pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / monitoring / prometheus / default.nix
at 25.11-pre 64 kB view raw
1{ 2 config, 3 pkgs, 4 lib, 5 ... 6}: 7 8with lib; 9 10let 11 yaml = pkgs.formats.yaml { }; 12 cfg = config.services.prometheus; 13 checkConfigEnabled = 14 (lib.isBool cfg.checkConfig && cfg.checkConfig) || cfg.checkConfig == "syntax-only"; 15 16 workingDir = "/var/lib/" + cfg.stateDir; 17 18 triggerReload = pkgs.writeShellScriptBin "trigger-reload-prometheus" '' 19 PATH="${makeBinPath (with pkgs; [ systemd ])}" 20 if systemctl -q is-active prometheus.service; then 21 systemctl reload prometheus.service 22 fi 23 ''; 24 25 reload = pkgs.writeShellScriptBin "reload-prometheus" '' 26 PATH="${ 27 makeBinPath ( 28 with pkgs; 29 [ 30 systemd 31 coreutils 32 gnugrep 33 ] 34 ) 35 }" 36 cursor=$(journalctl --show-cursor -n0 | grep -oP "cursor: \K.*") 37 kill -HUP $MAINPID 38 journalctl -u prometheus.service --after-cursor="$cursor" -f \ 39 | grep -m 1 "Completed loading of configuration file" > /dev/null 40 ''; 41 42 # a wrapper that verifies that the configuration is valid 43 promtoolCheck = 44 what: name: file: 45 if checkConfigEnabled then 46 pkgs.runCommand "${name}-${replaceStrings [ " " ] [ "" ] what}-checked" 47 { 48 preferLocalBuild = true; 49 nativeBuildInputs = [ cfg.package.cli ]; 50 } 51 '' 52 ln -s ${file} $out 53 promtool ${what} $out 54 '' 55 else 56 file; 57 58 generatedPrometheusYml = yaml.generate "prometheus.yml" promConfig; 59 60 # This becomes the main config file for Prometheus 61 promConfig = { 62 global = filterValidPrometheus cfg.globalConfig; 63 scrape_configs = filterValidPrometheus cfg.scrapeConfigs; 64 remote_write = filterValidPrometheus cfg.remoteWrite; 65 remote_read = filterValidPrometheus cfg.remoteRead; 66 rule_files = optionals (!(cfg.enableAgentMode)) ( 67 map (promtoolCheck "check rules" "rules") ( 68 cfg.ruleFiles 69 ++ [ 70 (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg.rules)) 71 ] 72 ) 73 ); 74 alerting = { 75 inherit (cfg) alertmanagers; 76 }; 77 }; 78 79 prometheusYml = 80 let 81 yml = 82 if cfg.configText != null then 83 pkgs.writeText "prometheus.yml" cfg.configText 84 else 85 generatedPrometheusYml; 86 in 87 promtoolCheck "check config ${ 88 lib.optionalString (cfg.checkConfig == "syntax-only") "--syntax-only" 89 }" "prometheus.yml" yml; 90 91 cmdlineArgs = 92 cfg.extraFlags 93 ++ [ 94 "--config.file=${if cfg.enableReload then "/etc/prometheus/prometheus.yaml" else prometheusYml}" 95 "--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}" 96 ] 97 ++ ( 98 if (cfg.enableAgentMode) then 99 [ 100 "--enable-feature=agent" 101 ] 102 else 103 [ 104 "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" 105 "--storage.tsdb.path=${workingDir}/data/" 106 ] 107 ) 108 ++ optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}" 109 ++ optional (cfg.retentionTime != null) "--storage.tsdb.retention.time=${cfg.retentionTime}" 110 ++ optional (cfg.webConfigFile != null) "--web.config.file=${cfg.webConfigFile}"; 111 112 filterValidPrometheus = filterAttrsListRecursive (n: v: !(n == "_module" || v == null)); 113 filterAttrsListRecursive = 114 pred: x: 115 if isAttrs x then 116 listToAttrs ( 117 concatMap ( 118 name: 119 let 120 v = x.${name}; 121 in 122 if pred name v then 123 [ 124 (nameValuePair name (filterAttrsListRecursive pred v)) 125 ] 126 else 127 [ ] 128 ) (attrNames x) 129 ) 130 else if isList x then 131 map (filterAttrsListRecursive pred) x 132 else 133 x; 134 135 # 136 # Config types: helper functions 137 # 138 139 mkDefOpt = 140 type: defaultStr: description: 141 mkOpt type ( 142 description 143 + '' 144 145 Defaults to ````${defaultStr}```` in prometheus 146 when set to `null`. 147 '' 148 ); 149 150 mkOpt = 151 type: description: 152 mkOption { 153 type = types.nullOr type; 154 default = null; 155 description = description; 156 }; 157 158 mkSdConfigModule = 159 extraOptions: 160 types.submodule { 161 options = { 162 basic_auth = mkOpt promTypes.basic_auth '' 163 Optional HTTP basic authentication information. 164 ''; 165 166 authorization = 167 mkOpt 168 (types.submodule { 169 options = { 170 type = mkDefOpt types.str "Bearer" '' 171 Sets the authentication type. 172 ''; 173 174 credentials = mkOpt types.str '' 175 Sets the credentials. It is mutually exclusive with `credentials_file`. 176 ''; 177 178 credentials_file = mkOpt types.str '' 179 Sets the credentials to the credentials read from the configured file. 180 It is mutually exclusive with `credentials`. 181 ''; 182 }; 183 }) 184 '' 185 Optional `Authorization` header configuration. 186 ''; 187 188 oauth2 = mkOpt promtypes.oauth2 '' 189 Optional OAuth 2.0 configuration. 190 Cannot be used at the same time as basic_auth or authorization. 191 ''; 192 193 proxy_url = mkOpt types.str '' 194 Optional proxy URL. 195 ''; 196 197 follow_redirects = mkDefOpt types.bool "true" '' 198 Configure whether HTTP requests follow HTTP 3xx redirects. 199 ''; 200 201 tls_config = mkOpt promTypes.tls_config '' 202 TLS configuration. 203 ''; 204 } // extraOptions; 205 }; 206 207 # 208 # Config types: general 209 # 210 211 promTypes.globalConfig = types.submodule { 212 options = { 213 scrape_interval = mkDefOpt types.str "1m" '' 214 How frequently to scrape targets by default. 215 ''; 216 217 scrape_timeout = mkDefOpt types.str "10s" '' 218 How long until a scrape request times out. 219 ''; 220 221 evaluation_interval = mkDefOpt types.str "1m" '' 222 How frequently to evaluate rules by default. 223 ''; 224 225 external_labels = mkOpt (types.attrsOf types.str) '' 226 The labels to add to any time series or alerts when 227 communicating with external systems (federation, remote 228 storage, Alertmanager). 229 ''; 230 231 query_log_file = mkOpt types.str '' 232 Path to the file prometheus should write its query log to. 233 ''; 234 }; 235 }; 236 237 promTypes.basic_auth = types.submodule { 238 options = { 239 username = mkOption { 240 type = types.str; 241 description = '' 242 HTTP username 243 ''; 244 }; 245 password = mkOpt types.str "HTTP password"; 246 password_file = mkOpt types.str "HTTP password file"; 247 }; 248 }; 249 250 promTypes.sigv4 = types.submodule { 251 options = { 252 region = mkOpt types.str '' 253 The AWS region. 254 ''; 255 access_key = mkOpt types.str '' 256 The Access Key ID. 257 ''; 258 secret_key = mkOpt types.str '' 259 The Secret Access Key. 260 ''; 261 profile = mkOpt types.str '' 262 The named AWS profile used to authenticate. 263 ''; 264 role_arn = mkOpt types.str '' 265 The AWS role ARN. 266 ''; 267 }; 268 }; 269 270 promTypes.tls_config = types.submodule { 271 options = { 272 ca_file = mkOpt types.str '' 273 CA certificate to validate API server certificate with. 274 ''; 275 276 cert_file = mkOpt types.str '' 277 Certificate file for client cert authentication to the server. 278 ''; 279 280 key_file = mkOpt types.str '' 281 Key file for client cert authentication to the server. 282 ''; 283 284 server_name = mkOpt types.str '' 285 ServerName extension to indicate the name of the server. 286 http://tools.ietf.org/html/rfc4366#section-3.1 287 ''; 288 289 insecure_skip_verify = mkOpt types.bool '' 290 Disable validation of the server certificate. 291 ''; 292 }; 293 }; 294 295 promtypes.oauth2 = types.submodule { 296 options = { 297 client_id = mkOpt types.str '' 298 OAuth client ID. 299 ''; 300 301 client_secret = mkOpt types.str '' 302 OAuth client secret. 303 ''; 304 305 client_secret_file = mkOpt types.str '' 306 Read the client secret from a file. It is mutually exclusive with `client_secret`. 