-
-
Notifications
You must be signed in to change notification settings - Fork 13.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
grafana-alloy: add NixOS module #318306
grafana-alloy: add NixOS module #318306
Conversation
1217287
to
d37ffd0
Compare
d37ffd0
to
8d33b4d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Deployed this to some of my infrastructure (using my old grafana flow configs). Also verified changes in the config file cause a reload (not restart), and are picked up successfully. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, on a second (more thorough) readthrough, I've got more stuff to add to this; as payment for being a PITA though I'm happy to also add myself to the maintainers list on this one :)
Apologies, just want to make sure it's got decent consistency with the upstream stuff, primarily for the sake of it being an easy transition for people coming from something like Ubuntu where the naming is all just alloy
, not grafana-alloy
.
Once these are addressed (even if they're dismissed), I'm happy for this to go through one more build-test cycle and then look to get it merged. I'll deploy it to my own machines later today if I can, but without binary cache it'll be a tad painful lol
8d33b4d
to
12d6499
Compare
Hmmh, okay, their debian package also calls this I'll push a new version shortly, updating the module, unit files etc. |
This adds a NixOS module for Grafana Alloy. I started from the grafana-agent one but dropped all settings and config management whatsoever. Grafana Alloy uses its own Alloy config format (similar to HCL), which is not really possible to express in Nix. Simply pointing to a path in `/etc`, and leaving it up to the user to configure it via `environment.etc` allows the user to arrange config files however it makes most sense for them. The module, systemd unit etc is called "alloy", not "grafana-alloy" to follow the way it's packaged on other distros, to follow POLA.
This adds a VM test, starting up Grafana Alloy and ensuring it comes up healthy.
12d6499
to
1fa96ce
Compare
Everything done except for the if adding the group becomes necessary, we can still fix it in a followup. It wasn't necessary for grafana-agent to get systemd journal logs collected, so I'd be surprised it'd be necessary for alloy. |
@flokli it's not for journal, it's because adm has read access to most of /var/log, so it opens up syslog and stuff. I'd like to avoid removing groups from the user if it's not necessary personally. |
The systemd-journald group is sufficient to get system logs, at least all systemd-journald provided ones. See https://www.freedesktop.org/software/systemd/man/latest/systemd-journald.service.html#Access%20Control and NixOS/nixpkgs#318306 (comment) for details, handing out `adm` is effectively giving `sudo` rights, which is precisely what we don't want to do.
There's nothing in the tmpfiles shipped with NixOS granting access to I'd prefer this to be opt in, due to the security implications and principle of least privilege, and After all, it's only a |
Okay, apparently it's I still think there's very little on NixOS these days still logging to Considering we don't configure ACLs for other files in |
cc @vunso @hbjydev @claudiiii
Description of changes
Things done
nix.conf
? (See Nix manual)sandbox = relaxed
sandbox = true
nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)Add a 👍 reaction to pull requests you find important.