From e4c256145b5c75409ebc81d1ae87597e564eb872 Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Thu, 31 Oct 2024 23:29:27 +0800
Subject: [PATCH] fix: victoriametrics (#172)

* chore: update aqua's host key
* fix: victoriametrics
* feat: adjust order of nix cache mirrors
* feat: update mysecrets
* fix: use bind mount - Failed at step STATE_DIRECTORY
---
 flake.lock | 6 ++---
 .../monitoring/module/default.nix | 27 +++++++++----------
 .../monitoring/victoriametrics.nix | 14 ++++++++--
 modules/base.nix | 4 +--
 vars/networking.nix | 2 +-
 5 files changed, 30 insertions(+), 23 deletions(-)

diff --git a/flake.lock b/flake.lock
index da167358..e2dee69f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -516,10 +516,10 @@
     "mysecrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1725269346,
-        "narHash": "sha256-VR/gaksXhlNIrnaQg2+uccKn8ZXag8gx6hh1yHARbE4=",
+        "lastModified": 1730305200,
+        "narHash": "sha256-OqzPkj8AVzRblsBfC35GUJv/BloI+q0QyHKipgXzXg0=",
         "ref": "refs/heads/main",
-        "rev": "4f3ddacef411d4c3d59011a3bd6c14a1dcf19c07",
+        "rev": "ee967e0bd19acaf25d1774f389d96b9d5c7b3baf",
         "shallow": true,
         "type": "git",
         "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
diff --git a/hosts/idols-aquamarine/monitoring/module/default.nix b/hosts/idols-aquamarine/monitoring/module/default.nix
index 1050ef52..3fc207cb 100644
--- a/hosts/idols-aquamarine/monitoring/module/default.nix
+++ b/hosts/idols-aquamarine/monitoring/module/default.nix
@@ -8,28 +8,23 @@ with lib; let
   cfg = config.services.my-victoriametrics;
   settingsFormat = pkgs.formats.yaml {};
-  workingDir = "/var/lib/" + cfg.stateDir;
-  startCommandLine =
-    lib.escapeShellArgs [
+  startCLIList =
+    [
       "${cfg.package}/bin/victoria-metrics"
-      "-storageDataPath=${workingDir}"
+      "-storageDataPath=/var/lib/${cfg.stateDir}"
       "-httpListenAddr=${cfg.listenAddress}"
       "-retentionPeriod=${cfg.retentionPeriod}"
     ]
-    ++ lib.optional (cfg.prometheusConfig != null) "-promscrape.config=${prometheusConfigYml}"
     ++ cfg.extraOptions;
   prometheusConfigYml = checkedConfig (
     settingsFormat.generate "prometheusConfig.yaml" cfg.prometheusConfig
   );
   checkedConfig = file:
-    if cfg.checkConfig
-    then
-      pkgs.runCommand "checked-config" {nativeBuildInputs = [cfg.package];} ''
-        ln -s ${file} $out
-        ${startCommandLine} -dryRun
-      ''
-    else file;
+    pkgs.runCommand "checked-config" {nativeBuildInputs = [cfg.package];} ''
+      ln -s ${file} $out
+      ${lib.escapeShellArgs startCLIList} -promscrape.config=${file} -dryRun
+    '';
 in {
   options.services.my-victoriametrics = {
     enable = mkEnableOption "VictoriaMetrics, a time series database.";
@@ -130,15 +125,17 @@ in {
       startLimitBurst = 5;
       serviceConfig = {
-        ExecStart = startCommandLine;
+        ExecStart = lib.escapeShellArgs (
+          startCLIList
+          ++ lib.optional (cfg.prometheusConfig != null) ["-promscrape.config=${prometheusConfigYml}"]
+        );
+        DynamicUser = true;
         User = "victoriametrics";
-        Group = "victoriametrics";
         RestartSec = 1;
         Restart = "on-failure";
         RuntimeDirectory = "victoriametrics";
         RuntimeDirectoryMode = "0700";
-        WorkingDirectory = workingDir;
         StateDirectory = cfg.stateDir;
         StateDirectoryMode = "0700";
diff --git a/hosts/idols-aquamarine/monitoring/victoriametrics.nix b/hosts/idols-aquamarine/monitoring/victoriametrics.nix
index 647fac7d..7410b399 100644
--- a/hosts/idols-aquamarine/monitoring/victoriametrics.nix
+++ b/hosts/idols-aquamarine/monitoring/victoriametrics.nix
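Review bot: `checkedConfig` now runs the `-dryRun` build unconditionally, so if the module still declares a `checkConfig` option (the `options` block starts at the bottom of this hunk and continues outside it) that option has silently become dead and users who set it to `false` get no effect. Either drop the option in the same change or keep the guard, e.g. `checkedConfig = file: if cfg.checkConfig then pkgs.runCommand … else file;`. A short comment on `checkedConfig` stating that validation is now mandatory and happens at Nix evaluation time, e.g. `# Always validate the scrape config with a dry run; failure aborts the build, not the service.`, would make the intent explicit. Note also that `cfg.extraOptions` is user-supplied and is only shell-safe because every consumer passes the list through `lib.escapeShellArgs` — worth stating next to `startCLIList` so nobody later interpolates it raw.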
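Review bot: `lib.optional` already wraps its argument in a list, so `lib.optional (cfg.prometheusConfig != null) ["-promscrape.config=…"]` in `ExecStart` evaluates to a nested list `[[ "-promscrape.config=…" ]]`; it only works because `escapeShellArg` calls `toString`, which coerces a one-element list to its string. That is fragile and would break if a second element were ever added to the inner list. Drop the brackets: `++ lib.optional (cfg.prometheusConfig != null) "-promscrape.config=${prometheusConfigYml}"` (or use `lib.optionals` if you want to keep the list form). The `serviceConfig` attribute set continues past the end of this hunk, so any remaining hardening options (`ProtectSystem`, `PrivateTmp`, …) that `DynamicUser` does not imply could not be checked here.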
@@ -3,13 +3,23 @@
   myvars,
   ...
 }: {
+  # Since victoriametrics use DynamicUser, the user & group do not exists before the service starts.
+  # this group is used as a supplementary Unix group for the service to access our data dir(/data/apps/xxx)
+  users.groups.victoriametrics-data = {};
   # Workaround for victoriametrics to store data in another place
   # https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html#Type
   systemd.tmpfiles.rules = [
-    "D /data/apps/victoriametrics 0751 victoriametrics victoriametrics - -"
-    "L+ /var/lib/victoriametrics - - - - /data/apps/victoriametrics"
+    "D /data/apps/victoriametrics 0770 root victoriametrics-data - -"
   ];
+  # Symlinks do not work with DynamicUser, so we should use bind mount here.
+  # https://github.com/systemd/systemd/issues/25097#issuecomment-1929074961
+  systemd.services.victoriametrics.serviceConfig = {
+    SupplementaryGroups = ["victoriametrics-data"];
+    BindPaths = ["/data/apps/victoriametrics:/var/lib/victoriametrics:rbind"];
+  };
   # https://victoriametrics.io/docs/victoriametrics/latest/configuration/configuration/
   services.my-victoriametrics = {
     enable = true;
diff --git a/modules/base.nix b/modules/base.nix
index 721c7485..9bf53de6 100644
--- a/modules/base.nix
+++ b/modules/base.nix
@@ -90,11 +90,11 @@
       # substituers that will be considered before the official ones(https://cache.nixos.org)
       substituters = [
         # cache mirror located in China
-        # status: https://mirror.sjtu.edu.cn/
-        "https://mirror.sjtu.edu.cn/nix-channels/store"
         # status: https://mirrors.ustc.edu.cn/status/
         "https://mirrors.ustc.edu.cn/nix-channels/store"
         "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store"
+        # status: https://mirror.sjtu.edu.cn/
+        "https://mirror.sjtu.edu.cn/nix-channels/store"
         "https://nix-community.cachix.org"
         # my own cache server
diff --git a/vars/networking.nix b/vars/networking.nix
index 2bfb8d42..f4b4e6e5 100644
--- a/vars/networking.nix
+++ b/vars/networking.nix
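Review bot: The new tmpfiles line keeps the `D` type for `/data/apps/victoriametrics`, and `D` means "remove the directory's contents when `--remove` is passed" — which `systemd-tmpfiles-setup.service` does at every boot — so, unless discarding all metrics on reboot is intended, the time-series store is wiped each time the host restarts; the lowercase type is the one wanted: `"d /data/apps/victoriametrics 0770 root victoriametrics-data - -"`. Separately, files the service creates will carry the dynamic user's primary group rather than `victoriametrics-data`, so group-based access only holds for the top-level directory; setting the setgid bit (`2770`) makes new entries inherit the group, though it does not help if the service itself creates them with a mode that denies group access. The comment above `users.groups.victoriametrics-data` has a couple of typos (`use` → `uses`, `do not exists` → `do not exist`) and would read better as `# The service runs with DynamicUser, so its user/group only exist while it runs; this static group is granted to it via SupplementaryGroups so it can reach /data/apps/victoriametrics.`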
@@ -193,7 +193,7 @@
       publicKey = value.publicKey;
     })
     {
-      aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIbIecyrmrBpjD497lA2adJeTpsubZ3dozEraLGCcgVi root@aquamarine";
+      aquamarine.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEOXFhFu9Duzp6ZBE288gDZ6VLrNaeWL4kDrFUh9Neic root@aquamarine";
       # ruby.publicKey = "";
       # kana.publicKey = "";
     };
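Review bot: Nothing in this hunk lets a reviewer confirm the replacement `aquamarine.publicKey` is the genuine host key, and the surrounding `publicKey = value.publicKey;` mapping (its enclosing function starts outside the hunk) suggests this value is distributed as a trusted known-host entry to every machine that imports `vars/networking.nix`, so a mistyped or attacker-supplied key would be trusted fleet-wide. Record how it was verified, e.g. a comment above the line: `# rotated 2024-10-31 after reinstall; SHA256 fingerprint checked on the console via ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`, and ideally put the fingerprint in the commit message too. If the host key changed because the machine was reinstalled and this repository derives any secret-decryption keys from host keys (the `mysecrets` bump in the same commit hints at it), those keys need rotating as well, not just this entry.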