pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / monitoring / prometheus / default.nix
at 23.11-pre 62 kB view raw
1{ config, pkgs, lib, ... }: 2 3with lib; 4 5let 6 yaml = pkgs.formats.yaml { }; 7 cfg = config.services.prometheus; 8 checkConfigEnabled = 9 (lib.isBool cfg.checkConfig && cfg.checkConfig) 10 || cfg.checkConfig == "syntax-only"; 11 12 workingDir = "/var/lib/" + cfg.stateDir; 13 14 triggerReload = pkgs.writeShellScriptBin "trigger-reload-prometheus" '' 15 PATH="${makeBinPath (with pkgs; [ systemd ])}" 16 if systemctl -q is-active prometheus.service; then 17 systemctl reload prometheus.service 18 fi 19 ''; 20 21 reload = pkgs.writeShellScriptBin "reload-prometheus" '' 22 PATH="${makeBinPath (with pkgs; [ systemd coreutils gnugrep ])}" 23 cursor=$(journalctl --show-cursor -n0 | grep -oP "cursor: \K.*") 24 kill -HUP $MAINPID 25 journalctl -u prometheus.service --after-cursor="$cursor" -f \ 26 | grep -m 1 "Completed loading of configuration file" > /dev/null 27 ''; 28 29 # a wrapper that verifies that the configuration is valid 30 promtoolCheck = what: name: file: 31 if checkConfigEnabled then 32 pkgs.runCommandLocal 33 "${name}-${replaceStrings [" "] [""] what}-checked" 34 { buildInputs = [ cfg.package.cli ]; } '' 35 ln -s ${file} $out 36 promtool ${what} $out 37 '' else file; 38 39 generatedPrometheusYml = yaml.generate "prometheus.yml" promConfig; 40 41 # This becomes the main config file for Prometheus 42 promConfig = { 43 global = filterValidPrometheus cfg.globalConfig; 44 rule_files = map (promtoolCheck "check rules" "rules") (cfg.ruleFiles ++ [ 45 (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg.rules)) 46 ]); 47 scrape_configs = filterValidPrometheus cfg.scrapeConfigs; 48 remote_write = filterValidPrometheus cfg.remoteWrite; 49 remote_read = filterValidPrometheus cfg.remoteRead; 50 alerting = { 51 inherit (cfg) alertmanagers; 52 }; 53 }; 54 55 prometheusYml = 56 let 57 yml = 58 if cfg.configText != null then 59 pkgs.writeText "prometheus.yml" cfg.configText 60 else generatedPrometheusYml; 61 in 62 promtoolCheck "check config ${lib.optionalString (cfg.checkConfig == "syntax-only") "--syntax-only"}" "prometheus.yml" yml; 63 64 cmdlineArgs = cfg.extraFlags ++ [ 65 "--storage.tsdb.path=${workingDir}/data/" 66 "--config.file=${ 67 if cfg.enableReload 68 then "/etc/prometheus/prometheus.yaml" 69 else prometheusYml 70 }" 71 "--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}" 72 "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" 73 ] ++ optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}" 74 ++ optional (cfg.retentionTime != null) "--storage.tsdb.retention.time=${cfg.retentionTime}" 75 ++ optional (cfg.webConfigFile != null) "--web.config.file=${cfg.webConfigFile}"; 76 77 filterValidPrometheus = filterAttrsListRecursive (n: v: !(n == "_module" || v == null)); 78 filterAttrsListRecursive = pred: x: 79 if isAttrs x then 80 listToAttrs 81 ( 82 concatMap 83 (name: 84 let v = x.${name}; in 85 if pred name v then [ 86 (nameValuePair name (filterAttrsListRecursive pred v)) 87 ] else [ ] 88 ) 89 (attrNames x) 90 ) 91 else if isList x then 92 map (filterAttrsListRecursive pred) x 93 else x; 94 95 # 96 # Config types: helper functions 97 # 98 99 mkDefOpt = type: defaultStr: description: mkOpt type (description + '' 100 101 Defaults to ````${defaultStr}```` in prometheus 102 when set to `null`. 103 ''); 104 105 mkOpt = type: description: mkOption { 106 type = types.nullOr type; 107 default = null; 108 description = lib.mdDoc description; 109 }; 110 111 mkSdConfigModule = extraOptions: types.submodule { 112 options = { 113 basic_auth = mkOpt promTypes.basic_auth '' 114 Optional HTTP basic authentication information. 115 ''; 116 117 authorization = mkOpt 118 (types.submodule { 119 options = { 120 type = mkDefOpt types.str "Bearer" '' 121 Sets the authentication type. 122 ''; 123 124 credentials = mkOpt types.str '' 125 Sets the credentials. It is mutually exclusive with `credentials_file`. 126 ''; 127 128 credentials_file = mkOpt types.str '' 129 Sets the credentials to the credentials read from the configured file. 130 It is mutually exclusive with `credentials`. 131 ''; 132 }; 133 }) '' 134 Optional `Authorization` header configuration. 135 ''; 136 137 oauth2 = mkOpt promtypes.oauth2 '' 138 Optional OAuth 2.0 configuration. 139 Cannot be used at the same time as basic_auth or authorization. 140 ''; 141 142 proxy_url = mkOpt types.str '' 143 Optional proxy URL. 144 ''; 145 146 follow_redirects = mkDefOpt types.bool "true" '' 147 Configure whether HTTP requests follow HTTP 3xx redirects. 148 ''; 149 150 tls_config = mkOpt promTypes.tls_config '' 151 TLS configuration. 152 ''; 153 } // extraOptions; 154 }; 155 156 # 157 # Config types: general 158 # 159 160 promTypes.globalConfig = types.submodule { 161 options = { 162 scrape_interval = mkDefOpt types.str "1m" '' 163 How frequently to scrape targets by default. 164 ''; 165 166 scrape_timeout = mkDefOpt types.str "10s" '' 167 How long until a scrape request times out. 168 ''; 169 170 evaluation_interval = mkDefOpt types.str "1m" '' 171 How frequently to evaluate rules by default. 172 ''; 173 174 external_labels = mkOpt (types.attrsOf types.str) '' 175 The labels to add to any time series or alerts when 176 communicating with external systems (federation, remote 177 storage, Alertmanager). 178 ''; 179 }; 180 }; 181 182 promTypes.basic_auth = types.submodule { 183 options = { 184 username = mkOption { 185 type = types.str; 186 description = lib.mdDoc '' 187 HTTP username 188 ''; 189 }; 190 password = mkOpt types.str "HTTP password"; 191 password_file = mkOpt types.str "HTTP password file"; 192 }; 193 }; 194 195 promTypes.tls_config = types.submodule { 196 options = { 197 ca_file = mkOpt types.str '' 198 CA certificate to validate API server certificate with. 199 ''; 200 201 cert_file = mkOpt types.str '' 202 Certificate file for client cert authentication to the server. 203 ''; 204 205 key_file = mkOpt types.str '' 206 Key file for client cert authentication to the server. 207 ''; 208 209 server_name = mkOpt types.str '' 210 ServerName extension to indicate the name of the server. 211 http://tools.ietf.org/html/rfc4366#section-3.1 212 ''; 213 214 insecure_skip_verify = mkOpt types.bool '' 215 Disable validation of the server certificate. 216 ''; 217 }; 218 }; 219 220 promtypes.oauth2 = types.submodule { 221 options = { 222 client_id = mkOpt types.str '' 223 OAuth client ID. 224 ''; 225 226 client_secret = mkOpt types.str '' 227 OAuth client secret. 228 ''; 229 230 client_secret_file = mkOpt types.str '' 231 Read the client secret from a file. It is mutually exclusive with `client_secret`. 232 ''; 233 234 scopes = mkOpt (types.listOf types.str) '' 235 Scopes for the token request. 236 ''; 237 238 token_url = mkOpt types.str '' 239 The URL to fetch the token from. 240 ''; 241 242 endpoint_params = mkOpt (types.attrsOf types.str) '' 243 Optional parameters to append to the token URL. 244 ''; 245 }; 246 }; 247 248 promTypes.scrape_config = types.submodule { 249 options = { 250 authorization = mkOption { 251 type = types.nullOr types.attrs; 252 default = null; 253 description = lib.mdDoc '' 254 Sets the `Authorization` header on every scrape request with the configured credentials. 