nixos/prometheus: enable checking syntax only

This allows config checking with external files to not fail inside the sandbox.
2022-05-12 10:40:26 -07:00 · 2022-05-12 10:40:26 -07:00 · c0723eef37
commit c0723eef37
parent 1ce1506255
1 changed files with 15 additions and 8 deletions
--- a/nixos/modules/services/monitoring/prometheus/default.nix
+++ b/nixos/modules/services/monitoring/prometheus/default.nix
@ -5,6 +5,9 @@ with lib;
 let
  json = pkgs.formats.json { };
  cfg = config.services.prometheus;
+  checkConfigEnabled =
+    (lib.isBool cfg.checkConfig && cfg.checkConfig)
+      || cfg.checkConfig == "syntax-only";

  workingDir = "/var/lib/" + cfg.stateDir;

@ -27,7 +30,7 @@ let

  # a wrapper that verifies that the configuration is valid
  promtoolCheck = what: name: file:
-    if cfg.checkConfig then
+    if checkConfigEnabled then
      pkgs.runCommandLocal
        "${name}-${replaceStrings [" "] [""] what}-checked"
        { buildInputs = [ cfg.package ]; } ''
@ -58,7 +61,7 @@ let
          pkgs.writeText "prometheus.yml" cfg.configText
        else generatedPrometheusYml;
    in
-    promtoolCheck "check config" "prometheus.yml" yml;
+    promtoolCheck "check config ${lib.optionalString (cfg.checkConfig == "syntax-only") "--syntax-only"}" "prometheus.yml" yml;

  cmdlineArgs = cfg.extraFlags ++ [
    "--storage.tsdb.path=${workingDir}/data/"
@ -1726,16 +1729,20 @@ in
    };

    checkConfig = mkOption {
-      type = types.bool;
+      type = with types; either bool (enum [ "syntax-only" ]);
      default = true;
+      example = "syntax-only";
      description = ''
        Check configuration with <literal>promtool
        check</literal>. The call to <literal>promtool</literal> is
-        subject to sandboxing by Nix. When credentials are stored in
-        external files (<literal>password_file</literal>,
-        <literal>bearer_token_file</literal>, etc), they will not be
-        visible to <literal>promtool</literal> and it will report
-        errors, despite a correct configuration.
+        subject to sandboxing by Nix.
+
+        If you use credentials stored in external files
+        (<literal>password_file</literal>, <literal>bearer_token_file</literal>, etc),
+        they will not be visible to <literal>promtool</literal>
+        and it will report errors, despite a correct configuration.
+        To resolve this, you may set this option to <literal>"syntax-only"</literal>
+        in order to only syntax check the Prometheus configuration.
      '';
    };