307 ''; 308 309 scopes = mkOpt (types.listOf types.str) '' 310 Scopes for the token request. 311 ''; 312 313 token_url = mkOpt types.str '' 314 The URL to fetch the token from. 315 ''; 316 317 endpoint_params = mkOpt (types.attrsOf types.str) '' 318 Optional parameters to append to the token URL. 319 ''; 320 }; 321 }; 322 323 # https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config 324 promTypes.scrape_config = types.submodule { 325 options = { 326 authorization = mkOption { 327 type = types.nullOr types.attrs; 328 default = null; 329 description = '' 330 Sets the `Authorization` header on every scrape request with the configured credentials. 331 ''; 332 }; 333 job_name = mkOption { 334 type = types.str; 335 description = '' 336 The job name assigned to scraped metrics by default. 337 ''; 338 }; 339 scrape_interval = mkOpt types.str '' 340 How frequently to scrape targets from this job. Defaults to the 341 globally configured default. 342 ''; 343 344 scrape_timeout = mkOpt types.str '' 345 Per-target timeout when scraping this job. Defaults to the 346 globally configured default. 347 ''; 348 349 scrape_protocols = mkOpt (types.listOf types.str) '' 350 The protocols to negotiate during a scrape with the client. 351 ''; 352 353 fallback_scrape_protocol = mkOpt types.str '' 354 Fallback protocol to use if a scrape returns blank, unparseable, or otherwise 355 invalid Content-Type. 356 ''; 357 358 metrics_path = mkDefOpt types.str "/metrics" '' 359 The HTTP resource path on which to fetch metrics from targets. 360 ''; 361 362 honor_labels = mkDefOpt types.bool "false" '' 363 Controls how Prometheus handles conflicts between labels 364 that are already present in scraped data and labels that 365 Prometheus would attach server-side ("job" and "instance" 366 labels, manually configured target labels, and labels 367 generated by service discovery implementations). 368 369 If honor_labels is set to "true", label conflicts are 370 resolved by keeping label values from the scraped data and 371 ignoring the conflicting server-side labels. 372 373 If honor_labels is set to "false", label conflicts are 374 resolved by renaming conflicting labels in the scraped data 375 to "exported_\<original-label\>" (for example 376 "exported_instance", "exported_job") and then attaching 377 server-side labels. This is useful for use cases such as 378 federation, where all labels specified in the target should 379 be preserved. 380 ''; 381 382 honor_timestamps = mkDefOpt types.bool "true" '' 383 honor_timestamps controls whether Prometheus respects the timestamps present 384 in scraped data. 385 386 If honor_timestamps is set to `true`, the timestamps of the metrics exposed 387 by the target will be used. 388 389 If honor_timestamps is set to `false`, the timestamps of the metrics exposed 390 by the target will be ignored. 391 ''; 392 393 scheme = 394 mkDefOpt 395 (types.enum [ 396 "http" 397 "https" 398 ]) 399 "http" 400 '' 401 The URL scheme with which to fetch metrics from targets. 402 ''; 403 404 params = mkOpt (types.attrsOf (types.listOf types.str)) '' 405 Optional HTTP URL parameters. 406 ''; 407 408 basic_auth = mkOpt promTypes.basic_auth '' 409 Sets the `Authorization` header on every scrape request with the 410 configured username and password. 411 password and password_file are mutually exclusive. 412 ''; 413 414 bearer_token = mkOpt types.str '' 415 Sets the `Authorization` header on every scrape request with 416 the configured bearer token. It is mutually exclusive with 417 {option}`bearer_token_file`. 418 ''; 419 420 bearer_token_file = mkOpt types.str '' 421 Sets the `Authorization` header on every scrape request with 422 the bearer token read from the configured file. It is mutually 423 exclusive with {option}`bearer_token`. 424 ''; 425 426 tls_config = mkOpt promTypes.tls_config '' 427 Configures the scrape request's TLS settings. 428 ''; 429 430 proxy_url = mkOpt types.str '' 431 Optional proxy URL. 432 ''; 433 434 azure_sd_configs = mkOpt (types.listOf promTypes.azure_sd_config) '' 435 List of Azure service discovery configurations. 436 ''; 437 438 consul_sd_configs = mkOpt (types.listOf promTypes.consul_sd_config) '' 439 List of Consul service discovery configurations. 440 ''; 441 442 digitalocean_sd_configs = mkOpt (types.listOf promTypes.digitalocean_sd_config) '' 443 List of DigitalOcean service discovery configurations. 444 ''; 445 446 docker_sd_configs = mkOpt (types.listOf promTypes.docker_sd_config) '' 447 List of Docker service discovery configurations. 448 ''; 449 450 dockerswarm_sd_configs = mkOpt (types.listOf promTypes.dockerswarm_sd_config) '' 451 List of Docker Swarm service discovery configurations. 452 ''; 453 454 dns_sd_configs = mkOpt (types.listOf promTypes.dns_sd_config) '' 455 List of DNS service discovery configurations. 456 ''; 457 458 ec2_sd_configs = mkOpt (types.listOf promTypes.ec2_sd_config) '' 459 List of EC2 service discovery configurations. 460 ''; 461 462 eureka_sd_configs = mkOpt (types.listOf promTypes.eureka_sd_config) '' 463 List of Eureka service discovery configurations. 464 ''; 465 466 file_sd_configs = mkOpt (types.listOf promTypes.file_sd_config) '' 467 List of file service discovery configurations. 468 ''; 469 470 gce_sd_configs = mkOpt (types.listOf promTypes.gce_sd_config) '' 471 List of Google Compute Engine service discovery configurations. 472 473 See [the relevant Prometheus configuration docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config) 474 for more detail. 475 ''; 476 477 hetzner_sd_configs = mkOpt (types.listOf promTypes.hetzner_sd_config) '' 478 List of Hetzner service discovery configurations. 479 ''; 480 481 http_sd_configs = mkOpt (types.listOf promTypes.http_sd_config) '' 482 List of HTTP service discovery configurations. 483 ''; 484 485 kubernetes_sd_configs = mkOpt (types.listOf promTypes.kubernetes_sd_config) '' 486 List of Kubernetes service discovery configurations. 487 ''; 488 489 kuma_sd_configs = mkOpt (types.listOf promTypes.kuma_sd_config) '' 490 List of Kuma service discovery configurations. 491 ''; 492 493 lightsail_sd_configs = mkOpt (types.listOf promTypes.lightsail_sd_config) '' 494 List of Lightsail service discovery configurations. 495 ''; 496 497 linode_sd_configs = mkOpt (types.listOf promTypes.linode_sd_config) '' 498 List of Linode service discovery configurations. 499 ''; 500 501 marathon_sd_configs = mkOpt (types.listOf promTypes.marathon_sd_config) '' 502 List of Marathon service discovery configurations. 503 ''; 504 505 nerve_sd_configs = mkOpt (types.listOf promTypes.nerve_sd_config) '' 506 List of AirBnB's Nerve service discovery configurations. 507 ''; 508 509 openstack_sd_configs = mkOpt (types.listOf promTypes.openstack_sd_config) '' 510 List of OpenStack service discovery configurations. 511 ''; 512 513 puppetdb_sd_configs = mkOpt (types.listOf promTypes.puppetdb_sd_config) '' 514 List of PuppetDB service discovery configurations. 515 ''; 516 517 scaleway_sd_configs = mkOpt (types.listOf promTypes.scaleway_sd_config) '' 518 List of Scaleway service discovery configurations. 519 ''; 520 521 serverset_sd_configs = mkOpt (types.listOf promTypes.serverset_sd_config) '' 522 List of Zookeeper Serverset service discovery configurations. 523 ''; 524 525 triton_sd_configs = mkOpt (types.listOf promTypes.triton_sd_config) '' 526 List of Triton Serverset service discovery configurations. 