nixos/modules/services/monitoring/prometheus/default.nix at master · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / services / monitoring / prometheus / default.nix
at master 64 kB view raw
   1{
   2  config,
   3  pkgs,
   4  lib,
   5  ...
   6}:
   7
   8with lib;
   9
  10let
  11  yaml = pkgs.formats.yaml { };
  12  cfg = config.services.prometheus;
  13  checkConfigEnabled =
  14    (lib.isBool cfg.checkConfig && cfg.checkConfig) || cfg.checkConfig == "syntax-only";
  15
  16  workingDir = "/var/lib/" + cfg.stateDir;
  17
  18  triggerReload = pkgs.writeShellScriptBin "trigger-reload-prometheus" ''
  19    PATH="${makeBinPath (with pkgs; [ systemd ])}"
  20    if systemctl -q is-active prometheus.service; then
  21      systemctl reload prometheus.service
  22    fi
  23  '';
  24
  25  reload = pkgs.writeShellScriptBin "reload-prometheus" ''
  26    PATH="${
  27      makeBinPath (
  28        with pkgs;
  29        [
  30          systemd
  31          coreutils
  32          gnugrep
  33        ]
  34      )
  35    }"
  36    cursor=$(journalctl --show-cursor -n0 | grep -oP "cursor: \K.*")
  37    kill -HUP $MAINPID
  38    journalctl -u prometheus.service --after-cursor="$cursor" -f \
  39      | grep -m 1 "Completed loading of configuration file" > /dev/null
  40  '';
  41
  42  # a wrapper that verifies that the configuration is valid
  43  promtoolCheck =
  44    what: name: file:
  45    if checkConfigEnabled then
  46      pkgs.runCommand "${name}-${replaceStrings [ " " ] [ "" ] what}-checked"
  47        {
  48          preferLocalBuild = true;
  49          nativeBuildInputs = [ cfg.package.cli ];
  50        }
  51        ''
  52          ln -s ${file} $out
  53          promtool ${what} $out
  54        ''
  55    else
  56      file;
  57
  58  generatedPrometheusYml = yaml.generate "prometheus.yml" promConfig;
  59
  60  # This becomes the main config file for Prometheus
  61  promConfig = {
  62    global = filterValidPrometheus cfg.globalConfig;
  63    scrape_configs = filterValidPrometheus cfg.scrapeConfigs;
  64    remote_write = filterValidPrometheus cfg.remoteWrite;
  65    remote_read = filterValidPrometheus cfg.remoteRead;
  66    rule_files = optionals (!(cfg.enableAgentMode)) (
  67      map (promtoolCheck "check rules" "rules") (
  68        cfg.ruleFiles
  69        ++ [
  70          (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg.rules))
  71        ]
  72      )
  73    );
  74    alerting = {
  75      inherit (cfg) alertmanagers;
  76    };
  77  };
  78
  79  prometheusYml =
  80    let
  81      yml =
  82        if cfg.configText != null then
  83          pkgs.writeText "prometheus.yml" cfg.configText
  84        else
  85          generatedPrometheusYml;
  86    in
  87    promtoolCheck "check config ${
  88      lib.optionalString (cfg.checkConfig == "syntax-only") "--syntax-only"
  89    }" "prometheus.yml" yml;
  90
  91  cmdlineArgs =
  92    cfg.extraFlags
  93    ++ [
  94      "--config.file=${if cfg.enableReload then "/etc/prometheus/prometheus.yaml" else prometheusYml}"
  95      "--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}"
  96    ]
  97    ++ (
  98      if (cfg.enableAgentMode) then
  99        [
 100          "--enable-feature=agent"
 101        ]
 102      else
 103        [
 104          "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}"
 105          "--storage.tsdb.path=${workingDir}/data/"
 106        ]
 107    )
 108    ++ optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}"
 109    ++ optional (cfg.retentionTime != null) "--storage.tsdb.retention.time=${cfg.retentionTime}"
 110    ++ optional (cfg.webConfigFile != null) "--web.config.file=${cfg.webConfigFile}";
 111
 112  filterValidPrometheus = filterAttrsListRecursive (n: v: !(n == "_module" || v == null));
 113  filterAttrsListRecursive =
 114    pred: x:
 115    if isAttrs x then
 116      listToAttrs (
 117        concatMap (
 118          name:
 119          let
 120            v = x.${name};
 121          in
 122          if pred name v then
 123            [
 124              (nameValuePair name (filterAttrsListRecursive pred v))
 125            ]
 126          else
 127            [ ]
 128        ) (attrNames x)
 129      )
 130    else if isList x then
 131      map (filterAttrsListRecursive pred) x
 132    else
 133      x;
 134
 135  #
 136  # Config types: helper functions
 137  #
 138
 139  mkDefOpt =
 140    type: defaultStr: description:
 141    mkOpt type (
 142      description
 143      + ''
 144
 145        Defaults to ````${defaultStr}```` in prometheus
 146        when set to `null`.
 147      ''
 148    );
 149
 150  mkOpt =
 151    type: description:
 152    mkOption {
 153      type = types.nullOr type;
 154      default = null;
 155      description = description;
 156    };
 157
 158  mkSdConfigModule =
 159    extraOptions:
 160    types.submodule {
 161      options = {
 162        basic_auth = mkOpt promTypes.basic_auth ''
 163          Optional HTTP basic authentication information.
 164        '';
 165
 166        authorization =
 167          mkOpt
 168            (types.submodule {
 169              options = {
 170                type = mkDefOpt types.str "Bearer" ''
 171                  Sets the authentication type.
 172                '';
 173
 174                credentials = mkOpt types.str ''
 175                  Sets the credentials. It is mutually exclusive with `credentials_file`.
 176                '';
 177
 178                credentials_file = mkOpt types.str ''
 179                  Sets the credentials to the credentials read from the configured file.
 180                  It is mutually exclusive with `credentials`.
 181                '';
 182              };
 183            })
 184            ''
 185              Optional `Authorization` header configuration.
 186            '';
 187
 188        oauth2 = mkOpt promtypes.oauth2 ''
 189          Optional OAuth 2.0 configuration.
 190          Cannot be used at the same time as basic_auth or authorization.
 191        '';
 192
 193        proxy_url = mkOpt types.str ''
 194          Optional proxy URL.
 195        '';
 196
 197        follow_redirects = mkDefOpt types.bool "true" ''
 198          Configure whether HTTP requests follow HTTP 3xx redirects.
 199        '';
 200
 201        tls_config = mkOpt promTypes.tls_config ''
 202          TLS configuration.
 203        '';
 204      }
 205      // extraOptions;
 206    };
 207
 208  #
 209  # Config types: general
 210  #
 211
 212  promTypes.globalConfig = types.submodule {
 213    options = {
 214      scrape_interval = mkDefOpt types.str "1m" ''
 215        How frequently to scrape targets by default.
 216      '';
 217
 218      scrape_timeout = mkDefOpt types.str "10s" ''
 219        How long until a scrape request times out.
 220      '';
 221
 222      evaluation_interval = mkDefOpt types.str "1m" ''
 223        How frequently to evaluate rules by default.
 224      '';
 225
 226      external_labels = mkOpt (types.attrsOf types.str) ''
 227        The labels to add to any time series or alerts when
 228        communicating with external systems (federation, remote
 229        storage, Alertmanager).
