loki

2026-01-14 16:55:00 +01:00 · 2024-08-07 23:45:25 +02:00 · 2024-08-07 23:45:25 +02:00 · 1e37277c31
commit 1e37277c31
parent bd33b898fe
21 changed files with 121 additions and 27 deletions
--- a/newinfra/nix/modules/garage/README.md
+++ b/newinfra/nix/modules/garage/README.md
@ -16,9 +16,14 @@
 ## buckets

 - `caddy-store`: Store for Caddy webservers
-    - key `caddy`
+    - key `caddy` RW
 - `docker-registry`
+    - key `docker-registry` RW
+- `loki`
+    - key `loki` RW

 ## keys

 - `caddy`: `GK25e33d4ba20d54231e513b80`
+- `docker-registry`: `GK48011ee5b5ccbaf4233c0e40`
+- `loki`: `GK84ffae2a0728abff0f96667b`
--- a/newinfra/nix/modules/prometheus/default.nix
+++ b/newinfra/nix/modules/prometheus/default.nix
@ -1,4 +1,4 @@
-{ config, ... }: {
+{ config, lib, ... }: {
  services.prometheus = {
    enable = true;
    globalConfig = { };
@ -55,7 +55,6 @@
  };

  age.secrets.grafana_admin_password.file = ../../secrets/grafana_admin_password.age;
-
  systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana_admin_password.path;
  services.grafana = {
    enable = true;
@ -83,8 +82,92 @@
              prometheusType = "Prometheus";
            };
          }
+          {
+            name = "loki";
+            type = "loki";
+            access = "proxy";
+            url = "http://vps3.local:3100";
+          }
        ];
      };
    };
  };
+
+  age.secrets.loki_env.file = ../../secrets/loki_env.age;
+  systemd.services.loki.serviceConfig.EnvironmentFile = config.age.secrets.loki_env.path;
+  services.loki = {
+    enable = true;
+    extraFlags = [ "-config.expand-env=true" ];
+    configuration = {
+      auth_enabled = false;
+      server = {
+        http_listen_port = 3100;
+      };
+      common = {
+        ring = {
+          instance_addr = "127.0.0.1";
+          kvstore.store = "inmemory";
+        };
+        replication_factor = 1;
+        path_prefix = "/var/lib/loki";
+      };
+      schema_config = {
+        configs = [
+          {
+            from = "2020-05-15";
+            store = "tsdb";
+            object_store = "s3";
+            schema = "v13";
+            index = {
+              prefix = "index_";
+              period = "24h";
+            };
+          }
+        ];
+      };
+      storage_config = {
+        tsdb_shipper = {
+          active_index_directory = "/var/lib/loki/index";
+          cache_location = "/var/lib/loki/cache";
+        };
+        aws = {
+          s3 = "s3://\${ACCESS_KEY}:\${SECRET_KEY}@http://127.0.0.1:3900/loki";
+          insecure = true;
+        };
+      };
+    };
+  };
+  system.activationScripts.makeLokiDir = lib.stringAfter [ "var" ] ''
+    mkdir -p /var/lib/loki/{index,cache}
+    chown ${config.services.loki.user}:${config.services.loki.group} -R /var/lib/loki
+  '';
+
+  services.promtail = {
+    enable = true;
+    configuration = {
+      server = {
+        disable = true;
+      };
+      clients = [
+        {