527 ''; 528 529 uyuni_sd_configs = mkOpt (types.listOf promTypes.uyuni_sd_config) '' 530 List of Uyuni Serverset service discovery configurations. 531 ''; 532 533 static_configs = mkOpt (types.listOf promTypes.static_config) '' 534 List of labeled target groups for this job. 535 ''; 536 537 relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 538 List of relabel configurations. 539 ''; 540 541 metric_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 542 List of metric relabel configurations. 543 ''; 544 545 body_size_limit = mkDefOpt types.str "0" '' 546 An uncompressed response body larger than this many bytes will cause the 547 scrape to fail. 0 means no limit. Example: 100MB. 548 This is an experimental feature, this behaviour could 549 change or be removed in the future. 550 ''; 551 552 sample_limit = mkDefOpt types.int "0" '' 553 Per-scrape limit on number of scraped samples that will be accepted. 554 If more than this number of samples are present after metric relabelling 555 the entire scrape will be treated as failed. 0 means no limit. 556 ''; 557 558 label_limit = mkDefOpt types.int "0" '' 559 Per-scrape limit on number of labels that will be accepted for a sample. If 560 more than this number of labels are present post metric-relabeling, the 561 entire scrape will be treated as failed. 0 means no limit. 562 ''; 563 564 label_name_length_limit = mkDefOpt types.int "0" '' 565 Per-scrape limit on length of labels name that will be accepted for a sample. 566 If a label name is longer than this number post metric-relabeling, the entire 567 scrape will be treated as failed. 0 means no limit. 568 ''; 569 570 label_value_length_limit = mkDefOpt types.int "0" '' 571 Per-scrape limit on length of labels value that will be accepted for a sample. 572 If a label value is longer than this number post metric-relabeling, the 573 entire scrape will be treated as failed. 0 means no limit. 574 ''; 575 576 target_limit = mkDefOpt types.int "0" '' 577 Per-scrape config limit on number of unique targets that will be 578 accepted. If more than this number of targets are present after target 579 relabeling, Prometheus will mark the targets as failed without scraping them. 580 0 means no limit. This is an experimental feature, this behaviour could 581 change in the future. 582 ''; 583 }; 584 }; 585 586 # 587 # Config types: service discovery 588 # 589 590 # For this one, the docs actually define all types needed to use mkSdConfigModule, but a bunch 591 # of them are marked with 'currently not support by Azure' so we don't bother adding them in 592 # here. 593 promTypes.azure_sd_config = types.submodule { 594 options = { 595 environment = mkDefOpt types.str "AzurePublicCloud" '' 596 The Azure environment. 597 ''; 598 599 authentication_method = 600 mkDefOpt 601 (types.enum [ 602 "OAuth" 603 "ManagedIdentity" 604 ]) 605 "OAuth" 606 '' 607 The authentication method, either OAuth or ManagedIdentity. 608 See <https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview> 609 ''; 610 611 subscription_id = mkOption { 612 type = types.str; 613 description = '' 614 The subscription ID. 615 ''; 616 }; 617 618 tenant_id = mkOpt types.str '' 619 Optional tenant ID. Only required with authentication_method OAuth. 620 ''; 621 622 client_id = mkOpt types.str '' 623 Optional client ID. Only required with authentication_method OAuth. 624 ''; 625 626 client_secret = mkOpt types.str '' 627 Optional client secret. Only required with authentication_method OAuth. 628 ''; 629 630 refresh_interval = mkDefOpt types.str "300s" '' 631 Refresh interval to re-read the instance list. 632 ''; 633 634 port = mkDefOpt types.port "80" '' 635 The port to scrape metrics from. If using the public IP 636 address, this must instead be specified in the relabeling 637 rule. 638 ''; 639 640 proxy_url = mkOpt types.str '' 641 Optional proxy URL. 642 ''; 643 644 follow_redirects = mkDefOpt types.bool "true" '' 645 Configure whether HTTP requests follow HTTP 3xx redirects. 646 ''; 647 648 tls_config = mkOpt promTypes.tls_config '' 649 TLS configuration. 650 ''; 651 }; 652 }; 653 654 promTypes.consul_sd_config = mkSdConfigModule { 655 server = mkDefOpt types.str "localhost:8500" '' 656 Consul server to query. 657 ''; 658 659 token = mkOpt types.str "Consul token"; 660 661 datacenter = mkOpt types.str "Consul datacenter"; 662 663 scheme = mkDefOpt types.str "http" "Consul scheme"; 664 665 username = mkOpt types.str "Consul username"; 666 667 password = mkOpt types.str "Consul password"; 668 669 tls_config = mkOpt promTypes.tls_config '' 670 Configures the Consul request's TLS settings. 671 ''; 672 673 services = mkOpt (types.listOf types.str) '' 674 A list of services for which targets are retrieved. 675 ''; 676 677 tags = mkOpt (types.listOf types.str) '' 678 An optional list of tags used to filter nodes for a given 679 service. Services must contain all tags in the list. 680 ''; 681 682 node_meta = mkOpt (types.attrsOf types.str) '' 683 Node metadata used to filter nodes for a given service. 684 ''; 685 686 tag_separator = mkDefOpt types.str "," '' 687 The string by which Consul tags are joined into the tag label. 688 ''; 689 690 allow_stale = mkOpt types.bool '' 691 Allow stale Consul results 692 (see <https://www.consul.io/api/index.html#consistency-modes>). 693 694 Will reduce load on Consul. 695 ''; 696 697 refresh_interval = mkDefOpt types.str "30s" '' 698 The time after which the provided names are refreshed. 699 700 On large setup it might be a good idea to increase this value 701 because the catalog will change all the time. 702 ''; 703 }; 704 705 promTypes.digitalocean_sd_config = mkSdConfigModule { 706 port = mkDefOpt types.port "80" '' 707 The port to scrape metrics from. 708 ''; 709 710 refresh_interval = mkDefOpt types.str "60s" '' 711 The time after which the droplets are refreshed. 712 ''; 713 }; 714 715 mkDockerSdConfigModule = 716 extraOptions: 717 mkSdConfigModule ( 718 { 719 host = mkOption { 720 type = types.str; 721 description = '' 722 Address of the Docker daemon. 723 ''; 724 }; 725 726 port = mkDefOpt types.port "80" '' 727 The port to scrape metrics from, when `role` is nodes, and for discovered 728 tasks and services that don't have published ports. 729 ''; 730 731 filters = 732 mkOpt 733 (types.listOf ( 734 types.submodule { 735 options = { 736 name = mkOption { 737 type = types.str; 738 description = '' 739 Name of the filter. The available filters are listed in the upstream documentation: 740 Services: <https://docs.docker.com/engine/api/v1.40/#operation/ServiceList> 741 Tasks: <https://docs.docker.com/engine/api/v1.40/#operation/TaskList> 742 Nodes: <https://docs.docker.com/engine/api/v1.40/#operation/NodeList> 743 ''; 744 }; 745 values = mkOption { 746 type = types.str; 747 description = '' 748 Value for the filter. 749 ''; 750 }; 751 }; 752 } 753 )) 754 '' 755 Optional filters to limit the discovery process to a subset of available resources. 756 ''; 757 758 refresh_interval = mkDefOpt types.str "60s" '' 759 The time after which the containers are refreshed. 760 ''; 761 } 762 // extraOptions 763 ); 764 765 promTypes.docker_sd_config = mkDockerSdConfigModule { 766 host_networking_host = mkDefOpt types.str "localhost" '' 767 The host to use if the container is in host networking mode. 768 ''; 769 }; 770 771 promTypes.dockerswarm_sd_config = mkDockerSdConfigModule { 772 role = mkOption { 773 type = types.enum [ 774 "services" 775 "tasks" 776 "nodes" 777 ]; 778 description = '' 779 Role of the targets to retrieve. Must be `services`, `tasks`, or `nodes`. 