From 37c50ce7b5f7517d56cb952ff6a751942eae1d91 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 31 Jan 2025 21:17:49 +0000
Subject: [PATCH] add restic-exporter to prometheus metrics
---
 flake.lock | 8 ++--
 .../nixos-containers/metrics-server.nix | 43 ++++++++++++++++++-
 2 files changed, 46 insertions(+), 5 deletions(-)
diff --git a/flake.lock b/flake.lock
index 550380e..0b5877e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -539,11 +539,11 @@
 },
 "nix-secrets": {
 "locked": {
- "lastModified": 1737899664,
- "narHash": "sha256-iZpzTSERNQ5UvFfEzrBLuEmcRUGjBSal7ShtXurYq8Q=",
+ "lastModified": 1738356588,
+ "narHash": "sha256-mb3P2bNaZuCz1is4NR05r2xm66n6ABQAkYLP5U5/eCY=",
 "ref": "refs/heads/master",
- "rev": "a9844a78dcbdc8a84679835112970d80822b113c",
- "revCount": 257,
+ "rev": "3ae59d3cfe419e10087da719129cca5c01b8cbcd",
+ "revCount": 267,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
diff --git a/hosts/common/optional/nixos-containers/metrics-server.nix b/hosts/common/optional/nixos-containers/metrics-server.nix
index 50417f4..148fbac 100644
--- a/hosts/common/optional/nixos-containers/metrics-server.nix
+++ b/hosts/common/optional/nixos-containers/metrics-server.nix
@@ -2,6 +2,7 @@
 pkgs,
 lib,
 configVars,
+ inputs,
 ...
 }: let
 containerName = "metrics-server";
@@ -15,6 +16,7 @@
 bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
 postres = configVars.networking.addresses.postgres.ip;
 backupServer = configVars.networking.addresses.backup-server.ip;
+ sops-nix = inputs.sops-nix;
 http_endpoints = configVars.metrics-server.blackbox.http_endpoints;
@@ -52,6 +54,10 @@ in {
 hostPath = metricsServerContainerData;
 isReadOnly = false;
 };
+ "/etc/ssh/ssh_host_ed25519_key" = {
+ hostPath = "/etc/ssh/ssh_host_ed25519_key";
+ isReadOnly = true;
+ };
 };
 config = {
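Review bot: The bind mount added in the `@@ -52,6 +54,10 @@` hunk exposes the host's private `/etc/ssh/ssh_host_ed25519_key` inside the metrics-server container, so anything that gains root in that container can read the host's SSH identity. Because sops-nix derives its age key from that file (see `age.sshKeyPaths` in the later `sops` hunk), the same reader could presumably decrypt any secret in the nix-secrets repository that lists this host key as a recipient, not only the two restic entries. `isReadOnly = true;` prevents modification but not reading. Consider giving the container its own age key that is a recipient only for `software/restic-passphrase` and `software/restic-exporter-credentials`, or decrypting on the host and bind-mounting just those two secret files. The enclosing attribute set of mounts starts outside the hunk.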
@@ -59,7 +65,10 @@ in {
 lib,
 config,
 ...
- }: {
+ }: let
+ secretsDirectory = builtins.toString inputs.nix-secrets;
+ secretsFile = "${secretsDirectory}/secrets.yaml";
+ in {
 networking = {
 defaultGateway = "${gatewayIp}";
 interfaces.eth0.ipv4.addresses = [
@@ -79,9 +88,23 @@ in {
 useHostResolvConf = lib.mkForce false;
 };
+ sops = {
+ defaultSopsFile = "${secretsFile}";
+ validateSopsFiles = false;
+
+ age = {
+ sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ };
+ secrets = {
+ "software/restic-passphrase" = {};
+ "software/restic-exporter-credentials" = {};
+ };
+ };
+
 services.resolved.enable = true;
 imports = [
+ sops-nix.nixosModules.sops
 ];
 environment.systemPackages = [
@@ -110,6 +133,16 @@ in {
 }
 ];
 }
+ {
+ job_name = "restic-exporter";
+ static_configs = [
+ {
+ targets = [
+ "0.0.0.0:8001"
+ ];
+ }
+ ];
+ }
 {
 job_name = "blackbox";
@@ -175,6 +208,14 @@ in {
 enabledCollectors = ["systemd"];
 port = 9002;
 };
+ restic = {
+ enable = true;
+ repository = "";
+ environmentFile = config.sops.secrets."software/restic-exporter-credentials".path;
+ passwordFile = config.sops.secrets."software/restic-passphrase".path;
+ refreshInterval = 10800; # refresh every 3 hours
+ port = 8001;
+ };
 };
 };
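Review bot: `validateSopsFiles = false;` in the new `sops` block (hunk `@@ -79,9 +88,23 @@`) has no explanation, and it turns off sops-nix's build-time check of the secrets file. A missing or renamed key such as `software/restic-exporter-credentials` would then only surface when the container activates. If the setting is needed because `secretsFile` is built with `builtins.toString` and is a string rather than a path, say so in a comment, e.g. `# secretsFile is a string path into the nix-secrets input, so build-time validation is skipped`. `defaultSopsFile = "${secretsFile}";` can also be written as `defaultSopsFile = secretsFile;`.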
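Review bot: The `restic-exporter` job added in hunk `@@ -110,6 +133,16 @@` scrapes `"0.0.0.0:8001"`, which is the wildcard bind address rather than a destination. It happens to reach the local machine on Linux, but it is not a well-defined target and gives the series a misleading `instance` label. The exporter is enabled on port 8001 in this same container configuration, so `"127.0.0.1:8001"` states the intent. The enclosing list of scrape jobs starts and ends outside the hunk.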
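Review bot: The `restic` exporter block added in hunk `@@ -175,6 +208,14 @@` sets no listen address, and nixpkgs exporters, as far as I know, listen on all interfaces by default. The backup-repository metrics on port 8001 would then be reachable from anything that can route to the container unless a firewall blocks it. Prometheus appears to scrape it from inside the same container, so adding `listenAddress = "127.0.0.1";` would keep it local. `repository = "";` also needs a comment: presumably the real repository comes from the sops-managed environment file, e.g. `repository = ""; # set via RESTIC_REPOSITORY in environmentFile`, but that is not visible in this patch.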