feat: infra - remove openobserve, add loki

2026-04-22 16:58:31 +02:00 · 2025-06-08 14:18:23 +08:00
parent 77ed0378d1
commit e12afe7cea
11 changed files with 139 additions and 105 deletions
--- a/hosts/idols-ai/impermanence.nix
+++ b/hosts/idols-ai/impermanence.nix
@@ -79,6 +79,7 @@
        ".pki"
        ".steam" # steam games
        ".var" # flatpak app's data
+        ".terraform.d/plugin-cache" # terraform's plugin cache

        # cloud native
        {
--- a/infra/minio/loki/.terraform.lock.hcl
+++ b/infra/minio/loki/.terraform.lock.hcl
@@ -0,0 +1,22 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/aminueza/minio" {
+  version     = "3.5.2"
+  constraints = "3.5.2"
+  hashes = [
+    "h1:3G/Q/dlf4ItE5tvE1zvSDUW4bYvwdCMVsHNAhMq9328=",
+    "zh:5513c7b20eac89b7bc27b1f762ff03058b4c75456523d5065c41be170fc1ce53",
+    "zh:597ec8ab8169ab4d044b7d442e65b03bbce2516c15f718510e8c80b5fc451be6",
+    "zh:608ff0eb5929b840c11efee1da0273b81d21a8149d8f2d259989597068b48253",
+    "zh:71bee58a6ba43d2a2aadd604c0e04f621fa67cb82ab3633fc5d1366689a5be6b",
+    "zh:9871556bcc3d5daab3cd8e302d1d07bc5693038e1abf8bd11aaf07a439d67a0b",
+    "zh:a3272fbb1ac7dff2481e778284709a5d8b85eda61f26239867eaed9ede57e90a",
+    "zh:a5048a378d5b075a6afac14197fc0fc57f97788cd697749621c07cec7156344c",
+    "zh:a8f28d070653cbd78ca85f9e54d9391a164828de598d481ed53d04882944dcb7",
+    "zh:cbf6895d80828f66fdaa234c6fcf87c329c41eb72391a6d29056b917bce65426",
+    "zh:cd48186b94cee7757a59f848dd6a2bd1d2faa76738a849261ca7cf14e7ca76c2",
+    "zh:cdefdf9bb591ab19c3176c7c8796762e2626ebde0d49971b49393f6bf28533ba",
+    "zh:ef16beff601be117a837cd47a1813be24ee0463d4f36a5d5f7e42a19d6c02b3d",
+  ]
+}
--- a/infra/minio/loki/README.md
+++ b/infra/minio/loki/README.md
@@ -0,0 +1,3 @@
+# Buckets for Grafana Loki
+
+Store Log data.
--- a/infra/minio/loki/loki.tf
+++ b/infra/minio/loki/loki.tf
@@ -0,0 +1,90 @@
+# ==============================================
+# Buckets
+# ==============================================
+
+resource "minio_s3_bucket" "k3s-test-1-loki-chunks" {
+  bucket = "k3s-test-1-loki-chunks"
+  acl    = "private"
+}
+
+resource "minio_s3_bucket" "k3s-test-1-loki-ruler" {
+  bucket = "k3s-test-1-loki-ruler"
+  acl    = "private"
+}
+
+resource "minio_s3_bucket" "k3s-test-1-loki-admin" {
+  bucket = "k3s-test-1-loki-admin"
+  acl    = "private"
+}
+
+# ==============================================
+# User & Permission
+# ==============================================
+
+
+resource "minio_iam_user" "loki" {
+  name          = "loki"
+  force_destroy = true
+  tags = {
+    env       = "prod"
+    managedBy = "terraform"
+  }
+}
+
+resource "minio_iam_service_account" "loki" {
+  target_user = minio_iam_user.loki.name
+}
+
+resource "minio_iam_policy" "loki" {
+  name   = "loki"
+  policy = <<EOF
+{
+  "Version":"2012-10-17",
+  "Statement": [
+    {
+      "Sid": "ObjectFullAccess",
+      "Action": [
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:ListBucket",
+        "s3:DeleteObject"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::k3s-test-1-loki-chunks/*",
+        "arn:aws:s3:::k3s-test-1-loki-ruler/*",
+        "arn:aws:s3:::k3s-test-1-loki-admin/*"
+      ]
+    }
+  ]
+}
+EOF
+}
+
+resource "minio_iam_user_policy_attachment" "loki-1" {
+  user_name   = minio_iam_user.loki.id
