Add more Nix Apps

Rewrite of some of the Apps to Nix. Tried to convert ApplicationSets to simple Applications with an ${env} modifier.
2024-12-12 22:36:56 +01:00
parent e3b1ef76da
commit 9e1beb6895
11 changed files with 732 additions and 2 deletions
@@ -0,0 +1,249 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.loki;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    extraValues = {
+      loki = {
+        auth_enabled = false;
+        storage = {
+          bucketNames = {
+            chunks = cfg.buckets.chunks;
+            ruler = cfg.buckets.ruler;
+            admin = cfg.buckets.admin;
+          };
+          s3 =
+            {
+              endpoint = cfg.s3.endpoint;
+              region = cfg.s3.region;
+              secretAccessKey = "\${S3SECRET}";
+              accessKeyId = "\${S3KEY}";
+              s3ForcePathStyle = true;
+            }
+            // lib.optionalAttrs cfg.s3.insecureSkipVerify {
+              http_config.insecure_skip_verify = true;
+            };
+        };
+        schemaConfig.configs = [
+          {
+            from = "2024-04-01";
+            index.period = "24h";
+            index.prefix = "loki_index_";
+            object_store = "s3";
+            schema = "v13";
+            store = "tsdb";
+          }
+        ];
+        compactor = {
+          compaction_interval = "10m";
+          working_directory = "/tmp/loki/compactor";
+          retention_enabled = true;
+          retention_delete_delay = "2h";
+          retention_delete_worker_count = 150;
+          delete_request_store = "s3";
+        };
+        limits_config.retention_period = "744h";
+      };
+
+      write = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+        tolerations = [
+          {
+            effect = "NoSchedule";
+            operator = "Equal";
+            key = "unschedulable";
+            value = "true";
+          }
+        ];
+      };
+
+      read = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+        tolerations = [
+          {
+            effect = "NoSchedule";
+            operator = "Equal";
+            key = "unschedulable";
+            value = "true";
+          }
+        ];
+      };
+
+      ingress = {
+        enabled = true;
+        ingressClassName = "nginx";
+        annotations = {
+          "cert-manager.io/cluster-issuer" = "letsencrypt-staging";
+          "nginx.ingress.kubernetes.io/ssl-redirect" = "true";
+          "atlantis.oceanbox.io/expose" = "internal";
+        };
+        hosts = [ "loki.adm.oceanbox.io" ];
+        tls = [{
+          hosts = [ "loki.adm.oceanbox.io" ];
+          secretName = "loki-distributed-tls";
+        }];
+      };
+
+      compactor = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+      };
+
+      backend = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+      };
+    };
+  };
+
+in
+{
+  options.apps.loki = lib.apps.appOptions {
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "6.12.0";
+      description = "Loki chart version";
+    };
+    buckets = {
+      chunks = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-chunks";
+        description = "S3 bucket for chunks";
+      };
+      ruler = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-chunks";
+        description = "S3 bucket for ruler";
+      };
+      admin = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-chunks";
+        description = "S3 bucket for admin";
+      };
+    };
+    s3 = {
+      endpoint = lib.mkOption {
+        type = lib.types.str;
+        default = "http://10.255.241.30:30080";
+        description = "S3 endpoint";
+      };
+      region = lib.mkOption {
+        type = lib.types.str;
+        default = "tos";
+        description = "S3 region";
+      };
+      insecureSkipVerify = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Skip TLS verification";
+      };
+    };
+    secret = {
+      name = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-s3";
+        description = "Name of the S3 credentials secret";
+      };
+      accessKey = lib.mkOption {
+        type = lib.types.str;
+        default = "AWS_ACCESS_KEY_ID";
+        description = "Access key field in secret";
+      };
+      secretKey = lib.mkOption {
+        type = lib.types.str;
+        default = "AWS_ACCESS_KEY_SECRET";
+        description = "Secret key field in secret";
+      };
+    };
+  };
+
+  config = lib.apps.appConfig cfg "loki" {
+    namespace = "argocd";
+    helm.releases.loki = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://grafana.github.io/helm-charts";
+        chart = "loki";
+        version = cfg.revision;
+        chartHash = "sha256-YUtEIUiQWRzlttfOOgDk1xfTaiAZ12tIgpGr1QcMpro=";
+      };
+    };
+    annotations = {
+      "argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
+    };
+    # TODO: Add network policies as a second source or integrate them into `resources`.
+    resources = {
+      "argoproj.io".v1alpha1.Application.loki.spec.ignoreDifferences = [
+        {
+          group = "apps";
+          kind = "StatefulSet";
+          jsonPointers = [ "/spec/persistentVolumeClaimRetentionPolicy" ];
+        }
+      ];
+    };
+  };
+}