- Switch vmalert from blackhole mode to sending alerts to local Alertmanager
- Import alerttonotify service so alerts route to NATS notifications
- Move alertmanager and grafana CNAMEs from http-proxy to monitoring02
- Add monitoring CNAME to monitoring02
- Add Caddy reverse proxy entries for alertmanager and grafana
- Remove prometheus, alertmanager, and grafana Caddy entries from http-proxy (now served directly by monitoring02)
- Move monitoring02 Vault AppRole to hosts-generated.tf with extra_policies support and prometheus-metrics policy
- Update Promtail to use the authenticated loki.home.2rjus.net endpoint only (remove the unauthenticated monitoring01 client)
- Update pipe-to-loki and bootstrap to use loki.home.2rjus.net with basic auth from the Vault secret
- Update migration plan with current status

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
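{ config, lib, ... }:

# Host-wide log shipping: journald retention limits plus a Promtail agent that
# pushes the systemd journal and /var/log/**/*.log to the central Loki over
# HTTPS with basic auth. The push credential is materialised from Vault, so this
# module now hard-requires Vault on every host that imports it (see the
# assertion below).

let
  # Labels attached to every stream from this host. `role` is only merged in
  # when the host declares one, so role-less hosts keep a stable label set.
  hostLabels = {
    hostname = config.networking.hostName;
    tier = config.homelab.host.tier;
  } // lib.optionalAttrs (config.homelab.host.role != null) {
    role = config.homelab.host.role;
  };

  # File the vault.secrets module writes the Loki push password to.
  # NOTE(review): assumes vault.secrets.<name> lands at /run/secrets/<name> —
  # confirm against the vault module.
  lokiPasswordFile = "/run/secrets/promtail-loki-auth";
in
{
  # The only Promtail client authenticates with a password that exists solely
  # when the Vault secret below is provisioned, and there is no fallback client
  # any more. Without Vault every push would fail at runtime and the host would
  # silently ship no logs, so make the dependency fail at evaluation time.
  assertions = [
    {
      assertion = config.vault.enable;
      message = "promtail on ${config.networking.hostName}: the Loki push credential comes from Vault (shared/loki/push-auth); enable vault on this host or do not import this module.";
    }
  ];

  # journald: cap on-disk journal usage so the journal cannot fill the root
  # filesystem, and set the per-service rate-limit window.
  services.journald = {
    rateLimitInterval = "10s";
    extraConfig = ''
      SystemMaxUse=100M
      SystemKeepFree=1G
    '';
  };

  # Loki push password fetched from Vault, readable only by the promtail user
  # (owner/group). `services` presumably ties the promtail unit to this secret
  # (ordering / restart on refresh) — confirm in the vault module. The mkIf is
  # kept so the definition stays inert on hosts that trip the assertion above.
  vault.secrets.promtail-loki-auth = lib.mkIf config.vault.enable {
    secretPath = "shared/loki/push-auth";
    extractKey = "password";
    owner = "promtail";
    group = "promtail";
    services = [ "promtail" ];
  };

  services.promtail = {
    enable = true;
    configuration = {
      # Promtail's own HTTP (metrics/ready/targets) and gRPC listeners. Bound
      # to every interface, presumably so the central Prometheus can scrape
      # :9099; anything the host firewall lets through can reach these
      # endpoints too, so keep the firewall rule scoped to the monitoring host.
      server = {
        http_listen_address = "0.0.0.0";
        http_listen_port = 9099;
        grpc_listen_address = "0.0.0.0";
        grpc_listen_port = 9098;
      };

      # Single authenticated client: HTTPS to the central Loki with basic auth.
      # The password is read from the Vault-provided file at runtime and never
      # inlined here, which would put it in the world-readable Nix store.
      clients = [
        {
          url = "https://loki.home.2rjus.net/loki/api/v1/push";
          basic_auth = {
            username = "promtail";
            password_file = lokiPasswordFile;
          };
        }
      ];

      scrape_configs = [
        # systemd journal, decoded as JSON so PRIORITY can be lifted into a
        # label.
        {
          job_name = "journal";
          journal = {
            json = true;
            labels = { job = "systemd-journal"; } // hostLabels;
          };
          relabel_configs = [
            {
              source_labels = [ "__journal__systemd_unit" ];
              target_label = "systemd_unit";
            }
          ];
          pipeline_stages = [
            # Pull the syslog-style PRIORITY (0-7) out of the journal JSON.
            { json.expressions.priority = "PRIORITY"; }
            # Map PRIORITY to a level name; 0-2 (emerg/alert/crit) collapse into
            # "critical". An entry without PRIORITY matches no branch and the
            # template yields an empty string.
            {
              template = {
                source = "priority";
                template = ''{{ if or (eq .Value "0") (eq .Value "1") (eq .Value "2") }}critical{{ else if eq .Value "3" }}error{{ else if eq .Value "4" }}warning{{ else if eq .Value "5" }}notice{{ else if eq .Value "6" }}info{{ else if eq .Value "7" }}debug{{ end }}'';
              };
            }
            # Expose the mapped name as the `level` label.
            { labels.level = "priority"; }
          ];
        }
        # Plain-text logs under /var/log, recursively.
        {
          job_name = "varlog";
          static_configs = [
            {
              targets = [ "localhost" ];
              labels = {
                job = "varlog";
                __path__ = "/var/log/**/*.log";
              } // hostLabels;
            }
          ];
        }
      ];
    };
  };
}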