selfprivacy-nixos-config/sp-modules/monitoring/module.nix

{ config, lib, ... }:
let
  cfg = config.selfprivacy.modules.monitoring;
in
{
  options.selfprivacy.modules.monitoring = {
    enable = lib.mkOption {
      default = false;
      type = lib.types.bool;
    };
    location = lib.mkOption {
      type = lib.types.str;
    };
  };
  config = lib.mkIf cfg.enable {
    fileSystems = lib.mkIf config.selfprivacy.useBinds {
      "/var/lib/prometheus2" = {
        device = "/volumes/${cfg.location}/prometheus";
        options = [
          "bind"
          "x-systemd.required-by=prometheus.service"
          "x-systemd.before=prometheus.service"
        ];
      };
    };
    security.auditd.enable = true;
    security.audit.enable = true;
    security.audit.rules = [
      "-w /root -p war -k root"
      "-w /root/.ssh -p wa -k rootkey"
      "-w /etc/nixos -p w -k nixosconfig"
      "-w /etc/selfprivacy.nix -p w -k selfprivacyfolder"
      "-a exit,always -F arch=b64 -S execve"
      "-a always,exit -F arch=b64 -S kexec_load -k KEXEC"
      "-a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles"
      "-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount"
      "-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap"
      "-a always,exit -F arch=b64 -F uid!=ntp -S adjtimex -S settimeofday -S clock_settime -k time"
      "-w /etc/group -p wa -k etcgroup"
      "-w /etc/passwd -p wa -k etcpasswd"
      "-w /etc/shadow -k etcpasswd"
      "-w /etc/sudoers -p wa -k actions"
      "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications"
      "-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess"
      "-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess"
      "-a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess"
      "-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess"
      "-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess"
      "-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileaccess"

    ];
    services.cadvisor = {
      enable = true;
      port = 9003;
      listenAddress = "127.0.0.1";
      extraOptions = [ "--enable_metrics=cpu,memory,diskIO" ];
    };
    services.prometheus = {
      enable = true;
      port = 9001;
      listenAddress = "127.0.0.1";
      exporters = {
        node = {
          enable = true;
          enabledCollectors = [ "systemd" ];
          port = 9002;
          listenAddress = "127.0.0.1";
        };
      };
      scrapeConfigs = [
        {
          job_name = "node-exporter";
          static_configs = [{
            targets = [ "127.0.0.1:9002" ];
          }];
        }
        {
          job_name = "cadvisor";
          static_configs = [{
            targets = [ "127.0.0.1:9003" ];
          }];
        }
      ];
    };
    services.logrotate = {
      enable = true;
      settings = {
        "/var/log/audit/audit.log" = {
          rotate = 7;
          compress = true;
          missingok = true;
          notifempty = true;
          sharedscripts = true;
          postrotate = "systemctl kill -s USR1 auditd.service";
        };
      };
    };
    systemd = {
      services = {
        prometheus.serviceConfig.Slice = "monitoring.slice";
        prometheus-node-exporter.serviceConfig.Slice = "monitoring.slice";
        cadvisor.serviceConfig.Slice = "monitoring.slice";
      };
      slices.monitoring = {
        description = "Monitoring service slice";
      };
    };
  };
}
Add systemd slices to all SP modules 2024-07-26 23:52:21 +00:00			`{ config, lib, ... }:`
			`let`
feat: add prometheus monitoring service 2024-06-09 18:04:14 +00:00			`cfg = config.selfprivacy.modules.monitoring;`
Add systemd slices to all SP modules 2024-07-26 23:52:21 +00:00			`in`
			`{`
feat: add prometheus monitoring service 2024-06-09 18:04:14 +00:00			`options.selfprivacy.modules.monitoring = {`
			`enable = lib.mkOption {`
			`default = false;`
			`type = lib.types.bool;`
			`};`
feat: support binds for prometheus monitoring service 2024-07-17 17:45:23 +00:00			`location = lib.mkOption {`
			`type = lib.types.str;`
			`};`
feat: add prometheus monitoring service 2024-06-09 18:04:14 +00:00			`};`
			`config = lib.mkIf cfg.enable {`
feat: support binds for prometheus monitoring service 2024-07-17 17:45:23 +00:00			`fileSystems = lib.mkIf config.selfprivacy.useBinds {`
			`"/var/lib/prometheus2" = {`
			`device = "/volumes/${cfg.location}/prometheus";`
			`options = [`
			`"bind"`
			`"x-systemd.required-by=prometheus.service"`
			`"x-systemd.before=prometheus.service"`
			`];`
			`};`
			`};`
feat: add auditd to monitoring module 2024-07-29 14:39:14 +00:00			`security.auditd.enable = true;`
add some audit rules 2024-07-30 04:32:41 +00:00			`security.audit.enable = true;`
			`security.audit.rules = [`
			`"-w /root -p war -k root"`
add more audit rules 2024-07-30 04:53:58 +00:00			`"-w /root/.ssh -p wa -k rootkey"`
			`"-w /etc/nixos -p w -k nixosconfig"`
			`"-w /etc/selfprivacy.nix -p w -k selfprivacyfolder"`
add some audit rules 2024-07-30 04:32:41 +00:00			`"-a exit,always -F arch=b64 -S execve"`
add more audit rules 2024-07-30 04:53:58 +00:00			`"-a always,exit -F arch=b64 -S kexec_load -k KEXEC"`
			`"-a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles"`
			`"-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount"`
			`"-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap"`
			`"-a always,exit -F arch=b64 -F uid!=ntp -S adjtimex -S settimeofday -S clock_settime -k time"`
			`"-w /etc/group -p wa -k etcgroup"`
			`"-w /etc/passwd -p wa -k etcpasswd"`
			`"-w /etc/shadow -k etcpasswd"`
			`"-w /etc/sudoers -p wa -k actions"`
			`"-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications"`
			`"-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess"`
			`"-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess"`
			`"-a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess"`
			`"-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess"`
			`"-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess"`
			`"-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileaccess"`

