pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / monitoring / prometheus / default.nix
at 24.11-pre 62 kB view raw
1{ config, pkgs, lib, ... }: 2 3with lib; 4 5let 6 yaml = pkgs.formats.yaml { }; 7 cfg = config.services.prometheus; 8 checkConfigEnabled = 9 (lib.isBool cfg.checkConfig && cfg.checkConfig) 10 || cfg.checkConfig == "syntax-only"; 11 12 workingDir = "/var/lib/" + cfg.stateDir; 13 14 triggerReload = pkgs.writeShellScriptBin "trigger-reload-prometheus" '' 15 PATH="${makeBinPath (with pkgs; [ systemd ])}" 16 if systemctl -q is-active prometheus.service; then 17 systemctl reload prometheus.service 18 fi 19 ''; 20 21 reload = pkgs.writeShellScriptBin "reload-prometheus" '' 22 PATH="${makeBinPath (with pkgs; [ systemd coreutils gnugrep ])}" 23 cursor=$(journalctl --show-cursor -n0 | grep -oP "cursor: \K.*") 24 kill -HUP $MAINPID 25 journalctl -u prometheus.service --after-cursor="$cursor" -f \ 26 | grep -m 1 "Completed loading of configuration file" > /dev/null 27 ''; 28 29 # a wrapper that verifies that the configuration is valid 30 promtoolCheck = what: name: file: 31 if checkConfigEnabled then 32 pkgs.runCommandLocal 33 "${name}-${replaceStrings [" "] [""] what}-checked" 34 { nativeBuildInputs = [ cfg.package.cli ]; } '' 35 ln -s ${file} $out 36 promtool ${what} $out 37 '' else file; 38 39 generatedPrometheusYml = yaml.generate "prometheus.yml" promConfig; 40 41 # This becomes the main config file for Prometheus 42 promConfig = { 43 global = filterValidPrometheus cfg.globalConfig; 44 scrape_configs = filterValidPrometheus cfg.scrapeConfigs; 45 remote_write = filterValidPrometheus cfg.remoteWrite; 46 remote_read = filterValidPrometheus cfg.remoteRead; 47 rule_files = optionals (!(cfg.enableAgentMode)) (map (promtoolCheck "check rules" "rules") (cfg.ruleFiles ++ [ 48 (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg.rules)) 49 ])); 50 alerting = { 51 inherit (cfg) alertmanagers; 52 }; 53 }; 54 55 prometheusYml = 56 let 57 yml = 58 if cfg.configText != null then 59 pkgs.writeText "prometheus.yml" cfg.configText 60 else generatedPrometheusYml; 61 in 62 promtoolCheck "check config ${lib.optionalString (cfg.checkConfig == "syntax-only") "--syntax-only"}" "prometheus.yml" yml; 63 64 cmdlineArgs = cfg.extraFlags ++ [ 65 "--config.file=${ 66 if cfg.enableReload 67 then "/etc/prometheus/prometheus.yaml" 68 else prometheusYml 69 }" 70 "--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}" 71 ] ++ ( 72 if (cfg.enableAgentMode) then [ 73 "--enable-feature=agent" 74 ] else [ 75 "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity }" 76 "--storage.tsdb.path=${workingDir}/data/" 77 ]) 78 ++ optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}" 79 ++ optional (cfg.retentionTime != null) "--storage.tsdb.retention.time=${cfg.retentionTime}" 80 ++ optional (cfg.webConfigFile != null) "--web.config.file=${cfg.webConfigFile}"; 81 82 filterValidPrometheus = filterAttrsListRecursive (n: v: !(n == "_module" || v == null)); 83 filterAttrsListRecursive = pred: x: 84 if isAttrs x then 85 listToAttrs 86 ( 87 concatMap 88 (name: 89 let v = x.${name}; in 90 if pred name v then [ 91 (nameValuePair name (filterAttrsListRecursive pred v)) 92 ] else [ ] 93 ) 94 (attrNames x) 95 ) 96 else if isList x then 97 map (filterAttrsListRecursive pred) x 98 else x; 99 100 # 101 # Config types: helper functions 102 # 103 104 mkDefOpt = type: defaultStr: description: mkOpt type (description + '' 105 106 Defaults to ````${defaultStr}```` in prometheus 107 when set to `null`. 108 ''); 109 110 mkOpt = type: description: mkOption { 111 type = types.nullOr type; 112 default = null; 113 description = description; 114 }; 115 116 mkSdConfigModule = extraOptions: types.submodule { 117 options = { 118 basic_auth = mkOpt promTypes.basic_auth '' 119 Optional HTTP basic authentication information. 120 ''; 121 122 authorization = mkOpt 123 (types.submodule { 124 options = { 125 type = mkDefOpt types.str "Bearer" '' 126 Sets the authentication type. 127 ''; 128 129 credentials = mkOpt types.str '' 130 Sets the credentials. It is mutually exclusive with `credentials_file`. 131 ''; 132 133 credentials_file = mkOpt types.str '' 134 Sets the credentials to the credentials read from the configured file. 135 It is mutually exclusive with `credentials`. 136 ''; 137 }; 138 }) '' 139 Optional `Authorization` header configuration. 140 ''; 141 142 oauth2 = mkOpt promtypes.oauth2 '' 143 Optional OAuth 2.0 configuration. 144 Cannot be used at the same time as basic_auth or authorization. 145 ''; 146 147 proxy_url = mkOpt types.str '' 148 Optional proxy URL. 149 ''; 150 151 follow_redirects = mkDefOpt types.bool "true" '' 152 Configure whether HTTP requests follow HTTP 3xx redirects. 153 ''; 154 155 tls_config = mkOpt promTypes.tls_config '' 156 TLS configuration. 157 ''; 158 } // extraOptions; 159 }; 160 161 # 162 # Config types: general 163 # 164 165 promTypes.globalConfig = types.submodule { 166 options = { 167 scrape_interval = mkDefOpt types.str "1m" '' 168 How frequently to scrape targets by default. 169 ''; 170 171 scrape_timeout = mkDefOpt types.str "10s" '' 172 How long until a scrape request times out. 173 ''; 174 175 evaluation_interval = mkDefOpt types.str "1m" '' 176 How frequently to evaluate rules by default. 177 ''; 178 179 external_labels = mkOpt (types.attrsOf types.str) '' 180 The labels to add to any time series or alerts when 181 communicating with external systems (federation, remote 182 storage, Alertmanager). 183 ''; 184 }; 185 }; 186 187 promTypes.basic_auth = types.submodule { 188 options = { 189 username = mkOption { 190 type = types.str; 191 description = '' 192 HTTP username 193 ''; 194 }; 195 password = mkOpt types.str "HTTP password"; 196 password_file = mkOpt types.str "HTTP password file"; 197 }; 198 }; 199 200 promTypes.tls_config = types.submodule { 201 options = { 202 ca_file = mkOpt types.str '' 203 CA certificate to validate API server certificate with. 204 ''; 205 206 cert_file = mkOpt types.str '' 207 Certificate file for client cert authentication to the server. 208 ''; 209 210 key_file = mkOpt types.str '' 211 Key file for client cert authentication to the server. 212 ''; 213 214 server_name = mkOpt types.str '' 215 ServerName extension to indicate the name of the server. 216 http://tools.ietf.org/html/rfc4366#section-3.1 217 ''; 218 219 insecure_skip_verify = mkOpt types.bool '' 220 Disable validation of the server certificate. 221 ''; 222 }; 223 }; 224 225 promtypes.oauth2 = types.submodule { 226 options = { 227 client_id = mkOpt types.str '' 228 OAuth client ID. 229 ''; 230 231 client_secret = mkOpt types.str '' 232 OAuth client secret. 233 ''; 234 235 client_secret_file = mkOpt types.str '' 236 Read the client secret from a file. It is mutually exclusive with `client_secret`. 237 ''; 238 239 scopes = mkOpt (types.listOf types.str) '' 240 Scopes for the token request. 241 ''; 242 243 token_url = mkOpt types.str '' 244 The URL to fetch the token from. 245 ''; 246 247 endpoint_params = mkOpt (types.attrsOf types.str) '' 248 Optional parameters to append to the token URL. 249 ''; 250 }; 251 }; 252 253 promTypes.scrape_config = types.submodule { 254 options = { 255 authorization = mkOption { 256 type = types.nullOr types.attrs; 257 default = null; 258 description = '' 259 Sets the `Authorization` header on every scrape request with the configured credentials. 