pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / monitoring / prometheus / default.nix
at 22.05-pre 60 kB view raw
1{ config, pkgs, lib, ... }: 2 3with lib; 4 5let 6 cfg = config.services.prometheus; 7 8 workingDir = "/var/lib/" + cfg.stateDir; 9 10 prometheusYmlOut = "${workingDir}/prometheus-substituted.yaml"; 11 12 triggerReload = pkgs.writeShellScriptBin "trigger-reload-prometheus" '' 13 PATH="${makeBinPath (with pkgs; [ systemd ])}" 14 if systemctl -q is-active prometheus.service; then 15 systemctl reload prometheus.service 16 fi 17 ''; 18 19 reload = pkgs.writeShellScriptBin "reload-prometheus" '' 20 PATH="${makeBinPath (with pkgs; [ systemd coreutils gnugrep ])}" 21 cursor=$(journalctl --show-cursor -n0 | grep -oP "cursor: \K.*") 22 kill -HUP $MAINPID 23 journalctl -u prometheus.service --after-cursor="$cursor" -f \ 24 | grep -m 1 "Completed loading of configuration file" > /dev/null 25 ''; 26 27 # a wrapper that verifies that the configuration is valid 28 promtoolCheck = what: name: file: 29 if cfg.checkConfig then 30 pkgs.runCommandLocal 31 "${name}-${replaceStrings [" "] [""] what}-checked" 32 { buildInputs = [ cfg.package ]; } '' 33 ln -s ${file} $out 34 promtool ${what} $out 35 '' else file; 36 37 # Pretty-print JSON to a file 38 writePrettyJSON = name: x: 39 pkgs.runCommandLocal name { } '' 40 echo '${builtins.toJSON x}' | ${pkgs.jq}/bin/jq . > $out 41 ''; 42 43 generatedPrometheusYml = writePrettyJSON "prometheus.yml" promConfig; 44 45 # This becomes the main config file for Prometheus 46 promConfig = { 47 global = filterValidPrometheus cfg.globalConfig; 48 rule_files = map (promtoolCheck "check rules" "rules") (cfg.ruleFiles ++ [ 49 (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg.rules)) 50 ]); 51 scrape_configs = filterValidPrometheus cfg.scrapeConfigs; 52 remote_write = filterValidPrometheus cfg.remoteWrite; 53 remote_read = filterValidPrometheus cfg.remoteRead; 54 alerting = { 55 inherit (cfg) alertmanagers; 56 }; 57 }; 58 59 prometheusYml = 60 let 61 yml = 62 if cfg.configText != null then 63 pkgs.writeText "prometheus.yml" cfg.configText 64 else generatedPrometheusYml; 65 in 66 promtoolCheck "check config" "prometheus.yml" yml; 67 68 cmdlineArgs = cfg.extraFlags ++ [ 69 "--storage.tsdb.path=${workingDir}/data/" 70 "--config.file=${ 71 if cfg.enableReload 72 then "/etc/prometheus/prometheus.yaml" 73 else prometheusYml 74 }" 75 "--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}" 76 "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" 77 "--alertmanager.timeout=${toString cfg.alertmanagerTimeout}s" 78 ] ++ optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}" 79 ++ optional (cfg.retentionTime != null) "--storage.tsdb.retention.time=${cfg.retentionTime}"; 80 81 filterValidPrometheus = filterAttrsListRecursive (n: v: !(n == "_module" || v == null)); 82 filterAttrsListRecursive = pred: x: 83 if isAttrs x then 84 listToAttrs 85 ( 86 concatMap 87 (name: 88 let v = x.${name}; in 89 if pred name v then [ 90 (nameValuePair name (filterAttrsListRecursive pred v)) 91 ] else [ ] 92 ) 93 (attrNames x) 94 ) 95 else if isList x then 96 map (filterAttrsListRecursive pred) x 97 else x; 98 99 # 100 # Config types: helper functions 101 # 102 103 mkDefOpt = type: defaultStr: description: mkOpt type (description + '' 104 105 Defaults to <literal>${defaultStr}</literal> in prometheus 106 when set to <literal>null</literal>. 107 ''); 108 109 mkOpt = type: description: mkOption { 110 type = types.nullOr type; 111 default = null; 112 inherit description; 113 }; 114 115 mkSdConfigModule = extraOptions: types.submodule { 116 options = { 117 basic_auth = mkOpt promTypes.basic_auth '' 118 Optional HTTP basic authentication information. 119 ''; 120 121 authorization = mkOpt 122 (types.submodule { 123 options = { 124 type = mkDefOpt types.str "Bearer" '' 125 Sets the authentication type. 126 ''; 127 128 credentials = mkOpt types.str '' 129 Sets the credentials. It is mutually exclusive with `credentials_file`. 130 ''; 131 132 credentials_file = mkOpt types.str '' 133 Sets the credentials to the credentials read from the configured file. 134 It is mutually exclusive with `credentials`. 135 ''; 136 }; 137 }) '' 138 Optional `Authorization` header configuration. 139 ''; 140 141 oauth2 = mkOpt promtypes.oauth2 '' 142 Optional OAuth 2.0 configuration. 143 Cannot be used at the same time as basic_auth or authorization. 144 ''; 145 146 proxy_url = mkOpt types.str '' 147 Optional proxy URL. 148 ''; 149 150 follow_redirects = mkDefOpt types.bool "true" '' 151 Configure whether HTTP requests follow HTTP 3xx redirects. 152 ''; 153 154 tls_config = mkOpt promTypes.tls_config '' 155 TLS configuration. 156 ''; 157 } // extraOptions; 158 }; 159 160 # 161 # Config types: general 162 # 163 164 promTypes.globalConfig = types.submodule { 165 options = { 166 scrape_interval = mkDefOpt types.str "1m" '' 167 How frequently to scrape targets by default. 168 ''; 169 170 scrape_timeout = mkDefOpt types.str "10s" '' 171 How long until a scrape request times out. 172 ''; 173 174 evaluation_interval = mkDefOpt types.str "1m" '' 175 How frequently to evaluate rules by default. 176 ''; 177 178 external_labels = mkOpt (types.attrsOf types.str) '' 179 The labels to add to any time series or alerts when 180 communicating with external systems (federation, remote 181 storage, Alertmanager). 182 ''; 183 }; 184 }; 185 186 promTypes.basic_auth = types.submodule { 187 options = { 188 username = mkOption { 189 type = types.str; 190 description = '' 191 HTTP username 192 ''; 193 }; 194 password = mkOpt types.str "HTTP password"; 195 password_file = mkOpt types.str "HTTP password file"; 196 }; 197 }; 198 199 promTypes.tls_config = types.submodule { 200 options = { 201 ca_file = mkOpt types.str '' 202 CA certificate to validate API server certificate with. 203 ''; 204 205 cert_file = mkOpt types.str '' 206 Certificate file for client cert authentication to the server. 207 ''; 208 209 key_file = mkOpt types.str '' 210 Key file for client cert authentication to the server. 211 ''; 212 213 server_name = mkOpt types.str '' 214 ServerName extension to indicate the name of the server. 215 http://tools.ietf.org/html/rfc4366#section-3.1 216 ''; 217 218 insecure_skip_verify = mkOpt types.bool '' 219 Disable validation of the server certificate. 220 ''; 221 }; 222 }; 223 224 promtypes.oauth2 = types.submodule { 225 options = { 226 client_id = mkOpt types.str '' 227 OAuth client ID. 228 ''; 229 230 client_secret = mkOpt types.str '' 231 OAuth client secret. 232 ''; 233 234 client_secret_file = mkOpt types.str '' 235 Read the client secret from a file. It is mutually exclusive with `client_secret`. 236 ''; 237 238 scopes = mkOpt (types.listOf types.str) '' 239 Scopes for the token request. 240 ''; 241 242 token_url = mkOpt types.str '' 243 The URL to fetch the token from. 244 ''; 245 246 endpoint_params = mkOpt (types.attrsOf types.str) '' 247 Optional parameters to append to the token URL. 248 ''; 249 }; 250 }; 251 252 promTypes.scrape_config = types.submodule { 253 options = { 254 job_name = mkOption { 255 type = types.str; 256 description = '' 257 The job name assigned to scraped metrics by default. 