255 ''; 256 }; 257 job_name = mkOption { 258 type = types.str; 259 description = lib.mdDoc '' 260 The job name assigned to scraped metrics by default. 261 ''; 262 }; 263 scrape_interval = mkOpt types.str '' 264 How frequently to scrape targets from this job. Defaults to the 265 globally configured default. 266 ''; 267 268 scrape_timeout = mkOpt types.str '' 269 Per-target timeout when scraping this job. Defaults to the 270 globally configured default. 271 ''; 272 273 metrics_path = mkDefOpt types.str "/metrics" '' 274 The HTTP resource path on which to fetch metrics from targets. 275 ''; 276 277 honor_labels = mkDefOpt types.bool "false" '' 278 Controls how Prometheus handles conflicts between labels 279 that are already present in scraped data and labels that 280 Prometheus would attach server-side ("job" and "instance" 281 labels, manually configured target labels, and labels 282 generated by service discovery implementations). 283 284 If honor_labels is set to "true", label conflicts are 285 resolved by keeping label values from the scraped data and 286 ignoring the conflicting server-side labels. 287 288 If honor_labels is set to "false", label conflicts are 289 resolved by renaming conflicting labels in the scraped data 290 to "exported_\<original-label\>" (for example 291 "exported_instance", "exported_job") and then attaching 292 server-side labels. This is useful for use cases such as 293 federation, where all labels specified in the target should 294 be preserved. 295 ''; 296 297 honor_timestamps = mkDefOpt types.bool "true" '' 298 honor_timestamps controls whether Prometheus respects the timestamps present 299 in scraped data. 300 301 If honor_timestamps is set to `true`, the timestamps of the metrics exposed 302 by the target will be used. 303 304 If honor_timestamps is set to `false`, the timestamps of the metrics exposed 305 by the target will be ignored. 306 ''; 307 308 scheme = mkDefOpt (types.enum [ "http" "https" ]) "http" '' 309 The URL scheme with which to fetch metrics from targets. 310 ''; 311 312 params = mkOpt (types.attrsOf (types.listOf types.str)) '' 313 Optional HTTP URL parameters. 314 ''; 315 316 basic_auth = mkOpt promTypes.basic_auth '' 317 Sets the `Authorization` header on every scrape request with the 318 configured username and password. 319 password and password_file are mutually exclusive. 320 ''; 321 322 bearer_token = mkOpt types.str '' 323 Sets the `Authorization` header on every scrape request with 324 the configured bearer token. It is mutually exclusive with 325 {option}`bearer_token_file`. 326 ''; 327 328 bearer_token_file = mkOpt types.str '' 329 Sets the `Authorization` header on every scrape request with 330 the bearer token read from the configured file. It is mutually 331 exclusive with {option}`bearer_token`. 332 ''; 333 334 tls_config = mkOpt promTypes.tls_config '' 335 Configures the scrape request's TLS settings. 336 ''; 337 338 proxy_url = mkOpt types.str '' 339 Optional proxy URL. 340 ''; 341 342 azure_sd_configs = mkOpt (types.listOf promTypes.azure_sd_config) '' 343 List of Azure service discovery configurations. 344 ''; 345 346 consul_sd_configs = mkOpt (types.listOf promTypes.consul_sd_config) '' 347 List of Consul service discovery configurations. 348 ''; 349 350 digitalocean_sd_configs = mkOpt (types.listOf promTypes.digitalocean_sd_config) '' 351 List of DigitalOcean service discovery configurations. 352 ''; 353 354 docker_sd_configs = mkOpt (types.listOf promTypes.docker_sd_config) '' 355 List of Docker service discovery configurations. 356 ''; 357 358 dockerswarm_sd_configs = mkOpt (types.listOf promTypes.dockerswarm_sd_config) '' 359 List of Docker Swarm service discovery configurations. 360 ''; 361 362 dns_sd_configs = mkOpt (types.listOf promTypes.dns_sd_config) '' 363 List of DNS service discovery configurations. 364 ''; 365 366 ec2_sd_configs = mkOpt (types.listOf promTypes.ec2_sd_config) '' 367 List of EC2 service discovery configurations. 368 ''; 369 370 eureka_sd_configs = mkOpt (types.listOf promTypes.eureka_sd_config) '' 371 List of Eureka service discovery configurations. 372 ''; 373 374 file_sd_configs = mkOpt (types.listOf promTypes.file_sd_config) '' 375 List of file service discovery configurations. 376 ''; 377 378 gce_sd_configs = mkOpt (types.listOf promTypes.gce_sd_config) '' 379 List of Google Compute Engine service discovery configurations. 380 381 See [the relevant Prometheus configuration docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config) 382 for more detail. 383 ''; 384 385 hetzner_sd_configs = mkOpt (types.listOf promTypes.hetzner_sd_config) '' 386 List of Hetzner service discovery configurations. 387 ''; 388 389 http_sd_configs = mkOpt (types.listOf promTypes.http_sd_config) '' 390 List of HTTP service discovery configurations. 391 ''; 392 393 kubernetes_sd_configs = mkOpt (types.listOf promTypes.kubernetes_sd_config) '' 394 List of Kubernetes service discovery configurations. 395 ''; 396 397 kuma_sd_configs = mkOpt (types.listOf promTypes.kuma_sd_config) '' 398 List of Kuma service discovery configurations. 399 ''; 400 401 lightsail_sd_configs = mkOpt (types.listOf promTypes.lightsail_sd_config) '' 402 List of Lightsail service discovery configurations. 403 ''; 404 405 linode_sd_configs = mkOpt (types.listOf promTypes.linode_sd_config) '' 406 List of Linode service discovery configurations. 407 ''; 408 409 marathon_sd_configs = mkOpt (types.listOf promTypes.marathon_sd_config) '' 410 List of Marathon service discovery configurations. 411 ''; 412 413 nerve_sd_configs = mkOpt (types.listOf promTypes.nerve_sd_config) '' 414 List of AirBnB's Nerve service discovery configurations. 415 ''; 416 417 openstack_sd_configs = mkOpt (types.listOf promTypes.openstack_sd_config) '' 418 List of OpenStack service discovery configurations. 419 ''; 420 421 puppetdb_sd_configs = mkOpt (types.listOf promTypes.puppetdb_sd_config) '' 422 List of PuppetDB service discovery configurations. 423 ''; 424 425 scaleway_sd_configs = mkOpt (types.listOf promTypes.scaleway_sd_config) '' 426 List of Scaleway service discovery configurations. 427 ''; 428 429 serverset_sd_configs = mkOpt (types.listOf promTypes.serverset_sd_config) '' 430 List of Zookeeper Serverset service discovery configurations. 431 ''; 432 433 triton_sd_configs = mkOpt (types.listOf promTypes.triton_sd_config) '' 434 List of Triton Serverset service discovery configurations. 435 ''; 436 437 uyuni_sd_configs = mkOpt (types.listOf promTypes.uyuni_sd_config) '' 438 List of Uyuni Serverset service discovery configurations. 439 ''; 440 441 static_configs = mkOpt (types.listOf promTypes.static_config) '' 442 List of labeled target groups for this job. 443 ''; 444 445 relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 446 List of relabel configurations. 447 ''; 448 449 metric_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 450 List of metric relabel configurations. 451 ''; 452 453 body_size_limit = mkDefOpt types.str "0" '' 454 An uncompressed response body larger than this many bytes will cause the 455 scrape to fail. 0 means no limit. Example: 100MB. 456 This is an experimental feature, this behaviour could 457 change or be removed in the future. 458 ''; 459 460 sample_limit = mkDefOpt types.int "0" '' 461 Per-scrape limit on number of scraped samples that will be accepted. 