diff options
Diffstat (limited to 'infra/libkookie/nixpkgs/nixos/modules/services/logging')
-rw-r--r-- | infra/libkookie/nixpkgs/nixos/modules/services/logging/promtail.nix | 86 | ||||
-rw-r--r-- | infra/libkookie/nixpkgs/nixos/modules/services/logging/vector.nix | 61 |
2 files changed, 147 insertions, 0 deletions
diff --git a/infra/libkookie/nixpkgs/nixos/modules/services/logging/promtail.nix b/infra/libkookie/nixpkgs/nixos/modules/services/logging/promtail.nix new file mode 100644 index 000000000000..19b12daa4152 --- /dev/null +++ b/infra/libkookie/nixpkgs/nixos/modules/services/logging/promtail.nix @@ -0,0 +1,86 @@ +{ config, lib, pkgs, ... }: with lib; +let + cfg = config.services.promtail; + + prettyJSON = conf: pkgs.runCommandLocal "promtail-config.json" {} '' + echo '${builtins.toJSON conf}' | ${pkgs.buildPackages.jq}/bin/jq 'del(._module)' > $out + ''; + + allowSystemdJournal = cfg.configuration ? scrape_configs && lib.any (v: v ? journal) cfg.configuration.scrape_configs; +in { + options.services.promtail = with types; { + enable = mkEnableOption "the Promtail ingresser"; + + + configuration = mkOption { + type = (pkgs.formats.json {}).type; + description = '' + Specify the configuration for Promtail in Nix. + ''; + }; + + extraFlags = mkOption { + type = listOf str; + default = []; + example = [ "--server.http-listen-port=3101" ]; + description = '' + Specify a list of additional command line flags, + which get escaped and are then passed to Loki. + ''; + }; + }; + + config = mkIf cfg.enable { + services.promtail.configuration.positions.filename = mkDefault "/var/cache/promtail/positions.yaml"; + + systemd.services.promtail = { + description = "Promtail log ingress"; + wantedBy = [ "multi-user.target" ]; + stopIfChanged = false; + + serviceConfig = { + Restart = "on-failure"; + + ExecStart = "${pkgs.grafana-loki}/bin/promtail -config.file=${prettyJSON cfg.configuration} ${escapeShellArgs cfg.extraFlags}"; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + CacheDirectory = "promtail"; + + User = "promtail"; + Group = "promtail"; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + + ProtectKernelModules = true; + SystemCallArchitectures = "native"; + ProtectKernelLogs = true; + ProtectClock = true; + + LockPersonality = true; + ProtectHostname = true; + RestrictRealtime = true; + MemoryDenyWriteExecute = true; + PrivateUsers = true; + + SupplementaryGroups = lib.optional (allowSystemdJournal) "systemd-journal"; + } // (optionalAttrs (!pkgs.stdenv.isAarch64) { # FIXME: figure out why this breaks on aarch64 + SystemCallFilter = "@system-service"; + }); + }; + + users.groups.promtail = {}; + users.users.promtail = { + description = "Promtail service user"; + isSystemUser = true; + group = "promtail"; + }; + }; +} diff --git a/infra/libkookie/nixpkgs/nixos/modules/services/logging/vector.nix b/infra/libkookie/nixpkgs/nixos/modules/services/logging/vector.nix new file mode 100644 index 000000000000..a7c54ad75fde --- /dev/null +++ b/infra/libkookie/nixpkgs/nixos/modules/services/logging/vector.nix @@ -0,0 +1,61 @@ +{ config, lib, pkgs, ... }: + +with lib; +let cfg = config.services.vector; + +in { + options.services.vector = { + enable = mkEnableOption "Vector"; + + journaldAccess = mkOption { + type = types.bool; + default = false; + description = '' + Enable Vector to access journald. + ''; + }; + + settings = mkOption { + type = (pkgs.formats.json { }).type; + default = { }; + description = '' + Specify the configuration for Vector in Nix. + ''; + }; + }; + + config = mkIf cfg.enable { + + users.groups.vector = { }; + users.users.vector = { + description = "Vector service user"; + group = "vector"; + isSystemUser = true; + }; + systemd.services.vector = { + description = "Vector event and log aggregator"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + requires = [ "network-online.target" ]; + serviceConfig = let + format = pkgs.formats.toml { }; + conf = format.generate "vector.toml" cfg.settings; + validateConfig = file: + pkgs.runCommand "validate-vector-conf" { } '' + ${pkgs.vector}/bin/vector validate --no-topology --no-environment "${file}" + ln -s "${file}" "$out" + ''; + in { + ExecStart = "${pkgs.vector}/bin/vector --config ${validateConfig conf}"; + User = "vector"; + Group = "vector"; + Restart = "no"; + StateDirectory = "vector"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + # This group is required for accessing journald. + SupplementaryGroups = mkIf cfg.journaldAccess "systemd-journal"; + }; + }; + }; +} |