nixos/prometheus: enable checking syntax only

This allows config checking not to fail inside the sandbox when the
configuration references external files.
This commit is contained in:
Cole Helbling 2022-05-12 10:40:26 -07:00 committed by Cole Helbling
parent 1ce1506255
commit c0723eef37


@ -5,6 +5,9 @@ with lib;
let let
json = pkgs.formats.json { }; json = pkgs.formats.json { };
cfg = config.services.prometheus; cfg = config.services.prometheus;
checkConfigEnabled =
(lib.isBool cfg.checkConfig && cfg.checkConfig)
|| cfg.checkConfig == "syntax-only";
workingDir = "/var/lib/" + cfg.stateDir; workingDir = "/var/lib/" + cfg.stateDir;
@ -27,7 +30,7 @@ let
# a wrapper that verifies that the configuration is valid # a wrapper that verifies that the configuration is valid
promtoolCheck = what: name: file: promtoolCheck = what: name: file:
if cfg.checkConfig then if checkConfigEnabled then
pkgs.runCommandLocal pkgs.runCommandLocal
"${name}-${replaceStrings [" "] [""] what}-checked" "${name}-${replaceStrings [" "] [""] what}-checked"
{ buildInputs = [ cfg.package ]; } '' { buildInputs = [ cfg.package ]; } ''
@ -58,7 +61,7 @@ let
pkgs.writeText "prometheus.yml" cfg.configText pkgs.writeText "prometheus.yml" cfg.configText
else generatedPrometheusYml; else generatedPrometheusYml;
in in
promtoolCheck "check config" "prometheus.yml" yml; promtoolCheck "check config ${lib.optionalString (cfg.checkConfig == "syntax-only") "--syntax-only"}" "prometheus.yml" yml;
cmdlineArgs = cfg.extraFlags ++ [ cmdlineArgs = cfg.extraFlags ++ [
"--storage.tsdb.path=${workingDir}/data/" "--storage.tsdb.path=${workingDir}/data/"
@ -1726,16 +1729,20 @@ in
}; };
checkConfig = mkOption { checkConfig = mkOption {
type = types.bool; type = with types; either bool (enum [ "syntax-only" ]);
default = true; default = true;
example = "syntax-only";
description = '' description = ''
Check configuration with <literal>promtool Check configuration with <literal>promtool
check</literal>. The call to <literal>promtool</literal> is check</literal>. The call to <literal>promtool</literal> is
subject to sandboxing by Nix. When credentials are stored in subject to sandboxing by Nix.
external files (<literal>password_file</literal>,
<literal>bearer_token_file</literal>, etc), they will not be If you use credentials stored in external files
visible to <literal>promtool</literal> and it will report (<literal>password_file</literal>, <literal>bearer_token_file</literal>, etc),
errors, despite a correct configuration. they will not be visible to <literal>promtool</literal>
and it will report errors, despite a correct configuration.
To resolve this, you may set this option to <literal>"syntax-only"</literal>
in order to only syntax check the Prometheus configuration.
''; '';
}; };