 230      '';
 231
 232      query_log_file = mkOpt types.str ''
 233        Path to the file prometheus should write its query log to.
 234      '';
 235    };
 236  };
 237
 238  promTypes.basic_auth = types.submodule {
 239    options = {
 240      username = mkOption {
 241        type = types.str;
 242        description = ''
 243          HTTP username
 244        '';
 245      };
 246      password = mkOpt types.str "HTTP password";
 247      password_file = mkOpt types.str "HTTP password file";
 248    };
 249  };
 250
 251  promTypes.sigv4 = types.submodule {
 252    options = {
 253      region = mkOpt types.str ''
 254        The AWS region.
 255      '';
 256      access_key = mkOpt types.str ''
 257        The Access Key ID.
 258      '';
 259      secret_key = mkOpt types.str ''
 260        The Secret Access Key.
 261      '';
 262      profile = mkOpt types.str ''
 263        The named AWS profile used to authenticate.
 264      '';
 265      role_arn = mkOpt types.str ''
 266        The AWS role ARN.
 267      '';
 268    };
 269  };
 270
 271  promTypes.tls_config = types.submodule {
 272    options = {
 273      ca_file = mkOpt types.str ''
 274        CA certificate to validate API server certificate with.
 275      '';
 276
 277      cert_file = mkOpt types.str ''
 278        Certificate file for client cert authentication to the server.
 279      '';
 280
 281      key_file = mkOpt types.str ''
 282        Key file for client cert authentication to the server.
 283      '';
 284
 285      server_name = mkOpt types.str ''
 286        ServerName extension to indicate the name of the server.
 287        http://tools.ietf.org/html/rfc4366#section-3.1
 288      '';
 289
 290      insecure_skip_verify = mkOpt types.bool ''
 291        Disable validation of the server certificate.
 292      '';
 293    };
 294  };
 295
 296  promtypes.oauth2 = types.submodule {
 297    options = {
 298      client_id = mkOpt types.str ''
 299        OAuth client ID.
 300      '';
 301
 302      client_secret = mkOpt types.str ''
 303        OAuth client secret.
 304      '';
 305
 306      client_secret_file = mkOpt types.str ''
 307        Read the client secret from a file. It is mutually exclusive with `client_secret`.
 308      '';
 309
 310      scopes = mkOpt (types.listOf types.str) ''
 311        Scopes for the token request.
 312      '';
 313
 314      token_url = mkOpt types.str ''
 315        The URL to fetch the token from.
 316      '';
 317
 318      endpoint_params = mkOpt (types.attrsOf types.str) ''
 319        Optional parameters to append to the token URL.
 320      '';
 321    };
 322  };
 323
 324  # https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config
 325  promTypes.scrape_config = types.submodule {
 326    options = {
 327      authorization = mkOption {
 328        type = types.nullOr types.attrs;
 329        default = null;
 330        description = ''
 331          Sets the `Authorization` header on every scrape request with the configured credentials.
 332        '';
 333      };
 334      job_name = mkOption {
 335        type = types.str;
 336        description = ''
 337          The job name assigned to scraped metrics by default.
 338        '';
 339      };
 340      scrape_interval = mkOpt types.str ''
 341        How frequently to scrape targets from this job. Defaults to the
 342        globally configured default.
 343      '';
 344
 345      scrape_timeout = mkOpt types.str ''
 346        Per-target timeout when scraping this job. Defaults to the
 347        globally configured default.
 348      '';
 349
 350      scrape_protocols = mkOpt (types.listOf types.str) ''
 351        The protocols to negotiate during a scrape with the client.
 352      '';
 353
 354      fallback_scrape_protocol = mkOpt types.str ''
 355        Fallback protocol to use if a scrape returns blank, unparseable, or otherwise
 356        invalid Content-Type.
 357      '';
 358
 359      metrics_path = mkDefOpt types.str "/metrics" ''
 360        The HTTP resource path on which to fetch metrics from targets.
 361      '';
 362
 363      honor_labels = mkDefOpt types.bool "false" ''
 364        Controls how Prometheus handles conflicts between labels
 365        that are already present in scraped data and labels that
 366        Prometheus would attach server-side ("job" and "instance"
 367        labels, manually configured target labels, and labels
 368        generated by service discovery implementations).
 369
 370        If honor_labels is set to "true", label conflicts are
 371        resolved by keeping label values from the scraped data and
 372        ignoring the conflicting server-side labels.
 373
 374        If honor_labels is set to "false", label conflicts are
 375        resolved by renaming conflicting labels in the scraped data
 376        to "exported_\<original-label\>" (for example
 377        "exported_instance", "exported_job") and then attaching
 378        server-side labels. This is useful for use cases such as
 379        federation, where all labels specified in the target should
 380        be preserved.
 381      '';
 382
 383      honor_timestamps = mkDefOpt types.bool "true" ''
 384        honor_timestamps controls whether Prometheus respects the timestamps present
 385        in scraped data.
 386
 387        If honor_timestamps is set to `true`, the timestamps of the metrics exposed
 388        by the target will be used.
 389
 390        If honor_timestamps is set to `false`, the timestamps of the metrics exposed
 391        by the target will be ignored.
 392      '';
 393
 394      scheme =
 395        mkDefOpt
 396          (types.enum [
 397            "http"
 398            "https"
 399          ])
 400          "http"
 401          ''
 402            The URL scheme with which to fetch metrics from targets.
 403          '';
 404
 405      params = mkOpt (types.attrsOf (types.listOf types.str)) ''
 406        Optional HTTP URL parameters.
 407      '';
 408
 409      basic_auth = mkOpt promTypes.basic_auth ''
 410        Sets the `Authorization` header on every scrape request with the
 411        configured username and password.
 412        password and password_file are mutually exclusive.
 413      '';
 414
 415      bearer_token = mkOpt types.str ''
 416        Sets the `Authorization` header on every scrape request with
 417        the configured bearer token. It is mutually exclusive with
 418        {option}`bearer_token_file`.
 419      '';
 420
 421      bearer_token_file = mkOpt types.str ''
 422        Sets the `Authorization` header on every scrape request with
 423        the bearer token read from the configured file. It is mutually
 424        exclusive with {option}`bearer_token`.
 425      '';
 426
 427      tls_config = mkOpt promTypes.tls_config ''
 428        Configures the scrape request's TLS settings.
 429      '';
 430
 431      proxy_url = mkOpt types.str ''
 432        Optional proxy URL.
 433      '';
 434
 435      azure_sd_configs = mkOpt (types.listOf promTypes.azure_sd_config) ''
 436        List of Azure service discovery configurations.
 437      '';
 438
 439      consul_sd_configs = mkOpt (types.listOf promTypes.consul_sd_config) ''
 440        List of Consul service discovery configurations.
 441      '';
 442
 443      digitalocean_sd_configs = mkOpt (types.listOf promTypes.digitalocean_sd_config) ''
 444        List of DigitalOcean service discovery configurations.
 445      '';
 446
 447      docker_sd_configs = mkOpt (types.listOf promTypes.docker_sd_config) ''
 448        List of Docker service discovery configurations.
 449      '';
 450
 451      dockerswarm_sd_configs = mkOpt (types.listOf promTypes.dockerswarm_sd_config) ''
 452        List of Docker Swarm service discovery configurations.
 453      '';
 454
 455      dns_sd_configs = mkOpt (types.listOf promTypes.dns_sd_config) ''
 456        List of DNS service discovery configurations.
 457      '';
 458
 459      ec2_sd_configs = mkOpt (types.listOf promTypes.ec2_sd_config) ''
 460        List of EC2 service discovery configurations.
 461      '';
 462
 463      eureka_sd_configs = mkOpt (types.listOf promTypes.eureka_sd_config) ''
 464        List of Eureka service discovery configurations.
 465      '';
 466
 467      file_sd_configs = mkOpt (types.listOf promTypes.file_sd_config) ''
 468        List of file service discovery configurations.
 469      '';
 470
 471      gce_sd_configs = mkOpt (types.listOf promTypes.gce_sd_config) ''
 472        List of Google Compute Engine service discovery configurations.
 473
 474        See [the relevant Prometheus configuration docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#gce_sd_config)
 475        for more detail.
