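{ pkgs, ... }:
let
  # TLS endpoints to monitor for certificate expiration.
  # These are all services using ACME certificates from OpenBao PKI.
  # Every entry is scraped through the blackbox exporter below; the URL
  # itself becomes the `instance` label (see relabel_configs).
  tlsTargets = [
    # Direct ACME certs (security.acme.certs)
    "https://vault.home.2rjus.net:8200"
    "https://auth.home.2rjus.net"
    "https://testvm01.home.2rjus.net"

    # Caddy auto-TLS on http-proxy
    "https://nzbget.home.2rjus.net"
    "https://radarr.home.2rjus.net"
    "https://sonarr.home.2rjus.net"
    "https://ha.home.2rjus.net"
    "https://z2m.home.2rjus.net"
    "https://prometheus.home.2rjus.net"
    "https://alertmanager.home.2rjus.net"
    "https://grafana.home.2rjus.net"
    "https://jelly.home.2rjus.net"
    "https://pyroscope.home.2rjus.net"
    "https://pushgw.home.2rjus.net"

    # Caddy auto-TLS on nix-cache01
    "https://nix-cache.home.2rjus.net"

    # Caddy auto-TLS on grafana01
    "https://grafana-test.home.2rjus.net"
  ];
in
{
  services.prometheus.exporters.blackbox = {
    enable = true;

    # The exporter's /probe endpoint makes outbound connections to whatever
    # `target` the caller supplies, so it should not be reachable from the
    # network. Prometheus scrapes it over loopback (127.0.0.1:9115 below),
    # so binding to loopback only loses nothing.
    listenAddress = "127.0.0.1";

    configFile = pkgs.writeText "blackbox.yml" ''
      modules:
        https_cert:
          prober: http
          timeout: 10s
          http:
            # A plain-HTTP answer means the cert is not being served at all;
            # count that as a failed probe rather than a silent success.
            fail_if_not_ssl: true
            preferred_ip_protocol: ip4
            # NOTE(review): no tls_config is set, so the probe verifies the
            # chain against the system trust store. This assumes the OpenBao
            # PKI root CA is trusted system-wide on this host — confirm, or
            # point tls_config.ca_file at it explicitly.
    '';
  };

  # Add blackbox scrape config to Prometheus.
  # Alert rules are in rules.yml (certificate_rules group).
  services.prometheus.scrapeConfigs = [
    {
      job_name = "blackbox_tls";
      metrics_path = "/probe";
      params = {
        module = [ "https_cert" ];
      };
      static_configs = [{ targets = tlsTargets; }];
      relabel_configs = [
        # Pass the target URL to blackbox as the `target` query parameter
        {
          source_labels = [ "__address__" ];
          target_label = "__param_target";
        }
        # Use the target URL as the instance label
        {
          source_labels = [ "__param_target" ];
          target_label = "instance";
        }
        # Point the actual scrape at the local blackbox exporter
        {
          target_label = "__address__";
          replacement = "127.0.0.1:9115";
        }
      ];
    }
  ];
}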