260 ''; 261 }; 262 job_name = mkOption { 263 type = types.str; 264 description = '' 265 The job name assigned to scraped metrics by default. 266 ''; 267 }; 268 scrape_interval = mkOpt types.str '' 269 How frequently to scrape targets from this job. Defaults to the 270 globally configured default. 271 ''; 272 273 scrape_timeout = mkOpt types.str '' 274 Per-target timeout when scraping this job. Defaults to the 275 globally configured default. 276 ''; 277 278 metrics_path = mkDefOpt types.str "/metrics" '' 279 The HTTP resource path on which to fetch metrics from targets. 280 ''; 281 282 honor_labels = mkDefOpt types.bool "false" '' 283 Controls how Prometheus handles conflicts between labels 284 that are already present in scraped data and labels that 285 Prometheus would attach server-side ("job" and "instance" 286 labels, manually configured target labels, and labels 287 generated by service discovery implementations). 288 289 If honor_labels is set to "true", label conflicts are 290 resolved by keeping label values from the scraped data and 291 ignoring the conflicting server-side labels. 292 293 If honor_labels is set to "false", label conflicts are 294 resolved by renaming conflicting labels in the scraped data 295 to "exported_\<original-label\>" (for example 296 "exported_instance", "exported_job") and then attaching 297 server-side labels. This is useful for use cases such as 298 federation, where all labels specified in the target should 299 be preserved. 300 ''; 301 302 honor_timestamps = mkDefOpt types.bool "true" '' 303 honor_timestamps controls whether Prometheus respects the timestamps present 304 in scraped data. 305 306 If honor_timestamps is set to `true`, the timestamps of the metrics exposed 307 by the target will be used. 308 309 If honor_timestamps is set to `false`, the timestamps of the metrics exposed 310 by the target will be ignored. 311 ''; 312 313 scheme = mkDefOpt (types.enum [ "http" "https" ]) "http" '' 314 The URL scheme with which to fetch metrics from targets. 315 ''; 316 317 params = mkOpt (types.attrsOf (types.listOf types.str)) '' 318 Optional HTTP URL parameters. 319 ''; 320 321 basic_auth = mkOpt promTypes.basic_auth '' 322 Sets the `Authorization` header on every scrape request with the 323 configured username and password. 324 password and password_file are mutually exclusive. 325 ''; 326 327 bearer_token = mkOpt types.str '' 328 Sets the `Authorization` header on every scrape request with 329 the configured bearer token. It is mutually exclusive with 330 {option}`bearer_token_file`. 331 ''; 332 333 bearer_token_file = mkOpt types.str '' 334 Sets the `Authorization` header on every scrape request with 335 the bearer token read from the configured file. It is mutually 336 exclusive with {option}`bearer_token`. 337 ''; 338 339 tls_config = mkOpt promTypes.tls_config '' 340 Configures the scrape request's TLS settings. 341 ''; 342 343 proxy_url = mkOpt types.str '' 344 Optional proxy URL. 345 ''; 346 347 azure_sd_configs = mkOpt (types.listOf promTypes.azure_sd_config) '' 348 List of Azure service discovery configurations. 349 ''; 350 351 consul_sd_configs = mkOpt (types.listOf promTypes.consul_sd_config) '' 352 List of Consul service discovery configurations. 353 ''; 354 355 digitalocean_sd_configs = mkOpt (types.listOf promTypes.digitalocean_sd_config) '' 356 List of DigitalOcean service discovery configurations. 357 ''; 358 359 docker_sd_configs = mkOpt (types.listOf promTypes.docker_sd_config) '' 360 List of Docker service discovery configurations. 361 ''; 362 363 dockerswarm_sd_configs = mkOpt (types.listOf promTypes.dockerswarm_sd_config) '' 364 List of Docker Swarm service discovery configurations. 365 ''; 366 367 dns_sd_configs = mkOpt (types.listOf promTypes.dns_sd_config) '' 368 List of DNS service discovery configurations. 369 ''; 370 371 ec2_sd_configs = mkOpt (types.listOf promTypes.ec2_sd_config) '' 372 List of EC2 service discovery configurations. 373 ''; 374 375 eureka_sd_configs = mkOpt (types.listOf promTypes.eureka_sd_config) '' 376 List of Eureka service discovery configurations. 377 ''; 378 379 file_sd_configs = mkOpt (types.listOf promTypes.file_sd_config) '' 380 List of file service discovery configurations. 381 ''; 382 383 gce_sd_configs = mkOpt (types.listOf promTypes.gce_sd_config) '' 384 List of Google Compute Engine service discovery configurations. 385 386 See [the relevant Prometheus configuration docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config) 387 for more detail. 388 ''; 389 390 hetzner_sd_configs = mkOpt (types.listOf promTypes.hetzner_sd_config) '' 391 List of Hetzner service discovery configurations. 392 ''; 393 394 http_sd_configs = mkOpt (types.listOf promTypes.http_sd_config) '' 395 List of HTTP service discovery configurations. 396 ''; 397 398 kubernetes_sd_configs = mkOpt (types.listOf promTypes.kubernetes_sd_config) '' 399 List of Kubernetes service discovery configurations. 400 ''; 401 402 kuma_sd_configs = mkOpt (types.listOf promTypes.kuma_sd_config) '' 403 List of Kuma service discovery configurations. 404 ''; 405 406 lightsail_sd_configs = mkOpt (types.listOf promTypes.lightsail_sd_config) '' 407 List of Lightsail service discovery configurations. 408 ''; 409 410 linode_sd_configs = mkOpt (types.listOf promTypes.linode_sd_config) '' 411 List of Linode service discovery configurations. 412 ''; 413 414 marathon_sd_configs = mkOpt (types.listOf promTypes.marathon_sd_config) '' 415 List of Marathon service discovery configurations. 416 ''; 417 418 nerve_sd_configs = mkOpt (types.listOf promTypes.nerve_sd_config) '' 419 List of AirBnB's Nerve service discovery configurations. 420 ''; 421 422 openstack_sd_configs = mkOpt (types.listOf promTypes.openstack_sd_config) '' 423 List of OpenStack service discovery configurations. 424 ''; 425 426 puppetdb_sd_configs = mkOpt (types.listOf promTypes.puppetdb_sd_config) '' 427 List of PuppetDB service discovery configurations. 428 ''; 429 430 scaleway_sd_configs = mkOpt (types.listOf promTypes.scaleway_sd_config) '' 431 List of Scaleway service discovery configurations. 432 ''; 433 434 serverset_sd_configs = mkOpt (types.listOf promTypes.serverset_sd_config) '' 435 List of Zookeeper Serverset service discovery configurations. 436 ''; 437 438 triton_sd_configs = mkOpt (types.listOf promTypes.triton_sd_config) '' 439 List of Triton Serverset service discovery configurations. 440 ''; 441 442 uyuni_sd_configs = mkOpt (types.listOf promTypes.uyuni_sd_config) '' 443 List of Uyuni Serverset service discovery configurations. 444 ''; 445 446 static_configs = mkOpt (types.listOf promTypes.static_config) '' 447 List of labeled target groups for this job. 448 ''; 449 450 relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 451 List of relabel configurations. 452 ''; 453 454 metric_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 455 List of metric relabel configurations. 456 ''; 457 458 body_size_limit = mkDefOpt types.str "0" '' 459 An uncompressed response body larger than this many bytes will cause the 460 scrape to fail. 0 means no limit. Example: 100MB. 461 This is an experimental feature, this behaviour could 462 change or be removed in the future. 