462 If more than this number of samples are present after metric relabelling 463 the entire scrape will be treated as failed. 0 means no limit. 464 ''; 465 466 label_limit = mkDefOpt types.int "0" '' 467 Per-scrape limit on number of labels that will be accepted for a sample. If 468 more than this number of labels are present post metric-relabeling, the 469 entire scrape will be treated as failed. 0 means no limit. 470 ''; 471 472 label_name_length_limit = mkDefOpt types.int "0" '' 473 Per-scrape limit on length of labels name that will be accepted for a sample. 474 If a label name is longer than this number post metric-relabeling, the entire 475 scrape will be treated as failed. 0 means no limit. 476 ''; 477 478 label_value_length_limit = mkDefOpt types.int "0" '' 479 Per-scrape limit on length of labels value that will be accepted for a sample. 480 If a label value is longer than this number post metric-relabeling, the 481 entire scrape will be treated as failed. 0 means no limit. 482 ''; 483 484 target_limit = mkDefOpt types.int "0" '' 485 Per-scrape config limit on number of unique targets that will be 486 accepted. If more than this number of targets are present after target 487 relabeling, Prometheus will mark the targets as failed without scraping them. 488 0 means no limit. This is an experimental feature, this behaviour could 489 change in the future. 490 ''; 491 }; 492 }; 493 494 # 495 # Config types: service discovery 496 # 497 498 # For this one, the docs actually define all types needed to use mkSdConfigModule, but a bunch 499 # of them are marked with 'currently not support by Azure' so we don't bother adding them in 500 # here. 501 promTypes.azure_sd_config = types.submodule { 502 options = { 503 environment = mkDefOpt types.str "AzurePublicCloud" '' 504 The Azure environment. 505 ''; 506 507 authentication_method = mkDefOpt (types.enum [ "OAuth" "ManagedIdentity" ]) "OAuth" '' 508 The authentication method, either OAuth or ManagedIdentity. 509 See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview 510 ''; 511 512 subscription_id = mkOption { 513 type = types.str; 514 description = lib.mdDoc '' 515 The subscription ID. 516 ''; 517 }; 518 519 tenant_id = mkOpt types.str '' 520 Optional tenant ID. Only required with authentication_method OAuth. 521 ''; 522 523 client_id = mkOpt types.str '' 524 Optional client ID. Only required with authentication_method OAuth. 525 ''; 526 527 client_secret = mkOpt types.str '' 528 Optional client secret. Only required with authentication_method OAuth. 529 ''; 530 531 refresh_interval = mkDefOpt types.str "300s" '' 532 Refresh interval to re-read the instance list. 533 ''; 534 535 port = mkDefOpt types.int "80" '' 536 The port to scrape metrics from. If using the public IP 537 address, this must instead be specified in the relabeling 538 rule. 539 ''; 540 541 proxy_url = mkOpt types.str '' 542 Optional proxy URL. 543 ''; 544 545 follow_redirects = mkDefOpt types.bool "true" '' 546 Configure whether HTTP requests follow HTTP 3xx redirects. 547 ''; 548 549 tls_config = mkOpt promTypes.tls_config '' 550 TLS configuration. 551 ''; 552 }; 553 }; 554 555 promTypes.consul_sd_config = mkSdConfigModule { 556 server = mkDefOpt types.str "localhost:8500" '' 557 Consul server to query. 558 ''; 559 560 token = mkOpt types.str "Consul token"; 561 562 datacenter = mkOpt types.str "Consul datacenter"; 563 564 scheme = mkDefOpt types.str "http" "Consul scheme"; 565 566 username = mkOpt types.str "Consul username"; 567 568 password = mkOpt types.str "Consul password"; 569 570 tls_config = mkOpt promTypes.tls_config '' 571 Configures the Consul request's TLS settings. 572 ''; 573 574 services = mkOpt (types.listOf types.str) '' 575 A list of services for which targets are retrieved. 576 ''; 577 578 tags = mkOpt (types.listOf types.str) '' 579 An optional list of tags used to filter nodes for a given 580 service. Services must contain all tags in the list. 581 ''; 582 583 node_meta = mkOpt (types.attrsOf types.str) '' 584 Node metadata used to filter nodes for a given service. 585 ''; 586 587 tag_separator = mkDefOpt types.str "," '' 588 The string by which Consul tags are joined into the tag label. 589 ''; 590 591 allow_stale = mkOpt types.bool '' 592 Allow stale Consul results 593 (see <https://www.consul.io/api/index.html#consistency-modes>). 594 595 Will reduce load on Consul. 596 ''; 597 598 refresh_interval = mkDefOpt types.str "30s" '' 599 The time after which the provided names are refreshed. 600 601 On large setup it might be a good idea to increase this value 602 because the catalog will change all the time. 603 ''; 604 }; 605 606 promTypes.digitalocean_sd_config = mkSdConfigModule { 607 port = mkDefOpt types.int "80" '' 608 The port to scrape metrics from. 609 ''; 610 611 refresh_interval = mkDefOpt types.str "60s" '' 612 The time after which the droplets are refreshed. 613 ''; 614 }; 615 616 mkDockerSdConfigModule = extraOptions: mkSdConfigModule ({ 617 host = mkOption { 618 type = types.str; 619 description = lib.mdDoc '' 620 Address of the Docker daemon. 621 ''; 622 }; 623 624 port = mkDefOpt types.int "80" '' 625 The port to scrape metrics from, when `role` is nodes, and for discovered 626 tasks and services that don't have published ports. 627 ''; 628 629 filters = mkOpt 630 (types.listOf (types.submodule { 631 options = { 632 name = mkOption { 633 type = types.str; 634 description = lib.mdDoc '' 635 Name of the filter. The available filters are listed in the upstream documentation: 636 Services: <https://docs.docker.com/engine/api/v1.40/#operation/ServiceList> 637 Tasks: <https://docs.docker.com/engine/api/v1.40/#operation/TaskList> 638 Nodes: <https://docs.docker.com/engine/api/v1.40/#operation/NodeList> 639 ''; 640 }; 641 values = mkOption { 642 type = types.str; 643 description = lib.mdDoc '' 644 Value for the filter. 645 ''; 646 }; 647 }; 648 })) '' 649 Optional filters to limit the discovery process to a subset of available resources. 650 ''; 651 652 refresh_interval = mkDefOpt types.str "60s" '' 653 The time after which the containers are refreshed. 654 ''; 655 } // extraOptions); 656 657 promTypes.docker_sd_config = mkDockerSdConfigModule { 658 host_networking_host = mkDefOpt types.str "localhost" '' 659 The host to use if the container is in host networking mode. 660 ''; 661 }; 662 663 promTypes.dockerswarm_sd_config = mkDockerSdConfigModule { 664 role = mkOption { 665 type = types.enum [ "services" "tasks" "nodes" ]; 666 description = lib.mdDoc '' 667 Role of the targets to retrieve. Must be `services`, `tasks`, or `nodes`. 668 ''; 669 }; 670 }; 671 672 promTypes.dns_sd_config = types.submodule { 673 options = { 674 names = mkOption { 675 type = types.listOf types.str; 676 description = lib.mdDoc '' 677 A list of DNS SRV record names to be queried. 678 ''; 679 }; 680 681 type = mkDefOpt (types.enum [ "SRV" "A" "AAAA" ]) "SRV" '' 682 The type of DNS query to perform. One of SRV, A, or AAAA. 683 ''; 684 685 port = mkOpt types.int '' 686 The port number used if the query type is not SRV. 687 ''; 688 689 refresh_interval = mkDefOpt types.str "30s" '' 690 The time after which the provided names are refreshed. 