From 18ab08a86cde01d5b715a9ce036787190b90dc1c Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Thu, 1 Dec 2022 17:25:53 +0100
Subject: [PATCH] staging: run node_exporter from nixos; run synapse as non-root
---
 cluster/staging/app/im/deploy/im-nix.hcl | 4 --
 .../app/telemetry/deploy/telemetry-system.hcl | 47 +++++++++----------
 2 files changed, 22 insertions(+), 29 deletions(-)
diff --git a/cluster/staging/app/im/deploy/im-nix.hcl b/cluster/staging/app/im/deploy/im-nix.hcl
index 4cc3b0e..0d7b79d 100644
--- a/cluster/staging/app/im/deploy/im-nix.hcl
+++ b/cluster/staging/app/im/deploy/im-nix.hcl
@@ -46,7 +46,6 @@ job "im" {
 "secrets/litestream.yml" = "/etc/litestream.yml" } }
- user = "root"
 template { data = file("../config/litestream.yml")
@@ -82,7 +81,6 @@ job "im" {
 env = { SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt" }
- user = "root"
 template { data = file("flake.nix")
@@ -148,7 +146,6 @@ job "im" {
 "../alloc/data" = "/ephemeral", } }
- user = "root"
 template { data = file("flake.nix")
@@ -195,7 +192,6 @@ EOH
 "secrets/litestream.yml" = "/etc/litestream.yml" } }
- user = "root"
 template { data = file("../config/litestream.yml")
diff --git a/cluster/staging/app/telemetry/deploy/telemetry-system.hcl b/cluster/staging/app/telemetry/deploy/telemetry-system.hcl
index e2bad61..7cbb01a 100644
--- a/cluster/staging/app/telemetry/deploy/telemetry-system.hcl
+++ b/cluster/staging/app/telemetry/deploy/telemetry-system.hcl
@@ -1,40 +1,37 @@
 job "telemetry-system" {
- datacenters = ["neptune"]
- type = "system"
- priority = "100"
+ datacenters = ["neptune"]
+ type = "system"
+ priority = "100"
- group "collector" {
+ group "collector" {
 network { port "node_exporter" { static = 9100 } }
- task "node_exporter" {
- driver = "docker"
+ task "node_exporter" {
+ driver = "nix2"
- config {
- image = "quay.io/prometheus/node-exporter:v1.1.2"
- network_mode = "host"
- volumes = [
- "/:/host:ro,rslave"
- ]
- args = [ "--path.rootfs=/host" ]
- }
+ config {
+ packages = [ "#prometheus-node-exporter" ]
+ command = "node_exporter"
+ args = [ "--path.rootfs=/host" ]
+ bind_read_only = {
+ "/" = "/host"
+ }
+ }
- resources {
- cpu = 50
- memory = 40
- }
+ resources {
+ cpu = 50
+ memory = 40
+ }
 service {
- tags = [ "telemetry" ]
- port = 9100
- address_mode = "driver"
 name = "node-exporter"
+ tags = [ "telemetry" ]
+ port = "node_exporter"
 check { type = "http" path = "/"
- port = 9100
- address_mode = "driver"
 interval = "60s" timeout = "5s" check_restart {
@@ -44,6 +41,6 @@ job "telemetry-system" {
 } } }
- }
- }
+ }
+ }
 }
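Review bot: The Docker volume `/:/host:ro,rslave` becomes `bind_read_only = { "/" = "/host" }` in the new config block, which keeps the mount read-only but says nothing about mount propagation, so whether filesystems mounted below `/` (proc, sys, separately mounted data volumes) remain visible under `/host` now depends on how the nix2 driver binds directories, and `--path.rootfs=/host` only helps node_exporter's filesystem and mount collectors if they do. Worth confirming on a staging node after deploy (for instance that the `node_filesystem_*` series still list the expected mount points) and recording the expectation next to the mount, e.g. `# whole host rootfs, read-only; submount visibility depends on nix2 bind semantics — verified <date placeholder>`. Since the commit's stated goal is running things as non-root, the task also never says which user the nix2 driver runs `node_exporter` as; a one-line comment on the task naming the expected non-root user, or an explicit `user` stanza, would make that auditable. Most of this hunk is re-indentation, which buries the four functional changes (driver, config, service port, check port); separating the whitespace change from the driver swap would make it easier to review.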