463 ''; 464 465 sample_limit = mkDefOpt types.int "0" '' 466 Per-scrape limit on number of scraped samples that will be accepted. 467 If more than this number of samples are present after metric relabelling 468 the entire scrape will be treated as failed. 0 means no limit. 469 ''; 470 471 label_limit = mkDefOpt types.int "0" '' 472 Per-scrape limit on number of labels that will be accepted for a sample. If 473 more than this number of labels are present post metric-relabeling, the 474 entire scrape will be treated as failed. 0 means no limit. 475 ''; 476 477 label_name_length_limit = mkDefOpt types.int "0" '' 478 Per-scrape limit on length of labels name that will be accepted for a sample. 479 If a label name is longer than this number post metric-relabeling, the entire 480 scrape will be treated as failed. 0 means no limit. 481 ''; 482 483 label_value_length_limit = mkDefOpt types.int "0" '' 484 Per-scrape limit on length of labels value that will be accepted for a sample. 485 If a label value is longer than this number post metric-relabeling, the 486 entire scrape will be treated as failed. 0 means no limit. 487 ''; 488 489 target_limit = mkDefOpt types.int "0" '' 490 Per-scrape config limit on number of unique targets that will be 491 accepted. If more than this number of targets are present after target 492 relabeling, Prometheus will mark the targets as failed without scraping them. 493 0 means no limit. This is an experimental feature, this behaviour could 494 change in the future. 495 ''; 496 }; 497 }; 498 499 # 500 # Config types: service discovery 501 # 502 503 # For this one, the docs actually define all types needed to use mkSdConfigModule, but a bunch 504 # of them are marked with 'currently not support by Azure' so we don't bother adding them in 505 # here. 506 promTypes.azure_sd_config = types.submodule { 507 options = { 508 environment = mkDefOpt types.str "AzurePublicCloud" '' 509 The Azure environment. 510 ''; 511 512 authentication_method = mkDefOpt (types.enum [ "OAuth" "ManagedIdentity" ]) "OAuth" '' 513 The authentication method, either OAuth or ManagedIdentity. 514 See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview 515 ''; 516 517 subscription_id = mkOption { 518 type = types.str; 519 description = '' 520 The subscription ID. 521 ''; 522 }; 523 524 tenant_id = mkOpt types.str '' 525 Optional tenant ID. Only required with authentication_method OAuth. 526 ''; 527 528 client_id = mkOpt types.str '' 529 Optional client ID. Only required with authentication_method OAuth. 530 ''; 531 532 client_secret = mkOpt types.str '' 533 Optional client secret. Only required with authentication_method OAuth. 534 ''; 535 536 refresh_interval = mkDefOpt types.str "300s" '' 537 Refresh interval to re-read the instance list. 538 ''; 539 540 port = mkDefOpt types.port "80" '' 541 The port to scrape metrics from. If using the public IP 542 address, this must instead be specified in the relabeling 543 rule. 544 ''; 545 546 proxy_url = mkOpt types.str '' 547 Optional proxy URL. 548 ''; 549 550 follow_redirects = mkDefOpt types.bool "true" '' 551 Configure whether HTTP requests follow HTTP 3xx redirects. 552 ''; 553 554 tls_config = mkOpt promTypes.tls_config '' 555 TLS configuration. 556 ''; 557 }; 558 }; 559 560 promTypes.consul_sd_config = mkSdConfigModule { 561 server = mkDefOpt types.str "localhost:8500" '' 562 Consul server to query. 563 ''; 564 565 token = mkOpt types.str "Consul token"; 566 567 datacenter = mkOpt types.str "Consul datacenter"; 568 569 scheme = mkDefOpt types.str "http" "Consul scheme"; 570 571 username = mkOpt types.str "Consul username"; 572 573 password = mkOpt types.str "Consul password"; 574 575 tls_config = mkOpt promTypes.tls_config '' 576 Configures the Consul request's TLS settings. 577 ''; 578 579 services = mkOpt (types.listOf types.str) '' 580 A list of services for which targets are retrieved. 581 ''; 582 583 tags = mkOpt (types.listOf types.str) '' 584 An optional list of tags used to filter nodes for a given 585 service. Services must contain all tags in the list. 586 ''; 587 588 node_meta = mkOpt (types.attrsOf types.str) '' 589 Node metadata used to filter nodes for a given service. 590 ''; 591 592 tag_separator = mkDefOpt types.str "," '' 593 The string by which Consul tags are joined into the tag label. 594 ''; 595 596 allow_stale = mkOpt types.bool '' 597 Allow stale Consul results 598 (see <https://www.consul.io/api/index.html#consistency-modes>). 599 600 Will reduce load on Consul. 601 ''; 602 603 refresh_interval = mkDefOpt types.str "30s" '' 604 The time after which the provided names are refreshed. 605 606 On large setup it might be a good idea to increase this value 607 because the catalog will change all the time. 608 ''; 609 }; 610 611 promTypes.digitalocean_sd_config = mkSdConfigModule { 612 port = mkDefOpt types.port "80" '' 613 The port to scrape metrics from. 614 ''; 615 616 refresh_interval = mkDefOpt types.str "60s" '' 617 The time after which the droplets are refreshed. 618 ''; 619 }; 620 621 mkDockerSdConfigModule = extraOptions: mkSdConfigModule ({ 622 host = mkOption { 623 type = types.str; 624 description = '' 625 Address of the Docker daemon. 626 ''; 627 }; 628 629 port = mkDefOpt types.port "80" '' 630 The port to scrape metrics from, when `role` is nodes, and for discovered 631 tasks and services that don't have published ports. 632 ''; 633 634 filters = mkOpt 635 (types.listOf (types.submodule { 636 options = { 637 name = mkOption { 638 type = types.str; 639 description = '' 640 Name of the filter. The available filters are listed in the upstream documentation: 641 Services: <https://docs.docker.com/engine/api/v1.40/#operation/ServiceList> 642 Tasks: <https://docs.docker.com/engine/api/v1.40/#operation/TaskList> 643 Nodes: <https://docs.docker.com/engine/api/v1.40/#operation/NodeList> 644 ''; 645 }; 646 values = mkOption { 647 type = types.str; 648 description = '' 649 Value for the filter. 650 ''; 651 }; 652 }; 653 })) '' 654 Optional filters to limit the discovery process to a subset of available resources. 655 ''; 656 657 refresh_interval = mkDefOpt types.str "60s" '' 658 The time after which the containers are refreshed. 659 ''; 660 } // extraOptions); 661 662 promTypes.docker_sd_config = mkDockerSdConfigModule { 663 host_networking_host = mkDefOpt types.str "localhost" '' 664 The host to use if the container is in host networking mode. 665 ''; 666 }; 667 668 promTypes.dockerswarm_sd_config = mkDockerSdConfigModule { 669 role = mkOption { 670 type = types.enum [ "services" "tasks" "nodes" ]; 671 description = '' 672 Role of the targets to retrieve. Must be `services`, `tasks`, or `nodes`. 673 ''; 674 }; 675 }; 676 677 promTypes.dns_sd_config = types.submodule { 678 options = { 679 names = mkOption { 680 type = types.listOf types.str; 681 description = '' 682 A list of DNS SRV record names to be queried. 683 ''; 684 }; 685 686 type = mkDefOpt (types.enum [ "SRV" "A" "AAAA" ]) "SRV" '' 687 The type of DNS query to perform. One of SRV, A, or AAAA. 688 ''; 689 690 port = mkOpt types.port '' 691 The port number used if the query type is not SRV. 692 ''; 693 694 refresh_interval = mkDefOpt types.str "30s" '' 695 The time after which the provided names are refreshed. 