diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix
index b872833..664a6b1 100644
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@@ -52,7 +52,7 @@ in {
 name = "Victorialogs - tlater.net";
- url = "http://${config.services.victorialogs.bindAddress}";
+ url = "http://127.0.0.1::9428";
 type = "victoriametrics-logs-datasource";
 access = "proxy";
 }
diff --git a/configuration/services/metrics/victorialogs.nix b/configuration/services/metrics/victorialogs.nix
index ed74c59..258fcf6 100644
--- a/configuration/services/metrics/victorialogs.nix
+++ b/configuration/services/metrics/victorialogs.nix
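Review bot: The new datasource URL `http://127.0.0.1::9428` has a doubled colon, so Grafana is handed a malformed host:port and the VictoriaLogs datasource will not connect; the line should read `url = "http://127.0.0.1:9428";`. Hard-coding the address here also diverges from victorialogs.nix, which in the same commit still derives its bind address from `config.services.victorialogs.listenAddress`, so a later change to that option would not be reflected in the datasource. Consider computing this URL from the same expression, or exposing the computed address once as a module option, so both files stay in agreement. The enclosing datasource attribute set starts before this hunk.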
@@ -1,110 +1,22 @@
 {
 config,
- pkgs,
 lib,
 ...
 }:
 let
- cfg = config.services.victorialogs;
- pkg = pkgs.victoriametrics;
- dirname = "victorialogs";
+ listenAddress = config.services.victorialogs.listenAddress;
+ bindAddress = (lib.optionalString (lib.hasPrefix ":" listenAddress) "127.0.0.1") + listenAddress;
 in {
- options.services.victorialogs =
- let
- inherit (lib.types) str;
- in
- {
- listenAddress = lib.mkOption {
- default = ":9428";
- type = str;
- };
+ services.victorialogs.enable = true;
- bindAddress = lib.mkOption {
- readOnly = true;
- type = str;
- description = ''
- Final address on which victorialogs listens.
- '';
- };
- };
-
- config = {
- services.victorialogs.bindAddress =
- (lib.optionalString (lib.hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
-
- services.journald.upload = {
- enable = true;
- settings.Upload = {
- URL = "http://${cfg.bindAddress}/insert/journald";
- NetworkTimeoutSec = "20s";
- };
- };
-
- systemd.services."systemd-journal-upload".after = [ "victorialogs.service" ];
-
- systemd.services.victorialogs = {
- description = "VictoriaLogs log database";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
- startLimitBurst = 5;
-
- serviceConfig = {
- ExecStart = lib.escapeShellArgs [
- "${pkg}/bin/victoria-logs"
- "-storageDataPath=/var/lib/${dirname}"
- "-httpListenAddr=${cfg.listenAddress}"
- ];
-
- DynamicUser = true;
- RestartSec = 1;
- Restart = "on-failure";
- RuntimeDirectory = dirname;
- RuntimeDirectoryMode = "0700";
- StateDirectory = dirname;
- StateDirectoryMode = "0700";
-
- LimitNOFILE = 1048576;
-
- # Hardening
- DeviceAllow = [ "/dev/null rw" ];
- DevicePolicy = "strict";
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "full";
- RemoveIPC = true;
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- "AF_UNIX"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "~@privileged"
- ];
- };
-
- postStart = lib.mkBefore ''
- until ${lib.getBin pkgs.curl}/bin/curl -s -o /dev/null http://${cfg.bindAddress}/ping; do
- sleep 1;
- done
- '';
+ services.journald.upload = {
+ enable = true;
+ settings.Upload = {
+ URL = "http://${bindAddress}/insert/journald";
+ NetworkTimeoutSec = "20s";
 };
 };
+
+ systemd.services."systemd-journal-upload".after = [ "victorialogs.service" ];
 }
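Review bot: The `postStart` readiness loop that polled `/ping` is removed along with the hand-written unit, but `systemd.services."systemd-journal-upload".after = [ "victorialogs.service" ]` is kept, so the ordering now only waits for the VictoriaLogs process to be started, not for its HTTP listener to accept connections, and the first journal uploads can fail until the 20s `NetworkTimeoutSec` and retries cover the gap. Re-adding the wait on top of the upstream unit keeps the old guarantee; it needs `pkgs` back in the module arguments for `curl`. The same deletion drops the whole hardening block (DynamicUser, ProtectSystem, SystemCallFilter, RestrictAddressFamilies and friends); whether the upstream `services.victorialogs` unit carries equivalent confinement is not visible in this diff and is worth confirming, re-applying any missing settings via `systemd.services.victorialogs.serviceConfig` if not. The `bindAddress` binding that previously was a read-only option is now file-local, so the Grafana datasource in the first hunk has to hard-code the same value by hand.
```nix
{
  config,
  pkgs,
  lib,
  ...
}:
# … unchanged: let-bindings, services.victorialogs.enable, services.journald.upload …
  systemd.services.victorialogs.postStart = lib.mkBefore ''
    until ${lib.getBin pkgs.curl}/bin/curl -s -o /dev/null http://${bindAddress}/ping; do
      sleep 1
    done
  '';
```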