+          url = "http://localhost:3100/loki/api/v1/push";
+        }
+      ];
+      scrape_configs = [
+        {
+          job_name = "journal";
+          journal = {
+            max_age = "12h";
+            labels = {
+              job = "systemd-journal";
+            };
+          };
+          relabel_configs = [{
+            source_labels = [ "__journal__systemd_unit" ];
+            target_label = "unit";
+          }];
+        }
+      ];
+    };
+  };
 }
--- a/newinfra/nix/secrets/caddy_s3_key_secret.age
+++ b/newinfra/nix/secrets/caddy_s3_key_secret.age
@ -1,13 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 qM6TYg suW24NAhcPEuIWyA1lFQSrtkVIoVUQV4qRppIwoH7n4
-XzB5wU21Od/y+nFQAFVesSSPhTPlRHJNTStOJVCVKNI
-> ssh-ed25519 XzACZQ v7FU9k53H5FZQZ2fiYElpDBcXT6+b9KNVTZ4g+2VjgI
-UUulUURY2fEui2ycv6r9PsVd5sZ662Kin2ZFfdJY9AY
-> ssh-ed25519 51bcvA 3CnO+G1LnAwYshp5DcnwfKmuFezJy0qADOzhcH6huWg
-B9CG7W4V9Z/oRvd54vOXsTopWiA+s3aXqypVREt+Njc
-> ssh-ed25519 vT7ExA nmuJNZLqv2n7pTQ2f2VgmonBh63O6RSm41vqxSrCTTQ
-lJXeHl4mKwYoaU2lI8lgGGNkBkU9ZRpqRzxm6UrPZ0U
--- lsYfgJSFOhYj0aR8B8t83su6POtmOdkPQJw39ku/bn0
-I6óÈqöST»bcƒ7'QT¢Í“¾4¨<34>²Ã’Tt¾gÇxÀœqÐbcpŽ?l®oíC8eÛ÷øo]ôJ*µDÐx®þ.OVßwvºãOš›
-È¹ðŒ3§‘_bm 9ML}×ƒîÉ"„ovu"’B[Ö#›w{I%]<5D>\9™:
-mÏKnƒç§:/ÉP£ZÀ´I 
+-> ssh-ed25519 qM6TYg CLDRFpO2DZRai0abyFUHTP0WWOBtLFS7rLOq5h5QtUs
+5gFHSYcctBGWkbe8LikjpTam/BHbilhbtMcWDBi9Oik
+-> ssh-ed25519 XzACZQ kx9bB9qiKbd/SLSaDjI1qODeLyBYfUrb12qC8adCvWs
+UpjT6xLfv7L1DnZnVcj72KIeClbryQ1efxgHeXTjngM
+-> ssh-ed25519 51bcvA 8nm/Z6VJacqmezgeYa1CsShZnclZgK0dfMBCgdD/unc
+6H2w2snEEhMvn4a4uXJdC4SfnvgQ/4B3qL7kpZ93Veg
+-> ssh-ed25519 vT7ExA Du6mW/IczVv0+SNLDT+6ghumvoNIL7wW+lKFuZ8SLTQ
+aqah8fBN8JgOoi6WsrspCqqKjk4Znnl4WZQhlt/AUQ4
+--- ljnxwBBY5gkLMQCwJvVfS8UJJ3VH4GVxh5G6CYcJvtA
+lm)
túÐ3Á€GßŽŸ¤åNÑ<4E>è=[·ç<C2B7>×?Õ¾jóž(Ñ,{Û0œRS!“4Îé#òe¯k&ëU6E¦ÓÂ€$¨w»
ÝvÐ£˜t×J6I,sÝ6Óe·nžƒ‡,ò—a÷êiÆs¤Ã”mJÔ9»–Øv~<7E>ñ<EFBFBD>Š0äøÄ¬Ol4KÔƒdÔ<18>SâŽ]ßp(d“|r
--- a/newinfra/nix/secrets/docker_registry_password.age
+++ b/newinfra/nix/secrets/docker_registry_password.age
@ -1,5 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 qM6TYg p6LIIYNxXoumgg777+rrmMoUBuudQrDb5R6p8EW/cC0
-bSwO9YTpnCxexbHiZANFykICHucznaA54C4hSdRnUo8
--- 3NVOMR4M/OUerHG/m+8srOq3JVt5D+ctjMvvkzQv47E
-´Ez<¸¦<C2B8>IuWÿX¤<qMÜn›Ëñˆ‡0"Oø„•¾<E280A2>ÂLÙ)1ÐÆ¦þÝÏVá½h‘
+-> ssh-ed25519 qM6TYg NvguOs7htIflYp6bh6oiiH7Cp2l/0Mf4mcf/4b8ReQg
+BngCQfbilctBfNKjE+TkEhE3Bk2pkIlc1UYdAFISP/g
+--- 3hA+KfCqIAvwuL+mr4PFW9hVlpsc+t0uwG8I8Uc8JXY
+JŸÄ@¡zI´9ì5/Š`…Ÿ…VfWß¤æßp#™0;DÔ ËØ¯w'¬r²ÞgËÁ+n
--- a/newinfra/nix/secrets/garage_secrets.age
+++ b/newinfra/nix/secrets/garage_secrets.age
--- a/newinfra/nix/secrets/grafana_admin_password.age
+++ b/newinfra/nix/secrets/grafana_admin_password.age
@ -1,5 +1,6 @@
 age-encryption.org/v1
-> ssh-ed25519 XzACZQ 3tsILL/SbH8Q9HSLdHXp7bCp6qFpPvM+i9oY1ig7w2s
-wXY15JDZ1OJ/EOcRNcptCeJL6hJm3b9Qv979+GNTmmQ
--- Q+TStd6iOYR9XlxmSclv//8J+PZr2M7KwK/+Wrs65zY
-*<2A>·;<3B>x6ß=”<>%ä[´°Zg™·ì=:Tîs-2Ögî“º#â‰®‹‚”ë½ò· ûÙha³Fû…IDr.¯fÃ‡¥;û‘ÕªgíØ·~DŸãˆÈ¢udÁèÕMÉf»ýdÁ˜zÞå