258 ''; 259 }; 260 scrape_interval = mkOpt types.str '' 261 How frequently to scrape targets from this job. Defaults to the 262 globally configured default. 263 ''; 264 265 scrape_timeout = mkOpt types.str '' 266 Per-target timeout when scraping this job. Defaults to the 267 globally configured default. 268 ''; 269 270 metrics_path = mkDefOpt types.str "/metrics" '' 271 The HTTP resource path on which to fetch metrics from targets. 272 ''; 273 274 honor_labels = mkDefOpt types.bool "false" '' 275 Controls how Prometheus handles conflicts between labels 276 that are already present in scraped data and labels that 277 Prometheus would attach server-side ("job" and "instance" 278 labels, manually configured target labels, and labels 279 generated by service discovery implementations). 280 281 If honor_labels is set to "true", label conflicts are 282 resolved by keeping label values from the scraped data and 283 ignoring the conflicting server-side labels. 284 285 If honor_labels is set to "false", label conflicts are 286 resolved by renaming conflicting labels in the scraped data 287 to "exported_&lt;original-label&gt;" (for example 288 "exported_instance", "exported_job") and then attaching 289 server-side labels. This is useful for use cases such as 290 federation, where all labels specified in the target should 291 be preserved. 292 ''; 293 294 honor_timestamps = mkDefOpt types.bool "true" '' 295 honor_timestamps controls whether Prometheus respects the timestamps present 296 in scraped data. 297 298 If honor_timestamps is set to <literal>true</literal>, the timestamps of the metrics exposed 299 by the target will be used. 300 301 If honor_timestamps is set to <literal>false</literal>, the timestamps of the metrics exposed 302 by the target will be ignored. 303 ''; 304 305 scheme = mkDefOpt (types.enum [ "http" "https" ]) "http" '' 306 The URL scheme with which to fetch metrics from targets. 307 ''; 308 309 params = mkOpt (types.attrsOf (types.listOf types.str)) '' 310 Optional HTTP URL parameters. 311 ''; 312 313 basic_auth = mkOpt promTypes.basic_auth '' 314 Sets the `Authorization` header on every scrape request with the 315 configured username and password. 316 password and password_file are mutually exclusive. 317 ''; 318 319 bearer_token = mkOpt types.str '' 320 Sets the `Authorization` header on every scrape request with 321 the configured bearer token. It is mutually exclusive with 322 <option>bearer_token_file</option>. 323 ''; 324 325 bearer_token_file = mkOpt types.str '' 326 Sets the `Authorization` header on every scrape request with 327 the bearer token read from the configured file. It is mutually 328 exclusive with <option>bearer_token</option>. 329 ''; 330 331 tls_config = mkOpt promTypes.tls_config '' 332 Configures the scrape request's TLS settings. 333 ''; 334 335 proxy_url = mkOpt types.str '' 336 Optional proxy URL. 337 ''; 338 339 azure_sd_configs = mkOpt (types.listOf promTypes.azure_sd_config) '' 340 List of Azure service discovery configurations. 341 ''; 342 343 consul_sd_configs = mkOpt (types.listOf promTypes.consul_sd_config) '' 344 List of Consul service discovery configurations. 345 ''; 346 347 digitalocean_sd_configs = mkOpt (types.listOf promTypes.digitalocean_sd_config) '' 348 List of DigitalOcean service discovery configurations. 349 ''; 350 351 docker_sd_configs = mkOpt (types.listOf promTypes.docker_sd_config) '' 352 List of Docker service discovery configurations. 353 ''; 354 355 dockerswarm_sd_configs = mkOpt (types.listOf promTypes.dockerswarm_sd_config) '' 356 List of Docker Swarm service discovery configurations. 357 ''; 358 359 dns_sd_configs = mkOpt (types.listOf promTypes.dns_sd_config) '' 360 List of DNS service discovery configurations. 361 ''; 362 363 ec2_sd_configs = mkOpt (types.listOf promTypes.ec2_sd_config) '' 364 List of EC2 service discovery configurations. 365 ''; 366 367 eureka_sd_configs = mkOpt (types.listOf promTypes.eureka_sd_config) '' 368 List of Eureka service discovery configurations. 369 ''; 370 371 file_sd_configs = mkOpt (types.listOf promTypes.file_sd_config) '' 372 List of file service discovery configurations. 373 ''; 374 375 gce_sd_configs = mkOpt (types.listOf promTypes.gce_sd_config) '' 376 List of Google Compute Engine service discovery configurations. 377 378 See <link 379 xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config">the 380 relevant Prometheus configuration docs</link> for more detail. 381 ''; 382 383 hetzner_sd_configs = mkOpt (types.listOf promTypes.hetzner_sd_config) '' 384 List of Hetzner service discovery configurations. 385 ''; 386 387 http_sd_configs = mkOpt (types.listOf promTypes.http_sd_config) '' 388 List of HTTP service discovery configurations. 389 ''; 390 391 kubernetes_sd_configs = mkOpt (types.listOf promTypes.kubernetes_sd_config) '' 392 List of Kubernetes service discovery configurations. 393 ''; 394 395 kuma_sd_configs = mkOpt (types.listOf promTypes.kuma_sd_config) '' 396 List of Kuma service discovery configurations. 397 ''; 398 399 lightsail_sd_configs = mkOpt (types.listOf promTypes.lightsail_sd_config) '' 400 List of Lightsail service discovery configurations. 401 ''; 402 403 linode_sd_configs = mkOpt (types.listOf promTypes.linode_sd_config) '' 404 List of Linode service discovery configurations. 405 ''; 406 407 marathon_sd_configs = mkOpt (types.listOf promTypes.marathon_sd_config) '' 408 List of Marathon service discovery configurations. 409 ''; 410 411 nerve_sd_configs = mkOpt (types.listOf promTypes.nerve_sd_config) '' 412 List of AirBnB's Nerve service discovery configurations. 413 ''; 414 415 openstack_sd_configs = mkOpt (types.listOf promTypes.openstack_sd_config) '' 416 List of OpenStack service discovery configurations. 417 ''; 418 419 puppetdb_sd_configs = mkOpt (types.listOf promTypes.puppetdb_sd_config) '' 420 List of PuppetDB service discovery configurations. 421 ''; 422 423 scaleway_sd_configs = mkOpt (types.listOf promTypes.scaleway_sd_config) '' 424 List of Scaleway service discovery configurations. 425 ''; 426 427 serverset_sd_configs = mkOpt (types.listOf promTypes.serverset_sd_config) '' 428 List of Zookeeper Serverset service discovery configurations. 429 ''; 430 431 triton_sd_configs = mkOpt (types.listOf promTypes.triton_sd_config) '' 432 List of Triton Serverset service discovery configurations. 433 ''; 434 435 uyuni_sd_configs = mkOpt (types.listOf promTypes.uyuni_sd_config) '' 436 List of Uyuni Serverset service discovery configurations. 437 ''; 438 439 static_configs = mkOpt (types.listOf promTypes.static_config) '' 440 List of labeled target groups for this job. 441 ''; 442 443 relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 444 List of relabel configurations. 445 ''; 446 447 metric_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 448 List of metric relabel configurations. 449 ''; 450 451 body_size_limit = mkDefOpt types.str "0" '' 452 An uncompressed response body larger than this many bytes will cause the 453 scrape to fail. 0 means no limit. Example: 100MB. 454 This is an experimental feature, this behaviour could 455 change or be removed in the future. 