+  policy_name = minio_iam_policy.loki.id
+}
+
+# ======================================================
+
+output "loki-chunks_url" {
+  value = minio_s3_bucket.k3s-test-1-loki-chunks.bucket_domain_name
+}
+
+output "loki-ruler_url" {
+  value = minio_s3_bucket.k3s-test-1-loki-ruler.bucket_domain_name
+}
+
+output "loki-admin_url" {
+  value = minio_s3_bucket.k3s-test-1-loki-admin.bucket_domain_name
+}
+
+output "loki_accesskey" {
+  value = minio_iam_service_account.loki.access_key
+}
+
+output "loki_secretkey" {
+  value     = minio_iam_service_account.loki.secret_key
+  sensitive = true
+}
--- a/infra/minio/openobserve/provider.tf
+++ b/infra/minio/openobserve/provider.tf
@@ -25,7 +25,7 @@ terraform {
  required_providers {
    minio = {
      source  = "aminueza/minio"
-      version = "2.5.0"
+      version = "3.5.2"
    }
  }
 }
--- a/infra/minio/openobserve/run.sh
+++ b/infra/minio/openobserve/run.sh
@@ -1,6 +1,6 @@
 # for provider
 #
-# export MINIO_PASSWORD=="xxx"
+# export MINIO_PASSWORD="xxx"

 # for terraform's s3 backend
 #
@@ -10,3 +10,7 @@
 terraform init
 terraform plan
 terraform apply
+
+# show secret key
+terraform output loki_secretkey
+
--- a/infra/minio/openobserve/.terraform.lock.hcl
+++ b/infra/minio/openobserve/.terraform.lock.hcl
@@ -1,22 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/aminueza/minio" {
-  version     = "2.5.0"
-  constraints = "2.5.0"
-  hashes = [
-    "h1:RrjfsRy+fBVh7VF3r9u7uCCSjAdR5APa6sqbc9b8GfU=",
-    "zh:066cdb289dbfd1675e22fe58c8b42e2732f24fc1528b1919a78dfe28f80e8b30",
-    "zh:26d5e55106259e69493b95058178ec3d6b2395f03a8fe832af1be0e4d89ef42c",
-    "zh:6247e19de9ec6ef719cfcb174b8f08085c0fd5118b3b0de3fb9bb150702b4ad8",
-    "zh:70c3cbab0ba8edeec0db2e175bcdb47255c92f3153f839c4e8f2b0fe8c1366f4",
-    "zh:713793b4b93ae62070b18983ff525390de6c84547cab4220aa068437149f5035",
-    "zh:72de3e532d4bc7c7a4a872aaf00d7e4dfa09f3730668a738bb881d6734248f02",
-    "zh:9090f9288d7bc9f23043c1e65d8535e91f10413a16699d4a18add811b25fa167",
-    "zh:9847284aecb52718468feccb914d67e8befb8bff8345275cb03c3209b338f68b",
-    "zh:aa09ba1aa6fec278198ff352cc7f2977cfe567d31fd948c54fba5db82b4cd7ec",
-    "zh:ca28efbf60400918b9dadd18ecbf683065bf9329b35cbf3826718d8d50f10263",
-    "zh:cb21b119202ac6a30724beb89aefbb8660762b0e9b7165f1e22d59720dd0f110",
-    "zh:f36b4c9fe4795e892b3be2c80a22461f373541f81d335b51afa963097ab29624",
-  ]
-}
--- a/infra/minio/openobserve/openobserve.tf
+++ b/infra/minio/openobserve/openobserve.tf
@@ -1,64 +0,0 @@
-resource "minio_s3_bucket" "openobserve" {
-  bucket = "openobserve"
-  acl    = "private"
-}
-
-resource "minio_iam_user" "openobserve" {
-  name          = "openobserve"
-  force_destroy = true
-  tags = {
-    env       = "prod"
-    managedBy = "terraform"
-  }
-}
-
-resource "minio_iam_policy" "openobserve" {
-  name   = "openobserve"
-  policy = <<EOF
-{
-  "Version":"2012-10-17",
-  "Statement": [
-    {
-      "Sid": "ObjectFullAccess",
-      "Action": [
-        "s3:PutObject",
-        "s3:GetObject",
-        "s3:ListBucket",
-        "s3:DeleteObject"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::openobserve/*"
-    }
-  ]
-}
-EOF
-}
-
-resource "minio_iam_user_policy_attachment" "openobserve-1" {
-  user_name   = minio_iam_user.openobserve.id