+-> ssh-ed25519 XzACZQ SosFhSCAHF2iDSk+H05bziuG9qOxe+/wTjQxut+KggA
+4/f30HxHreEh28+oQwhZCP9zvg/8Wr5IVLciCWJjSmo
+--- 7p+ykQtDZWxlMpzcdjG8AMgBeo/zbrWet5A9uV5KuCo
+‚Ò”$Åê"¨íë?0¹k—¹£¥<C2A3>ŽÏì6'!’O4Á™¼C‰á\	¸E	#Rÿ>Mé+³+‡]êWZ	ntmÃ±Ê»ëdý
+¹¶KbŸU9Lâ“l“á;É}u=ÔÓ?®7¼ÛÀNy<4E>
--- a/newinfra/nix/secrets/hugochat_db_password.age
+++ b/newinfra/nix/secrets/hugochat_db_password.age
--- a/newinfra/nix/secrets/loki_env.age
+++ b/newinfra/nix/secrets/loki_env.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 XzACZQ duC8HdUu3AuNHooD0lOyoQthZ2g7agHxE+o39iHljAk
+nOySC3inXaD1MjbosV1NcxJhXYKmU3gJu5M4CtdFwK0
+--- QkN5D8JfVCTCyBlWIou4mmV58gHZ5qgS1CY4APxm2wU
+³€'9<>NPp˜Ìí@5<>x<EFBFBD>@E“>X8˜“džæ}þ<>‰MqåGL1~¡_ áÍrxy–”Ë÷Ò0)%(DT@å[¾eÆËw2Îž©ó…yÊˆBôõ¬‰}<1
+Í‹Y1Z+ÏI§y$\X1e)–µe?yáKlÑG¾\
´N£[<5B>aÁ¼ÿÇYqŒôKà<1F>œ¼>ž×
--- a/newinfra/nix/secrets/minio_env_file.age
+++ b/newinfra/nix/secrets/minio_env_file.age
--- a/newinfra/nix/secrets/registry_htpasswd.age
+++ b/newinfra/nix/secrets/registry_htpasswd.age
--- a/newinfra/nix/secrets/registry_s3_key_secret.age
+++ b/newinfra/nix/secrets/registry_s3_key_secret.age
--- a/newinfra/nix/secrets/secrets.nix
+++ b/newinfra/nix/secrets/secrets.nix
@ -17,6 +17,7 @@ in
  "registry_htpasswd.age".publicKeys = [ vps1 ];
  "registry_s3_key_secret.age".publicKeys = [ vps1 ];
  "grafana_admin_password.age".publicKeys = [ vps3 ];
+  "loki_env.age".publicKeys = [ vps3 ];
  "wg_private_dns1.age".publicKeys = [ dns1 ];
  "wg_private_dns2.age".publicKeys = [ dns2 ];
  "wg_private_vps1.age".publicKeys = [ vps1 ];
--- a/newinfra/nix/secrets/wg_private_dns1.age
+++ b/newinfra/nix/secrets/wg_private_dns1.age
--- a/newinfra/nix/secrets/wg_private_dns2.age
+++ b/newinfra/nix/secrets/wg_private_dns2.age
--- a/newinfra/nix/secrets/wg_private_vps1.age
+++ b/newinfra/nix/secrets/wg_private_vps1.age
--- a/newinfra/nix/secrets/wg_private_vps3.age
+++ b/newinfra/nix/secrets/wg_private_vps3.age
--- a/newinfra/nix/secrets/wg_private_vps4.age
+++ b/newinfra/nix/secrets/wg_private_vps4.age
@ -1,5 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 51bcvA ji2zWkOp9u2bor9xScXWckGZN3733piHLN/gd+quiW0
-uzciBDLzZiizL3fFbn3vjiIoHGJWdFlHff3vjSWHs7g
--- fE0bz9m5izwJX90w3RjhmzNaCPuKjhpM5M0qngI9c/A
-ð·ß/žéË3^é¥'%‹(<28>Ö¡!æk›eîG`ò<>ébÚ<62>ê¹¯ÅJ´ù×0£L.»™–Ð´Ê<C2AD>îp¯ ŽeŸs,<2C>1ÚÈ·øÖ
+-> ssh-ed25519 51bcvA rPz/FYX2fQZl6qKVGi4lysbaEfcUlZLqgz5dTkiGEmc
+XFG3Mio/jSyD11sWTASw820p78mohiZ8e5vrP6ZQJO4
+--- 97H29fZ0yb9XByMaOEM7RcRfsEOYwjC5C7kZERehCEU
+VÙ”ïà^G~À×,s‘àô-Ù\uÒƒU(Èî2pÙ®r,½1¢¥†ÝÈ*dÎpÉ)?g/byày¢nÏMcŸ}dÌÄ¤3Ãv*WS`»	e¨
--- a/newinfra/nix/secrets/wg_private_vps5.age
+++ b/newinfra/nix/secrets/wg_private_vps5.age
--- a/newinfra/nix/secrets/widetom_bot_token.age
+++ b/newinfra/nix/secrets/widetom_bot_token.age
--- a/newinfra/nix/secrets/widetom_config_toml.age
+++ b/newinfra/nix/secrets/widetom_config_toml.age
--- a/newinfra/secrets-git-crypt/loki_env
+++ b/newinfra/secrets-git-crypt/loki_env