696 ''; 697 }; 698 }; 699 700 promTypes.ec2_sd_config = types.submodule { 701 options = { 702 region = mkOption { 703 type = types.str; 704 description = '' 705 The AWS Region. If blank, the region from the instance metadata is used. 706 ''; 707 }; 708 endpoint = mkOpt types.str '' 709 Custom endpoint to be used. 710 ''; 711 712 access_key = mkOpt types.str '' 713 The AWS API key id. If blank, the environment variable 714 `AWS_ACCESS_KEY_ID` is used. 715 ''; 716 717 secret_key = mkOpt types.str '' 718 The AWS API key secret. If blank, the environment variable 719 `AWS_SECRET_ACCESS_KEY` is used. 720 ''; 721 722 profile = mkOpt types.str '' 723 Named AWS profile used to connect to the API. 724 ''; 725 726 role_arn = mkOpt types.str '' 727 AWS Role ARN, an alternative to using AWS API keys. 728 ''; 729 730 refresh_interval = mkDefOpt types.str "60s" '' 731 Refresh interval to re-read the instance list. 732 ''; 733 734 port = mkDefOpt types.port "80" '' 735 The port to scrape metrics from. If using the public IP 736 address, this must instead be specified in the relabeling 737 rule. 738 ''; 739 740 filters = mkOpt 741 (types.listOf (types.submodule { 742 options = { 743 name = mkOption { 744 type = types.str; 745 description = '' 746 See [this list](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html) 747 for the available filters. 748 ''; 749 }; 750 751 values = mkOption { 752 type = types.listOf types.str; 753 default = [ ]; 754 description = '' 755 Value of the filter. 756 ''; 757 }; 758 }; 759 })) '' 760 Filters can be used optionally to filter the instance list by other criteria. 761 ''; 762 }; 763 }; 764 765 promTypes.eureka_sd_config = mkSdConfigModule { 766 server = mkOption { 767 type = types.str; 768 description = '' 769 The URL to connect to the Eureka server. 770 ''; 771 }; 772 }; 773 774 promTypes.file_sd_config = types.submodule { 775 options = { 776 files = mkOption { 777 type = types.listOf types.str; 778 description = '' 779 Patterns for files from which target groups are extracted. Refer 780 to the Prometheus documentation for permitted filename patterns 781 and formats. 782 ''; 783 }; 784 785 refresh_interval = mkDefOpt types.str "5m" '' 786 Refresh interval to re-read the files. 787 ''; 788 }; 789 }; 790 791 promTypes.gce_sd_config = types.submodule { 792 options = { 793 # Use `mkOption` instead of `mkOpt` for project and zone because they are 794 # required configuration values for `gce_sd_config`. 795 project = mkOption { 796 type = types.str; 797 description = '' 798 The GCP Project. 799 ''; 800 }; 801 802 zone = mkOption { 803 type = types.str; 804 description = '' 805 The zone of the scrape targets. If you need multiple zones use multiple 806 gce_sd_configs. 807 ''; 808 }; 809 810 filter = mkOpt types.str '' 811 Filter can be used optionally to filter the instance list by other 812 criteria Syntax of this filter string is described here in the filter 813 query parameter section: <https://cloud.google.com/compute/docs/reference/latest/instances/list>. 814 ''; 815 816 refresh_interval = mkDefOpt types.str "60s" '' 817 Refresh interval to re-read the cloud instance list. 818 ''; 819 820 port = mkDefOpt types.port "80" '' 821 The port to scrape metrics from. If using the public IP address, this 822 must instead be specified in the relabeling rule. 823 ''; 824 825 tag_separator = mkDefOpt types.str "," '' 826 The tag separator used to separate concatenated GCE instance network tags. 827 828 See the GCP documentation on network tags for more information: 829 <https://cloud.google.com/vpc/docs/add-remove-network-tags> 830 ''; 831 }; 832 }; 833 834 promTypes.hetzner_sd_config = mkSdConfigModule { 835 role = mkOption { 836 type = types.enum [ "robot" "hcloud" ]; 837 description = '' 838 The Hetzner role of entities that should be discovered. 839 One of `robot` or `hcloud`. 840 ''; 841 }; 842 843 port = mkDefOpt types.port "80" '' 844 The port to scrape metrics from. 845 ''; 846 847 refresh_interval = mkDefOpt types.str "60s" '' 848 The time after which the servers are refreshed. 849 ''; 850 }; 851 852 promTypes.http_sd_config = types.submodule { 853 options = { 854 url = mkOption { 855 type = types.str; 856 description = '' 857 URL from which the targets are fetched. 858 ''; 859 }; 860 861 refresh_interval = mkDefOpt types.str "60s" '' 862 Refresh interval to re-query the endpoint. 863 ''; 864 865 basic_auth = mkOpt promTypes.basic_auth '' 866 Authentication information used to authenticate to the API server. 867 password and password_file are mutually exclusive. 868 ''; 869 870 proxy_url = mkOpt types.str '' 871 Optional proxy URL. 872 ''; 873 874 follow_redirects = mkDefOpt types.bool "true" '' 875 Configure whether HTTP requests follow HTTP 3xx redirects. 876 ''; 877 878 tls_config = mkOpt promTypes.tls_config '' 879 Configures the scrape request's TLS settings. 880 ''; 881 }; 882 }; 883 884 promTypes.kubernetes_sd_config = mkSdConfigModule { 885 api_server = mkOpt types.str '' 886 The API server addresses. If left empty, Prometheus is assumed to run inside 887 of the cluster and will discover API servers automatically and use the pod's 888 CA certificate and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/. 889 ''; 890 891 role = mkOption { 892 type = types.enum [ "endpoints" "service" "pod" "node" "ingress" ]; 893 description = '' 894 The Kubernetes role of entities that should be discovered. 895 One of endpoints, service, pod, node, or ingress. 896 ''; 897 }; 898 899 kubeconfig_file = mkOpt types.str '' 900 Optional path to a kubeconfig file. 901 Note that api_server and kube_config are mutually exclusive. 902 ''; 903 904 namespaces = mkOpt 905 ( 906 types.submodule { 907 options = { 908 names = mkOpt (types.listOf types.str) '' 909 Namespace name. 910 ''; 911 }; 912 } 913 ) '' 914 Optional namespace discovery. If omitted, all namespaces are used. 915 ''; 916 917 selectors = mkOpt 918 ( 919 types.listOf ( 920 types.submodule { 921 options = { 922 role = mkOption { 923 type = types.str; 924 description = '' 925 Selector role 926 ''; 927 }; 928 929 label = mkOpt types.str '' 930 Selector label 931 ''; 932 933 field = mkOpt types.str '' 934 Selector field 935 ''; 936 }; 937 } 938 ) 939 ) '' 940 Optional label and field selectors to limit the discovery process to a subset of available resources. 941 See https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/ 942 and https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ to learn more about the possible 943 filters that can be used. Endpoints role supports pod, service and endpoints selectors, other roles 944 only support selectors matching the role itself (e.g. node role can only contain node selectors). 945 946 Note: When making decision about using field/label selector make sure that this 947 is the best approach - it will prevent Prometheus from reusing single list/watch 948 for all scrape configs. This might result in a bigger load on the Kubernetes API, 949 because per each selector combination there will be additional LIST/WATCH. On the other hand, 950 if you just want to monitor small subset of pods in large cluster it's recommended to use selectors. 951 Decision, if selectors should be used or not depends on the particular situation. 