pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / monitoring / prometheus / default.nix
at 23.05-pre 61 kB view raw
1{ config, pkgs, lib, ... }: 2 3with lib; 4 5let 6 json = pkgs.formats.json { }; 7 cfg = config.services.prometheus; 8 checkConfigEnabled = 9 (lib.isBool cfg.checkConfig && cfg.checkConfig) 10 || cfg.checkConfig == "syntax-only"; 11 12 workingDir = "/var/lib/" + cfg.stateDir; 13 14 prometheusYmlOut = "${workingDir}/prometheus-substituted.yaml"; 15 16 triggerReload = pkgs.writeShellScriptBin "trigger-reload-prometheus" '' 17 PATH="${makeBinPath (with pkgs; [ systemd ])}" 18 if systemctl -q is-active prometheus.service; then 19 systemctl reload prometheus.service 20 fi 21 ''; 22 23 reload = pkgs.writeShellScriptBin "reload-prometheus" '' 24 PATH="${makeBinPath (with pkgs; [ systemd coreutils gnugrep ])}" 25 cursor=$(journalctl --show-cursor -n0 | grep -oP "cursor: \K.*") 26 kill -HUP $MAINPID 27 journalctl -u prometheus.service --after-cursor="$cursor" -f \ 28 | grep -m 1 "Completed loading of configuration file" > /dev/null 29 ''; 30 31 # a wrapper that verifies that the configuration is valid 32 promtoolCheck = what: name: file: 33 if checkConfigEnabled then 34 pkgs.runCommandLocal 35 "${name}-${replaceStrings [" "] [""] what}-checked" 36 { buildInputs = [ cfg.package ]; } '' 37 ln -s ${file} $out 38 promtool ${what} $out 39 '' else file; 40 41 generatedPrometheusYml = json.generate "prometheus.yml" promConfig; 42 43 # This becomes the main config file for Prometheus 44 promConfig = { 45 global = filterValidPrometheus cfg.globalConfig; 46 rule_files = map (promtoolCheck "check rules" "rules") (cfg.ruleFiles ++ [ 47 (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg.rules)) 48 ]); 49 scrape_configs = filterValidPrometheus cfg.scrapeConfigs; 50 remote_write = filterValidPrometheus cfg.remoteWrite; 51 remote_read = filterValidPrometheus cfg.remoteRead; 52 alerting = { 53 inherit (cfg) alertmanagers; 54 }; 55 }; 56 57 prometheusYml = 58 let 59 yml = 60 if cfg.configText != null then 61 pkgs.writeText "prometheus.yml" cfg.configText 62 else generatedPrometheusYml; 63 in 64 promtoolCheck "check config ${lib.optionalString (cfg.checkConfig == "syntax-only") "--syntax-only"}" "prometheus.yml" yml; 65 66 cmdlineArgs = cfg.extraFlags ++ [ 67 "--storage.tsdb.path=${workingDir}/data/" 68 "--config.file=${ 69 if cfg.enableReload 70 then "/etc/prometheus/prometheus.yaml" 71 else prometheusYml 72 }" 73 "--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}" 74 "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" 75 ] ++ optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}" 76 ++ optional (cfg.retentionTime != null) "--storage.tsdb.retention.time=${cfg.retentionTime}"; 77 78 filterValidPrometheus = filterAttrsListRecursive (n: v: !(n == "_module" || v == null)); 79 filterAttrsListRecursive = pred: x: 80 if isAttrs x then 81 listToAttrs 82 ( 83 concatMap 84 (name: 85 let v = x.${name}; in 86 if pred name v then [ 87 (nameValuePair name (filterAttrsListRecursive pred v)) 88 ] else [ ] 89 ) 90 (attrNames x) 91 ) 92 else if isList x then 93 map (filterAttrsListRecursive pred) x 94 else x; 95 96 # 97 # Config types: helper functions 98 # 99 100 mkDefOpt = type: defaultStr: description: mkOpt type (description + '' 101 102 Defaults to ````${defaultStr}```` in prometheus 103 when set to `null`. 104 ''); 105 106 mkOpt = type: description: mkOption { 107 type = types.nullOr type; 108 default = null; 109 description = lib.mdDoc description; 110 }; 111 112 mkSdConfigModule = extraOptions: types.submodule { 113 options = { 114 basic_auth = mkOpt promTypes.basic_auth '' 115 Optional HTTP basic authentication information. 116 ''; 117 118 authorization = mkOpt 119 (types.submodule { 120 options = { 121 type = mkDefOpt types.str "Bearer" '' 122 Sets the authentication type. 123 ''; 124 125 credentials = mkOpt types.str '' 126 Sets the credentials. It is mutually exclusive with `credentials_file`. 127 ''; 128 129 credentials_file = mkOpt types.str '' 130 Sets the credentials to the credentials read from the configured file. 131 It is mutually exclusive with `credentials`. 132 ''; 133 }; 134 }) '' 135 Optional `Authorization` header configuration. 136 ''; 137 138 oauth2 = mkOpt promtypes.oauth2 '' 139 Optional OAuth 2.0 configuration. 140 Cannot be used at the same time as basic_auth or authorization. 141 ''; 142 143 proxy_url = mkOpt types.str '' 144 Optional proxy URL. 145 ''; 146 147 follow_redirects = mkDefOpt types.bool "true" '' 148 Configure whether HTTP requests follow HTTP 3xx redirects. 149 ''; 150 151 tls_config = mkOpt promTypes.tls_config '' 152 TLS configuration. 153 ''; 154 } // extraOptions; 155 }; 156 157 # 158 # Config types: general 159 # 160 161 promTypes.globalConfig = types.submodule { 162 options = { 163 scrape_interval = mkDefOpt types.str "1m" '' 164 How frequently to scrape targets by default. 165 ''; 166 167 scrape_timeout = mkDefOpt types.str "10s" '' 168 How long until a scrape request times out. 169 ''; 170 171 evaluation_interval = mkDefOpt types.str "1m" '' 172 How frequently to evaluate rules by default. 173 ''; 174 175 external_labels = mkOpt (types.attrsOf types.str) '' 176 The labels to add to any time series or alerts when 177 communicating with external systems (federation, remote 178 storage, Alertmanager). 179 ''; 180 }; 181 }; 182 183 promTypes.basic_auth = types.submodule { 184 options = { 185 username = mkOption { 186 type = types.str; 187 description = lib.mdDoc '' 188 HTTP username 189 ''; 190 }; 191 password = mkOpt types.str "HTTP password"; 192 password_file = mkOpt types.str "HTTP password file"; 193 }; 194 }; 195 196 promTypes.tls_config = types.submodule { 197 options = { 198 ca_file = mkOpt types.str '' 199 CA certificate to validate API server certificate with. 200 ''; 201 202 cert_file = mkOpt types.str '' 203 Certificate file for client cert authentication to the server. 204 ''; 205 206 key_file = mkOpt types.str '' 207 Key file for client cert authentication to the server. 208 ''; 209 210 server_name = mkOpt types.str '' 211 ServerName extension to indicate the name of the server. 212 http://tools.ietf.org/html/rfc4366#section-3.1 213 ''; 214 215 insecure_skip_verify = mkOpt types.bool '' 216 Disable validation of the server certificate. 217 ''; 218 }; 219 }; 220 221 promtypes.oauth2 = types.submodule { 222 options = { 223 client_id = mkOpt types.str '' 224 OAuth client ID. 225 ''; 226 227 client_secret = mkOpt types.str '' 228 OAuth client secret. 229 ''; 230 231 client_secret_file = mkOpt types.str '' 232 Read the client secret from a file. It is mutually exclusive with `client_secret`. 233 ''; 234 235 scopes = mkOpt (types.listOf types.str) '' 236 Scopes for the token request. 237 ''; 238 239 token_url = mkOpt types.str '' 240 The URL to fetch the token from. 241 ''; 242 243 endpoint_params = mkOpt (types.attrsOf types.str) '' 244 Optional parameters to append to the token URL. 245 ''; 246 }; 247 }; 248 249 promTypes.scrape_config = types.submodule { 250 options = { 251 authorization = mkOption { 252 type = types.nullOr types.attrs; 253 default = null; 254 description = lib.mdDoc '' 255 Sets the `Authorization` header on every scrape request with the configured credentials. 