metronom: add promtail, prometheus node-exporter

configure wireguard to push logs to and scrape metrics from flora-6 open firewall for node-exporter port on wg-ssh interface
2024-06-06 12:52:55 +02:00 · 2024-06-06 12:52:55 +02:00 · b93608a8fa
parent 6143f56c01
commit b93608a8fa
4 changed files with 21 additions and 0 deletions
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -68,6 +68,8 @@
          self.nixosModules.unlock-zfs-on-boot
          self.nixosModules.core
          self.nixosModules.mail
+          self.nixosModules.prometheus-exporters
+          self.nixosModules.promtail

          self.inputs.simple-nixos-mailserver.nixosModule
        ];
--- a/hosts/flora-6/wireguard.nix
+++ b/hosts/flora-6/wireguard.nix
@ -28,6 +28,16 @@
            "fd00:fae:fae:fae:fae:1::/96"
          ];
        }
+        {
+          # metronom.pub.solar
+          endpoint = "49.13.236.167:51820";
+          publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
+          allowedIPs = [
+            "10.7.6.3/32"
+            "fd00:fae:fae:fae:fae:3::/96"
+          ];
+          persistentKeepalive = 15;
+        }
      ];
    };
  };
--- a/modules/prometheus-exporters/default.nix
+++ b/modules/prometheus-exporters/default.nix
@ -1,5 +1,8 @@
 { config, ... }:
 {
+  # Only expose prometheus exporter port via wireguard interface
+  networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 9002 ];
+
  services.prometheus = {
    exporters = {
      node = {
--- a/modules/prometheus/default.nix
+++ b/modules/prometheus/default.nix
@ -53,6 +53,12 @@
              instance = "nachtigall";
            };
          }
+          {
+            targets = [ "metronom.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" ];
+            labels = {
+              instance = "metronom";
+            };
+          }
        ];
      }
      {