feat(access): monitoring

2026-02-09 04:19:19 -08:00 · 2024-05-30 15:09:27 -07:00 · 2024-05-30 15:09:27 -07:00 · 0397043f88
commit 0397043f88
parent 511a02931a
13 changed files with 323 additions and 94 deletions
--- a/modules/nixos/monitoring/ingest/grafana.nix
+++ b/modules/nixos/monitoring/ingest/grafana.nix
@ -1,11 +1,19 @@
-_: {
+{
+  config,
+  system,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkDefault;
+  cfg = config.services.grafana;
+  service = system.exports.services.grafana;
+in {
  services.grafana = {
-    #enable = true;
    settings.server = {
-      domain = "gensokyo.zone";
-      http_port = 9092;
-      http_addr = "0.0.0.0";
-      root_url = "https://mon.gensokyo.zone";
+      domain = mkDefault config.networking.domain;
+      http_port = mkDefault 9092;
+      http_addr = mkDefault "::";
+      root_url = mkDefault "https://${service.id}.${cfg.settings.server.domain}";
    };
  };
 }
--- a/modules/nixos/monitoring/ingest/loki.nix
+++ b/modules/nixos/monitoring/ingest/loki.nix
@ -1,5 +1,4 @@
 {
-  pkgs,
  config,
  lib,
  access,
@ -7,6 +6,7 @@
  ...
 }: let
  inherit (gensokyo-zone) systems;
+  inherit (lib.modules) mkIf mkOptionDefault;
  inherit (lib.attrsets) filterAttrs mapAttrsToList;
  promtailSystems =
    filterAttrs (
@ -15,61 +15,38 @@
        && system.config.exports.services.promtail.enable
    )
    systems;
-  inherit (builtins) toJSON;
-  inherit (lib.options) mkOption;
-  inherit (lib.types) port;
  cfg = config.services.loki;
 in {
-  options.services.loki.settings = {
-    httpListenPort = mkOption {
-      type = port;
-      description = "Port to listen on over HTTP";
-      default = 9093;
-    };
-    grpcListenPort = mkOption {
-      type = port;
-      description = "Port to listen on over gRPC";
-      default = 0;
-    };
-  };
  config = {
    services.loki = {
-      #enable = true;
-      configFile = pkgs.writeTextFile {
-        name = "config.yaml";
-        executable = false;
-        text = toJSON {
-          server = {
-            http_listen_port = cfg.settings.httpListenPort;
-            grpc_listen_port = cfg.settings.grpcListenPort;
-          };
-          positions = {
-            filename = "/tmp/positions.yaml";
-          };
-          clients =
-            mapAttrsToList (_: system: {
-              url = "${access.getAddressFor system.config.name "lan"}:${toString system.config.exports.services.promtail.ports.default.port}";
-            })
-            promtailSystems;
-          scrape_configs =
-            mapAttrsToList (_: system: {
-              job_name = "${system.config.name}-journal";
-              journal = {
-                max_age = "${toString (24 * 7)}h";
-                labels = {
-                  job = "systemd-journal";
-                  host = system.config.name;
-                };
-              };
-              relabel_configs = [
-                {
-                  source_labels = ["__journal__systemd_unit"];
-                  target_label = "unit";
-                }
-              ];
-            })
-            promtailSystems;
+      configuration = {
+        server = {
+          http_listen_port = mkOptionDefault 9093;
+          grpc_listen_port = mkOptionDefault 0;
        };
+        # https://grafana.com/docs/loki/latest/configure/examples/configuration-examples/#1-local-configuration-exampleyaml
+        auth_enabled = mkOptionDefault false;
+        common = {
+          ring = {
+            instance_addr = mkOptionDefault "127.0.0.1";
+            kvstore.store = mkOptionDefault "inmemory";
+          };
+          replication_factor = 1;
+          path_prefix = mkOptionDefault cfg.dataDir;
+        };
+        schema_config.configs = [
+          {
+            from = "2020-05-15";
+            store = "tsdb";
+            object_store = "filesystem";
+            schema = "v13";
+            index = {
+              prefix = "index_";
+              period = "24h";
+            };
+          }
+        ];
+        storage_config.filesystem.directory = mkOptionDefault "${cfg.dataDir}/chunks";
      };
    };
  };
--- a/modules/nixos/monitoring/source/promtail.nix
+++ b/modules/nixos/monitoring/source/promtail.nix
@ -1,27 +1,54 @@
 {
  config,
+  system,
+  access,
  lib,
  ...