256 ''; 257 }; 258 job_name = mkOption { 259 type = types.str; 260 description = lib.mdDoc '' 261 The job name assigned to scraped metrics by default. 262 ''; 263 }; 264 scrape_interval = mkOpt types.str '' 265 How frequently to scrape targets from this job. Defaults to the 266 globally configured default. 267 ''; 268 269 scrape_timeout = mkOpt types.str '' 270 Per-target timeout when scraping this job. Defaults to the 271 globally configured default. 272 ''; 273 274 metrics_path = mkDefOpt types.str "/metrics" '' 275 The HTTP resource path on which to fetch metrics from targets. 276 ''; 277 278 honor_labels = mkDefOpt types.bool "false" '' 279 Controls how Prometheus handles conflicts between labels 280 that are already present in scraped data and labels that 281 Prometheus would attach server-side ("job" and "instance" 282 labels, manually configured target labels, and labels 283 generated by service discovery implementations). 284 285 If honor_labels is set to "true", label conflicts are 286 resolved by keeping label values from the scraped data and 287 ignoring the conflicting server-side labels. 288 289 If honor_labels is set to "false", label conflicts are 290 resolved by renaming conflicting labels in the scraped data 291 to "exported_\<original-label\>" (for example 292 "exported_instance", "exported_job") and then attaching 293 server-side labels. This is useful for use cases such as 294 federation, where all labels specified in the target should 295 be preserved. 296 ''; 297 298 honor_timestamps = mkDefOpt types.bool "true" '' 299 honor_timestamps controls whether Prometheus respects the timestamps present 300 in scraped data. 301 302 If honor_timestamps is set to `true`, the timestamps of the metrics exposed 303 by the target will be used. 304 305 If honor_timestamps is set to `false`, the timestamps of the metrics exposed 306 by the target will be ignored. 307 ''; 308 309 scheme = mkDefOpt (types.enum [ "http" "https" ]) "http" '' 310 The URL scheme with which to fetch metrics from targets. 311 ''; 312 313 params = mkOpt (types.attrsOf (types.listOf types.str)) '' 314 Optional HTTP URL parameters. 315 ''; 316 317 basic_auth = mkOpt promTypes.basic_auth '' 318 Sets the `Authorization` header on every scrape request with the 319 configured username and password. 320 password and password_file are mutually exclusive. 321 ''; 322 323 bearer_token = mkOpt types.str '' 324 Sets the `Authorization` header on every scrape request with 325 the configured bearer token. It is mutually exclusive with 326 {option}`bearer_token_file`. 327 ''; 328 329 bearer_token_file = mkOpt types.str '' 330 Sets the `Authorization` header on every scrape request with 331 the bearer token read from the configured file. It is mutually 332 exclusive with {option}`bearer_token`. 333 ''; 334 335 tls_config = mkOpt promTypes.tls_config '' 336 Configures the scrape request's TLS settings. 337 ''; 338 339 proxy_url = mkOpt types.str '' 340 Optional proxy URL. 341 ''; 342 343 azure_sd_configs = mkOpt (types.listOf promTypes.azure_sd_config) '' 344 List of Azure service discovery configurations. 345 ''; 346 347 consul_sd_configs = mkOpt (types.listOf promTypes.consul_sd_config) '' 348 List of Consul service discovery configurations. 349 ''; 350 351 digitalocean_sd_configs = mkOpt (types.listOf promTypes.digitalocean_sd_config) '' 352 List of DigitalOcean service discovery configurations. 353 ''; 354 355 docker_sd_configs = mkOpt (types.listOf promTypes.docker_sd_config) '' 356 List of Docker service discovery configurations. 357 ''; 358 359 dockerswarm_sd_configs = mkOpt (types.listOf promTypes.dockerswarm_sd_config) '' 360 List of Docker Swarm service discovery configurations. 361 ''; 362 363 dns_sd_configs = mkOpt (types.listOf promTypes.dns_sd_config) '' 364 List of DNS service discovery configurations. 365 ''; 366 367 ec2_sd_configs = mkOpt (types.listOf promTypes.ec2_sd_config) '' 368 List of EC2 service discovery configurations. 369 ''; 370 371 eureka_sd_configs = mkOpt (types.listOf promTypes.eureka_sd_config) '' 372 List of Eureka service discovery configurations. 373 ''; 374 375 file_sd_configs = mkOpt (types.listOf promTypes.file_sd_config) '' 376 List of file service discovery configurations. 377 ''; 378 379 gce_sd_configs = mkOpt (types.listOf promTypes.gce_sd_config) '' 380 List of Google Compute Engine service discovery configurations. 381 382 See [the relevant Prometheus configuration docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config) 383 for more detail. 384 ''; 385 386 hetzner_sd_configs = mkOpt (types.listOf promTypes.hetzner_sd_config) '' 387 List of Hetzner service discovery configurations. 388 ''; 389 390 http_sd_configs = mkOpt (types.listOf promTypes.http_sd_config) '' 391 List of HTTP service discovery configurations. 392 ''; 393 394 kubernetes_sd_configs = mkOpt (types.listOf promTypes.kubernetes_sd_config) '' 395 List of Kubernetes service discovery configurations. 396 ''; 397 398 kuma_sd_configs = mkOpt (types.listOf promTypes.kuma_sd_config) '' 399 List of Kuma service discovery configurations. 400 ''; 401 402 lightsail_sd_configs = mkOpt (types.listOf promTypes.lightsail_sd_config) '' 403 List of Lightsail service discovery configurations. 404 ''; 405 406 linode_sd_configs = mkOpt (types.listOf promTypes.linode_sd_config) '' 407 List of Linode service discovery configurations. 408 ''; 409 410 marathon_sd_configs = mkOpt (types.listOf promTypes.marathon_sd_config) '' 411 List of Marathon service discovery configurations. 412 ''; 413 414 nerve_sd_configs = mkOpt (types.listOf promTypes.nerve_sd_config) '' 415 List of AirBnB's Nerve service discovery configurations. 416 ''; 417 418 openstack_sd_configs = mkOpt (types.listOf promTypes.openstack_sd_config) '' 419 List of OpenStack service discovery configurations. 420 ''; 421 422 puppetdb_sd_configs = mkOpt (types.listOf promTypes.puppetdb_sd_config) '' 423 List of PuppetDB service discovery configurations. 424 ''; 425 426 scaleway_sd_configs = mkOpt (types.listOf promTypes.scaleway_sd_config) '' 427 List of Scaleway service discovery configurations. 428 ''; 429 430 serverset_sd_configs = mkOpt (types.listOf promTypes.serverset_sd_config) '' 431 List of Zookeeper Serverset service discovery configurations. 432 ''; 433 434 triton_sd_configs = mkOpt (types.listOf promTypes.triton_sd_config) '' 435 List of Triton Serverset service discovery configurations. 436 ''; 437 438 uyuni_sd_configs = mkOpt (types.listOf promTypes.uyuni_sd_config) '' 439 List of Uyuni Serverset service discovery configurations. 440 ''; 441 442 static_configs = mkOpt (types.listOf promTypes.static_config) '' 443 List of labeled target groups for this job. 444 ''; 445 446 relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 447 List of relabel configurations. 448 ''; 449 450 metric_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 451 List of metric relabel configurations. 452 ''; 453 454 body_size_limit = mkDefOpt types.str "0" '' 455 An uncompressed response body larger than this many bytes will cause the 456 scrape to fail. 0 means no limit. Example: 100MB. 457 This is an experimental feature, this behaviour could 458 change or be removed in the future. 