From 3a0933447bc9b5d44e13a12a845c0d70662a92a5 Mon Sep 17 00:00:00 2001
From: Seth Flynn
Date: Fri, 14 Feb 2025 23:04:43 -0500
Subject: nixos/victorialogs: init

---
 modules/nixos/custom/default.nix | 1 +
 modules/nixos/custom/victorialogs.nix | 129 ++++++++++++++++++++++++++++++++++
 2 files changed, 130 insertions(+)
 create mode 100644 modules/nixos/custom/victorialogs.nix
(limited to 'modules/nixos')
diff --git a/modules/nixos/custom/default.nix b/modules/nixos/custom/default.nix
index 8b9df32..4b14136 100644
--- a/modules/nixos/custom/default.nix
+++ b/modules/nixos/custom/default.nix
@@ -5,5 +5,6 @@
 ./nvd-diff.nix
 ./nvk.nix
 ./remote-builders.nix
+ ./victorialogs.nix
 ];
 }
diff --git a/modules/nixos/custom/victorialogs.nix b/modules/nixos/custom/victorialogs.nix
new file mode 100644
index 0000000..ab6be3a
--- /dev/null
+++ b/modules/nixos/custom/victorialogs.nix
@@ -0,0 +1,129 @@
+# From https://github.com/NixOS/nixpkgs/pull/376834
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+let
+ inherit (lib)
+ getBin
+ hasPrefix
+ literalExpression
+ mkBefore
+ mkEnableOption
+ mkIf
+ mkOption
+ mkPackageOption
+ optionalString
+ types
+ ;
+
+ cfg = config.borealis.victorialogs;
+
+ startCLIList = [
+ "${cfg.package}/bin/victoria-logs"
+ "-storageDataPath=/var/lib/${cfg.stateDir}"
+ "-httpListenAddr=${cfg.listenAddress}"
+ ] ++ cfg.extraOptions;
+in
+
+{
+ options.borealis.victorialogs = {
+ enable = mkEnableOption "VictoriaLogs is an open source user-friendly database for logs from VictoriaMetrics";
+ package = mkPackageOption pkgs "victoriametrics" { };
+ listenAddress = lib.mkOption {
+ default = "127.0.0.1:9428";
+ type = types.str;
+ description = ''
+ TCP address to listen for incoming http requests.
+ '';
+ };
+ stateDir = mkOption {
+ type = types.str;
+ default = "victorialogs";
+ description = ''
+ Directory below `/var/lib` to store VictoriaLogs data.
+ This directory will be created automatically using systemd's StateDirectory mechanism.
+ '';
+ };
+ extraOptions = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ example = literalExpression ''
+ [
+ "-httpAuth.username=username"
+ "-httpAuth.password=file:///abs/path/to/file"
+ "-loggerLevel=WARN"
+ ]
+ '';
+ description = ''
+ Extra options to pass to VictoriaLogs. See {command}`victoria-logs -help` for
+ possible options.
+ '';
+ };
+ };
+ config = mkIf cfg.enable {
+ systemd.services.victorialogs = {
+ description = "VictoriaLogs logs database";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ startLimitBurst = 5;
+
+ serviceConfig = {
+ ExecStart = lib.escapeShellArgs startCLIList;
+ DynamicUser = true;
+ RestartSec = 1;
+ Restart = "on-failure";
+ RuntimeDirectory = "victorialogs";
+ RuntimeDirectoryMode = "0700";
+ StateDirectory = cfg.stateDir;
+ StateDirectoryMode = "0700";
+
+ # Hardening
+ DeviceAllow = [ "/dev/null rw" ];
+ DevicePolicy = "strict";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "full";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ };
+
+ postStart =
+ let
+ bindAddr = (optionalString (hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
+ in
+ mkBefore ''
+ until ${getBin pkgs.curl}/bin/curl -s -o /dev/null http://${bindAddr}/ping; do
+ sleep 1;
+ done
+ '';
+ };
+ };
+}
-- cgit v1.2.3
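Review bot: The `listenAddress` description does not say that the endpoint it controls is unauthenticated: nothing in the module passes `-httpAuth.*`, so any process that can reach the address can ingest and query logs, and the `127.0.0.1:9428` default is the only thing keeping it off the network. I would extend the description with `Anything that can reach this address can write and read logs without authentication; when binding beyond loopback, set -httpAuth.username/-httpAuth.password via extraOptions (see its example) or put an authenticating reverse proxy in front.` The extraOptions example uses `file:///abs/path/to/file` for the password, but with `DynamicUser = true`, `ProtectHome = true` and `ProtectSystem = "full"` that file must be readable by the transient user, which the description could state (or recommend `LoadCredential` with a `%d`-relative path). Separately, `ProtectSystem = "full"` could likely be tightened to `"strict"`, since the unit's writable paths are already supplied by `StateDirectory`/`RuntimeDirectory` and the postStart loop writes only to `/dev/null` — worth confirming once against a running instance.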