commit 8cd0da0015cc81e91aa2093ab7461a1daebf37af

+11

nixos/doc/manual/from_md/release-notes/rl-2111.section.xml

··· 1805 1805 </listitem> 1806 1806 <listitem> 1807 1807 <para> 1808 + The option 1809 + <literal>services.prometheus.environmentFile</literal> has 1810 + been removed since it was causing 1811 + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/126083">issues</link> 1812 + and Prometheus now has native support for secret files, i.e. 1813 + <literal>basic_auth.password_file</literal> and 1814 + <literal>authorization.credentials_file</literal>. 1815 + </para> 1816 + </listitem> 1817 + <listitem> 1818 + <para> 1808 1819 Dokuwiki now supports caddy! However 1809 1820 </para> 1810 1821 <itemizedlist spacing="compact">

+2

nixos/doc/manual/release-notes/rl-2111.section.md

··· 508 508 509 509 - A new option `services.prometheus.enableReload` has been added which can be enabled to reload the prometheus service when its config file changes instead of restarting. 510 510 511 + - The option `services.prometheus.environmentFile` has been removed since it was causing [issues](https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`. 512 + 511 513 - Dokuwiki now supports caddy! However 512 514 - the nginx option has been removed, in the new configuration, please use the `dokuwiki.webserver = "nginx"` instead. 513 515 - The "${hostname}" option has been deprecated, please use `dokuwiki.sites = [ "${hostname}" ]` instead

