nix/services/telegraf.nix
2023-07-06 14:23:24 +09:00


{ config, pkgs, hostname, ... }: {
# Telegraf monitoring.
# Declare the InfluxDB token as a sops-nix secret taken from the shared
# secrets file. The resulting secret file is owned by the telegraf user, and
# telegraf.service is listed as a unit to restart when the secret changes.
sops.secrets."telegraf-token" = {
  sopsFile = ../secrets/secrets.yaml;
  owner = "telegraf";
  restartUnits = [ "telegraf.service" ];
};
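# Service account for telegraf.
# It is deliberately not a member of "wheel": the sudoers rule in
# security.sudo.extraConfig names the telegraf user directly, so group
# membership is not what grants it the fail2ban-client command. Membership
# would also make every %wheel sudoers rule apply to this account (full root
# without a password wherever security.sudo.wheelNeedsPassword is false),
# which defeats the narrow command alias.
# NOTE(review): if security.sudo.execWheelOnly is enabled elsewhere in this
# configuration, only wheel members may execute sudo at all and the fail2ban
# input will need a different arrangement - confirm before deploying.
users.users.telegraf = {
  isSystemUser = true;
};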
# Passwordless sudo for the telegraf account, limited to the FAIL2BAN alias
# and to running as root:
#   - Cmnd_Alias FAIL2BAN covers `fail2ban-client status` with no arguments
#     and `fail2ban-client status *`, both by absolute path.
#   - NOEXEC: asks sudo to stop the permitted command from executing further
#     programs; NOPASSWD: skips the password prompt.
#   - Defaults!FAIL2BAN switches off sudo's logfile, syslog and PAM session
#     handling for these commands, so the polling leaves no sudo audit trail.
# NOTE(review): a `*` in sudoers command arguments matches across word
# boundaries, so the second alias entry accepts any trailing arguments after
# `status`, not just a single jail name - consider listing the jails
# explicitly if the set is known.
# NOTE(review): with logging disabled, any use of this rule outside the
# telegraf service would not be recorded by sudo - confirm that is acceptable.
security.sudo.extraConfig = ''
Cmnd_Alias FAIL2BAN = /run/current-system/sw/bin/fail2ban-client status, /run/current-system/sw/bin/fail2ban-client status *
telegraf ALL=(root) NOEXEC: NOPASSWD: FAIL2BAN
Defaults!FAIL2BAN !logfile, !syslog, !pam_session
'';
# Install telegraf and the command-line tools used alongside it into the
# system profile. The sudoers alias in security.sudo.extraConfig refers to
# fail2ban-client under /run/current-system/sw/bin, i.e. this profile.
environment.systemPackages = [
  pkgs.lm_sensors
  pkgs.telegraf
  pkgs.smartmontools
  pkgs.fail2ban
];
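# Put the helper executables that telegraf's input plugins shell out to on
# the unit's PATH.
# sudo is taken from the NixOS setuid wrapper directory rather than from
# pkgs.sudo: binaries in the Nix store cannot carry the setuid bit, so the
# store copy of sudo cannot elevate. The "/run/wrappers" entry contributes
# /run/wrappers/bin to PATH.
# NOTE(review): linuxPackages.nvidia_x11 is the driver build for the default
# kernel package set; if this host pins another kernel or driver version,
# nvidia-smi from here may not match the loaded module - confirm.
systemd.services.telegraf = {
  path = with pkgs; [
    lm_sensors # sensors
    fail2ban # fail2ban-client
    linuxPackages.nvidia_x11 # nvidia-smi
    smartmontools # smartctl
    "/run/wrappers" # sudo (setuid wrapper)
  ];
};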
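# Configure the telegraf service: one InfluxDB v2 output and a set of host
# metric inputs.
services.telegraf = {
  enable = true;
  # Load the token from the sops-nix secret at service start. The location is
  # taken from the secret's own `path` attribute instead of a bare Nix path
  # literal: a path literal can be copied into the world-readable Nix store
  # when it is coerced to a string, whereas this is a plain string that
  # follows the secret if its location changes.
  # NOTE(review): the secret presumably holds a `TELEGRAF_TOKEN=...` line,
  # since it is loaded as an environment file - confirm.
  environmentFiles = [ config.sops.secrets.telegraf-token.path ];
  extraConfig = {
    outputs = {
      influxdb_v2 = {
        urls = [ "https://influx.sysctl.io/" ];
        # "$TELEGRAF_TOKEN" is written literally into the generated config;
        # the value comes from the environment file above, so the token
        # itself is not part of this file.
        token = "$TELEGRAF_TOKEN";
        organization = "default";
        bucket = "telegrafdb";
        # NOTE(review): this repeats the token in an explicit Authorization
        # header alongside `token` - confirm the server needs both.
        http_headers = { Authorization = "Token $TELEGRAF_TOKEN"; };
      };
    };
    inputs = {
      cpu = {
        percpu = true;
        totalcpu = true;
        collect_cpu_time = false;
        report_active = false;
      };
      disk = {
        # Skip pseudo and read-only image filesystems.
        ignore_fs = [ "tmpfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ];
      };
      diskio = { };
      kernel = { };
      mem = { };
      processes = { };
      swap = { };
      system = { };
      fail2ban = {
        # Runs fail2ban-client through sudo; the matching rule lives in
        # security.sudo.extraConfig.
        use_sudo = true;
        # A string, not a Nix path literal: the value only has to reach the
        # generated telegraf config as text, and a path literal would make
        # Nix try to import the socket itself when the config is serialised.
        socket = "/var/run/fail2ban/fail2ban.sock";
      };
      intel_powerstat = { };
      net = { };
      nvidia_smi = { };
      sensors = { };
      smart = {
        timeout = "30s";
      };
      temp = { };
      wireless = { };
    };
  };
};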
}