movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

prometheus-node-cert-exporter: init at 1.1.7 (#368325)

Browse source
This commit is contained in:
Tristan Ross 2025-02-12 12:34:24 -08:00 committed by GitHub
commit 8005d0910b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 182 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
nixos/doc/manual/release-notes/rl-2505.section.md
View file

@ -119,6 +119,8 @@
- [nostr-rs-relay](https://git.sr.ht/~gheartsfield/nostr-rs-relay/), This is a nostr relay, written in Rust. Available as [services.nostr-rs-relay](options.html#opt-services.nostr-rs-relay.enable).
- [Prometheus Node Cert Exporter](https://github.com/amimof/node-cert-exporter), a prometheus exporter to check for SSL cert expiry. Available under [services.prometheus.exporters.node-cert](#opt-services.prometheus.exporters.node-cert.enable).
- [Actual Budget](https://actualbudget.org/), a local-first personal finance app. Available as [services.actual](#opt-services.actual.enable).
- [immich-public-proxy](https://github.com/alangrainger/immich-public-proxy), a proxy for sharing Immich albums without exposing the Immich API. Available as [services.immich-public-proxy](#opt-services.immich-public-proxy.enable).

1
nixos/modules/services/monitoring/prometheus/exporters.nix
View file

@ -66,6 +66,7 @@ let
"nginx"
"nginxlog"
"node"
"node-cert"
"nut"
"nvidia-gpu"
"pgbouncer"

70
nixos/modules/services/monitoring/prometheus/exporters/node-cert.nix Normal file
View file

@ -0,0 +1,70 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.prometheus.exporters.node-cert;
inherit (lib) mkOption types concatStringsSep;
in
{
port = 9141;
extraOpts = {
paths = mkOption {
type = types.listOf types.str;
description = ''
List of paths to search for SSL certificates.
'';
};
excludePaths = mkOption {
type = types.listOf types.str;
description = ''
List of paths to exclute from searching for SSL certificates.
'';
default = [ ];
};
includeGlobs = mkOption {
type = types.listOf types.str;
description = ''
List files matching a pattern to include. Uses Go blob pattern.
'';
default = [ ];
};
excludeGlobs = mkOption {
type = types.listOf types.str;
description = ''
List files matching a pattern to include. Uses Go blob pattern.
'';
default = [ ];
};
user = mkOption {
type = types.str;
description = ''
User owning the certs.
'';
default = "acme";
};
};
serviceOpts = {
serviceConfig = {
User = cfg.user;
ExecStart = ''
${lib.getExe pkgs.prometheus-node-cert-exporter} \
--listen ${toString cfg.listenAddress}:${toString cfg.port} \
--path ${concatStringsSep "," cfg.paths} \
--exclude-path "${concatStringsSep "," cfg.excludePaths}" \
--include-glob "${concatStringsSep "," cfg.includeGlobs}" \
--exclude-glob "${concatStringsSep "," cfg.excludeGlobs}" \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
};
};
}

43
nixos/tests/prometheus-exporters.nix
View file

@ -1002,6 +1002,49 @@ let
'';
};
node-cert = {
nodeName = "node_cert";
exporterConfig = {
enable = true;
paths = ["/run/certs"];
};
exporterTest = ''
wait_for_unit("prometheus-node-cert-exporter.service")
wait_for_open_port(9141)
wait_until_succeeds(
"curl -sSf http://localhost:9141/metrics | grep 'ssl_certificate_expiry_seconds{.\\+path=\"/run/certs/node-cert\\.cert\".\\+}'"
)
'';
metricProvider = {
system.activationScripts.cert.text = ''
mkdir -p /run/certs
cd /run/certs
cat >ca.template <<EOF
organization = "prometheus-node-cert-exporter"
cn = "prometheus-node-cert-exporter"
expiration_days = 365
ca
cert_signing_key
crl_signing_key
EOF
${pkgs.gnutls}/bin/certtool \
--generate-privkey \
--key-type rsa \
--sec-param High \
--outfile node-cert.key
${pkgs.gnutls}/bin/certtool \
--generate-self-signed \
--load-privkey node-cert.key \
--template ca.template \
--outfile node-cert.cert
'';
};
};
pgbouncer = {
exporterConfig = {
enable = true;