feat(gerrit): push pyroscope profiling to Pyroscope

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-23 20:49:37 +02:00 · 2024-08-23 20:49:37 +02:00 · 4f4a25a5ad
parent 702867cd62
commit 4f4a25a5ad
2 changed files with 64 additions and 0 deletions
--- a/hosts/gerrit01/default.nix
+++ b/hosts/gerrit01/default.nix
@ -30,6 +30,7 @@

  bagel.services.gerrit = {
    enable = true;
+    pyroscope.enable = true;
    domains = [
      "cl.forkos.org"
    ];
--- a/services/gerrit/default.nix
+++ b/services/gerrit/default.nix
@ -12,6 +12,10 @@ in
 {
  options.bagel.services.gerrit = {
    enable = mkEnableOption "Gerrit";
+    pyroscope.enable = mkEnableOption ''Pyroscope client,
+      this will send profiling of all Java processes on the current host
+      to our Pyroscope instance.
+    '';
    domains = mkOption {
      type = types.listOf types.str;
      description = "List of domains that Gerrit will answer to";
@ -41,6 +45,7 @@ in

  config = mkIf cfg.enable {
    networking.firewall.allowedTCPPorts = [ cfg.port ];
+    age.secrets.alloy-push-password.file = ../../secrets/metrics-push-password.age;

    environment.systemPackages = [ jdk pkgs.git ];

@ -55,6 +60,64 @@ in
    };
    users.groups.git = {};

+    services.alloy = {
+      enable = cfg.pyroscope.enable;
+      extraFlags = [
+        # Debugging interface.
+        "--server.http.listen-addr=127.0.0.1:15555"
+      ];
+    };
+    systemd.services.alloy.serviceConfig = {
+      User = lib.mkForce "root";
+      Group = lib.mkForce "root";
+      DynamicUser = lib.mkForce false;
+    };
+    systemd.services.alloy.serviceConfig.LoadCredential = [ "password:${config.age.secrets.alloy-push-password.path}" ];
+    environment.etc."alloy/config.alloy".text = ''
+      pyroscope.write "production" {
+        endpoint {
+          url = "https://pyroscope.forkos.org"
+          basic_auth {
+            username = "promtail"
+            password_file = "/run/credentials/password"
+          }
+        }
+      }
+
+      discovery.process "all" {
+        refresh_interval = "60s"
+        discover_config {
+          cwd = true
+          exe = true
+          commandline = true
+          username = true
+          uid = true
+          container_id = true
+        }
+      }
+
+      discovery.relabel "java" {
+        targets = discovery.process.all.targets
+        rule {
+          action = "keep"
+          regex = ".*/java$"
+          source_labels = ["__meta_process_exe"]
+        }
+      }
+
+      pyroscope.java "java" {
+        targets = discovery.relabel.java.output
+        forward_to = [pyroscope.write.production.receiver]
+        profiling_config {
+          interval = "60s"
+          alloc = "512k"
+          cpu = true
+          sample_rate = 100
+          lock = "1ms"
+        }
+      }
+    '';
+
    services.gerrit = {
      enable = true;
      listenAddress = "[::]:4778"; # 4778 - grrt