780 ''; 781 }; 782 }; 783 784 promTypes.dns_sd_config = types.submodule { 785 options = { 786 names = mkOption { 787 type = types.listOf types.str; 788 description = '' 789 A list of DNS SRV record names to be queried. 790 ''; 791 }; 792 793 type = 794 mkDefOpt 795 (types.enum [ 796 "SRV" 797 "A" 798 "AAAA" 799 "MX" 800 "NS" 801 ]) 802 "SRV" 803 '' 804 The type of DNS query to perform. 805 ''; 806 807 port = mkOpt types.port '' 808 The port number used if the query type is not SRV. 809 ''; 810 811 refresh_interval = mkDefOpt types.str "30s" '' 812 The time after which the provided names are refreshed. 813 ''; 814 }; 815 }; 816 817 promTypes.ec2_sd_config = types.submodule { 818 options = { 819 region = mkOption { 820 type = types.str; 821 description = '' 822 The AWS Region. If blank, the region from the instance metadata is used. 823 ''; 824 }; 825 endpoint = mkOpt types.str '' 826 Custom endpoint to be used. 827 ''; 828 829 access_key = mkOpt types.str '' 830 The AWS API key id. If blank, the environment variable 831 `AWS_ACCESS_KEY_ID` is used. 832 ''; 833 834 secret_key = mkOpt types.str '' 835 The AWS API key secret. If blank, the environment variable 836 `AWS_SECRET_ACCESS_KEY` is used. 837 ''; 838 839 profile = mkOpt types.str '' 840 Named AWS profile used to connect to the API. 841 ''; 842 843 role_arn = mkOpt types.str '' 844 AWS Role ARN, an alternative to using AWS API keys. 845 ''; 846 847 refresh_interval = mkDefOpt types.str "60s" '' 848 Refresh interval to re-read the instance list. 849 ''; 850 851 port = mkDefOpt types.port "80" '' 852 The port to scrape metrics from. If using the public IP 853 address, this must instead be specified in the relabeling 854 rule. 855 ''; 856 857 filters = 858 mkOpt 859 (types.listOf ( 860 types.submodule { 861 options = { 862 name = mkOption { 863 type = types.str; 864 description = '' 865 See [this list](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html) 866 for the available filters. 867 ''; 868 }; 869 870 values = mkOption { 871 type = types.listOf types.str; 872 default = [ ]; 873 description = '' 874 Value of the filter. 875 ''; 876 }; 877 }; 878 } 879 )) 880 '' 881 Filters can be used optionally to filter the instance list by other criteria. 882 ''; 883 }; 884 }; 885 886 promTypes.eureka_sd_config = mkSdConfigModule { 887 server = mkOption { 888 type = types.str; 889 description = '' 890 The URL to connect to the Eureka server. 891 ''; 892 }; 893 }; 894 895 promTypes.file_sd_config = types.submodule { 896 options = { 897 files = mkOption { 898 type = types.listOf types.str; 899 description = '' 900 Patterns for files from which target groups are extracted. Refer 901 to the Prometheus documentation for permitted filename patterns 902 and formats. 903 ''; 904 }; 905 906 refresh_interval = mkDefOpt types.str "5m" '' 907 Refresh interval to re-read the files. 908 ''; 909 }; 910 }; 911 912 promTypes.gce_sd_config = types.submodule { 913 options = { 914 # Use `mkOption` instead of `mkOpt` for project and zone because they are 915 # required configuration values for `gce_sd_config`. 916 project = mkOption { 917 type = types.str; 918 description = '' 919 The GCP Project. 920 ''; 921 }; 922 923 zone = mkOption { 924 type = types.str; 925 description = '' 926 The zone of the scrape targets. If you need multiple zones use multiple 927 gce_sd_configs. 928 ''; 929 }; 930 931 filter = mkOpt types.str '' 932 Filter can be used optionally to filter the instance list by other 933 criteria Syntax of this filter string is described here in the filter 934 query parameter section: <https://cloud.google.com/compute/docs/reference/latest/instances/list>. 935 ''; 936 937 refresh_interval = mkDefOpt types.str "60s" '' 938 Refresh interval to re-read the cloud instance list. 939 ''; 940 941 port = mkDefOpt types.port "80" '' 942 The port to scrape metrics from. If using the public IP address, this 943 must instead be specified in the relabeling rule. 944 ''; 945 946 tag_separator = mkDefOpt types.str "," '' 947 The tag separator used to separate concatenated GCE instance network tags. 948 949 See the GCP documentation on network tags for more information: 950 <https://cloud.google.com/vpc/docs/add-remove-network-tags> 951 ''; 952 }; 953 }; 954 955 promTypes.hetzner_sd_config = mkSdConfigModule { 956 role = mkOption { 957 type = types.enum [ 958 "robot" 959 "hcloud" 960 ]; 961 description = '' 962 The Hetzner role of entities that should be discovered. 963 One of `robot` or `hcloud`. 964 ''; 965 }; 966 967 port = mkDefOpt types.port "80" '' 968 The port to scrape metrics from. 969 ''; 970 971 refresh_interval = mkDefOpt types.str "60s" '' 972 The time after which the servers are refreshed. 973 ''; 974 }; 975 976 promTypes.http_sd_config = types.submodule { 977 options = { 978 url = mkOption { 979 type = types.str; 980 description = '' 981 URL from which the targets are fetched. 982 ''; 983 }; 984 985 refresh_interval = mkDefOpt types.str "60s" '' 986 Refresh interval to re-query the endpoint. 987 ''; 988 989 basic_auth = mkOpt promTypes.basic_auth '' 990 Authentication information used to authenticate to the API server. 991 password and password_file are mutually exclusive. 992 ''; 993 994 proxy_url = mkOpt types.str '' 995 Optional proxy URL. 996 ''; 997 998 follow_redirects = mkDefOpt types.bool "true" '' 999 Configure whether HTTP requests follow HTTP 3xx redirects. 1000 ''; 1001 1002 tls_config = mkOpt promTypes.tls_config '' 1003 Configures the scrape request's TLS settings. 1004 ''; 1005 }; 1006 }; 1007 1008 promTypes.kubernetes_sd_config = mkSdConfigModule { 1009 api_server = mkOpt types.str '' 1010 The API server addresses. If left empty, Prometheus is assumed to run inside 1011 of the cluster and will discover API servers automatically and use the pod's 1012 CA certificate and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/. 1013 ''; 1014 1015 role = mkOption { 1016 type = types.enum [ 1017 "endpoints" 1018 "service" 1019 "pod" 1020 "node" 1021 "ingress" 1022 ]; 1023 description = '' 1024 The Kubernetes role of entities that should be discovered. 1025 One of endpoints, service, pod, node, or ingress. 1026 ''; 1027 }; 1028 1029 kubeconfig_file = mkOpt types.str '' 1030 Optional path to a kubeconfig file. 1031 Note that api_server and kube_config are mutually exclusive. 1032 ''; 1033 1034 namespaces = 1035 mkOpt 1036 (types.submodule { 1037 options = { 1038 names = mkOpt (types.listOf types.str) '' 1039 Namespace name. 1040 ''; 1041 }; 1042 }) 1043 '' 1044 Optional namespace discovery. If omitted, all namespaces are used. 1045 ''; 1046 1047 selectors = 1048 mkOpt 1049 (types.listOf ( 1050 types.submodule { 1051 options = { 1052 role = mkOption { 1053 type = types.str; 1054 description = '' 1055 Selector role 1056 ''; 1057 }; 1058 1059 label = mkOpt types.str '' 1060 Selector label 1061 ''; 1062 1063 field = mkOpt types.str '' 1064 Selector field 1065 ''; 1066 }; 1067 } 1068 )) 1069 '' 1070 Optional label and field selectors to limit the discovery process to a subset of available resources. 1071 See <https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/> 1072 and <https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/> to learn more about the possible 1073 filters that can be used. Endpoints role supports pod, service and endpoints selectors, other roles 1074 only support selectors matching the role itself (e.g. node role can only contain node selectors). 