691 ''; 692 }; 693 }; 694 695 promTypes.ec2_sd_config = types.submodule { 696 options = { 697 region = mkOption { 698 type = types.str; 699 description = lib.mdDoc '' 700 The AWS Region. If blank, the region from the instance metadata is used. 701 ''; 702 }; 703 endpoint = mkOpt types.str '' 704 Custom endpoint to be used. 705 ''; 706 707 access_key = mkOpt types.str '' 708 The AWS API key id. If blank, the environment variable 709 `AWS_ACCESS_KEY_ID` is used. 710 ''; 711 712 secret_key = mkOpt types.str '' 713 The AWS API key secret. If blank, the environment variable 714 `AWS_SECRET_ACCESS_KEY` is used. 715 ''; 716 717 profile = mkOpt types.str '' 718 Named AWS profile used to connect to the API. 719 ''; 720 721 role_arn = mkOpt types.str '' 722 AWS Role ARN, an alternative to using AWS API keys. 723 ''; 724 725 refresh_interval = mkDefOpt types.str "60s" '' 726 Refresh interval to re-read the instance list. 727 ''; 728 729 port = mkDefOpt types.int "80" '' 730 The port to scrape metrics from. If using the public IP 731 address, this must instead be specified in the relabeling 732 rule. 733 ''; 734 735 filters = mkOpt 736 (types.listOf (types.submodule { 737 options = { 738 name = mkOption { 739 type = types.str; 740 description = lib.mdDoc '' 741 See [this list](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html) 742 for the available filters. 743 ''; 744 }; 745 746 values = mkOption { 747 type = types.listOf types.str; 748 default = [ ]; 749 description = lib.mdDoc '' 750 Value of the filter. 751 ''; 752 }; 753 }; 754 })) '' 755 Filters can be used optionally to filter the instance list by other criteria. 756 ''; 757 }; 758 }; 759 760 promTypes.eureka_sd_config = mkSdConfigModule { 761 server = mkOption { 762 type = types.str; 763 description = lib.mdDoc '' 764 The URL to connect to the Eureka server. 765 ''; 766 }; 767 }; 768 769 promTypes.file_sd_config = types.submodule { 770 options = { 771 files = mkOption { 772 type = types.listOf types.str; 773 description = lib.mdDoc '' 774 Patterns for files from which target groups are extracted. Refer 775 to the Prometheus documentation for permitted filename patterns 776 and formats. 777 ''; 778 }; 779 780 refresh_interval = mkDefOpt types.str "5m" '' 781 Refresh interval to re-read the files. 782 ''; 783 }; 784 }; 785 786 promTypes.gce_sd_config = types.submodule { 787 options = { 788 # Use `mkOption` instead of `mkOpt` for project and zone because they are 789 # required configuration values for `gce_sd_config`. 790 project = mkOption { 791 type = types.str; 792 description = lib.mdDoc '' 793 The GCP Project. 794 ''; 795 }; 796 797 zone = mkOption { 798 type = types.str; 799 description = lib.mdDoc '' 800 The zone of the scrape targets. If you need multiple zones use multiple 801 gce_sd_configs. 802 ''; 803 }; 804 805 filter = mkOpt types.str '' 806 Filter can be used optionally to filter the instance list by other 807 criteria Syntax of this filter string is described here in the filter 808 query parameter section: <https://cloud.google.com/compute/docs/reference/latest/instances/list>. 809 ''; 810 811 refresh_interval = mkDefOpt types.str "60s" '' 812 Refresh interval to re-read the cloud instance list. 813 ''; 814 815 port = mkDefOpt types.port "80" '' 816 The port to scrape metrics from. If using the public IP address, this 817 must instead be specified in the relabeling rule. 818 ''; 819 820 tag_separator = mkDefOpt types.str "," '' 821 The tag separator used to separate concatenated GCE instance network tags. 822 823 See the GCP documentation on network tags for more information: 824 <https://cloud.google.com/vpc/docs/add-remove-network-tags> 825 ''; 826 }; 827 }; 828 829 promTypes.hetzner_sd_config = mkSdConfigModule { 830 role = mkOption { 831 type = types.enum [ "robot" "hcloud" ]; 832 description = lib.mdDoc '' 833 The Hetzner role of entities that should be discovered. 834 One of `robot` or `hcloud`. 835 ''; 836 }; 837 838 port = mkDefOpt types.int "80" '' 839 The port to scrape metrics from. 840 ''; 841 842 refresh_interval = mkDefOpt types.str "60s" '' 843 The time after which the servers are refreshed. 844 ''; 845 }; 846 847 promTypes.http_sd_config = types.submodule { 848 options = { 849 url = mkOption { 850 type = types.str; 851 description = lib.mdDoc '' 852 URL from which the targets are fetched. 853 ''; 854 }; 855 856 refresh_interval = mkDefOpt types.str "60s" '' 857 Refresh interval to re-query the endpoint. 858 ''; 859 860 basic_auth = mkOpt promTypes.basic_auth '' 861 Authentication information used to authenticate to the API server. 862 password and password_file are mutually exclusive. 863 ''; 864 865 proxy_url = mkOpt types.str '' 866 Optional proxy URL. 867 ''; 868 869 follow_redirects = mkDefOpt types.bool "true" '' 870 Configure whether HTTP requests follow HTTP 3xx redirects. 871 ''; 872 873 tls_config = mkOpt promTypes.tls_config '' 874 Configures the scrape request's TLS settings. 875 ''; 876 }; 877 }; 878 879 promTypes.kubernetes_sd_config = mkSdConfigModule { 880 api_server = mkOpt types.str '' 881 The API server addresses. If left empty, Prometheus is assumed to run inside 882 of the cluster and will discover API servers automatically and use the pod's 883 CA certificate and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/. 884 ''; 885 886 role = mkOption { 887 type = types.enum [ "endpoints" "service" "pod" "node" "ingress" ]; 888 description = lib.mdDoc '' 889 The Kubernetes role of entities that should be discovered. 890 One of endpoints, service, pod, node, or ingress. 891 ''; 892 }; 893 894 kubeconfig_file = mkOpt types.str '' 895 Optional path to a kubeconfig file. 896 Note that api_server and kube_config are mutually exclusive. 897 ''; 898 899 namespaces = mkOpt 900 ( 901 types.submodule { 902 options = { 903 names = mkOpt (types.listOf types.str) '' 904 Namespace name. 905 ''; 906 }; 907 } 908 ) '' 909 Optional namespace discovery. If omitted, all namespaces are used. 910 ''; 911 912 selectors = mkOpt 913 ( 914 types.listOf ( 915 types.submodule { 916 options = { 917 role = mkOption { 918 type = types.str; 919 description = lib.mdDoc '' 920 Selector role 921 ''; 922 }; 923 924 label = mkOpt types.str '' 925 Selector label 926 ''; 927 928 field = mkOpt types.str '' 929 Selector field 930 ''; 931 }; 932 } 933 ) 934 ) '' 935 Optional label and field selectors to limit the discovery process to a subset of available resources. 936 See https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/ 937 and https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ to learn more about the possible 938 filters that can be used. Endpoints role supports pod, service and endpoints selectors, other roles 939 only support selectors matching the role itself (e.g. node role can only contain node selectors). 940 941 Note: When making decision about using field/label selector make sure that this 942 is the best approach - it will prevent Prometheus from reusing single list/watch 943 for all scrape configs. This might result in a bigger load on the Kubernetes API, 944 because per each selector combination there will be additional LIST/WATCH. On the other hand, 945 if you just want to monitor small subset of pods in large cluster it's recommended to use selectors. 946 Decision, if selectors should be used or not depends on the particular situation. 