter/default.nix
@ -0,0 +1,24 @@
+{ lib
+, fetchFromGitHub
+, rustPlatform
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "ping-exporter";
+  version = "0.1";
+
+  src = fetchFromGitHub {
+    owner = "chayleaf";
+    repo = "ping-exporter";
+    rev = "cf5e5f7e96fb477e015d44cd462fb996b944c896";
+    hash = "sha256-eZncfKTegLp+KBnAds8YR7ZMN8i7jDIIN8qt7832+0Y=";
+  };
+
+  cargoLock.lockFile = "${src}/Cargo.lock";
+
+  meta = with lib; {
+    description = "A ping exporter for Prometheus";
+    license = with lib.licenses; [ mit asl20 ];
+    maintainers = with lib.maintainers; [ chayleaf ];
+  };
+}
--- a/system/devices/bpi-r3-router.nix
+++ b/system/devices/bpi-r3-router.nix
@ -14,6 +14,12 @@ in
  ];
  networking.hostName = "nixos-router";

+  systemd.enableEmergencyMode = false;
+  boot.kernel.sysctl = {
+    "net.core.default_qdisc" = "fq";
+    "net.ipv4.tcp_congestion_control" = "bbr";
+  };
+
  fileSystems = {
    # mount root on tmpfs
    "/" =     { device = "none"; fsType = "tmpfs"; neededForBoot = true;
--- a/system/devices/radxa-rock5a-server.nix
+++ b/system/devices/radxa-rock5a-server.nix
@ -29,6 +29,12 @@ in
    "dm_mod" "dm_crypt" "encrypted_keys"
  ];

+  systemd.enableEmergencyMode = false;
+  boot.kernel.sysctl = {
+    "net.core.default_qdisc" = "fq";
+    "net.ipv4.tcp_congestion_control" = "bbr";
+  };
+
  networking.useDHCP = true;
  /*
  # as expected, systemd initrd and networking didn't work well, and i really cba to debug it
--- a/system/hosts/router/metrics.nix
+++ b/system/hosts/router/metrics.nix
@ -31,6 +31,18 @@ in {
      ];
      listenAddress = netAddresses.lan4;
    };
+    ping = {
+      enable = true;
+      listenAddress = netAddresses.lan4;
+      port = 9380;
+      config = {
+        type = "raw";
+        targets = [
+          "8.8.8.8"
+          { target = "8.8.8.8"; netns = "wan"; }
+        ];
+      };
+    };
  };
  router.interfaces.br0 = let
    # all of this just to avoid logging commands...
--- a/system/hosts/server/default.nix
+++ b/system/hosts/server/default.nix
@ -134,13 +134,12 @@ in {
      })}'')}
    real_ip_header CF-Connecting-IP;
  '';
-  # brotli and zstd requires recompilation so I don't enable it
-  # services.nginx.recommendedBrotliSettings = true;
-  # services.nginx.recommendedZstdSettings = true;
+  services.nginx.recommendedBrotliSettings = true;
  services.nginx.recommendedGzipSettings = true;
  services.nginx.recommendedOptimisation = true;
  services.nginx.recommendedProxySettings = true;
  services.nginx.recommendedTlsSettings = true;
+  services.nginx.recommendedZstdSettings = true;