1075 1076 Note: When making decision about using field/label selector make sure that this 1077 is the best approach - it will prevent Prometheus from reusing single list/watch 1078 for all scrape configs. This might result in a bigger load on the Kubernetes API, 1079 because per each selector combination there will be additional LIST/WATCH. On the other hand, 1080 if you just want to monitor small subset of pods in large cluster it's recommended to use selectors. 1081 Decision, if selectors should be used or not depends on the particular situation. 1082 ''; 1083 }; 1084 1085 promTypes.kuma_sd_config = mkSdConfigModule { 1086 server = mkOption { 1087 type = types.str; 1088 description = '' 1089 Address of the Kuma Control Plane's MADS xDS server. 1090 ''; 1091 }; 1092 1093 refresh_interval = mkDefOpt types.str "30s" '' 1094 The time to wait between polling update requests. 1095 ''; 1096 1097 fetch_timeout = mkDefOpt types.str "2m" '' 1098 The time after which the monitoring assignments are refreshed. 1099 ''; 1100 }; 1101 1102 promTypes.lightsail_sd_config = types.submodule { 1103 options = { 1104 region = mkOpt types.str '' 1105 The AWS region. If blank, the region from the instance metadata is used. 1106 ''; 1107 1108 endpoint = mkOpt types.str '' 1109 Custom endpoint to be used. 1110 ''; 1111 1112 access_key = mkOpt types.str '' 1113 The AWS API keys. If blank, the environment variable `AWS_ACCESS_KEY_ID` is used. 1114 ''; 1115 1116 secret_key = mkOpt types.str '' 1117 The AWS API keys. If blank, the environment variable `AWS_SECRET_ACCESS_KEY` is used. 1118 ''; 1119 1120 profile = mkOpt types.str '' 1121 Named AWS profile used to connect to the API. 1122 ''; 1123 1124 role_arn = mkOpt types.str '' 1125 AWS Role ARN, an alternative to using AWS API keys. 1126 ''; 1127 1128 refresh_interval = mkDefOpt types.str "60s" '' 1129 Refresh interval to re-read the instance list. 1130 ''; 1131 1132 port = mkDefOpt types.port "80" '' 1133 The port to scrape metrics from. If using the public IP address, this must 1134 instead be specified in the relabeling rule. 1135 ''; 1136 }; 1137 }; 1138 1139 promTypes.linode_sd_config = mkSdConfigModule { 1140 port = mkDefOpt types.port "80" '' 1141 The port to scrape metrics from. 1142 ''; 1143 1144 tag_separator = mkDefOpt types.str "," '' 1145 The string by which Linode Instance tags are joined into the tag label. 1146 ''; 1147 1148 refresh_interval = mkDefOpt types.str "60s" '' 1149 The time after which the linode instances are refreshed. 1150 ''; 1151 }; 1152 1153 promTypes.marathon_sd_config = mkSdConfigModule { 1154 servers = mkOption { 1155 type = types.listOf types.str; 1156 description = '' 1157 List of URLs to be used to contact Marathon servers. You need to provide at least one server URL. 1158 ''; 1159 }; 1160 1161 refresh_interval = mkDefOpt types.str "30s" '' 1162 Polling interval. 1163 ''; 1164 1165 auth_token = mkOpt types.str '' 1166 Optional authentication information for token-based authentication: 1167 <https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token> 1168 It is mutually exclusive with `auth_token_file` and other authentication mechanisms. 1169 ''; 1170 1171 auth_token_file = mkOpt types.str '' 1172 Optional authentication information for token-based authentication: 1173 <https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token> 1174 It is mutually exclusive with `auth_token` and other authentication mechanisms. 1175 ''; 1176 }; 1177 1178 promTypes.nerve_sd_config = types.submodule { 1179 options = { 1180 servers = mkOption { 1181 type = types.listOf types.str; 1182 description = '' 1183 The Zookeeper servers. 1184 ''; 1185 }; 1186 1187 paths = mkOption { 1188 type = types.listOf types.str; 1189 description = '' 1190 Paths can point to a single service, or the root of a tree of services. 1191 ''; 1192 }; 1193 1194 timeout = mkDefOpt types.str "10s" '' 1195 Timeout value. 1196 ''; 1197 }; 1198 }; 1199 1200 promTypes.openstack_sd_config = types.submodule { 1201 options = 1202 let 1203 userDescription = '' 1204 username is required if using Identity V2 API. Consult with your provider's 1205 control panel to discover your account's username. In Identity V3, either 1206 userid or a combination of username and domain_id or domain_name are needed. 1207 ''; 1208 1209 domainDescription = '' 1210 At most one of domain_id and domain_name must be provided if using username 1211 with Identity V3. Otherwise, either are optional. 1212 ''; 1213 1214 projectDescription = '' 1215 The project_id and project_name fields are optional for the Identity V2 API. 1216 Some providers allow you to specify a project_name instead of the project_id. 1217 Some require both. Your provider's authentication policies will determine 1218 how these fields influence authentication. 1219 ''; 1220 1221 applicationDescription = '' 1222 The application_credential_id or application_credential_name fields are 1223 required if using an application credential to authenticate. Some providers 1224 allow you to create an application credential to authenticate rather than a 1225 password. 1226 ''; 1227 in 1228 { 1229 role = mkOption { 1230 type = types.str; 1231 description = '' 1232 The OpenStack role of entities that should be discovered. 1233 ''; 1234 }; 1235 1236 region = mkOption { 1237 type = types.str; 1238 description = '' 1239 The OpenStack Region. 1240 ''; 1241 }; 1242 1243 identity_endpoint = mkOpt types.str '' 1244 identity_endpoint specifies the HTTP endpoint that is required to work with 1245 the Identity API of the appropriate version. While it's ultimately needed by 1246 all of the identity services, it will often be populated by a provider-level 1247 function. 1248 ''; 1249 1250 username = mkOpt types.str userDescription; 1251 userid = mkOpt types.str userDescription; 1252 1253 password = mkOpt types.str '' 1254 password for the Identity V2 and V3 APIs. Consult with your provider's 1255 control panel to discover your account's preferred method of authentication. 1256 ''; 1257 1258 domain_name = mkOpt types.str domainDescription; 1259 domain_id = mkOpt types.str domainDescription; 1260 1261 project_name = mkOpt types.str projectDescription; 1262 project_id = mkOpt types.str projectDescription; 1263 1264 application_credential_name = mkOpt types.str applicationDescription; 1265 application_credential_id = mkOpt types.str applicationDescription; 1266 1267 application_credential_secret = mkOpt types.str '' 1268 The application_credential_secret field is required if using an application 1269 credential to authenticate. 1270 ''; 1271 1272 all_tenants = mkDefOpt types.bool "false" '' 1273 Whether the service discovery should list all instances for all projects. 1274 It is only relevant for the 'instance' role and usually requires admin permissions. 1275 ''; 1276 1277 refresh_interval = mkDefOpt types.str "60s" '' 1278 Refresh interval to re-read the instance list. 1279 ''; 1280 1281 port = mkDefOpt types.port "80" '' 1282 The port to scrape metrics from. If using the public IP address, this must 1283 instead be specified in the relabeling rule. 1284 ''; 1285 1286 availability = 1287 mkDefOpt 1288 (types.enum [ 1289 "public" 1290 "admin" 1291 "internal" 1292 ]) 1293 "public" 1294 '' 1295 The availability of the endpoint to connect to. Must be one of public, admin or internal. 1296 ''; 1297 1298 tls_config = mkOpt promTypes.tls_config '' 1299 TLS configuration. 1300 ''; 1301 }; 1302 }; 1303 1304 promTypes.puppetdb_sd_config = mkSdConfigModule { 1305 url = mkOption { 1306 type = types.str; 1307 description = '' 1308 The URL of the PuppetDB root query endpoint. 