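{ config, lib, pkgs, options }:

with lib;

let
  # Short-hand for this exporter's evaluated options (the shared
  # listenAddress/port plus the extraOpts declared below).
  cfg = config.services.prometheus.exporters.wireguard;
in {
  # Default port for the exporter's metrics listener.
  port = 9586;

  imports = [
    # Older configurations used `addr`; keep them working under the shared
    # `listenAddress` option name.
    (mkRenamedOptionModule [ "addr" ] [ "listenAddress" ])
    # Forward `warnings`/`assertions` so the rename module above can emit its
    # deprecation warning from inside this submodule.
    ({ options.warnings = options.warnings; options.assertions = options.assertions; })
  ];

  extraOpts = {
    verbose = mkEnableOption (lib.mdDoc "verbose logging mode for prometheus-wireguard-exporter");

    wireguardConfig = mkOption {
      type = with types; nullOr (either path str);
      default = null;
      example = "/etc/wireguard/wg0.conf";
      description = lib.mdDoc ''
        Path to the Wireguard Config to
        [add the peer's name to the stats of a peer](https://github.com/MindFlavor/prometheus_wireguard_exporter/tree/2.0.0#usage).

        Please note that `networking.wg-quick` is required for this feature
        as `networking.wireguard` uses
        {manpage}`wg(8)`
        to set the peers up.

        A wg-quick config contains the interface's private key. Pass its
        location as a string (`"/etc/wireguard/wg0.conf"`), not as a Nix path
        literal (`./wg0.conf`): a path literal is copied into the world-readable
        Nix store when it is interpolated into the service's command line.
        The file must be readable by the user the exporter service runs as;
        grant that with ownership or an ACL rather than by loosening its mode.
      '';
    };

    singleSubnetPerField = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        By default, all allowed IPs and subnets are comma-separated in the
        `allowed_ips` field. With this option enabled,
        a single IP and subnet will be listed in fields like `allowed_ip_0`,
        `allowed_ip_1` and so on.
      '';
    };

    withRemoteIp = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Whether or not the remote IP of a WireGuard peer should be exposed via prometheus.

        Enabling this publishes each peer's endpoint address to anything that
        can scrape the metrics port. This module configures no authentication
        in front of the exporter, so restrict who can reach `listenAddress`
        and `port` (for example via the firewall) before turning this on.
      '';
    };
  };

  serviceOpts = {
    # Puts wg(8) on the service's PATH; presumably the exporter invokes it to
    # read interface and peer state -- confirm against the exporter's source.
    path = [ pkgs.wireguard-tools ];

    serviceConfig = {
      # Reading WireGuard state needs CAP_NET_ADMIN. Grant only that, and pin
      # the bounding set to it so the process cannot acquire anything more.
      AmbientCapabilities = [ "CAP_NET_ADMIN" ];
      CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
      # Every option-derived string is shell-escaped so an unusual listen
      # address or config path cannot split or extend the command line
      # (port is an integer rendered with toString and needs no escaping).
      ExecStart = ''
        ${pkgs.prometheus-wireguard-exporter}/bin/prometheus_wireguard_exporter \
          -p ${toString cfg.port} \
          -l ${escapeShellArg cfg.listenAddress} \
          ${optionalString cfg.verbose "-v true"} \
          ${optionalString cfg.singleSubnetPerField "-s true"} \
          ${optionalString cfg.withRemoteIp "-r true"} \
          ${optionalString (cfg.wireguardConfig != null) "-n ${escapeShellArg cfg.wireguardConfig}"}
      '';
      # WireGuard state is collected over netlink. This list is merged with
      # whatever the shared exporter module allows; AF_INET/AF_INET6 for the
      # HTTP listener are expected to come from there, not from this file --
      # verify if the listener fails to bind.
      RestrictAddressFamilies = [
        "AF_NETLINK"
      ];
    };
  };
}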