diff options
Diffstat (limited to 'nixos/modules/services/logging')
-rw-r--r-- | nixos/modules/services/logging/graylog.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/logging/logstash.nix | 7 | ||||
-rw-r--r-- | nixos/modules/services/logging/promtail.nix | 87 | ||||
-rw-r--r-- | nixos/modules/services/logging/vector.nix | 64 |
4 files changed, 156 insertions, 8 deletions
diff --git a/nixos/modules/services/logging/graylog.nix b/nixos/modules/services/logging/graylog.nix index a889a44d4b2..af70d27fcf9 100644 --- a/nixos/modules/services/logging/graylog.nix +++ b/nixos/modules/services/logging/graylog.nix @@ -39,7 +39,6 @@ in type = types.package; default = pkgs.graylog; defaultText = "pkgs.graylog"; - example = literalExample "pkgs.graylog"; description = "Graylog package to use."; }; @@ -138,14 +137,13 @@ in "d '${cfg.messageJournalDir}' - ${cfg.user} - - -" ]; - systemd.services.graylog = with pkgs; { + systemd.services.graylog = { description = "Graylog Server"; wantedBy = [ "multi-user.target" ]; environment = { - JAVA_HOME = jre; GRAYLOG_CONF = "${confFile}"; }; - path = [ pkgs.jre_headless pkgs.which pkgs.procps ]; + path = [ pkgs.which pkgs.procps ]; preStart = '' rm -rf /var/lib/graylog/plugins || true mkdir -p /var/lib/graylog/plugins -m 755 diff --git a/nixos/modules/services/logging/logstash.nix b/nixos/modules/services/logging/logstash.nix index bf92425f998..7a2f5681612 100644 --- a/nixos/modules/services/logging/logstash.nix +++ b/nixos/modules/services/logging/logstash.nix @@ -100,7 +100,7 @@ in inputConfig = mkOption { type = types.lines; - default = ''generator { }''; + default = "generator { }"; description = "Logstash input configuration."; example = '' # Read from journal @@ -131,7 +131,7 @@ in outputConfig = mkOption { type = types.lines; - default = ''stdout { codec => rubydebug }''; + default = "stdout { codec => rubydebug }"; description = "Logstash output configuration."; example = '' redis { host => ["localhost"] data_type => "list" key => "logstash" codec => json } @@ -159,10 +159,9 @@ in ###### implementation config = mkIf cfg.enable { - systemd.services.logstash = with pkgs; { + systemd.services.logstash = { description = "Logstash Daemon"; wantedBy = [ "multi-user.target" ]; - environment = { JAVA_HOME = jre; }; path = [ pkgs.bash ]; serviceConfig = { ExecStartPre = ''${pkgs.coreutils}/bin/mkdir -p "${cfg.dataDir}" ; ${pkgs.coreutils}/bin/chmod 700 "${cfg.dataDir}"''; diff --git a/nixos/modules/services/logging/promtail.nix b/nixos/modules/services/logging/promtail.nix new file mode 100644 index 00000000000..34211687dc1 --- /dev/null +++ b/nixos/modules/services/logging/promtail.nix @@ -0,0 +1,87 @@ +{ config, lib, pkgs, ... }: with lib; +let + cfg = config.services.promtail; + + prettyJSON = conf: pkgs.runCommandLocal "promtail-config.json" {} '' + echo '${builtins.toJSON conf}' | ${pkgs.buildPackages.jq}/bin/jq 'del(._module)' > $out + ''; + + allowSystemdJournal = cfg.configuration ? scrape_configs && lib.any (v: v ? journal) cfg.configuration.scrape_configs; +in { + options.services.promtail = with types; { + enable = mkEnableOption "the Promtail ingresser"; + + + configuration = mkOption { + type = (pkgs.formats.json {}).type; + description = '' + Specify the configuration for Promtail in Nix. + ''; + }; + + extraFlags = mkOption { + type = listOf str; + default = []; + example = [ "--server.http-listen-port=3101" ]; + description = '' + Specify a list of additional command line flags, + which get escaped and are then passed to Loki. + ''; + }; + }; + + config = mkIf cfg.enable { + services.promtail.configuration.positions.filename = mkDefault "/var/cache/promtail/positions.yaml"; + + systemd.services.promtail = { + description = "Promtail log ingress"; + wantedBy = [ "multi-user.target" ]; + stopIfChanged = false; + + serviceConfig = { + Restart = "on-failure"; + TimeoutStopSec = 10; + + ExecStart = "${pkgs.grafana-loki}/bin/promtail -config.file=${prettyJSON cfg.configuration} ${escapeShellArgs cfg.extraFlags}"; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + CacheDirectory = "promtail"; + + User = "promtail"; + Group = "promtail"; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + + ProtectKernelModules = true; + SystemCallArchitectures = "native"; + ProtectKernelLogs = true; + ProtectClock = true; + + LockPersonality = true; + ProtectHostname = true; + RestrictRealtime = true; + MemoryDenyWriteExecute = true; + PrivateUsers = true; + + SupplementaryGroups = lib.optional (allowSystemdJournal) "systemd-journal"; + } // (optionalAttrs (!pkgs.stdenv.isAarch64) { # FIXME: figure out why this breaks on aarch64 + SystemCallFilter = "@system-service"; + }); + }; + + users.groups.promtail = {}; + users.users.promtail = { + description = "Promtail service user"; + isSystemUser = true; + group = "promtail"; + }; + }; +} diff --git a/nixos/modules/services/logging/vector.nix b/nixos/modules/services/logging/vector.nix new file mode 100644 index 00000000000..be36b2a41bb --- /dev/null +++ b/nixos/modules/services/logging/vector.nix @@ -0,0 +1,64 @@ +{ config, lib, pkgs, ... }: + +with lib; +let cfg = config.services.vector; + +in +{ + options.services.vector = { + enable = mkEnableOption "Vector"; + + journaldAccess = mkOption { + type = types.bool; + default = false; + description = '' + Enable Vector to access journald. + ''; + }; + + settings = mkOption { + type = (pkgs.formats.json { }).type; + default = { }; + description = '' + Specify the configuration for Vector in Nix. + ''; + }; + }; + + config = mkIf cfg.enable { + + users.groups.vector = { }; + users.users.vector = { + description = "Vector service user"; + group = "vector"; + isSystemUser = true; + }; + systemd.services.vector = { + description = "Vector event and log aggregator"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + requires = [ "network-online.target" ]; + serviceConfig = + let + format = pkgs.formats.toml { }; + conf = format.generate "vector.toml" cfg.settings; + validateConfig = file: + pkgs.runCommand "validate-vector-conf" { } '' + ${pkgs.vector}/bin/vector validate --no-environment "${file}" + ln -s "${file}" "$out" + ''; + in + { + ExecStart = "${pkgs.vector}/bin/vector --config ${validateConfig conf}"; + User = "vector"; + Group = "vector"; + Restart = "no"; + StateDirectory = "vector"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + # This group is required for accessing journald. + SupplementaryGroups = mkIf cfg.journaldAccess "systemd-journal"; + }; + }; + }; +} |