add restic-exporter to prometheus metrics

2025-01-31 21:17:49 +00:00 · 2025-01-31 21:17:49 +00:00 · 37c50ce7b5
commit 37c50ce7b5
parent c73aa9933a
2 changed files with 46 additions and 5 deletions
--- a/flake.lock
+++ b/flake.lock
@ -539,11 +539,11 @@
    },
    "nix-secrets": {
      "locked": {
-        "lastModified": 1737899664,
-        "narHash": "sha256-iZpzTSERNQ5UvFfEzrBLuEmcRUGjBSal7ShtXurYq8Q=",
+        "lastModified": 1738356588,
+        "narHash": "sha256-mb3P2bNaZuCz1is4NR05r2xm66n6ABQAkYLP5U5/eCY=",
        "ref": "refs/heads/master",
-        "rev": "a9844a78dcbdc8a84679835112970d80822b113c",
-        "revCount": 257,
+        "rev": "3ae59d3cfe419e10087da719129cca5c01b8cbcd",
+        "revCount": 267,
        "type": "git",
        "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
      },
--- a/hosts/common/optional/nixos-containers/metrics-server.nix
+++ b/hosts/common/optional/nixos-containers/metrics-server.nix
@ -2,6 +2,7 @@
  pkgs,
  lib,
  configVars,
+  inputs,
  ...
 }: let
  containerName = "metrics-server";
@ -15,6 +16,7 @@
  bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
  postres = configVars.networking.addresses.postgres.ip;
  backupServer = configVars.networking.addresses.backup-server.ip;
+  sops-nix = inputs.sops-nix;

  http_endpoints = configVars.metrics-server.blackbox.http_endpoints;

@ -52,6 +54,10 @@ in {
        hostPath = metricsServerContainerData;
        isReadOnly = false;
      };
+      "/etc/ssh/ssh_host_ed25519_key" = {
+        hostPath = "/etc/ssh/ssh_host_ed25519_key";
+        isReadOnly = true;
+      };
    };

    config = {
@ -59,7 +65,10 @@ in {
      lib,
      config,
      ...
-    }: {
+    }: let
+      secretsDirectory = builtins.toString inputs.nix-secrets;
+      secretsFile = "${secretsDirectory}/secrets.yaml";
+    in {
      networking = {
        defaultGateway = "${gatewayIp}";
        interfaces.eth0.ipv4.addresses = [
@ -79,9 +88,23 @@ in {
        useHostResolvConf = lib.mkForce false;
      };

+      sops = {
+        defaultSopsFile = "${secretsFile}";
+        validateSopsFiles = false;
+
+        age = {
+          sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+        };
+        secrets = {
+          "software/restic-passphrase" = {};
+          "software/restic-exporter-credentials" = {};
+        };
+      };
+
      services.resolved.enable = true;

      imports = [
+        sops-nix.nixosModules.sops
      ];

      environment.systemPackages = [
@ -110,6 +133,16 @@ in {
              }
            ];
          }
+          {
+            job_name = "restic-exporter";
+            static_configs = [
+              {
+                targets = [
+                  "0.0.0.0:8001"
+                ];
+              }
+            ];
+          }

          {
            job_name = "blackbox";
@ -175,6 +208,14 @@ in {
            enabledCollectors = ["systemd"];
            port = 9002;
          };
+          restic = {
+            enable = true;
+            repository = "";
+            environmentFile = config.sops.secrets."software/restic-exporter-credentials".path;
+            passwordFile = config.sops.secrets."software/restic-passphrase".path;
+            refreshInterval = 10800; # refresh every 3 hours
+            port = 8001;
+          };
        };
      };