459 ''; 460 461 sample_limit = mkDefOpt types.int "0" '' 462 Per-scrape limit on number of scraped samples that will be accepted. 463 If more than this number of samples are present after metric relabelling 464 the entire scrape will be treated as failed. 0 means no limit. 465 ''; 466 467 label_limit = mkDefOpt types.int "0" '' 468 Per-scrape limit on number of labels that will be accepted for a sample. If 469 more than this number of labels are present post metric-relabeling, the 470 entire scrape will be treated as failed. 0 means no limit. 471 ''; 472 473 label_name_length_limit = mkDefOpt types.int "0" '' 474 Per-scrape limit on length of labels name that will be accepted for a sample. 475 If a label name is longer than this number post metric-relabeling, the entire 476 scrape will be treated as failed. 0 means no limit. 477 ''; 478 479 label_value_length_limit = mkDefOpt types.int "0" '' 480 Per-scrape limit on length of labels value that will be accepted for a sample. 481 If a label value is longer than this number post metric-relabeling, the 482 entire scrape will be treated as failed. 0 means no limit. 483 ''; 484 485 target_limit = mkDefOpt types.int "0" '' 486 Per-scrape config limit on number of unique targets that will be 487 accepted. If more than this number of targets are present after target 488 relabeling, Prometheus will mark the targets as failed without scraping them. 489 0 means no limit. This is an experimental feature, this behaviour could 490 change in the future. 491 ''; 492 }; 493 }; 494 495 # 496 # Config types: service discovery 497 # 498 499 # For this one, the docs actually define all types needed to use mkSdConfigModule, but a bunch 500 # of them are marked with 'currently not support by Azure' so we don't bother adding them in 501 # here. 502 promTypes.azure_sd_config = types.submodule { 503 options = { 504 environment = mkDefOpt types.str "AzurePublicCloud" '' 505 The Azure environment. 506 ''; 507 508 authentication_method = mkDefOpt (types.enum [ "OAuth" "ManagedIdentity" ]) "OAuth" '' 509 The authentication method, either OAuth or ManagedIdentity. 510 See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview 511 ''; 512 513 subscription_id = mkOption { 514 type = types.str; 515 description = lib.mdDoc '' 516 The subscription ID. 517 ''; 518 }; 519 520 tenant_id = mkOpt types.str '' 521 Optional tenant ID. Only required with authentication_method OAuth. 522 ''; 523 524 client_id = mkOpt types.str '' 525 Optional client ID. Only required with authentication_method OAuth. 526 ''; 527 528 client_secret = mkOpt types.str '' 529 Optional client secret. Only required with authentication_method OAuth. 530 ''; 531 532 refresh_interval = mkDefOpt types.str "300s" '' 533 Refresh interval to re-read the instance list. 534 ''; 535 536 port = mkDefOpt types.int "80" '' 537 The port to scrape metrics from. If using the public IP 538 address, this must instead be specified in the relabeling 539 rule. 540 ''; 541 542 proxy_url = mkOpt types.str '' 543 Optional proxy URL. 544 ''; 545 546 follow_redirects = mkDefOpt types.bool "true" '' 547 Configure whether HTTP requests follow HTTP 3xx redirects. 548 ''; 549 550 tls_config = mkOpt promTypes.tls_config '' 551 TLS configuration. 552 ''; 553 }; 554 }; 555 556 promTypes.consul_sd_config = mkSdConfigModule { 557 server = mkDefOpt types.str "localhost:8500" '' 558 Consul server to query. 559 ''; 560 561 token = mkOpt types.str "Consul token"; 562 563 datacenter = mkOpt types.str "Consul datacenter"; 564 565 scheme = mkDefOpt types.str "http" "Consul scheme"; 566 567 username = mkOpt types.str "Consul username"; 568 569 password = mkOpt types.str "Consul password"; 570 571 tls_config = mkOpt promTypes.tls_config '' 572 Configures the Consul request's TLS settings. 573 ''; 574 575 services = mkOpt (types.listOf types.str) '' 576 A list of services for which targets are retrieved. 577 ''; 578 579 tags = mkOpt (types.listOf types.str) '' 580 An optional list of tags used to filter nodes for a given 581 service. Services must contain all tags in the list. 582 ''; 583 584 node_meta = mkOpt (types.attrsOf types.str) '' 585 Node metadata used to filter nodes for a given service. 586 ''; 587 588 tag_separator = mkDefOpt types.str "," '' 589 The string by which Consul tags are joined into the tag label. 590 ''; 591 592 allow_stale = mkOpt types.bool '' 593 Allow stale Consul results 594 (see <https://www.consul.io/api/index.html#consistency-modes>). 595 596 Will reduce load on Consul. 597 ''; 598 599 refresh_interval = mkDefOpt types.str "30s" '' 600 The time after which the provided names are refreshed. 601 602 On large setup it might be a good idea to increase this value 603 because the catalog will change all the time. 604 ''; 605 }; 606 607 promTypes.digitalocean_sd_config = mkSdConfigModule { 608 port = mkDefOpt types.int "80" '' 609 The port to scrape metrics from. 610 ''; 611 612 refresh_interval = mkDefOpt types.str "60s" '' 613 The time after which the droplets are refreshed. 614 ''; 615 }; 616 617 mkDockerSdConfigModule = extraOptions: mkSdConfigModule ({ 618 host = mkOption { 619 type = types.str; 620 description = lib.mdDoc '' 621 Address of the Docker daemon. 622 ''; 623 }; 624 625 port = mkDefOpt types.int "80" '' 626 The port to scrape metrics from, when `role` is nodes, and for discovered 627 tasks and services that don't have published ports. 628 ''; 629 630 filters = mkOpt 631 (types.listOf (types.submodule { 632 options = { 633 name = mkOption { 634 type = types.str; 635 description = lib.mdDoc '' 636 Name of the filter. The available filters are listed in the upstream documentation: 637 Services: <https://docs.docker.com/engine/api/v1.40/#operation/ServiceList> 638 Tasks: <https://docs.docker.com/engine/api/v1.40/#operation/TaskList> 639 Nodes: <https://docs.docker.com/engine/api/v1.40/#operation/NodeList> 640 ''; 641 }; 642 values = mkOption { 643 type = types.str; 644 description = lib.mdDoc '' 645 Value for the filter. 646 ''; 647 }; 648 }; 649 })) '' 650 Optional filters to limit the discovery process to a subset of available resources. 651 ''; 652 653 refresh_interval = mkDefOpt types.str "60s" '' 654 The time after which the containers are refreshed. 655 ''; 656 } // extraOptions); 657 658 promTypes.docker_sd_config = mkDockerSdConfigModule { 659 host_networking_host = mkDefOpt types.str "localhost" '' 660 The host to use if the container is in host networking mode. 661 ''; 662 }; 663 664 promTypes.dockerswarm_sd_config = mkDockerSdConfigModule { 665 role = mkOption { 666 type = types.enum [ "services" "tasks" "nodes" ]; 667 description = lib.mdDoc '' 668 Role of the targets to retrieve. Must be `services`, `tasks`, or `nodes`. 669 ''; 670 }; 671 }; 672 673 promTypes.dns_sd_config = types.submodule { 674 options = { 675 names = mkOption { 676 type = types.listOf types.str; 677 description = lib.mdDoc '' 678 A list of DNS SRV record names to be queried. 679 ''; 680 }; 681 682 type = mkDefOpt (types.enum [ "SRV" "A" "AAAA" ]) "SRV" '' 683 The type of DNS query to perform. One of SRV, A, or AAAA. 684 ''; 685 686 port = mkOpt types.int '' 687 The port number used if the query type is not SRV. 688 ''; 689 690 refresh_interval = mkDefOpt types.str "30s" '' 691 The time after which the provided names are refreshed. 