456 ''; 457 458 sample_limit = mkDefOpt types.int "0" '' 459 Per-scrape limit on number of scraped samples that will be accepted. 460 If more than this number of samples are present after metric relabelling 461 the entire scrape will be treated as failed. 0 means no limit. 462 ''; 463 464 label_limit = mkDefOpt types.int "0" '' 465 Per-scrape limit on number of labels that will be accepted for a sample. If 466 more than this number of labels are present post metric-relabeling, the 467 entire scrape will be treated as failed. 0 means no limit. 468 ''; 469 470 label_name_length_limit = mkDefOpt types.int "0" '' 471 Per-scrape limit on length of labels name that will be accepted for a sample. 472 If a label name is longer than this number post metric-relabeling, the entire 473 scrape will be treated as failed. 0 means no limit. 474 ''; 475 476 label_value_length_limit = mkDefOpt types.int "0" '' 477 Per-scrape limit on length of labels value that will be accepted for a sample. 478 If a label value is longer than this number post metric-relabeling, the 479 entire scrape will be treated as failed. 0 means no limit. 480 ''; 481 482 target_limit = mkDefOpt types.int "0" '' 483 Per-scrape config limit on number of unique targets that will be 484 accepted. If more than this number of targets are present after target 485 relabeling, Prometheus will mark the targets as failed without scraping them. 486 0 means no limit. This is an experimental feature, this behaviour could 487 change in the future. 488 ''; 489 }; 490 }; 491 492 # 493 # Config types: service discovery 494 # 495 496 # For this one, the docs actually define all types needed to use mkSdConfigModule, but a bunch 497 # of them are marked with 'currently not support by Azure' so we don't bother adding them in 498 # here. 499 promTypes.azure_sd_config = types.submodule { 500 options = { 501 environment = mkDefOpt types.str "AzurePublicCloud" '' 502 The Azure environment. 503 ''; 504 505 authentication_method = mkDefOpt (types.enum [ "OAuth" "ManagedIdentity" ]) "OAuth" '' 506 The authentication method, either OAuth or ManagedIdentity. 507 See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview 508 ''; 509 510 subscription_id = mkOption { 511 type = types.str; 512 description = '' 513 The subscription ID. 514 ''; 515 }; 516 517 tenant_id = mkOpt types.str '' 518 Optional tenant ID. Only required with authentication_method OAuth. 519 ''; 520 521 client_id = mkOpt types.str '' 522 Optional client ID. Only required with authentication_method OAuth. 523 ''; 524 525 client_secret = mkOpt types.str '' 526 Optional client secret. Only required with authentication_method OAuth. 527 ''; 528 529 refresh_interval = mkDefOpt types.str "300s" '' 530 Refresh interval to re-read the instance list. 531 ''; 532 533 port = mkDefOpt types.int "80" '' 534 The port to scrape metrics from. If using the public IP 535 address, this must instead be specified in the relabeling 536 rule. 537 ''; 538 539 proxy_url = mkOpt types.str '' 540 Optional proxy URL. 541 ''; 542 543 follow_redirects = mkDefOpt types.bool "true" '' 544 Configure whether HTTP requests follow HTTP 3xx redirects. 545 ''; 546 547 tls_config = mkOpt promTypes.tls_config '' 548 TLS configuration. 549 ''; 550 }; 551 }; 552 553 promTypes.consul_sd_config = mkSdConfigModule { 554 server = mkDefOpt types.str "localhost:8500" '' 555 Consul server to query. 556 ''; 557 558 token = mkOpt types.str "Consul token"; 559 560 datacenter = mkOpt types.str "Consul datacenter"; 561 562 scheme = mkDefOpt types.str "http" "Consul scheme"; 563 564 username = mkOpt types.str "Consul username"; 565 566 password = mkOpt types.str "Consul password"; 567 568 tls_config = mkOpt promTypes.tls_config '' 569 Configures the Consul request's TLS settings. 570 ''; 571 572 services = mkOpt (types.listOf types.str) '' 573 A list of services for which targets are retrieved. 574 ''; 575 576 tags = mkOpt (types.listOf types.str) '' 577 An optional list of tags used to filter nodes for a given 578 service. Services must contain all tags in the list. 579 ''; 580 581 node_meta = mkOpt (types.attrsOf types.str) '' 582 Node metadata used to filter nodes for a given service. 583 ''; 584 585 tag_separator = mkDefOpt types.str "," '' 586 The string by which Consul tags are joined into the tag label. 587 ''; 588 589 allow_stale = mkOpt types.bool '' 590 Allow stale Consul results 591 (see <link xlink:href="https://www.consul.io/api/index.html#consistency-modes"/>). 592 593 Will reduce load on Consul. 594 ''; 595 596 refresh_interval = mkDefOpt types.str "30s" '' 597 The time after which the provided names are refreshed. 598 599 On large setup it might be a good idea to increase this value 600 because the catalog will change all the time. 601 ''; 602 }; 603 604 promTypes.digitalocean_sd_config = mkSdConfigModule { 605 port = mkDefOpt types.int "80" '' 606 The port to scrape metrics from. 607 ''; 608 609 refresh_interval = mkDefOpt types.str "60s" '' 610 The time after which the droplets are refreshed. 611 ''; 612 }; 613 614 mkDockerSdConfigModule = extraOptions: mkSdConfigModule ({ 615 host = mkOption { 616 type = types.str; 617 description = '' 618 Address of the Docker daemon. 619 ''; 620 }; 621 622 port = mkDefOpt types.int "80" '' 623 The port to scrape metrics from, when `role` is nodes, and for discovered 624 tasks and services that don't have published ports. 625 ''; 626 627 filters = mkOpt 628 (types.listOf (types.submodule { 629 options = { 630 name = mkOption { 631 type = types.str; 632 description = '' 633 Name of the filter. The available filters are listed in the upstream documentation: 634 Services: <link xlink:href="https://docs.docker.com/engine/api/v1.40/#operation/ServiceList"/> 635 Tasks: <link xlink:href="https://docs.docker.com/engine/api/v1.40/#operation/TaskList"/> 636 Nodes: <link xlink:href="https://docs.docker.com/engine/api/v1.40/#operation/NodeList"/> 637 ''; 638 }; 639 values = mkOption { 640 type = types.str; 641 description = '' 642 Value for the filter. 643 ''; 644 }; 645 }; 646 })) '' 647 Optional filters to limit the discovery process to a subset of available resources. 648 ''; 649 650 refresh_interval = mkDefOpt types.str "60s" '' 651 The time after which the containers are refreshed. 652 ''; 653 } // extraOptions); 654 655 promTypes.docker_sd_config = mkDockerSdConfigModule { 656 host_networking_host = mkDefOpt types.str "localhost" '' 657 The host to use if the container is in host networking mode. 658 ''; 659 }; 660 661 promTypes.dockerswarm_sd_config = mkDockerSdConfigModule { 662 role = mkOption { 663 type = types.enum [ "services" "tasks" "nodes" ]; 664 description = '' 665 Role of the targets to retrieve. Must be `services`, `tasks`, or `nodes`. 666 ''; 667 }; 668 }; 669 670 promTypes.dns_sd_config = types.submodule { 671 options = { 672 names = mkOption { 673 type = types.listOf types.str; 674 description = '' 675 A list of DNS SRV record names to be queried. 