From 6fbd86b3dc5ca9a73ad339701fd090a450d4549d Mon Sep 17 00:00:00 2001
From: Peter Lehmann <36541313+peterablehmann@users.noreply.github.com>
Date: Wed, 17 Apr 2024 19:16:49 +0200
Subject: [PATCH] Setup node-exporter for every node
---
 modules/common/default.nix | 2 ++
 modules/common/exporters.nix | 39 ++++---------------------
 nodes/monitoring/modules/prometheus.nix | 17 ++++-------
 3 files changed, 13 insertions(+), 45 deletions(-)
diff --git a/modules/common/default.nix b/modules/common/default.nix
index 9789089..8183798 100644
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@@ -23,5 +23,7 @@ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + networking.nftables.enable = true; + system.stateVersion = "23.11"; }
diff --git a/modules/common/exporters.nix b/modules/common/exporters.nix
index 6108581..23ec8e7 100644
--- a/modules/common/exporters.nix
+++ b/modules/common/exporters.nix
@@ -1,40 +1,11 @@ -{ config -, inputs -, ... -}: { - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - sops.secrets."monitoring/basicAuthFile" = { - sopsFile = "${inputs.self}/secrets/common.yaml"; - owner = "nginx"; - }; - - security.acme = { - defaults.email = "acme@xnee.net"; - acceptTerms = true; - certs."${config.networking.fqdn}" = { }; - }; - - services.nginx = { - enable = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - virtualHosts."${config.networking.hostName}.${config.networking.domain}" = { - enableACME = true; - forceSSL = true; - locations."/exporters/node-exporter/" = { - proxyPass = "http://${config.services.prometheus.exporters.node.listenAddress}:${builtins.toString config.services.prometheus.exporters.node.port}/"; - basicAuthFile = config.sops.secrets."monitoring/basicAuthFile".path; - }; - }; - }; - services.prometheus.exporters.node = { enable = true; - listenAddress = "127.0.0.1"; - extraFlags = [ "--web.telemetry-path=/exporters/node-exporter" ]; + openFirewall = true; + firewallRules = + "ip saddr 65.108.0.24 tcp dport 9100 accept + ip6 saddr 2a01:4f9:6a:4f6f::201 tcp dport 9100 accept + tcp dport 9100 drop"; enabledCollectors = [ "systemd" ];
diff --git a/nodes/monitoring/modules/prometheus.nix b/nodes/monitoring/modules/prometheus.nix
index e41b000..2ace947 100644
--- a/nodes/monitoring/modules/prometheus.nix
+++ b/nodes/monitoring/modules/prometheus.nix
@@ -1,5 +1,4 @@ -{ config -, inputs +{ inputs , ... }: {
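Review bot: In modules/common/exporters.nix the new exporter block leaves source-address filtering as the only control on port 9100: the nginx vhost with `forceSSL` and `basicAuthFile` is removed, and with `listenAddress = "127.0.0.1"` gone the exporter presumably binds all interfaces. Metrics, including the `systemd` collector's unit data, then cross the network unencrypted and unauthenticated, and the scraper cannot verify which host answered; the `scheme = "http"` / removed `basic_auth` hunk in nodes/monitoring/modules/prometheus.nix is the other half of the same change. Consider keeping transport protection on the exporter itself, e.g. `extraFlags = [ "--web.config.file=<path-to-web-config>" ];` with TLS and basic auth configured in that file, or scraping over a private/VPN interface instead of the public addresses. The closing lines of the attribute set are not visible in the hunk as shown.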
@@ -16,19 +15,15 @@ { job_name = "node-exporter"; scrape_interval = "5s"; - scheme = "https"; + scheme = "http"; static_configs = [{ targets = [ - "mns.xnee.net" - "monitoring.xnee.net" - "sync.xnee.de" + "cache.xnee.net:9100" + "mns.xnee.net:9100" + "monitoring.xnee.net:9100" + "sync.xnee.de:9100" ]; }]; - metrics_path = "/exporters/node-exporter/metrics"; - basic_auth = { - username = "prometheus"; - password_file = config.sops.secrets."basicAuth/password".path; - }; } { job_name = "prometheus";
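Review bot: The target list now depends on the source-address allow-list in modules/common/exporters.nix, but nothing in this job records that coupling. Because the exporter rule set ends in `tcp dport 9100 drop`, a changed scraper address, or a host added here that does not carry the common module, would presumably surface only as scrape timeouts. A comment above `targets` such as `# reachable only from the addresses allowed by firewallRules in modules/common/exporters.nix` would make the dependency visible to whoever edits either file next. The enclosing list of scrape jobs starts and ends outside the hunk.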