Diffstat (limited to 'modules/nixos/custom/victorialogs.nix')
| -rw-r--r-- | modules/nixos/custom/victorialogs.nix | 129 |
1 files changed, 0 insertions, 129 deletions
diff --git a/modules/nixos/custom/victorialogs.nix b/modules/nixos/custom/victorialogs.nix
deleted file mode 100644
index ab6be3a..0000000
--- a/modules/nixos/custom/victorialogs.nix
+++ /dev/null
@@ -1,129 +0,0 @@
-# From https://github.com/NixOS/nixpkgs/pull/376834
-{
- config,
- pkgs,
- lib,
- ...
-}:
-
-let
- inherit (lib)
- getBin
- hasPrefix
- literalExpression
- mkBefore
- mkEnableOption
- mkIf
- mkOption
- mkPackageOption
- optionalString
- types
- ;
-
- cfg = config.borealis.victorialogs;
-
- startCLIList = [
- "${cfg.package}/bin/victoria-logs"
- "-storageDataPath=/var/lib/${cfg.stateDir}"
- "-httpListenAddr=${cfg.listenAddress}"
- ] ++ cfg.extraOptions;
-in
-
-{
- options.borealis.victorialogs = {
- enable = mkEnableOption "VictoriaLogs is an open source user-friendly database for logs from VictoriaMetrics";
- package = mkPackageOption pkgs "victoriametrics" { };
- listenAddress = lib.mkOption {
- default = "127.0.0.1:9428";
- type = types.str;
- description = ''
- TCP address to listen for incoming http requests.
- '';
- };
- stateDir = mkOption {
- type = types.str;
- default = "victorialogs";
- description = ''
- Directory below `/var/lib` to store VictoriaLogs data.
- This directory will be created automatically using systemd's StateDirectory mechanism.
- '';
- };
- extraOptions = mkOption {
- type = types.listOf types.str;
- default = [ ];
- example = literalExpression ''
- [
- "-httpAuth.username=username"
- "-httpAuth.password=file:///abs/path/to/file"
- "-loggerLevel=WARN"
- ]
- '';
- description = ''
- Extra options to pass to VictoriaLogs. See {command}`victoria-logs -help` for
- possible options.
- '';
- };
- };
- config = mkIf cfg.enable {
- systemd.services.victorialogs = {
- description = "VictoriaLogs logs database";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
- startLimitBurst = 5;
-
- serviceConfig = {
- ExecStart = lib.escapeShellArgs startCLIList;
- DynamicUser = true;
- RestartSec = 1;
- Restart = "on-failure";
- RuntimeDirectory = "victorialogs";
- RuntimeDirectoryMode = "0700";
- StateDirectory = cfg.stateDir;
- StateDirectoryMode = "0700";
-
- # Hardening
- DeviceAllow = [ "/dev/null rw" ];
- DevicePolicy = "strict";
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "full";
- RemoveIPC = true;
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- "AF_UNIX"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "~@privileged"
- ];
- };
-
- postStart =
- let
- bindAddr = (optionalString (hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
- in
- mkBefore ''
- until ${getBin pkgs.curl}/bin/curl -s -o /dev/null http://${bindAddr}/ping; do
- sleep 1;
- done
- '';
- };
- };
-} |
