Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/prometheus: Support environmentFile #97933

Merged
merged 3 commits into from Oct 31, 2020
Merged

nixos/prometheus: Support environmentFile #97933

merged 3 commits into from Oct 31, 2020

Conversation

@pkern
Copy link
Contributor

@pkern pkern commented Sep 13, 2020

Motivation for this change

For the same reason Alertmanager supports environmentFile to pass secrets along, it is useful to support the same for Prometheus' configuration to store authentication/bearer tokens outside the Nix store.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
@mweinelt
Copy link
Member

@mweinelt mweinelt commented Sep 13, 2020

If you are going to store secrets in /tmp I think PrivateTmp might be beneficial.

@pkern
Copy link
Contributor Author

@pkern pkern commented Sep 13, 2020

Whoops, excellent point! Fixed.

@pkern
Copy link
Contributor Author

@pkern pkern commented Oct 31, 2020

@benley @fpletz @globin @WilliButz @Frostman - Would someone of you mind to take a look at this? (I can't seem to add reviewers and I don't think this will review itself by waiting.)

Copy link
Member

@WilliButz WilliButz left a comment

Thank you for you contribution 👍
I have some suggestions for adding the environment file:

  • as in the codimd module, I find it very important to make it clear to users, that the specified path for environmentFile needs to be available on the same host, the corresponding service is running on (when used with Nixops for example).
  • instead of using /tmp with PrivateTmp, I'd suggest using a service-specific RuntimeDirectory with RuntimeDirectoryMode set to 0700, an example of this is in the murmur module.
  • to make injecting additional environment files easier for more advanced use-cases, I suggest to make EnvironmentFile a list of files by default (using mkIf (cond) [ cfg.environmentFile ];) for easier option value merging.
  • also when envsubst was new to me and I was just given the same short description about how replacement of option values works, it didn't make it clear to me how the Nix config and environmentFile actually needed to be structured for it to work together, hence the longer description in the mentioned codimd module with a short example for each.

(Note that I also think the mentioned points also apply to the alertmanager module, for which I should probably open a PR soon)

pkern added 2 commits Oct 31, 2020
For the same reason Alertmanager supports environmentFile to pass
secrets along, it is useful to support the same for Prometheus'
configuration to store bearer tokens outside the Nix store.

Use PrivateTmp on the systemd unit to safeguard potential secrets
in the configuration file.
- Move away from PrivateTmp and instead use a private RuntimeDirectory
  for the substituted config file.
- Improve documentation of environmentFile by including more descriptive
  text from existing packages (murmur and codimd).
- Also include an example scrape config entry (from nixos) as well as
  the corresponding example for the environment file.
- Pass the environment file to the systemd unit file generator as a
  list.
@pkern
Copy link
Contributor Author

@pkern pkern commented Oct 31, 2020

@WilliButz Thank you for the review, that was incredibly useful. I tried to implement your changes and it seems to have worked on my NixOS test installation. Please let me know what you think.

Copy link
Member

@WilliButz WilliButz left a comment

Looks good! 🎉

@WilliButz
Copy link
Member

@WilliButz WilliButz commented Oct 31, 2020

@GrahamcOfBorg test prometheus

@WilliButz
Copy link
Member

@WilliButz WilliButz commented Oct 31, 2020

Test failed due to thanos, prometheus is working fine - they should probably be in separate tests.

@WilliButz WilliButz merged commit ec6b095 into NixOS:master Oct 31, 2020
19 checks passed
@pkern pkern deleted the prometheus branch Oct 31, 2020
@srhb srhb mentioned this pull request Jun 30, 2021
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants