mirror of
https://github.com/SebastianWendel/nixpkgs.git
synced 2024-09-20 04:19:00 +02:00
nixos/prometheus.exporters.dnssec: init module
This commit is contained in:
parent
33d6119bc9
commit
8737490803
|
@ -129,6 +129,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
|
||||||
|
|
||||||
- [ping_exporter](https://github.com/czerwonk/ping_exporter), a Prometheus exporter for ICMP echo requests. Available as [services.prometheus.exporters.ping](#opt-services.prometheus.exporters.ping.enable).
|
- [ping_exporter](https://github.com/czerwonk/ping_exporter), a Prometheus exporter for ICMP echo requests. Available as [services.prometheus.exporters.ping](#opt-services.prometheus.exporters.ping.enable).
|
||||||
|
|
||||||
|
- [Prometheus DNSSEC Exporter](https://github.com/chrj/prometheus-dnssec-exporter), check for validity and expiration in DNSSEC signatures and expose metrics for Prometheus. Available as [services.prometheus.exporters.dnssec](#opt-services.prometheus.exporters.dnssec.enable).
|
||||||
|
|
||||||
- [TigerBeetle](https://tigerbeetle.com/), a distributed financial accounting database designed for mission critical safety and performance. Available as [services.tigerbeetle](#opt-services.tigerbeetle.enable).
|
- [TigerBeetle](https://tigerbeetle.com/), a distributed financial accounting database designed for mission critical safety and performance. Available as [services.tigerbeetle](#opt-services.tigerbeetle.enable).
|
||||||
|
|
||||||
- [go-camo](https://github.com/cactus/go-camo), a secure image proxy server. Available as [services.go-camo](#opt-services.go-camo.enable).
|
- [go-camo](https://github.com/cactus/go-camo), a secure image proxy server. Available as [services.go-camo](#opt-services.go-camo.enable).
|
||||||
|
|
|
@ -31,6 +31,7 @@ let
|
||||||
"collectd"
|
"collectd"
|
||||||
"dmarc"
|
"dmarc"
|
||||||
"dnsmasq"
|
"dnsmasq"
|
||||||
|
"dnssec"
|
||||||
"domain"
|
"domain"
|
||||||
"dovecot"
|
"dovecot"
|
||||||
"fastly"
|
"fastly"
|
||||||
|
|
|
@ -0,0 +1,90 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.prometheus.exporters.dnssec;
|
||||||
|
configFormat = pkgs.formats.toml { };
|
||||||
|
configFile = configFormat.generate "dnssec-checks.toml" cfg.configuration;
|
||||||
|
in {
|
||||||
|
port = 9204;
|
||||||
|
extraOpts = {
|
||||||
|
configuration = lib.mkOption {
|
||||||
|
type = lib.types.nullOr lib.types.attrs;
|
||||||
|
default = null;
|
||||||
|
description = ''
|
||||||
|
dnssec exporter configuration as nix attribute set.
|
||||||
|
|
||||||
|
See <https://github.com/chrj/prometheus-dnssec-exporter/blob/master/README.md>
|
||||||
|
for the description of the configuration file format.
|
||||||
|
'';
|
||||||
|
example = lib.literalExpression ''
|
||||||
|
{
|
||||||
|
records = [
|
||||||
|
{
|
||||||
|
zone = "ietf.org";
|
||||||
|
record = "@";
|
||||||
|
type = "SOA";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
zone = "verisigninc.com";
|
||||||
|
record = "@";
|
||||||
|
type = "SOA";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
listenAddress = lib.mkOption {
|
||||||
|
type = lib.types.nullOr lib.types.str;
|
||||||
|
default = null;
|
||||||
|
description = ''
|
||||||
|
Listen address as host IP and port definition.
|
||||||
|
'';
|
||||||
|
example = ":9204";
|
||||||
|
};
|
||||||
|
|
||||||
|
resolvers = lib.mkOption {
|
||||||
|
type = lib.types.listOf lib.types.str;
|
||||||
|
default = [ ];
|
||||||
|
description = ''
|
||||||
|
DNSSEC capable resolver to be used for the check.