-  policy_name = minio_iam_policy.openobserve.id
-}
-
-resource "minio_iam_service_account" "openobserve" {
-  target_user = minio_iam_user.openobserve.name
-}
-
-
-# ======================================================
-
-output "openobserve_id" {
-  value = minio_s3_bucket.openobserve.id
-}
-
-output "openobserve_url" {
-  value = minio_s3_bucket.openobserve.bucket_domain_name
-}
-
-output "openobserve_accesskey" {
-  value = minio_iam_service_account.openobserve.access_key
-}
-
-output "openobserve_secretkey" {
-  value     = minio_iam_service_account.openobserve.secret_key
-  sensitive = true
-}
--- a/infra/minio/tf-s3-backend/.terraform.lock.hcl
+++ b/infra/minio/tf-s3-backend/.terraform.lock.hcl
@@ -2,21 +2,21 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/aminueza/minio" {
-  version     = "2.5.0"
-  constraints = "2.5.0"
+  version     = "3.5.2"
+  constraints = "3.5.2"
  hashes = [
-    "h1:RrjfsRy+fBVh7VF3r9u7uCCSjAdR5APa6sqbc9b8GfU=",
-    "zh:066cdb289dbfd1675e22fe58c8b42e2732f24fc1528b1919a78dfe28f80e8b30",
-    "zh:26d5e55106259e69493b95058178ec3d6b2395f03a8fe832af1be0e4d89ef42c",
-    "zh:6247e19de9ec6ef719cfcb174b8f08085c0fd5118b3b0de3fb9bb150702b4ad8",
-    "zh:70c3cbab0ba8edeec0db2e175bcdb47255c92f3153f839c4e8f2b0fe8c1366f4",
-    "zh:713793b4b93ae62070b18983ff525390de6c84547cab4220aa068437149f5035",
-    "zh:72de3e532d4bc7c7a4a872aaf00d7e4dfa09f3730668a738bb881d6734248f02",
-    "zh:9090f9288d7bc9f23043c1e65d8535e91f10413a16699d4a18add811b25fa167",
-    "zh:9847284aecb52718468feccb914d67e8befb8bff8345275cb03c3209b338f68b",
-    "zh:aa09ba1aa6fec278198ff352cc7f2977cfe567d31fd948c54fba5db82b4cd7ec",
-    "zh:ca28efbf60400918b9dadd18ecbf683065bf9329b35cbf3826718d8d50f10263",
-    "zh:cb21b119202ac6a30724beb89aefbb8660762b0e9b7165f1e22d59720dd0f110",
-    "zh:f36b4c9fe4795e892b3be2c80a22461f373541f81d335b51afa963097ab29624",
+    "h1:3G/Q/dlf4ItE5tvE1zvSDUW4bYvwdCMVsHNAhMq9328=",
+    "zh:5513c7b20eac89b7bc27b1f762ff03058b4c75456523d5065c41be170fc1ce53",
+    "zh:597ec8ab8169ab4d044b7d442e65b03bbce2516c15f718510e8c80b5fc451be6",
+    "zh:608ff0eb5929b840c11efee1da0273b81d21a8149d8f2d259989597068b48253",
+    "zh:71bee58a6ba43d2a2aadd604c0e04f621fa67cb82ab3633fc5d1366689a5be6b",
+    "zh:9871556bcc3d5daab3cd8e302d1d07bc5693038e1abf8bd11aaf07a439d67a0b",
+    "zh:a3272fbb1ac7dff2481e778284709a5d8b85eda61f26239867eaed9ede57e90a",
+    "zh:a5048a378d5b075a6afac14197fc0fc57f97788cd697749621c07cec7156344c",
+    "zh:a8f28d070653cbd78ca85f9e54d9391a164828de598d481ed53d04882944dcb7",
+    "zh:cbf6895d80828f66fdaa234c6fcf87c329c41eb72391a6d29056b917bce65426",
+    "zh:cd48186b94cee7757a59f848dd6a2bd1d2faa76738a849261ca7cf14e7ca76c2",
+    "zh:cdefdf9bb591ab19c3176c7c8796762e2626ebde0d49971b49393f6bf28533ba",
+    "zh:ef16beff601be117a837cd47a1813be24ee0463d4f36a5d5f7e42a19d6c02b3d",
  ]
 }
--- a/infra/minio/tf-s3-backend/provider.tf
+++ b/infra/minio/tf-s3-backend/provider.tf
@@ -2,7 +2,7 @@ terraform {
  required_providers {
    minio = {
      source  = "aminueza/minio"
-      version = "2.5.0"
+      version = "3.5.2"
    }
  }
 }
--- a/infra/minio/tf-s3-backend/run.sh
+++ b/infra/minio/tf-s3-backend/run.sh
@@ -1,6 +1,6 @@
 # for provider
 #
-# export MINIO_PASSWORD=="xxx"
+# export MINIO_PASSWORD="xxx"
 #
 terraform init
 terraform plan