952 ''; 953 }; 954 955 promTypes.kuma_sd_config = mkSdConfigModule { 956 server = mkOption { 957 type = types.str; 958 description = '' 959 Address of the Kuma Control Plane's MADS xDS server. 960 ''; 961 }; 962 963 refresh_interval = mkDefOpt types.str "30s" '' 964 The time to wait between polling update requests. 965 ''; 966 967 fetch_timeout = mkDefOpt types.str "2m" '' 968 The time after which the monitoring assignments are refreshed. 969 ''; 970 }; 971 972 promTypes.lightsail_sd_config = types.submodule { 973 options = { 974 region = mkOpt types.str '' 975 The AWS region. If blank, the region from the instance metadata is used. 976 ''; 977 978 endpoint = mkOpt types.str '' 979 Custom endpoint to be used. 980 ''; 981 982 access_key = mkOpt types.str '' 983 The AWS API keys. If blank, the environment variable `AWS_ACCESS_KEY_ID` is used. 984 ''; 985 986 secret_key = mkOpt types.str '' 987 The AWS API keys. If blank, the environment variable `AWS_SECRET_ACCESS_KEY` is used. 988 ''; 989 990 profile = mkOpt types.str '' 991 Named AWS profile used to connect to the API. 992 ''; 993 994 role_arn = mkOpt types.str '' 995 AWS Role ARN, an alternative to using AWS API keys. 996 ''; 997 998 refresh_interval = mkDefOpt types.str "60s" '' 999 Refresh interval to re-read the instance list. 1000 ''; 1001 1002 port = mkDefOpt types.port "80" '' 1003 The port to scrape metrics from. If using the public IP address, this must 1004 instead be specified in the relabeling rule. 1005 ''; 1006 }; 1007 }; 1008 1009 promTypes.linode_sd_config = mkSdConfigModule { 1010 port = mkDefOpt types.port "80" '' 1011 The port to scrape metrics from. 1012 ''; 1013 1014 tag_separator = mkDefOpt types.str "," '' 1015 The string by which Linode Instance tags are joined into the tag label. 1016 ''; 1017 1018 refresh_interval = mkDefOpt types.str "60s" '' 1019 The time after which the linode instances are refreshed. 1020 ''; 1021 }; 1022 1023 promTypes.marathon_sd_config = mkSdConfigModule { 1024 servers = mkOption { 1025 type = types.listOf types.str; 1026 description = '' 1027 List of URLs to be used to contact Marathon servers. You need to provide at least one server URL. 1028 ''; 1029 }; 1030 1031 refresh_interval = mkDefOpt types.str "30s" '' 1032 Polling interval. 1033 ''; 1034 1035 auth_token = mkOpt types.str '' 1036 Optional authentication information for token-based authentication: 1037 <https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token> 1038 It is mutually exclusive with `auth_token_file` and other authentication mechanisms. 1039 ''; 1040 1041 auth_token_file = mkOpt types.str '' 1042 Optional authentication information for token-based authentication: 1043 <https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token> 1044 It is mutually exclusive with `auth_token` and other authentication mechanisms. 1045 ''; 1046 }; 1047 1048 promTypes.nerve_sd_config = types.submodule { 1049 options = { 1050 servers = mkOption { 1051 type = types.listOf types.str; 1052 description = '' 1053 The Zookeeper servers. 1054 ''; 1055 }; 1056 1057 paths = mkOption { 1058 type = types.listOf types.str; 1059 description = '' 1060 Paths can point to a single service, or the root of a tree of services. 1061 ''; 1062 }; 1063 1064 timeout = mkDefOpt types.str "10s" '' 1065 Timeout value. 1066 ''; 1067 }; 1068 }; 1069 1070 promTypes.openstack_sd_config = types.submodule { 1071 options = 1072 let 1073 userDescription = '' 1074 username is required if using Identity V2 API. Consult with your provider's 1075 control panel to discover your account's username. In Identity V3, either 1076 userid or a combination of username and domain_id or domain_name are needed. 1077 ''; 1078 1079 domainDescription = '' 1080 At most one of domain_id and domain_name must be provided if using username 1081 with Identity V3. Otherwise, either are optional. 1082 ''; 1083 1084 projectDescription = '' 1085 The project_id and project_name fields are optional for the Identity V2 API. 1086 Some providers allow you to specify a project_name instead of the project_id. 1087 Some require both. Your provider's authentication policies will determine 1088 how these fields influence authentication. 1089 ''; 1090 1091 applicationDescription = '' 1092 The application_credential_id or application_credential_name fields are 1093 required if using an application credential to authenticate. Some providers 1094 allow you to create an application credential to authenticate rather than a 1095 password. 1096 ''; 1097 in 1098 { 1099 role = mkOption { 1100 type = types.str; 1101 description = '' 1102 The OpenStack role of entities that should be discovered. 1103 ''; 1104 }; 1105 1106 region = mkOption { 1107 type = types.str; 1108 description = '' 1109 The OpenStack Region. 1110 ''; 1111 }; 1112 1113 identity_endpoint = mkOpt types.str '' 1114 identity_endpoint specifies the HTTP endpoint that is required to work with 1115 the Identity API of the appropriate version. While it's ultimately needed by 1116 all of the identity services, it will often be populated by a provider-level 1117 function. 1118 ''; 1119 1120 username = mkOpt types.str userDescription; 1121 userid = mkOpt types.str userDescription; 1122 1123 password = mkOpt types.str '' 1124 password for the Identity V2 and V3 APIs. Consult with your provider's 1125 control panel to discover your account's preferred method of authentication. 1126 ''; 1127 1128 domain_name = mkOpt types.str domainDescription; 1129 domain_id = mkOpt types.str domainDescription; 1130 1131 project_name = mkOpt types.str projectDescription; 1132 project_id = mkOpt types.str projectDescription; 1133 1134 application_credential_name = mkOpt types.str applicationDescription; 1135 application_credential_id = mkOpt types.str applicationDescription; 1136 1137 application_credential_secret = mkOpt types.str '' 1138 The application_credential_secret field is required if using an application 1139 credential to authenticate. 1140 ''; 1141 1142 all_tenants = mkDefOpt types.bool "false" '' 1143 Whether the service discovery should list all instances for all projects. 1144 It is only relevant for the 'instance' role and usually requires admin permissions. 1145 ''; 1146 1147 refresh_interval = mkDefOpt types.str "60s" '' 1148 Refresh interval to re-read the instance list. 1149 ''; 1150 1151 port = mkDefOpt types.port "80" '' 1152 The port to scrape metrics from. If using the public IP address, this must 1153 instead be specified in the relabeling rule. 1154 ''; 1155 1156 availability = mkDefOpt (types.enum [ "public" "admin" "internal" ]) "public" '' 1157 The availability of the endpoint to connect to. Must be one of public, admin or internal. 1158 ''; 1159 1160 tls_config = mkOpt promTypes.tls_config '' 1161 TLS configuration. 1162 ''; 1163 }; 1164 }; 1165 1166 promTypes.puppetdb_sd_config = mkSdConfigModule { 1167 url = mkOption { 1168 type = types.str; 1169 description = '' 1170 The URL of the PuppetDB root query endpoint. 1171 ''; 1172 }; 1173 1174 query = mkOption { 1175 type = types.str; 1176 description = '' 1177 Puppet Query Language (PQL) query. Only resources are supported. 1178 https://puppet.com/docs/puppetdb/latest/api/query/v4/pql.html 1179 ''; 1180 }; 1181 1182 include_parameters = mkDefOpt types.bool "false" '' 1183 Whether to include the parameters as meta labels. 