 476      '';
 477
 478      hetzner_sd_configs = mkOpt (types.listOf promTypes.hetzner_sd_config) ''
 479        List of Hetzner service discovery configurations.
 480      '';
 481
 482      http_sd_configs = mkOpt (types.listOf promTypes.http_sd_config) ''
 483        List of HTTP service discovery configurations.
 484      '';
 485
 486      kubernetes_sd_configs = mkOpt (types.listOf promTypes.kubernetes_sd_config) ''
 487        List of Kubernetes service discovery configurations.
 488      '';
 489
 490      kuma_sd_configs = mkOpt (types.listOf promTypes.kuma_sd_config) ''
 491        List of Kuma service discovery configurations.
 492      '';
 493
 494      lightsail_sd_configs = mkOpt (types.listOf promTypes.lightsail_sd_config) ''
 495        List of Lightsail service discovery configurations.
 496      '';
 497
 498      linode_sd_configs = mkOpt (types.listOf promTypes.linode_sd_config) ''
 499        List of Linode service discovery configurations.
 500      '';
 501
 502      marathon_sd_configs = mkOpt (types.listOf promTypes.marathon_sd_config) ''
 503        List of Marathon service discovery configurations.
 504      '';
 505
 506      nerve_sd_configs = mkOpt (types.listOf promTypes.nerve_sd_config) ''
 507        List of AirBnB's Nerve service discovery configurations.
 508      '';
 509
 510      openstack_sd_configs = mkOpt (types.listOf promTypes.openstack_sd_config) ''
 511        List of OpenStack service discovery configurations.
 512      '';
 513
 514      puppetdb_sd_configs = mkOpt (types.listOf promTypes.puppetdb_sd_config) ''
 515        List of PuppetDB service discovery configurations.
 516      '';
 517
 518      scaleway_sd_configs = mkOpt (types.listOf promTypes.scaleway_sd_config) ''
 519        List of Scaleway service discovery configurations.
 520      '';
 521
 522      serverset_sd_configs = mkOpt (types.listOf promTypes.serverset_sd_config) ''
 523        List of Zookeeper Serverset service discovery configurations.
 524      '';
 525
 526      triton_sd_configs = mkOpt (types.listOf promTypes.triton_sd_config) ''
 527        List of Triton Serverset service discovery configurations.
 528      '';
 529
 530      uyuni_sd_configs = mkOpt (types.listOf promTypes.uyuni_sd_config) ''
 531        List of Uyuni Serverset service discovery configurations.
 532      '';
 533
 534      static_configs = mkOpt (types.listOf promTypes.static_config) ''
 535        List of labeled target groups for this job.
 536      '';
 537
 538      relabel_configs = mkOpt (types.listOf promTypes.relabel_config) ''
 539        List of relabel configurations.
 540      '';
 541
 542      metric_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) ''
 543        List of metric relabel configurations.
 544      '';
 545
 546      body_size_limit = mkDefOpt types.str "0" ''
 547        An uncompressed response body larger than this many bytes will cause the
 548        scrape to fail. 0 means no limit. Example: 100MB.
 549        This is an experimental feature, this behaviour could
 550        change or be removed in the future.
 551      '';
 552
 553      sample_limit = mkDefOpt types.int "0" ''
 554        Per-scrape limit on number of scraped samples that will be accepted.
 555        If more than this number of samples are present after metric relabelling
 556        the entire scrape will be treated as failed. 0 means no limit.
 557      '';
 558
 559      label_limit = mkDefOpt types.int "0" ''
 560        Per-scrape limit on number of labels that will be accepted for a sample. If
 561        more than this number of labels are present post metric-relabeling, the
 562        entire scrape will be treated as failed. 0 means no limit.
 563      '';
 564
 565      label_name_length_limit = mkDefOpt types.int "0" ''
 566        Per-scrape limit on length of labels name that will be accepted for a sample.
 567        If a label name is longer than this number post metric-relabeling, the entire
 568        scrape will be treated as failed. 0 means no limit.
 569      '';
 570
 571      label_value_length_limit = mkDefOpt types.int "0" ''
 572        Per-scrape limit on length of labels value that will be accepted for a sample.
 573        If a label value is longer than this number post metric-relabeling, the
 574        entire scrape will be treated as failed. 0 means no limit.
 575      '';
 576
 577      target_limit = mkDefOpt types.int "0" ''
 578        Per-scrape config limit on number of unique targets that will be
 579        accepted. If more than this number of targets are present after target
 580        relabeling, Prometheus will mark the targets as failed without scraping them.
 581        0 means no limit. This is an experimental feature, this behaviour could
 582        change in the future.
 583      '';
 584    };
 585  };
 586
 587  #
 588  # Config types: service discovery
 589  #
 590
 591  # For this one, the docs actually define all types needed to use mkSdConfigModule, but a bunch
 592  # of them are marked with 'currently not support by Azure' so we don't bother adding them in
 593  # here.
 594  promTypes.azure_sd_config = types.submodule {
 595    options = {
 596      environment = mkDefOpt types.str "AzurePublicCloud" ''
 597        The Azure environment.
 598      '';
 599
 600      authentication_method =
 601        mkDefOpt
 602          (types.enum [
 603            "OAuth"
 604            "ManagedIdentity"
 605          ])
 606          "OAuth"
 607          ''
 608            The authentication method, either OAuth or ManagedIdentity.
 609            See <https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview>
 610          '';
 611
 612      subscription_id = mkOption {
 613        type = types.str;
 614        description = ''
 615          The subscription ID.
 616        '';
 617      };
 618
 619      tenant_id = mkOpt types.str ''
 620        Optional tenant ID. Only required with authentication_method OAuth.
 621      '';
 622
 623      client_id = mkOpt types.str ''
 624        Optional client ID. Only required with authentication_method OAuth.
 625      '';
 626
 627      client_secret = mkOpt types.str ''
 628        Optional client secret. Only required with authentication_method OAuth.
 629      '';
 630
 631      refresh_interval = mkDefOpt types.str "300s" ''
 632        Refresh interval to re-read the instance list.
 633      '';
 634
 635      port = mkDefOpt types.port "80" ''
 636        The port to scrape metrics from. If using the public IP
 637        address, this must instead be specified in the relabeling
 638        rule.
 639      '';
 640
 641      proxy_url = mkOpt types.str ''
 642        Optional proxy URL.
 643      '';
 644
 645      follow_redirects = mkDefOpt types.bool "true" ''
 646        Configure whether HTTP requests follow HTTP 3xx redirects.
 647      '';
 648
 649      tls_config = mkOpt promTypes.tls_config ''
 650        TLS configuration.
 651      '';
 652    };
 653  };
 654
 655  promTypes.consul_sd_config = mkSdConfigModule {
 656    server = mkDefOpt types.str "localhost:8500" ''
 657      Consul server to query.
 658    '';
 659
 660    token = mkOpt types.str "Consul token";
 661
 662    datacenter = mkOpt types.str "Consul datacenter";
 663
 664    scheme = mkDefOpt types.str "http" "Consul scheme";
 665
 666    username = mkOpt types.str "Consul username";
 667
 668    password = mkOpt types.str "Consul password";
 669
 670    tls_config = mkOpt promTypes.tls_config ''
 671      Configures the Consul request's TLS settings.
 672    '';
 673
 674    services = mkOpt (types.listOf types.str) ''
 675      A list of services for which targets are retrieved.
 676    '';
 677
 678    tags = mkOpt (types.listOf types.str) ''
 679      An optional list of tags used to filter nodes for a given
 680      service. Services must contain all tags in the list.
 681    '';
 682
 683    node_meta = mkOpt (types.attrsOf types.str) ''
 684      Node metadata used to filter nodes for a given service.
 685    '';
 686
 687    tag_separator = mkDefOpt types.str "," ''
 688      The string by which Consul tags are joined into the tag label.
 689    '';
 690
 691    allow_stale = mkOpt types.bool ''
 692      Allow stale Consul results
 693      (see <https://www.consul.io/api/index.html#consistency-modes>).
 694
 695      Will reduce load on Consul.
 696    '';
 697
 698    refresh_interval = mkDefOpt types.str "30s" ''
 699      The time after which the provided names are refreshed.
 700
 701      On large setup it might be a good idea to increase this value
 702      because the catalog will change all the time.
 703    '';
 704  };
 705
 706  promTypes.digitalocean_sd_config = mkSdConfigModule {
 707    port = mkDefOpt types.port "80" ''
 708      The port to scrape metrics from.
 709    '';
 710
 711    refresh_interval = mkDefOpt types.str "60s" ''
 712      The time after which the droplets are refreshed.
 713    '';
 714  };
 715
 716  mkDockerSdConfigModule =
 717    extraOptions:
 718    mkSdConfigModule (
 719      {
 720        host = mkOption {
 721          type = types.str;
 722          description = ''
 723            Address of the Docker daemon.
 724          '';
 725        };
 726
 727        port = mkDefOpt types.port "80" ''
 728          The port to scrape metrics from, when `role` is nodes, and for discovered
 729          tasks and services that don't have published ports.