692 ''; 693 }; 694 }; 695 696 promTypes.ec2_sd_config = types.submodule { 697 options = { 698 region = mkOption { 699 type = types.str; 700 description = lib.mdDoc '' 701 The AWS Region. If blank, the region from the instance metadata is used. 702 ''; 703 }; 704 endpoint = mkOpt types.str '' 705 Custom endpoint to be used. 706 ''; 707 708 access_key = mkOpt types.str '' 709 The AWS API key id. If blank, the environment variable 710 `AWS_ACCESS_KEY_ID` is used. 711 ''; 712 713 secret_key = mkOpt types.str '' 714 The AWS API key secret. If blank, the environment variable 715 `AWS_SECRET_ACCESS_KEY` is used. 716 ''; 717 718 profile = mkOpt types.str '' 719 Named AWS profile used to connect to the API. 720 ''; 721 722 role_arn = mkOpt types.str '' 723 AWS Role ARN, an alternative to using AWS API keys. 724 ''; 725 726 refresh_interval = mkDefOpt types.str "60s" '' 727 Refresh interval to re-read the instance list. 728 ''; 729 730 port = mkDefOpt types.int "80" '' 731 The port to scrape metrics from. If using the public IP 732 address, this must instead be specified in the relabeling 733 rule. 734 ''; 735 736 filters = mkOpt 737 (types.listOf (types.submodule { 738 options = { 739 name = mkOption { 740 type = types.str; 741 description = lib.mdDoc '' 742 See [this list](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html) 743 for the available filters. 744 ''; 745 }; 746 747 values = mkOption { 748 type = types.listOf types.str; 749 default = [ ]; 750 description = lib.mdDoc '' 751 Value of the filter. 752 ''; 753 }; 754 }; 755 })) '' 756 Filters can be used optionally to filter the instance list by other criteria. 757 ''; 758 }; 759 }; 760 761 promTypes.eureka_sd_config = mkSdConfigModule { 762 server = mkOption { 763 type = types.str; 764 description = lib.mdDoc '' 765 The URL to connect to the Eureka server. 766 ''; 767 }; 768 }; 769 770 promTypes.file_sd_config = types.submodule { 771 options = { 772 files = mkOption { 773 type = types.listOf types.str; 774 description = lib.mdDoc '' 775 Patterns for files from which target groups are extracted. Refer 776 to the Prometheus documentation for permitted filename patterns 777 and formats. 778 ''; 779 }; 780 781 refresh_interval = mkDefOpt types.str "5m" '' 782 Refresh interval to re-read the files. 783 ''; 784 }; 785 }; 786 787 promTypes.gce_sd_config = types.submodule { 788 options = { 789 # Use `mkOption` instead of `mkOpt` for project and zone because they are 790 # required configuration values for `gce_sd_config`. 791 project = mkOption { 792 type = types.str; 793 description = lib.mdDoc '' 794 The GCP Project. 795 ''; 796 }; 797 798 zone = mkOption { 799 type = types.str; 800 description = lib.mdDoc '' 801 The zone of the scrape targets. If you need multiple zones use multiple 802 gce_sd_configs. 803 ''; 804 }; 805 806 filter = mkOpt types.str '' 807 Filter can be used optionally to filter the instance list by other 808 criteria Syntax of this filter string is described here in the filter 809 query parameter section: <https://cloud.google.com/compute/docs/reference/latest/instances/list>. 810 ''; 811 812 refresh_interval = mkDefOpt types.str "60s" '' 813 Refresh interval to re-read the cloud instance list. 814 ''; 815 816 port = mkDefOpt types.port "80" '' 817 The port to scrape metrics from. If using the public IP address, this 818 must instead be specified in the relabeling rule. 819 ''; 820 821 tag_separator = mkDefOpt types.str "," '' 822 The tag separator used to separate concatenated GCE instance network tags. 823 824 See the GCP documentation on network tags for more information: 825 <https://cloud.google.com/vpc/docs/add-remove-network-tags> 826 ''; 827 }; 828 }; 829 830 promTypes.hetzner_sd_config = mkSdConfigModule { 831 role = mkOption { 832 type = types.enum [ "robot" "hcloud" ]; 833 description = lib.mdDoc '' 834 The Hetzner role of entities that should be discovered. 835 One of `robot` or `hcloud`. 836 ''; 837 }; 838 839 port = mkDefOpt types.int "80" '' 840 The port to scrape metrics from. 841 ''; 842 843 refresh_interval = mkDefOpt types.str "60s" '' 844 The time after which the servers are refreshed. 845 ''; 846 }; 847 848 promTypes.http_sd_config = types.submodule { 849 options = { 850 url = mkOption { 851 type = types.str; 852 description = lib.mdDoc '' 853 URL from which the targets are fetched. 854 ''; 855 }; 856 857 refresh_interval = mkDefOpt types.str "60s" '' 858 Refresh interval to re-query the endpoint. 859 ''; 860 861 basic_auth = mkOpt promTypes.basic_auth '' 862 Authentication information used to authenticate to the API server. 863 password and password_file are mutually exclusive. 864 ''; 865 866 proxy_url = mkOpt types.str '' 867 Optional proxy URL. 868 ''; 869 870 follow_redirects = mkDefOpt types.bool "true" '' 871 Configure whether HTTP requests follow HTTP 3xx redirects. 872 ''; 873 874 tls_config = mkOpt promTypes.tls_config '' 875 Configures the scrape request's TLS settings. 876 ''; 877 }; 878 }; 879 880 promTypes.kubernetes_sd_config = mkSdConfigModule { 881 api_server = mkOpt types.str '' 882 The API server addresses. If left empty, Prometheus is assumed to run inside 883 of the cluster and will discover API servers automatically and use the pod's 884 CA certificate and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/. 885 ''; 886 887 role = mkOption { 888 type = types.enum [ "endpoints" "service" "pod" "node" "ingress" ]; 889 description = lib.mdDoc '' 890 The Kubernetes role of entities that should be discovered. 891 One of endpoints, service, pod, node, or ingress. 892 ''; 893 }; 894 895 kubeconfig_file = mkOpt types.str '' 896 Optional path to a kubeconfig file. 897 Note that api_server and kube_config are mutually exclusive. 898 ''; 899 900 namespaces = mkOpt 901 ( 902 types.submodule { 903 options = { 904 names = mkOpt (types.listOf types.str) '' 905 Namespace name. 906 ''; 907 }; 908 } 909 ) '' 910 Optional namespace discovery. If omitted, all namespaces are used. 911 ''; 912 913 selectors = mkOpt 914 ( 915 types.listOf ( 916 types.submodule { 917 options = { 918 role = mkOption { 919 type = types.str; 920 description = lib.mdDoc '' 921 Selector role 922 ''; 923 }; 924 925 label = mkOpt types.str '' 926 Selector label 927 ''; 928 929 field = mkOpt types.str '' 930 Selector field 931 ''; 932 }; 933 } 934 ) 935 ) '' 936 Optional label and field selectors to limit the discovery process to a subset of available resources. 937 See https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/ 938 and https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ to learn more about the possible 939 filters that can be used. Endpoints role supports pod, service and endpoints selectors, other roles 940 only support selectors matching the role itself (e.g. node role can only contain node selectors). 941 942 Note: When making decision about using field/label selector make sure that this 943 is the best approach - it will prevent Prometheus from reusing single list/watch 944 for all scrape configs. This might result in a bigger load on the Kubernetes API, 945 because per each selector combination there will be additional LIST/WATCH. On the other hand, 946 if you just want to monitor small subset of pods in large cluster it's recommended to use selectors. 