From 689eb49d4261296acefcc175d93e77f6599b4ed9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 10 Nov 2020 10:15:54 +0100 Subject: [PATCH 1/5] nixos/loki: add logcli to system path Admins quite likely want to query loki for debugging purpose. --- nixos/modules/services/monitoring/loki.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/modules/services/monitoring/loki.nix b/nixos/modules/services/monitoring/loki.nix index f4eec7e0d28..d5e7beeb043 100644 --- a/nixos/modules/services/monitoring/loki.nix +++ b/nixos/modules/services/monitoring/loki.nix @@ -78,6 +78,8 @@ in { ''; }]; + environment.systemPackages = [ pkgs.grafana-loki ]; # logcli + users.groups.${cfg.group} = { }; users.users.${cfg.user} = { description = "Loki Service User"; From 88d1da8e5d94202c88d65816bb5793829f1baa7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 10 Nov 2020 10:28:06 +0100 Subject: [PATCH 2/5] nixos/promtail: use json type for configuration --- nixos/modules/services/logging/promtail.nix | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/nixos/modules/services/logging/promtail.nix b/nixos/modules/services/logging/promtail.nix index 834bb99bb1d..1d3e9d8e9b9 100644 --- a/nixos/modules/services/logging/promtail.nix +++ b/nixos/modules/services/logging/promtail.nix @@ -11,20 +11,7 @@ in { enable = mkEnableOption "the Promtail ingresser"; configuration = mkOption { - type = with lib.types; let - valueType = nullOr (oneOf [ - bool - int - float - str - (lazyAttrsOf valueType) - (listOf valueType) - ]) // { - description = "JSON value"; - emptyValue.value = {}; - deprecationMessage = null; - }; - in valueType; + type = (pkgs.formats.json {}).type; description = '' Specify the configuration for Promtail in Nix. ''; From 4c64fa224eca82883088852914fa8fd28789dc32 Mon Sep 17 00:00:00 2001 
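Review bot: The added `environment.systemPackages = [ pkgs.grafana-loki ];` line in loki.nix installs the whole package system-wide, while its `# logcli` comment suggests only the query client is meant. Any other executables the package ships (presumably the server binaries too) become available to every local user. The hunk does not show whether the line sits under the module's enable guard, so that is worth confirming. A fuller comment would help the next reader, for example `# whole package on PATH so admins can run logcli against this instance`.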
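Review bot: The `configuration` option in promtail.nix now accepts arbitrary JSON, but its description still says only "Specify the configuration for Promtail in Nix." and does not warn that the rendered file is world-readable. The file is a derivation output (`> $out` in the context lines of patch 4/5), so credentials placed in this attribute set, such as client authentication for the push endpoint, would sit in the Nix store. A sentence like `Values end up world-readable in the Nix store, so do not put secrets here.` in the description would cover it. Since the type now comes from `pkgs.formats.json`, the file could also be produced with that format's `generate` function rather than `echo '…' | jq`, whose shell quoting breaks if any string contains a single quote. The Loki `configuration` option changed in patch 3/5 deserves the same caveat if its file is built the same way, which that hunk does not show.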
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 10 Nov 2020 10:29:18 +0100 Subject: [PATCH 3/5] nixos/loki: mergeable configuration type.attrs is not mergable --- nixos/modules/services/monitoring/loki.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/services/monitoring/loki.nix b/nixos/modules/services/monitoring/loki.nix index d5e7beeb043..51cabaa274a 100644 --- a/nixos/modules/services/monitoring/loki.nix +++ b/nixos/modules/services/monitoring/loki.nix @@ -39,7 +39,7 @@ in { }; configuration = mkOption { - type = types.attrs; + type = (pkgs.formats.json {}).type; default = {}; description = '' Specify the configuration for Loki in Nix. From 31a0b5dff6d9baa8c7aee4f77c379ed8fd3d1e19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 10 Nov 2020 10:36:53 +0100 Subject: [PATCH 4/5] nixos/promtail: fix access to journal --- nixos/modules/services/logging/promtail.nix | 4 ++++ nixos/tests/loki.nix | 2 ++ 2 files changed, 6 insertions(+) diff --git a/nixos/modules/services/logging/promtail.nix b/nixos/modules/services/logging/promtail.nix index 1d3e9d8e9b9..19b12daa415 100644 --- a/nixos/modules/services/logging/promtail.nix +++ b/nixos/modules/services/logging/promtail.nix @@ -6,10 +6,12 @@ let echo '${builtins.toJSON conf}' | ${pkgs.buildPackages.jq}/bin/jq 'del(._module)' > $out ''; + allowSystemdJournal = cfg.configuration ? scrape_configs && lib.any (v: v ? journal) cfg.configuration.scrape_configs; in { options.services.promtail = with types; { enable = mkEnableOption "the Promtail ingresser"; + configuration = mkOption { type = (pkgs.formats.json {}).type; description = '' @@ -67,6 +69,8 @@ in { RestrictRealtime = true; MemoryDenyWriteExecute = true; PrivateUsers = true; + + SupplementaryGroups = lib.optional (allowSystemdJournal) "systemd-journal"; } // (optionalAttrs (!pkgs.stdenv.isAarch64) { # FIXME: figure out why this breaks on aarch64 SystemCallFilter = "@system-service"; }); 
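Review bot: `allowSystemdJournal` in promtail.nix widens the unit's privileges implicitly, and nothing in the module tells the admin. The mere presence of a `journal` key in any `scrape_configs` entry (even one set to null, which the JSON type permits) adds the `systemd-journal` group through `SupplementaryGroups` in the second hunk. Membership in that group lets promtail read the log output of every unit on the host, which it then forwards to Loki. That deserves a comment at the definition, e.g. `# a journal scrape needs read access to the system journal; grants systemd-journal, i.e. all units' logs`, and ideally a mention in the option description. Separately, `lib.any` aborts evaluation with an unhelpful error if `scrape_configs` is not a list, and the parentheses in `lib.optional (allowSystemdJournal)` are redundant.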
diff --git a/nixos/tests/loki.nix b/nixos/tests/loki.nix index eaee717cf87..bede775b7d3 100644 --- a/nixos/tests/loki.nix +++ b/nixos/tests/loki.nix @@ -45,6 +45,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: machine.wait_for_open_port(3100) machine.wait_for_open_port(9080) machine.succeed("echo 'Loki Ingestion Test' > /var/log/testlog") + # should not have access to journal unless specified + machine.fail("systemctl show --property=SupplementaryGroups promtail | grep -q systemd-journal") machine.wait_until_succeeds( "${pkgs.grafana-loki}/bin/logcli --addr='http://localhost:3100' query --no-labels '{job=\"varlogs\",filename=\"/var/log/testlog\"}' | grep -q 'Loki Ingestion Test'" ) From 37a7436356c4d28e7c85bb3bf8bb453fe20e145c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 10 Nov 2020 10:46:30 +0100 Subject: [PATCH 5/5] loki: reference nixosTests --- pkgs/servers/monitoring/loki/default.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/pkgs/servers/monitoring/loki/default.nix b/pkgs/servers/monitoring/loki/default.nix index c4bfeed8c88..f1cefdc0b1d 100644 --- a/pkgs/servers/monitoring/loki/default.nix +++ b/pkgs/servers/monitoring/loki/default.nix @@ -1,4 +1,12 @@ -{ stdenv, lib, buildGoModule, fetchFromGitHub, makeWrapper, systemd, fetchpatch }: +{ stdenv +, lib +, buildGoModule +, fetchFromGitHub +, makeWrapper +, nixosTests +, systemd +, fetchpatch +}: buildGoModule rec { version = "2.0.0"; @@ -32,6 +40,8 @@ buildGoModule rec { --prefix LD_LIBRARY_PATH : "${lib.getLib systemd}/lib" ''; + passthru.tests = { inherit (nixosTests) loki; }; + doCheck = true; meta = with stdenv.lib; {
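Review bot: The new assertion in nixos/tests/loki.nix covers only the default case, so the branch that actually grants `systemd-journal` is never exercised and a typo in the `journal` detection would leave this test green. `machine.fail` on a `… | grep -q` pipeline also passes whenever the property line lacks the string for any reason, including a misspelled unit name. Consider a second node or phase whose promtail config contains a journal scrape, with the mirror check `machine.succeed("systemctl show --property=SupplementaryGroups promtail | grep -q systemd-journal")`. The test script body starts and ends outside this hunk.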