 730        '';
 731
 732        filters =
 733          mkOpt
 734            (types.listOf (
 735              types.submodule {
 736                options = {
 737                  name = mkOption {
 738                    type = types.str;
 739                    description = ''
 740                      Name of the filter. The available filters are listed in the upstream documentation:
 741                      Services: <https://docs.docker.com/engine/api/v1.40/#operation/ServiceList>
 742                      Tasks: <https://docs.docker.com/engine/api/v1.40/#operation/TaskList>
 743                      Nodes: <https://docs.docker.com/engine/api/v1.40/#operation/NodeList>
 744                    '';
 745                  };
 746                  values = mkOption {
 747                    type = types.str;
 748                    description = ''
 749                      Value for the filter.
 750                    '';
 751                  };
 752                };
 753              }
 754            ))
 755            ''
 756              Optional filters to limit the discovery process to a subset of available resources.
 757            '';
 758
 759        refresh_interval = mkDefOpt types.str "60s" ''
 760          The time after which the containers are refreshed.
 761        '';
 762      }
 763      // extraOptions
 764    );
 765
 766  promTypes.docker_sd_config = mkDockerSdConfigModule {
 767    host_networking_host = mkDefOpt types.str "localhost" ''
 768      The host to use if the container is in host networking mode.
 769    '';
 770  };
 771
 772  promTypes.dockerswarm_sd_config = mkDockerSdConfigModule {
 773    role = mkOption {
 774      type = types.enum [
 775        "services"
 776        "tasks"
 777        "nodes"
 778      ];
 779      description = ''
 780        Role of the targets to retrieve. Must be `services`, `tasks`, or `nodes`.
 781      '';
 782    };
 783  };
 784
 785  promTypes.dns_sd_config = types.submodule {
 786    options = {
 787      names = mkOption {
 788        type = types.listOf types.str;
 789        description = ''
 790          A list of DNS SRV record names to be queried.
 791        '';
 792      };
 793
 794      type =
 795        mkDefOpt
 796          (types.enum [
 797            "SRV"
 798            "A"
 799            "AAAA"
 800            "MX"
 801            "NS"
 802          ])
 803          "SRV"
 804          ''
 805            The type of DNS query to perform.
 806          '';
 807
 808      port = mkOpt types.port ''
 809        The port number used if the query type is not SRV.
 810      '';
 811
 812      refresh_interval = mkDefOpt types.str "30s" ''
 813        The time after which the provided names are refreshed.
 814      '';
 815    };
 816  };
 817
 818  promTypes.ec2_sd_config = types.submodule {
 819    options = {
 820      region = mkOption {
 821        type = types.str;
 822        description = ''
 823          The AWS Region. If blank, the region from the instance metadata is used.
 824        '';
 825      };
 826      endpoint = mkOpt types.str ''
 827        Custom endpoint to be used.
 828      '';
 829
 830      access_key = mkOpt types.str ''
 831        The AWS API key id. If blank, the environment variable
 832        `AWS_ACCESS_KEY_ID` is used.
 833      '';
 834
 835      secret_key = mkOpt types.str ''
 836        The AWS API key secret. If blank, the environment variable
 837         `AWS_SECRET_ACCESS_KEY` is used.
 838      '';
 839
 840      profile = mkOpt types.str ''
 841        Named AWS profile used to connect to the API.
 842      '';
 843
 844      role_arn = mkOpt types.str ''
 845        AWS Role ARN, an alternative to using AWS API keys.
 846      '';
 847
 848      refresh_interval = mkDefOpt types.str "60s" ''
 849        Refresh interval to re-read the instance list.
 850      '';
 851
 852      port = mkDefOpt types.port "80" ''
 853        The port to scrape metrics from. If using the public IP
 854        address, this must instead be specified in the relabeling
 855        rule.
 856      '';
 857
 858      filters =
 859        mkOpt
 860          (types.listOf (
 861            types.submodule {
 862              options = {
 863                name = mkOption {
 864                  type = types.str;
 865                  description = ''
 866                    See [this list](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html)
 867                    for the available filters.
 868                  '';
 869                };
 870
 871                values = mkOption {
 872                  type = types.listOf types.str;
 873                  default = [ ];
 874                  description = ''
 875                    Value of the filter.
 876                  '';
 877                };
 878              };
 879            }
 880          ))
 881          ''
 882            Filters can be used optionally to filter the instance list by other criteria.
 883          '';
 884    };
 885  };
 886
 887  promTypes.eureka_sd_config = mkSdConfigModule {
 888    server = mkOption {
 889      type = types.str;
 890      description = ''
 891        The URL to connect to the Eureka server.
 892      '';
 893    };
 894  };
 895
 896  promTypes.file_sd_config = types.submodule {
 897    options = {
 898      files = mkOption {
 899        type = types.listOf types.str;
 900        description = ''
 901          Patterns for files from which target groups are extracted. Refer
 902          to the Prometheus documentation for permitted filename patterns
 903          and formats.
 904        '';
 905      };
 906
 907      refresh_interval = mkDefOpt types.str "5m" ''
 908        Refresh interval to re-read the files.
 909      '';
 910    };
 911  };
 912
 913  promTypes.gce_sd_config = types.submodule {
 914    options = {
 915      # Use `mkOption` instead of `mkOpt` for project and zone because they are
 916      # required configuration values for `gce_sd_config`.
 917      project = mkOption {
 918        type = types.str;
 919        description = ''
 920          The GCP Project.
 921        '';
 922      };
 923
 924      zone = mkOption {
 925        type = types.str;
 926        description = ''
 927          The zone of the scrape targets. If you need multiple zones use multiple
 928          gce_sd_configs.
 929        '';
 930      };
 931
 932      filter = mkOpt types.str ''
 933        Filter can be used optionally to filter the instance list by other
 934        criteria Syntax of this filter string is described here in the filter
 935        query parameter section: <https://cloud.google.com/compute/docs/reference/latest/instances/list>.
 936      '';
 937
 938      refresh_interval = mkDefOpt types.str "60s" ''
 939        Refresh interval to re-read the cloud instance list.
 940      '';
 941
 942      port = mkDefOpt types.port "80" ''
 943        The port to scrape metrics from. If using the public IP address, this
 944        must instead be specified in the relabeling rule.
 945      '';
 946
 947      tag_separator = mkDefOpt types.str "," ''
 948        The tag separator used to separate concatenated GCE instance network tags.
 949
 950        See the GCP documentation on network tags for more information:
 951        <https://cloud.google.com/vpc/docs/add-remove-network-tags>
 952      '';
 953    };
 954  };
 955
 956  promTypes.hetzner_sd_config = mkSdConfigModule {
 957    role = mkOption {
 958      type = types.enum [
 959        "robot"
 960        "hcloud"
 961      ];
 962      description = ''
 963        The Hetzner role of entities that should be discovered.
 964        One of `robot` or `hcloud`.
 965      '';
 966    };
 967
 968    port = mkDefOpt types.port "80" ''
 969      The port to scrape metrics from.
 970    '';
 971
 972    refresh_interval = mkDefOpt types.str "60s" ''
 973      The time after which the servers are refreshed.
 974    '';
 975  };
 976
 977  promTypes.http_sd_config = types.submodule {
 978    options = {
 979      url = mkOption {
 980        type = types.str;
 981        description = ''
 982          URL from which the targets are fetched.
 983        '';
 984      };
 985
 986      refresh_interval = mkDefOpt types.str "60s" ''
 987        Refresh interval to re-query the endpoint.
 988      '';
 989
 990      basic_auth = mkOpt promTypes.basic_auth ''
 991        Authentication information used to authenticate to the API server.
 992        password and password_file are mutually exclusive.
