From 7c259a3905435aa5ec7f80577f1d84b535bd87a9 Mon Sep 17 00:00:00 2001 From: Hayden <22327045+hbjydev@users.noreply.github.com> Date: Sat, 1 Jun 2024 23:13:05 +0100 Subject: [PATCH] feat: switch to pkgs.nix-based alloy module & package (#17) * feat: switch to pkgs.nix-based alloy module & package * fix: include extra ports in firewall for alloy, formatting fixes * feat: update flake lockfile * feat: update alloy configs * fix: pathing issue in alloy grafana cloud module import * feat: update gc-fwd config * feat: update generic alloy config * feat: remove cachix-agent * fix: update flake.lock --- flake.lock | 85 +++++++++++++++++---- flake.nix | 42 +--------- modules/mixins/alloy-forwarder/config.alloy | 22 ++++-- modules/mixins/alloy-forwarder/default.nix | 22 ++++-- modules/mixins/alloy/config.alloy | 20 ++--- modules/mixins/alloy/default.nix | 47 ++---------- modules/mixins/docker/default.nix | 2 +- modules/mixins/ecs-agent/default.nix | 4 +- modules/mixins/github-actions/default.nix | 2 +- modules/profiles/common.nix | 2 - nix/images.nix | 18 +++++ nix/lib.nix | 24 ++++++ 12 files changed, 170 insertions(+), 120 deletions(-) create mode 100644 nix/images.nix create mode 100644 nix/lib.nix diff --git a/flake.lock b/flake.lock index c9f1c00..3a09714 100644 --- a/flake.lock +++ b/flake.lock 
@@ -5,16 +5,33 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1714641030, - "narHash": "sha256-yzcRNDoyVP7+SCNX0wmuDju1NUCt8Dz9+lyUXEI0dbI=", + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "path": "/nix/store/xvyy5vh6cg7958a26p2bqyz6jg5wkz4g-source", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "type": "path" + }, + "original": { + "id": "flake-parts", + "type": "indirect" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1715865404, + "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "e5d10a24b66c3ea8f150e47dfdb0416ab7c3390e", + "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9", "type": "github" }, "original": { - "id": "flake-parts", - "type": "indirect" + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" } }, "nixlib": { @@ -40,11 +57,11 @@ ] }, "locked": { - "lastModified": 1713783234, - "narHash": "sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE+9ytRWxsA5aWtmyI=", + "lastModified": 1716210724, + "narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "722b512eb7e6915882f39fff0e4c9dd44f42b77e", + "rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94", "type": "github" }, "original": { @@ -55,11 +72,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1714906307, - "narHash": "sha256-UlRZtrCnhPFSJlDQE7M0eyhgvuuHBTe1eJ9N9AQlJQ0=", + "lastModified": 1716948383, + "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "25865a40d14b3f9cf19f19b924e2ab4069b09588", + "rev": "ad57eef4ef0659193044870c731987a6df5cf56b", "type": "github" }, "original": { 
@@ -70,6 +87,24 @@ } }, "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1711703276, + "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib_2": { "locked": { "lastModified": 1714640452, "narHash": "sha256-QBx10+k6JWz6u7VsohfSw8g8hjdBZEf8CFzXH1/1Z94=", @@ -81,11 +116,33 @@ "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz" } }, + "pkgs-nix": { + "inputs": { + "flake-parts": "flake-parts_2", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717279556, + "narHash": "sha256-msDwm0MHE+zvAfuWXtTBVR4PQhnI/MU9XQzx+4LbUP0=", + "owner": "ALT-F4-LLC", + "repo": "pkgs.nix", + "rev": "3143fc567c8d82edadda31efe90ccc5c2d5d5c64", + "type": "github" + }, + "original": { + "owner": "ALT-F4-LLC", + "repo": "pkgs.nix", + "type": "github" + } + }, "root": { "inputs": { "flake-parts": "flake-parts", "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", + "pkgs-nix": "pkgs-nix", "srvos": "srvos" } }, @@ -96,11 +153,11 @@ ] }, "locked": { - "lastModified": 1714956769, - "narHash": "sha256-49DQpGvr5N0l7rsFMP8zSwHeSa7f9N3NiY4mgdOwPn8=", + "lastModified": 1717058062, + "narHash": "sha256-R8Gb2MlJzfBE76DVWFmfZWODMdAanqxFnK+OOmkoQ7E=", "owner": "nix-community", "repo": "srvos", - "rev": "885d705a55f5a9bd5a85cb6869358a1e5c522009", + "rev": "414d1039a58b667e4512ad9f7068aa935ebf8d59", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 3047d83..2e796a1 100644 --- a/flake.nix +++ b/flake.nix 
@@ -7,6 +7,9 @@
 
 srvos.url = "github:nix-community/srvos";
 srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+ pkgs-nix.url = "github:ALT-F4-LLC/pkgs.nix";
+ pkgs-nix.inputs.nixpkgs.follows = "nixpkgs";
 };
 
 outputs = inputs @ {flake-parts, ...}:
@@ -26,44 +29,7 @@
 
 formatter = pkgs.alejandra;
 
- packages = {
- gc-fwd = inputs.nixos-generators.nixosGenerate {
- inherit system;
- modules = [
- inputs.srvos.nixosModules.server
- inputs.srvos.nixosModules.hardware-amazon
- ./modules/profiles/common.nix
- ./modules/mixins/alloy-forwarder
- ];
- format = "amazon"; # ami
- };
-
- ecs-node = inputs.nixos-generators.nixosGenerate {
- inherit system;
- modules = [
- inputs.srvos.nixosModules.server
- inputs.srvos.nixosModules.hardware-amazon
- ./modules/profiles/common.nix
- ./modules/mixins/ecs-agent
- ];
- format = "amazon"; # ami
- };
-
- actions-runner = inputs.nixos-generators.nixosGenerate {
- inherit system;
- modules = [
- ({...}: { amazonImage.sizeMB = 6 * 1024; })
- inputs.srvos.nixosModules.server
- inputs.srvos.nixosModules.hardware-amazon
- ./modules/profiles/common.nix
- ./modules/mixins/github-actions
- ];
- specialArgs = {
- diskSize = 6 * 1024; # 6GB
- };
- format = "amazon"; # ami
- };
- };
+ packages = import ./nix/images.nix { inherit system inputs; };
 };
 };
 }
diff --git a/modules/mixins/alloy-forwarder/config.alloy b/modules/mixins/alloy-forwarder/config.alloy
index c37d37d..49d3f83 100644
--- a/modules/mixins/alloy-forwarder/config.alloy
+++ b/modules/mixins/alloy-forwarder/config.alloy
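Review bot: The new input on the `pkgs-nix.url = "github:ALT-F4-LLC/pkgs.nix";` line tracks that repository's default branch, so the Alloy package and its NixOS module now come from an out-of-tree flake with no ref or rev in flake.nix; flake.lock pins the exact commit and narHash, but every `nix flake update` silently moves to whatever the default branch holds. Since this flake builds machine images on which the agent runs as root, consider pinning a tag or commit in the URL (`github:ALT-F4-LLC/pkgs.nix/<rev>` with `<rev>` filled in) and reviewing lock bumps of this input deliberately. A short comment above the input saying why the package is not taken from nixpkgs (the dropped TODO pointed at nixpkgs PR 306048) would help the next reader.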
@@ -1,13 +1,13 @@
-import.git "gcloud" {
+import.git "grafana_cloud" {
 repository = "https://github.com/grafana/alloy-modules.git"
- path = "modules/cloud/grafana/cloud/module.river"
+ path = "modules/cloud/grafana/cloud/module.alloy"
 revision = "main"
 pull_frequency = "0s"
 }
 
-gcloud.stack "default" {
- stack_name = env("GRAFANA_CLOUD_STACK")
- token = env("GRAFANA_CLOUD_TOKEN")
+grafana_cloud.stack "receivers" {
+ stack_name = env("GRAFANA_CLOUD_STACK")
+ token = env("GRAFANA_CLOUD_TOKEN")
 }
 
 prometheus.receive_http "forward" {
@@ -22,14 +22,20 @@ prometheus.receive_http "forward" {
 
 prometheus.scrape "linux_node" {
 targets = prometheus.exporter.unix.node.targets
- forward_to = [
- grafana_cloud.stack.receivers.metrics,
- ]
+ forward_to = [ grafana_cloud.stack.receivers.metrics ]
 }
 
 prometheus.exporter.unix "node" {
 }
 
+prometheus.exporter.self "agent" {
+}
+
+prometheus.scrape "agent" {
+ targets = prometheus.exporter.self.agent.targets
+ forward_to = [ grafana_cloud.stack.receivers.metrics ]
+}
+
 loki.source.api "receive" {
 http {
 listen_address = "0.0.0.0"
diff --git a/modules/mixins/alloy-forwarder/default.nix b/modules/mixins/alloy-forwarder/default.nix
index 83e3d34..6b50c44 100644
--- a/modules/mixins/alloy-forwarder/default.nix
+++ b/modules/mixins/alloy-forwarder/default.nix
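Review bot: `import.git "grafana_cloud"` still fetches its module with `revision = "main"`, so the configuration the forwarder executes at startup is whatever the upstream branch holds at that moment; `pull_frequency = "0s"` only stops later re-pulls, it does not pin anything. Pinning `revision` to a commit SHA of grafana/alloy-modules makes the rendered pipeline reproducible and turns upstream changes into an explicit, reviewable bump rather than a silent one on the next boot. A comment on the `revision` line recording the date or reason for the chosen pin would keep that decision visible.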
@@ -1,13 +1,25 @@
-{lib, ...}: {
- imports = [../alloy];
+{ lib, ... }: {
+ imports = [ ../alloy ];
 
 # Only change from normal Alloy mixin is an overridden config file
 environment.etc."alloy/config.alloy".source = lib.mkForce ./config.alloy;
 
- virtualisation.oci-containers.containers.alloy = {
- environmentFiles = ["/run/keys/grafana-cloud"];
+ networking.firewall.allowedTCPPorts = [
+ 9090 # Prometheus
+ 3100 # Loki
+ 4317 # OTLP/gRPC
+ 4318 # OTLP/HTTP
+ ];
 
- environment = {
+ networking.firewall.allowedUDPPorts = [
+ 4317 # OTLP/gRPC
+ ];
+
+ services.alloy = {
+ extraArgs = "--stability.level public-preview";
+
+ environmentFiles = [ "/run/keys/grafana-cloud" ];
+ extraEnvironment = {
 GRAFANA_CLOUD_STACK = "altf4llc";
 };
 };
diff --git a/modules/mixins/alloy/config.alloy b/modules/mixins/alloy/config.alloy
index e79c2ba..0edad40 100644
--- a/modules/mixins/alloy/config.alloy
+++ b/modules/mixins/alloy/config.alloy
@@ -69,16 +69,7 @@ prometheus.relabel "instance" {
 }
 
 // Export system metrics
-prometheus.exporter.unix "host" {
- procfs_path = "/host/proc"
- sysfs_path = "/host/sys"
- rootfs_path = "/rootfs"
- udev_data_path = "/host/run/udev/data"
-
- filesystem {
- mount_points_exclude = "^/(sys|proc|dev|host|etc)($$|/)"
- }
-}
+prometheus.exporter.unix "host" {}
 
 // Scrape system metrics
 prometheus.scrape "host" {
@@ -86,4 +77,13 @@ prometheus.scrape "host" {
 forward_to = [prometheus.relabel.instance.receiver]
 }
 
+// Export agent metrics
+prometheus.exporter.self "agent" {}
+
+// Scrape agent metrics
+prometheus.scrape "agent" {
+ targets = prometheus.exporter.self.agent.targets
+ forward_to = [prometheus.relabel.instance.receiver]
+}
+
 // vim:ft=hcl
diff --git a/modules/mixins/alloy/default.nix b/modules/mixins/alloy/default.nix
index 16aa45b..1ea3c69 100644
--- a/modules/mixins/alloy/default.nix
+++ b/modules/mixins/alloy/default.nix
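Review bot: `networking.firewall.allowedUDPPorts = [ 4317 ];` opens a port nothing in this module listens on: OTLP/gRPC runs over HTTP/2 on TCP, so the UDP rule is dead attack surface and its `# OTLP/gRPC` comment is misleading; drop the UDP list. The TCP list (9090, 3100, 4317, 4318) exposes receivers that config.alloy binds at least for Loki on `0.0.0.0` with no authentication of their own, so this image relies entirely on the AWS security group to decide who may push metrics and logs into it; a comment next to the port list such as `# Receivers are unauthenticated; reachability is restricted by the security group, not here` would keep that assumption from being lost. It is also worth confirming how the pkgs.nix module splits `extraArgs`, since `--stability.level public-preview` replaces the `=` form the old container command used and the module's handling of the space-separated form is not visible here.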
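Review bot: The rewritten `prometheus.exporter.unix "host" {}` drops the `filesystem { mount_points_exclude = ... }` filter along with the container-only `/host` paths, so filesystem collection now falls back to the exporter's built-in exclusion instead of the project's own list; if excluding `/etc` (or anything else in the old pattern) was deliberate, that behaviour is gone. Either keep a `filesystem` block with the native-path pattern, or add a one-line comment stating that the exporter default is intentional, so the next reader does not re-add it by accident.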
@@ -1,6 +1,5 @@
-{...}: {
- # see TODO further down
- imports = [../docker];
+{ pkgs-nix, pkgs, ... }: {
+ imports = [ pkgs-nix.nixosModules.alloy ];
 
 environment.etc."alloy/config.alloy" = {
 source = ./config.alloy;
@@ -8,42 +7,12 @@
 user = "root";
 };
 
- # TODO: Replace this once there's an Alloy package merged into Nixpkgs
- # https://github.com/NixOS/nixpkgs/pull/306048
- virtualisation.oci-containers.containers.alloy = {
- autoStart = true;
- image = "grafana/alloy:v1.0.0";
-
+ services.alloy = {
+ enable = true;
+ package = pkgs-nix.packages.${pkgs.system}.alloy;
+ openFirewall = true;
+ configPath = "/etc/alloy";
+ group = "root";
 user = "root";
-
- ports = [
- "12345:12345"
- ];
-
- cmd = [
- "run"
- "--server.http.listen-addr=0.0.0.0:12345"
- "--storage.path=/var/lib/alloy/data"
- "--stability.level=public-preview"
-
- # we give a path to the directory so it loads every file, instead of
- # one config file. this allows us to add extra configuration in other
- # mixins.
- "/etc/alloy"
- ];
-
- volumes = [
- # Alloy
- "/var/log:/var/log:ro"
- "/etc/alloy:/etc/alloy:ro"
-
- "/var/lib/alloy/data"
-
- # Node Exporter
- "/proc:/host/proc:ro"
- "/sys:/host/sys:ro"
- "/run/udev/data:/host/run/udev/data:ro"
- "/:/rootfs:ro"
- ];
 };
 }
diff --git a/modules/mixins/docker/default.nix b/modules/mixins/docker/default.nix
index 58c8103..481b969 100644
--- a/modules/mixins/docker/default.nix
+++ b/modules/mixins/docker/default.nix
@@ -1,4 +1,4 @@
-{...}: {
+{ ... }: {
 virtualisation.docker.enable = true;
 virtualisation.oci-containers.backend = "docker";
 
diff --git a/modules/mixins/ecs-agent/default.nix b/modules/mixins/ecs-agent/default.nix
index 4e544d5..0f12c9f 100644
--- a/modules/mixins/ecs-agent/default.nix
+++ b/modules/mixins/ecs-agent/default.nix
@@ -1,4 +1,4 @@
-{...}: {
+{ ... }: {
 imports = [
 ../docker
 ../alloy
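Review bot: `services.alloy` now runs the agent natively with `user = "root"` and `group = "root"`, which the container setup needed for its bind-mounted `/host` and `/rootfs` views but which nothing in this hunk still justifies; the unix exporter normally works as an unprivileged user, so if root is only kept for reading `/var/log`, a dedicated service user in the `systemd-journal` or `adm` group is the narrower option. `openFirewall = true;` also exposes the Alloy HTTP server (the old command bound it on `0.0.0.0:12345`), whose UI and API carry no authentication of their own; unless the pkgs.nix module defaults to a loopback listen address, that port is reachable from the network and worth a deliberate decision. A comment on the `user`/`group` lines stating why root is required and one on `openFirewall` naming what it exposes would document both choices.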
@@ -27,7 +27,7 @@
 "--net=host"
 ];
 
- environmentFiles = ["/run/keys/ecs.config"];
+ environmentFiles = [ "/run/keys/ecs.config" ];
 environment = {
 ECS_ENABLE_PROMETHEUS_METRICS = "true";
 ECS_LOGLEVEL = "info";
diff --git a/modules/mixins/github-actions/default.nix b/modules/mixins/github-actions/default.nix
index 51e8edb..45445b9 100644
--- a/modules/mixins/github-actions/default.nix
+++ b/modules/mixins/github-actions/default.nix
@@ -22,7 +22,7 @@ in
 };
 };
 
- users.groups.github-runner = {};
+ users.groups.github-runner = { };
 users.users.github-runner = {
 group = "github-runner";
 extraGroups = [ "docker" ];
diff --git a/modules/profiles/common.nix b/modules/profiles/common.nix
index 0ed27e6..3d6101f 100644
--- a/modules/profiles/common.nix
+++ b/modules/profiles/common.nix
@@ -1,6 +1,4 @@
 {...}: {
- services.cachix-agent.enable = true;
-
 boot.loader.efi.canTouchEfiVariables = true;
 
 services.openssh.enable = true;
diff --git a/nix/images.nix b/nix/images.nix
new file mode 100644
index 0000000..c73ac6e
--- /dev/null
+++ b/nix/images.nix
@@ -0,0 +1,18 @@
+{ inputs, system }:
+let
+ inherit (import ./lib.nix { inherit inputs system; }) newAmazonImage;
+in
+{
+ gc-fwd = newAmazonImage [
+ ../modules/mixins/alloy-forwarder
+ ];
+
+ ecs-node = newAmazonImage [
+ ../modules/mixins/ecs-agent
+ ];
+
+ actions-runner = newAmazonImage [
+ ({ ... }: { amazonImage.sizeMB = 6 * 1024; })
+ ../modules/mixins/github-actions
+ ];
+}
diff --git a/nix/lib.nix b/nix/lib.nix
new file mode 100644
index 0000000..0f7ed1e
--- /dev/null
+++ b/nix/lib.nix
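Review bot: `actions-runner = newAmazonImage [ ... ]` no longer passes the `diskSize = 6 * 1024` specialArg that the removed flake.nix definition set, because `specialArgs` in lib.nix only inherits `nixpkgs`, `srvos` and `pkgs-nix`; if `modules/mixins/github-actions` or the amazon format reads `diskSize`, evaluation will now fail on a missing module argument or silently fall back to a default. Either confirm nothing consumes it, or give `newImage` an extra-specialArgs parameter so per-image values can still be threaded through. `newImage` and `newAmazonImage` in lib.nix would also benefit from a one-line comment each on what `modules` and `format` are and which base modules (`srvos.nixosModules.server`, `common.nix`, `hardware-amazon`) are always prepended.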
@@ -0,0 +1,24 @@
+{ inputs, system }:
+rec {
+ newImage = modules: format: inputs.nixos-generators.nixosGenerate {
+ inherit system format;
+ modules = [
+ inputs.srvos.nixosModules.server
+ ../modules/profiles/common.nix
+ ] ++ modules;
+ specialArgs = {
+ inherit (inputs)
+ nixpkgs
+ srvos
+ pkgs-nix;
+ };
+ };
+
+ newAmazonImage = modules:
+ let
+ _modules = [
+ inputs.srvos.nixosModules.hardware-amazon
+ ] ++ modules;
+ in
+ newImage _modules "amazon";
+}