torjus/nixos-servers
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
e81ebb0e752e88b0307bb6687d831cb4a1701911
nixos-servers/system/monitoring/logs.nix
Torjus Håkestad a6013d3950
Some checks failed
Run nix flake check / flake-check (push) Failing after 6m25s
Details
Run nix flake check / flake-check (pull_request) Failing after 3m52s
Details
monitoring02: enable alerting and migrate CNAMEs from http-proxy 
- Switch vmalert from blackhole mode to sending alerts to local
  Alertmanager
- Import alerttonotify service so alerts route to NATS notifications
- Move alertmanager and grafana CNAMEs from http-proxy to monitoring02
- Add monitoring CNAME to monitoring02
- Add Caddy reverse proxy entries for alertmanager and grafana
- Remove prometheus, alertmanager, and grafana Caddy entries from
  http-proxy (now served directly by monitoring02)
- Move monitoring02 Vault AppRole to hosts-generated.tf with
  extra_policies support and prometheus-metrics policy
- Update Promtail to use authenticated loki.home.2rjus.net endpoint
  only (remove unauthenticated monitoring01 client)
- Update pipe-to-loki and bootstrap to use loki.home.2rjus.net with
  basic auth from Vault secret
- Move migration plan to completed

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 21:23:21 +01:00

95 lines
2.5 KiB
Nix
Raw Blame History

{ config, lib, ... }:
let
hostLabels = {
hostname = config.networking.hostName;
tier = config.homelab.host.tier;
} // lib.optionalAttrs (config.homelab.host.role != null) {
role = config.homelab.host.role;
};
in
{
# Configure journald
services.journald = {
rateLimitInterval = "10s";
extraConfig = ''
SystemMaxUse=100M
SystemKeepFree=1G
'';
};
# Fetch Loki push password from Vault (only on hosts with Vault enabled)
vault.secrets.promtail-loki-auth = lib.mkIf config.vault.enable {
secretPath = "shared/loki/push-auth";
extractKey = "password";
owner = "promtail";
group = "promtail";
services = [ "promtail" ];
};
# Configure promtail
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_address = "0.0.0.0";
http_listen_port = 9099;
grpc_listen_address = "0.0.0.0";
grpc_listen_port = 9098;
};
clients = [
{
url = "https://loki.home.2rjus.net/loki/api/v1/push";
basic_auth = {
username = "promtail";
password_file = "/run/secrets/promtail-loki-auth";
};
}
];
scrape_configs = [
{
job_name = "journal";
journal = {
json = true;
labels = {
job = "systemd-journal";
} // hostLabels;
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "systemd_unit";
}
];
pipeline_stages = [
# Extract PRIORITY from journal JSON
{ json.expressions.priority = "PRIORITY"; }
# Map numeric PRIORITY to level name
{
template = {
source = "priority";
template = ''{{ if or (eq .Value "0") (eq .Value "1") (eq .Value "2") }}critical{{ else if eq .Value "3" }}error{{ else if eq .Value "4" }}warning{{ else if eq .Value "5" }}notice{{ else if eq .Value "6" }}info{{ else if eq .Value "7" }}debug{{ end }}'';
};
}
# Attach as level label
{ labels.level = "priority"; }
];
}
{
job_name = "varlog";
static_configs = [
{
targets = [ "localhost" ];
labels = {
job = "varlog";
__path__ = "/var/log/**/*.log";
} // hostLabels;
}
];
}
];
};
};
}
Reference in New Issue View Git Blame Copy Permalink