 993      '';
 994
 995      proxy_url = mkOpt types.str ''
 996        Optional proxy URL.
 997      '';
 998
 999      follow_redirects = mkDefOpt types.bool "true" ''
1000        Configure whether HTTP requests follow HTTP 3xx redirects.
1001      '';
1002
1003      tls_config = mkOpt promTypes.tls_config ''
1004        Configures the scrape request's TLS settings.
1005      '';
1006    };
1007  };
1008
1009  promTypes.kubernetes_sd_config = mkSdConfigModule {
1010    api_server = mkOpt types.str ''
1011      The API server addresses. If left empty, Prometheus is assumed to run inside
1012      of the cluster and will discover API servers automatically and use the pod's
1013      CA certificate and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/.
1014    '';
1015
1016    role = mkOption {
1017      type = types.enum [
1018        "endpoints"
1019        "service"
1020        "pod"
1021        "node"
1022        "ingress"
1023      ];
1024      description = ''
1025        The Kubernetes role of entities that should be discovered.
1026        One of endpoints, service, pod, node, or ingress.
1027      '';
1028    };
1029
1030    kubeconfig_file = mkOpt types.str ''
1031      Optional path to a kubeconfig file.
1032      Note that api_server and kube_config are mutually exclusive.
1033    '';
1034
1035    namespaces =
1036      mkOpt
1037        (types.submodule {
1038          options = {
1039            names = mkOpt (types.listOf types.str) ''
1040              Namespace name.
1041            '';
1042          };
1043        })
1044        ''
1045          Optional namespace discovery. If omitted, all namespaces are used.
1046        '';
1047
1048    selectors =
1049      mkOpt
1050        (types.listOf (
1051          types.submodule {
1052            options = {
1053              role = mkOption {
1054                type = types.str;
1055                description = ''
1056                  Selector role
1057                '';
1058              };
1059
1060              label = mkOpt types.str ''
1061                Selector label
1062              '';
1063
1064              field = mkOpt types.str ''
1065                Selector field
1066              '';
1067            };
1068          }
1069        ))
1070        ''
1071          Optional label and field selectors to limit the discovery process to a subset of available resources.
1072          See <https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/>
1073          and <https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/> to learn more about the possible
1074          filters that can be used. Endpoints role supports pod, service and endpoints selectors, other roles
1075          only support selectors matching the role itself (e.g. node role can only contain node selectors).
1076
1077          Note: When making decision about using field/label selector make sure that this
1078          is the best approach - it will prevent Prometheus from reusing single list/watch
1079          for all scrape configs. This might result in a bigger load on the Kubernetes API,
1080          because per each selector combination there will be additional LIST/WATCH. On the other hand,
1081          if you just want to monitor small subset of pods in large cluster it's recommended to use selectors.
1082          Decision, if selectors should be used or not depends on the particular situation.
1083        '';
1084  };
1085
1086  promTypes.kuma_sd_config = mkSdConfigModule {
1087    server = mkOption {
1088      type = types.str;
1089      description = ''
1090        Address of the Kuma Control Plane's MADS xDS server.
1091      '';
1092    };
1093
1094    refresh_interval = mkDefOpt types.str "30s" ''
1095      The time to wait between polling update requests.
1096    '';
1097
1098    fetch_timeout = mkDefOpt types.str "2m" ''
1099      The time after which the monitoring assignments are refreshed.
1100    '';
1101  };
1102
1103  promTypes.lightsail_sd_config = types.submodule {
1104    options = {
1105      region = mkOpt types.str ''
1106        The AWS region. If blank, the region from the instance metadata is used.
1107      '';
1108
1109      endpoint = mkOpt types.str ''
1110        Custom endpoint to be used.
1111      '';
1112
1113      access_key = mkOpt types.str ''
1114        The AWS API keys. If blank, the environment variable `AWS_ACCESS_KEY_ID` is used.
1115      '';
1116
1117      secret_key = mkOpt types.str ''
1118        The AWS API keys. If blank, the environment variable `AWS_SECRET_ACCESS_KEY` is used.
1119      '';
1120
1121      profile = mkOpt types.str ''
1122        Named AWS profile used to connect to the API.
1123      '';
1124
1125      role_arn = mkOpt types.str ''
1126        AWS Role ARN, an alternative to using AWS API keys.
1127      '';
1128
1129      refresh_interval = mkDefOpt types.str "60s" ''
1130        Refresh interval to re-read the instance list.
1131      '';
1132
1133      port = mkDefOpt types.port "80" ''
1134        The port to scrape metrics from. If using the public IP address, this must
1135        instead be specified in the relabeling rule.
1136      '';
1137    };
1138  };
1139
1140  promTypes.linode_sd_config = mkSdConfigModule {
1141    port = mkDefOpt types.port "80" ''
1142      The port to scrape metrics from.
1143    '';
1144
1145    tag_separator = mkDefOpt types.str "," ''
1146      The string by which Linode Instance tags are joined into the tag label.
1147    '';
1148
1149    refresh_interval = mkDefOpt types.str "60s" ''
1150      The time after which the linode instances are refreshed.
1151    '';
1152  };
1153
1154  promTypes.marathon_sd_config = mkSdConfigModule {
1155    servers = mkOption {
1156      type = types.listOf types.str;
1157      description = ''
1158        List of URLs to be used to contact Marathon servers. You need to provide at least one server URL.
1159      '';
1160    };
1161
1162    refresh_interval = mkDefOpt types.str "30s" ''
1163      Polling interval.
1164    '';
1165
1166    auth_token = mkOpt types.str ''
1167      Optional authentication information for token-based authentication:
1168      <https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token>
1169      It is mutually exclusive with `auth_token_file` and other authentication mechanisms.
1170    '';
1171
1172    auth_token_file = mkOpt types.str ''
1173      Optional authentication information for token-based authentication:
1174      <https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token>
1175      It is mutually exclusive with `auth_token` and other authentication mechanisms.
1176    '';
1177  };
1178
1179  promTypes.nerve_sd_config = types.submodule {
1180    options = {
1181      servers = mkOption {
1182        type = types.listOf types.str;
1183        description = ''
1184          The Zookeeper servers.
1185        '';
1186      };
1187
1188      paths = mkOption {
1189        type = types.listOf types.str;
1190        description = ''
1191          Paths can point to a single service, or the root of a tree of services.
1192        '';
1193      };
1194
1195      timeout = mkDefOpt types.str "10s" ''
1196        Timeout value.
1197      '';
1198    };
1199  };
1200
1201  promTypes.openstack_sd_config = types.submodule {
1202    options =
1203      let
1204        userDescription = ''
1205          username is required if using Identity V2 API. Consult with your provider's
1206          control panel to discover your account's username. In Identity V3, either
1207          userid or a combination of username and domain_id or domain_name are needed.
1208        '';
1209
1210        domainDescription = ''
1211          At most one of domain_id and domain_name must be provided if using username
1212          with Identity V3. Otherwise, either are optional.
1213        '';
1214
1215        projectDescription = ''
1216          The project_id and project_name fields are optional for the Identity V2 API.
1217          Some providers allow you to specify a project_name instead of the project_id.
1218          Some require both. Your provider's authentication policies will determine
1219          how these fields influence authentication.
1220        '';
1221
1222        applicationDescription = ''
1223          The application_credential_id or application_credential_name fields are
1224          required if using an application credential to authenticate. Some providers
1225          allow you to create an application credential to authenticate rather than a
1226          password.
1227        '';
1228      in
1229      {
1230        role = mkOption {
1231          type = types.str;
1232          description = ''
1233            The OpenStack role of entities that should be discovered.
1234          '';
1235        };
1236
1237        region = mkOption {
1238          type = types.str;
1239          description = ''
1240            The OpenStack Region.
1241          '';
1242        };
1243
1244        identity_endpoint = mkOpt types.str ''
1245          identity_endpoint specifies the HTTP endpoint that is required to work with
1246          the Identity API of the appropriate version. While it's ultimately needed by
1247          all of the identity services, it will often be populated by a provider-level
1248          function.
1249        '';
1250
1251        username = mkOpt types.str userDescription;
1252        userid = mkOpt types.str userDescription;
1253
1254        password = mkOpt types.str ''
1255          password for the Identity V2 and V3 APIs. Consult with your provider's
1256          control panel to discover your account's preferred method of authentication.
1257        '';
1258
1259        domain_name = mkOpt types.str domainDescription;
1260        domain_id = mkOpt types.str domainDescription;
1261
1262        project_name = mkOpt types.str projectDescription;
1263        project_id = mkOpt types.str projectDescription;
1264
1265        application_credential_name = mkOpt types.str applicationDescription;
1266        application_credential_id = mkOpt types.str applicationDescription;
1267
1268        application_credential_secret = mkOpt types.str ''
1269          The application_credential_secret field is required if using an application
1270          credential to authenticate.
1271        '';
1272
1273        all_tenants = mkDefOpt types.bool "false" ''
1274          Whether the service discovery should list all instances for all projects.
1275          It is only relevant for the 'instance' role and usually requires admin permissions.
1276        '';
1277
1278        refresh_interval = mkDefOpt types.str "60s" ''
1279          Refresh interval to re-read the instance list.
1280        '';
1281
1282        port = mkDefOpt types.port "80" ''
1283          The port to scrape metrics from. If using the public IP address, this must
1284          instead be specified in the relabeling rule.