947 Decision, if selectors should be used or not depends on the particular situation. 948 ''; 949 }; 950 951 promTypes.kuma_sd_config = mkSdConfigModule { 952 server = mkOption { 953 type = types.str; 954 description = lib.mdDoc '' 955 Address of the Kuma Control Plane's MADS xDS server. 956 ''; 957 }; 958 959 refresh_interval = mkDefOpt types.str "30s" '' 960 The time to wait between polling update requests. 961 ''; 962 963 fetch_timeout = mkDefOpt types.str "2m" '' 964 The time after which the monitoring assignments are refreshed. 965 ''; 966 }; 967 968 promTypes.lightsail_sd_config = types.submodule { 969 options = { 970 region = mkOpt types.str '' 971 The AWS region. If blank, the region from the instance metadata is used. 972 ''; 973 974 endpoint = mkOpt types.str '' 975 Custom endpoint to be used. 976 ''; 977 978 access_key = mkOpt types.str '' 979 The AWS API keys. If blank, the environment variable `AWS_ACCESS_KEY_ID` is used. 980 ''; 981 982 secret_key = mkOpt types.str '' 983 The AWS API keys. If blank, the environment variable `AWS_SECRET_ACCESS_KEY` is used. 984 ''; 985 986 profile = mkOpt types.str '' 987 Named AWS profile used to connect to the API. 988 ''; 989 990 role_arn = mkOpt types.str '' 991 AWS Role ARN, an alternative to using AWS API keys. 992 ''; 993 994 refresh_interval = mkDefOpt types.str "60s" '' 995 Refresh interval to re-read the instance list. 996 ''; 997 998 port = mkDefOpt types.int "80" '' 999 The port to scrape metrics from. If using the public IP address, this must 1000 instead be specified in the relabeling rule. 1001 ''; 1002 }; 1003 }; 1004 1005 promTypes.linode_sd_config = mkSdConfigModule { 1006 port = mkDefOpt types.int "80" '' 1007 The port to scrape metrics from. 1008 ''; 1009 1010 tag_separator = mkDefOpt types.str "," '' 1011 The string by which Linode Instance tags are joined into the tag label. 1012 ''; 1013 1014 refresh_interval = mkDefOpt types.str "60s" '' 1015 The time after which the linode instances are refreshed. 1016 ''; 1017 }; 1018 1019 promTypes.marathon_sd_config = mkSdConfigModule { 1020 servers = mkOption { 1021 type = types.listOf types.str; 1022 description = lib.mdDoc '' 1023 List of URLs to be used to contact Marathon servers. You need to provide at least one server URL. 1024 ''; 1025 }; 1026 1027 refresh_interval = mkDefOpt types.str "30s" '' 1028 Polling interval. 1029 ''; 1030 1031 auth_token = mkOpt types.str '' 1032 Optional authentication information for token-based authentication: 1033 <https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token> 1034 It is mutually exclusive with `auth_token_file` and other authentication mechanisms. 1035 ''; 1036 1037 auth_token_file = mkOpt types.str '' 1038 Optional authentication information for token-based authentication: 1039 <https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token> 1040 It is mutually exclusive with `auth_token` and other authentication mechanisms. 1041 ''; 1042 }; 1043 1044 promTypes.nerve_sd_config = types.submodule { 1045 options = { 1046 servers = mkOption { 1047 type = types.listOf types.str; 1048 description = lib.mdDoc '' 1049 The Zookeeper servers. 1050 ''; 1051 }; 1052 1053 paths = mkOption { 1054 type = types.listOf types.str; 1055 description = lib.mdDoc '' 1056 Paths can point to a single service, or the root of a tree of services. 1057 ''; 1058 }; 1059 1060 timeout = mkDefOpt types.str "10s" '' 1061 Timeout value. 1062 ''; 1063 }; 1064 }; 1065 1066 promTypes.openstack_sd_config = types.submodule { 1067 options = 1068 let 1069 userDescription = '' 1070 username is required if using Identity V2 API. Consult with your provider's 1071 control panel to discover your account's username. In Identity V3, either 1072 userid or a combination of username and domain_id or domain_name are needed. 1073 ''; 1074 1075 domainDescription = '' 1076 At most one of domain_id and domain_name must be provided if using username 1077 with Identity V3. Otherwise, either are optional. 1078 ''; 1079 1080 projectDescription = '' 1081 The project_id and project_name fields are optional for the Identity V2 API. 1082 Some providers allow you to specify a project_name instead of the project_id. 1083 Some require both. Your provider's authentication policies will determine 1084 how these fields influence authentication. 1085 ''; 1086 1087 applicationDescription = '' 1088 The application_credential_id or application_credential_name fields are 1089 required if using an application credential to authenticate. Some providers 1090 allow you to create an application credential to authenticate rather than a 1091 password. 1092 ''; 1093 in 1094 { 1095 role = mkOption { 1096 type = types.str; 1097 description = lib.mdDoc '' 1098 The OpenStack role of entities that should be discovered. 1099 ''; 1100 }; 1101 1102 region = mkOption { 1103 type = types.str; 1104 description = lib.mdDoc '' 1105 The OpenStack Region. 1106 ''; 1107 }; 1108 1109 identity_endpoint = mkOpt types.str '' 1110 identity_endpoint specifies the HTTP endpoint that is required to work with 1111 the Identity API of the appropriate version. While it's ultimately needed by 1112 all of the identity services, it will often be populated by a provider-level 1113 function. 1114 ''; 1115 1116 username = mkOpt types.str userDescription; 1117 userid = mkOpt types.str userDescription; 1118 1119 password = mkOpt types.str '' 1120 password for the Identity V2 and V3 APIs. Consult with your provider's 1121 control panel to discover your account's preferred method of authentication. 1122 ''; 1123 1124 domain_name = mkOpt types.str domainDescription; 1125 domain_id = mkOpt types.str domainDescription; 1126 1127 project_name = mkOpt types.str projectDescription; 1128 project_id = mkOpt types.str projectDescription; 1129 1130 application_credential_name = mkOpt types.str applicationDescription; 1131 application_credential_id = mkOpt types.str applicationDescription; 1132 1133 application_credential_secret = mkOpt types.str '' 1134 The application_credential_secret field is required if using an application 1135 credential to authenticate. 1136 ''; 1137 1138 all_tenants = mkDefOpt types.bool "false" '' 1139 Whether the service discovery should list all instances for all projects. 1140 It is only relevant for the 'instance' role and usually requires admin permissions. 1141 ''; 1142 1143 refresh_interval = mkDefOpt types.str "60s" '' 1144 Refresh interval to re-read the instance list. 1145 ''; 1146 1147 port = mkDefOpt types.int "80" '' 1148 The port to scrape metrics from. If using the public IP address, this must 1149 instead be specified in the relabeling rule. 1150 ''; 1151 1152 availability = mkDefOpt (types.enum [ "public" "admin" "internal" ]) "public" '' 1153 The availability of the endpoint to connect to. Must be one of public, admin or internal. 1154 ''; 1155 1156 tls_config = mkOpt promTypes.tls_config '' 1157 TLS configuration. 1158 ''; 1159 }; 1160 }; 1161 1162 promTypes.puppetdb_sd_config = mkSdConfigModule { 1163 url = mkOption { 1164 type = types.str; 1165 description = lib.mdDoc '' 1166 The URL of the PuppetDB root query endpoint. 1167 ''; 1168 }; 1169 1170 query = mkOption { 1171 type = types.str; 1172 description = lib.mdDoc '' 1173 Puppet Query Language (PQL) query. Only resources are supported. 