cluster/services/monitoring: use lockmith for loki

Max Headroom 2024-08-03 00:37:06 +02:00
parent 9f158f15a4
commit 201f07efc3
4 changed files with 18 additions and 5 deletions


@ -78,11 +78,21 @@ in
garage = { garage = {
keys = { keys = {
loki = { }; loki-ingest.locksmith = {
nodes = config.services.monitoring.nodes.logging;
format = "envFile";
};
loki-query.locksmith = {
nodes = config.services.monitoring.nodes.logging;
format = "envFile";
};
tempo = { }; tempo = { };
}; };
buckets = { buckets = {
loki-chunks.allow.loki = [ "read" "write" ]; loki-chunks.allow = {
loki-ingest = [ "read" "write" ];
loki-query = [ "read" ];
};
tempo-chunks.allow.tempo = [ "read" "write" ]; tempo-chunks.allow.tempo = [ "read" "write" ];
}; };
}; };
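Review bot: `loki-query` is provisioned here and delivered to the same `config.services.monitoring.nodes.logging` hosts as `loki-ingest`, but no consumer for it is visible on this page; the loki unit in the next file reads only `/run/locksmith/garage-loki-ingest` (the fourth changed file is not shown, so it may be wired there). If nothing reads it yet, it is a standing bucket credential on those hosts with no user, so either leave the key out until a read path needs it or name the consumer in a comment above it, e.g. `# read-only key for the query path; consumed by <service>`. Because both keys land on the same node set, the read/write split limits what one process can do with its own key but not what a compromised logging host can reach, and that comment is a good place to say so.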


@ -8,12 +8,16 @@ let
cfg = config.services.loki; cfg = config.services.loki;
in in
{ {
age.secrets.lokiSecrets.file = ./secrets/loki-secrets.age;
links.loki-grpc.protocol = "grpc"; links.loki-grpc.protocol = "grpc";
systemd.services.loki = { systemd.services.loki = {
after = [ "wireguard-wgmesh.service" ]; after = [ "wireguard-wgmesh.service" ];
serviceConfig.EnvironmentFile = config.age.secrets.lokiSecrets.path; serviceConfig.EnvironmentFile = "/run/locksmith/garage-loki-ingest";
}; };
services.locksmith.waitForSecrets.loki = [
"garage-loki-ingest"
];
services.loki = { services.loki = {
enable = true; enable = true;
dataDir = "/srv/storage/private/loki"; dataDir = "/srv/storage/private/loki";
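Review bot: The secret name is written twice by hand, once inside the `EnvironmentFile` path and once in `services.locksmith.waitForSecrets.loki`, and if the two drift apart the unit would presumably wait on one secret while reading another. Binding it once keeps them in step: `lokiKey = "garage-loki-ingest";` in the `let`, then `serviceConfig.EnvironmentFile = "/run/locksmith/${lokiKey}";` and `services.locksmith.waitForSecrets.loki = [ lokiKey ];`. The variable names that the `envFile` format writes also have to match what the Loki storage configuration expands. That configuration sits in the part of `services.loki` that continues past the end of this hunk, so it should be checked against the names the removed age file used. It is also worth confirming that the file under `/run/locksmith` is readable by root only, since systemd reads `EnvironmentFile` itself and the loki user does not need access to it.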


@ -9,7 +9,6 @@ in with hosts;
"cluster/services/dns/acme-dns-db-credentials.age".publicKeys = max ++ map systemKeys [ checkmate VEGAS prophet ]; "cluster/services/dns/acme-dns-db-credentials.age".publicKeys = max ++ map systemKeys [ checkmate VEGAS prophet ];
"cluster/services/monitoring/secrets/grafana-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; "cluster/services/monitoring/secrets/grafana-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
"cluster/services/monitoring/secrets/grafana-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ]; "cluster/services/monitoring/secrets/grafana-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
"cluster/services/monitoring/secrets/loki-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/monitoring/secrets/secret-monitoring/blackbox.age".publicKeys = max ++ map systemKeys [ checkmate grail prophet ]; "cluster/services/monitoring/secrets/secret-monitoring/blackbox.age".publicKeys = max ++ map systemKeys [ checkmate grail prophet ];
"cluster/services/monitoring/secrets/tempo-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "cluster/services/monitoring/secrets/tempo-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/storage/secrets/heresy-encryption-key.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "cluster/services/storage/secrets/heresy-encryption-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];