From ac7815321a3e547f0c8d3ab4a8ff919d0ac3142e Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Fri, 23 Aug 2024 20:19:55 +0200 Subject: [PATCH] feat(pyroscope): add secrets and storage Signed-off-by: Raito Bezarius --- secrets.nix | 2 ++ secrets/pyroscope-secrets.age | Bin 0 -> 1127 bytes services/monitoring/pyroscope/default.nix | 36 +++++++++++++++++++++- services/monitoring/pyroscope/module.nix | 8 ++++- 4 files changed, 44 insertions(+), 2 deletions(-) create mode 100644 secrets/pyroscope-secrets.age diff --git a/secrets.nix b/secrets.nix index 3c4d143..e87fd0a 100644 --- a/secrets.nix +++ b/secrets.nix @@ -15,6 +15,8 @@ let grafana-oauth-secret = [ machines.meta01 ]; loki-environment = [ machines.meta01 ]; gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ]; + pyroscope-secrets = [ machines.meta01 ]; + buildbot-worker-password = [ machines.buildbot ]; buildbot-oauth-secret = [ machines.buildbot ]; diff --git a/secrets/pyroscope-secrets.age b/secrets/pyroscope-secrets.age new file mode 100644 index 0000000000000000000000000000000000000000..45bfd2ede59c4674d908565299fb2155da99f425 GIT binary patch literal 1127 zcmZY7xy$5q0LF0(8`BHBi0gojFgtJV3&hf^JWYTD^NisPmzhp9*Lc!ITDF&%y+2<$?7s`37B?@xMp3jLpJ){bUalpWZ9BA zg{Tf@b094=_@CAXW}SyU``DOy&erJk6gJCM2|N65zDC=SZdfrg63tH%qKWaD#XwbM zkB9@7wn2mKygbVicOs~LAs;f0WbM!m5j9vsWZcL*+g4UiFDaM8RD)2D0X{eGU`_W7 z3K+PBtx=qq0gq01Qi)R|YCg0OxlvS7P8?T0@qIfo(LL^THRB}^CLwXaS%4P}eid$X zKbmAanu;x?^j9bqz>*VM#V`SAt>HpD?wTErtv#eul>|PpB?PvVvcj{s z&$@;8jpk{+Kv&ctlhg&UD?ILMO`$7MUe!a*0U0{y8>G+cVKy2`6?BXnsa4E05UxNc zq9ZTri*^(V;X#^Z)>2z#o!=)@f{BR-HAH7=mFpp(X3Er%IHBFgX=JsNlr9!DTp50` zc9o3ZkJDgkHz>b=_+3Y%n}WrQ`QEENN{|%54Z+HbsHATlxX$4t!f$ay|F5LMpr=pa z6(`aTQAwd*#ofFf8jy#^BU@>dB*{YnxkNKYRJB=XU3C>hD+H`z?Rx#haJzDzECxLS-SMxU zqnz(PV?NqGMuXRXx(!`B|H$JvwtqaGKl;ht*Z!m)ZZF1{ZvFfa9bW$H;*~dFexA|R f;~(C?e)aUNFRq+#fBo>skMCpOeDLMxsZRb2Sv!TU literal 0 HcmV?d00001 
diff --git a/services/monitoring/pyroscope/default.nix b/services/monitoring/pyroscope/default.nix
index 5f9ecbf..3ed665f 100644
--- a/services/monitoring/pyroscope/default.nix
+++ b/services/monitoring/pyroscope/default.nix
@@ -14,6 +14,40 @@ in
 ];
 config = mkIf cfg.enable {
- services.pyroscope.enable = true;
+ age.secrets.pyroscope-secrets.file = ../../../secrets/pyroscope-secrets.age;
+ services.pyroscope = {
+ enable = true;
+ secretFile = config.age.secrets.pyroscope-secrets.path;
+ settings = {
+ target = "all";
+ multitenancy_enabled = false;
+
+ api.base-url = "https://pyroscope.forkos.org";
+ analytics.reporting_enabled = false;
+
+ storage = {
+ backend = "s3";
+ s3 = {
+ endpoint = "s3.delroth.net";
+ region = "garage";
+ bucket_name = "bagel-pyroscope";
+ access_key_id = "\${S3_KEY_ID}";
+ secret_access_key = "\${S3_KEY}";
+ force_path_style = true;
+ };
+ };
+ server = {
+ grpc_listen_port = 9097;
+ grpc_server_max_recv_msg_size = 104857600;
+ grpc_server_max_send_msg_size = 104857600;
+ grpc_server_max_concurrent_streams = 1000;
+ };
+
+ memberlist = {
+ advertise_port = 7948;
+ bind_port = 7948;
+ };
+ };
+ };
 };
 }
diff --git a/services/monitoring/pyroscope/module.nix b/services/monitoring/pyroscope/module.nix
index 1eeb722..35a3f63 100644
--- a/services/monitoring/pyroscope/module.nix
+++ b/services/monitoring/pyroscope/module.nix
@@ -9,6 +9,9 @@ in
 options.services.pyroscope = {
 enable = mkEnableOption "pyroscope, a continuous profiling platform";
 package = mkPackageOption pkgs "pyroscope" { };
+ secretFile = mkOption {
+ type = types.path;
+ };
 settings = mkOption {
 description = "Pyroscope settings. See <>";
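Review bot: In `services/monitoring/pyroscope/default.nix` the new `settings` disable tenancy (`multitenancy_enabled = false`) and advertise `api.base-url = "https://pyroscope.forkos.org"`, but nothing in the hunk limits who can reach the HTTP, gRPC (9097) or memberlist (7948) listeners. Pyroscope does not authenticate push or query requests on its own, so access control has to come from a reverse proxy or firewall; neither is visible in this hunk, so this may already be handled elsewhere. If the proxy runs on the same host, I would pin the listeners in the `server` block with `http_listen_address = "127.0.0.1";` and `grpc_listen_address = "127.0.0.1";`. The 100 MiB gRPC message limits and 1000 concurrent streams are only reasonable if that port is not reachable from untrusted networks. The enclosing `config = mkIf cfg.enable` block starts outside the hunk.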
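Review bot: The new `secretFile` option in `services/monitoring/pyroscope/module.nix` is declared as `types.path` with no `description`, so nothing tells a caller that the value must be a runtime path. A Nix path literal assigned here can resolve to a copy in the world-readable Nix store, which would expose the S3 credentials to every local user. I would state the contract on the option, e.g. `description = "Runtime path (not a Nix path literal) to a systemd EnvironmentFile defining S3_KEY_ID and S3_KEY; must not live in the Nix store.";`. The option also has no default, so enabling the service without a secret fails at evaluation; if a local-storage setup should stay possible, `types.nullOr types.path` with `default = null;` would allow it. The `options.services.pyroscope` set continues past the end of the hunk.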
@@ -22,14 +25,17 @@ in
 systemd.services.pyroscope = {
 description = "Pyroscope server - a continuous profiling platform";
 wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
 serviceConfig = {
- ExecStart = "${cfg.package}/bin/pyroscope -config.file ${configFile}";
+ ExecStart = "${cfg.package}/bin/pyroscope -config.file ${configFile} -config.expand-env";
 WorkingDirectory = "/var/lib/pyroscope";
 User = "pyroscope";
 DynamicUser = true;
 Restart = "on-failure";
 RuntimeDirectory = "pyroscope";
 StateDirectory = "pyroscope";
+ EnvironmentFile = [ cfg.secretFile ];
 };
 };
 };
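Review bot: With `-config.expand-env` added to `ExecStart` in `services/monitoring/pyroscope/module.nix`, every `${...}` sequence in the generated config file is substituted at start-up, not only the two S3 keys. A variable missing from `cfg.secretFile` will probably expand to an empty string rather than abort the start (worth confirming), so a broken secret file would only show up later as S3 authentication failures. The credentials also stay in the service's environment for the lifetime of the process. I would record the contract next to the new `EnvironmentFile` line, e.g. `# read by systemd, not by the pyroscope user; must define every variable that settings reference as ${VAR}`, and consider systemd's `LoadCredential=` if Pyroscope can take the keys from files. The enclosing `config` block starts outside the hunk.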