1174 https://puppet.com/docs/puppetdb/latest/api/query/v4/pql.html 1175 ''; 1176 }; 1177 1178 include_parameters = mkDefOpt types.bool "false" '' 1179 Whether to include the parameters as meta labels. 1180 Due to the differences between parameter types and Prometheus labels, 1181 some parameters might not be rendered. The format of the parameters might 1182 also change in future releases. 1183 1184 Note: Enabling this exposes parameters in the Prometheus UI and API. Make sure 1185 that you don't have secrets exposed as parameters if you enable this. 1186 ''; 1187 1188 refresh_interval = mkDefOpt types.str "60s" '' 1189 Refresh interval to re-read the resources list. 1190 ''; 1191 1192 port = mkDefOpt types.int "80" '' 1193 The port to scrape metrics from. 1194 ''; 1195 }; 1196 1197 promTypes.scaleway_sd_config = types.submodule { 1198 options = { 1199 access_key = mkOption { 1200 type = types.str; 1201 description = lib.mdDoc '' 1202 Access key to use. https://console.scaleway.com/project/credentials 1203 ''; 1204 }; 1205 1206 secret_key = mkOpt types.str '' 1207 Secret key to use when listing targets. https://console.scaleway.com/project/credentials 1208 It is mutually exclusive with `secret_key_file`. 1209 ''; 1210 1211 secret_key_file = mkOpt types.str '' 1212 Sets the secret key with the credentials read from the configured file. 1213 It is mutually exclusive with `secret_key`. 1214 ''; 1215 1216 project_id = mkOption { 1217 type = types.str; 1218 description = lib.mdDoc '' 1219 Project ID of the targets. 1220 ''; 1221 }; 1222 1223 role = mkOption { 1224 type = types.enum [ "instance" "baremetal" ]; 1225 description = lib.mdDoc '' 1226 Role of the targets to retrieve. Must be `instance` or `baremetal`. 1227 ''; 1228 }; 1229 1230 port = mkDefOpt types.int "80" '' 1231 The port to scrape metrics from. 1232 ''; 1233 1234 api_url = mkDefOpt types.str "https://api.scaleway.com" '' 1235 API URL to use when doing the server listing requests. 1236 ''; 1237 1238 zone = mkDefOpt types.str "fr-par-1" '' 1239 Zone is the availability zone of your targets (e.g. fr-par-1). 1240 ''; 1241 1242 name_filter = mkOpt types.str '' 1243 Specify a name filter (works as a LIKE) to apply on the server listing request. 1244 ''; 1245 1246 tags_filter = mkOpt (types.listOf types.str) '' 1247 Specify a tag filter (a server needs to have all defined tags to be listed) to apply on the server listing request. 1248 ''; 1249 1250 refresh_interval = mkDefOpt types.str "60s" '' 1251 Refresh interval to re-read the managed targets list. 1252 ''; 1253 1254 proxy_url = mkOpt types.str '' 1255 Optional proxy URL. 1256 ''; 1257 1258 follow_redirects = mkDefOpt types.bool "true" '' 1259 Configure whether HTTP requests follow HTTP 3xx redirects. 1260 ''; 1261 1262 tls_config = mkOpt promTypes.tls_config '' 1263 TLS configuration. 1264 ''; 1265 }; 1266 }; 1267 1268 # These are exactly the same. 1269 promTypes.serverset_sd_config = promTypes.nerve_sd_config; 1270 1271 promTypes.triton_sd_config = types.submodule { 1272 options = { 1273 account = mkOption { 1274 type = types.str; 1275 description = lib.mdDoc '' 1276 The account to use for discovering new targets. 1277 ''; 1278 }; 1279 1280 role = mkDefOpt (types.enum [ "container" "cn" ]) "container" '' 1281 The type of targets to discover, can be set to: 1282 - "container" to discover virtual machines (SmartOS zones, lx/KVM/bhyve branded zones) running on Triton 1283 - "cn" to discover compute nodes (servers/global zones) making up the Triton infrastructure 1284 ''; 1285 1286 dns_suffix = mkOption { 1287 type = types.str; 1288 description = lib.mdDoc '' 1289 The DNS suffix which should be applied to target. 1290 ''; 1291 }; 1292 1293 endpoint = mkOption { 1294 type = types.str; 1295 description = lib.mdDoc '' 1296 The Triton discovery endpoint (e.g. `cmon.us-east-3b.triton.zone`). This is 1297 often the same value as dns_suffix. 1298 ''; 1299 }; 1300 1301 groups = mkOpt (types.listOf types.str) '' 1302 A list of groups for which targets are retrieved, only supported when targeting the `container` role. 1303 If omitted all containers owned by the requesting account are scraped. 1304 ''; 1305 1306 port = mkDefOpt types.int "9163" '' 1307 The port to use for discovery and metric scraping. 1308 ''; 1309 1310 refresh_interval = mkDefOpt types.str "60s" '' 1311 The interval which should be used for refreshing targets. 1312 ''; 1313 1314 version = mkDefOpt types.int "1" '' 1315 The Triton discovery API version. 1316 ''; 1317 1318 tls_config = mkOpt promTypes.tls_config '' 1319 TLS configuration. 1320 ''; 1321 }; 1322 }; 1323 1324 promTypes.uyuni_sd_config = mkSdConfigModule { 1325 server = mkOption { 1326 type = types.str; 1327 description = lib.mdDoc '' 1328 The URL to connect to the Uyuni server. 1329 ''; 1330 }; 1331 1332 username = mkOption { 1333 type = types.str; 1334 description = lib.mdDoc '' 1335 Credentials are used to authenticate the requests to Uyuni API. 1336 ''; 1337 }; 1338 1339 password = mkOption { 1340 type = types.str; 1341 description = lib.mdDoc '' 1342 Credentials are used to authenticate the requests to Uyuni API. 1343 ''; 1344 }; 1345 1346 entitlement = mkDefOpt types.str "monitoring_entitled" '' 1347 The entitlement string to filter eligible systems. 1348 ''; 1349 1350 separator = mkDefOpt types.str "," '' 1351 The string by which Uyuni group names are joined into the groups label 1352 ''; 1353 1354 refresh_interval = mkDefOpt types.str "60s" '' 1355 Refresh interval to re-read the managed targets list. 1356 ''; 1357 }; 1358 1359 promTypes.static_config = types.submodule { 1360 options = { 1361 targets = mkOption { 1362 type = types.listOf types.str; 1363 description = lib.mdDoc '' 1364 The targets specified by the target group. 1365 ''; 1366 }; 1367 labels = mkOption { 1368 type = types.attrsOf types.str; 1369 default = { }; 1370 description = lib.mdDoc '' 1371 Labels assigned to all metrics scraped from the targets. 1372 ''; 1373 }; 1374 }; 1375 }; 1376 1377 # 1378 # Config types: relabling 1379 # 1380 1381 promTypes.relabel_config = types.submodule { 1382 options = { 1383 source_labels = mkOpt (types.listOf types.str) '' 1384 The source labels select values from existing labels. Their content 1385 is concatenated using the configured separator and matched against 1386 the configured regular expression. 1387 ''; 1388 1389 separator = mkDefOpt types.str ";" '' 1390 Separator placed between concatenated source label values. 1391 ''; 1392 1393 target_label = mkOpt types.str '' 1394 Label to which the resulting value is written in a replace action. 1395 It is mandatory for replace actions. 1396 ''; 1397 1398 regex = mkDefOpt types.str "(.*)" '' 1399 Regular expression against which the extracted value is matched. 1400 ''; 1401 1402 modulus = mkOpt types.int '' 1403 Modulus to take of the hash of the source label values. 1404 ''; 1405 1406 replacement = mkDefOpt types.str "$1" '' 1407 Replacement value against which a regex replace is performed if the 1408 regular expression matches. 1409 ''; 1410 1411 action = 1412 mkDefOpt (types.enum [ "replace" "keep" "drop" "hashmod" "labelmap" "labeldrop" "labelkeep" ]) "replace" '' 1413 Action to perform based on regex matching. 