676 ''; 677 }; 678 679 type = mkDefOpt (types.enum [ "SRV" "A" "AAAA" ]) "SRV" '' 680 The type of DNS query to perform. One of SRV, A, or AAAA. 681 ''; 682 683 port = mkOpt types.int '' 684 The port number used if the query type is not SRV. 685 ''; 686 687 refresh_interval = mkDefOpt types.str "30s" '' 688 The time after which the provided names are refreshed. 689 ''; 690 }; 691 }; 692 693 promTypes.ec2_sd_config = types.submodule { 694 options = { 695 region = mkOption { 696 type = types.str; 697 description = '' 698 The AWS Region. If blank, the region from the instance metadata is used. 699 ''; 700 }; 701 endpoint = mkOpt types.str '' 702 Custom endpoint to be used. 703 ''; 704 705 access_key = mkOpt types.str '' 706 The AWS API key id. If blank, the environment variable 707 <literal>AWS_ACCESS_KEY_ID</literal> is used. 708 ''; 709 710 secret_key = mkOpt types.str '' 711 The AWS API key secret. If blank, the environment variable 712 <literal>AWS_SECRET_ACCESS_KEY</literal> is used. 713 ''; 714 715 profile = mkOpt types.str '' 716 Named AWS profile used to connect to the API. 717 ''; 718 719 role_arn = mkOpt types.str '' 720 AWS Role ARN, an alternative to using AWS API keys. 721 ''; 722 723 refresh_interval = mkDefOpt types.str "60s" '' 724 Refresh interval to re-read the instance list. 725 ''; 726 727 port = mkDefOpt types.int "80" '' 728 The port to scrape metrics from. If using the public IP 729 address, this must instead be specified in the relabeling 730 rule. 731 ''; 732 733 filters = mkOpt 734 (types.listOf (types.submodule { 735 options = { 736 name = mkOption { 737 type = types.str; 738 description = '' 739 See <link xlink:href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html">this list</link> 740 for the available filters. 741 ''; 742 }; 743 744 values = mkOption { 745 type = types.listOf types.str; 746 default = [ ]; 747 description = '' 748 Value of the filter. 749 ''; 750 }; 751 }; 752 })) '' 753 Filters can be used optionally to filter the instance list by other criteria. 754 ''; 755 }; 756 }; 757 758 promTypes.eureka_sd_config = mkSdConfigModule { 759 server = mkOption { 760 type = types.str; 761 description = '' 762 The URL to connect to the Eureka server. 763 ''; 764 }; 765 }; 766 767 promTypes.file_sd_config = types.submodule { 768 options = { 769 files = mkOption { 770 type = types.listOf types.str; 771 description = '' 772 Patterns for files from which target groups are extracted. Refer 773 to the Prometheus documentation for permitted filename patterns 774 and formats. 775 ''; 776 }; 777 778 refresh_interval = mkDefOpt types.str "5m" '' 779 Refresh interval to re-read the files. 780 ''; 781 }; 782 }; 783 784 promTypes.gce_sd_config = types.submodule { 785 options = { 786 # Use `mkOption` instead of `mkOpt` for project and zone because they are 787 # required configuration values for `gce_sd_config`. 788 project = mkOption { 789 type = types.str; 790 description = '' 791 The GCP Project. 792 ''; 793 }; 794 795 zone = mkOption { 796 type = types.str; 797 description = '' 798 The zone of the scrape targets. If you need multiple zones use multiple 799 gce_sd_configs. 800 ''; 801 }; 802 803 filter = mkOpt types.str '' 804 Filter can be used optionally to filter the instance list by other 805 criteria Syntax of this filter string is described here in the filter 806 query parameter section: <link 807 xlink:href="https://cloud.google.com/compute/docs/reference/latest/instances/list" 808 />. 809 ''; 810 811 refresh_interval = mkDefOpt types.str "60s" '' 812 Refresh interval to re-read the cloud instance list. 813 ''; 814 815 port = mkDefOpt types.port "80" '' 816 The port to scrape metrics from. If using the public IP address, this 817 must instead be specified in the relabeling rule. 818 ''; 819 820 tag_separator = mkDefOpt types.str "," '' 821 The tag separator used to separate concatenated GCE instance network tags. 822 823 See the GCP documentation on network tags for more information: 824 <link xlink:href="https://cloud.google.com/vpc/docs/add-remove-network-tags" /> 825 ''; 826 }; 827 }; 828 829 promTypes.hetzner_sd_config = mkSdConfigModule { 830 role = mkOption { 831 type = types.enum [ "robot" "hcloud" ]; 832 description = '' 833 The Hetzner role of entities that should be discovered. 834 One of <literal>robot</literal> or <literal>hcloud</literal>. 835 ''; 836 }; 837 838 port = mkDefOpt types.int "80" '' 839 The port to scrape metrics from. 840 ''; 841 842 refresh_interval = mkDefOpt types.str "60s" '' 843 The time after which the servers are refreshed. 844 ''; 845 }; 846 847 promTypes.http_sd_config = types.submodule { 848 options = { 849 url = mkOption { 850 type = types.str; 851 description = '' 852 URL from which the targets are fetched. 853 ''; 854 }; 855 856 refresh_interval = mkDefOpt types.str "60s" '' 857 Refresh interval to re-query the endpoint. 858 ''; 859 860 basic_auth = mkOpt promTypes.basic_auth '' 861 Authentication information used to authenticate to the API server. 862 password and password_file are mutually exclusive. 863 ''; 864 865 proxy_url = mkOpt types.str '' 866 Optional proxy URL. 867 ''; 868 869 follow_redirects = mkDefOpt types.bool "true" '' 870 Configure whether HTTP requests follow HTTP 3xx redirects. 871 ''; 872 873 tls_config = mkOpt promTypes.tls_config '' 874 Configures the scrape request's TLS settings. 875 ''; 876 }; 877 }; 878 879 promTypes.kubernetes_sd_config = mkSdConfigModule { 880 api_server = mkOpt types.str '' 881 The API server addresses. If left empty, Prometheus is assumed to run inside 882 of the cluster and will discover API servers automatically and use the pod's 883 CA certificate and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/. 884 ''; 885 886 role = mkOption { 887 type = types.enum [ "endpoints" "service" "pod" "node" "ingress" ]; 888 description = '' 889 The Kubernetes role of entities that should be discovered. 890 One of endpoints, service, pod, node, or ingress. 891 ''; 892 }; 893 894 kubeconfig_file = mkOpt types.str '' 895 Optional path to a kubeconfig file. 896 Note that api_server and kube_config are mutually exclusive. 897 ''; 898 899 namespaces = mkOpt 900 ( 901 types.submodule { 902 options = { 903 names = mkOpt (types.listOf types.str) '' 904 Namespace name. 905 ''; 906 }; 907 } 908 ) '' 909 Optional namespace discovery. If omitted, all namespaces are used. 910 ''; 911 912 selectors = mkOpt 913 ( 914 types.listOf ( 915 types.submodule { 916 options = { 917 role = mkOption { 918 type = types.str; 919 description = '' 920 Selector role 921 ''; 922 }; 923 924 label = mkOpt types.str '' 925 Selector label 926 ''; 927 928 field = mkOpt types.str '' 929 Selector field 930 ''; 931 }; 932 } 933 ) 934 ) '' 935 Optional label and field selectors to limit the discovery process to a subset of available resources. 936 See https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/ 937 and https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ to learn more about the possible 938 filters that can be used. Endpoints role supports pod, service and endpoints selectors, other roles 939 only support selectors matching the role itself (e.g. node role can only contain node selectors). 