authorFranck Cuny <franck@fcuny.net>2023-05-12 14:53:59 -0700
committerFranck Cuny <franck@fcuny.net>2023-05-12 14:55:31 -0700
commit03707f1c0d9615d3c6385132af52de60c2fedfc0 (patch)
treeb3e1a344693cb4c151e014812d42bac63d616567
parentprofiles/monitoring: move promtail to a profile (diff)
downloadworld-03707f1c0d9615d3c6385132af52de60c2fedfc0.tar.gz
profiles/monitoring: move loki to a profile
Add an nginx virtualhost for loki too, so that we can use a valid SSL
certificate.
-rw-r--r--hosts/tahoe/default.nix1
-rw-r--r--hosts/tahoe/services.nix4
-rw-r--r--modules/services/monitoring/default.nix1
-rw-r--r--modules/services/monitoring/loki.nix112
-rw-r--r--profiles/monitoring/loki.nix103
-rw-r--r--profiles/monitoring/promtail.nix2
6 files changed, 105 insertions, 118 deletions
diff --git a/hosts/tahoe/default.nix b/hosts/tahoe/default.nix
index a23c7c8..2cefdb7 100644
--- a/hosts/tahoe/default.nix
+++ b/hosts/tahoe/default.nix
@@ -19,6 +19,7 @@ in
     "${self}/profiles/hardware/amd.nix"
     "${self}/profiles/monitoring/exporter.nix"
     "${self}/profiles/monitoring/promtail.nix"
+    "${self}/profiles/monitoring/loki.nix"
   ];
 
   # Use systemd-networkd for networking
diff --git a/hosts/tahoe/services.nix b/hosts/tahoe/services.nix
index a8b80b8..7e42a1f 100644
--- a/hosts/tahoe/services.nix
+++ b/hosts/tahoe/services.nix
@@ -12,10 +12,6 @@ in
         enable = true;
         listenAddress = "192.168.6.40";
       };
-      loki = {
-        enable = true;
-        listenAddress = "192.168.6.40";
-      };
       grafana = {
         enable = true;
         vhostName = "dash.${config.homelab.domain}";
diff --git a/modules/services/monitoring/default.nix b/modules/services/monitoring/default.nix
index 32866cb..9c75aa8 100644
--- a/modules/services/monitoring/default.nix
+++ b/modules/services/monitoring/default.nix
@@ -5,7 +5,6 @@ in
 {
   imports = [
     ./grafana.nix
-    ./loki.nix
     ./prometheus.nix
   ];
 }
diff --git a/modules/services/monitoring/loki.nix b/modules/services/monitoring/loki.nix
deleted file mode 100644
index 65c4bdd..0000000
--- a/modules/services/monitoring/loki.nix
+++ /dev/null
@@ -1,112 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.my.services.monitoring.loki;
-in
-{
-  options.my.services.monitoring.loki = with lib; {
-    enable = mkEnableOption "loki observability stack";
-    listenAddress = mkOption {
-      type = types.str;
-      default = "0.0.0.0";
-      description = lib.mdDoc ''
-        Address to listen on.
-      '';
-    };
-    listenPort = mkOption {
-      type = types.port;
-      default = 3100;
-      description = lib.mdDoc ''
-        Port to listen on.
-      '';
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.loki = {
-      enable = true;
-      configuration = {
-        # no need for authentication, since we're binding on the
-        # wireguard interface, we can trust the connections.
-        auth_enabled = false;
-
-        server = {
-          http_listen_port = 3100;
-          http_listen_address = cfg.listenAddress;
-        };
-
-        ingester = {
-          lifecycler = {
-            address = cfg.listenAddress;
-            ring = {
-              kvstore = { store = "inmemory"; };
-              replication_factor = 1;
-            };
-            final_sleep = "0s";
-          };
-
-          # Any chunk not receiving new logs in this time will be flushed
-          chunk_idle_period = "1h";
-
-          # All chunks will be flushed when they hit this age, default is 1h
-          max_chunk_age = "1h";
-
-          # Loki will attempt to build chunks up to 1.5MB, flushing first if
-          # chunk_idle_period or max_chunk_age is reached first
-          chunk_target_size = 1048576;
-
-          # Must be greater than index read cache TTL if using an index cache (Default
-          # index read cache TTL is 5m)
-          chunk_retain_period = "30s";
-
-          # Chunk transfers disabled
-          max_transfer_retries = 0;
-        };
-
-        schema_config = {
-          configs = [{
-            from = "2020-10-24";
-            store = "boltdb-shipper";
-            object_store = "filesystem";
-            schema = "v11";
-            index = {
-              prefix = "index_";
-              period = "24h";
-            };
-          }];
-        };
-
-        storage_config = {
-          boltdb_shipper = {
-            active_index_directory = "/var/lib/loki/boltdb-shipper-active";
-            cache_location = "/var/lib/loki/boltdb-shipper-cache";
-
-            # Can be increased for faster performance over longer query periods,
-            # uses more disk space
-            cache_ttl = "24h";
-
-            shared_store = "filesystem";
-          };
-
-          filesystem = { directory = "/var/lib/loki/chunks"; };
-        };
-
-        limits_config = {
-          reject_old_samples = true;
-          reject_old_samples_max_age = "168h";
-        };
-
-        chunk_store_config = { max_look_back_period = "0s"; };
-
-        table_manager = {
-          retention_deletes_enabled = false;
-          retention_period = "0s";
-        };
-
-        compactor = {
-          working_directory = "/var/lib/loki/boltdb-shipper-compactor";
-          shared_store = "filesystem";
-        };
-      };
-    };
-  };
-}
diff --git a/profiles/monitoring/loki.nix b/profiles/monitoring/loki.nix
new file mode 100644
index 0000000..1200846
--- /dev/null
+++ b/profiles/monitoring/loki.nix
@@ -0,0 +1,103 @@
+{ config, lib, pkgs, ... }:
+{
+  services.loki.enable = true;
+  services.loki.configuration = {
+    # no need for authentication, since we're binding on the
+    # wireguard interface, we can trust the connections.
+    auth_enabled = false;
+
+    server = {
+      http_listen_port = 3100;
+      http_listen_address = "127.0.0.1";
+    };
+
+    ingester = {
+      lifecycler = {
+        address = cfg.listenAddress;
+        ring = {
+          kvstore = { store = "inmemory"; };
+          replication_factor = 1;
+        };
+        final_sleep = "0s";
+      };
+
+      # Any chunk not receiving new logs in this time will be flushed
+      chunk_idle_period = "1h";
+
+      # All chunks will be flushed when they hit this age, default is 1h
+      max_chunk_age = "1h";
+
+      # Loki will attempt to build chunks up to 1.5MB, flushing first if
+      # chunk_idle_period or max_chunk_age is reached first
+      chunk_target_size = 1048576;
+
+      # Must be greater than index read cache TTL if using an index cache (Default
+      # index read cache TTL is 5m)
+      chunk_retain_period = "30s";
+
+      # Chunk transfers disabled
+      max_transfer_retries = 0;
+    };
+
+    schema_config = {
+      configs = [{
+        from = "2020-10-24";
+        store = "boltdb-shipper";
+        object_store = "filesystem";
+        schema = "v11";
+        index = {
+          prefix = "index_";
+          period = "24h";
+        };
+      }];
+    };
+
+    storage_config = {
+      boltdb_shipper = {
+        active_index_directory = "/var/lib/loki/boltdb-shipper-active";
+        cache_location = "/var/lib/loki/boltdb-shipper-cache";
+
+        # Can be increased for faster performance over longer query periods,
+        # uses more disk space
+        cache_ttl = "24h";
+
+        shared_store = "filesystem";
+      };
+
+      filesystem = { directory = "/var/lib/loki/chunks"; };
+    };
+
+    limits_config = {
+      reject_old_samples = true;
+      reject_old_samples_max_age = "168h";
+    };
+
+    chunk_store_config = { max_look_back_period = "0s"; };
+
+    table_manager = {
+      retention_deletes_enabled = false;
+      retention_period = "0s";
+    };
+
+    compactor = {
+      working_directory = "/var/lib/loki/boltdb-shipper-compactor";
+      shared_store = "filesystem";
+    };
+  };
+
+  services.nginx.virtualHosts."loki.${config.homelab.domain}" = {
+    default = true;
+    forceSSL = true;
+    enableACME = true;
+    listen = [
+      {
+        addr = "192.168.6.40";
+        port = 443;
+        ssl = true;
+      }
+    ];
+    locations."/" = {
+      proxyPass = "http://127.0.0.1::${toString services.loki.configuration.server.http_listen_port}";
+    };
+  };
+}
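Review bot: `cfg` is not defined in the new profile, so `address = cfg.listenAddress;` under `ingester.lifecycler` will fail to evaluate; the `let cfg = …` binding lived in the deleted module. The `proxyPass` line has two more problems: it reads `services.loki…` without the `config.` prefix and has a doubled colon after the host. The two lines would become `address = "127.0.0.1";` and `proxyPass = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";`. The comment above `auth_enabled = false` is also stale: Loki now binds to loopback, and the nginx vhost on 192.168.6.40 (presumably the WireGuard address) is the only thing in front of the unauthenticated API; because it is marked `default = true`, a request with any Host header on that listener is proxied to Loki. I would drop `default = true` unless the catch-all is intended, consider an `allow`/`deny` list or `basicAuthFile` on the location, and reword the comment to say that the trust boundary is now the nginx listener.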
diff --git a/profiles/monitoring/promtail.nix b/profiles/monitoring/promtail.nix
index 23b6669..a3b95c2 100644
--- a/profiles/monitoring/promtail.nix
+++ b/profiles/monitoring/promtail.nix
@@ -2,7 +2,7 @@
 {
   services.promtail.enable = true;
   services.promtail.configuration = {
-    clients = [{ url = "https://loki.${config.homelab.domain}:3100/loki/api/v1/push"; }];
+    clients = [{ url = "https://loki.${config.homelab.domain}/loki/api/v1/push"; }];
     scrape_configs = [
       {
         job_name = "journal";