raito
92560708b8
Lix may have its own secrets and we want to maintain a certain generalization level on the NixOS modules, so we can decorrelate which secret we select dynamically by having a simple tenancy hierarchy system. This unfortunately requires to rewrite all call sites with a floral prefix until we migrate them to the simple internal secret module which is aware of this. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
130 lines
3.9 KiB
Nix
130 lines
3.9 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
cfg = config.bagel.monitoring.grafana-agent;
|
|
inherit (lib) mkEnableOption mkOption mkIf types;
|
|
passwordAsCredential = "\${CREDENTIALS_DIRECTORY}/password";
|
|
in
|
|
{
|
|
options.bagel.monitoring.grafana-agent = {
|
|
enable = (mkEnableOption "Grafana Agent") // { default = true; };
|
|
|
|
exporters = mkOption {
|
|
description = ''
|
|
Set of additional exporters to scrape.
|
|
|
|
The attribute name will be used as `job_name`
|
|
internally, which ends up exported as `job` label
|
|
on all metrics of that exporter.
|
|
'';
|
|
type = types.attrsOf (types.submodule ({ config, name, ... }: {
|
|
options.port = mkOption {
|
|
description = "Exporter port";
|
|
type = types.int;
|
|
};
|
|
options.bearerTokenFile = mkOption {
|
|
description = "File containing a bearer token";
|
|
type = types.nullOr types.path;
|
|
default = null;
|
|
};
|
|
|
|
options.scrapeConfig = mkOption {
|
|
description = "Prometheus scrape config";
|
|
type = types.attrs;
|
|
};
|
|
config.scrapeConfig = lib.mkMerge [{
|
|
job_name = name;
|
|
static_configs = [
|
|
{ targets = [ "localhost:${toString config.port}" ]; }
|
|
];
|
|
} (lib.mkIf (config.bearerTokenFile != null) {
|
|
authorization.credentials_file = "\${CREDENTIALS_DIRECTORY}/${name}-bearer-token";
|
|
})];
|
|
|
|
options.secrets = mkOption {
|
|
description = "Secrets required for scrape config";
|
|
type = types.attrs;
|
|
internal = true;
|
|
default = {};
|
|
};
|
|
config.secrets = lib.mkIf (config.bearerTokenFile != null) {
|
|
"${name}-bearer-token" = config.bearerTokenFile;
|
|
};
|
|
}));
|
|
default = {};
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
age.secrets.grafana-agent-password.file = ../../secrets/floral/metrics-push-password.age;
|
|
|
|
services.grafana-agent = {
|
|
enable = true;
|
|
credentials = lib.mkMerge ([{ password = config.age.secrets.grafana-agent-password.path; }] ++
|
|
lib.mapAttrsToList (name: value: value.secrets) config.bagel.monitoring.grafana-agent.exporters);
|
|
settings = {
|
|
metrics = {
|
|
global.remote_write = [
|
|
{
|
|
url = "https://mimir.forkos.org/api/v1/push";
|
|
basic_auth = {
|
|
username = "promtail";
|
|
password_file = passwordAsCredential;
|
|
};
|
|
}
|
|
];
|
|
global.external_labels.hostname = config.networking.hostName;
|
|
configs = [
|
|
{
|
|
name = config.networking.hostName;
|
|
scrape_configs = lib.mapAttrsToList (name: value: value.scrapeConfig) config.bagel.monitoring.grafana-agent.exporters;
|
|
}
|
|
];
|
|
};
|
|
logs = {
|
|
global.clients = [
|
|
{
|
|
url = "https://loki.forkos.org/loki/api/v1/push";
|
|
basic_auth = {
|
|
username = "promtail";
|
|
password_file = passwordAsCredential;
|
|
};
|
|
}
|
|
];
|
|
configs = [
|
|
{
|
|
name = "journald";
|
|
scrape_configs = [
|
|
{
|
|
job_name = "system";
|
|
journal = {
|
|
max_age = "12h";
|
|
labels = {
|
|
job = "systemd-journal";
|
|
host = config.networking.hostName;
|
|
};
|
|
};
|
|
relabel_configs = [
|
|
{
|
|
source_labels = [ "__journal__systemd_unit" ];
|
|
target_label = "unit";
|
|
}
|
|
];
|
|
}
|
|
];
|
|
}
|
|
];
|
|
positions_directory = "\${STATE_DIRECTORY}/positions";
|
|
};
|
|
integrations.node_exporter.enable_collectors = [
|
|
"processes"
|
|
"systemd"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
}
|