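# Exporter definition for prometheus-wireguard-exporter, configured through
# config.services.prometheus.exporters.wireguard.
#
# The attrset returned here (port, imports, extraOpts, serviceOpts) is consumed
# by code that is not part of this file; cfg.port and cfg.listenAddress are
# declared there as well.
#
# Security-relevant points for anyone enabling this exporter:
#   * the service is granted CAP_NET_ADMIN (and, below, bounded to it);
#   * ExecStart passes no TLS or authentication flag, so who can read the
#     metrics depends on what listenAddress binds to and on network filtering;
#   * withRemoteIp and wireguardConfig add peer endpoint addresses and peer
#     names to those metrics.
{ config, lib, pkgs, options }:

with lib;

let
  cfg = config.services.prometheus.exporters.wireguard;
in {
  # NOTE(review): presumably the default value of cfg.port - confirm against the consumer.
  port = 9586;
  imports = [
    # Keeps the old `addr` option name working by mapping it to `listenAddress`.
    (mkRenamedOptionModule [ "addr" ] [ "listenAddress" ])
    # Re-exports the warnings/assertions option declarations.
    # NOTE(review): presumably needed so the rename above can emit its warning
    # inside the exporter submodule - confirm.
    ({ options.warnings = options.warnings; options.assertions = options.assertions; })
  ];
  extraOpts = {
    verbose = mkEnableOption "Verbose logging mode for prometheus-wireguard-exporter";

    # Accepts either a Nix path or a plain string; null (the default) omits `-n`.
    # NOTE(review): a wg-quick style configuration can contain the interface's
    # PrivateKey. If the referenced file does, keep it out of the world-readable
    # Nix store and readable only by the account the exporter runs as (the
    # unit's User is not set in this file - confirm where it comes from).
    wireguardConfig = mkOption {
      type = with types; nullOr (either path str);
      default = null;

      description = ''
        Path to the Wireguard Config to
        <link xlink:href="https://github.com/MindFlavor/prometheus_wireguard_exporter/tree/2.0.0#usage">add the peer's name to the stats of a peer</link>.

        Please note that <literal>networking.wg-quick</literal> is required for this feature
        as <literal>networking.wireguard</literal> uses
        <citerefentry><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        to set the peers up.
      '';
    };

    singleSubnetPerField = mkOption {
      type = types.bool;
      default = false;
      description = ''
        By default, all allowed IPs and subnets are comma-separated in the
        <literal>allowed_ips</literal> field. With this option enabled,
        a single IP and subnet will be listed in fields like <literal>allowed_ip_0</literal>,
        <literal>allowed_ip_1</literal> and so on.
      '';
    };

    # Off by default. When enabled, peer remote addresses become visible to
    # anything that can scrape the exporter.
    withRemoteIp = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether or not the remote IP of a WireGuard peer should be exposed via prometheus.
      '';
    };
  };
  serviceOpts = {
    # Puts the WireGuard userspace tools on the unit's PATH.
    # NOTE(review): presumably the exporter invokes `wg` itself - confirm.
    path = [ pkgs.wireguard-tools ];

    serviceConfig = {
      # CAP_NET_ADMIN is the only capability this unit asks for.
      AmbientCapabilities = [ "CAP_NET_ADMIN" ];
      # Least privilege: bound the unit to that same single capability so that
      # nothing it executes can acquire any other one. If the unit is ever given
      # a further ambient capability, it has to be added here as well.
      CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
      # Flags: -p port, -l listen address, -v verbose, -s one field per allowed
      # IP, -r expose remote IPs, -n WireGuard config used for peer names.
      # Only the config path is quoted; the port is an integer and
      # listenAddress is interpolated verbatim.
      ExecStart = ''
        ${pkgs.prometheus-wireguard-exporter}/bin/prometheus_wireguard_exporter \
          -p ${toString cfg.port} \
          -l ${cfg.listenAddress} \
          ${optionalString cfg.verbose "-v"} \
          ${optionalString cfg.singleSubnetPerField "-s"} \
          ${optionalString cfg.withRemoteIp "-r"} \
          ${optionalString (cfg.wireguardConfig != null) "-n ${escapeShellArg cfg.wireguardConfig}"}
      '';
    };
  };
}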