Add blackbox-exporter for certificate expiry checks #231

Open
teutat3s wants to merge 5 commits from ssl-cert-warning into main
4 changed files with 1148 additions and 4 deletions


@ -28,6 +28,11 @@
group = "grafana"; group = "grafana";
user = "grafana"; user = "grafana";
}; };
"grafana-dashboards/blackbox-exporter_rev3.json" = {
source = ./grafana-dashboards/blackbox-exporter_rev3.json;
group = "grafana";
user = "grafana";
};
"grafana-dashboards/synapse.json" = { "grafana-dashboards/synapse.json" = {
source = ./grafana-dashboards/synapse.json; source = ./grafana-dashboards/synapse.json;
group = "grafana"; group = "grafana";

File diff suppressed because it is too large Load diff


@ -198,10 +198,10 @@ lib.mapAttrsToList
description = "{{$labels.instance}}: healtcheck {{$labels.job}} fails!"; description = "{{$labels.instance}}: healtcheck {{$labels.job}} fails!";
}; };
*/ */
#cert_expiry = { cert_expiry = {
# condition = "(probe_ssl_earliest_cert_expiry - time())/(3600*24) < 30"; condition = "(probe_ssl_earliest_cert_expiry - time())/(3600*24) < 21";
# description = "{{$labels.instance}}: The TLS certificate will expire in less than 30 days: {{$value}}s"; description = "{{$labels.instance}}: The TLS certificate will expire in less than 21 days: {{$value}}s";
#}; };
# ignore devices that disabled S.M.A.R.T (example if attached via USB) # ignore devices that disabled S.M.A.R.T (example if attached via USB)
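Review bot: The new `cert_expiry` description ends in `{{$value}}s`, but the condition divides by `3600*24`, so the value is a number of days and the trailing `s` mislabels it as seconds; `... less than 21 days: {{$value}} days` would match the expression. The rule can also only fire while `probe_ssl_earliest_cert_expiry` is being exported. A probe that fails outright (for example against a certificate that has already expired, since the exporter config keeps `insecure_skip_verify: false`) may not export that series at all, so I would pair this with a rule on `probe_success == 0` for the `blackbox` job. The surrounding rule set starts and ends outside this hunk.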


@ -5,6 +5,10 @@
flake, flake,
... ...
}: }:
let
# TODO add hosts here
blackboxTargets = [ "https://pablo.tools" ];
Review

This probably still needs to happen?

This probably still needs to happen?
in
{ {
age.secrets.alertmanager-envfile = { age.secrets.alertmanager-envfile = {
file = "${flake.self}/secrets/alertmanager-envfile.age"; file = "${flake.self}/secrets/alertmanager-envfile.age";
@ -27,6 +31,32 @@
enable = true; enable = true;
port = 9001; port = 9001;
exporters = { exporters = {
blackbox = {
enable = true;
# Default port is 9115
openFirewall = false;
configFile = pkgs.writeTextFile {
name = "blackbox-exporter-config";
text = ''
modules:
http_2xx:
prober: http
timeout: 5s
http:
valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
valid_status_codes: [] # Defaults to 2xx
method: GET
no_follow_redirects: false
fail_if_ssl: false
fail_if_not_ssl: false
tls_config:
insecure_skip_verify: false
preferred_ip_protocol: "ip4" # defaults to "ip6"
ip_protocol_fallback: true # fallback to "ip6"
'';
};
};
node = { node = {
enable = true; enable = true;
enabledCollectors = [ "systemd" ]; enabledCollectors = [ "systemd" ];
@ -38,6 +68,30 @@
scrape_timeout = "9s"; scrape_timeout = "9s";
}; };
scrapeConfigs = [ scrapeConfigs = [
{
job_name = "blackbox";
scrape_interval = "5m";
metrics_path = "/probe";
params = {
module = [ "http_2xx" ];
};
static_configs = [ { targets = blackboxTargets; } ];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
}
{
source_labels = [ "__param_target" ];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "127.0.0.1:9115"; # The blackbox exporter's real hostname:port.
}
];
}
{ {
job_name = "node-exporter"; job_name = "node-exporter";
static_configs = [ static_configs = [
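Review bot: In the `blackbox` exporter block, `openFirewall = false` is the only thing keeping port 9115 private, even though the scrape job reaches the exporter at `127.0.0.1:9115`. The `/probe` endpoint fetches whatever `target` a caller supplies, and as far as I know the NixOS exporter modules listen on all interfaces by default, so I would add `listenAddress = "127.0.0.1";` rather than rely on the firewall alone. For a job whose purpose is certificate expiry, `fail_if_not_ssl: false` combined with `no_follow_redirects: false` lets a target that answers in, or redirects to, plain HTTP still count as a successful probe; `fail_if_not_ssl: true` would surface that case. Both attribute sets continue outside the visible hunks.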