1309 ''; 1310 }; 1311 1312 query = mkOption { 1313 type = types.str; 1314 description = '' 1315 Puppet Query Language (PQL) query. Only resources are supported. 1316 <https://puppet.com/docs/puppetdb/latest/api/query/v4/pql.html> 1317 ''; 1318 }; 1319 1320 include_parameters = mkDefOpt types.bool "false" '' 1321 Whether to include the parameters as meta labels. 1322 Due to the differences between parameter types and Prometheus labels, 1323 some parameters might not be rendered. The format of the parameters might 1324 also change in future releases. 1325 1326 Note: Enabling this exposes parameters in the Prometheus UI and API. Make sure 1327 that you don't have secrets exposed as parameters if you enable this. 1328 ''; 1329 1330 refresh_interval = mkDefOpt types.str "60s" '' 1331 Refresh interval to re-read the resources list. 1332 ''; 1333 1334 port = mkDefOpt types.port "80" '' 1335 The port to scrape metrics from. 1336 ''; 1337 }; 1338 1339 promTypes.scaleway_sd_config = types.submodule { 1340 options = { 1341 access_key = mkOption { 1342 type = types.str; 1343 description = '' 1344 Access key to use. <https://console.scaleway.com/project/credentials> 1345 ''; 1346 }; 1347 1348 secret_key = mkOpt types.str '' 1349 Secret key to use when listing targets. <https://console.scaleway.com/project/credentials> 1350 It is mutually exclusive with `secret_key_file`. 1351 ''; 1352 1353 secret_key_file = mkOpt types.str '' 1354 Sets the secret key with the credentials read from the configured file. 1355 It is mutually exclusive with `secret_key`. 1356 ''; 1357 1358 project_id = mkOption { 1359 type = types.str; 1360 description = '' 1361 Project ID of the targets. 1362 ''; 1363 }; 1364 1365 role = mkOption { 1366 type = types.enum [ 1367 "instance" 1368 "baremetal" 1369 ]; 1370 description = '' 1371 Role of the targets to retrieve. Must be `instance` or `baremetal`. 1372 ''; 1373 }; 1374 1375 port = mkDefOpt types.port "80" '' 1376 The port to scrape metrics from. 1377 ''; 1378 1379 api_url = mkDefOpt types.str "https://api.scaleway.com" '' 1380 API URL to use when doing the server listing requests. 1381 ''; 1382 1383 zone = mkDefOpt types.str "fr-par-1" '' 1384 Zone is the availability zone of your targets (e.g. fr-par-1). 1385 ''; 1386 1387 name_filter = mkOpt types.str '' 1388 Specify a name filter (works as a LIKE) to apply on the server listing request. 1389 ''; 1390 1391 tags_filter = mkOpt (types.listOf types.str) '' 1392 Specify a tag filter (a server needs to have all defined tags to be listed) to apply on the server listing request. 1393 ''; 1394 1395 refresh_interval = mkDefOpt types.str "60s" '' 1396 Refresh interval to re-read the managed targets list. 1397 ''; 1398 1399 proxy_url = mkOpt types.str '' 1400 Optional proxy URL. 1401 ''; 1402 1403 follow_redirects = mkDefOpt types.bool "true" '' 1404 Configure whether HTTP requests follow HTTP 3xx redirects. 1405 ''; 1406 1407 tls_config = mkOpt promTypes.tls_config '' 1408 TLS configuration. 1409 ''; 1410 }; 1411 }; 1412 1413 # These are exactly the same. 1414 promTypes.serverset_sd_config = promTypes.nerve_sd_config; 1415 1416 promTypes.triton_sd_config = types.submodule { 1417 options = { 1418 account = mkOption { 1419 type = types.str; 1420 description = '' 1421 The account to use for discovering new targets. 1422 ''; 1423 }; 1424 1425 role = 1426 mkDefOpt 1427 (types.enum [ 1428 "container" 1429 "cn" 1430 ]) 1431 "container" 1432 '' 1433 The type of targets to discover, can be set to: 1434 - "container" to discover virtual machines (SmartOS zones, lx/KVM/bhyve branded zones) running on Triton 1435 - "cn" to discover compute nodes (servers/global zones) making up the Triton infrastructure 1436 ''; 1437 1438 dns_suffix = mkOption { 1439 type = types.str; 1440 description = '' 1441 The DNS suffix which should be applied to target. 1442 ''; 1443 }; 1444 1445 endpoint = mkOption { 1446 type = types.str; 1447 description = '' 1448 The Triton discovery endpoint (e.g. `cmon.us-east-3b.triton.zone`). This is 1449 often the same value as dns_suffix. 1450 ''; 1451 }; 1452 1453 groups = mkOpt (types.listOf types.str) '' 1454 A list of groups for which targets are retrieved, only supported when targeting the `container` role. 1455 If omitted all containers owned by the requesting account are scraped. 1456 ''; 1457 1458 port = mkDefOpt types.port "9163" '' 1459 The port to use for discovery and metric scraping. 1460 ''; 1461 1462 refresh_interval = mkDefOpt types.str "60s" '' 1463 The interval which should be used for refreshing targets. 1464 ''; 1465 1466 version = mkDefOpt types.int "1" '' 1467 The Triton discovery API version. 1468 ''; 1469 1470 tls_config = mkOpt promTypes.tls_config '' 1471 TLS configuration. 1472 ''; 1473 }; 1474 }; 1475 1476 promTypes.uyuni_sd_config = mkSdConfigModule { 1477 server = mkOption { 1478 type = types.str; 1479 description = '' 1480 The URL to connect to the Uyuni server. 1481 ''; 1482 }; 1483 1484 username = mkOption { 1485 type = types.str; 1486 description = '' 1487 Credentials are used to authenticate the requests to Uyuni API. 1488 ''; 1489 }; 1490 1491 password = mkOption { 1492 type = types.str; 1493 description = '' 1494 Credentials are used to authenticate the requests to Uyuni API. 1495 ''; 1496 }; 1497 1498 entitlement = mkDefOpt types.str "monitoring_entitled" '' 1499 The entitlement string to filter eligible systems. 1500 ''; 1501 1502 separator = mkDefOpt types.str "," '' 1503 The string by which Uyuni group names are joined into the groups label 1504 ''; 1505 1506 refresh_interval = mkDefOpt types.str "60s" '' 1507 Refresh interval to re-read the managed targets list. 1508 ''; 1509 }; 1510 1511 promTypes.static_config = types.submodule { 1512 options = { 1513 targets = mkOption { 1514 type = types.listOf types.str; 1515 description = '' 1516 The targets specified by the target group. 1517 ''; 1518 }; 1519 labels = mkOption { 1520 type = types.attrsOf types.str; 1521 default = { }; 1522 description = '' 1523 Labels assigned to all metrics scraped from the targets. 1524 ''; 1525 }; 1526 }; 1527 }; 1528 1529 # 1530 # Config types: relabling 1531 # 1532 1533 promTypes.relabel_config = types.submodule { 1534 options = { 1535 source_labels = mkOpt (types.listOf types.str) '' 1536 The source labels select values from existing labels. Their content 1537 is concatenated using the configured separator and matched against 1538 the configured regular expression. 1539 ''; 1540 1541 separator = mkDefOpt types.str ";" '' 1542 Separator placed between concatenated source label values. 1543 ''; 1544 1545 target_label = mkOpt types.str '' 1546 Label to which the resulting value is written in a replace action. 1547 It is mandatory for replace actions. 1548 ''; 1549 1550 regex = mkDefOpt types.str "(.*)" '' 1551 Regular expression against which the extracted value is matched. 1552 ''; 1553 1554 modulus = mkOpt types.int '' 1555 Modulus to take of the hash of the source label values. 1556 ''; 1557 1558 replacement = mkDefOpt types.str "$1" '' 1559 Replacement value against which a regex replace is performed if the 1560 regular expression matches. 1561 ''; 1562 1563 action = 1564 mkDefOpt 1565 (types.enum [ 1566 "replace" 1567 "lowercase" 1568 "uppercase" 1569 "keep" 1570 "drop" 1571 "hashmod" 1572 "labelmap" 1573 "labeldrop" 1574 "labelkeep" 1575 ]) 1576 "replace" 1577 '' 1578 Action to perform based on regex matching. 