From 89f9196ef0405d2b82a8330a4e00f45c5a8b7e28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Fri, 4 Apr 2025 21:35:24 +0800
Subject: [PATCH] fix(victorialogs): Use new upstream module

---
 .../services/metrics/victorialogs.nix         | 100 +++---------------
 1 file changed, 12 insertions(+), 88 deletions(-)

diff --git a/configuration/services/metrics/victorialogs.nix b/configuration/services/metrics/victorialogs.nix
index ed74c59..ae47c39 100644
--- a/configuration/services/metrics/victorialogs.nix
+++ b/configuration/services/metrics/victorialogs.nix
@@ -1,37 +1,26 @@
 {
   config,
-  pkgs,
   lib,
   ...
 }:
 let
   cfg = config.services.victorialogs;
-  pkg = pkgs.victoriametrics;
-  dirname = "victorialogs";
 in
 {
-  options.services.victorialogs =
-    let
-      inherit (lib.types) str;
-    in
-    {
-      listenAddress = lib.mkOption {
-        default = ":9428";
-        type = str;
-      };
-
-      bindAddress = lib.mkOption {
-        readOnly = true;
-        type = str;
-        description = ''
-          Final address on which victorialogs listens.
-        '';
-      };
-    };
+  options.services.victorialogs.bindAddress = lib.mkOption {
+    readOnly = true;
+    type = lib.types.str;
+    description = ''
+      Final address on which victorialogs listens.
+    '';
+  };
 
   config = {
-    services.victorialogs.bindAddress =
-      (lib.optionalString (lib.hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
+    services.victorialogs = {
+      enable = true;
+      bindAddress =
+        (lib.optionalString (lib.hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
+    };
 
     services.journald.upload = {
       enable = true;
@@ -40,71 +29,6 @@ in
         NetworkTimeoutSec = "20s";
       };
     };
-
     systemd.services."systemd-journal-upload".after = [ "victorialogs.service" ];
-
-    systemd.services.victorialogs = {
-      description = "VictoriaLogs log database";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-      startLimitBurst = 5;
-
-      serviceConfig = {
-        ExecStart = lib.escapeShellArgs [
-          "${pkg}/bin/victoria-logs"
-          "-storageDataPath=/var/lib/${dirname}"
-          "-httpListenAddr=${cfg.listenAddress}"
-        ];
-
-        DynamicUser = true;
-        RestartSec = 1;
-        Restart = "on-failure";
-        RuntimeDirectory = dirname;
-        RuntimeDirectoryMode = "0700";
-        StateDirectory = dirname;
-        StateDirectoryMode = "0700";
-
-        LimitNOFILE = 1048576;
-
-        # Hardening
-        DeviceAllow = [ "/dev/null rw" ];
-        DevicePolicy = "strict";
-        LockPersonality = true;
-        MemoryDenyWriteExecute = true;
-        NoNewPrivileges = true;
-        PrivateDevices = true;
-        PrivateTmp = true;
-        PrivateUsers = true;
-        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProtectSystem = "full";
-        RemoveIPC = true;
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-          "AF_UNIX"
-        ];
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        SystemCallArchitectures = "native";
-        SystemCallFilter = [
-          "@system-service"
-          "~@privileged"
-        ];
-      };
-
-      postStart = lib.mkBefore ''
-        until ${lib.getBin pkgs.curl}/bin/curl -s -o /dev/null http://${cfg.bindAddress}/ping; do
-          sleep 1;
-        done
-      '';
-    };
   };
 }