working prometheus setup with processes

requires openssh, but removing public key

hosts/flame/default.nix

@@ -49,6 +49,7 @@ inputs.nixpkgs.lib.nixosSystem {
 
       services.caddy.enable = true;
       services.grafana.enable = true;
+      services.openssh.enable = true;
       services.prometheus.enable = true;
       services.gitea.enable = true;
       services.vaultwarden.enable = true;

hosts/swan/default.nix

@@ -56,6 +56,7 @@ inputs.nixpkgs.lib.nixosSystem {
       services.jellyfin.enable = true;
       services.nextcloud.enable = true;
       services.calibre-web.enable = true;
+      services.openssh.enable = true;
       services.prometheus.enable = true;
       services.samba.enable = true;
 

hosts/tempest/default.nix

@@ -92,6 +92,7 @@ inputs.nixpkgs.lib.nixosSystem {
         ryujinx.enable = true;
       };
 
+      services.openssh.enable = true; # Required for Cloudflare tunnel
       cloudflareTunnel = {
         enable = true;
         id = "ac133a82-31fb-480c-942a-cdbcd4c58173";

modules/nixos/hardware/zfs.nix

@@ -10,6 +10,12 @@
         config.boot.zfs.package.latestCompatibleLinuxPackages;
       boot.kernelParams = [ "nohibernate" ];
       boot.supportedFilesystems = [ "zfs" ];
+      services.prometheus.exporters.zfs.enable = true;
+      scrapeTargets = [
+        "127.0.0.1:${
+          builtins.toString config.services.prometheus.exporters.zfs.port
+        }"
+      ];
 
     };
 

modules/nixos/services/nextcloud.nix

@@ -3,7 +3,7 @@
   config = lib.mkIf config.services.nextcloud.enable {
 
     services.nextcloud = {
-      package = pkgs.nextcloud26; # Required to specify
+      package = pkgs.nextcloud27; # Required to specify
       datadir = "/data/nextcloud";
       https = true;
       hostName = "localhost";
@@ -11,6 +11,7 @@
       config = {
         adminpassFile = config.secrets.nextcloud.dest;
         extraTrustedDomains = [ config.hostnames.content ];
+        trustedProxies = [ "127.0.0.1" ];
       };
     };
 
@@ -74,6 +75,21 @@
       requires = [ "phpfpm-nextcloud.service" ];
     };
 
+    # Log metrics to prometheus
+    services.prometheus.exporters.nextcloud = {
+      enable = true;
+      username = config.services.nextcloud.config.adminuser;
+      url = "http://localhost:8080";
+      passwordFile = config.services.nextcloud.config.adminpassFile;
+    };
+    scrapeTargets = [
+      "127.0.0.1:${
+        builtins.toString config.services.prometheus.exporters.nextcloud.port
+      }"
+    ];
+    # Allows nextcloud-exporter to read passwordFile
+    users.users.nextcloud-exporter.extraGroups = [ "nextcloud" ];
+
   };
 
 }

modules/nixos/services/prometheus.nix

@@ -1,5 +1,11 @@
 { config, pkgs, lib, ... }: {
 
+  options.scrapeTargets = lib.mkOption {
+    type = lib.types.listOf lib.types.str;
+    description = "Prometheus scrape targets";
+    default = [ ];
+  };
+
   config = let
 
     # If hosting Grafana, host local Prometheus and listen for inbound jobs. If
@@ -8,11 +14,33 @@
 
   in lib.mkIf config.services.prometheus.enable {
 
+    scrapeTargets = [
+      "127.0.0.1:${
+        builtins.toString config.services.prometheus.exporters.node.port
+      }"
+      "127.0.0.1:${
+        builtins.toString config.services.prometheus.exporters.systemd.port
+      }"
+      "127.0.0.1:${
+        builtins.toString config.services.prometheus.exporters.process.port
+      }"
+    ];
+
     services.prometheus = {
       exporters.node.enable = true;
+      exporters.systemd.enable = true;
+      exporters.process.enable = true;
+      exporters.process.settings.process_names = [
+        # Remove nix store path from process name
+        {
+          name = "{{.Matches.Wrapped}} {{ .Matches.Args }}";
+          cmdline = [ "^/nix/store[^ ]*/(?P<Wrapped>[^ /]*) (?P<Args>.*)" ];
+        }
+      ];
+      extraFlags = lib.mkIf isServer [ "--web.enable-remote-write-receiver" ];
       scrapeConfigs = [{
-        job_name = "local";
-        static_configs = [{ targets = [ "127.0.0.1:9100" ]; }];
+        job_name = config.networking.hostName;
+        static_configs = [{ targets = config.scrapeTargets; }];
       }];
       webExternalUrl =
         lib.mkIf isServer "https://${config.hostnames.prometheus}";
@@ -28,7 +56,7 @@
         });
       remoteWrite = lib.mkIf (!isServer) [{
         name = config.networking.hostName;
-        url = "https://${config.hostnames.prometheus}";
+        url = "https://${config.hostnames.prometheus}/api/v1/write";
         basic_auth = {
           # Uses password hashed with bcrypt above
           username = "prometheus";

modules/nixos/services/sshd.nix

@@ -13,9 +13,8 @@
     };
   };
 
-  config = lib.mkIf (config.publicKey != null) {
+  config = lib.mkIf config.services.openssh.enable {
     services.openssh = {
-      enable = true;
       ports = [ 22 ];
       allowSFTP = true;
       settings = {
@@ -27,7 +26,7 @@
     };
 
     users.users.${config.user}.openssh.authorizedKeys.keys =
-      [ config.publicKey ];
+      lib.mkIf (config.publicKey != null) [ config.publicKey ];
 
     # Implement a simple fail2ban service for sshd
     services.sshguard.enable = true;