104 lines
2.8 KiB
Nix
104 lines
2.8 KiB
Nix
{ config
|
|
, lib
|
|
, pkgs
|
|
, options
|
|
, ...
|
|
}:
|
|
|
|
let
|
|
cfg = config.services.prometheus.exporters.unbound;
|
|
inherit (lib)
|
|
mkOption
|
|
types
|
|
mkRemovedOptionModule
|
|
optionalAttrs
|
|
optionalString
|
|
mkMerge
|
|
mkIf
|
|
;
|
|
in
|
|
{
|
|
imports = [
|
|
(mkRemovedOptionModule [ "controlInterface" ] "This option was removed, use the `unbound.host` option instead.")
|
|
(mkRemovedOptionModule [ "fetchType" ] "This option was removed, use the `unbound.host` option instead.")
|
|
({ options.warnings = options.warnings; options.assertions = options.assertions; })
|
|
];
|
|
|
|
port = 9167;
|
|
extraOpts = {
|
|
telemetryPath = mkOption {
|
|
type = types.str;
|
|
default = "/metrics";
|
|
description = ''
|
|
Path under which to expose metrics.
|
|
'';
|
|
};
|
|
|
|
unbound = {
|
|
ca = mkOption {
|
|
type = types.nullOr types.path;
|
|
default = "/var/lib/unbound/unbound_server.pem";
|
|
example = null;
|
|
description = ''
|
|
Path to the Unbound server certificate authority
|
|
'';
|
|
};
|
|
|
|
certificate = mkOption {
|
|
type = types.nullOr types.path;
|
|
default = "/var/lib/unbound/unbound_control.pem";
|
|
example = null;
|
|
description = ''
|
|
Path to the Unbound control socket certificate
|
|
'';
|
|
};
|
|
|
|
key = mkOption {
|
|
type = types.nullOr types.path;
|
|
default = "/var/lib/unbound/unbound_control.key";
|
|
example = null;
|
|
description = ''
|
|
Path to the Unbound control socket key.
|
|
'';
|
|
};
|
|
|
|
host = mkOption {
|
|
type = types.str;
|
|
default = "tcp://127.0.0.1:8953";
|
|
example = "unix:///run/unbound/unbound.socket";
|
|
description = ''
|
|
Path to the unbound control socket. Supports unix domain sockets, as well as the TCP interface.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
serviceOpts = mkMerge ([{
|
|
serviceConfig = {
|
|
User = "unbound"; # to access the unbound_control.key
|
|
ExecStart = ''
|
|
${pkgs.prometheus-unbound-exporter}/bin/unbound_exporter \
|
|
--unbound.host "${cfg.unbound.host}" \
|
|
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
|
|
--web.telemetry-path ${cfg.telemetryPath} \
|
|
${optionalString (cfg.unbound.ca != null) "--unbound.ca ${cfg.unbound.ca}"} \
|
|
${optionalString (cfg.unbound.certificate != null) "--unbound.cert ${cfg.unbound.certificate}"} \
|
|
${optionalString (cfg.unbound.key != null) "--unbound.key ${cfg.unbound.key}"} \
|
|
${toString cfg.extraFlags}
|
|
'';
|
|
RestrictAddressFamilies = [
|
|
"AF_UNIX"
|
|
"AF_INET"
|
|
"AF_INET6"
|
|
];
|
|
} // optionalAttrs (!config.services.unbound.enable) {
|
|
DynamicUser = true;
|
|
};
|
|
}] ++ [
|
|
(mkIf config.services.unbound.enable {
|
|
after = [ "unbound.service" ];
|
|
requires = [ "unbound.service" ];
|
|
})
|
|
]);
|
|
}
|