author | Philipp Kern <phil@philkern.de> | 2020-10-31 20:52:13 +0100 |
committer | GitHub <noreply@github.com> | 2020-10-31 20:52:13 +0100 |
commit | ec6b0950efcafeb6b431de068a7f61eca7797a85 (patch) | |
tree | 0e5e8719803ae4a73ed8a7d9c605479b4207f06d /nixos/modules/services | |
parent | eaaf9254aafe298dbb9168ac051738a820f644a6 (diff) | |
nixos/prometheus: Support environmentFile (#97933)
For the same reason that Alertmanager supports environmentFile for passing secrets, it is useful to support it for the Prometheus configuration as well, so that bearer tokens can be kept outside the Nix store.
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/monitoring/prometheus/default.nix | 48 |
1 files changed, 47 insertions, 1 deletions
diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix
index 98aaa9c0f03..72428957109 100644
--- a/nixos/modules/services/monitoring/prometheus/default.nix
+++ b/nixos/modules/services/monitoring/prometheus/default.nix
@@ -45,7 +45,7 @@ let
 cmdlineArgs = cfg.extraFlags ++ [
 "--storage.tsdb.path=${workingDir}/data/"
- "--config.file=${prometheusYml}"
+ "--config.file=/run/prometheus/prometheus-substituted.yaml"
 "--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}"
 "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}"
 "--alertmanager.timeout=${toString cfg.alertmanagerTimeout}s"
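Review bot: The new `--config.file` value makes the substitution step unconditional: Prometheus now always loads the envsubst output, even when `environmentFile` is left at `null`, and the `preStart` added in the last hunk runs for every deployment. Any `$NAME` or `${NAME}` sequence that a generated configuration already contains is therefore rewritten, or blanked when the name is not set in the environment, which existing deployments never opted into; whether numbered references such as the `$1` used in Prometheus relabel replacements are touched depends on envsubst's parser and is worth checking. Gating both this argument and the `preStart` on the option, e.g. `"--config.file=${if cfg.environmentFile != null then "/run/prometheus/prometheus-substituted.yaml" else prometheusYml}"`, would preserve the previous behaviour for users who do not set `environmentFile`. The enclosing `let` block continues outside the hunk.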
@@ -522,6 +522,45 @@ in {
 '';
 };
+ environmentFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = "/root/prometheus.env";
+ description = ''
+ Environment file as defined in <citerefentry>
+ <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>.
+
+ Secrets may be passed to the service without adding them to the
+ world-readable Nix store, by specifying placeholder variables as
+ the option value in Nix and setting these variables accordingly in the
+ environment file.
+
+ Environment variables from this file will be interpolated into the
+ config file using envsubst with this syntax:
+ <literal>$ENVIRONMENT ''${VARIABLE}</literal>
+
+ <programlisting>
+ # Example scrape config entry handling an OAuth bearer token
+ {
+ job_name = "home_assistant";
+ metrics_path = "/api/prometheus";
+ scheme = "https";
+ bearer_token = "\''${HOME_ASSISTANT_BEARER_TOKEN}";
+ [...]
+ }
+ </programlisting>
+
+ <programlisting>
+ # Content of the environment file
+ HOME_ASSISTANT_BEARER_TOKEN=someoauthbearertoken
+ </programlisting>
+
+ Note that this file needs to be available on the host on which
+ <literal>Prometheus</literal> is running.
+ '';
+ };
+
 configText = mkOption {
 type = types.nullOr types.lines;
 default = null;
@@ -662,12 +701,19 @@ in {
 systemd.services.prometheus = {
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
+ preStart = ''
+ ${lib.getBin pkgs.envsubst}/bin/envsubst -o "/run/prometheus/prometheus-substituted.yaml" \
+ -i "${prometheusYml}"
+ '';
 serviceConfig = {
 ExecStart = "${cfg.package}/bin/prometheus" + optionalString (length cmdlineArgs != 0) (" \\\n " + concatStringsSep " \\\n " cmdlineArgs);
 User = "prometheus";
 Restart = "always";
+ EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
+ RuntimeDirectory = "prometheus";
+ RuntimeDirectoryMode = "0700";
 WorkingDirectory = workingDir;
 StateDirectory = cfg.stateDir;
 };
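Review bot: The `environmentFile` description does not say who reads the file or where the interpolated result ends up, and both decide whether the secret actually stays private. The file is consumed by systemd through `EnvironmentFile=`, so it has to be readable by root only (the `/root/prometheus.env` example hints at this without stating it), and the rendered configuration is written to `/run/prometheus/prometheus-substituted.yaml` inside a runtime directory that the last hunk creates with mode 0700 for the service user. A closing sentence such as `The file is read by systemd and should be owned by root with mode 0600; the interpolated configuration is written to /run/prometheus/prometheus-substituted.yaml, which is accessible only to the prometheus user.` would cover both points. The option is also silent on the fact that the substitution applies to the whole generated config rather than only to placeholders introduced for secrets.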
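Review bot: The `preStart` envsubst call does not turn a missing secret into a start failure: with envsubst's default behaviour an unset or empty variable is replaced by the empty string, so a misspelt name in the environment file produces a config with an empty `bearer_token` that Prometheus accepts, and the problem only surfaces later as scrape errors rather than at unit start. Passing `-no-unset -no-empty` makes the pre-start step exit non-zero instead, which is the fail-closed behaviour one wants for credentials: `${lib.getBin pkgs.envsubst}/bin/envsubst -no-unset -no-empty -o "/run/prometheus/prometheus-substituted.yaml" \`. Separately, if the module validates `prometheusYml` at build time (not visible in this hunk), that check no longer covers the file Prometheus actually loads; validating the substituted file in the same `preStart` would restore it. The `systemd.services.prometheus` attribute set continues past the end of the hunk.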