1579 ''; 1580 }; 1581 }; 1582 1583 # 1584 # Config types : remote read / write 1585 # 1586 1587 promTypes.remote_write = types.submodule { 1588 options = { 1589 url = mkOption { 1590 type = types.str; 1591 description = '' 1592 ServerName extension to indicate the name of the server. 1593 http://tools.ietf.org/html/rfc4366#section-3.1 1594 ''; 1595 }; 1596 remote_timeout = mkOpt types.str '' 1597 Timeout for requests to the remote write endpoint. 1598 ''; 1599 headers = mkOpt (types.attrsOf types.str) '' 1600 Custom HTTP headers to be sent along with each remote write request. 1601 Be aware that headers that are set by Prometheus itself can't be overwritten. 1602 ''; 1603 write_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) '' 1604 List of remote write relabel configurations. 1605 ''; 1606 name = mkOpt types.str '' 1607 Name of the remote write config, which if specified must be unique among remote write configs. 1608 The name will be used in metrics and logging in place of a generated value to help users distinguish between 1609 remote write configs. 1610 ''; 1611 basic_auth = mkOpt promTypes.basic_auth '' 1612 Sets the `Authorization` header on every remote write request with the 1613 configured username and password. 1614 password and password_file are mutually exclusive. 1615 ''; 1616 bearer_token = mkOpt types.str '' 1617 Sets the `Authorization` header on every remote write request with 1618 the configured bearer token. It is mutually exclusive with `bearer_token_file`. 1619 ''; 1620 bearer_token_file = mkOpt types.str '' 1621 Sets the `Authorization` header on every remote write request with the bearer token 1622 read from the configured file. It is mutually exclusive with `bearer_token`. 1623 ''; 1624 sigv4 = mkOpt promTypes.sigv4 '' 1625 Configures AWS Signature Version 4 settings. 1626 ''; 1627 tls_config = mkOpt promTypes.tls_config '' 1628 Configures the remote write request's TLS settings. 1629 ''; 1630 proxy_url = mkOpt types.str "Optional Proxy URL."; 1631 queue_config = 1632 mkOpt 1633 (types.submodule { 1634 options = { 1635 capacity = mkOpt types.int '' 1636 Number of samples to buffer per shard before we block reading of more 1637 samples from the WAL. It is recommended to have enough capacity in each 1638 shard to buffer several requests to keep throughput up while processing 1639 occasional slow remote requests. 1640 ''; 1641 max_shards = mkOpt types.int '' 1642 Maximum number of shards, i.e. amount of concurrency. 1643 ''; 1644 min_shards = mkOpt types.int '' 1645 Minimum number of shards, i.e. amount of concurrency. 1646 ''; 1647 max_samples_per_send = mkOpt types.int '' 1648 Maximum number of samples per send. 1649 ''; 1650 batch_send_deadline = mkOpt types.str '' 1651 Maximum time a sample will wait in buffer. 1652 ''; 1653 min_backoff = mkOpt types.str '' 1654 Initial retry delay. Gets doubled for every retry. 1655 ''; 1656 max_backoff = mkOpt types.str '' 1657 Maximum retry delay. 1658 ''; 1659 }; 1660 }) 1661 '' 1662 Configures the queue used to write to remote storage. 1663 ''; 1664 metadata_config = 1665 mkOpt 1666 (types.submodule { 1667 options = { 1668 send = mkOpt types.bool '' 1669 Whether metric metadata is sent to remote storage or not. 1670 ''; 1671 send_interval = mkOpt types.str '' 1672 How frequently metric metadata is sent to remote storage. 1673 ''; 1674 }; 1675 }) 1676 '' 1677 Configures the sending of series metadata to remote storage. 1678 Metadata configuration is subject to change at any point 1679 or be removed in future releases. 1680 ''; 1681 }; 1682 }; 1683 1684 promTypes.remote_read = types.submodule { 1685 options = { 1686 url = mkOption { 1687 type = types.str; 1688 description = '' 1689 ServerName extension to indicate the name of the server. 1690 http://tools.ietf.org/html/rfc4366#section-3.1 1691 ''; 1692 }; 1693 name = mkOpt types.str '' 1694 Name of the remote read config, which if specified must be unique among remote read configs. 1695 The name will be used in metrics and logging in place of a generated value to help users distinguish between 1696 remote read configs. 1697 ''; 1698 required_matchers = mkOpt (types.attrsOf types.str) '' 1699 An optional list of equality matchers which have to be 1700 present in a selector to query the remote read endpoint. 1701 ''; 1702 remote_timeout = mkOpt types.str '' 1703 Timeout for requests to the remote read endpoint. 1704 ''; 1705 headers = mkOpt (types.attrsOf types.str) '' 1706 Custom HTTP headers to be sent along with each remote read request. 1707 Be aware that headers that are set by Prometheus itself can't be overwritten. 1708 ''; 1709 read_recent = mkOpt types.bool '' 1710 Whether reads should be made for queries for time ranges that 1711 the local storage should have complete data for. 1712 ''; 1713 basic_auth = mkOpt promTypes.basic_auth '' 1714 Sets the `Authorization` header on every remote read request with the 1715 configured username and password. 1716 password and password_file are mutually exclusive. 1717 ''; 1718 bearer_token = mkOpt types.str '' 1719 Sets the `Authorization` header on every remote read request with 1720 the configured bearer token. It is mutually exclusive with `bearer_token_file`. 1721 ''; 1722 bearer_token_file = mkOpt types.str '' 1723 Sets the `Authorization` header on every remote read request with the bearer token 1724 read from the configured file. It is mutually exclusive with `bearer_token`. 1725 ''; 1726 tls_config = mkOpt promTypes.tls_config '' 1727 Configures the remote read request's TLS settings. 1728 ''; 1729 proxy_url = mkOpt types.str "Optional Proxy URL."; 1730 }; 1731 }; 1732 1733in 1734{ 1735 1736 imports = [ 1737 (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) 1738 (mkRemovedOptionModule [ "services" "prometheus" "environmentFile" ] 1739 "It has been removed since it was causing issues (https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`." 1740 ) 1741 (mkRemovedOptionModule [ 1742 "services" 1743 "prometheus" 1744 "alertmanagerTimeout" 1745 ] "Deprecated upstream and no longer had any effect") 1746 ]; 1747 1748 options.services.prometheus = { 1749 1750 enable = mkEnableOption "Prometheus monitoring daemon"; 1751 1752 package = mkPackageOption pkgs "prometheus" { }; 1753 1754 port = mkOption { 1755 type = types.port; 1756 default = 9090; 1757 description = '' 1758 Port to listen on. 1759 ''; 1760 }; 1761 1762 listenAddress = mkOption { 1763 type = types.str; 1764 default = "0.0.0.0"; 1765 description = '' 1766 Address to listen on for the web interface, API, and telemetry. 1767 ''; 1768 }; 1769 1770 stateDir = mkOption { 1771 type = types.str; 1772 default = "prometheus2"; 1773 description = '' 1774 Directory below `/var/lib` to store Prometheus metrics data. 1775 This directory will be created automatically using systemd's StateDirectory mechanism. 1776 ''; 1777 }; 1778 1779 extraFlags = mkOption { 1780 type = types.listOf types.str; 1781 default = [ ]; 1782 description = '' 1783 Extra commandline options when launching Prometheus. 1784 ''; 1785 }; 1786 1787 enableReload = mkOption { 1788 default = false; 1789 type = types.bool; 1790 description = '' 1791 Reload prometheus when configuration file changes (instead of restart). 1792 1793 The following property holds: switching to a configuration 1794 (`switch-to-configuration`) that changes the prometheus 1795 configuration only finishes successfully when prometheus has finished 1796 loading the new configuration. 