947 ''; 948 }; 949 950 promTypes.kuma_sd_config = mkSdConfigModule { 951 server = mkOption { 952 type = types.str; 953 description = lib.mdDoc '' 954 Address of the Kuma Control Plane's MADS xDS server. 955 ''; 956 }; 957 958 refresh_interval = mkDefOpt types.str "30s" '' 959 The time to wait between polling update requests. 960 ''; 961 962 fetch_timeout = mkDefOpt types.str "2m" '' 963 The time after which the monitoring assignments are refreshed. 964 ''; 965 }; 966 967 promTypes.lightsail_sd_config = types.submodule { 968 options = { 969 region = mkOpt types.str '' 970 The AWS region. If blank, the region from the instance metadata is used. 971 ''; 972 973 endpoint = mkOpt types.str '' 974 Custom endpoint to be used. 975 ''; 976 977 access_key = mkOpt types.str '' 978 The AWS API keys. If blank, the environment variable `AWS_ACCESS_KEY_ID` is used. 979 ''; 980 981 secret_key = mkOpt types.str '' 982 The AWS API keys. If blank, the environment variable `AWS_SECRET_ACCESS_KEY` is used. 983 ''; 984 985 profile = mkOpt types.str '' 986 Named AWS profile used to connect to the API. 987 ''; 988 989 role_arn = mkOpt types.str '' 990 AWS Role ARN, an alternative to using AWS API keys. 991 ''; 992 993 refresh_interval = mkDefOpt types.str "60s" '' 994 Refresh interval to re-read the instance list. 995 ''; 996 997 port = mkDefOpt types.int "80" '' 998 The port to scrape metrics from. If using the public IP address, this must 999 instead be specified in the relabeling rule. 1000 ''; 1001 }; 1002 }; 1003 1004 promTypes.linode_sd_config = mkSdConfigModule { 1005 port = mkDefOpt types.int "80" '' 1006 The port to scrape metrics from. 1007 ''; 1008 1009 tag_separator = mkDefOpt types.str "," '' 1010 The string by which Linode Instance tags are joined into the tag label. 1011 ''; 1012 1013 refresh_interval = mkDefOpt types.str "60s" '' 1014 The time after which the linode instances are refreshed. 1015 ''; 1016 }; 1017 1018 promTypes.marathon_sd_config = mkSdConfigModule { 1019 servers = mkOption { 1020 type = types.listOf types.str; 1021 description = lib.mdDoc '' 1022 List of URLs to be used to contact Marathon servers. You need to provide at least one server URL. 1023 ''; 1024 }; 1025 1026 refresh_interval = mkDefOpt types.str "30s" '' 1027 Polling interval. 1028 ''; 1029 1030 auth_token = mkOpt types.str '' 1031 Optional authentication information for token-based authentication: 1032 <https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token> 1033 It is mutually exclusive with `auth_token_file` and other authentication mechanisms. 1034 ''; 1035 1036 auth_token_file = mkOpt types.str '' 1037 Optional authentication information for token-based authentication: 1038 <https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token> 1039 It is mutually exclusive with `auth_token` and other authentication mechanisms. 1040 ''; 1041 }; 1042 1043 promTypes.nerve_sd_config = types.submodule { 1044 options = { 1045 servers = mkOption { 1046 type = types.listOf types.str; 1047 description = lib.mdDoc '' 1048 The Zookeeper servers. 1049 ''; 1050 }; 1051 1052 paths = mkOption { 1053 type = types.listOf types.str; 1054 description = lib.mdDoc '' 1055 Paths can point to a single service, or the root of a tree of services. 1056 ''; 1057 }; 1058 1059 timeout = mkDefOpt types.str "10s" '' 1060 Timeout value. 1061 ''; 1062 }; 1063 }; 1064 1065 promTypes.openstack_sd_config = types.submodule { 1066 options = 1067 let 1068 userDescription = '' 1069 username is required if using Identity V2 API. Consult with your provider's 1070 control panel to discover your account's username. In Identity V3, either 1071 userid or a combination of username and domain_id or domain_name are needed. 1072 ''; 1073 1074 domainDescription = '' 1075 At most one of domain_id and domain_name must be provided if using username 1076 with Identity V3. Otherwise, either are optional. 1077 ''; 1078 1079 projectDescription = '' 1080 The project_id and project_name fields are optional for the Identity V2 API. 1081 Some providers allow you to specify a project_name instead of the project_id. 1082 Some require both. Your provider's authentication policies will determine 1083 how these fields influence authentication. 1084 ''; 1085 1086 applicationDescription = '' 1087 The application_credential_id or application_credential_name fields are 1088 required if using an application credential to authenticate. Some providers 1089 allow you to create an application credential to authenticate rather than a 1090 password. 1091 ''; 1092 in 1093 { 1094 role = mkOption { 1095 type = types.str; 1096 description = lib.mdDoc '' 1097 The OpenStack role of entities that should be discovered. 1098 ''; 1099 }; 1100 1101 region = mkOption { 1102 type = types.str; 1103 description = lib.mdDoc '' 1104 The OpenStack Region. 1105 ''; 1106 }; 1107 1108 identity_endpoint = mkOpt types.str '' 1109 identity_endpoint specifies the HTTP endpoint that is required to work with 1110 the Identity API of the appropriate version. While it's ultimately needed by 1111 all of the identity services, it will often be populated by a provider-level 1112 function. 1113 ''; 1114 1115 username = mkOpt types.str userDescription; 1116 userid = mkOpt types.str userDescription; 1117 1118 password = mkOpt types.str '' 1119 password for the Identity V2 and V3 APIs. Consult with your provider's 1120 control panel to discover your account's preferred method of authentication. 1121 ''; 1122 1123 domain_name = mkOpt types.str domainDescription; 1124 domain_id = mkOpt types.str domainDescription; 1125 1126 project_name = mkOpt types.str projectDescription; 1127 project_id = mkOpt types.str projectDescription; 1128 1129 application_credential_name = mkOpt types.str applicationDescription; 1130 application_credential_id = mkOpt types.str applicationDescription; 1131 1132 application_credential_secret = mkOpt types.str '' 1133 The application_credential_secret field is required if using an application 1134 credential to authenticate. 1135 ''; 1136 1137 all_tenants = mkDefOpt types.bool "false" '' 1138 Whether the service discovery should list all instances for all projects. 1139 It is only relevant for the 'instance' role and usually requires admin permissions. 1140 ''; 1141 1142 refresh_interval = mkDefOpt types.str "60s" '' 1143 Refresh interval to re-read the instance list. 1144 ''; 1145 1146 port = mkDefOpt types.int "80" '' 1147 The port to scrape metrics from. If using the public IP address, this must 1148 instead be specified in the relabeling rule. 1149 ''; 1150 1151 availability = mkDefOpt (types.enum [ "public" "admin" "internal" ]) "public" '' 1152 The availability of the endpoint to connect to. Must be one of public, admin or internal. 1153 ''; 1154 1155 tls_config = mkOpt promTypes.tls_config '' 1156 TLS configuration. 1157 ''; 1158 }; 1159 }; 1160 1161 promTypes.puppetdb_sd_config = mkSdConfigModule { 1162 url = mkOption { 1163 type = types.str; 1164 description = lib.mdDoc '' 1165 The URL of the PuppetDB root query endpoint. 1166 ''; 1167 }; 1168 1169 query = mkOption { 1170 type = types.str; 1171 description = lib.mdDoc '' 1172 Puppet Query Language (PQL) query. Only resources are supported. 1173 https://puppet.com/docs/puppetdb/latest/api/query/v4/pql.html 1174 ''; 1175 }; 1176 1177 include_parameters = mkDefOpt types.bool "false" '' 1178 Whether to include the parameters as meta labels. 