|
||||||
|
'';
|
||||||
|
example = [ "0.0.0.0:53" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
timeout = lib.mkOption {
|
||||||
|
type = lib.types.nullOr lib.types.str;
|
||||||
|
default = null;
|
||||||
|
description = ''
|
||||||
|
DNS request timeout duration.
|
||||||
|
'';
|
||||||
|
example = "10s";
|
||||||
|
};
|
||||||
|
|
||||||
|
extraFlags = lib.mkOption {
|
||||||
|
type = lib.types.listOf lib.types.str;
|
||||||
|
default = [ ];
|
||||||
|
description = ''
|
||||||
|
Extra commandline options when launching Prometheus.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
serviceOpts = {
|
||||||
|
serviceConfig = let
|
||||||
|
startScript = pkgs.writeShellScriptBin "prometheus-dnssec-exporter-start"
|
||||||
|
"${lib.concatStringsSep " "
|
||||||
|
([ "${pkgs.prometheus-dnssec-exporter}/bin/prometheus-dnssec-exporter" ]
|
||||||
|
++ lib.optionals (cfg.configuration != null)
|
||||||
|
[ "-config ${configFile}" ]
|
||||||
|
++ lib.optionals (cfg.listenAddress != null)
|
||||||
|
[ "-listen-address ${lib.escapeShellArg cfg.listenAddress}" ]
|
||||||
|
++ lib.optionals (cfg.resolvers != [ ]) [
|
||||||
|
"-resolvers ${
|
||||||
|
lib.escapeShellArg (lib.concatStringsSep "," cfg.resolvers)
|
||||||
|
}"
|
||||||
|
] ++ lib.optionals (cfg.timeout != null)
|
||||||
|
[ "-timeout ${lib.escapeShellArg cfg.timeout}" ] ++ cfg.extraFlags)}";
|
||||||
|
in { ExecStart = lib.getExe startScript; };
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
|
@ -227,6 +227,54 @@ let
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
dnssec = {
|
||||||
|
exporterConfig = {
|
||||||
|
enable = true;
|
||||||
|
configuration = {
|
||||||
|
records = [
|
||||||
|
{
|
||||||
|
zone = "example.com";
|
||||||
|
record = "@";
|
||||||
|
type = "SOA";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
resolvers = [ "127.0.0.1:53" ];
|
||||||
|
};
|
||||||
|
metricProvider = {
|
||||||
|
services.knot = {
|
||||||
|
enable = true;
|
||||||
|
settingsFile = pkgs.writeText "knot.conf" ''
|
||||||
|
server:
|
||||||
|
listen: 127.0.0.1@53
|
||||||
|
template:
|
||||||
|
- id: default
|
||||||
|
storage: ${pkgs.buildEnv {
|
||||||
|
name = "zones";
|
||||||
|
paths = [(pkgs.writeTextDir "example.com.zone" ''
|
||||||
|
@ SOA ns1.example.com. noc.example.com. 2024032401 86400 7200 3600000 172800
|
||||||
|
@ NS ns1
|
||||||
|
ns1 A 192.168.0.1
|
||||||
|
'')];
|
||||||
|
}}
|
||||||
|
zonefile-load: difference
|
||||||
|
zonefile-sync: -1
|
||||||
|
zone:
|
||||||
|
- domain: example.com
|
||||||
|
file: example.com.zone
|
||||||
|
dnssec-signing: on
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
exporterTest = ''
|
||||||
|
wait_for_unit("knot.service")
|
||||||
|
wait_for_open_port(53)
|
||||||
|
wait_for_unit("prometheus-dnssec-exporter.service")
|
||||||
|
wait_for_open_port(9204)
|
||||||
|
succeed("curl -sSf http://localhost:9204/metrics | grep 'example.com'")
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
# Access to WHOIS server is required to properly test this exporter, so
|
# Access to WHOIS server is required to properly test this exporter, so
|
||||||
# just perform basic sanity check that the exporter is running and returns
|
# just perform basic sanity check that the exporter is running and returns
|
||||||
# a failure.
|
# a failure.
|
||||||
|
|
Loading…
Reference in a new issue