1285        '';
1286
1287        availability =
1288          mkDefOpt
1289            (types.enum [
1290              "public"
1291              "admin"
1292              "internal"
1293            ])
1294            "public"
1295            ''
1296              The availability of the endpoint to connect to. Must be one of public, admin or internal.
1297            '';
1298
1299        tls_config = mkOpt promTypes.tls_config ''
1300          TLS configuration.
1301        '';
1302      };
1303  };
1304
1305  promTypes.puppetdb_sd_config = mkSdConfigModule {
1306    url = mkOption {
1307      type = types.str;
1308      description = ''
1309        The URL of the PuppetDB root query endpoint.
1310      '';
1311    };
1312
1313    query = mkOption {
1314      type = types.str;
1315      description = ''
1316        Puppet Query Language (PQL) query. Only resources are supported.
1317        <https://puppet.com/docs/puppetdb/latest/api/query/v4/pql.html>
1318      '';
1319    };
1320
1321    include_parameters = mkDefOpt types.bool "false" ''
1322      Whether to include the parameters as meta labels.
1323      Due to the differences between parameter types and Prometheus labels,
1324      some parameters might not be rendered. The format of the parameters might
1325      also change in future releases.
1326
1327      Note: Enabling this exposes parameters in the Prometheus UI and API. Make sure
1328      that you don't have secrets exposed as parameters if you enable this.
1329    '';
1330
1331    refresh_interval = mkDefOpt types.str "60s" ''
1332      Refresh interval to re-read the resources list.
1333    '';
1334
1335    port = mkDefOpt types.port "80" ''
1336      The port to scrape metrics from.
1337    '';
1338  };
1339
1340  promTypes.scaleway_sd_config = types.submodule {
1341    options = {
1342      access_key = mkOption {
1343        type = types.str;
1344        description = ''
1345          Access key to use. <https://console.scaleway.com/project/credentials>
1346        '';
1347      };
1348
1349      secret_key = mkOpt types.str ''
1350        Secret key to use when listing targets. <https://console.scaleway.com/project/credentials>
1351        It is mutually exclusive with `secret_key_file`.
1352      '';
1353
1354      secret_key_file = mkOpt types.str ''
1355        Sets the secret key with the credentials read from the configured file.
1356        It is mutually exclusive with `secret_key`.
1357      '';
1358
1359      project_id = mkOption {
1360        type = types.str;
1361        description = ''
1362          Project ID of the targets.
1363        '';
1364      };
1365
1366      role = mkOption {
1367        type = types.enum [
1368          "instance"
1369          "baremetal"
1370        ];
1371        description = ''
1372          Role of the targets to retrieve. Must be `instance` or `baremetal`.
1373        '';
1374      };
1375
1376      port = mkDefOpt types.port "80" ''
1377        The port to scrape metrics from.
1378      '';
1379
1380      api_url = mkDefOpt types.str "https://api.scaleway.com" ''
1381        API URL to use when doing the server listing requests.
1382      '';
1383
1384      zone = mkDefOpt types.str "fr-par-1" ''
1385        Zone is the availability zone of your targets (e.g. fr-par-1).
1386      '';
1387
1388      name_filter = mkOpt types.str ''
1389        Specify a name filter (works as a LIKE) to apply on the server listing request.
1390      '';
1391
1392      tags_filter = mkOpt (types.listOf types.str) ''
1393        Specify a tag filter (a server needs to have all defined tags to be listed) to apply on the server listing request.
1394      '';
1395
1396      refresh_interval = mkDefOpt types.str "60s" ''
1397        Refresh interval to re-read the managed targets list.
1398      '';
1399
1400      proxy_url = mkOpt types.str ''
1401        Optional proxy URL.
1402      '';
1403
1404      follow_redirects = mkDefOpt types.bool "true" ''
1405        Configure whether HTTP requests follow HTTP 3xx redirects.
1406      '';
1407
1408      tls_config = mkOpt promTypes.tls_config ''
1409        TLS configuration.
1410      '';
1411    };
1412  };
1413
1414  # These are exactly the same.
1415  promTypes.serverset_sd_config = promTypes.nerve_sd_config;
1416
1417  promTypes.triton_sd_config = types.submodule {
1418    options = {
1419      account = mkOption {
1420        type = types.str;
1421        description = ''
1422          The account to use for discovering new targets.
1423        '';
1424      };
1425
1426      role =
1427        mkDefOpt
1428          (types.enum [
1429            "container"
1430            "cn"
1431          ])
1432          "container"
1433          ''
1434            The type of targets to discover, can be set to:
1435            - "container" to discover virtual machines (SmartOS zones, lx/KVM/bhyve branded zones) running on Triton
1436            - "cn" to discover compute nodes (servers/global zones) making up the Triton infrastructure
1437          '';
1438
1439      dns_suffix = mkOption {
1440        type = types.str;
1441        description = ''
1442          The DNS suffix which should be applied to target.
1443        '';
1444      };
1445
1446      endpoint = mkOption {
1447        type = types.str;
1448        description = ''
1449          The Triton discovery endpoint (e.g. `cmon.us-east-3b.triton.zone`). This is
1450          often the same value as dns_suffix.
1451        '';
1452      };
1453
1454      groups = mkOpt (types.listOf types.str) ''
1455        A list of groups for which targets are retrieved, only supported when targeting the `container` role.
1456        If omitted all containers owned by the requesting account are scraped.
1457      '';
1458
1459      port = mkDefOpt types.port "9163" ''
1460        The port to use for discovery and metric scraping.
1461      '';
1462
1463      refresh_interval = mkDefOpt types.str "60s" ''
1464        The interval which should be used for refreshing targets.
1465      '';
1466
1467      version = mkDefOpt types.int "1" ''
1468        The Triton discovery API version.
1469      '';
1470
1471      tls_config = mkOpt promTypes.tls_config ''
1472        TLS configuration.
1473      '';
1474    };
1475  };
1476
1477  promTypes.uyuni_sd_config = mkSdConfigModule {
1478    server = mkOption {
1479      type = types.str;
1480      description = ''
1481        The URL to connect to the Uyuni server.
1482      '';
1483    };
1484
1485    username = mkOption {
1486      type = types.str;
1487      description = ''
1488        Credentials are used to authenticate the requests to Uyuni API.
1489      '';
1490    };
1491
1492    password = mkOption {
1493      type = types.str;
1494      description = ''
1495        Credentials are used to authenticate the requests to Uyuni API.
1496      '';
1497    };
1498
1499    entitlement = mkDefOpt types.str "monitoring_entitled" ''
1500      The entitlement string to filter eligible systems.
1501    '';
1502
1503    separator = mkDefOpt types.str "," ''
1504      The string by which Uyuni group names are joined into the groups label
1505    '';
1506
1507    refresh_interval = mkDefOpt types.str "60s" ''
1508      Refresh interval to re-read the managed targets list.
1509    '';
1510  };
1511
1512  promTypes.static_config = types.submodule {
1513    options = {
1514      targets = mkOption {
1515        type = types.listOf types.str;
1516        description = ''
1517          The targets specified by the target group.
1518        '';
1519      };
1520      labels = mkOption {
1521        type = types.attrsOf types.str;
1522        default = { };
1523        description = ''
1524          Labels assigned to all metrics scraped from the targets.
1525        '';
1526      };
1527    };
1528  };
1529
1530  #
1531  # Config types: relabling
1532  #
1533
1534  promTypes.relabel_config = types.submodule {
1535    options = {
1536      source_labels = mkOpt (types.listOf types.str) ''
1537        The source labels select values from existing labels. Their content
1538        is concatenated using the configured separator and matched against
1539        the configured regular expression.
1540      '';
1541
1542      separator = mkDefOpt types.str ";" ''
1543        Separator placed between concatenated source label values.
1544      '';
1545
1546      target_label = mkOpt types.str ''
1547        Label to which the resulting value is written in a replace action.
1548        It is mandatory for replace actions.
1549      '';
1550
1551      regex = mkDefOpt types.str "(.*)" ''
1552        Regular expression against which the extracted value is matched.
1553      '';
1554
1555      modulus = mkOpt types.int ''
1556        Modulus to take of the hash of the source label values.
1557      '';
1558
1559      replacement = mkDefOpt types.str "$1" ''
1560        Replacement value against which a regex replace is performed if the
1561        regular expression matches.
