nixos/promtail: fix access to journal
parent
4c64fa224e
commit
31a0b5dff6
@ -6,10 +6,12 @@ let
|
||||
echo '${builtins.toJSON conf}' | ${pkgs.buildPackages.jq}/bin/jq 'del(._module)' > $out
|
||||
'';
|
||||
|
||||
allowSystemdJournal = cfg.configuration ? scrape_configs && lib.any (v: v ? journal) cfg.configuration.scrape_configs;
|
||||
in {
|
||||
options.services.promtail = with types; {
|
||||
enable = mkEnableOption "the Promtail ingresser";
|
||||
|
||||
|
||||
configuration = mkOption {
|
||||
type = (pkgs.formats.json {}).type;
|
||||
description = ''
|
||||
@ -67,6 +69,8 @@ in {
|
||||
RestrictRealtime = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
PrivateUsers = true;
|
||||
|
||||
SupplementaryGroups = lib.optional (allowSystemdJournal) "systemd-journal";
|
||||
} // (optionalAttrs (!pkgs.stdenv.isAarch64) { # FIXME: figure out why this breaks on aarch64
|
||||
SystemCallFilter = "@system-service";
|
||||
});
|
||||
|
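Review bot: The new `SupplementaryGroups` line in the second hunk carries no comment on what the group grants, even though it widens the sandbox the surrounding hardening options set up. Membership in `systemd-journal` gives the service read access to the whole system journal, not only to the units a `journal` scrape config selects. I would add a comment above it such as `# systemd-journal can read every journal entry; only granted when a scrape config has a journal section`, and say the same in the `configuration` option description so operators know a journal scrape changes the unit's privileges. As a style point, the parentheses are redundant: `lib.optional allowSystemdJournal "systemd-journal"`. The serviceConfig attribute set starts outside the hunk.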
@ -45,6 +45,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }:
|
||||
machine.wait_for_open_port(3100)
|
||||
machine.wait_for_open_port(9080)
|
||||
machine.succeed("echo 'Loki Ingestion Test' > /var/log/testlog")
|
||||
# should not have access to journal unless specified
|
||||
machine.fail("systemctl show --property=SupplementaryGroups promtail | grep -q systemd-journal")
|
||||
machine.wait_until_succeeds(
|
||||
"${pkgs.grafana-loki}/bin/logcli --addr='http://localhost:3100' query --no-labels '{job=\"varlogs\",filename=\"/var/log/testlog\"}' | grep -q 'Loki Ingestion Test'"
|
||||
)
|
||||
|
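Review bot: The added assertion covers only the negative case, that the unit does not carry `systemd-journal` when the test configuration (presumably file-only, it is outside the hunk) has no journal scrape. The path this commit fixes is not exercised, so a regression in `allowSystemdJournal` would still pass. Consider a second node whose `scrape_configs` has a `journal` entry, checked with `machine.succeed("systemctl show --property=SupplementaryGroups promtail | grep -q systemd-journal")` and a `logcli` query for a journal line. Note also that `machine.fail` on this pipeline passes whenever grep matches nothing, including when `systemctl show` itself errors.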