feat(pyroscope): add secrets and storage

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-08-23 20:19:55 +02:00 · 2024-08-23 20:19:55 +02:00 · ac7815321a
parent db46b01ae9
commit ac7815321a
4 changed files with 44 additions and 2 deletions
--- a/secrets.nix
+++ b/secrets.nix
@ -15,6 +15,8 @@ let
    grafana-oauth-secret = [ machines.meta01 ];
    loki-environment = [ machines.meta01 ];
    gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ];
+    pyroscope-secrets = [ machines.meta01 ];
+

    buildbot-worker-password = [ machines.buildbot ];
    buildbot-oauth-secret = [ machines.buildbot ];
--- a/secrets/pyroscope-secrets.age
+++ b/secrets/pyroscope-secrets.age
--- a/services/monitoring/pyroscope/default.nix
+++ b/services/monitoring/pyroscope/default.nix
@ -14,6 +14,40 @@ in
  ];

  config = mkIf cfg.enable {
-    services.pyroscope.enable = true;
+    age.secrets.pyroscope-secrets.file = ../../../secrets/pyroscope-secrets.age;
+    services.pyroscope = {
+      enable = true;
+      secretFile = config.age.secrets.pyroscope-secrets.path;
+      settings = {
+        target = "all";
+        multitenancy_enabled = false;
+
+        api.base-url = "https://pyroscope.forkos.org";
+        analytics.reporting_enabled = false;
+
+        storage = {
+          backend = "s3";
+          s3 = {
+            endpoint = "s3.delroth.net";
+            region = "garage";
+            bucket_name = "bagel-pyroscope";
+            access_key_id = "\${S3_KEY_ID}";
+            secret_access_key = "\${S3_KEY}";
+            force_path_style = true;
+          };
+        };
+        server = {
+          grpc_listen_port = 9097;
+          grpc_server_max_recv_msg_size = 104857600;
+          grpc_server_max_send_msg_size = 104857600;
+          grpc_server_max_concurrent_streams = 1000;
+        };
+
+        memberlist = {
+          advertise_port = 7948;
+          bind_port = 7948;
+        };
+      };
+    };
  };
 }
--- a/services/monitoring/pyroscope/module.nix
+++ b/services/monitoring/pyroscope/module.nix
@ -9,6 +9,9 @@ in
  options.services.pyroscope = {
    enable = mkEnableOption "pyroscope, a continuous profiling platform";
    package = mkPackageOption pkgs "pyroscope" { };
+    secretFile = mkOption {
+      type = types.path;
+    };
    settings = mkOption {
      description = "Pyroscope settings. See <>";

@ -22,14 +25,17 @@ in
    systemd.services.pyroscope = {
      description = "Pyroscope server - a continuous profiling platform";
      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
      serviceConfig = {
-        ExecStart = "${cfg.package}/bin/pyroscope -config.file ${configFile}";
+        ExecStart = "${cfg.package}/bin/pyroscope -config.file ${configFile} -config.expand-env";
        WorkingDirectory = "/var/lib/pyroscope";
        User = "pyroscope";
        DynamicUser = true;
        Restart = "on-failure";
        RuntimeDirectory = "pyroscope";
        StateDirectory = "pyroscope";
+        EnvironmentFile = [ cfg.secretFile ];
      };
    };
  };