nixos/victorialogs: init module

Author: wlcx

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -117,6 +117,8 @@
 
 - [duckdns](https://www.duckdns.org), free dynamic DNS. Available with [services.duckdns](options.html#opt-services.duckdns.enable)
 
+- [victorialogs][https://docs.victoriametrics.com/victorialogs/], log database from VictoriaMetrics. Available as [services.victorialogs](#opt-services.victorialogs.enable)
+
 - [nostr-rs-relay](https://git.sr.ht/~gheartsfield/nostr-rs-relay/), This is a nostr relay, written in Rust. Available as [services.nostr-rs-relay](options.html#opt-services.nostr-rs-relay.enable).
 
 - [Prometheus Node Cert Exporter](https://github.com/amimof/node-cert-exporter), a prometheus exporter to check for SSL cert expiry. Available under [services.prometheus.exporters.node-cert](#opt-services.prometheus.exporters.node-cert.enable).

nixos/modules/module-list.nix

@@ -510,6 +510,7 @@
   ./services/databases/redis.nix
   ./services/databases/surrealdb.nix
   ./services/databases/tigerbeetle.nix
+  ./services/databases/victorialogs.nix
   ./services/databases/victoriametrics.nix
   ./services/desktops/accountsservice.nix
   ./services/desktops/ayatana-indicators.nix

nixos/modules/services/databases/victorialogs.nix

@@ -0,0 +1,125 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (lib)
+    escapeShellArgs
+    getBin
+    hasPrefix
+    literalExpression
+    mkBefore
+    mkEnableOption
+    mkIf
+    mkOption
+    mkPackageOption
+    optionalString
+    types
+    ;
+  cfg = config.services.victorialogs;
+  startCLIList = [
+    "${cfg.package}/bin/victoria-logs"
+    "-storageDataPath=/var/lib/${cfg.stateDir}"
+    "-httpListenAddr=${cfg.listenAddress}"
+  ] ++ cfg.extraOptions;
+in
+{
+  options.services.victorialogs = {
+    enable = mkEnableOption "VictoriaLogs is an open source user-friendly database for logs from VictoriaMetrics";
+    package = mkPackageOption pkgs "victoriametrics" { };
+    listenAddress = mkOption {
+      default = ":9428";
+      type = types.str;
+      description = ''
+        TCP address to listen for incoming http requests.
+      '';
+    };
+    stateDir = mkOption {
+      type = types.str;
+      default = "victorialogs";
+      description = ''
+        Directory below `/var/lib` to store VictoriaLogs data.
+        This directory will be created automatically using systemd's StateDirectory mechanism.
+      '';
+    };
+    extraOptions = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      example = literalExpression ''
+        [
+          "-httpAuth.username=username"
+          "-httpAuth.password=file:///abs/path/to/file"
+          "-loggerLevel=WARN"
+        ]
+      '';
+      description = ''
+        Extra options to pass to VictoriaLogs. See {command}`victoria-logs -help` for
+        possible options.
+      '';
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services.victorialogs = {
+      description = "VictoriaLogs logs database";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      startLimitBurst = 5;
+
+      serviceConfig = {
+        ExecStart = escapeShellArgs startCLIList;
+        DynamicUser = true;
+        RestartSec = 1;
+        Restart = "on-failure";
+        RuntimeDirectory = "victorialogs";
+        RuntimeDirectoryMode = "0700";
+        StateDirectory = cfg.stateDir;
+        StateDirectoryMode = "0700";
+
+        # Hardening
+        DeviceAllow = [ "/dev/null rw" ];
+        DevicePolicy = "strict";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "full";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+      };
+
+      postStart =
+        let
+          bindAddr = (optionalString (hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
+        in
+        mkBefore ''
+          until ${getBin pkgs.curl}/bin/curl -s -o /dev/null http://${bindAddr}/ping; do
+            sleep 1;
+          done
+        '';
+    };
+  };
+}