1414 ''; 1415 }; 1416 }; 1417 1418 # 1419 # Config types : remote read / write 1420 # 1421 1422 promTypes.remote_write = types.submodule { 1423 options = { 1424 url = mkOption { 1425 type = types.str; 1426 description = lib.mdDoc '' 1427 ServerName extension to indicate the name of the server. 1428 http://tools.ietf.org/html/rfc4366#section-3.1 1429 ''; 1430 }; 1431 remote_timeout = mkOpt types.str '' 1432 Timeout for requests to the remote write endpoint. 1433 ''; 1434 write_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 1435 List of remote write relabel configurations. 1436 ''; 1437 name = mkOpt types.str '' 1438 Name of the remote write config, which if specified must be unique among remote write configs. 1439 The name will be used in metrics and logging in place of a generated value to help users distinguish between 1440 remote write configs. 1441 ''; 1442 basic_auth = mkOpt promTypes.basic_auth '' 1443 Sets the `Authorization` header on every remote write request with the 1444 configured username and password. 1445 password and password_file are mutually exclusive. 1446 ''; 1447 bearer_token = mkOpt types.str '' 1448 Sets the `Authorization` header on every remote write request with 1449 the configured bearer token. It is mutually exclusive with `bearer_token_file`. 1450 ''; 1451 bearer_token_file = mkOpt types.str '' 1452 Sets the `Authorization` header on every remote write request with the bearer token 1453 read from the configured file. It is mutually exclusive with `bearer_token`. 1454 ''; 1455 tls_config = mkOpt promTypes.tls_config '' 1456 Configures the remote write request's TLS settings. 1457 ''; 1458 proxy_url = mkOpt types.str "Optional Proxy URL."; 1459 queue_config = mkOpt 1460 (types.submodule { 1461 options = { 1462 capacity = mkOpt types.int '' 1463 Number of samples to buffer per shard before we block reading of more 1464 samples from the WAL. It is recommended to have enough capacity in each 1465 shard to buffer several requests to keep throughput up while processing 1466 occasional slow remote requests. 1467 ''; 1468 max_shards = mkOpt types.int '' 1469 Maximum number of shards, i.e. amount of concurrency. 1470 ''; 1471 min_shards = mkOpt types.int '' 1472 Minimum number of shards, i.e. amount of concurrency. 1473 ''; 1474 max_samples_per_send = mkOpt types.int '' 1475 Maximum number of samples per send. 1476 ''; 1477 batch_send_deadline = mkOpt types.str '' 1478 Maximum time a sample will wait in buffer. 1479 ''; 1480 min_backoff = mkOpt types.str '' 1481 Initial retry delay. Gets doubled for every retry. 1482 ''; 1483 max_backoff = mkOpt types.str '' 1484 Maximum retry delay. 1485 ''; 1486 }; 1487 }) '' 1488 Configures the queue used to write to remote storage. 1489 ''; 1490 metadata_config = mkOpt 1491 (types.submodule { 1492 options = { 1493 send = mkOpt types.bool '' 1494 Whether metric metadata is sent to remote storage or not. 1495 ''; 1496 send_interval = mkOpt types.str '' 1497 How frequently metric metadata is sent to remote storage. 1498 ''; 1499 }; 1500 }) '' 1501 Configures the sending of series metadata to remote storage. 1502 Metadata configuration is subject to change at any point 1503 or be removed in future releases. 1504 ''; 1505 }; 1506 }; 1507 1508 promTypes.remote_read = types.submodule { 1509 options = { 1510 url = mkOption { 1511 type = types.str; 1512 description = lib.mdDoc '' 1513 ServerName extension to indicate the name of the server. 1514 http://tools.ietf.org/html/rfc4366#section-3.1 1515 ''; 1516 }; 1517 name = mkOpt types.str '' 1518 Name of the remote read config, which if specified must be unique among remote read configs. 1519 The name will be used in metrics and logging in place of a generated value to help users distinguish between 1520 remote read configs. 1521 ''; 1522 required_matchers = mkOpt (types.attrsOf types.str) '' 1523 An optional list of equality matchers which have to be 1524 present in a selector to query the remote read endpoint. 1525 ''; 1526 remote_timeout = mkOpt types.str '' 1527 Timeout for requests to the remote read endpoint. 1528 ''; 1529 read_recent = mkOpt types.bool '' 1530 Whether reads should be made for queries for time ranges that 1531 the local storage should have complete data for. 1532 ''; 1533 basic_auth = mkOpt promTypes.basic_auth '' 1534 Sets the `Authorization` header on every remote read request with the 1535 configured username and password. 1536 password and password_file are mutually exclusive. 1537 ''; 1538 bearer_token = mkOpt types.str '' 1539 Sets the `Authorization` header on every remote read request with 1540 the configured bearer token. It is mutually exclusive with `bearer_token_file`. 1541 ''; 1542 bearer_token_file = mkOpt types.str '' 1543 Sets the `Authorization` header on every remote read request with the bearer token 1544 read from the configured file. It is mutually exclusive with `bearer_token`. 1545 ''; 1546 tls_config = mkOpt promTypes.tls_config '' 1547 Configures the remote read request's TLS settings. 1548 ''; 1549 proxy_url = mkOpt types.str "Optional Proxy URL."; 1550 }; 1551 }; 1552 1553in 1554{ 1555 1556 imports = [ 1557 (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) 1558 (mkRemovedOptionModule [ "services" "prometheus" "environmentFile" ] 1559 "It has been removed since it was causing issues (https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`.") 1560 (mkRemovedOptionModule [ "services" "prometheus" "alertmanagerTimeout" ] 1561 "Deprecated upstream and no longer had any effect") 1562 ]; 1563 1564 options.services.prometheus = { 1565 1566 enable = mkEnableOption (lib.mdDoc "Prometheus monitoring daemon"); 1567 1568 package = mkOption { 1569 type = types.package; 1570 default = pkgs.prometheus; 1571 defaultText = literalExpression "pkgs.prometheus"; 1572 description = lib.mdDoc '' 1573 The prometheus package that should be used. 1574 ''; 1575 }; 1576 1577 port = mkOption { 1578 type = types.port; 1579 default = 9090; 1580 description = lib.mdDoc '' 1581 Port to listen on. 1582 ''; 1583 }; 1584 1585 listenAddress = mkOption { 1586 type = types.str; 1587 default = "0.0.0.0"; 1588 description = lib.mdDoc '' 1589 Address to listen on for the web interface, API, and telemetry. 1590 ''; 1591 }; 1592 1593 stateDir = mkOption { 1594 type = types.str; 1595 default = "prometheus2"; 1596 description = lib.mdDoc '' 1597 Directory below `/var/lib` to store Prometheus metrics data. 1598 This directory will be created automatically using systemd's StateDirectory mechanism. 1599 ''; 1600 }; 1601 1602 extraFlags = mkOption { 1603 type = types.listOf types.str; 1604 default = [ ]; 1605 description = lib.mdDoc '' 1606 Extra commandline options when launching Prometheus. 1607 ''; 1608 }; 1609 1610 enableReload = mkOption { 1611 default = false; 1612 type = types.bool; 1613 description = lib.mdDoc '' 1614 Reload prometheus when configuration file changes (instead of restart). 1615 1616 The following property holds: switching to a configuration 1617 (`switch-to-configuration`) that changes the prometheus 1618 configuration only finishes successully when prometheus has finished 1619 loading the new configuration. 