 }: let
-  inherit (builtins) toString;
-  inherit (lib.options) mkOption;
-  inherit (lib.modules) mkIf;
-  inherit (lib.types) port;
+  inherit (lib.modules) mkIf mkOptionDefault;
  cfg = config.services.promtail;
 in {
-  options.services.promtail.settings = {
-    httpListenPort = mkOption {
-      type = port;
-      description = "Port to listen on over HTTP";
-      default = 9094;
+  config.services.promtail = {
+    configuration = {
+      server = {
+        http_listen_port = mkOptionDefault 9094;
+        grpc_listen_port = mkOptionDefault 0;
+      };
+      clients = let
+        baseUrl = access.proxyUrlFor { serviceName = "loki"; };
+      in [
+        {
+          url = "${baseUrl}/loki/api/v1/push";
+        }
+      ];
+      scrape_configs = [
+        {
+          job_name = "${system.name}-journald";
+          journal = {
+            max_age = "${toString (24 * 7)}h";
+            labels = {
+              job = "systemd-journald";
+              system = system.name;
+              host = config.networking.fqdn;
+            };
+          };
+          relabel_configs = [
+            {
+              source_labels = ["__journal__systemd_unit"];
+              target_label = "unit";
+            }
+          ];
+        }
+      ];
    };
  };
-  config.services.promtail = {
-    extraFlags = [
-      "--server.http-listen-port=${toString cfg.settings.httpListenPort}"
-    ];
-  };
-  config.networking.firewall.interfaces.lan = mkIf cfg.enable {
-    allowedTCPPorts = [ cfg.settings.httpListenPort ];
-  };
+  config.networking.firewall.interfaces.lan = let
+    inherit (cfg.configuration) server;
+  in
+    mkIf cfg.enable {
+      allowedTCPPorts = [
+        server.http_listen_port
+        (mkIf (server.grpc_listen_port != 0) server.grpc_listen_port)
+      ];
+    };
 }
--- a/modules/system/exports/monitoring.nix
+++ b/modules/system/exports/monitoring.nix
@ -99,7 +99,6 @@ in
    config.exports.services =
      {
        prometheus = {config, ...}: {
-          id = mkAlmostOptionDefault "prometheus";
          nixos = {
            serviceAttr = "prometheus";
            assertions = mkIf config.enable [
@ -115,7 +114,7 @@ in
          };
        };
        grafana = {config, ...}: {
-          id = mkAlmostOptionDefault "grafana";
+          id = mkAlmostOptionDefault "mon";
          nixos = {
            serviceAttr = "grafana";
            assertions = mkIf config.enable [
@ -131,26 +130,29 @@ in
          };
        };
        loki = {config, ...}: {
-          id = mkAlmostOptionDefault "loki";
+          id = mkAlmostOptionDefault "logs";
          nixos = {
            serviceAttr = "loki";
            assertions = mkIf config.enable [
-              (nixosConfig: {
-                assertion = config.ports.default.port == nixosConfig.services.loki.settings.httpListenPort;
+              (nixosConfig: let
+                inherit (nixosConfig.services.loki.configuration.server) http_listen_port;
+              in {
+                assertion = config.ports.default.port == http_listen_port;
                message = "port mismatch";
              })
              (nixosConfig: let
-                inherit (nixosConfig.services.loki.settings) grpcListenPort;
+                inherit (nixosConfig.services.loki.configuration.server) grpc_listen_port;
              in {
-                assertion = !config.ports.grpc.enable || config.ports.grpc.port == grpcListenPort;
+                assertion = !config.ports.grpc.enable || config.ports.grpc.port == grpc_listen_port;
                message = "gRPC port mismatch";
              })
              (nixosConfig: let
-                inherit (nixosConfig.services.loki.settings) grpcListenPort;
+                inherit (nixosConfig.services.loki.configuration.server) grpc_listen_port;
              in {
-                assertion = if config.ports.grpc.enable
-                  then grpcListenPort != 0
-                  else grpcListenPort == 0;
+                assertion =
+                  if config.ports.grpc.enable
+                  then grpc_listen_port != 0
+                  else grpc_listen_port == 0;
                message = "gRPC enable mismatch";
              })
            ];
@ -174,7 +176,7 @@ in
            serviceAttr = "promtail";
            assertions = mkIf config.enable [
              (nixosConfig: {
-                assertion = config.ports.default.port == nixosConfig.services.promtail.settings.httpListenPort;
+                assertion = config.ports.default.port == nixosConfig.services.promtail.configuration.server.http_listen_port;
                message = "port mismatch";
              })
            ];
@ -187,6 +189,7 @@ in
            // {
              prometheus.exporter.enable = true;
            };
+          #ports.grpc = ...
        };
      }
      // exporters;