From c52b0593cf6c350d52b3b0f49d7879636fd450dd Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Mon, 28 Aug 2023 21:52:26 +0200 Subject: [PATCH 1/2] prometheus-unbound-exporter: replace at 0.4.4 The previous exporter was archived in 2022, the one from Let's encrypt is now recommended. --- .../prometheus/unbound-exporter.nix | 42 +++++++++---------- 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/pkgs/servers/monitoring/prometheus/unbound-exporter.nix b/pkgs/servers/monitoring/prometheus/unbound-exporter.nix index 3f8206b14edf..a7575e809b3a 100644 --- a/pkgs/servers/monitoring/prometheus/unbound-exporter.nix +++ b/pkgs/servers/monitoring/prometheus/unbound-exporter.nix 
@@ -1,36 +1,34 @@ -{ lib, stdenv, rustPlatform, fetchFromGitHub, openssl, pkg-config, nixosTests, Security }: +{ lib +, buildGoModule +, fetchFromGitHub +, nixosTests +}: -rustPlatform.buildRustPackage rec { - pname = "unbound-telemetry"; - version = "unstable-2021-09-18"; +let + version = "0.4.4"; +in +buildGoModule { + pname = "unbound_exporter"; + inherit version; src = fetchFromGitHub { - owner = "svartalf"; - repo = pname; - rev = "19e53b05828a43b7062b67a9cc6c84836ca26439"; - sha256 = "sha256-wkr9T6GlJP/PSv17z3MC7vC0cXg/Z6rGlhlCUHH3Ua4="; + owner = "letsencrypt"; + repo = "unbound_exporter"; + rev = "refs/tags/v${version}"; + hash = "sha256-0eo56z5b+hzKCY5OKg/9F7rjLyoSKPJoHLoXeMjCuFU="; }; - cargoLock = { - lockFile = ./Cargo.lock; - outputHashes = { - "native-tls-0.2.3" = "sha256-I1+ZNLDVGS1x9Iu81RD2//xnqhKhNGBmlrT0ryNFSlE="; - }; - }; - - nativeBuildInputs = [ pkg-config ]; - - buildInputs = [ openssl ] - ++ lib.optional stdenv.isDarwin Security; + vendorHash = "sha256-4aWuf9UTPQseEwDJfWIcQW4uGMffRnWlHhiu0yMz4vk="; passthru.tests = { inherit (nixosTests.prometheus-exporters) unbound; }; meta = with lib; { + changelog = "https://github.com/letsencrypt/unbound_exporter/releases/tag/v${version}"; description = "Prometheus exporter for Unbound DNS resolver"; - homepage = "https://github.com/svartalf/unbound-telemetry"; - license = licenses.mit; - maintainers = with maintainers; [ ]; + homepage = "https://github.com/letsencrypt/unbound_exporter/tree/main"; + license = licenses.asl20; + maintainers = with maintainers; [ hexa ]; }; } From 73c5a5a778cebc386fbbc0e6423cc03550c32390 Mon Sep 17 00:00:00 2001 
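Review bot: `meta.homepage` in the new derivation points at the branch view `https://github.com/letsencrypt/unbound_exporter/tree/main` rather than at the repository itself. `homepage = "https://github.com/letsencrypt/unbound_exporter";` is the stable form and matches the `changelog` URL next to it. The tag-based `rev` is fine as written: `hash` and `vendorHash` fix the fetched source and the vendored Go modules, so a re-pointed upstream tag would fail the build rather than change its inputs silently.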
From: Martin Weinelt Date: Mon, 28 Aug 2023 23:21:52 +0200 Subject: [PATCH 2/2] nixos/prometheus/unbound-exporter: update for new package The command line interface changed slightly, but still supports the TCP as well as the UDS control interface. --- .../manual/release-notes/rl-2311.section.md | 3 + .../prometheus/exporters/unbound.nix | 84 +++++++++++++------ nixos/tests/prometheus-exporters.nix | 5 +- pkgs/top-level/all-packages.nix | 4 +- 4 files changed, 64 insertions(+), 32 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index e6c23f69e471..4c656e8037b7 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -116,6 +116,9 @@ - The ISC DHCP package and corresponding module have been removed, because they are end of life upstream. See https://www.isc.org/blogs/isc-dhcp-eol/ for details and switch to a different DHCP implementation like kea or dnsmasq. +- `prometheus-unbound-exporter` has been replaced by the Let's Encrypt maintained version, since the previous version was archived. This requires some changes to the module configuration, most notable `controlInterface` needs migration + towards `unbound.host` and requires either the `tcp://` or `unix://` URI scheme. + - `odoo` now defaults to 16, updated from 15. - `util-linux` is now supported on Darwin and is no longer an alias to `unixtools`. Use the `unixtools.util-linux` package for access to the Apple variants of the utilities. diff --git a/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix b/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix index f52d92a73d5d..f2336429d42f 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/unbound.nix @@ -1,4 +1,8 @@ -{ config, lib, pkgs, options }: +{ config +, lib +, pkgs +, options +}: with lib; 
@@ -6,17 +10,14 @@ let cfg = config.services.prometheus.exporters.unbound; in { + imports = [ + (mkRemovedOptionModule [ "controlInterface" ] "This option was removed, use the `unbound.host` option instead.") + (mkRemovedOptionModule [ "fetchType" ] "This option was removed, use the `unbound.host` option instead.") + ({ options.warnings = options.warnings; options.assertions = options.assertions; }) + ]; + port = 9167; extraOpts = { - fetchType = mkOption { - # TODO: add shm when upstream implemented it - type = types.enum [ "tcp" "uds" ]; - default = "uds"; - description = lib.mdDoc '' - Which methods the exporter uses to get the information from unbound. - ''; - }; - telemetryPath = mkOption { type = types.str; default = "/metrics"; 
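Review bot: The third entry in `imports`, `({ options.warnings = options.warnings; options.assertions = options.assertions; })`, has no comment and its purpose is not obvious. It appears to re-declare `warnings` and `assertions` in the exporter's option scope so that the two `mkRemovedOptionModule` entries have somewhere to report to; a one-line comment such as `# mkRemovedOptionModule needs warnings/assertions declared in this scope` would record that. The `controlInterface` removal message could also say that the new `unbound.host` value needs a `tcp://` or `unix://` scheme, as the release note does. The `extraOpts` set continues past the end of this hunk.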
@@ -25,34 +26,65 @@ in ''; }; - controlInterface = mkOption { - type = types.nullOr types.str; - default = null; - example = "/run/unbound/unbound.socket"; - description = lib.mdDoc '' - Path to the unbound socket for uds mode or the control interface port for tcp mode. + unbound = { + ca = mkOption { + type = types.nullOr types.path; + default = "/var/lib/unbound/unbound_server.pem"; + example = null; + description = '' + Path to the Unbound server certificate authority + ''; + }; - Example: - uds-mode: /run/unbound/unbound.socket - tcp-mode: 127.0.0.1:8953 - ''; + certificate = mkOption { + type = types.nullOr types.path; + default = "/var/lib/unbound/unbound_control.pem"; + example = null; + description = '' + Path to the Unbound control socket certificate + ''; + }; + + key = mkOption { + type = types.nullOr types.path; + default = "/var/lib/unbound/unbound_control.key"; + example = null; + description = '' + Path to the Unbound control socket key. + ''; + }; + + host = mkOption { + type = types.str; + default = "tcp://127.0.0.1:8953"; + example = "unix:///run/unbound/unbound.socket"; + description = lib.mdDoc '' + Path to the unbound control socket. Supports unix domain sockets, as well as the TCP interface. 
+ ''; + }; }; }; serviceOpts = mkMerge ([{ serviceConfig = { + User = "unbound"; # to access the unbound_control.key ExecStart = '' - ${pkgs.prometheus-unbound-exporter}/bin/unbound-telemetry \ - ${cfg.fetchType} \ - --bind ${cfg.listenAddress}:${toString cfg.port} \ - --path ${cfg.telemetryPath} \ - ${optionalString (cfg.controlInterface != null) "--control-interface ${cfg.controlInterface}"} \ + ${pkgs.prometheus-unbound-exporter}/bin/unbound_exporter \ + --unbound.host "${cfg.unbound.host}" \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --web.telemetry-path ${cfg.telemetryPath} \ + ${optionalString (cfg.unbound.ca != null) "--unbound.ca ${cfg.unbound.ca}"} \ + ${optionalString (cfg.unbound.certificate != null) "--unbound.cert ${cfg.unbound.certificate}"} \ + ${optionalString (cfg.unbound.key != null) "--unbound.key ${cfg.unbound.key}"} \ ${toString cfg.extraFlags} ''; RestrictAddressFamilies = [ - # Need AF_UNIX to collect data "AF_UNIX" + "AF_INET" + "AF_INET6" ]; + } // optionalAttrs (!config.services.unbound.enable) { + DynamicUser = true; }; }] ++ [ (mkIf config.services.unbound.enable { diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index 5734e54de023..306c5e071e75 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -1422,8 +1422,7 @@ let unbound = { exporterConfig = { enable = true; - fetchType = "uds"; - controlInterface = "/run/unbound/unbound.ctl"; + unbound.host = "unix:///run/unbound/unbound.ctl"; }; metricProvider = { services.unbound = { @@ -1438,7 +1437,7 @@ let wait_for_unit("unbound.service") wait_for_unit("prometheus-unbound-exporter.service") wait_for_open_port(9167) - succeed("curl -sSf localhost:9167/metrics | grep 'unbound_up 1'") + wait_until_succeeds("curl -sSf localhost:9167/metrics | grep 'unbound_up 1'") ''; }; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 5674a6f48f67..9d1c50d5c677 100644 
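Review bot: `unbound.key` is declared as `types.nullOr types.path` and interpolated straight into `ExecStart`, so a configuration that assigns a Nix path literal (for example `key = ./unbound_control.key;`) would have the control private key copied into the world-readable Nix store. Declaring it as `type = types.nullOr types.str;` and stating in the description that the value must be a runtime path outside the store avoids that; the same applies, less critically, to `ca` and `certificate`. The three new descriptions also lack the `lib.mdDoc` wrapper that `host` uses. `User = "unbound"` is set unconditionally while `DynamicUser = true` is merged in when `services.unbound.enable` is false, so the default key paths are presumably unreadable in that configuration and this is worth confirming; the `serviceOpts` list continues past the end of this hunk.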
--- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -27299,9 +27299,7 @@ with pkgs; prometheus-sql-exporter = callPackage ../servers/monitoring/prometheus/sql-exporter.nix { }; prometheus-systemd-exporter = callPackage ../servers/monitoring/prometheus/systemd-exporter.nix { }; prometheus-tor-exporter = callPackage ../servers/monitoring/prometheus/tor-exporter.nix { }; - prometheus-unbound-exporter = callPackage ../servers/monitoring/prometheus/unbound-exporter.nix { - inherit (darwin.apple_sdk.frameworks) Security; - }; + prometheus-unbound-exporter = callPackage ../servers/monitoring/prometheus/unbound-exporter.nix { }; prometheus-v2ray-exporter = callPackage ../servers/monitoring/prometheus/v2ray-exporter.nix { }; prometheus-varnish-exporter = callPackage ../servers/monitoring/prometheus/varnish-exporter.nix { }; prometheus-wireguard-exporter = callPackage ../servers/monitoring/prometheus/wireguard-exporter.nix {