1797 ''; 1798 }; 1799 1800 enableAgentMode = mkEnableOption "agent mode"; 1801 1802 configText = mkOption { 1803 type = types.nullOr types.lines; 1804 default = null; 1805 description = '' 1806 If non-null, this option defines the text that is written to 1807 prometheus.yml. If null, the contents of prometheus.yml is generated 1808 from the structured config options. 1809 ''; 1810 }; 1811 1812 globalConfig = mkOption { 1813 type = promTypes.globalConfig; 1814 default = { }; 1815 description = '' 1816 Parameters that are valid in all configuration contexts. They 1817 also serve as defaults for other configuration sections 1818 ''; 1819 }; 1820 1821 remoteRead = mkOption { 1822 type = types.listOf promTypes.remote_read; 1823 default = [ ]; 1824 description = '' 1825 Parameters of the endpoints to query from. 1826 See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read) for more information. 1827 ''; 1828 }; 1829 1830 remoteWrite = mkOption { 1831 type = types.listOf promTypes.remote_write; 1832 default = [ ]; 1833 description = '' 1834 Parameters of the endpoints to send samples to. 1835 See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write) for more information. 1836 ''; 1837 }; 1838 1839 rules = mkOption { 1840 type = types.listOf types.str; 1841 default = [ ]; 1842 description = '' 1843 Alerting and/or Recording rules to evaluate at runtime. 1844 ''; 1845 }; 1846 1847 ruleFiles = mkOption { 1848 type = types.listOf types.path; 1849 default = [ ]; 1850 description = '' 1851 Any additional rules files to include in this configuration. 1852 ''; 1853 }; 1854 1855 scrapeConfigs = mkOption { 1856 type = types.listOf promTypes.scrape_config; 1857 default = [ ]; 1858 description = '' 1859 A list of scrape configurations. 1860 ''; 1861 }; 1862 1863 alertmanagers = mkOption { 1864 type = types.listOf types.attrs; 1865 example = literalExpression '' 1866 [ { 1867 scheme = "https"; 1868 path_prefix = "/alertmanager"; 1869 static_configs = [ { 1870 targets = [ 1871 "prometheus.domain.tld" 1872 ]; 1873 } ]; 1874 } ] 1875 ''; 1876 default = [ ]; 1877 description = '' 1878 A list of alertmanagers to send alerts to. 1879 See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config) for more information. 1880 ''; 1881 }; 1882 1883 alertmanagerNotificationQueueCapacity = mkOption { 1884 type = types.int; 1885 default = 10000; 1886 description = '' 1887 The capacity of the queue for pending alert manager notifications. 1888 ''; 1889 }; 1890 1891 webExternalUrl = mkOption { 1892 type = types.nullOr types.str; 1893 default = null; 1894 example = "https://example.com/"; 1895 description = '' 1896 The URL under which Prometheus is externally reachable (for example, 1897 if Prometheus is served via a reverse proxy). 1898 ''; 1899 }; 1900 1901 webConfigFile = mkOption { 1902 type = types.nullOr types.path; 1903 default = null; 1904 description = '' 1905 Specifies which file should be used as web.config.file and be passed on startup. 1906 See https://prometheus.io/docs/prometheus/latest/configuration/https/ for valid options. 1907 ''; 1908 }; 1909 1910 checkConfig = mkOption { 1911 type = with types; either bool (enum [ "syntax-only" ]); 1912 default = true; 1913 example = "syntax-only"; 1914 description = '' 1915 Check configuration with `promtool check`. The call to `promtool` is 1916 subject to sandboxing by Nix. 1917 1918 If you use credentials stored in external files 1919 (`password_file`, `bearer_token_file`, etc), 1920 they will not be visible to `promtool` 1921 and it will report errors, despite a correct configuration. 1922 To resolve this, you may set this option to `"syntax-only"` 1923 in order to only syntax check the Prometheus configuration. 1924 ''; 1925 }; 1926 1927 retentionTime = mkOption { 1928 type = types.nullOr types.str; 1929 default = null; 1930 example = "15d"; 1931 description = '' 1932 How long to retain samples in storage. 1933 ''; 1934 }; 1935 }; 1936 1937 config = mkIf cfg.enable { 1938 assertions = [ 1939 ( 1940 let 1941 # Match something with dots (an IPv4 address) or something ending in 1942 # a square bracket (an IPv6 addresses) followed by a port number. 1943 legacy = builtins.match "(.*\\..*|.*]):([[:digit:]]+)" cfg.listenAddress; 1944 in 1945 { 1946 assertion = legacy == null; 1947 message = '' 1948 Do not specify the port for Prometheus to listen on in the 1949 listenAddress option; use the port option instead: 1950 services.prometheus.listenAddress = ${builtins.elemAt legacy 0}; 1951 services.prometheus.port = ${builtins.elemAt legacy 1}; 1952 ''; 1953 } 1954 ) 1955 ]; 1956 1957 users.groups.prometheus.gid = config.ids.gids.prometheus; 1958 users.users.prometheus = { 1959 description = "Prometheus daemon user"; 1960 uid = config.ids.uids.prometheus; 1961 group = "prometheus"; 1962 }; 1963 environment.etc."prometheus/prometheus.yaml" = mkIf cfg.enableReload { 1964 source = prometheusYml; 1965 }; 1966 systemd.services.prometheus = { 1967 wantedBy = [ "multi-user.target" ]; 1968 after = [ "network.target" ]; 1969 serviceConfig = { 1970 ExecStart = 1971 "${cfg.package}/bin/prometheus" 1972 + optionalString (length cmdlineArgs != 0) (" \\\n " + concatStringsSep " \\\n " cmdlineArgs); 1973 ExecReload = mkIf cfg.enableReload "+${reload}/bin/reload-prometheus"; 1974 User = "prometheus"; 1975 Restart = "always"; 1976 RuntimeDirectory = "prometheus"; 1977 RuntimeDirectoryMode = "0700"; 1978 WorkingDirectory = workingDir; 1979 StateDirectory = cfg.stateDir; 1980 StateDirectoryMode = "0700"; 1981 # Hardening 1982 DeviceAllow = [ "/dev/null rw" ]; 1983 DevicePolicy = "strict"; 1984 LockPersonality = true; 1985 MemoryDenyWriteExecute = true; 1986 NoNewPrivileges = true; 1987 PrivateDevices = true; 1988 PrivateTmp = true; 1989 PrivateUsers = true; 1990 ProtectClock = true; 1991 ProtectControlGroups = true; 1992 ProtectHome = true; 1993 ProtectHostname = true; 1994 ProtectKernelLogs = true; 1995 ProtectKernelModules = true; 1996 ProtectKernelTunables = true; 1997 ProtectProc = "invisible"; 1998 ProtectSystem = "full"; 1999 RemoveIPC = true; 2000 RestrictAddressFamilies = [ 2001 "AF_INET" 2002 "AF_INET6" 2003 "AF_UNIX" 2004 ]; 2005 RestrictNamespaces = true; 2006 RestrictRealtime = true; 2007 RestrictSUIDSGID = true; 2008 SystemCallArchitectures = "native"; 2009 SystemCallFilter = [ 2010 "@system-service" 2011 "~@privileged" 2012 ]; 2013 }; 2014 }; 2015 # prometheus-config-reload will activate after prometheus. However, what we 2016 # don't want is that on startup it immediately reloads prometheus because 2017 # prometheus itself might have just started. 2018 # 2019 # Instead we only want to reload prometheus when the config file has 2020 # changed. So on startup prometheus-config-reload will just output a 2021 # harmless message and then stay active (RemainAfterExit). 2022 # 2023 # Then, when the config file has changed, switch-to-configuration notices 2024 # that this service has changed (restartTriggers) and needs to be reloaded 2025 # (reloadIfChanged). The reload command then reloads prometheus. 2026 systemd.services.prometheus-config-reload = mkIf cfg.enableReload { 2027 wantedBy = [ "prometheus.service" ]; 2028 after = [ "prometheus.service" ]; 2029 reloadIfChanged = true; 2030 restartTriggers = [ prometheusYml ]; 2031 serviceConfig = { 2032 Type = "oneshot"; 2033 RemainAfterExit = true; 2034 TimeoutSec = 60; 2035 ExecStart = "${pkgs.logger}/bin/logger 'prometheus-config-reload will only reload prometheus when reloaded itself.'"; 2036 ExecReload = [ "${triggerReload}/bin/trigger-reload-prometheus" ]; 2037 }; 2038 }; 2039 }; 2040}