1179 Due to the differences between parameter types and Prometheus labels, 1180 some parameters might not be rendered. The format of the parameters might 1181 also change in future releases. 1182 1183 Note: Enabling this exposes parameters in the Prometheus UI and API. Make sure 1184 that you don't have secrets exposed as parameters if you enable this. 1185 ''; 1186 1187 refresh_interval = mkDefOpt types.str "60s" '' 1188 Refresh interval to re-read the resources list. 1189 ''; 1190 1191 port = mkDefOpt types.int "80" '' 1192 The port to scrape metrics from. 1193 ''; 1194 }; 1195 1196 promTypes.scaleway_sd_config = types.submodule { 1197 options = { 1198 access_key = mkOption { 1199 type = types.str; 1200 description = lib.mdDoc '' 1201 Access key to use. https://console.scaleway.com/project/credentials 1202 ''; 1203 }; 1204 1205 secret_key = mkOpt types.str '' 1206 Secret key to use when listing targets. https://console.scaleway.com/project/credentials 1207 It is mutually exclusive with `secret_key_file`. 1208 ''; 1209 1210 secret_key_file = mkOpt types.str '' 1211 Sets the secret key with the credentials read from the configured file. 1212 It is mutually exclusive with `secret_key`. 1213 ''; 1214 1215 project_id = mkOption { 1216 type = types.str; 1217 description = lib.mdDoc '' 1218 Project ID of the targets. 1219 ''; 1220 }; 1221 1222 role = mkOption { 1223 type = types.enum [ "instance" "baremetal" ]; 1224 description = lib.mdDoc '' 1225 Role of the targets to retrieve. Must be `instance` or `baremetal`. 1226 ''; 1227 }; 1228 1229 port = mkDefOpt types.int "80" '' 1230 The port to scrape metrics from. 1231 ''; 1232 1233 api_url = mkDefOpt types.str "https://api.scaleway.com" '' 1234 API URL to use when doing the server listing requests. 1235 ''; 1236 1237 zone = mkDefOpt types.str "fr-par-1" '' 1238 Zone is the availability zone of your targets (e.g. fr-par-1). 1239 ''; 1240 1241 name_filter = mkOpt types.str '' 1242 Specify a name filter (works as a LIKE) to apply on the server listing request. 1243 ''; 1244 1245 tags_filter = mkOpt (types.listOf types.str) '' 1246 Specify a tag filter (a server needs to have all defined tags to be listed) to apply on the server listing request. 1247 ''; 1248 1249 refresh_interval = mkDefOpt types.str "60s" '' 1250 Refresh interval to re-read the managed targets list. 1251 ''; 1252 1253 proxy_url = mkOpt types.str '' 1254 Optional proxy URL. 1255 ''; 1256 1257 follow_redirects = mkDefOpt types.bool "true" '' 1258 Configure whether HTTP requests follow HTTP 3xx redirects. 1259 ''; 1260 1261 tls_config = mkOpt promTypes.tls_config '' 1262 TLS configuration. 1263 ''; 1264 }; 1265 }; 1266 1267 # These are exactly the same. 1268 promTypes.serverset_sd_config = promTypes.nerve_sd_config; 1269 1270 promTypes.triton_sd_config = types.submodule { 1271 options = { 1272 account = mkOption { 1273 type = types.str; 1274 description = lib.mdDoc '' 1275 The account to use for discovering new targets. 1276 ''; 1277 }; 1278 1279 role = mkDefOpt (types.enum [ "container" "cn" ]) "container" '' 1280 The type of targets to discover, can be set to: 1281 - "container" to discover virtual machines (SmartOS zones, lx/KVM/bhyve branded zones) running on Triton 1282 - "cn" to discover compute nodes (servers/global zones) making up the Triton infrastructure 1283 ''; 1284 1285 dns_suffix = mkOption { 1286 type = types.str; 1287 description = lib.mdDoc '' 1288 The DNS suffix which should be applied to target. 1289 ''; 1290 }; 1291 1292 endpoint = mkOption { 1293 type = types.str; 1294 description = lib.mdDoc '' 1295 The Triton discovery endpoint (e.g. `cmon.us-east-3b.triton.zone`). This is 1296 often the same value as dns_suffix. 1297 ''; 1298 }; 1299 1300 groups = mkOpt (types.listOf types.str) '' 1301 A list of groups for which targets are retrieved, only supported when targeting the `container` role. 1302 If omitted all containers owned by the requesting account are scraped. 1303 ''; 1304 1305 port = mkDefOpt types.int "9163" '' 1306 The port to use for discovery and metric scraping. 1307 ''; 1308 1309 refresh_interval = mkDefOpt types.str "60s" '' 1310 The interval which should be used for refreshing targets. 1311 ''; 1312 1313 version = mkDefOpt types.int "1" '' 1314 The Triton discovery API version. 1315 ''; 1316 1317 tls_config = mkOpt promTypes.tls_config '' 1318 TLS configuration. 1319 ''; 1320 }; 1321 }; 1322 1323 promTypes.uyuni_sd_config = mkSdConfigModule { 1324 server = mkOption { 1325 type = types.str; 1326 description = lib.mdDoc '' 1327 The URL to connect to the Uyuni server. 1328 ''; 1329 }; 1330 1331 username = mkOption { 1332 type = types.str; 1333 description = lib.mdDoc '' 1334 Credentials are used to authenticate the requests to Uyuni API. 1335 ''; 1336 }; 1337 1338 password = mkOption { 1339 type = types.str; 1340 description = lib.mdDoc '' 1341 Credentials are used to authenticate the requests to Uyuni API. 1342 ''; 1343 }; 1344 1345 entitlement = mkDefOpt types.str "monitoring_entitled" '' 1346 The entitlement string to filter eligible systems. 1347 ''; 1348 1349 separator = mkDefOpt types.str "," '' 1350 The string by which Uyuni group names are joined into the groups label 1351 ''; 1352 1353 refresh_interval = mkDefOpt types.str "60s" '' 1354 Refresh interval to re-read the managed targets list. 1355 ''; 1356 }; 1357 1358 promTypes.static_config = types.submodule { 1359 options = { 1360 targets = mkOption { 1361 type = types.listOf types.str; 1362 description = lib.mdDoc '' 1363 The targets specified by the target group. 1364 ''; 1365 }; 1366 labels = mkOption { 1367 type = types.attrsOf types.str; 1368 default = { }; 1369 description = lib.mdDoc '' 1370 Labels assigned to all metrics scraped from the targets. 1371 ''; 1372 }; 1373 }; 1374 }; 1375 1376 # 1377 # Config types: relabling 1378 # 1379 1380 promTypes.relabel_config = types.submodule { 1381 options = { 1382 source_labels = mkOpt (types.listOf types.str) '' 1383 The source labels select values from existing labels. Their content 1384 is concatenated using the configured separator and matched against 1385 the configured regular expression. 1386 ''; 1387 1388 separator = mkDefOpt types.str ";" '' 1389 Separator placed between concatenated source label values. 1390 ''; 1391 1392 target_label = mkOpt types.str '' 1393 Label to which the resulting value is written in a replace action. 1394 It is mandatory for replace actions. 1395 ''; 1396 1397 regex = mkDefOpt types.str "(.*)" '' 1398 Regular expression against which the extracted value is matched. 1399 ''; 1400 1401 modulus = mkOpt types.int '' 1402 Modulus to take of the hash of the source label values. 1403 ''; 1404 1405 replacement = mkDefOpt types.str "$1" '' 1406 Replacement value against which a regex replace is performed if the 1407 regular expression matches. 1408 ''; 1409 1410 action = 1411 mkDefOpt (types.enum [ "replace" "lowercase" "uppercase" "keep" "drop" "hashmod" "labelmap" "labeldrop" "labelkeep" ]) "replace" '' 1412 Action to perform based on regex matching. 1413 ''; 1414 }; 1415 }; 1416 1417 # 1418 # Config types : remote read / write 1419 # 1420 1421 promTypes.remote_write = types.submodule { 1422 options = { 1423 url = mkOption { 1424 type = types.str; 1425 description = lib.mdDoc '' 1426 ServerName extension to indicate the name of the server. 