940 941 Note: When making decision about using field/label selector make sure that this 942 is the best approach - it will prevent Prometheus from reusing single list/watch 943 for all scrape configs. This might result in a bigger load on the Kubernetes API, 944 because per each selector combination there will be additional LIST/WATCH. On the other hand, 945 if you just want to monitor small subset of pods in large cluster it's recommended to use selectors. 946 Decision, if selectors should be used or not depends on the particular situation. 947 ''; 948 }; 949 950 promTypes.kuma_sd_config = mkSdConfigModule { 951 server = mkOption { 952 type = types.str; 953 description = '' 954 Address of the Kuma Control Plane's MADS xDS server. 955 ''; 956 }; 957 958 refresh_interval = mkDefOpt types.str "30s" '' 959 The time to wait between polling update requests. 960 ''; 961 962 fetch_timeout = mkDefOpt types.str "2m" '' 963 The time after which the monitoring assignments are refreshed. 964 ''; 965 }; 966 967 promTypes.lightsail_sd_config = types.submodule { 968 options = { 969 region = mkOpt types.str '' 970 The AWS region. If blank, the region from the instance metadata is used. 971 ''; 972 973 endpoint = mkOpt types.str '' 974 Custom endpoint to be used. 975 ''; 976 977 access_key = mkOpt types.str '' 978 The AWS API keys. If blank, the environment variable <literal>AWS_ACCESS_KEY_ID</literal> is used. 979 ''; 980 981 secret_key = mkOpt types.str '' 982 The AWS API keys. If blank, the environment variable <literal>AWS_SECRET_ACCESS_KEY</literal> is used. 983 ''; 984 985 profile = mkOpt types.str '' 986 Named AWS profile used to connect to the API. 987 ''; 988 989 role_arn = mkOpt types.str '' 990 AWS Role ARN, an alternative to using AWS API keys. 991 ''; 992 993 refresh_interval = mkDefOpt types.str "60s" '' 994 Refresh interval to re-read the instance list. 995 ''; 996 997 port = mkDefOpt types.int "80" '' 998 The port to scrape metrics from. If using the public IP address, this must 999 instead be specified in the relabeling rule. 1000 ''; 1001 }; 1002 }; 1003 1004 promTypes.linode_sd_config = mkSdConfigModule { 1005 port = mkDefOpt types.int "80" '' 1006 The port to scrape metrics from. 1007 ''; 1008 1009 tag_separator = mkDefOpt types.str "," '' 1010 The string by which Linode Instance tags are joined into the tag label. 1011 ''; 1012 1013 refresh_interval = mkDefOpt types.str "60s" '' 1014 The time after which the linode instances are refreshed. 1015 ''; 1016 }; 1017 1018 promTypes.marathon_sd_config = mkSdConfigModule { 1019 servers = mkOption { 1020 type = types.listOf types.str; 1021 description = '' 1022 List of URLs to be used to contact Marathon servers. You need to provide at least one server URL. 1023 ''; 1024 }; 1025 1026 refresh_interval = mkDefOpt types.str "30s" '' 1027 Polling interval. 1028 ''; 1029 1030 auth_token = mkOpt types.str '' 1031 Optional authentication information for token-based authentication: 1032 <link xlink:href="https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token" /> 1033 It is mutually exclusive with <literal>auth_token_file</literal> and other authentication mechanisms. 1034 ''; 1035 1036 auth_token_file = mkOpt types.str '' 1037 Optional authentication information for token-based authentication: 1038 <link xlink:href="https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token" /> 1039 It is mutually exclusive with <literal>auth_token</literal> and other authentication mechanisms. 1040 ''; 1041 }; 1042 1043 promTypes.nerve_sd_config = types.submodule { 1044 options = { 1045 servers = mkOption { 1046 type = types.listOf types.str; 1047 description = '' 1048 The Zookeeper servers. 1049 ''; 1050 }; 1051 1052 paths = mkOption { 1053 type = types.listOf types.str; 1054 description = '' 1055 Paths can point to a single service, or the root of a tree of services. 1056 ''; 1057 }; 1058 1059 timeout = mkDefOpt types.str "10s" '' 1060 Timeout value. 1061 ''; 1062 }; 1063 }; 1064 1065 promTypes.openstack_sd_config = types.submodule { 1066 options = 1067 let 1068 userDescription = '' 1069 username is required if using Identity V2 API. Consult with your provider's 1070 control panel to discover your account's username. In Identity V3, either 1071 userid or a combination of username and domain_id or domain_name are needed. 1072 ''; 1073 1074 domainDescription = '' 1075 At most one of domain_id and domain_name must be provided if using username 1076 with Identity V3. Otherwise, either are optional. 1077 ''; 1078 1079 projectDescription = '' 1080 The project_id and project_name fields are optional for the Identity V2 API. 1081 Some providers allow you to specify a project_name instead of the project_id. 1082 Some require both. Your provider's authentication policies will determine 1083 how these fields influence authentication. 1084 ''; 1085 1086 applicationDescription = '' 1087 The application_credential_id or application_credential_name fields are 1088 required if using an application credential to authenticate. Some providers 1089 allow you to create an application credential to authenticate rather than a 1090 password. 1091 ''; 1092 in 1093 { 1094 role = mkOption { 1095 type = types.str; 1096 description = '' 1097 The OpenStack role of entities that should be discovered. 1098 ''; 1099 }; 1100 1101 region = mkOption { 1102 type = types.str; 1103 description = '' 1104 The OpenStack Region. 1105 ''; 1106 }; 1107 1108 identity_endpoint = mkOpt types.str '' 1109 identity_endpoint specifies the HTTP endpoint that is required to work with 1110 the Identity API of the appropriate version. While it's ultimately needed by 1111 all of the identity services, it will often be populated by a provider-level 1112 function. 1113 ''; 1114 1115 username = mkOpt types.str userDescription; 1116 userid = mkOpt types.str userDescription; 1117 1118 password = mkOpt types.str '' 1119 password for the Identity V2 and V3 APIs. Consult with your provider's 1120 control panel to discover your account's preferred method of authentication. 1121 ''; 1122 1123 domain_name = mkOpt types.str domainDescription; 1124 domain_id = mkOpt types.str domainDescription; 1125 1126 project_name = mkOpt types.str projectDescription; 1127 project_id = mkOpt types.str projectDescription; 1128 1129 application_credential_name = mkOpt types.str applicationDescription; 1130 application_credential_id = mkOpt types.str applicationDescription; 1131 1132 application_credential_secret = mkOpt types.str '' 1133 The application_credential_secret field is required if using an application 1134 credential to authenticate. 1135 ''; 1136 1137 all_tenants = mkDefOpt types.bool "false" '' 1138 Whether the service discovery should list all instances for all projects. 1139 It is only relevant for the 'instance' role and usually requires admin permissions. 1140 ''; 1141 1142 refresh_interval = mkDefOpt types.str "60s" '' 1143 Refresh interval to re-read the instance list. 1144 ''; 1145 1146 port = mkDefOpt types.int "80" '' 1147 The port to scrape metrics from. If using the public IP address, this must 1148 instead be specified in the relabeling rule. 1149 ''; 1150 1151 availability = mkDefOpt (types.enum [ "public" "admin" "internal" ]) "public" '' 1152 The availability of the endpoint to connect to. Must be one of public, admin or internal. 