1620 ''; 1621 }; 1622 1623 configText = mkOption { 1624 type = types.nullOr types.lines; 1625 default = null; 1626 description = lib.mdDoc '' 1627 If non-null, this option defines the text that is written to 1628 prometheus.yml. If null, the contents of prometheus.yml is generated 1629 from the structured config options. 1630 ''; 1631 }; 1632 1633 globalConfig = mkOption { 1634 type = promTypes.globalConfig; 1635 default = { }; 1636 description = lib.mdDoc '' 1637 Parameters that are valid in all configuration contexts. They 1638 also serve as defaults for other configuration sections 1639 ''; 1640 }; 1641 1642 remoteRead = mkOption { 1643 type = types.listOf promTypes.remote_read; 1644 default = [ ]; 1645 description = lib.mdDoc '' 1646 Parameters of the endpoints to query from. 1647 See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read) for more information. 1648 ''; 1649 }; 1650 1651 remoteWrite = mkOption { 1652 type = types.listOf promTypes.remote_write; 1653 default = [ ]; 1654 description = lib.mdDoc '' 1655 Parameters of the endpoints to send samples to. 1656 See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write) for more information. 1657 ''; 1658 }; 1659 1660 rules = mkOption { 1661 type = types.listOf types.str; 1662 default = [ ]; 1663 description = lib.mdDoc '' 1664 Alerting and/or Recording rules to evaluate at runtime. 1665 ''; 1666 }; 1667 1668 ruleFiles = mkOption { 1669 type = types.listOf types.path; 1670 default = [ ]; 1671 description = lib.mdDoc '' 1672 Any additional rules files to include in this configuration. 1673 ''; 1674 }; 1675 1676 scrapeConfigs = mkOption { 1677 type = types.listOf promTypes.scrape_config; 1678 default = [ ]; 1679 description = lib.mdDoc '' 1680 A list of scrape configurations. 1681 ''; 1682 }; 1683 1684 alertmanagers = mkOption { 1685 type = types.listOf types.attrs; 1686 example = literalExpression '' 1687 [ { 1688 scheme = "https"; 1689 path_prefix = "/alertmanager"; 1690 static_configs = [ { 1691 targets = [ 1692 "prometheus.domain.tld" 1693 ]; 1694 } ]; 1695 } ] 1696 ''; 1697 default = [ ]; 1698 description = lib.mdDoc '' 1699 A list of alertmanagers to send alerts to. 1700 See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config) for more information. 1701 ''; 1702 }; 1703 1704 alertmanagerNotificationQueueCapacity = mkOption { 1705 type = types.int; 1706 default = 10000; 1707 description = lib.mdDoc '' 1708 The capacity of the queue for pending alert manager notifications. 1709 ''; 1710 }; 1711 1712 webExternalUrl = mkOption { 1713 type = types.nullOr types.str; 1714 default = null; 1715 example = "https://example.com/"; 1716 description = lib.mdDoc '' 1717 The URL under which Prometheus is externally reachable (for example, 1718 if Prometheus is served via a reverse proxy). 1719 ''; 1720 }; 1721 1722 checkConfig = mkOption { 1723 type = with types; either bool (enum [ "syntax-only" ]); 1724 default = true; 1725 example = "syntax-only"; 1726 description = lib.mdDoc '' 1727 Check configuration with `promtool check`. The call to `promtool` is 1728 subject to sandboxing by Nix. 1729 1730 If you use credentials stored in external files 1731 (`password_file`, `bearer_token_file`, etc), 1732 they will not be visible to `promtool` 1733 and it will report errors, despite a correct configuration. 1734 To resolve this, you may set this option to `"syntax-only"` 1735 in order to only syntax check the Prometheus configuration. 1736 ''; 1737 }; 1738 1739 retentionTime = mkOption { 1740 type = types.nullOr types.str; 1741 default = null; 1742 example = "15d"; 1743 description = lib.mdDoc '' 1744 How long to retain samples in storage. 1745 ''; 1746 }; 1747 }; 1748 1749 config = mkIf cfg.enable { 1750 assertions = [ 1751 ( 1752 let 1753 # Match something with dots (an IPv4 address) or something ending in 1754 # a square bracket (an IPv6 addresses) followed by a port number. 1755 legacy = builtins.match "(.*\\..*|.*]):([[:digit:]]+)" cfg.listenAddress; 1756 in 1757 { 1758 assertion = legacy == null; 1759 message = '' 1760 Do not specify the port for Prometheus to listen on in the 1761 listenAddress option; use the port option instead: 1762 services.prometheus.listenAddress = ${builtins.elemAt legacy 0}; 1763 services.prometheus.port = ${builtins.elemAt legacy 1}; 1764 ''; 1765 } 1766 ) 1767 ]; 1768 1769 users.groups.prometheus.gid = config.ids.gids.prometheus; 1770 users.users.prometheus = { 1771 description = "Prometheus daemon user"; 1772 uid = config.ids.uids.prometheus; 1773 group = "prometheus"; 1774 }; 1775 environment.etc."prometheus/prometheus.yaml" = mkIf cfg.enableReload { 1776 source = prometheusYml; 1777 }; 1778 systemd.services.prometheus = { 1779 wantedBy = [ "multi-user.target" ]; 1780 after = [ "network.target" ]; 1781 serviceConfig = { 1782 ExecStart = "${cfg.package}/bin/prometheus" + 1783 optionalString (length cmdlineArgs != 0) (" \\\n " + 1784 concatStringsSep " \\\n " cmdlineArgs); 1785 ExecReload = mkIf cfg.enableReload "+${reload}/bin/reload-prometheus"; 1786 User = "prometheus"; 1787 Restart = "always"; 1788 RuntimeDirectory = "prometheus"; 1789 RuntimeDirectoryMode = "0700"; 1790 WorkingDirectory = workingDir; 1791 StateDirectory = cfg.stateDir; 1792 StateDirectoryMode = "0700"; 1793 # Hardening 1794 AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; 1795 CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ]; 1796 DeviceAllow = [ "/dev/null rw" ]; 1797 DevicePolicy = "strict"; 1798 LockPersonality = true; 1799 MemoryDenyWriteExecute = true; 1800 NoNewPrivileges = true; 1801 PrivateDevices = true; 1802 PrivateTmp = true; 1803 PrivateUsers = true; 1804 ProtectClock = true; 1805 ProtectControlGroups = true; 1806 ProtectHome = true; 1807 ProtectHostname = true; 1808 ProtectKernelLogs = true; 1809 ProtectKernelModules = true; 1810 ProtectKernelTunables = true; 1811 ProtectProc = "invisible"; 1812 ProtectSystem = "full"; 1813 RemoveIPC = true; 1814 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; 1815 RestrictNamespaces = true; 1816 RestrictRealtime = true; 1817 RestrictSUIDSGID = true; 1818 SystemCallArchitectures = "native"; 1819 SystemCallFilter = [ "@system-service" "~@privileged" ]; 1820 }; 1821 }; 1822 # prometheus-config-reload will activate after prometheus. However, what we 1823 # don't want is that on startup it immediately reloads prometheus because 1824 # prometheus itself might have just started. 1825 # 1826 # Instead we only want to reload prometheus when the config file has 1827 # changed. So on startup prometheus-config-reload will just output a 1828 # harmless message and then stay active (RemainAfterExit). 1829 # 1830 # Then, when the config file has changed, switch-to-configuration notices 1831 # that this service has changed (restartTriggers) and needs to be reloaded 1832 # (reloadIfChanged). The reload command then reloads prometheus. 1833 systemd.services.prometheus-config-reload = mkIf cfg.enableReload { 1834 wantedBy = [ "prometheus.service" ]; 1835 after = [ "prometheus.service" ]; 1836 reloadIfChanged = true; 1837 restartTriggers = [ prometheusYml ]; 1838 serviceConfig = { 1839 Type = "oneshot"; 1840 RemainAfterExit = true; 1841 TimeoutSec = 60; 1842 ExecStart = "${pkgs.logger}/bin/logger 'prometheus-config-reload will only reload prometheus when reloaded itself.'"; 1843 ExecReload = [ "${triggerReload}/bin/trigger-reload-prometheus" ]; 1844 }; 1845 }; 1846 }; 1847}