1184 Due to the differences between parameter types and Prometheus labels, 1185 some parameters might not be rendered. The format of the parameters might 1186 also change in future releases. 1187 1188 Note: Enabling this exposes parameters in the Prometheus UI and API. Make sure 1189 that you don't have secrets exposed as parameters if you enable this. 1190 ''; 1191 1192 refresh_interval = mkDefOpt types.str "60s" '' 1193 Refresh interval to re-read the resources list. 1194 ''; 1195 1196 port = mkDefOpt types.port "80" '' 1197 The port to scrape metrics from. 1198 ''; 1199 }; 1200 1201 promTypes.scaleway_sd_config = types.submodule { 1202 options = { 1203 access_key = mkOption { 1204 type = types.str; 1205 description = '' 1206 Access key to use. https://console.scaleway.com/project/credentials 1207 ''; 1208 }; 1209 1210 secret_key = mkOpt types.str '' 1211 Secret key to use when listing targets. https://console.scaleway.com/project/credentials 1212 It is mutually exclusive with `secret_key_file`. 1213 ''; 1214 1215 secret_key_file = mkOpt types.str '' 1216 Sets the secret key with the credentials read from the configured file. 1217 It is mutually exclusive with `secret_key`. 1218 ''; 1219 1220 project_id = mkOption { 1221 type = types.str; 1222 description = '' 1223 Project ID of the targets. 1224 ''; 1225 }; 1226 1227 role = mkOption { 1228 type = types.enum [ "instance" "baremetal" ]; 1229 description = '' 1230 Role of the targets to retrieve. Must be `instance` or `baremetal`. 1231 ''; 1232 }; 1233 1234 port = mkDefOpt types.port "80" '' 1235 The port to scrape metrics from. 1236 ''; 1237 1238 api_url = mkDefOpt types.str "https://api.scaleway.com" '' 1239 API URL to use when doing the server listing requests. 1240 ''; 1241 1242 zone = mkDefOpt types.str "fr-par-1" '' 1243 Zone is the availability zone of your targets (e.g. fr-par-1). 1244 ''; 1245 1246 name_filter = mkOpt types.str '' 1247 Specify a name filter (works as a LIKE) to apply on the server listing request. 1248 ''; 1249 1250 tags_filter = mkOpt (types.listOf types.str) '' 1251 Specify a tag filter (a server needs to have all defined tags to be listed) to apply on the server listing request. 1252 ''; 1253 1254 refresh_interval = mkDefOpt types.str "60s" '' 1255 Refresh interval to re-read the managed targets list. 1256 ''; 1257 1258 proxy_url = mkOpt types.str '' 1259 Optional proxy URL. 1260 ''; 1261 1262 follow_redirects = mkDefOpt types.bool "true" '' 1263 Configure whether HTTP requests follow HTTP 3xx redirects. 1264 ''; 1265 1266 tls_config = mkOpt promTypes.tls_config '' 1267 TLS configuration. 1268 ''; 1269 }; 1270 }; 1271 1272 # These are exactly the same. 1273 promTypes.serverset_sd_config = promTypes.nerve_sd_config; 1274 1275 promTypes.triton_sd_config = types.submodule { 1276 options = { 1277 account = mkOption { 1278 type = types.str; 1279 description = '' 1280 The account to use for discovering new targets. 1281 ''; 1282 }; 1283 1284 role = mkDefOpt (types.enum [ "container" "cn" ]) "container" '' 1285 The type of targets to discover, can be set to: 1286 - "container" to discover virtual machines (SmartOS zones, lx/KVM/bhyve branded zones) running on Triton 1287 - "cn" to discover compute nodes (servers/global zones) making up the Triton infrastructure 1288 ''; 1289 1290 dns_suffix = mkOption { 1291 type = types.str; 1292 description = '' 1293 The DNS suffix which should be applied to target. 1294 ''; 1295 }; 1296 1297 endpoint = mkOption { 1298 type = types.str; 1299 description = '' 1300 The Triton discovery endpoint (e.g. `cmon.us-east-3b.triton.zone`). This is 1301 often the same value as dns_suffix. 1302 ''; 1303 }; 1304 1305 groups = mkOpt (types.listOf types.str) '' 1306 A list of groups for which targets are retrieved, only supported when targeting the `container` role. 1307 If omitted all containers owned by the requesting account are scraped. 1308 ''; 1309 1310 port = mkDefOpt types.port "9163" '' 1311 The port to use for discovery and metric scraping. 1312 ''; 1313 1314 refresh_interval = mkDefOpt types.str "60s" '' 1315 The interval which should be used for refreshing targets. 1316 ''; 1317 1318 version = mkDefOpt types.int "1" '' 1319 The Triton discovery API version. 1320 ''; 1321 1322 tls_config = mkOpt promTypes.tls_config '' 1323 TLS configuration. 1324 ''; 1325 }; 1326 }; 1327 1328 promTypes.uyuni_sd_config = mkSdConfigModule { 1329 server = mkOption { 1330 type = types.str; 1331 description = '' 1332 The URL to connect to the Uyuni server. 1333 ''; 1334 }; 1335 1336 username = mkOption { 1337 type = types.str; 1338 description = '' 1339 Credentials are used to authenticate the requests to Uyuni API. 1340 ''; 1341 }; 1342 1343 password = mkOption { 1344 type = types.str; 1345 description = '' 1346 Credentials are used to authenticate the requests to Uyuni API. 1347 ''; 1348 }; 1349 1350 entitlement = mkDefOpt types.str "monitoring_entitled" '' 1351 The entitlement string to filter eligible systems. 1352 ''; 1353 1354 separator = mkDefOpt types.str "," '' 1355 The string by which Uyuni group names are joined into the groups label 1356 ''; 1357 1358 refresh_interval = mkDefOpt types.str "60s" '' 1359 Refresh interval to re-read the managed targets list. 1360 ''; 1361 }; 1362 1363 promTypes.static_config = types.submodule { 1364 options = { 1365 targets = mkOption { 1366 type = types.listOf types.str; 1367 description = '' 1368 The targets specified by the target group. 1369 ''; 1370 }; 1371 labels = mkOption { 1372 type = types.attrsOf types.str; 1373 default = { }; 1374 description = '' 1375 Labels assigned to all metrics scraped from the targets. 1376 ''; 1377 }; 1378 }; 1379 }; 1380 1381 # 1382 # Config types: relabling 1383 # 1384 1385 promTypes.relabel_config = types.submodule { 1386 options = { 1387 source_labels = mkOpt (types.listOf types.str) '' 1388 The source labels select values from existing labels. Their content 1389 is concatenated using the configured separator and matched against 1390 the configured regular expression. 1391 ''; 1392 1393 separator = mkDefOpt types.str ";" '' 1394 Separator placed between concatenated source label values. 1395 ''; 1396 1397 target_label = mkOpt types.str '' 1398 Label to which the resulting value is written in a replace action. 1399 It is mandatory for replace actions. 1400 ''; 1401 1402 regex = mkDefOpt types.str "(.*)" '' 1403 Regular expression against which the extracted value is matched. 1404 ''; 1405 1406 modulus = mkOpt types.int '' 1407 Modulus to take of the hash of the source label values. 1408 ''; 1409 1410 replacement = mkDefOpt types.str "$1" '' 1411 Replacement value against which a regex replace is performed if the 1412 regular expression matches. 1413 ''; 1414 1415 action = 1416 mkDefOpt (types.enum [ "replace" "lowercase" "uppercase" "keep" "drop" "hashmod" "labelmap" "labeldrop" "labelkeep" ]) "replace" '' 1417 Action to perform based on regex matching. 1418 ''; 1419 }; 1420 }; 1421 1422 # 1423 # Config types : remote read / write 1424 # 1425 1426 promTypes.remote_write = types.submodule { 1427 options = { 1428 url = mkOption { 1429 type = types.str; 1430 description = '' 1431 ServerName extension to indicate the name of the server. 1432 http://tools.ietf.org/html/rfc4366#section-3.1 1433 ''; 1434 }; 1435 remote_timeout = mkOpt types.str '' 1436 Timeout for requests to the remote write endpoint. 