1562      '';
1563
1564      action =
1565        mkDefOpt
1566          (types.enum [
1567            "replace"
1568            "lowercase"
1569            "uppercase"
1570            "keep"
1571            "drop"
1572            "hashmod"
1573            "labelmap"
1574            "labeldrop"
1575            "labelkeep"
1576          ])
1577          "replace"
1578          ''
1579            Action to perform based on regex matching.
1580          '';
1581    };
1582  };
1583
1584  #
1585  # Config types : remote read / write
1586  #
1587
1588  promTypes.remote_write = types.submodule {
1589    options = {
1590      url = mkOption {
1591        type = types.str;
1592        description = ''
1593          ServerName extension to indicate the name of the server.
1594          http://tools.ietf.org/html/rfc4366#section-3.1
1595        '';
1596      };
1597      remote_timeout = mkOpt types.str ''
1598        Timeout for requests to the remote write endpoint.
1599      '';
1600      headers = mkOpt (types.attrsOf types.str) ''
1601        Custom HTTP headers to be sent along with each remote write request.
1602        Be aware that headers that are set by Prometheus itself can't be overwritten.
1603      '';
1604      write_relabel_configs = mkOpt (types.listOf promTypes.relabel_config) ''
1605        List of remote write relabel configurations.
1606      '';
1607      name = mkOpt types.str ''
1608        Name of the remote write config, which if specified must be unique among remote write configs.
1609        The name will be used in metrics and logging in place of a generated value to help users distinguish between
1610        remote write configs.
1611      '';
1612      basic_auth = mkOpt promTypes.basic_auth ''
1613        Sets the `Authorization` header on every remote write request with the
1614        configured username and password.
1615        password and password_file are mutually exclusive.
1616      '';
1617      bearer_token = mkOpt types.str ''
1618        Sets the `Authorization` header on every remote write request with
1619        the configured bearer token. It is mutually exclusive with `bearer_token_file`.
1620      '';
1621      bearer_token_file = mkOpt types.str ''
1622        Sets the `Authorization` header on every remote write request with the bearer token
1623        read from the configured file. It is mutually exclusive with `bearer_token`.
1624      '';
1625      sigv4 = mkOpt promTypes.sigv4 ''
1626        Configures AWS Signature Version 4 settings.
1627      '';
1628      tls_config = mkOpt promTypes.tls_config ''
1629        Configures the remote write request's TLS settings.
1630      '';
1631      proxy_url = mkOpt types.str "Optional Proxy URL.";
1632      queue_config =
1633        mkOpt
1634          (types.submodule {
1635            options = {
1636              capacity = mkOpt types.int ''
1637                Number of samples to buffer per shard before we block reading of more
1638                samples from the WAL. It is recommended to have enough capacity in each
1639                shard to buffer several requests to keep throughput up while processing
1640                occasional slow remote requests.
1641              '';
1642              max_shards = mkOpt types.int ''
1643                Maximum number of shards, i.e. amount of concurrency.
1644              '';
1645              min_shards = mkOpt types.int ''
1646                Minimum number of shards, i.e. amount of concurrency.
1647              '';
1648              max_samples_per_send = mkOpt types.int ''
1649                Maximum number of samples per send.
1650              '';
1651              batch_send_deadline = mkOpt types.str ''
1652                Maximum time a sample will wait in buffer.
1653              '';
1654              min_backoff = mkOpt types.str ''
1655                Initial retry delay. Gets doubled for every retry.
1656              '';
1657              max_backoff = mkOpt types.str ''
1658                Maximum retry delay.
1659              '';
1660            };
1661          })
1662          ''
1663            Configures the queue used to write to remote storage.
1664          '';
1665      metadata_config =
1666        mkOpt
1667          (types.submodule {
1668            options = {
1669              send = mkOpt types.bool ''
1670                Whether metric metadata is sent to remote storage or not.
1671              '';
1672              send_interval = mkOpt types.str ''
1673                How frequently metric metadata is sent to remote storage.
1674              '';
1675            };
1676          })
1677          ''
1678            Configures the sending of series metadata to remote storage.
1679            Metadata configuration is subject to change at any point
1680            or be removed in future releases.
1681          '';
1682    };
1683  };
1684
1685  promTypes.remote_read = types.submodule {
1686    options = {
1687      url = mkOption {
1688        type = types.str;
1689        description = ''
1690          ServerName extension to indicate the name of the server.
1691          http://tools.ietf.org/html/rfc4366#section-3.1
1692        '';
1693      };
1694      name = mkOpt types.str ''
1695        Name of the remote read config, which if specified must be unique among remote read configs.
1696        The name will be used in metrics and logging in place of a generated value to help users distinguish between
1697        remote read configs.
1698      '';
1699      required_matchers = mkOpt (types.attrsOf types.str) ''
1700        An optional list of equality matchers which have to be
1701        present in a selector to query the remote read endpoint.
1702      '';
1703      remote_timeout = mkOpt types.str ''
1704        Timeout for requests to the remote read endpoint.
1705      '';
1706      headers = mkOpt (types.attrsOf types.str) ''
1707        Custom HTTP headers to be sent along with each remote read request.
1708        Be aware that headers that are set by Prometheus itself can't be overwritten.
1709      '';
1710      read_recent = mkOpt types.bool ''
1711        Whether reads should be made for queries for time ranges that
1712        the local storage should have complete data for.
1713      '';
1714      basic_auth = mkOpt promTypes.basic_auth ''
1715        Sets the `Authorization` header on every remote read request with the
1716        configured username and password.
1717        password and password_file are mutually exclusive.
1718      '';
1719      bearer_token = mkOpt types.str ''
1720        Sets the `Authorization` header on every remote read request with
1721        the configured bearer token. It is mutually exclusive with `bearer_token_file`.
1722      '';
1723      bearer_token_file = mkOpt types.str ''
1724        Sets the `Authorization` header on every remote read request with the bearer token
1725        read from the configured file. It is mutually exclusive with `bearer_token`.
1726      '';
1727      tls_config = mkOpt promTypes.tls_config ''
1728        Configures the remote read request's TLS settings.
1729      '';
1730      proxy_url = mkOpt types.str "Optional Proxy URL.";
1731    };
1732  };
1733
1734in
1735{
1736
1737  imports = [
1738    (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ])
1739    (mkRemovedOptionModule [ "services" "prometheus" "environmentFile" ]
1740      "It has been removed since it was causing issues (https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`."
1741    )
1742    (mkRemovedOptionModule [
1743      "services"
1744      "prometheus"
1745      "alertmanagerTimeout"
1746    ] "Deprecated upstream and no longer had any effect")
1747  ];
1748
1749  options.services.prometheus = {
1750
1751    enable = mkEnableOption "Prometheus monitoring daemon";
1752
1753    package = mkPackageOption pkgs "prometheus" { };
1754
1755    port = mkOption {
1756      type = types.port;
1757      default = 9090;
1758      description = ''
1759        Port to listen on.
1760      '';
1761    };
1762
1763    listenAddress = mkOption {
1764      type = types.str;
1765      default = "0.0.0.0";
1766      description = ''
1767        Address to listen on for the web interface, API, and telemetry.
1768      '';
1769    };
1770
1771    stateDir = mkOption {
1772      type = types.str;
1773      default = "prometheus2";
1774      description = ''
1775        Directory below `/var/lib` to store Prometheus metrics data.
1776        This directory will be created automatically using systemd's StateDirectory mechanism.
1777      '';
1778    };
1779
1780    extraFlags = mkOption {
1781      type = types.listOf types.str;
1782      default = [ ];
1783      description = ''
1784        Extra commandline options when launching Prometheus.
1785      '';
1786    };
1787
1788    enableReload = mkOption {
1789      default = false;
1790      type = types.bool;
1791      description = ''
1792        Reload prometheus when configuration file changes (instead of restart).
1793
1794        The following property holds: switching to a configuration
1795        (`switch-to-configuration`) that changes the prometheus
1796        configuration only finishes successfully when prometheus has finished
1797        loading the new configuration.
