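{ config, pkgs, hostname, ... }: {
  # Telegraf monitoring: ships host metrics (CPU, disk, sensors, SMART,
  # fail2ban, NVIDIA, ...) to an InfluxDB v2 endpoint.

  # Secret holding the InfluxDB token. sops-nix decrypts it at activation
  # time, makes it readable by the telegraf user, and restarts telegraf
  # whenever the secret changes.
  sops.secrets.telegraf-token = {
    owner = "telegraf";
    sopsFile = ../secrets/secrets.yaml;
    restartUnits = [ "telegraf.service" ];
  };

  # Add telegraf to "wheel" to allow the use of sudo.
  # NOTE(review): the sudoers rule below names the `telegraf` user directly,
  # so "wheel" is only needed if sudo execution is restricted to that group
  # elsewhere in the configuration (e.g. security.sudo.execWheelOnly).
  # Membership also makes this service account match the %wheel sudo rule;
  # if security.sudo.wheelNeedsPassword is ever set to false, telegraf would
  # gain unrestricted passwordless root. Drop the group if it is not required.
  users.users.telegraf = {
    extraGroups = [ "wheel" ];
    isSystemUser = true;
  };

  # Allow the telegraf account to run exactly the fail2ban status commands as
  # root without a password. NOEXEC stops the permitted command from spawning
  # further programs.
  # Review notes:
  #  - In sudoers, `*` in command arguments also matches across spaces, so
  #    `status *` permits extra arguments after the jail name.
  #  - The Defaults line turns off sudo logging and PAM sessions for these
  #    commands (keeps the journal quiet for a frequently polled command, at
  #    the cost of having no audit trail for them).
  security.sudo.extraConfig = ''
    Cmnd_Alias FAIL2BAN = /run/current-system/sw/bin/fail2ban-client status, /run/current-system/sw/bin/fail2ban-client status *
    telegraf ALL=(root) NOEXEC: NOPASSWD: FAIL2BAN
    Defaults!FAIL2BAN !logfile, !syslog, !pam_session
  '';

  # Install the package and the tools used interactively for the same checks.
  environment.systemPackages = with pkgs; [
    lm_sensors
    telegraf
    smartmontools
  ];

  # Executables the telegraf input plugins shell out to.
  systemd.services.telegraf = {
    path = with pkgs; [
      lm_sensors                # sensors
      fail2ban                  # fail2ban-client
      linuxPackages.nvidia_x11  # nvidia-smi
      smartmontools             # smartctl
      sudo                      # sudo
    ];
  };

  # Configure the package:
  services.telegraf = {
    enable = true;
    # Reference the secret through sops-nix instead of a bare Nix path
    # literal: a path literal that gets interpolated into a string is copied
    # into the world-readable Nix store, and the attribute also stays correct
    # if the secret's location changes.
    environmentFiles = [ config.sops.secrets.telegraf-token.path ];
    extraConfig = {
      outputs = {
        influxdb_v2 = {
          urls = [ "https://influx.sysctl.io/" ];
          # Only the placeholder is written here; the value is expected to
          # come from the environment file above, keeping the token itself
          # out of the Nix expression.
          token = "$TELEGRAF_TOKEN";
          organization = "default";
          bucket = "telegrafdb";
          # NOTE(review): this repeats the same token in an explicit header;
          # likely redundant with `token` above — confirm it is needed.
          http_headers = {
            Authorization = "Token $TELEGRAF_TOKEN";
          };
        };
      };
      inputs = {
        cpu = {
          percpu = true;
          totalcpu = true;
          collect_cpu_time = false;
          report_active = false;
        };
        disk = {
          ignore_fs = [ "tmpfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ];
        };
        diskio = {};
        kernel = {};
        mem = {};
        processes = {};
        swap = {};
        system = {};
        fail2ban = {
          use_sudo = true;
          # NOTE(review): if telegraf passes the socket as an option placed
          # before `status`, the resulting command line will not match the
          # FAIL2BAN alias above and sudo will refuse it — verify on a host.
          socket = "/var/run/fail2ban/fail2ban.sock";
        };
        intel_powerstat = {};
        net = {};
        nvidia_smi = {};
        sensors = {};
        smart = {
          timeout = "30s";
        };
        temp = {};
        wireless = {};
      };
    };
  };
}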