- Loki bound to localhost, Caddy reverse proxy with basic_auth - Vault secret (shared/loki/push-auth) for password, bcrypt hash generated at boot for Caddy environment - Promtail dual-ships to monitoring01 (direct) and loki.home.2rjus.net (with basic auth), conditional on vault.enable - Terraform: new shared loki-push policy added to all AppRoles Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
# NixOS module: caps journald disk usage and runs promtail, which ships the
# systemd journal and /var/log/**/*.log to Loki.
{ config, lib, ... }:

let
  host = config.homelab.host;
  vaultEnabled = config.vault.enable;

  # Labels merged into every scrape target below. `role` is added only when
  # the host declares one.
  hostLabels = {
    hostname = config.networking.hostName;
    inherit (host) tier;
  } // lib.optionalAttrs (host.role != null) {
    inherit (host) role;
  };

  # Direct push to port 3100 on monitoring01.
  # NOTE(review): plain HTTP with no credentials, so log lines cross the
  # network unencrypted on this path. Confirm it is still needed alongside
  # the authenticated HTTPS client below.
  directClient = {
    url = "http://monitoring01.home.2rjus.net:3100/loki/api/v1/push";
  };

  # Push over HTTPS with basic auth; only added on hosts with Vault enabled.
  authenticatedClient = {
    url = "https://loki.home.2rjus.net/loki/api/v1/push";
    basic_auth = {
      username = "promtail";
      # Presumably the path where vault.secrets.promtail-loki-auth is written;
      # verify against the vault module, and that the file is readable only by
      # the promtail service user.
      password_file = "/run/secrets/promtail-loki-auth";
    };
  };

  # systemd journal scrape job, with a `level` label derived from PRIORITY.
  journalJob = {
    job_name = "journal";
    journal = {
      json = true;
      labels = {
        job = "systemd-journal";
      } // hostLabels;
    };
    # Copy the journal's unit field into a `systemd_unit` label.
    relabel_configs = [
      {
        source_labels = [ "__journal__systemd_unit" ];
        target_label = "systemd_unit";
      }
    ];
    pipeline_stages = [
      # Extract PRIORITY from journal JSON
      {
        json = {
          expressions = {
            priority = "PRIORITY";
          };
        };
      }
      # Map numeric PRIORITY to level name. The template has no final else
      # branch, so any value other than "0".."7" renders as an empty string.
      {
        template = {
          source = "priority";
          template = ''{{ if or (eq .Value "0") (eq .Value "1") (eq .Value "2") }}critical{{ else if eq .Value "3" }}error{{ else if eq .Value "4" }}warning{{ else if eq .Value "5" }}notice{{ else if eq .Value "6" }}info{{ else if eq .Value "7" }}debug{{ end }}'';
        };
      }
      # Attach as level label
      {
        labels = {
          level = "priority";
        };
      }
    ];
  };

  # File scrape job for everything matching /var/log/**/*.log.
  # NOTE(review): the glob forwards whatever any application writes under
  # /var/log to both Loki clients; check nothing sensitive lands in those files.
  varlogJob = {
    job_name = "varlog";
    static_configs = [
      {
        targets = [ "localhost" ];
        labels = {
          job = "varlog";
          __path__ = "/var/log/**/*.log";
        } // hostLabels;
      }
    ];
  };
in
{
  # Configure journald
  services.journald = {
    rateLimitInterval = "10s";
    extraConfig = ''
      SystemMaxUse=100M
      SystemKeepFree=1G
    '';
  };

  # Fetch Loki push password from Vault (only on hosts with Vault enabled)
  vault.secrets.promtail-loki-auth = lib.mkIf vaultEnabled {
    secretPath = "shared/loki/push-auth";
    extractKey = "password";
    # Presumably the units that consume the secret; confirm against the
    # vault module.
    services = [ "promtail" ];
  };

  # Configure promtail
  services.promtail = {
    enable = true;
    configuration = {
      # NOTE(review): both listeners bind every interface and nothing in this
      # file restricts who can reach 9099/9098. Confirm the firewall limits
      # them to the hosts that need them, or bind a specific address.
      server = {
        http_listen_address = "0.0.0.0";
        http_listen_port = 9099;
        grpc_listen_address = "0.0.0.0";
        grpc_listen_port = 9098;
      };

      clients = [ directClient ] ++ lib.optionals vaultEnabled [ authenticatedClient ];

      scrape_configs = [
        journalJob
        varlogJob
      ];
    };
  };
}