metronom: add promtail, prometheus node-exporter

configure wireguard to push logs to and scrape metrics from flora-6

open firewall for node-exporter port on wg-ssh interface

hosts/default.nix

@@ -68,6 +68,8 @@
           self.nixosModules.unlock-zfs-on-boot
           self.nixosModules.core
           self.nixosModules.mail
+          self.nixosModules.prometheus-exporters
+          self.nixosModules.promtail
 
           self.inputs.simple-nixos-mailserver.nixosModule
         ];

hosts/flora-6/wireguard.nix

@@ -28,6 +28,16 @@
             "fd00:fae:fae:fae:fae:1::/96"
           ];
         }
+        {
+          # metronom.pub.solar
+          endpoint = "49.13.236.167:51820";
+          publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
+          allowedIPs = [
+            "10.7.6.3/32"
+            "fd00:fae:fae:fae:fae:3::/96"
+          ];
+          persistentKeepalive = 15;
+        }
       ];
     };
   };

modules/prometheus-exporters/default.nix

@@ -1,5 +1,8 @@
 { config, ... }:
 {
+  # Only expose prometheus exporter port via wireguard interface
+  networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 9002 ];
+
   services.prometheus = {
     exporters = {
       node = {

modules/prometheus/default.nix

@@ -53,6 +53,12 @@
               instance = "nachtigall";
             };
           }
+          {
+            targets = [ "metronom.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" ];
+            labels = {
+              instance = "metronom";
+            };
+          }
         ];
       }
       {