1437 ''; 1438 headers = mkOpt (types.attrsOf types.str) '' 1439 Custom HTTP headers to be sent along with each remote write request. 1440 Be aware that headers that are set by Prometheus itself can't be overwritten. 1441 ''; 1442 write_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 1443 List of remote write relabel configurations. 1444 ''; 1445 name = mkOpt types.str '' 1446 Name of the remote write config, which if specified must be unique among remote write configs. 1447 The name will be used in metrics and logging in place of a generated value to help users distinguish between 1448 remote write configs. 1449 ''; 1450 basic_auth = mkOpt promTypes.basic_auth '' 1451 Sets the `Authorization` header on every remote write request with the 1452 configured username and password. 1453 password and password_file are mutually exclusive. 1454 ''; 1455 bearer_token = mkOpt types.str '' 1456 Sets the `Authorization` header on every remote write request with 1457 the configured bearer token. It is mutually exclusive with `bearer_token_file`. 1458 ''; 1459 bearer_token_file = mkOpt types.str '' 1460 Sets the `Authorization` header on every remote write request with the bearer token 1461 read from the configured file. It is mutually exclusive with `bearer_token`. 1462 ''; 1463 tls_config = mkOpt promTypes.tls_config '' 1464 Configures the remote write request's TLS settings. 1465 ''; 1466 proxy_url = mkOpt types.str "Optional Proxy URL."; 1467 queue_config = mkOpt 1468 (types.submodule { 1469 options = { 1470 capacity = mkOpt types.int '' 1471 Number of samples to buffer per shard before we block reading of more 1472 samples from the WAL. It is recommended to have enough capacity in each 1473 shard to buffer several requests to keep throughput up while processing 1474 occasional slow remote requests. 1475 ''; 1476 max_shards = mkOpt types.int '' 1477 Maximum number of shards, i.e. amount of concurrency. 1478 ''; 1479 min_shards = mkOpt types.int '' 1480 Minimum number of shards, i.e. amount of concurrency. 1481 ''; 1482 max_samples_per_send = mkOpt types.int '' 1483 Maximum number of samples per send. 1484 ''; 1485 batch_send_deadline = mkOpt types.str '' 1486 Maximum time a sample will wait in buffer. 1487 ''; 1488 min_backoff = mkOpt types.str '' 1489 Initial retry delay. Gets doubled for every retry. 1490 ''; 1491 max_backoff = mkOpt types.str '' 1492 Maximum retry delay. 1493 ''; 1494 }; 1495 }) '' 1496 Configures the queue used to write to remote storage. 1497 ''; 1498 metadata_config = mkOpt 1499 (types.submodule { 1500 options = { 1501 send = mkOpt types.bool '' 1502 Whether metric metadata is sent to remote storage or not. 1503 ''; 1504 send_interval = mkOpt types.str '' 1505 How frequently metric metadata is sent to remote storage. 1506 ''; 1507 }; 1508 }) '' 1509 Configures the sending of series metadata to remote storage. 1510 Metadata configuration is subject to change at any point 1511 or be removed in future releases. 1512 ''; 1513 }; 1514 }; 1515 1516 promTypes.remote_read = types.submodule { 1517 options = { 1518 url = mkOption { 1519 type = types.str; 1520 description = '' 1521 ServerName extension to indicate the name of the server. 1522 http://tools.ietf.org/html/rfc4366#section-3.1 1523 ''; 1524 }; 1525 name = mkOpt types.str '' 1526 Name of the remote read config, which if specified must be unique among remote read configs. 1527 The name will be used in metrics and logging in place of a generated value to help users distinguish between 1528 remote read configs. 1529 ''; 1530 required_matchers = mkOpt (types.attrsOf types.str) '' 1531 An optional list of equality matchers which have to be 1532 present in a selector to query the remote read endpoint. 1533 ''; 1534 remote_timeout = mkOpt types.str '' 1535 Timeout for requests to the remote read endpoint. 1536 ''; 1537 headers = mkOpt (types.attrsOf types.str) '' 1538 Custom HTTP headers to be sent along with each remote read request. 1539 Be aware that headers that are set by Prometheus itself can't be overwritten. 1540 ''; 1541 read_recent = mkOpt types.bool '' 1542 Whether reads should be made for queries for time ranges that 1543 the local storage should have complete data for. 1544 ''; 1545 basic_auth = mkOpt promTypes.basic_auth '' 1546 Sets the `Authorization` header on every remote read request with the 1547 configured username and password. 1548 password and password_file are mutually exclusive. 1549 ''; 1550 bearer_token = mkOpt types.str '' 1551 Sets the `Authorization` header on every remote read request with 1552 the configured bearer token. It is mutually exclusive with `bearer_token_file`. 1553 ''; 1554 bearer_token_file = mkOpt types.str '' 1555 Sets the `Authorization` header on every remote read request with the bearer token 1556 read from the configured file. It is mutually exclusive with `bearer_token`. 1557 ''; 1558 tls_config = mkOpt promTypes.tls_config '' 1559 Configures the remote read request's TLS settings. 1560 ''; 1561 proxy_url = mkOpt types.str "Optional Proxy URL."; 1562 }; 1563 }; 1564 1565in 1566{ 1567 1568 imports = [ 1569 (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) 1570 (mkRemovedOptionModule [ "services" "prometheus" "environmentFile" ] 1571 "It has been removed since it was causing issues (https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`.") 1572 (mkRemovedOptionModule [ "services" "prometheus" "alertmanagerTimeout" ] 1573 "Deprecated upstream and no longer had any effect") 1574 ]; 1575 1576 options.services.prometheus = { 1577 1578 enable = mkEnableOption "Prometheus monitoring daemon"; 1579 1580 package = mkPackageOption pkgs "prometheus" { }; 1581 1582 port = mkOption { 1583 type = types.port; 1584 default = 9090; 1585 description = '' 1586 Port to listen on. 1587 ''; 1588 }; 1589 1590 listenAddress = mkOption { 1591 type = types.str; 1592 default = "0.0.0.0"; 1593 description = '' 1594 Address to listen on for the web interface, API, and telemetry. 1595 ''; 1596 }; 1597 1598 stateDir = mkOption { 1599 type = types.str; 1600 default = "prometheus2"; 1601 description = '' 1602 Directory below `/var/lib` to store Prometheus metrics data. 1603 This directory will be created automatically using systemd's StateDirectory mechanism. 1604 ''; 1605 }; 1606 1607 extraFlags = mkOption { 1608 type = types.listOf types.str; 1609 default = [ ]; 1610 description = '' 1611 Extra commandline options when launching Prometheus. 1612 ''; 1613 }; 1614 1615 enableReload = mkOption { 1616 default = false; 1617 type = types.bool; 1618 description = '' 1619 Reload prometheus when configuration file changes (instead of restart). 1620 1621 The following property holds: switching to a configuration 1622 (`switch-to-configuration`) that changes the prometheus 1623 configuration only finishes successfully when prometheus has finished 1624 loading the new configuration. 1625 ''; 1626 }; 1627 1628 enableAgentMode = mkEnableOption "agent mode"; 1629 1630 configText = mkOption { 1631 type = types.nullOr types.lines; 1632 default = null; 1633 description = '' 1634 If non-null, this option defines the text that is written to 1635 prometheus.yml. If null, the contents of prometheus.yml is generated 1636 from the structured config options. 