1153 ''; 1154 1155 tls_config = mkOpt promTypes.tls_config '' 1156 TLS configuration. 1157 ''; 1158 }; 1159 }; 1160 1161 promTypes.puppetdb_sd_config = mkSdConfigModule { 1162 url = mkOption { 1163 type = types.str; 1164 description = '' 1165 The URL of the PuppetDB root query endpoint. 1166 ''; 1167 }; 1168 1169 query = mkOption { 1170 type = types.str; 1171 description = '' 1172 Puppet Query Language (PQL) query. Only resources are supported. 1173 https://puppet.com/docs/puppetdb/latest/api/query/v4/pql.html 1174 ''; 1175 }; 1176 1177 include_parameters = mkDefOpt types.bool "false" '' 1178 Whether to include the parameters as meta labels. 1179 Due to the differences between parameter types and Prometheus labels, 1180 some parameters might not be rendered. The format of the parameters might 1181 also change in future releases. 1182 1183 Note: Enabling this exposes parameters in the Prometheus UI and API. Make sure 1184 that you don't have secrets exposed as parameters if you enable this. 1185 ''; 1186 1187 refresh_interval = mkDefOpt types.str "60s" '' 1188 Refresh interval to re-read the resources list. 1189 ''; 1190 1191 port = mkDefOpt types.int "80" '' 1192 The port to scrape metrics from. 1193 ''; 1194 }; 1195 1196 promTypes.scaleway_sd_config = types.submodule { 1197 options = { 1198 access_key = mkOption { 1199 type = types.str; 1200 description = '' 1201 Access key to use. https://console.scaleway.com/project/credentials 1202 ''; 1203 }; 1204 1205 secret_key = mkOpt types.str '' 1206 Secret key to use when listing targets. https://console.scaleway.com/project/credentials 1207 It is mutually exclusive with `secret_key_file`. 1208 ''; 1209 1210 secret_key_file = mkOpt types.str '' 1211 Sets the secret key with the credentials read from the configured file. 1212 It is mutually exclusive with `secret_key`. 1213 ''; 1214 1215 project_id = mkOption { 1216 type = types.str; 1217 description = '' 1218 Project ID of the targets. 1219 ''; 1220 }; 1221 1222 role = mkOption { 1223 type = types.enum [ "instance" "baremetal" ]; 1224 description = '' 1225 Role of the targets to retrieve. Must be `instance` or `baremetal`. 1226 ''; 1227 }; 1228 1229 port = mkDefOpt types.int "80" '' 1230 The port to scrape metrics from. 1231 ''; 1232 1233 api_url = mkDefOpt types.str "https://api.scaleway.com" '' 1234 API URL to use when doing the server listing requests. 1235 ''; 1236 1237 zone = mkDefOpt types.str "fr-par-1" '' 1238 Zone is the availability zone of your targets (e.g. fr-par-1). 1239 ''; 1240 1241 name_filter = mkOpt types.str '' 1242 Specify a name filter (works as a LIKE) to apply on the server listing request. 1243 ''; 1244 1245 tags_filter = mkOpt (types.listOf types.str) '' 1246 Specify a tag filter (a server needs to have all defined tags to be listed) to apply on the server listing request. 1247 ''; 1248 1249 refresh_interval = mkDefOpt types.str "60s" '' 1250 Refresh interval to re-read the managed targets list. 1251 ''; 1252 1253 proxy_url = mkOpt types.str '' 1254 Optional proxy URL. 1255 ''; 1256 1257 follow_redirects = mkDefOpt types.bool "true" '' 1258 Configure whether HTTP requests follow HTTP 3xx redirects. 1259 ''; 1260 1261 tls_config = mkOpt promTypes.tls_config '' 1262 TLS configuration. 1263 ''; 1264 }; 1265 }; 1266 1267 # These are exactly the same. 1268 promTypes.serverset_sd_config = promTypes.nerve_sd_config; 1269 1270 promTypes.triton_sd_config = types.submodule { 1271 options = { 1272 account = mkOption { 1273 type = types.str; 1274 description = '' 1275 The account to use for discovering new targets. 1276 ''; 1277 }; 1278 1279 role = mkDefOpt (types.enum [ "container" "cn" ]) "container" '' 1280 The type of targets to discover, can be set to: 1281 - "container" to discover virtual machines (SmartOS zones, lx/KVM/bhyve branded zones) running on Triton 1282 - "cn" to discover compute nodes (servers/global zones) making up the Triton infrastructure 1283 ''; 1284 1285 dns_suffix = mkOption { 1286 type = types.str; 1287 description = '' 1288 The DNS suffix which should be applied to target. 1289 ''; 1290 }; 1291 1292 endpoint = mkOption { 1293 type = types.str; 1294 description = '' 1295 The Triton discovery endpoint (e.g. <literal>cmon.us-east-3b.triton.zone</literal>). This is 1296 often the same value as dns_suffix. 1297 ''; 1298 }; 1299 1300 groups = mkOpt (types.listOf types.str) '' 1301 A list of groups for which targets are retrieved, only supported when targeting the <literal>container</literal> role. 1302 If omitted all containers owned by the requesting account are scraped. 1303 ''; 1304 1305 port = mkDefOpt types.int "9163" '' 1306 The port to use for discovery and metric scraping. 1307 ''; 1308 1309 refresh_interval = mkDefOpt types.str "60s" '' 1310 The interval which should be used for refreshing targets. 1311 ''; 1312 1313 version = mkDefOpt types.int "1" '' 1314 The Triton discovery API version. 1315 ''; 1316 1317 tls_config = mkOpt promTypes.tls_config '' 1318 TLS configuration. 1319 ''; 1320 }; 1321 }; 1322 1323 promTypes.uyuni_sd_config = mkSdConfigModule { 1324 server = mkOption { 1325 type = types.str; 1326 description = '' 1327 The URL to connect to the Uyuni server. 1328 ''; 1329 }; 1330 1331 username = mkOption { 1332 type = types.str; 1333 description = '' 1334 Credentials are used to authenticate the requests to Uyuni API. 1335 ''; 1336 }; 1337 1338 password = mkOption { 1339 type = types.str; 1340 description = '' 1341 Credentials are used to authenticate the requests to Uyuni API. 1342 ''; 1343 }; 1344 1345 entitlement = mkDefOpt types.str "monitoring_entitled" '' 1346 The entitlement string to filter eligible systems. 1347 ''; 1348 1349 separator = mkDefOpt types.str "," '' 1350 The string by which Uyuni group names are joined into the groups label 1351 ''; 1352 1353 refresh_interval = mkDefOpt types.str "60s" '' 1354 Refresh interval to re-read the managed targets list. 1355 ''; 1356 }; 1357 1358 promTypes.static_config = types.submodule { 1359 options = { 1360 targets = mkOption { 1361 type = types.listOf types.str; 1362 description = '' 1363 The targets specified by the target group. 1364 ''; 1365 }; 1366 labels = mkOption { 1367 type = types.attrsOf types.str; 1368 default = { }; 1369 description = '' 1370 Labels assigned to all metrics scraped from the targets. 1371 ''; 1372 }; 1373 }; 1374 }; 1375 1376 # 1377 # Config types: relabling 1378 # 1379 1380 promTypes.relabel_config = types.submodule { 1381 options = { 1382 source_labels = mkOpt (types.listOf types.str) '' 1383 The source labels select values from existing labels. Their content 1384 is concatenated using the configured separator and matched against 1385 the configured regular expression. 1386 ''; 1387 1388 separator = mkDefOpt types.str ";" '' 1389 Separator placed between concatenated source label values. 1390 ''; 1391 1392 target_label = mkOpt types.str '' 1393 Label to which the resulting value is written in a replace action. 