nixos: introduce a service for prometheus-tailscale-exporter

- [conman](https://github.com/dun/conman), a serial console management program. Available as [services.conman](#opt-services.conman.enable).

- [Prometheus Tailscale Exporter](https://github.com/adinhodovic/tailscale-exporter), a Prometheus exporter for Tailscale Tailnet metrics.

- [KMinion](https://github.com/redpanda-data/kminion), feature-rich Prometheus exporter for Apache Kafka. Available as [services.prometheus.exporters.kafka](options.html#opt-services.prometheus.exporters.kafka).

- [Spoolman](https://github.com/Donkie/Spoolman), a inventory management system for Filament spools. Available as [services.spoolman](#opt-services.spoolman.enable).

        "storagebox"

        "surfboard"

        "systemd"

        "tailscale"

        "tibber"

        "unbound"

        "unpoller"

{

  config,

  lib,

  pkgs,

  utils,

  ...

}:

let

  inherit (lib)

    getExe

    mkOption

    mkPackageOption

    types

    ;

  inherit (utils) escapeSystemdExecArgs;

  cfg = config.services.prometheus.exporters.tailscale;

in

{

  port = 9250;

  extraOpts = with types; {

    package = mkPackageOption pkgs "prometheus-tailscale-exporter" { };

    environmentFile = mkOption {

      type = path;

      description = ''

        Environment file containg at least the TAILSCALE_TAILNET,

        TAILSCALE_OAUTH_CLIENT_ID, and TAILSCALE_OAUTH_CLIENT_SECRET

        environment variables.

      '';

    };

  };

  serviceOpts = {

    serviceConfig = {

      EnvironmentFile = cfg.environmentFile;

      ExecStart = escapeSystemdExecArgs (

        [

          (getExe cfg.package)

          "--listen-address"

          "${cfg.listenAddress}:${toString cfg.port}"

        ]

        ++ cfg.extraFlags

      );

    };

  };

}

      '';

    };

    tailscale = {

      exporterConfig = {

        package = pkgs.prometheus-tailscale-exporter.overrideAttrs {

          patches = [

            # This patch prevents the exporter from exiting immediately upon

            # startup when no credentials are provided, which is useful for

            # testing the NixOS module.

            (pkgs.writeText "allow-running-without-credentials" ''

              diff --git a/cmd/tailscale-exporter/root.go b/cmd/tailscale-exporter/root.go

              index 2ff11cb..2fb576f 100644

              --- a/cmd/tailscale-exporter/root.go

              +++ b/cmd/tailscale-exporter/root.go

              @@ -137,14 +137,6 @@ func runExporter(cmd *cobra.Command, args []string) error {

              ''\t// Create HTTP client that automatically handles token refresh

              ''\thttpClient := oauthConfig.Client(context.Background())

              -''\t// Test OAuth token generation

              -''\ttoken, err := oauthConfig.Token(context.Background())

              -''\tif err != nil {

              -''\t''\treturn fmt.Errorf("failed to obtain OAuth token: %w", err)

              -''\t}

              -''\tlogger.Info("OAuth token obtained", "token_type", token.TokenType)

              -''\tlogger.Info("Successfully obtained OAuth token", "expires", token.Expiry)

              -

              ''\t// Default labels for all metrics

              ''\tdefaultLabels := prometheus.Labels{"tailnet": tailnet}

              ''\treg := prometheus.WrapRegistererWith(

            '')

          ];

        };

        enable = true;

        environmentFile = pkgs.writeText "tailscale-exporter-env" ''

          TAILSCALE_OAUTH_CLIENT_ID=12345678

          TAILSCALE_OAUTH_CLIENT_SECRET=12345678

          TAILSCALE_TAILNET=example.com

        '';

      };

      exporterTest = ''

        wait_for_unit("prometheus-tailscale-exporter.service")

        wait_for_open_port(9250)

        succeed("curl -sSf localhost:9250/metrics | grep 'tailscale_up{tailnet=\"example.com\"} 1'")

      '';

    };

    unpoller = {

      nodeName = "unpoller";

      exporterConfig.enable = true;