From 2b72dad9d0247a73a808c541f42e792775504281 Mon Sep 17 00:00:00 2001
From: Hayden Young <22327045+hbjydev@users.noreply.github.com>
Date: Sat, 1 Jun 2024 14:51:12 +0100
Subject: [PATCH 1/9] feat: switch to pkgs.nix-based alloy module & package
---
 flake.lock | 52 ++++++++++++++++++++++
 flake.nix | 42 ++---------------
 modules/mixins/alloy-forwarder/default.nix | 11 ++---
 modules/mixins/alloy/default.nix | 47 ++++--------------
 nix/images.nix | 18 ++++++++
 nix/lib.nix | 24 ++++++++++
 6 files changed, 112 insertions(+), 82 deletions(-)
 create mode 100644 nix/images.nix
 create mode 100644 nix/lib.nix
diff --git a/flake.lock b/flake.lock
index c9f1c00..1e2196e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -17,6 +17,24 @@
 "type": "indirect"
 }
 },
+ "flake-parts_2": {
+ "inputs": {
+ "nixpkgs-lib": "nixpkgs-lib_2"
+ },
+ "locked": {
+ "lastModified": 1715865404,
+ "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
 "nixlib": {
 "locked": {
 "lastModified": 1712450863,
@@ -81,11 +99,45 @@
 "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
 }
 },
+ "nixpkgs-lib_2": {
+ "locked": {
+ "lastModified": 1714640452,
+ "narHash": "sha256-QBx10+k6JWz6u7VsohfSw8g8hjdBZEf8CFzXH1/1Z94=",
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
+ },
+ "original": {
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
+ }
+ },
+ "pkgs-nix": {
+ "inputs": {
+ "flake-parts": "flake-parts_2",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1716761908,
+ "narHash": "sha256-+SUec/ApJm5bUhvLaBINid9cl3i6puFUGTLNqI3Ud+Y=",
+ "owner": "ALT-F4-LLC",
+ "repo": "pkgs.nix",
+ "rev": "457a8955c9b349d4391564c4a1fd5fd88244dc8c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ALT-F4-LLC",
+ "repo": "pkgs.nix",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "flake-parts": "flake-parts",
 "nixos-generators": "nixos-generators",
 "nixpkgs": "nixpkgs",
+ "pkgs-nix": "pkgs-nix",
 "srvos": "srvos"
 }
 },
diff --git a/flake.nix b/flake.nix
index 3047d83..2e796a1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,6 +7,9 @@
 srvos.url = "github:nix-community/srvos";
 srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+ pkgs-nix.url = "github:ALT-F4-LLC/pkgs.nix";
+ pkgs-nix.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs = inputs @ {flake-parts, ...}:
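Review bot: The new `pkgs-nix` input carries no comment saying why a separate flake now supplies both the Alloy package and the NixOS module, while the TODO that pointed at nixpkgs PR 306048 as the eventual source is deleted from `modules/mixins/alloy/default.nix` in this same patch, so the interim nature of the arrangement is lost. Suggest `# Alloy package + NixOS module until nixpkgs ships them (NixOS/nixpkgs#306048)` above `pkgs-nix.url`. The URL names no ref, so the input follows that repository's default branch and is pinned only by flake.lock; since the package it provides is run as root on every image by the alloy mixin, bumps of this entry in the lock deserve the same review as any other dependency update.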
@@ -26,44 +29,7 @@
 formatter = pkgs.alejandra;
- packages = {
- gc-fwd = inputs.nixos-generators.nixosGenerate {
- inherit system;
- modules = [
- inputs.srvos.nixosModules.server
- inputs.srvos.nixosModules.hardware-amazon
- ./modules/profiles/common.nix
- ./modules/mixins/alloy-forwarder
- ];
- format = "amazon"; # ami
- };
-
- ecs-node = inputs.nixos-generators.nixosGenerate {
- inherit system;
- modules = [
- inputs.srvos.nixosModules.server
- inputs.srvos.nixosModules.hardware-amazon
- ./modules/profiles/common.nix
- ./modules/mixins/ecs-agent
- ];
- format = "amazon"; # ami
- };
-
- actions-runner = inputs.nixos-generators.nixosGenerate {
- inherit system;
- modules = [
- ({...}: { amazonImage.sizeMB = 6 * 1024; })
- inputs.srvos.nixosModules.server
- inputs.srvos.nixosModules.hardware-amazon
- ./modules/profiles/common.nix
- ./modules/mixins/github-actions
- ];
- specialArgs = {
- diskSize = 6 * 1024; # 6GB
- };
- format = "amazon"; # ami
- };
- };
+ packages = import ./nix/images.nix { inherit system inputs; };
 };
 };
 }
diff --git a/modules/mixins/alloy-forwarder/default.nix b/modules/mixins/alloy-forwarder/default.nix
index 83e3d34..cf422b1 100644
--- a/modules/mixins/alloy-forwarder/default.nix
+++ b/modules/mixins/alloy-forwarder/default.nix
@@ -1,13 +1,14 @@
-{lib, ...}: {
- imports = [../alloy];
+{ lib, ... }: {
+ imports = [ ../alloy ];
 # Only change from normal Alloy mixin is an overridden config file
 environment.etc."alloy/config.alloy".source = lib.mkForce ./config.alloy;
- virtualisation.oci-containers.containers.alloy = {
- environmentFiles = ["/run/keys/grafana-cloud"];
+ services.alloy = {
+ extraArgs = "--stability.level public-preview";
- environment = {
+ environmentFiles = [ "/run/keys/grafana-cloud" ];
+ extraEnvironment = {
 GRAFANA_CLOUD_STACK = "altf4llc";
 };
 };
diff --git a/modules/mixins/alloy/default.nix b/modules/mixins/alloy/default.nix
index 16aa45b..1ea3c69 100644
--- a/modules/mixins/alloy/default.nix
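Review bot: `extraArgs = "--stability.level public-preview";` joins the flag and its value with a space inside a single string, whereas the container command line it replaces passed `--stability.level=public-preview`; whether the pkgs-nix `services.alloy` module word-splits `extraArgs` or shell-escapes it as one argument is not visible here, and in the second case Alloy would receive a single unparseable argument. `extraArgs = "--stability.level=public-preview";` works under either treatment. `environmentFiles = [ "/run/keys/grafana-cloud" ]` is now read by a host service rather than a container, so a comment naming what the file must provide (`GRAFANA_CLOUD_TOKEN`, going by the forwarder config later in this series) would help whoever provisions the key.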
+++ b/modules/mixins/alloy/default.nix
@@ -1,6 +1,5 @@
-{...}: {
- # see TODO further down
- imports = [../docker];
+{ pkgs-nix, pkgs, ... }: {
+ imports = [ pkgs-nix.nixosModules.alloy ];
 environment.etc."alloy/config.alloy" = {
 source = ./config.alloy;
@@ -8,42 +7,12 @@
 user = "root";
 };
- # TODO: Replace this once there's an Alloy package merged into Nixpkgs
- # https://github.com/NixOS/nixpkgs/pull/306048
- virtualisation.oci-containers.containers.alloy = {
- autoStart = true;
- image = "grafana/alloy:v1.0.0";
-
+ services.alloy = {
+ enable = true;
+ package = pkgs-nix.packages.${pkgs.system}.alloy;
+ openFirewall = true;
+ configPath = "/etc/alloy";
+ group = "root";
 user = "root";
-
- ports = [
- "12345:12345"
- ];
-
- cmd = [
- "run"
- "--server.http.listen-addr=0.0.0.0:12345"
- "--storage.path=/var/lib/alloy/data"
- "--stability.level=public-preview"
-
- # we give a path to the directory so it loads every file, instead of
- # one config file. this allows us to add extra configuration in other
- # mixins.
- "/etc/alloy"
- ];
-
- volumes = [
- # Alloy
- "/var/log:/var/log:ro"
- "/etc/alloy:/etc/alloy:ro"
-
- "/var/lib/alloy/data"
-
- # Node Exporter
- "/proc:/host/proc:ro"
- "/sys:/host/sys:ro"
- "/run/udev/data:/host/run/udev/data:ro"
- "/:/rootfs:ro"
- ];
 };
 }
diff --git a/nix/images.nix b/nix/images.nix
new file mode 100644
index 0000000..c73ac6e
--- /dev/null
+++ b/nix/images.nix
@@ -0,0 +1,18 @@
+{ inputs, system }:
+let
+ inherit (import ./lib.nix { inherit inputs system; }) newAmazonImage;
+in
+{
+ gc-fwd = newAmazonImage [
+ ../modules/mixins/alloy-forwarder
+ ];
+
+ ecs-node = newAmazonImage [
+ ../modules/mixins/ecs-agent
+ ];
+
+ actions-runner = newAmazonImage [
+ ({ ... }: { amazonImage.sizeMB = 6 * 1024; })
+ ../modules/mixins/github-actions
+ ];
+}
diff --git a/nix/lib.nix b/nix/lib.nix
new file mode 100644
index 0000000..0f7ed1e
--- /dev/null
+++ b/nix/lib.nix
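Review bot: `openFirewall = true;` next to `user = "root"; group = "root";` means Alloy now runs directly on the host as root with its listener opened in the host firewall, and the hunk records neither which port the module opens nor why root is required; the container it replaces at least made the bind explicit with `--server.http.listen-addr=0.0.0.0:12345`. Confirm the module's listen address and port (not visible here) and, if the Alloy UI/API only needs to be reachable from the instance itself, drop `openFirewall` and keep to the explicit `allowedTCPPorts` list the forwarder mixin adds in a later patch. The deleted comment explaining that a directory is passed so every file in it is loaded, which is what lets other mixins add configuration, should move next to `configPath = "/etc/alloy";`, and `user`/`group` deserve a line such as `# root so the unix exporter can read /proc, /sys and /var/log (the mounts the container had) -- confirm a dedicated user is not enough`. The module also now takes `pkgs-nix` from `specialArgs`, which only `nix/lib.nix` supplies, so evaluating this mixin through any other path would fail on an unbound argument; the attribute set it belongs to starts outside the hunk.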
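Review bot: `actions-runner` no longer passes the `specialArgs = { diskSize = 6 * 1024; }` that the old `flake.nix` definition set alongside `amazonImage.sizeMB`; `nix/lib.nix` forwards only `nixpkgs`, `srvos` and `pkgs-nix`, so if `../modules/mixins/github-actions` still takes `diskSize` in its argument set (its header is not in this series) evaluation of this image now fails, and if it does not, the drop is fine but worth a line in the commit message. The `# 6GB` comment that accompanied the repeated `6 * 1024` literal was lost in the move; keep it on the `amazonImage.sizeMB` line. A one-line comment above the attribute set noting that `newAmazonImage` prepends the srvos server and hardware-amazon modules plus `modules/profiles/common.nix` would also help, since the module lists here no longer show them.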
@@ -0,0 +1,24 @@
+{ inputs, system }:
+rec {
+ newImage = modules: format: inputs.nixos-generators.nixosGenerate {
+ inherit system format;
+ modules = [
+ inputs.srvos.nixosModules.server
+ ../modules/profiles/common.nix
+ ] ++ modules;
+ specialArgs = {
+ inherit (inputs)
+ nixpkgs
+ srvos
+ pkgs-nix;
+ };
+ };
+
+ newAmazonImage = modules:
+ let
+ _modules = [
+ inputs.srvos.nixosModules.hardware-amazon
+ ] ++ modules;
+ in
+ newImage _modules "amazon";
+}
From d633dac353121724e7058b9e7daf11d32a41ad9a Mon Sep 17 00:00:00 2001
From: Hayden Young <22327045+hbjydev@users.noreply.github.com>
Date: Sat, 1 Jun 2024 15:20:16 +0100
Subject: [PATCH 2/9] fix: include extra ports in firewall for alloy, formatting fixes
---
 modules/mixins/alloy-forwarder/default.nix | 11 +++++++++++
 modules/mixins/docker/default.nix | 2 +-
 modules/mixins/ecs-agent/default.nix | 4 ++--
 modules/mixins/github-actions/default.nix | 2 +-
 4 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/modules/mixins/alloy-forwarder/default.nix b/modules/mixins/alloy-forwarder/default.nix
index cf422b1..6b50c44 100644
--- a/modules/mixins/alloy-forwarder/default.nix
+++ b/modules/mixins/alloy-forwarder/default.nix
@@ -4,6 +4,17 @@
 # Only change from normal Alloy mixin is an overridden config file
 environment.etc."alloy/config.alloy".source = lib.mkForce ./config.alloy;
+ networking.firewall.allowedTCPPorts = [
+ 9090 # Prometheus
+ 3100 # Loki
+ 4317 # OTLP/gRPC
+ 4318 # OTLP/HTTP
+ ];
+
+ networking.firewall.allowedUDPPorts = [
+ 4317 # OTLP/gRPC
+ ];
+
 services.alloy = {
 extraArgs = "--stability.level public-preview";
diff --git a/modules/mixins/docker/default.nix b/modules/mixins/docker/default.nix
index 58c8103..481b969 100644
--- a/modules/mixins/docker/default.nix
+++ b/modules/mixins/docker/default.nix
@@ -1,4 +1,4 @@
-{...}: {
+{ ... }: {
 virtualisation.docker.enable = true;
 virtualisation.oci-containers.backend = "docker";
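Review bot: `nix/lib.nix` has no comments although both helpers carry implicit contracts: `newImage` prepends `inputs.srvos.nixosModules.server` and `../modules/profiles/common.nix` to every image and exposes `nixpkgs`, `srvos` and `pkgs-nix` as `specialArgs`, which `modules/mixins/alloy/default.nix` relies on by declaring `pkgs-nix` in its argument set. Suggest a header comment above `newImage` stating both facts, and `# Amazon images additionally get the srvos hardware-amazon module` above `newAmazonImage`. On style, `rec` exists only so `newAmazonImage` can reach `newImage`; a `let newImage = ...; in { inherit newImage; newAmazonImage = ...; }` avoids the recursive set, and `_modules` would read better as `amazonModules`.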
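Review bot: `4317 # OTLP/gRPC` under `networking.firewall.allowedUDPPorts` opens a UDP port no OTLP receiver listens on, since OTLP/gRPC and OTLP/HTTP are both TCP transports; drop the `allowedUDPPorts` block unless a UDP receiver is actually configured. The four TCP ports are opened host-wide for receivers that, where the forwarder config is visible later in this series, bind `0.0.0.0` (`loki.source.api "receive"`) with no authentication shown, so reachability is presumably meant to be bounded by the instance's security group; record that with `# Receivers are unauthenticated; reachability is limited by the instance security group, not by Alloy` so the assumption survives the next firewall edit. The module attribute set these options belong to starts outside the hunk.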
diff --git a/modules/mixins/ecs-agent/default.nix b/modules/mixins/ecs-agent/default.nix
index 4e544d5..0f12c9f 100644
--- a/modules/mixins/ecs-agent/default.nix
+++ b/modules/mixins/ecs-agent/default.nix
@@ -1,4 +1,4 @@
-{...}: {
+{ ... }: {
 imports = [
 ../docker
 ../alloy
@@ -27,7 +27,7 @@
 "--net=host"
 ];
- environmentFiles = ["/run/keys/ecs.config"];
+ environmentFiles = [ "/run/keys/ecs.config" ];
 environment = {
 ECS_ENABLE_PROMETHEUS_METRICS = "true";
 ECS_LOGLEVEL = "info";
diff --git a/modules/mixins/github-actions/default.nix b/modules/mixins/github-actions/default.nix
index 51e8edb..45445b9 100644
--- a/modules/mixins/github-actions/default.nix
+++ b/modules/mixins/github-actions/default.nix
@@ -22,7 +22,7 @@ in
 };
 };
- users.groups.github-runner = {};
+ users.groups.github-runner = { };
 users.users.github-runner = {
 group = "github-runner";
 extraGroups = [ "docker" ];
From 903e918c1d77de10d3d4f9bb69531437c8ab5b40 Mon Sep 17 00:00:00 2001
From: Hayden Young <22327045+hbjydev@users.noreply.github.com>
Date: Sat, 1 Jun 2024 15:22:02 +0100
Subject: [PATCH 3/9] feat: update flake lockfile
---
 flake.lock | 47 ++++++++++++++++++++++++++---------------------
 1 file changed, 26 insertions(+), 21 deletions(-)
diff --git a/flake.lock b/flake.lock
index 1e2196e..0a7da6a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5,12 +5,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
- "lastModified": 1714641030,
- "narHash": "sha256-yzcRNDoyVP7+SCNX0wmuDju1NUCt8Dz9+lyUXEI0dbI=",
- "owner": "hercules-ci",
- "repo": "flake-parts",
- "rev": "e5d10a24b66c3ea8f150e47dfdb0416ab7c3390e",
- "type": "github"
+ "lastModified": 1712014858,
+ "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+ "path": "/nix/store/xvyy5vh6cg7958a26p2bqyz6jg5wkz4g-source",
+ "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+ "type": "path"
 },
 "original": {
 "id": "flake-parts",
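Review bot: The `flake-parts` node is relocked from a `github` source to `"type": "path"` with `"path": "/nix/store/xvyy5vh6cg7958a26p2bqyz6jg5wkz4g-source"`, a store path that exists only on the machine that ran the update, so any other host or CI runner evaluating this flake fails to fetch the input and the lock no longer says where that code came from. The `original` entry is still the indirect `"id": "flake-parts"`, which points at the input having been resolved through a local registry override during this lock; re-lock from a clean registry, or give `flake-parts.url` an explicit `github:` source in `flake.nix` so the lock records a fetchable rev again. Patch 9 later updates only the `pkgs-nix` node and leaves this entry in place.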
@@ -58,11 +57,11 @@
 ]
 },
 "locked": {
- "lastModified": 1713783234,
- "narHash": "sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE+9ytRWxsA5aWtmyI=",
+ "lastModified": 1716210724,
+ "narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "722b512eb7e6915882f39fff0e4c9dd44f42b77e",
+ "rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94",
 "type": "github"
 },
 "original": {
@@ -73,11 +72,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1714906307,
- "narHash": "sha256-UlRZtrCnhPFSJlDQE7M0eyhgvuuHBTe1eJ9N9AQlJQ0=",
+ "lastModified": 1716948383,
+ "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "25865a40d14b3f9cf19f19b924e2ab4069b09588",
+ "rev": "ad57eef4ef0659193044870c731987a6df5cf56b",
 "type": "github"
 },
 "original": {
@@ -89,14 +88,20 @@
 },
 "nixpkgs-lib": {
 "locked": {
- "lastModified": 1714640452,
- "narHash": "sha256-QBx10+k6JWz6u7VsohfSw8g8hjdBZEf8CFzXH1/1Z94=",
- "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
+ "dir": "lib",
+ "lastModified": 1711703276,
+ "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
+ "type": "github"
 },
 "original": {
- "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
+ "dir": "lib",
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
 }
 },
 "nixpkgs-lib_2": {
@@ -148,11 +153,11 @@
 ]
 },
 "locked": {
- "lastModified": 1714956769,
- "narHash": "sha256-49DQpGvr5N0l7rsFMP8zSwHeSa7f9N3NiY4mgdOwPn8=",
+ "lastModified": 1717058062,
+ "narHash": "sha256-R8Gb2MlJzfBE76DVWFmfZWODMdAanqxFnK+OOmkoQ7E=",
 "owner": "nix-community",
 "repo": "srvos",
- "rev": "885d705a55f5a9bd5a85cb6869358a1e5c522009",
+ "rev": "414d1039a58b667e4512ad9f7068aa935ebf8d59",
 "type": "github"
 },
 "original": {
From f4bd7222c929ddc9d3671e640003de0da03205aa Mon Sep 17 00:00:00 2001
From: Hayden Young <22327045+hbjydev@users.noreply.github.com>
Date: Sat, 1 Jun 2024 16:06:58 +0100
Subject: [PATCH 4/9] feat: update alloy configs
---
 modules/mixins/alloy-forwarder/config.alloy | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/mixins/alloy-forwarder/config.alloy b/modules/mixins/alloy-forwarder/config.alloy
index c37d37d..2ca0375 100644
--- a/modules/mixins/alloy-forwarder/config.alloy
+++ b/modules/mixins/alloy-forwarder/config.alloy
@@ -1,13 +1,13 @@
-import.git "gcloud" {
+import.git "grafana_cloud" {
 repository = "https://github.com/grafana/alloy-modules.git"
 path = "modules/cloud/grafana/cloud/module.river"
 revision = "main"
 pull_frequency = "0s"
 }
-gcloud.stack "default" {
- stack_name = env("GRAFANA_CLOUD_STACK")
- token = env("GRAFANA_CLOUD_TOKEN")
+grafana_cloud.stack "receivers" {
+ stack_name = env("GRAFANA_CLOUD_STACK")
+ token = env("GRAFANA_CLOUD_TOKEN")
 }
 prometheus.receive_http "forward" {
From a046507b6b4a9acb0d3774c23ce6d34ac4753a19 Mon Sep 17 00:00:00 2001
From: Hayden Young <22327045+hbjydev@users.noreply.github.com>
Date: Sat, 1 Jun 2024 17:35:25 +0100
Subject: [PATCH 5/9] fix: pathing issue in alloy grafana cloud module import
---
 modules/mixins/alloy-forwarder/config.alloy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/mixins/alloy-forwarder/config.alloy b/modules/mixins/alloy-forwarder/config.alloy
index 2ca0375..77c111d 100644
--- a/modules/mixins/alloy-forwarder/config.alloy
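Review bot: `import.git "grafana_cloud"` keeps `revision = "main"` and `pull_frequency = "0s"` (context lines here), so each forwarder executes whatever the `grafana/alloy-modules` default branch holds when the agent starts, and the imported module defines the `grafana_cloud.stack` component that is handed `env("GRAFANA_CLOUD_TOKEN")`; the rename to `grafana_cloud.stack "receivers"` does not change that. Pin `revision` to a specific commit of that repository (`revision = "<pinned commit>"` as a placeholder until one is chosen) so image builds are reproducible and an upstream change cannot redirect credentials or telemetry without a review here. `pull_frequency = "0s"` presumably disables periodic re-pulls -- confirm against the Alloy documentation and say so in a comment, since read literally it looks like a zero interval.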
+++ b/modules/mixins/alloy-forwarder/config.alloy
@@ -1,6 +1,6 @@
 import.git "grafana_cloud" {
 repository = "https://github.com/grafana/alloy-modules.git"
- path = "modules/cloud/grafana/cloud/module.river"
+ path = "modules/cloud/grafana/cloud/module.alloy"
 revision = "main"
 pull_frequency = "0s"
 }
From abef5a3d8b3dd7df0a3283fd44446405ab042809 Mon Sep 17 00:00:00 2001
From: Hayden Young <22327045+hbjydev@users.noreply.github.com>
Date: Sat, 1 Jun 2024 17:51:30 +0100
Subject: [PATCH 6/9] feat: update gc-fwd config
---
 modules/mixins/alloy-forwarder/config.alloy | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/modules/mixins/alloy-forwarder/config.alloy b/modules/mixins/alloy-forwarder/config.alloy
index 77c111d..49d3f83 100644
--- a/modules/mixins/alloy-forwarder/config.alloy
+++ b/modules/mixins/alloy-forwarder/config.alloy
@@ -22,14 +22,20 @@ prometheus.receive_http "forward" {
 prometheus.scrape "linux_node" {
 targets = prometheus.exporter.unix.node.targets
- forward_to = [
- grafana_cloud.stack.receivers.metrics,
- ]
+ forward_to = [ grafana_cloud.stack.receivers.metrics ]
 }
 prometheus.exporter.unix "node" {
 }
+prometheus.exporter.self "agent" {
+}
+
+prometheus.scrape "agent" {
+ targets = prometheus.exporter.self.agent.targets
+ forward_to = [ grafana_cloud.stack.receivers.metrics ]
+}
+
 loki.source.api "receive" {
 http {
 listen_address = "0.0.0.0"
@@ -69,16 +69,7 @@ prometheus.relabel "instance" {
 }
 // Export system metrics
-prometheus.exporter.unix "host" {
- procfs_path = "/host/proc"
- sysfs_path = "/host/sys"
- rootfs_path = "/rootfs"
- udev_data_path = "/host/run/udev/data"
-
- filesystem {
- mount_points_exclude = "^/(sys|proc|dev|host|etc)($$|/)"
- }
-}
+prometheus.exporter.unix "host" {}
 // Scrape system metrics
 prometheus.scrape "host" {
@@ -86,4 +77,13 @@ prometheus.scrape "host" {
 forward_to = [prometheus.relabel.instance.receiver]
 }
+// Export agent metrics
+prometheus.exporter.self "agent" {}
+
+// Scrape agent metrics
+prometheus.scrape "agent" {
+ targets = prometheus.exporter.self.agent.targets
+ forward_to = [prometheus.relabel.instance.receiver]
+}
+
 // vim:ft=hcl
From 4ef17333be9ecd324ef39fb7df4c0e2363dc0476 Mon Sep 17 00:00:00 2001
From: Hayden Young <22327045+hbjydev@users.noreply.github.com>
Date: Sat, 1 Jun 2024 18:00:05 +0100
Subject: [PATCH 8/9] feat: remove cachix-agent
---
 modules/profiles/common.nix | 2 --
 1 file changed, 2 deletions(-)
diff --git a/modules/profiles/common.nix b/modules/profiles/common.nix
index 0ed27e6..3d6101f 100644
--- a/modules/profiles/common.nix
+++ b/modules/profiles/common.nix
@@ -1,6 +1,4 @@
 {...}: {
- services.cachix-agent.enable = true;
-
 boot.loader.efi.canTouchEfiVariables = true;
 services.openssh.enable = true;
From d629f739fd87ef9a516374e3e4d501ca1f591d10 Mon Sep 17 00:00:00 2001
From: Hayden Young <22327045+hbjydev@users.noreply.github.com>
Date: Sat, 1 Jun 2024 23:06:22 +0100
Subject: [PATCH 9/9] fix: update flake.lock
---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index 0a7da6a..3a09714 100644
--- a/flake.lock
+++ b/flake.lock
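Review bot: `prometheus.exporter.unix "host" {}` drops not only the container-only `procfs_path`/`sysfs_path`/`rootfs_path`/`udev_data_path` overrides, which is right now that Alloy runs on the host, but also the `filesystem { mount_points_exclude = ... }` block, so the filesystem collector falls back to the exporter's built-in exclusion defaults; whether those cover the pseudo-filesystems the old pattern excluded is not visible here. If relying on the defaults is intended, say so with `// filesystem mount-point excludes left at the exporter defaults` inside the block; otherwise carry the old pattern over minus the `host` entry, e.g. `mount_points_exclude = "^/(sys|proc|dev|etc)($|/)"`. The `$$` in the removed pattern looks like an interpolation escape carried over from the container setup; if the pattern is restored, check whether Alloy's string syntax needs the doubling at all.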
@@ -124,11 +124,11 @@
 ]
 },
 "locked": {
- "lastModified": 1716761908,
- "narHash": "sha256-+SUec/ApJm5bUhvLaBINid9cl3i6puFUGTLNqI3Ud+Y=",
+ "lastModified": 1717279556,
+ "narHash": "sha256-msDwm0MHE+zvAfuWXtTBVR4PQhnI/MU9XQzx+4LbUP0=",
 "owner": "ALT-F4-LLC",
 "repo": "pkgs.nix",
- "rev": "457a8955c9b349d4391564c4a1fd5fd88244dc8c",
+ "rev": "3143fc567c8d82edadda31efe90ccc5c2d5d5c64",
 "type": "github"
 },
 "original": {