1394 It is mandatory for replace actions. 1395 ''; 1396 1397 regex = mkDefOpt types.str "(.*)" '' 1398 Regular expression against which the extracted value is matched. 1399 ''; 1400 1401 modulus = mkOpt types.int '' 1402 Modulus to take of the hash of the source label values. 1403 ''; 1404 1405 replacement = mkDefOpt types.str "$1" '' 1406 Replacement value against which a regex replace is performed if the 1407 regular expression matches. 1408 ''; 1409 1410 action = 1411 mkDefOpt (types.enum [ "replace" "keep" "drop" "hashmod" "labelmap" "labeldrop" "labelkeep" ]) "replace" '' 1412 Action to perform based on regex matching. 1413 ''; 1414 }; 1415 }; 1416 1417 # 1418 # Config types : remote read / write 1419 # 1420 1421 promTypes.remote_write = types.submodule { 1422 options = { 1423 url = mkOption { 1424 type = types.str; 1425 description = '' 1426 ServerName extension to indicate the name of the server. 1427 http://tools.ietf.org/html/rfc4366#section-3.1 1428 ''; 1429 }; 1430 remote_timeout = mkOpt types.str '' 1431 Timeout for requests to the remote write endpoint. 1432 ''; 1433 write_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 1434 List of remote write relabel configurations. 1435 ''; 1436 name = mkOpt types.str '' 1437 Name of the remote write config, which if specified must be unique among remote write configs. 1438 The name will be used in metrics and logging in place of a generated value to help users distinguish between 1439 remote write configs. 1440 ''; 1441 basic_auth = mkOpt promTypes.basic_auth '' 1442 Sets the `Authorization` header on every remote write request with the 1443 configured username and password. 1444 password and password_file are mutually exclusive. 1445 ''; 1446 bearer_token = mkOpt types.str '' 1447 Sets the `Authorization` header on every remote write request with 1448 the configured bearer token. It is mutually exclusive with `bearer_token_file`. 1449 ''; 1450 bearer_token_file = mkOpt types.str '' 1451 Sets the `Authorization` header on every remote write request with the bearer token 1452 read from the configured file. It is mutually exclusive with `bearer_token`. 1453 ''; 1454 tls_config = mkOpt promTypes.tls_config '' 1455 Configures the remote write request's TLS settings. 1456 ''; 1457 proxy_url = mkOpt types.str "Optional Proxy URL."; 1458 queue_config = mkOpt 1459 (types.submodule { 1460 options = { 1461 capacity = mkOpt types.int '' 1462 Number of samples to buffer per shard before we block reading of more 1463 samples from the WAL. It is recommended to have enough capacity in each 1464 shard to buffer several requests to keep throughput up while processing 1465 occasional slow remote requests. 1466 ''; 1467 max_shards = mkOpt types.int '' 1468 Maximum number of shards, i.e. amount of concurrency. 1469 ''; 1470 min_shards = mkOpt types.int '' 1471 Minimum number of shards, i.e. amount of concurrency. 1472 ''; 1473 max_samples_per_send = mkOpt types.int '' 1474 Maximum number of samples per send. 1475 ''; 1476 batch_send_deadline = mkOpt types.str '' 1477 Maximum time a sample will wait in buffer. 1478 ''; 1479 min_backoff = mkOpt types.str '' 1480 Initial retry delay. Gets doubled for every retry. 1481 ''; 1482 max_backoff = mkOpt types.str '' 1483 Maximum retry delay. 1484 ''; 1485 }; 1486 }) '' 1487 Configures the queue used to write to remote storage. 1488 ''; 1489 metadata_config = mkOpt 1490 (types.submodule { 1491 options = { 1492 send = mkOpt types.bool '' 1493 Whether metric metadata is sent to remote storage or not. 1494 ''; 1495 send_interval = mkOpt types.str '' 1496 How frequently metric metadata is sent to remote storage. 1497 ''; 1498 }; 1499 }) '' 1500 Configures the sending of series metadata to remote storage. 1501 Metadata configuration is subject to change at any point 1502 or be removed in future releases. 1503 ''; 1504 }; 1505 }; 1506 1507 promTypes.remote_read = types.submodule { 1508 options = { 1509 url = mkOption { 1510 type = types.str; 1511 description = '' 1512 ServerName extension to indicate the name of the server. 1513 http://tools.ietf.org/html/rfc4366#section-3.1 1514 ''; 1515 }; 1516 name = mkOpt types.str '' 1517 Name of the remote read config, which if specified must be unique among remote read configs. 1518 The name will be used in metrics and logging in place of a generated value to help users distinguish between 1519 remote read configs. 1520 ''; 1521 required_matchers = mkOpt (types.attrsOf types.str) '' 1522 An optional list of equality matchers which have to be 1523 present in a selector to query the remote read endpoint. 1524 ''; 1525 remote_timeout = mkOpt types.str '' 1526 Timeout for requests to the remote read endpoint. 1527 ''; 1528 read_recent = mkOpt types.bool '' 1529 Whether reads should be made for queries for time ranges that 1530 the local storage should have complete data for. 1531 ''; 1532 basic_auth = mkOpt promTypes.basic_auth '' 1533 Sets the `Authorization` header on every remote read request with the 1534 configured username and password. 1535 password and password_file are mutually exclusive. 1536 ''; 1537 bearer_token = mkOpt types.str '' 1538 Sets the `Authorization` header on every remote read request with 1539 the configured bearer token. It is mutually exclusive with `bearer_token_file`. 1540 ''; 1541 bearer_token_file = mkOpt types.str '' 1542 Sets the `Authorization` header on every remote read request with the bearer token 1543 read from the configured file. It is mutually exclusive with `bearer_token`. 1544 ''; 1545 tls_config = mkOpt promTypes.tls_config '' 1546 Configures the remote read request's TLS settings. 1547 ''; 1548 proxy_url = mkOpt types.str "Optional Proxy URL."; 1549 }; 1550 }; 1551 1552in 1553{ 1554 1555 imports = [ 1556 (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) 1557 (mkRemovedOptionModule [ "services" "prometheus" "environmentFile" ] 1558 "It has been removed since it was causing issues (https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`.") 1559 ]; 1560 1561 options.services.prometheus = { 1562 1563 enable = mkOption { 1564 type = types.bool; 1565 default = false; 1566 description = '' 1567 Enable the Prometheus monitoring daemon. 1568 ''; 1569 }; 1570 1571 package = mkOption { 1572 type = types.package; 1573 default = pkgs.prometheus; 1574 defaultText = literalExpression "pkgs.prometheus"; 1575 description = '' 1576 The prometheus package that should be used. 1577 ''; 1578 }; 1579 1580 port = mkOption { 1581 type = types.port; 1582 default = 9090; 1583 description = '' 1584 Port to listen on. 1585 ''; 1586 }; 1587 1588 listenAddress = mkOption { 1589 type = types.str; 1590 default = "0.0.0.0"; 1591 description = '' 1592 Address to listen on for the web interface, API, and telemetry. 1593 ''; 1594 }; 1595 1596 stateDir = mkOption { 1597 type = types.str; 1598 default = "prometheus2"; 1599 description = '' 1600 Directory below <literal>/var/lib</literal> to store Prometheus metrics data. 1601 This directory will be created automatically using systemd's StateDirectory mechanism. 