add some audit rules 2024-07-30 04:32:41 +00:00			`];`
test cadvisor 2024-07-26 22:17:57 +00:00			`services.cadvisor = {`
			`enable = true;`
			`port = 9003;`
			`listenAddress = "127.0.0.1";`
limit metrics collected by cadvisor 2024-07-26 23:00:39 +00:00			`extraOptions = [ "--enable_metrics=cpu,memory,diskIO" ];`
test cadvisor 2024-07-26 22:17:57 +00:00			`};`
feat: add prometheus monitoring service 2024-06-09 18:04:14 +00:00			`services.prometheus = {`
			`enable = true;`
			`port = 9001;`
fix: ensure that prometheus listens only on 127.0.0.1 2024-06-17 18:42:49 +00:00			`listenAddress = "127.0.0.1";`
feat: add prometheus monitoring service 2024-06-09 18:04:14 +00:00			`exporters = {`
			`node = {`
			`enable = true;`
test cadvisor 2024-07-26 22:17:57 +00:00			`enabledCollectors = [ "systemd" ];`
feat: add prometheus monitoring service 2024-06-09 18:04:14 +00:00			`port = 9002;`
fix: ensure that node-exporter listens on 127.0.0.1 2024-06-18 18:30:02 +00:00			`listenAddress = "127.0.0.1";`
feat: add prometheus monitoring service 2024-06-09 18:04:14 +00:00			`};`
			`};`
			`scrapeConfigs = [`
			`{`
			`job_name = "node-exporter";`
			`static_configs = [{`
			`targets = [ "127.0.0.1:9002" ];`
			`}];`
			`}`
feat: systemd exporter 2024-07-26 16:31:03 +00:00			`{`
test cadvisor 2024-07-26 22:17:57 +00:00			`job_name = "cadvisor";`
feat: systemd exporter 2024-07-26 16:31:03 +00:00			`static_configs = [{`
			`targets = [ "127.0.0.1:9003" ];`
			`}];`
			`}`
feat: add prometheus monitoring service 2024-06-09 18:04:14 +00:00			`];`
			`};`
add more audit rules 2024-07-30 04:53:58 +00:00			`services.logrotate = {`
			`enable = true;`
			`settings = {`
			`"/var/log/audit/audit.log" = {`
			`rotate = 7;`
			`compress = true;`
			`missingok = true;`
			`notifempty = true;`
			`sharedscripts = true;`
			`postrotate = "systemctl kill -s USR1 auditd.service";`
			`};`
			`};`
			`};`
Add systemd slices to all SP modules 2024-07-26 23:52:21 +00:00			`systemd = {`
			`services = {`
			`prometheus.serviceConfig.Slice = "monitoring.slice";`
			`prometheus-node-exporter.serviceConfig.Slice = "monitoring.slice";`
			`cadvisor.serviceConfig.Slice = "monitoring.slice";`
			`};`
			`slices.monitoring = {`
			`description = "Monitoring service slice";`
			`};`
			`};`
feat: add prometheus monitoring service 2024-06-09 18:04:14 +00:00			`};`
feat: support binds for prometheus monitoring service 2024-07-17 17:45:23 +00:00			`}`