base/various: add to slice system-monitoring

base/default.nix

@@ -95,6 +95,10 @@
     AllowHibernation = lib.mkDefault false;
   };
 
+  systemd.slices."system-monitoring" = {
+    description = "Monitoring related services";
+  };
+
   # users.mutableUsers = lib.mkDefault false;
 
   users.groups."drift".name = "drift";

base/services/fluentbit.nix

@@ -62,10 +62,8 @@ in
           name = "loki";
           match = "*";
 
-          host = "loki.pvv.ntnu.no";
-          port = 443;
-          tls = "on";
-          "tls.verify" = "on";
+          host = "ildkule.pvv.ntnu.no";
+          port = 3100;
           uri = "/loki/api/v1/push";
           compress = "gzip";
 
@@ -90,6 +88,7 @@ in
 
   systemd.services.fluent-bit = lib.mkIf cfg.enable {
     serviceConfig = {
+      Slice = "system-monitoring.slice";
       StateDirectory = "fluent-bit";
 
       # NOTE: This hardening might be way too strong for general purpose use, don't upstream this.

base/services/journald-upload.nix

@@ -14,6 +14,7 @@ in
   };
 
   systemd.services."systemd-journal-upload".serviceConfig = lib.mkIf cfg.enable {
+    Slice = "system-monitoring.slice";
     IPAddressDeny = "any";
     IPAddressAllow = [
       values.hosts.ildkule.ipv4

base/services/prometheus-node-exporter.nix

@@ -10,7 +10,7 @@ in
     enabledCollectors = [ "systemd" ];
   };
 
-  services.nginx = {
+  services.nginx = lib.mkIf cfg.enable {
     enable = lib.mkDefault true;
 
     virtualHosts.${config.networking.fqdn} = lib.mkIf config.services.nginx.enable {
@@ -31,4 +31,8 @@ in
       };
     };
   };
+
+  systemd.services = lib.mkIf cfg.enable {
+    "prometheus-node-exporter".serviceConfig.Slice = "system-monitoring.slice";
+  };
 }

base/services/prometheus-systemd-exporter.nix

@@ -13,7 +13,7 @@ in
     ];
   };
 
-  services.nginx = {
+  services.nginx = lib.mkIf cfg.enable {
     enable = lib.mkDefault true;
 
     virtualHosts.${config.networking.fqdn} = lib.mkIf config.services.nginx.enable {
@@ -34,4 +34,8 @@ in
       };
     };
   };
+
+  systemd.services = lib.mkIf cfg.enable {
+    "prometheus-systemd-exporter".serviceConfig.Slice = "system-monitoring.slice";
+  };
 }

base/services/rsyslogd.nix

@@ -1,13 +1,20 @@
-{ ... }:
+{ config, lib, ... }:
+let
+  cfg = config.services.rsyslogd;
+in
 {
   services.rsyslogd = {
-    enable = true;
+    enable = lib.mkDefault true;
     defaultConfig = ''
       *.* @loghost.pvv.ntnu.no
     '';
   };
 
-  services.journald.extraConfig = ''
+  services.journald.extraConfig = lib.mkIf cfg.enable ''
     ForwardToSyslog=yes
   '';
+
+  systemd.services = lib.mkIf cfg.enable {
+    "syslog".serviceConfig.Slice = "system-monitoring.slice";
+  };
 }

base/services/uptimed.nix

@@ -23,7 +23,7 @@ in
       };
     };
 
-    systemd.services.uptimed = lib.mkIf (cfg.enable) {
+    systemd.services.uptimed = lib.mkIf cfg.enable {
       serviceConfig = let
         uptimed = pkgs.uptimed.overrideAttrs (prev: {
           postPatch = ''
@@ -35,6 +35,8 @@ in
         });
 
       in {
+        Slice = "system-monitoring.slice";
+
         Type = "notify";
 
         ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";

hosts/ildkule/services/monitoring/loki.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, values, ... }:
+{ config, pkgs, ... }:
 
 let
   cfg = config.services.loki;
@@ -9,8 +9,8 @@ in {
     configuration = {
       auth_enabled = false;
       server = {
-        http_listen_port = 31832;
-        http_listen_address = "127.0.0.1";
+        http_listen_port = 3100;
+        http_listen_address = "0.0.0.0";
         grpc_listen_port = 9096;
       };
 
@@ -81,25 +81,5 @@ in {
     };
   };
 
-  services.nginx.virtualHosts."loki.pvv.ntnu.no" = {
-    forceSSL = true;
-    enableACME = true;
-    kTLS = true;
-
-    locations = {
-      "/".return = "403";
-      "/loki/api/v1/push" = {
-        proxyPass = "http://${cfg.configuration.server.http_listen_address}:${toString cfg.configuration.server.http_listen_port}/loki/api/v1/push";
-        extraConfig = ''
-          allow 127.0.0.1;
-          allow ::1;
-          allow ${values.ipv4-space};
-          allow ${values.ipv6-space};
-          allow ${values.ntnu.ipv4-space};
-          allow ${values.ntnu.ipv6-space};
-          deny all;
-        '';
-      };
-    };
-  };
+  networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];
 }