1798      '';
1799    };
1800
1801    enableAgentMode = mkEnableOption "agent mode";
1802
1803    configText = mkOption {
1804      type = types.nullOr types.lines;
1805      default = null;
1806      description = ''
1807        If non-null, this option defines the text that is written to
1808        prometheus.yml. If null, the contents of prometheus.yml is generated
1809        from the structured config options.
1810      '';
1811    };
1812
1813    globalConfig = mkOption {
1814      type = promTypes.globalConfig;
1815      default = { };
1816      description = ''
1817        Parameters that are valid in all  configuration contexts. They
1818        also serve as defaults for other configuration sections
1819      '';
1820    };
1821
1822    remoteRead = mkOption {
1823      type = types.listOf promTypes.remote_read;
1824      default = [ ];
1825      description = ''
1826        Parameters of the endpoints to query from.
1827        See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read) for more information.
1828      '';
1829    };
1830
1831    remoteWrite = mkOption {
1832      type = types.listOf promTypes.remote_write;
1833      default = [ ];
1834      description = ''
1835        Parameters of the endpoints to send samples to.
1836        See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write) for more information.
1837      '';
1838    };
1839
1840    rules = mkOption {
1841      type = types.listOf types.str;
1842      default = [ ];
1843      description = ''
1844        Alerting and/or Recording rules to evaluate at runtime.
1845      '';
1846    };
1847
1848    ruleFiles = mkOption {
1849      type = types.listOf types.path;
1850      default = [ ];
1851      description = ''
1852        Any additional rules files to include in this configuration.
1853      '';
1854    };
1855
1856    scrapeConfigs = mkOption {
1857      type = types.listOf promTypes.scrape_config;
1858      default = [ ];
1859      description = ''
1860        A list of scrape configurations.
1861      '';
1862    };
1863
1864    alertmanagers = mkOption {
1865      type = types.listOf types.attrs;
1866      example = literalExpression ''
1867        [ {
1868          scheme = "https";
1869          path_prefix = "/alertmanager";
1870          static_configs = [ {
1871            targets = [
1872              "prometheus.domain.tld"
1873            ];
1874          } ];
1875        } ]
1876      '';
1877      default = [ ];
1878      description = ''
1879        A list of alertmanagers to send alerts to.
1880        See [the official documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config) for more information.
1881      '';
1882    };
1883
1884    alertmanagerNotificationQueueCapacity = mkOption {
1885      type = types.int;
1886      default = 10000;
1887      description = ''
1888        The capacity of the queue for pending alert manager notifications.
1889      '';
1890    };
1891
1892    webExternalUrl = mkOption {
1893      type = types.nullOr types.str;
1894      default = null;
1895      example = "https://example.com/";
1896      description = ''
1897        The URL under which Prometheus is externally reachable (for example,
1898        if Prometheus is served via a reverse proxy).
1899      '';
1900    };
1901
1902    webConfigFile = mkOption {
1903      type = types.nullOr types.path;
1904      default = null;
1905      description = ''
1906        Specifies which file should be used as web.config.file and be passed on startup.
1907        See <https://prometheus.io/docs/prometheus/latest/configuration/https/> for valid options.
1908      '';
1909    };
1910
1911    checkConfig = mkOption {
1912      type = with types; either bool (enum [ "syntax-only" ]);
1913      default = true;
1914      example = "syntax-only";
1915      description = ''
1916        Check configuration with `promtool check`. The call to `promtool` is
1917        subject to sandboxing by Nix.
1918
1919        If you use credentials stored in external files
1920        (`password_file`, `bearer_token_file`, etc),
1921        they will not be visible to `promtool`
1922        and it will report errors, despite a correct configuration.
1923        To resolve this, you may set this option to `"syntax-only"`
1924        in order to only syntax check the Prometheus configuration.
1925      '';
1926    };
1927
1928    retentionTime = mkOption {
1929      type = types.nullOr types.str;
1930      default = null;
1931      example = "15d";
1932      description = ''
1933        How long to retain samples in storage.
1934      '';
1935    };
1936  };
1937
1938  config = mkIf cfg.enable {
1939    assertions = [
1940      (
1941        let
1942          # Match something with dots (an IPv4 address) or something ending in
1943          # a square bracket (an IPv6 addresses) followed by a port number.
1944          legacy = builtins.match "(.*\\..*|.*]):([[:digit:]]+)" cfg.listenAddress;
1945        in
1946        {
1947          assertion = legacy == null;
1948          message = ''
1949            Do not specify the port for Prometheus to listen on in the
1950            listenAddress option; use the port option instead:
1951              services.prometheus.listenAddress = ${builtins.elemAt legacy 0};
1952              services.prometheus.port = ${builtins.elemAt legacy 1};
1953          '';
1954        }
1955      )
1956    ];
1957
1958    users.groups.prometheus.gid = config.ids.gids.prometheus;
1959    users.users.prometheus = {
1960      description = "Prometheus daemon user";
1961      uid = config.ids.uids.prometheus;
1962      group = "prometheus";
1963    };
1964    environment.etc."prometheus/prometheus.yaml" = mkIf cfg.enableReload {
1965      source = prometheusYml;
1966    };
1967    systemd.services.prometheus = {
1968      wantedBy = [ "multi-user.target" ];
1969      after = [ "network.target" ];
1970      serviceConfig = {
1971        ExecStart =
1972          "${cfg.package}/bin/prometheus"
1973          + optionalString (length cmdlineArgs != 0) (" \\\n  " + concatStringsSep " \\\n  " cmdlineArgs);
1974        ExecReload = mkIf cfg.enableReload "+${reload}/bin/reload-prometheus";
1975        User = "prometheus";
1976        Restart = "always";
1977        RuntimeDirectory = "prometheus";
1978        RuntimeDirectoryMode = "0700";
1979        WorkingDirectory = workingDir;
1980        StateDirectory = cfg.stateDir;
1981        StateDirectoryMode = "0700";
1982        # Hardening
1983        DeviceAllow = [ "/dev/null rw" ];
1984        DevicePolicy = "strict";
1985        LockPersonality = true;
1986        MemoryDenyWriteExecute = true;
1987        NoNewPrivileges = true;
1988        PrivateDevices = true;
1989        PrivateTmp = true;
1990        PrivateUsers = true;
1991        ProtectClock = true;
1992        ProtectControlGroups = true;
1993        ProtectHome = true;
1994        ProtectHostname = true;
1995        ProtectKernelLogs = true;
1996        ProtectKernelModules = true;
1997        ProtectKernelTunables = true;
1998        ProtectProc = "invisible";
1999        ProtectSystem = "full";
2000        RemoveIPC = true;
2001        RestrictAddressFamilies = [
2002          "AF_INET"
2003          "AF_INET6"
2004          "AF_UNIX"
2005        ];
2006        RestrictNamespaces = true;
2007        RestrictRealtime = true;
2008        RestrictSUIDSGID = true;
2009        SystemCallArchitectures = "native";
2010        SystemCallFilter = [
2011          "@system-service"
2012          "~@privileged"
2013        ];
2014      };
2015    };
2016    # prometheus-config-reload will activate after prometheus. However, what we
2017    # don't want is that on startup it immediately reloads prometheus because
2018    # prometheus itself might have just started.
2019    #
2020    # Instead we only want to reload prometheus when the config file has
2021    # changed. So on startup prometheus-config-reload will just output a
2022    # harmless message and then stay active (RemainAfterExit).
2023    #
2024    # Then, when the config file has changed, switch-to-configuration notices
2025    # that this service has changed (restartTriggers) and needs to be reloaded
2026    # (reloadIfChanged). The reload command then reloads prometheus.
2027    systemd.services.prometheus-config-reload = mkIf cfg.enableReload {
2028      wantedBy = [ "prometheus.service" ];
2029      after = [ "prometheus.service" ];
2030      reloadIfChanged = true;
2031      restartTriggers = [ prometheusYml ];
2032      serviceConfig = {
2033        Type = "oneshot";
2034        RemainAfterExit = true;
2035        TimeoutSec = 60;
2036        ExecStart = "${pkgs.logger}/bin/logger 'prometheus-config-reload will only reload prometheus when reloaded itself.'";
2037        ExecReload = [ "${triggerReload}/bin/trigger-reload-prometheus" ];
2038      };
2039    };
2040  };
2041}