+11 -82

nixos/modules/services/monitoring/prometheus/default.nix

··· 9 9 10 10 prometheusYmlOut = "${workingDir}/prometheus-substituted.yaml"; 11 11 12 - writeConfig = pkgs.writeShellScriptBin "write-prometheus-config" '' 13 - PATH="${makeBinPath (with pkgs; [ coreutils envsubst ])}" 14 - touch '${prometheusYmlOut}' 15 - chmod 600 '${prometheusYmlOut}' 16 - envsubst -o '${prometheusYmlOut}' -i '${prometheusYml}' 17 - ''; 18 - 19 12 triggerReload = pkgs.writeShellScriptBin "trigger-reload-prometheus" '' 20 13 PATH="${makeBinPath (with pkgs; [ systemd ])}" 21 14 if systemctl -q is-active prometheus.service; then ··· 76 69 "--storage.tsdb.path=${workingDir}/data/" 77 70 "--config.file=${ 78 71 if cfg.enableReload 79 - then prometheusYmlOut 80 - else "/run/prometheus/prometheus-substituted.yaml" 72 + then "/etc/prometheus/prometheus.yaml" 73 + else prometheusYml 81 74 }" 82 75 "--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}" 83 76 "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" ··· 1561 1554 1562 1555 imports = [ 1563 1556 (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) 1557 + (mkRemovedOptionModule [ "services" "prometheus" "environmentFile" ] 1558 + "It has been removed since it was causing issues (https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`.") 1564 1559 ]; 1565 1560 1566 1561 options.services.prometheus = { ··· 1625 1620 (<literal>switch-to-configuration</literal>) that changes the prometheus 1626 1621 configuration only finishes successully when prometheus has finished 1627 1622 loading the new configuration. 1628 - 1629 - Note that prometheus will also get reloaded when the location of the 1630 - <option>environmentFile</option> changes but not when its contents 1631 - changes. So when you change it contents make sure to reload prometheus 1632 - manually or include the hash of <option>environmentFile</option> in its 1633 - name. 1634 - ''; 1635 - }; 1636 - 1637 - environmentFile = mkOption { 1638 - type = types.nullOr types.path; 1639 - default = null; 1640 - example = "/root/prometheus.env"; 1641 - description = '' 1642 - Environment file as defined in <citerefentry> 1643 - <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> 1644 - </citerefentry>. 1645 - 1646 - Secrets may be passed to the service without adding them to the 1647 - world-readable Nix store, by specifying placeholder variables as 1648 - the option value in Nix and setting these variables accordingly in the 1649 - environment file. 1650 - 1651 - Environment variables from this file will be interpolated into the 1652 - config file using envsubst with this syntax: 1653 - <literal>$ENVIRONMENT ''${VARIABLE}</literal> 1654 - 1655 - <programlisting> 1656 - # Example scrape config entry handling an OAuth bearer token 1657 - { 1658 - job_name = "home_assistant"; 1659 - metrics_path = "/api/prometheus"; 1660 - scheme = "https"; 1661 - bearer_token = "\''${HOME_ASSISTANT_BEARER_TOKEN}"; 1662 - [...] 1663 - } 1664 - </programlisting> 1665 - 1666 - <programlisting> 1667 - # Content of the environment file 1668 - HOME_ASSISTANT_BEARER_TOKEN=someoauthbearertoken 1669 - </programlisting> 1670 - 1671 - Note that this file needs to be available on the host on which 1672 - <literal>Prometheus</literal> is running. 1673 1623 ''; 1674 1624 }; 1675 1625 ··· 1830 1780 uid = config.ids.uids.prometheus; 1831 1781 group = "prometheus"; 1832 1782 }; 1783 + environment.etc."prometheus/prometheus.yaml" = mkIf cfg.enableReload { 1784 + source = prometheusYml; 1785 + }; 1833 1786 systemd.services.prometheus = { 1834 1787 wantedBy = [ "multi-user.target" ]; 1835 1788 after = [ "network.target" ]; 1836 - preStart = mkIf (!cfg.enableReload) '' 1837 - ${lib.getBin pkgs.envsubst}/bin/envsubst -o "/run/prometheus/prometheus-substituted.yaml" \ 1838 - -i "${prometheusYml}" 1839 - ''; 1840 1789 serviceConfig = { 1841 1790 ExecStart = "${cfg.package}/bin/prometheus" + 1842 1791 optionalString (length cmdlineArgs != 0) (" \\\n " + ··· 1844 1793 ExecReload = mkIf cfg.enableReload "+${reload}/bin/reload-prometheus"; 1845 1794 User = "prometheus"; 1846 1795 Restart = "always"; 1847 - EnvironmentFile = mkIf (cfg.environmentFile != null && !cfg.enableReload) [ cfg.environmentFile ]; 1848 1796 RuntimeDirectory = "prometheus"; 1849 1797 RuntimeDirectoryMode = "0700"; 1850 1798 WorkingDirectory = workingDir; ··· 1852 1800 StateDirectoryMode = "0700"; 1853 1801 }; 1854 1802 }; 1855 - systemd.services.prometheus-config-write = mkIf cfg.enableReload { 1856 - wantedBy = [ "prometheus.service" ]; 1857 - before = [ "prometheus.service" ]; 1858 - serviceConfig = { 1859 - Type = "oneshot"; 1860 - User = "prometheus"; 1861 - StateDirectory = cfg.stateDir; 1862 - StateDirectoryMode = "0700"; 1863 - EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ]; 1864 - ExecStart = "${writeConfig}/bin/write-prometheus-config"; 1865 - }; 1866 - }; 1867 1803 # prometheus-config-reload will activate after prometheus. However, what we 1868 1804 # don't want is that on startup it immediately reloads prometheus because 1869 1805 # prometheus itself might have just started. ··· 1873 1809 # harmless message and then stay active (RemainAfterExit). 1874 1810 # 1875 1811 # Then, when the config file has changed, switch-to-configuration notices 1876 - # that this service has changed and needs to be reloaded 1877 - # (reloadIfChanged). The reload command then actually writes the new config 1878 - # and reloads prometheus. 1812 + # that this service has changed (restartTriggers) and needs to be reloaded 1813 + # (reloadIfChanged). The reload command then reloads prometheus. 1879 1814 systemd.services.prometheus-config-reload = mkIf cfg.enableReload { 1880 1815 wantedBy = [ "prometheus.service" ]; 1881 1816 after = [ "prometheus.service" ]; 1882 1817 reloadIfChanged = true; 1818 + restartTriggers = [ prometheusYml ]; 1883 1819 serviceConfig = { 1884 1820 Type = "oneshot"; 1885 - User = "prometheus"; 1886 - StateDirectory = cfg.stateDir; 1887 - StateDirectoryMode = "0700"; 1888 - EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ]; 1889 1821 RemainAfterExit = true; 1890 1822 TimeoutSec = 60; 1891 1823 ExecStart = "${pkgs.logger}/bin/logger 'prometheus-config-reload will only reload prometheus when reloaded itself.'"; 1892 - ExecReload = [ 1893 - "${writeConfig}/bin/write-prometheus-config" 1894 - "+${triggerReload}/bin/trigger-reload-prometheus" 1895 - ]; 1824 + ExecReload = [ "${triggerReload}/bin/trigger-reload-prometheus" ]; 1896 1825 }; 1897 1826 }; 1898 1827 };

+1 -10

nixos/tests/prometheus.nix

··· 130 130 131 131 # This configuration just adds a new prometheus job 132 132 # to scrape the node_exporter metrics of the s3 machine. 133 - # We also use an environmentFile to test if that works correctly. 134 133 services.prometheus = { 135 - environmentFile = pkgs.writeText "prometheus-config-env-file" '' 136 - JOB_NAME=s3-node_exporter 137 - ''; 138 134 scrapeConfigs = [ 139 135 { 140 - job_name = "$JOB_NAME"; 136 + job_name = "s3-node_exporter"; 141 137 static_configs = [ 142 138 { 143 139 targets = [ "s3:9100" ]; ··· 231 227 232 228 # Check if prometheus responds to requests: 233 229 prometheus.wait_for_unit("prometheus.service") 234 - 235 - # Check if prometheus' config file is correctly locked down because it could contain secrets. 236 - prometheus.succeed( 237 - "stat -c '%a %U' /var/lib/prometheus2/prometheus-substituted.yaml | grep '600 prometheus'" 238 - ) 239 230 240 231 prometheus.wait_for_open_port(${toString queryPort}) 241 232 prometheus.succeed("curl -sf http://127.0.0.1:${toString queryPort}/metrics")