1427 http://tools.ietf.org/html/rfc4366#section-3.1 1428 ''; 1429 }; 1430 remote_timeout = mkOpt types.str '' 1431 Timeout for requests to the remote write endpoint. 1432 ''; 1433 write_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 1434 List of remote write relabel configurations. 1435 ''; 1436 name = mkOpt types.str '' 1437 Name of the remote write config, which if specified must be unique among remote write configs. 1438 The name will be used in metrics and logging in place of a generated value to help users distinguish between 1439 remote write configs. 1440 ''; 1441 basic_auth = mkOpt promTypes.basic_auth '' 1442 Sets the `Authorization` header on every remote write request with the 1443 configured username and password. 1444 password and password_file are mutually exclusive. 1445 ''; 1446 bearer_token = mkOpt types.str '' 1447 Sets the `Authorization` header on every remote write request with 1448 the configured bearer token. It is mutually exclusive with `bearer_token_file`. 1449 ''; 1450 bearer_token_file = mkOpt types.str '' 1451 Sets the `Authorization` header on every remote write request with the bearer token 1452 read from the configured file. It is mutually exclusive with `bearer_token`. 1453 ''; 1454 tls_config = mkOpt promTypes.tls_config '' 1455 Configures the remote write request's TLS settings. 1456 ''; 1457 proxy_url = mkOpt types.str "Optional Proxy URL."; 1458 queue_config = mkOpt 1459 (types.submodule { 1460 options = { 1461 capacity = mkOpt types.int '' 1462 Number of samples to buffer per shard before we block reading of more 1463 samples from the WAL. It is recommended to have enough capacity in each 1464 shard to buffer several requests to keep throughput up while processing 1465 occasional slow remote requests. 1466 ''; 1467 max_shards = mkOpt types.int '' 1468 Maximum number of shards, i.e. amount of concurrency. 1469 ''; 1470 min_shards = mkOpt types.int '' 1471 Minimum number of shards, i.e. amount of concurrency. 1472 ''; 1473 max_samples_per_send = mkOpt types.int '' 1474 Maximum number of samples per send. 1475 ''; 1476 batch_send_deadline = mkOpt types.str '' 1477 Maximum time a sample will wait in buffer. 1478 ''; 1479 min_backoff = mkOpt types.str '' 1480 Initial retry delay. Gets doubled for every retry. 1481 ''; 1482 max_backoff = mkOpt types.str '' 1483 Maximum retry delay. 1484 ''; 1485 }; 1486 }) '' 1487 Configures the queue used to write to remote storage. 1488 ''; 1489 metadata_config = mkOpt 1490 (types.submodule { 1491 options = { 1492 send = mkOpt types.bool '' 1493 Whether metric metadata is sent to remote storage or not. 1494 ''; 1495 send_interval = mkOpt types.str '' 1496 How frequently metric metadata is sent to remote storage. 1497 ''; 1498 }; 1499 }) '' 1500 Configures the sending of series metadata to remote storage. 1501 Metadata configuration is subject to change at any point 1502 or be removed in future releases. 1503 ''; 1504 }; 1505 }; 1506 1507 promTypes.remote_read = types.submodule { 1508 options = { 1509 url = mkOption { 1510 type = types.str; 1511 description = lib.mdDoc '' 1512 ServerName extension to indicate the name of the server. 1513 http://tools.ietf.org/html/rfc4366#section-3.1 1514 ''; 1515 }; 1516 name = mkOpt types.str '' 1517 Name of the remote read config, which if specified must be unique among remote read configs. 1518 The name will be used in metrics and logging in place of a generated value to help users distinguish between 1519 remote read configs. 1520 ''; 1521 required_matchers = mkOpt (types.attrsOf types.str) '' 1522 An optional list of equality matchers which have to be 1523 present in a selector to query the remote read endpoint. 1524 ''; 1525 remote_timeout = mkOpt types.str '' 1526 Timeout for requests to the remote read endpoint. 1527 ''; 1528 read_recent = mkOpt types.bool '' 1529 Whether reads should be made for queries for time ranges that 1530 the local storage should have complete data for. 1531 ''; 1532 basic_auth = mkOpt promTypes.basic_auth '' 1533 Sets the `Authorization` header on every remote read request with the 1534 configured username and password. 1535 password and password_file are mutually exclusive. 1536 ''; 1537 bearer_token = mkOpt types.str '' 1538 Sets the `Authorization` header on every remote read request with 1539 the configured bearer token. It is mutually exclusive with `bearer_token_file`. 1540 ''; 1541 bearer_token_file = mkOpt types.str '' 1542 Sets the `Authorization` header on every remote read request with the bearer token 1543 read from the configured file. It is mutually exclusive with `bearer_token`. 1544 ''; 1545 tls_config = mkOpt promTypes.tls_config '' 1546 Configures the remote read request's TLS settings. 1547 ''; 1548 proxy_url = mkOpt types.str "Optional Proxy URL."; 1549 }; 1550 }; 1551 1552in 1553{ 1554 1555 imports = [ 1556 (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) 1557 (mkRemovedOptionModule [ "services" "prometheus" "environmentFile" ] 1558 "It has been removed since it was causing issues (https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`.") 1559 (mkRemovedOptionModule [ "services" "prometheus" "alertmanagerTimeout" ] 1560 "Deprecated upstream and no longer had any effect") 1561 ]; 1562 1563 options.services.prometheus = { 1564 1565 enable = mkEnableOption (lib.mdDoc "Prometheus monitoring daemon"); 1566 1567 package = mkOption { 1568 type = types.package; 1569 default = pkgs.prometheus; 1570 defaultText = literalExpression "pkgs.prometheus"; 1571 description = lib.mdDoc '' 1572 The prometheus package that should be used. 1573 ''; 1574 }; 1575 1576 port = mkOption { 1577 type = types.port; 1578 default = 9090; 1579 description = lib.mdDoc '' 1580 Port to listen on. 1581 ''; 1582 }; 1583 1584 listenAddress = mkOption { 1585 type = types.str; 1586 default = "0.0.0.0"; 1587 description = lib.mdDoc '' 1588 Address to listen on for the web interface, API, and telemetry. 1589 ''; 1590 }; 1591 1592 stateDir = mkOption { 1593 type = types.str; 1594 default = "prometheus2"; 1595 description = lib.mdDoc '' 1596 Directory below `/var/lib` to store Prometheus metrics data. 1597 This directory will be created automatically using systemd's StateDirectory mechanism. 1598 ''; 1599 }; 1600 1601 extraFlags = mkOption { 1602 type = types.listOf types.str; 1603 default = [ ]; 1604 description = lib.mdDoc '' 1605 Extra commandline options when launching Prometheus. 1606 ''; 1607 }; 1608 1609 enableReload = mkOption { 1610 default = false; 1611 type = types.bool; 1612 description = lib.mdDoc '' 1613 Reload prometheus when configuration file changes (instead of restart). 1614 1615 The following property holds: switching to a configuration 1616 (`switch-to-configuration`) that changes the prometheus 1617 configuration only finishes successfully when prometheus has finished 1618 loading the new configuration. 1619 ''; 1620 }; 1621 1622 configText = mkOption { 1623 type = types.nullOr types.lines; 1624 default = null; 1625 description = lib.mdDoc '' 1626 If non-null, this option defines the text that is written to 1627 prometheus.yml. If null, the contents of prometheus.yml is generated 1628 from the structured config options. 