  # BLOG
  services.nginx.virtualHosts.${cfg.domainName} = {
--- a/system/hosts/server/home.nix
+++ b/system/hosts/server/home.nix
@ -315,6 +315,7 @@ in {
            "retracker.local:9101"
            "retracker.local:9256"
            "retracker.local:9167"
+            "retracker.local:9380"
          ];
          labels.machine = "router";
        } ];
--- a/system/modules/ping-exporter.nix
+++ b/system/modules/ping-exporter.nix
@ -0,0 +1,151 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+
+let
+  cfg = config.services.prometheus.exporters.ping;
+  inherit (lib) concatStrings literalExpression mkMerge mkDefault mkEnableOption mkIf mkOption types;
+  # copied from nixpkgs/nixos/modules/services/monitoring/prometheus/exporters
+  mkExporterOpts = { name, port }: {
+    enable = mkEnableOption (lib.mdDoc "the prometheus ${name} exporter");
+    port = mkOption {
+      type = types.port;
+      default = port;
+      description = lib.mdDoc ''
+        Port to listen on.
+      '';
+    };
+    listenAddress = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+      description = lib.mdDoc ''
+        Address to listen on.
+      '';
+    };
+    extraFlags = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = lib.mdDoc ''
+        Extra commandline options to pass to the ${name} exporter.
+      '';
+    };
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Open port in firewall for incoming connections.
+      '';
+    };
+    firewallFilter = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      example = literalExpression ''
+        "-i eth0 -p tcp -m tcp --dport ${toString port}"
+      '';
+      description = lib.mdDoc ''
+        Specify a filter for iptables to use when
+        {option}`services.prometheus.exporters.${name}.openFirewall`
+        is true. It is used as `ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept`.
+      '';
+    };
+    user = mkOption {
+      type = types.str;
+      default = "${name}-exporter";
+      description = lib.mdDoc ''
+        User name under which the ${name} exporter shall be run.
+      '';
+    };
+    group = mkOption {
+      type = types.str;
+      default = "${name}-exporter";
+      description = lib.mdDoc ''
+        Group under which the ${name} exporter shall be run.
+      '';
+    };
+  };
+  mkExporterConf = { name, conf, serviceOpts }:
+    let
+      enableDynamicUser = serviceOpts.serviceConfig.DynamicUser or true;
+    in
+    mkIf conf.enable {
+      warnings = conf.warnings or [];
+      users.users."${name}-exporter" = (mkIf (conf.user == "${name}-exporter" && !enableDynamicUser) {
+        description = "Prometheus ${name} exporter service user";
+        isSystemUser = true;
+        inherit (conf) group;
+      });
+      users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {
+        "${name}-exporter" = {};
+      });
+      networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
+        "ip46tables -A nixos-fw ${conf.firewallFilter} "
+        "-m comment --comment ${name}-exporter -j nixos-fw-accept"
+      ]);
+      systemd.services."prometheus-${name}-exporter" = mkMerge ([{
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+        serviceConfig.Restart = mkDefault "always";
+        serviceConfig.PrivateTmp = mkDefault true;
+        serviceConfig.WorkingDirectory = mkDefault /tmp;
+        serviceConfig.DynamicUser = mkDefault enableDynamicUser;
+        serviceConfig.User = mkDefault conf.user;
+        serviceConfig.Group = conf.group;
+        # Hardening
+        serviceConfig.CapabilityBoundingSet = mkDefault [ "" ];
+        serviceConfig.DeviceAllow = [ "" ];
+        serviceConfig.LockPersonality = true;
+        serviceConfig.MemoryDenyWriteExecute = true;
+        serviceConfig.NoNewPrivileges = true;
+        serviceConfig.PrivateDevices = mkDefault true;
+        serviceConfig.ProtectClock = mkDefault true;
+        serviceConfig.ProtectControlGroups = true;
+        serviceConfig.ProtectHome = true;
+        serviceConfig.ProtectHostname = true;
+        serviceConfig.ProtectKernelLogs = true;
+        serviceConfig.ProtectKernelModules = true;
+        serviceConfig.ProtectKernelTunables = true;
+        serviceConfig.ProtectSystem = mkDefault "strict";
+        serviceConfig.RemoveIPC = true;
+        serviceConfig.RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        serviceConfig.RestrictNamespaces = true;
+        serviceConfig.RestrictRealtime = true;
+        serviceConfig.RestrictSUIDSGID = true;
+        serviceConfig.SystemCallArchitectures = "native";
+        serviceConfig.UMask = "0077";
+      } serviceOpts ]);
+  };
+  format = pkgs.formats.toml { };
+in {
+  options.services.prometheus.exporters.ping = mkExporterOpts { name = "ping"; port = 9390; } // {
+    config = mkOption {
+      type = format.type;
+      default = { };
+      description = "Exporter config";
+    };
+  };
+  config = mkExporterConf {
+    name = "ping";
+    conf = cfg;
+    serviceOpts = {
+      serviceConfig = rec {
+        # netns switching
+        AmbientCapabilities = [
+          # set network namespace
+          "CAP_SYS_ADMIN"
+          # open icmp socket
+          "CAP_NET_RAW"
+        ];
+        CapabilityBoundingSet = AmbientCapabilities;
+        RestrictNamespaces = lib.mkForce false;
+        ExecStart = ''
+          ${pkgs.ping-exporter}/bin/ping-exporter \
+            --listen ${cfg.listenAddress}:${toString cfg.port} \
+            --config ${format.generate "ping-exporter-config.toml" cfg.config} \
+            ${lib.escapeShellArgs cfg.extraFlags}
+        '';
+      };
+    };
+  };
+}