From 6548edee9af817ba8415cc953e7ae830ada97f79 Mon Sep 17 00:00:00 2001
From: Pablo Ovelleiro Corral <mail@pablo.tools>
Date: Sun, 25 Aug 2024 17:17:54 +0200
Subject: [PATCH] Add blackbox-exporter config

---
 modules/prometheus/alert-rules.nix |  8 ++---
 modules/prometheus/default.nix     | 55 ++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+), 4 deletions(-)

diff --git a/modules/prometheus/alert-rules.nix b/modules/prometheus/alert-rules.nix
index 866709b..575bfcb 100644
--- a/modules/prometheus/alert-rules.nix
+++ b/modules/prometheus/alert-rules.nix
@@ -198,10 +198,10 @@ lib.mapAttrsToList
       description = "{{$labels.instance}}: healtcheck {{$labels.job}} fails!";
       };
     */
-    #cert_expiry = {
-    #  condition = "(probe_ssl_earliest_cert_expiry - time())/(3600*24) < 30";
-    #  description = "{{$labels.instance}}: The TLS certificate will expire in less than 30 days: {{$value}}s";
-    #};
+    cert_expiry = {
+     condition = "(probe_ssl_earliest_cert_expiry - time())/(3600*24) < 30";
+     description = "{{$labels.instance}}: The TLS certificate will expire in less than 30 days: {{$value}}s";
+    };
 
     # ignore devices that disabled S.M.A.R.T (example if attached via USB)
 
diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix
index 41cc28c..ff9766f 100644
--- a/modules/prometheus/default.nix
+++ b/modules/prometheus/default.nix
@@ -5,6 +5,10 @@
   flake,
   ...
 }:
+let
+  # TODO add hosts here
+  blackboxTargets = [ "https://pablo.tools" ];
+in
 {
   age.secrets.alertmanager-envfile = {
     file = "${flake.self}/secrets/alertmanager-envfile.age";
@@ -39,6 +43,33 @@
     enable = true;
     port = 9001;
     exporters = {
+      blackbox = {
+        enable = true;
+        # Default port is 9115
+        # Listen on 0.0.0.0, bet we only open the firewall for wg0
+        openFirewall = false;
+
+        configFile = pkgs.writeTextFile {
+          name = "blackbox-exporter-config";
+          text = ''
+            modules:
+              http_2xx:
+                prober: http
+                timeout: 5s
+                http:
+                  valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
+                  valid_status_codes: []  # Defaults to 2xx
+                  method: GET
+                  no_follow_redirects: false
+                  fail_if_ssl: false
+                  fail_if_not_ssl: false
+                  tls_config:
+                    insecure_skip_verify: false
+                  preferred_ip_protocol: "ip4" # defaults to "ip6"
+                  ip_protocol_fallback: true  # fallback to "ip6"
+          '';
+        };
+      };
       node = {
         enable = true;
         enabledCollectors = [ "systemd" ];
@@ -50,6 +81,30 @@
       scrape_timeout = "9s";
     };
     scrapeConfigs = [
+      {
+        job_name = "blackbox";
+        scrape_interval = "2m";
+        metrics_path = "/probe";
+        params = {
+          module = [ "http_2xx" ];
+        };
+        static_configs = [ { targets = blackboxTargets; } ];
+
+        relabel_configs = [
+          {
+            source_labels = [ "__address__" ];
+            target_label = "__param_target";
+          }
+          {
+            source_labels = [ "__param_target" ];
+            target_label = "instance";
+          }
+          {
+            target_label = "__address__";
+            replacement = "127.0.0.1:9115"; # The blackbox exporter's real hostname:port.
+          }
+        ];
+      }
       {
         job_name = "node-exporter";
         static_configs = [