author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2021-11-08 18:01:24 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-08 18:01:24 +0000 |
commit | f14d7cb2f666e85da4e69c9b8b1e8c24860cf91c (patch) | |
tree | 72f48cbc6b62cbb38c847d268cbff1d5782c4a93 /nixos | |
parent | 40b71c3159786e26785d0fbda27f0e2042c7f764 (diff) | |
parent | 159ed1e4f00b1a4dfe06881f27cb7d3ffe7d3ec3 (diff) |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2111.section.xml | 11 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2111.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/config/swap.nix | 12 | ||||
-rw-r--r-- | nixos/modules/services/monitoring/prometheus/default.nix | 93 | ||||
-rw-r--r-- | nixos/tests/prometheus.nix | 11 |
5 files changed, 36 insertions, 93 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index 2488f150248c..e433029a3816 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -1813,6 +1813,17 @@ Superuser created successfully. </listitem> <listitem> <para> + The option + <literal>services.prometheus.environmentFile</literal> has + been removed since it was causing + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/126083">issues</link> + and Prometheus now has native support for secret files, i.e. + <literal>basic_auth.password_file</literal> and + <literal>authorization.credentials_file</literal>. + </para> + </listitem> + <listitem> + <para> Dokuwiki now supports caddy! However </para> <itemizedlist spacing="compact"> diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index 39663720eb6e..7567c7d64393 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md @@ -510,6 +510,8 @@ In addition to numerous new and upgraded packages, this release has the followin - A new option `services.prometheus.enableReload` has been added which can be enabled to reload the prometheus service when its config file changes instead of restarting. +- The option `services.prometheus.environmentFile` has been removed since it was causing [issues](https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`. + - Dokuwiki now supports caddy! However - the nginx option has been removed, in the new configuration, please use the `dokuwiki.webserver = "nginx"` instead. - The "${hostname}" option has been deprecated, please use `dokuwiki.sites = [ "${hostname}" ]` instead 
diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix index ff2ae1da31bd..9b005021086b 100644 --- a/nixos/modules/config/swap.nix +++ b/nixos/modules/config/swap.nix @@ -47,6 +47,15 @@ let ''; }; + allowDiscards = mkOption { + default = false; + type = types.bool; + description = '' + Whether to allow TRIM requests to the underlying device. This option + has security implications; please read the LUKS documentation before + activating it. + ''; + }; }; }; @@ -224,7 +233,8 @@ in fi ''} ${optionalString sw.randomEncryption.enable '' - cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} ${optionalString (sw.discardPolicy != null) "--allow-discards"} ${sw.device} ${sw.deviceName} + cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} \ + ${optionalString sw.randomEncryption.allowDiscards "--allow-discards"} ${sw.device} ${sw.deviceName} mkswap ${sw.realDevice} ''} ''; diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index cdda6c5ce3ae..f20b8dde1abd 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -9,13 +9,6 @@ let prometheusYmlOut = "${workingDir}/prometheus-substituted.yaml"; - writeConfig = pkgs.writeShellScriptBin "write-prometheus-config" '' - PATH="${makeBinPath (with pkgs; [ coreutils envsubst ])}" - touch '${prometheusYmlOut}' - chmod 600 '${prometheusYmlOut}' - envsubst -o '${prometheusYmlOut}' -i '${prometheusYml}' - ''; - triggerReload = pkgs.writeShellScriptBin "trigger-reload-prometheus" '' PATH="${makeBinPath (with pkgs; [ systemd ])}" if systemctl -q is-active prometheus.service; then 
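Review bot: The new `allowDiscards` description points the reader at "the LUKS documentation", but the only consumer of this option (the second hunk of this file) is a `cryptsetup plainOpen` call, i.e. plain dm-crypt with no LUKS header, so the pointer is misleading and the actual risk is never named. Suggested wording: `Whether to pass --allow-discards to cryptsetup for the randomly encrypted swap device. Allowing TRIM can reveal which blocks of the underlying device are in use, so leave it disabled unless that leak is acceptable; see cryptsetup(8).` That keeps the "security implications" warning the author wrote while saying what the implication is.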
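Review bot: The rewritten `cryptsetup plainOpen` line silently changes behaviour for existing hosts: `--allow-discards` used to follow from `sw.discardPolicy != null`, and now requires the new `randomEncryption.allowDiscards`, which defaults to false, so a host that set `discardPolicy` on a randomly encrypted swap device loses discards on the next rebuild with no notice. The secure-by-default direction is right, but the change needs a release-notes entry (the rl-2111 files in this commit only cover Prometheus) and a sentence in the `allowDiscards` description such as `Note that discardPolicy alone no longer enables discards on the encrypted mapping.` Whether `discardPolicy` is still honoured for the swapon step is outside this hunk.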
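Review bot: With `writeConfig` removed, `prometheusYmlOut` on the context line just above the deleted block appears to have no remaining reader — its other use in the `--config.file` argument is replaced later in this commit — so it is now a dead binding unless something outside the visible hunks still references it; drop `prometheusYmlOut = "${workingDir}/prometheus-substituted.yaml";` as well. Leaving it also preserves the stale notion that a substituted copy lives under the working directory, which this commit deliberately abandons. The enclosing `let` continues outside the hunk.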
@@ -76,8 +69,8 @@ let "--storage.tsdb.path=${workingDir}/data/" "--config.file=${ if cfg.enableReload - then prometheusYmlOut - else "/run/prometheus/prometheus-substituted.yaml" + then "/etc/prometheus/prometheus.yaml" + else prometheusYml }" "--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}" "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" @@ -1561,6 +1554,8 @@ in imports = [ (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) + (mkRemovedOptionModule [ "services" "prometheus" "environmentFile" ] + "It has been removed since it was causing issues (https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`.") ]; options.services.prometheus = { 
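Review bot: The two `--config.file` branches now differ for a reason the code does not state: with `enableReload` Prometheus reads the stable `/etc/prometheus/prometheus.yaml` path (populated by the `environment.etc` entry added later in this commit) so that a changed store path can be picked up by a reload, while without it Prometheus reads `prometheusYml` straight from the Nix store. A comment above the argument would save the next maintainer the archaeology: `# With enableReload the config is read via a stable /etc path so a new store path only needs a reload; either way the file is world-readable, so secrets belong in *_file options.` The world-readable consequence is what the release note in this commit relies on, and it belongs next to the code that causes it. The argument list is cut by the hunk at both ends.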
@@ -1625,51 +1620,6 @@ in (<literal>switch-to-configuration</literal>) that changes the prometheus configuration only finishes successully when prometheus has finished loading the new configuration. - - Note that prometheus will also get reloaded when the location of the - <option>environmentFile</option> changes but not when its contents - changes. So when you change it contents make sure to reload prometheus - manually or include the hash of <option>environmentFile</option> in its - name. - ''; - }; - - environmentFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/root/prometheus.env"; - description = '' - Environment file as defined in <citerefentry> - <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>. - - Secrets may be passed to the service without adding them to the - world-readable Nix store, by specifying placeholder variables as - the option value in Nix and setting these variables accordingly in the - environment file. - - Environment variables from this file will be interpolated into the - config file using envsubst with this syntax: - <literal>$ENVIRONMENT ''${VARIABLE}</literal> - - <programlisting> - # Example scrape config entry handling an OAuth bearer token - { - job_name = "home_assistant"; - metrics_path = "/api/prometheus"; - scheme = "https"; - bearer_token = "\''${HOME_ASSISTANT_BEARER_TOKEN}"; - [...] - } - </programlisting> - - <programlisting> - # Content of the environment file - HOME_ASSISTANT_BEARER_TOKEN=someoauthbearertoken - </programlisting> - - Note that this file needs to be available on the host on which - <literal>Prometheus</literal> is running. ''; }; 
@@ -1830,13 +1780,12 @@ in uid = config.ids.uids.prometheus; group = "prometheus"; }; + environment.etc."prometheus/prometheus.yaml" = mkIf cfg.enableReload { + source = prometheusYml; + }; systemd.services.prometheus = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - preStart = mkIf (!cfg.enableReload) '' - ${lib.getBin pkgs.envsubst}/bin/envsubst -o "/run/prometheus/prometheus-substituted.yaml" \ - -i "${prometheusYml}" - ''; serviceConfig = { ExecStart = "${cfg.package}/bin/prometheus" + optionalString (length cmdlineArgs != 0) (" \\\n " + @@ -1844,7 +1793,6 @@ in ExecReload = mkIf cfg.enableReload "+${reload}/bin/reload-prometheus"; User = "prometheus"; Restart = "always"; - EnvironmentFile = mkIf (cfg.environmentFile != null && !cfg.enableReload) [ cfg.environmentFile ]; RuntimeDirectory = "prometheus"; RuntimeDirectoryMode = "0700"; WorkingDirectory = workingDir; @@ -1852,18 +1800,6 @@ in StateDirectoryMode = "0700"; }; }; - systemd.services.prometheus-config-write = mkIf cfg.enableReload { - wantedBy = [ "prometheus.service" ]; - before = [ "prometheus.service" ]; - serviceConfig = { - Type = "oneshot"; - User = "prometheus"; - StateDirectory = cfg.stateDir; - StateDirectoryMode = "0700"; - EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ]; - ExecStart = "${writeConfig}/bin/write-prometheus-config"; - }; - }; # prometheus-config-reload will activate after prometheus. However, what we # don't want is that on startup it immediately reloads prometheus because # prometheus itself might have just started. 
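Review bot: The new `environment.etc."prometheus/prometheus.yaml"` entry publishes the complete Prometheus configuration as a symlink into the world-readable store, and after the removal of the `envsubst` path nothing in the module enforces or documents that any more; the release note is the only guard. Put the contract where it is read, above this attribute: `# The config lives in the Nix store and /etc, i.e. world-readable; the removed environmentFile path was the only way to keep secrets out of it, so basic_auth and similar must use password_file / credentials_file.` In the following hunk, `RuntimeDirectory = "prometheus"` was what backed the `/run/prometheus/prometheus-substituted.yaml` written by the deleted `preStart`; it is harmless but presumably obsolete now. The `systemd.services.prometheus` attribute set continues outside the hunk.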
@@ -1873,26 +1809,19 @@ in # harmless message and then stay active (RemainAfterExit). # # Then, when the config file has changed, switch-to-configuration notices - # that this service has changed and needs to be reloaded - # (reloadIfChanged). The reload command then actually writes the new config - # and reloads prometheus. + # that this service has changed (restartTriggers) and needs to be reloaded + # (reloadIfChanged). The reload command then reloads prometheus. systemd.services.prometheus-config-reload = mkIf cfg.enableReload { wantedBy = [ "prometheus.service" ]; after = [ "prometheus.service" ]; reloadIfChanged = true; + restartTriggers = [ prometheusYml ]; serviceConfig = { Type = "oneshot"; - User = "prometheus"; - StateDirectory = cfg.stateDir; - StateDirectoryMode = "0700"; - EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ]; RemainAfterExit = true; TimeoutSec = 60; ExecStart = "${pkgs.logger}/bin/logger 'prometheus-config-reload will only reload prometheus when reloaded itself.'"; - ExecReload = [ - "${writeConfig}/bin/write-prometheus-config" - "+${triggerReload}/bin/trigger-reload-prometheus" - ]; + ExecReload = [ "${triggerReload}/bin/trigger-reload-prometheus" ]; }; }; }; diff --git a/nixos/tests/prometheus.nix b/nixos/tests/prometheus.nix index d102b4c07518..20f8c4459e10 100644 --- a/nixos/tests/prometheus.nix +++ b/nixos/tests/prometheus.nix @@ -130,14 +130,10 @@ in import ./make-test-python.nix { # This configuration just adds a new prometheus job # to scrape the node_exporter metrics of the s3 machine. - # We also use an environmentFile to test if that works correctly. services.prometheus = { - environmentFile = pkgs.writeText "prometheus-config-env-file" '' - JOB_NAME=s3-node_exporter - ''; scrapeConfigs = [ { - job_name = "$JOB_NAME"; + job_name = "s3-node_exporter"; static_configs = [ { targets = [ "s3:9100" ]; 
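Review bot: Removing `User = "prometheus";` from `prometheus-config-reload` makes the whole unit run as root, including the `ExecStart` that only invokes `logger`, whereas before only the reload step was elevated through the `+` prefix on `ExecReload`. The `trigger-reload-prometheus` script presumably needs privileges only for its `systemctl reload`, so the earlier split was the least-privilege shape and can be kept while still dropping the now-pointless `StateDirectory` and `EnvironmentFile` lines: keep `User = "prometheus";` in `serviceConfig` and write `ExecReload = [ "+${triggerReload}/bin/trigger-reload-prometheus" ];`. If the `User` drop was intentional (for instance because the `+` form misbehaved with `reloadIfChanged`), the rewritten comment block above the unit is the place to record why.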
@@ -232,11 +228,6 @@ in import ./make-test-python.nix { # Check if prometheus responds to requests: prometheus.wait_for_unit("prometheus.service") - # Check if prometheus' config file is correctly locked down because it could contain secrets. - prometheus.succeed( - "stat -c '%a %U' /var/lib/prometheus2/prometheus-substituted.yaml | grep '600 prometheus'" - ) - prometheus.wait_for_open_port(${toString queryPort}) prometheus.succeed("curl -sf http://127.0.0.1:${toString queryPort}/metrics") |