1637 ''; 1638 }; 1639 1640 globalConfig = mkOption { 1641 type = promTypes.globalConfig; 1642 default = { }; 1643 description = '' 1644 Parameters that are valid in all configuration contexts. They 1645 also serve as defaults for other configuration sections 1646 ''; 1647 }; 1648 1649 remoteRead = mkOption { 1650 type = types.listOf promTypes.remote_read; 1651 default = [ ]; 1652 description = '' 1653 Parameters of the endpoints to query from. 1654 See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read) for more information. 1655 ''; 1656 }; 1657 1658 remoteWrite = mkOption { 1659 type = types.listOf promTypes.remote_write; 1660 default = [ ]; 1661 description = '' 1662 Parameters of the endpoints to send samples to. 1663 See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write) for more information. 1664 ''; 1665 }; 1666 1667 rules = mkOption { 1668 type = types.listOf types.str; 1669 default = [ ]; 1670 description = '' 1671 Alerting and/or Recording rules to evaluate at runtime. 1672 ''; 1673 }; 1674 1675 ruleFiles = mkOption { 1676 type = types.listOf types.path; 1677 default = [ ]; 1678 description = '' 1679 Any additional rules files to include in this configuration. 1680 ''; 1681 }; 1682 1683 scrapeConfigs = mkOption { 1684 type = types.listOf promTypes.scrape_config; 1685 default = [ ]; 1686 description = '' 1687 A list of scrape configurations. 1688 ''; 1689 }; 1690 1691 alertmanagers = mkOption { 1692 type = types.listOf types.attrs; 1693 example = literalExpression '' 1694 [ { 1695 scheme = "https"; 1696 path_prefix = "/alertmanager"; 1697 static_configs = [ { 1698 targets = [ 1699 "prometheus.domain.tld" 1700 ]; 1701 } ]; 1702 } ] 1703 ''; 1704 default = [ ]; 1705 description = '' 1706 A list of alertmanagers to send alerts to. 1707 See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config) for more information. 1708 ''; 1709 }; 1710 1711 alertmanagerNotificationQueueCapacity = mkOption { 1712 type = types.int; 1713 default = 10000; 1714 description = '' 1715 The capacity of the queue for pending alert manager notifications. 1716 ''; 1717 }; 1718 1719 webExternalUrl = mkOption { 1720 type = types.nullOr types.str; 1721 default = null; 1722 example = "https://example.com/"; 1723 description = '' 1724 The URL under which Prometheus is externally reachable (for example, 1725 if Prometheus is served via a reverse proxy). 1726 ''; 1727 }; 1728 1729 webConfigFile = mkOption { 1730 type = types.nullOr types.path; 1731 default = null; 1732 description = '' 1733 Specifies which file should be used as web.config.file and be passed on startup. 1734 See https://prometheus.io/docs/prometheus/latest/configuration/https/ for valid options. 1735 ''; 1736 }; 1737 1738 checkConfig = mkOption { 1739 type = with types; either bool (enum [ "syntax-only" ]); 1740 default = true; 1741 example = "syntax-only"; 1742 description = '' 1743 Check configuration with `promtool check`. The call to `promtool` is 1744 subject to sandboxing by Nix. 1745 1746 If you use credentials stored in external files 1747 (`password_file`, `bearer_token_file`, etc), 1748 they will not be visible to `promtool` 1749 and it will report errors, despite a correct configuration. 1750 To resolve this, you may set this option to `"syntax-only"` 1751 in order to only syntax check the Prometheus configuration. 1752 ''; 1753 }; 1754 1755 retentionTime = mkOption { 1756 type = types.nullOr types.str; 1757 default = null; 1758 example = "15d"; 1759 description = '' 1760 How long to retain samples in storage. 1761 ''; 1762 }; 1763 }; 1764 1765 config = mkIf cfg.enable { 1766 assertions = [ 1767 ( 1768 let 1769 # Match something with dots (an IPv4 address) or something ending in 1770 # a square bracket (an IPv6 addresses) followed by a port number. 1771 legacy = builtins.match "(.*\\..*|.*]):([[:digit:]]+)" cfg.listenAddress; 1772 in 1773 { 1774 assertion = legacy == null; 1775 message = '' 1776 Do not specify the port for Prometheus to listen on in the 1777 listenAddress option; use the port option instead: 1778 services.prometheus.listenAddress = ${builtins.elemAt legacy 0}; 1779 services.prometheus.port = ${builtins.elemAt legacy 1}; 1780 ''; 1781 } 1782 ) 1783 ]; 1784 1785 users.groups.prometheus.gid = config.ids.gids.prometheus; 1786 users.users.prometheus = { 1787 description = "Prometheus daemon user"; 1788 uid = config.ids.uids.prometheus; 1789 group = "prometheus"; 1790 }; 1791 environment.etc."prometheus/prometheus.yaml" = mkIf cfg.enableReload { 1792 source = prometheusYml; 1793 }; 1794 systemd.services.prometheus = { 1795 wantedBy = [ "multi-user.target" ]; 1796 after = [ "network.target" ]; 1797 serviceConfig = { 1798 ExecStart = "${cfg.package}/bin/prometheus" + 1799 optionalString (length cmdlineArgs != 0) (" \\\n " + 1800 concatStringsSep " \\\n " cmdlineArgs); 1801 ExecReload = mkIf cfg.enableReload "+${reload}/bin/reload-prometheus"; 1802 User = "prometheus"; 1803 Restart = "always"; 1804 RuntimeDirectory = "prometheus"; 1805 RuntimeDirectoryMode = "0700"; 1806 WorkingDirectory = workingDir; 1807 StateDirectory = cfg.stateDir; 1808 StateDirectoryMode = "0700"; 1809 # Hardening 1810 AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; 1811 CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ]; 1812 DeviceAllow = [ "/dev/null rw" ]; 1813 DevicePolicy = "strict"; 1814 LockPersonality = true; 1815 MemoryDenyWriteExecute = true; 1816 NoNewPrivileges = true; 1817 PrivateDevices = true; 1818 PrivateTmp = true; 1819 PrivateUsers = true; 1820 ProtectClock = true; 1821 ProtectControlGroups = true; 1822 ProtectHome = true; 1823 ProtectHostname = true; 1824 ProtectKernelLogs = true; 1825 ProtectKernelModules = true; 1826 ProtectKernelTunables = true; 1827 ProtectProc = "invisible"; 1828 ProtectSystem = "full"; 1829 RemoveIPC = true; 1830 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; 1831 RestrictNamespaces = true; 1832 RestrictRealtime = true; 1833 RestrictSUIDSGID = true; 1834 SystemCallArchitectures = "native"; 1835 SystemCallFilter = [ "@system-service" "~@privileged" ]; 1836 }; 1837 }; 1838 # prometheus-config-reload will activate after prometheus. However, what we 1839 # don't want is that on startup it immediately reloads prometheus because 1840 # prometheus itself might have just started. 1841 # 1842 # Instead we only want to reload prometheus when the config file has 1843 # changed. So on startup prometheus-config-reload will just output a 1844 # harmless message and then stay active (RemainAfterExit). 1845 # 1846 # Then, when the config file has changed, switch-to-configuration notices 1847 # that this service has changed (restartTriggers) and needs to be reloaded 1848 # (reloadIfChanged). The reload command then reloads prometheus. 1849 systemd.services.prometheus-config-reload = mkIf cfg.enableReload { 1850 wantedBy = [ "prometheus.service" ]; 1851 after = [ "prometheus.service" ]; 1852 reloadIfChanged = true; 1853 restartTriggers = [ prometheusYml ]; 1854 serviceConfig = { 1855 Type = "oneshot"; 1856 RemainAfterExit = true; 1857 TimeoutSec = 60; 1858 ExecStart = "${pkgs.logger}/bin/logger 'prometheus-config-reload will only reload prometheus when reloaded itself.'"; 1859 ExecReload = [ "${triggerReload}/bin/trigger-reload-prometheus" ]; 1860 }; 1861 }; 1862 }; 1863}