From f28ea2244d33d0ed663e7864de55a77899e7f226 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Sat, 28 Aug 2021 13:40:28 +0200
Subject: [PATCH] hcloud_exporter: init module
---
 flake.nix | 8 ++++
 hcloud_exporter/module.nix | 75 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+)
 create mode 100644 hcloud_exporter/module.nix
diff --git a/flake.nix b/flake.nix
index b0b1676..9eb095b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,6 +11,14 @@
 
 outputs = { self, flake-utils, nixpkgs, nix-pre-commit-hooks }: {
 overlay = import ./default.nix;
+
+ nixosModules =
+ let
+ inherit (nixpkgs) lib;
+ in
+ {
+ hcloud_exporter.imports = lib.singleton ./hcloud_exporter/module.nix;
+ };
 } // flake-utils.lib.eachDefaultSystem (system:
 let
 pkgs = import nixpkgs { inherit system; overlays = [ self.overlay ]; };
diff --git a/hcloud_exporter/module.nix b/hcloud_exporter/module.nix
new file mode 100644
index 0000000..9541326
--- /dev/null
+++ b/hcloud_exporter/module.nix
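Review bot: The `let inherit (nixpkgs) lib; in { … }` wrapper in the new `nixosModules` output exists only to call `lib.singleton`; `nixosModules.hcloud_exporter.imports = [ ./hcloud_exporter/module.nix ];` says the same thing without binding `lib` in the flake. Separately, the module this output publishes defaults its `package` option to `pkgs.hcloud_exporter`, which appears to resolve only when a consumer also applies `self.overlay` to its nixpkgs; either have the module set `nixpkgs.overlays = [ self.overlay ];` alongside the import, or state the overlay requirement in the module's `package` description so the failure mode is documented rather than discovered at evaluation time.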
@@ -0,0 +1,75 @@
+{ config, lib, options, pkgs, ... }:
+let
+ cfg = config.services.hcloud_exporter;
+in
+{
+ options.services.hcloud_exporter = {
+ enable = lib.mkEnableOption "the prometheus hcloud exporter";
+ package = lib.mkOption {
+ type = lib.types.package;
+ default = pkgs.hcloud_exporter;
+ description = "The package to use for hcloud_exporter";
+ };
+ listenAddress = lib.mkOption {
+ type = lib.types.str;
+ default = "0.0.0.0:9501";
+ example = "127.0.0.1:9501";
+ description = "The address hcloud_exporter should listen on";
+ };
+ collectors = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ "floating-ips" "images" "pricing" "servers" "ssh-keys" ];
+ example = [ "servers" "volumes" ];
+ description = "The collectors to enable";
+ };
+ environmentFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ example = "/path/to/hcloud_exporter.env";
+ description = ''
+ A file including environment variables being passed to hcloud_exporter
+ to allow storing the token outside of the nix store.
+ It should be formatted according to the specification of systemd.exec(5)’s EnvironmentFile.
+ '';
+ };
+ };
+
+ config = {
+ systemd.services.hcloud_exporter = lib.mkIf cfg.enable {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ environment = {
+ HCLOUD_EXPORTER_WEB_ADDRESS = cfg.listenAddress;
+ } // (
+ let
+ defaultCollectors = options.services.hcloud_exporter.collectors.default;
+ enabledCollectors = cfg.collectors;
+ disabledCollectors = lib.subtractLists enabledCollectors defaultCollectors;
+ collectorAttrs = lib.listToAttrs
+ (map (lib.flip lib.nameValuePair "true") enabledCollectors
+ ++ map (lib.flip lib.nameValuePair "false") disabledCollectors);
+ toUpperSnakeCase = x: lib.toUpper (lib.replaceStrings [ "-" ] [ "_" ] x);
+ collectorStateToEnv = collector: state: lib.nameValuePair "HCLOUD_EXPORTER_COLLECTOR_${toUpperSnakeCase collector}" state;
+ in
+ lib.mapAttrs' collectorStateToEnv collectorAttrs
+ );
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin/hcloud_exporter";
+ Restart = "always";
+
+ EnvironmentFile = cfg.environmentFile;
+
+ # systemd-analyze --no-pager security hcloud_exporter.service
+ CapabilityBoundingSet = null;
+ DynamicUser = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHome = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
+ };
+ };
+ };
+}
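Review bot: `listenAddress` defaults to `"0.0.0.0:9501"`, so the exporter — which has no authentication of its own and serves inventory of the Hetzner account (server and SSH-key names presumably appear as metric labels) — is reachable on every interface as soon as `enable = true`; prefer `default = "127.0.0.1:9501";` (the `example` already shows it) so operators widen exposure deliberately, or at least say in the option description that the port is unauthenticated and must be firewalled or proxied. The `environmentFile` description should also state that the file carries the API token and is read by systemd as root, so it belongs to root with mode 0600 rather than being readable by the dynamic service user. `CapabilityBoundingSet = null` in `serviceConfig` relies on NixOS rendering null as an empty assignment; `CapabilityBoundingSet = "";` states the drop-all intent explicitly. The sandbox block can be tightened with the directives below, which a Go exporter that only makes outbound HTTPS calls should tolerate; `DynamicUser = true` already implies `ProtectSystem=strict`, `PrivateTmp`, `NoNewPrivileges` and `RestrictSUIDSGID`, so those need not be repeated.
```nix
serviceConfig = {
  # … unchanged: ExecStart, Restart, EnvironmentFile …
  CapabilityBoundingSet = "";
  # … unchanged: DynamicUser, PrivateDevices, PrivateUsers, ProtectHome, RestrictAddressFamilies, RestrictNamespaces, SystemCallArchitectures …
  LockPersonality = true;
  MemoryDenyWriteExecute = true;
  ProtectClock = true;
  ProtectControlGroups = true;
  ProtectHostname = true;
  ProtectKernelLogs = true;
  ProtectKernelModules = true;
  ProtectKernelTunables = true;
  ProtectProc = "invisible";
  ProcSubset = "pid";
  RestrictRealtime = true;
  SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
  UMask = "0077";
};
```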