1629 ''; 1630 }; 1631 1632 globalConfig = mkOption { 1633 type = promTypes.globalConfig; 1634 default = { }; 1635 description = lib.mdDoc '' 1636 Parameters that are valid in all configuration contexts. They 1637 also serve as defaults for other configuration sections 1638 ''; 1639 }; 1640 1641 remoteRead = mkOption { 1642 type = types.listOf promTypes.remote_read; 1643 default = [ ]; 1644 description = lib.mdDoc '' 1645 Parameters of the endpoints to query from. 1646 See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read) for more information. 1647 ''; 1648 }; 1649 1650 remoteWrite = mkOption { 1651 type = types.listOf promTypes.remote_write; 1652 default = [ ]; 1653 description = lib.mdDoc '' 1654 Parameters of the endpoints to send samples to. 1655 See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write) for more information. 1656 ''; 1657 }; 1658 1659 rules = mkOption { 1660 type = types.listOf types.str; 1661 default = [ ]; 1662 description = lib.mdDoc '' 1663 Alerting and/or Recording rules to evaluate at runtime. 1664 ''; 1665 }; 1666 1667 ruleFiles = mkOption { 1668 type = types.listOf types.path; 1669 default = [ ]; 1670 description = lib.mdDoc '' 1671 Any additional rules files to include in this configuration. 1672 ''; 1673 }; 1674 1675 scrapeConfigs = mkOption { 1676 type = types.listOf promTypes.scrape_config; 1677 default = [ ]; 1678 description = lib.mdDoc '' 1679 A list of scrape configurations. 1680 ''; 1681 }; 1682 1683 alertmanagers = mkOption { 1684 type = types.listOf types.attrs; 1685 example = literalExpression '' 1686 [ { 1687 scheme = "https"; 1688 path_prefix = "/alertmanager"; 1689 static_configs = [ { 1690 targets = [ 1691 "prometheus.domain.tld" 1692 ]; 1693 } ]; 1694 } ] 1695 ''; 1696 default = [ ]; 1697 description = lib.mdDoc '' 1698 A list of alertmanagers to send alerts to. 1699 See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config) for more information. 1700 ''; 1701 }; 1702 1703 alertmanagerNotificationQueueCapacity = mkOption { 1704 type = types.int; 1705 default = 10000; 1706 description = lib.mdDoc '' 1707 The capacity of the queue for pending alert manager notifications. 1708 ''; 1709 }; 1710 1711 webExternalUrl = mkOption { 1712 type = types.nullOr types.str; 1713 default = null; 1714 example = "https://example.com/"; 1715 description = lib.mdDoc '' 1716 The URL under which Prometheus is externally reachable (for example, 1717 if Prometheus is served via a reverse proxy). 1718 ''; 1719 }; 1720 1721 webConfigFile = mkOption { 1722 type = types.nullOr types.path; 1723 default = null; 1724 description = lib.mdDoc '' 1725 Specifies which file should be used as web.config.file and be passed on startup. 1726 See https://prometheus.io/docs/prometheus/latest/configuration/https/ for valid options. 1727 ''; 1728 }; 1729 1730 checkConfig = mkOption { 1731 type = with types; either bool (enum [ "syntax-only" ]); 1732 default = true; 1733 example = "syntax-only"; 1734 description = lib.mdDoc '' 1735 Check configuration with `promtool check`. The call to `promtool` is 1736 subject to sandboxing by Nix. 1737 1738 If you use credentials stored in external files 1739 (`password_file`, `bearer_token_file`, etc), 1740 they will not be visible to `promtool` 1741 and it will report errors, despite a correct configuration. 1742 To resolve this, you may set this option to `"syntax-only"` 1743 in order to only syntax check the Prometheus configuration. 1744 ''; 1745 }; 1746 1747 retentionTime = mkOption { 1748 type = types.nullOr types.str; 1749 default = null; 1750 example = "15d"; 1751 description = lib.mdDoc '' 1752 How long to retain samples in storage. 1753 ''; 1754 }; 1755 }; 1756 1757 config = mkIf cfg.enable { 1758 assertions = [ 1759 ( 1760 let 1761 # Match something with dots (an IPv4 address) or something ending in 1762 # a square bracket (an IPv6 addresses) followed by a port number. 1763 legacy = builtins.match "(.*\\..*|.*]):([[:digit:]]+)" cfg.listenAddress; 1764 in 1765 { 1766 assertion = legacy == null; 1767 message = '' 1768 Do not specify the port for Prometheus to listen on in the 1769 listenAddress option; use the port option instead: 1770 services.prometheus.listenAddress = ${builtins.elemAt legacy 0}; 1771 services.prometheus.port = ${builtins.elemAt legacy 1}; 1772 ''; 1773 } 1774 ) 1775 ]; 1776 1777 users.groups.prometheus.gid = config.ids.gids.prometheus; 1778 users.users.prometheus = { 1779 description = "Prometheus daemon user"; 1780 uid = config.ids.uids.prometheus; 1781 group = "prometheus"; 1782 }; 1783 environment.etc."prometheus/prometheus.yaml" = mkIf cfg.enableReload { 1784 source = prometheusYml; 1785 }; 1786 systemd.services.prometheus = { 1787 wantedBy = [ "multi-user.target" ]; 1788 after = [ "network.target" ]; 1789 serviceConfig = { 1790 ExecStart = "${cfg.package}/bin/prometheus" + 1791 optionalString (length cmdlineArgs != 0) (" \\\n " + 1792 concatStringsSep " \\\n " cmdlineArgs); 1793 ExecReload = mkIf cfg.enableReload "+${reload}/bin/reload-prometheus"; 1794 User = "prometheus"; 1795 Restart = "always"; 1796 RuntimeDirectory = "prometheus"; 1797 RuntimeDirectoryMode = "0700"; 1798 WorkingDirectory = workingDir; 1799 StateDirectory = cfg.stateDir; 1800 StateDirectoryMode = "0700"; 1801 # Hardening 1802 AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; 1803 CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ]; 1804 DeviceAllow = [ "/dev/null rw" ]; 1805 DevicePolicy = "strict"; 1806 LockPersonality = true; 1807 MemoryDenyWriteExecute = true; 1808 NoNewPrivileges = true; 1809 PrivateDevices = true; 1810 PrivateTmp = true; 1811 PrivateUsers = true; 1812 ProtectClock = true; 1813 ProtectControlGroups = true; 1814 ProtectHome = true; 1815 ProtectHostname = true; 1816 ProtectKernelLogs = true; 1817 ProtectKernelModules = true; 1818 ProtectKernelTunables = true; 1819 ProtectProc = "invisible"; 1820 ProtectSystem = "full"; 1821 RemoveIPC = true; 1822 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; 1823 RestrictNamespaces = true; 1824 RestrictRealtime = true; 1825 RestrictSUIDSGID = true; 1826 SystemCallArchitectures = "native"; 1827 SystemCallFilter = [ "@system-service" "~@privileged" ]; 1828 }; 1829 }; 1830 # prometheus-config-reload will activate after prometheus. However, what we 1831 # don't want is that on startup it immediately reloads prometheus because 1832 # prometheus itself might have just started. 1833 # 1834 # Instead we only want to reload prometheus when the config file has 1835 # changed. So on startup prometheus-config-reload will just output a 1836 # harmless message and then stay active (RemainAfterExit). 1837 # 1838 # Then, when the config file has changed, switch-to-configuration notices 1839 # that this service has changed (restartTriggers) and needs to be reloaded 1840 # (reloadIfChanged). The reload command then reloads prometheus. 1841 systemd.services.prometheus-config-reload = mkIf cfg.enableReload { 1842 wantedBy = [ "prometheus.service" ]; 1843 after = [ "prometheus.service" ]; 1844 reloadIfChanged = true; 1845 restartTriggers = [ prometheusYml ]; 1846 serviceConfig = { 1847 Type = "oneshot"; 1848 RemainAfterExit = true; 1849 TimeoutSec = 60; 1850 ExecStart = "${pkgs.logger}/bin/logger 'prometheus-config-reload will only reload prometheus when reloaded itself.'"; 1851 ExecReload = [ "${triggerReload}/bin/trigger-reload-prometheus" ]; 1852 }; 1853 }; 1854 }; 1855}