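# Exporter definition for `services.prometheus.exporters.unbound`: declares the
# exporter-specific options and the systemd service settings used to run
# `unbound_exporter` against the Unbound control interface.
{ config
, lib
, pkgs
, options
}:

with lib;

let
  cfg = config.services.prometheus.exporters.unbound;
in
{
  imports = [
    (mkRemovedOptionModule [ "controlInterface" ] "This option was removed, use the `unbound.host` option instead.")
    (mkRemovedOptionModule [ "fetchType" ] "This option was removed, use the `unbound.host` option instead.")
    # Declares `warnings` and `assertions` here by reusing the declarations from
    # the `options` argument; presumably so the removed-option modules above
    # have somewhere to report -- confirm against the exporters framework.
    ({ options.warnings = options.warnings; options.assertions = options.assertions; })
  ];

  port = 9167;
  extraOpts = {
    telemetryPath = mkOption {
      type = types.str;
      default = "/metrics";
      description = lib.mdDoc ''
        Path under which to expose metrics.
      '';
    };

    # TLS material and address used to reach the Unbound control interface.
    # Each of `ca`, `certificate` and `key` may be `null`, in which case the
    # matching command-line flag is left out of ExecStart below.
    unbound = {
      ca = mkOption {
        type = types.nullOr types.path;
        default = "/var/lib/unbound/unbound_server.pem";
        example = null;
        description = lib.mdDoc ''
          Path to the Unbound server certificate authority.
          Set to `null` to omit `--unbound.ca` from the exporter command line.
        '';
      };

      certificate = mkOption {
        type = types.nullOr types.path;
        default = "/var/lib/unbound/unbound_control.pem";
        example = null;
        description = lib.mdDoc ''
          Path to the Unbound control socket certificate.
          Set to `null` to omit `--unbound.cert` from the exporter command line.
        '';
      };

      key = mkOption {
        type = types.nullOr types.path;
        default = "/var/lib/unbound/unbound_control.key";
        example = null;
        description = lib.mdDoc ''
          Path to the Unbound control socket key.
          Set to `null` to omit `--unbound.key` from the exporter command line.

          Give this as a string naming a file outside the Nix store. A Nix
          path literal would be copied into the world-readable store when
          the service definition is built, exposing the private key.
        '';
      };

      host = mkOption {
        type = types.str;
        default = "tcp://127.0.0.1:8953";
        example = "unix:///run/unbound/unbound.socket";
        description = lib.mdDoc ''
          Path to the unbound control socket. Supports unix domain sockets, as well as the TCP interface.
        '';
      };
    };
  };

  serviceOpts = mkMerge [
    {
      serviceConfig = {
        # Runs under the `unbound` account so the exporter can read
        # unbound_control.key.
        # NOTE(review): this gives the exporter the same file access as that
        # account; a dedicated group with read access to the control
        # certificate and key would be narrower -- confirm against the
        # unbound module before changing.
        User = "unbound";
        # Only `--unbound.host` is quoted. The remaining values are inserted
        # as-is and split on whitespace by systemd, so option values containing
        # spaces would be passed as several arguments.
        ExecStart = ''
          ${pkgs.prometheus-unbound-exporter}/bin/unbound_exporter \
            --unbound.host "${cfg.unbound.host}" \
            --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
            --web.telemetry-path ${cfg.telemetryPath} \
            ${optionalString (cfg.unbound.ca != null) "--unbound.ca ${cfg.unbound.ca}"} \
            ${optionalString (cfg.unbound.certificate != null) "--unbound.cert ${cfg.unbound.certificate}"} \
            ${optionalString (cfg.unbound.key != null) "--unbound.key ${cfg.unbound.key}"} \
            ${toString cfg.extraFlags}
        '';
        # AF_UNIX covers a unix-domain control socket; AF_INET/AF_INET6 cover
        # the TCP control interface and the metrics listener.
        RestrictAddressFamilies = [
          "AF_UNIX"
          "AF_INET"
          "AF_INET6"
        ];
      } // optionalAttrs (!config.services.unbound.enable) {
        # No local Unbound service on this host: let systemd allocate the user.
        # Presumably the static `unbound` account only exists when
        # services.unbound is enabled -- confirm.
        DynamicUser = true;
      };
    }
    # With a local Unbound service, start after it and stop when it stops.
    (mkIf config.services.unbound.enable {
      after = [ "unbound.service" ];
      requires = [ "unbound.service" ];
    })
  ];
}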