1602 ''; 1603 }; 1604 1605 extraFlags = mkOption { 1606 type = types.listOf types.str; 1607 default = [ ]; 1608 description = '' 1609 Extra commandline options when launching Prometheus. 1610 ''; 1611 }; 1612 1613 enableReload = mkOption { 1614 default = false; 1615 type = types.bool; 1616 description = '' 1617 Reload prometheus when configuration file changes (instead of restart). 1618 1619 The following property holds: switching to a configuration 1620 (<literal>switch-to-configuration</literal>) that changes the prometheus 1621 configuration only finishes successully when prometheus has finished 1622 loading the new configuration. 1623 ''; 1624 }; 1625 1626 configText = mkOption { 1627 type = types.nullOr types.lines; 1628 default = null; 1629 description = '' 1630 If non-null, this option defines the text that is written to 1631 prometheus.yml. If null, the contents of prometheus.yml is generated 1632 from the structured config options. 1633 ''; 1634 }; 1635 1636 globalConfig = mkOption { 1637 type = promTypes.globalConfig; 1638 default = { }; 1639 description = '' 1640 Parameters that are valid in all configuration contexts. They 1641 also serve as defaults for other configuration sections 1642 ''; 1643 }; 1644 1645 remoteRead = mkOption { 1646 type = types.listOf promTypes.remote_read; 1647 default = [ ]; 1648 description = '' 1649 Parameters of the endpoints to query from. 1650 See <link xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read">the official documentation</link> for more information. 1651 ''; 1652 }; 1653 1654 remoteWrite = mkOption { 1655 type = types.listOf promTypes.remote_write; 1656 default = [ ]; 1657 description = '' 1658 Parameters of the endpoints to send samples to. 1659 See <link xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write">the official documentation</link> for more information. 1660 ''; 1661 }; 1662 1663 rules = mkOption { 1664 type = types.listOf types.str; 1665 default = [ ]; 1666 description = '' 1667 Alerting and/or Recording rules to evaluate at runtime. 1668 ''; 1669 }; 1670 1671 ruleFiles = mkOption { 1672 type = types.listOf types.path; 1673 default = [ ]; 1674 description = '' 1675 Any additional rules files to include in this configuration. 1676 ''; 1677 }; 1678 1679 scrapeConfigs = mkOption { 1680 type = types.listOf promTypes.scrape_config; 1681 default = [ ]; 1682 description = '' 1683 A list of scrape configurations. 1684 ''; 1685 }; 1686 1687 alertmanagers = mkOption { 1688 type = types.listOf types.attrs; 1689 example = literalExpression '' 1690 [ { 1691 scheme = "https"; 1692 path_prefix = "/alertmanager"; 1693 static_configs = [ { 1694 targets = [ 1695 "prometheus.domain.tld" 1696 ]; 1697 } ]; 1698 } ] 1699 ''; 1700 default = [ ]; 1701 description = '' 1702 A list of alertmanagers to send alerts to. 1703 See <link xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config">the official documentation</link> for more information. 1704 ''; 1705 }; 1706 1707 alertmanagerNotificationQueueCapacity = mkOption { 1708 type = types.int; 1709 default = 10000; 1710 description = '' 1711 The capacity of the queue for pending alert manager notifications. 1712 ''; 1713 }; 1714 1715 alertmanagerTimeout = mkOption { 1716 type = types.int; 1717 default = 10; 1718 description = '' 1719 Alert manager HTTP API timeout (in seconds). 1720 ''; 1721 }; 1722 1723 webExternalUrl = mkOption { 1724 type = types.nullOr types.str; 1725 default = null; 1726 example = "https://example.com/"; 1727 description = '' 1728 The URL under which Prometheus is externally reachable (for example, 1729 if Prometheus is served via a reverse proxy). 1730 ''; 1731 }; 1732 1733 checkConfig = mkOption { 1734 type = types.bool; 1735 default = true; 1736 description = '' 1737 Check configuration with <literal>promtool 1738 check</literal>. The call to <literal>promtool</literal> is 1739 subject to sandboxing by Nix. When credentials are stored in 1740 external files (<literal>password_file</literal>, 1741 <literal>bearer_token_file</literal>, etc), they will not be 1742 visible to <literal>promtool</literal> and it will report 1743 errors, despite a correct configuration. 1744 ''; 1745 }; 1746 1747 retentionTime = mkOption { 1748 type = types.nullOr types.str; 1749 default = null; 1750 example = "15d"; 1751 description = '' 1752 How long to retain samples in storage. 1753 ''; 1754 }; 1755 }; 1756 1757 config = mkIf cfg.enable { 1758 assertions = [ 1759 ( 1760 let 1761 # Match something with dots (an IPv4 address) or something ending in 1762 # a square bracket (an IPv6 addresses) followed by a port number. 1763 legacy = builtins.match "(.*\\..*|.*]):([[:digit:]]+)" cfg.listenAddress; 1764 in 1765 { 1766 assertion = legacy == null; 1767 message = '' 1768 Do not specify the port for Prometheus to listen on in the 1769 listenAddress option; use the port option instead: 1770 services.prometheus.listenAddress = ${builtins.elemAt legacy 0}; 1771 services.prometheus.port = ${builtins.elemAt legacy 1}; 1772 ''; 1773 } 1774 ) 1775 ]; 1776 1777 users.groups.prometheus.gid = config.ids.gids.prometheus; 1778 users.users.prometheus = { 1779 description = "Prometheus daemon user"; 1780 uid = config.ids.uids.prometheus; 1781 group = "prometheus"; 1782 }; 1783 environment.etc."prometheus/prometheus.yaml" = mkIf cfg.enableReload { 1784 source = prometheusYml; 1785 }; 1786 systemd.services.prometheus = { 1787 wantedBy = [ "multi-user.target" ]; 1788 after = [ "network.target" ]; 1789 serviceConfig = { 1790 ExecStart = "${cfg.package}/bin/prometheus" + 1791 optionalString (length cmdlineArgs != 0) (" \\\n " + 1792 concatStringsSep " \\\n " cmdlineArgs); 1793 ExecReload = mkIf cfg.enableReload "+${reload}/bin/reload-prometheus"; 1794 User = "prometheus"; 1795 Restart = "always"; 1796 RuntimeDirectory = "prometheus"; 1797 RuntimeDirectoryMode = "0700"; 1798 WorkingDirectory = workingDir; 1799 StateDirectory = cfg.stateDir; 1800 StateDirectoryMode = "0700"; 1801 }; 1802 }; 1803 # prometheus-config-reload will activate after prometheus. However, what we 1804 # don't want is that on startup it immediately reloads prometheus because 1805 # prometheus itself might have just started. 1806 # 1807 # Instead we only want to reload prometheus when the config file has 1808 # changed. So on startup prometheus-config-reload will just output a 1809 # harmless message and then stay active (RemainAfterExit). 1810 # 1811 # Then, when the config file has changed, switch-to-configuration notices 1812 # that this service has changed (restartTriggers) and needs to be reloaded 1813 # (reloadIfChanged). The reload command then reloads prometheus. 1814 systemd.services.prometheus-config-reload = mkIf cfg.enableReload { 1815 wantedBy = [ "prometheus.service" ]; 1816 after = [ "prometheus.service" ]; 1817 reloadIfChanged = true; 1818 restartTriggers = [ prometheusYml ]; 1819 serviceConfig = { 1820 Type = "oneshot"; 1821 RemainAfterExit = true; 1822 TimeoutSec = 60; 1823 ExecStart = "${pkgs.logger}/bin/logger 'prometheus-config-reload will only reload prometheus when reloaded itself.'"; 1824 ExecReload = [ "${triggerReload}/bin/trigger-reload-prometheus" ]; 1825 }; 1826 }; 1827 }; 1828}