prometheus-chrony-exporter: init chrony nixos module (#394575)

2025-06-12 04:35:41 +03:00 · 2025-03-30 22:30:21 +02:00 · 2025-03-30 22:30:21 +02:00 · 35bb79372d
commit 35bb79372d
parent 025a50c2d1 cdb80c1f44
2 changed files with 98 additions and 0 deletions
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@ -29,6 +29,7 @@ let
    "blackbox"
    "borgmatic"
    "buildkite-agent"
+    "chrony"
    "collectd"
    "deluge"
    "dmarc"
--- a/nixos/modules/services/monitoring/prometheus/exporters/chrony.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/chrony.nix
@ -0,0 +1,97 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.prometheus.exporters.chrony;
+  inherit (lib)
+    mkOption
+    types
+    concatStringsSep
+    concatMapStringsSep
+    ;
+in
+{
+  port = 9123;
+  extraOpts = {
+    chronyServerAddress = mkOption {
+      type = types.str;
+      default = "unix:///run/chrony/chronyd.sock";
+      example = [ "192.82.0.1:323" ];
+      description = ''
+        ChronyServerAddress of the chrony server side command port. (Not enabled by default.)
+        Defaults to the local unix socket.
+      '';
+    };
+    user = mkOption {
+      type = types.str;
+      default = "chrony";
+      description = ''
+        User name under which the chrony exporter shall be run.
+        This allows the exporter to talk to chrony using a unix socket, which is owned by chrony.
+        The exporter startup with the default user chrony will fail without local chrony instance.
+      '';
+    };
+    group = mkOption {
+      type = types.str;
+      default = "chrony";
+      description = ''
+        Group under which the chrony exporter shall be run.
+        This allows the exporter to talk to chrony using a unix socket, which is owned by chrony group.
+        The service startup with the default group chrony will fail without local chrony instance.
+      '';
+    };
+    enabledCollectors = mkOption {
+      type = types.listOf types.str;
+      default = [
+        "tracking"
+        "sources"
+        "sources.with-ntpdata"
+        "serverstats"
+        "dns-lookups"
+      ];
+      example = [ "dns-lookups" ];
+      description = ''
+        Collectors to enable.
+        Currently all collectors are enabled by default.
+      '';
+    };
+    disabledCollectors = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      example = [ "sources.with-ntpdata" ];
+      description = ''
+        Collectors to disable which are enabled by default.
+        Disable sources.with-ntpdata for network scraper. Option requires unix socket.
+      '';
+    };
+  };
+  serviceOpts = {
+    serviceConfig = {
+      AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      ProtectClock = true;
+      ProtectSystem = "strict";
+      Restart = "on-failure";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      ExecStart = ''
+        ${lib.getExe pkgs.prometheus-chrony-exporter} \
+          ${concatMapStringsSep " " (x: "--collector." + x) cfg.enabledCollectors} \
+          ${concatMapStringsSep " " (x: "--no-collector." + x) cfg.disabledCollectors} \
+          --chrony.address ${cfg.chronyServerAddress} \
+          --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
+          ${concatStringsSep " " cfg.extraFlags}
+      '';
+    };
+  };
+}