Unverified Commit 3369cd31 authored by Robin Gloster's avatar Robin Gloster Committed by GitHub

grafana-loki: 3.6.8 -> 3.7.1, nixos/promtail,promtail: remove because `promtail` is EOL (#505055)

parents 6e48b286 618e9a0c
+4 −0
@@ -175,6 +175,10 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
  If you need to rotate, a [3rd-party tool, `grafana-secretkey-rotation-tool`](https://github.com/erooke/grafana-secretkey-rotation-tool/tree/d9dc788902fa5185e15cb15ce6129f7237ab6138) is a tested option.
  When using a secret for this value, make sure to use [Grafana's variable expansion to inject secrets](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion).

- `services.promtail` has been removed, as `promtail` reached its end of life.
  Consider migrating to [](#opt-services.alloy.enable), or, if you are looking for something light-weight, [](#opt-services.fluent-bit.enable).
  See <https://grafana.com/docs/alloy/latest/set-up/migrate/> or <https://docs.fluentbit.io/manual/data-pipeline/outputs/loki>.

- Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.

- `services.immich` no longer supports pgvecto.rs since the package has been removed from nixpkgs.
+0 −1
@@ -745,7 +745,6 @@
  ./services/logging/logcheck.nix
  ./services/logging/logrotate.nix
  ./services/logging/logstash.nix
  ./services/logging/promtail.nix
  ./services/logging/rsyslogd.nix
  ./services/logging/syslog-ng.nix
  ./services/logging/syslogd.nix
+11 −0
@@ -221,6 +221,17 @@ in
      ]
      "The grafana-agent module has been removed. Consider migrating to `grafana-alloy` (`services.alloy.enable`). See <https://grafana.com/docs/alloy/latest/set-up/migrate/>"
    )
    (mkRemovedOptionModule
      [
        "services"
        "promtail"
      ]
      ''
        The promtail module has been removed, as promtail reached its end of life.
        Consider migrating to `grafana-alloy` (`services.alloy.enable`), or, if you are looking for something light-weight, `fluent-bit` (`services.fluent-bit.enable`).
        See <https://grafana.com/docs/alloy/latest/set-up/migrate/> or <https://docs.fluentbit.io/manual/data-pipeline/outputs/loki>.
      ''
    )
    (mkRemovedOptionModule [ "services" "homeassistant-satellite" ]
      "The `services.homeassistant-satellite` module has been replaced by `services.wyoming-satellite`."
    )
+0 −119
{
  config,
  lib,
  pkgs,
  ...
}:
with lib;
let
  cfg = config.services.promtail;

  format = pkgs.formats.json { };
  prettyJSON =
    conf:
    with lib;
    pipe conf [
      (flip removeAttrs [ "_module" ])
      (format.generate "promtail-config.json")
    ];

  allowSystemdJournal =
    cfg.configuration ? scrape_configs && lib.any (v: v ? journal) cfg.configuration.scrape_configs;

  allowPositionsFile = !lib.hasPrefix "/var/cache/promtail" positionsFile;
  positionsFile = cfg.configuration.positions.filename;

  configFile = if cfg.configFile != null then cfg.configFile else prettyJSON cfg.configuration;

in
{
  options.services.promtail = with types; {
    enable = mkEnableOption "the Promtail ingresser";

    configuration = mkOption {
      type = format.type;
      description = ''
        Specify the configuration for Promtail in Nix.
        This option will be ignored if `services.promtail.configFile` is defined.
      '';
    };

    configFile = mkOption {
      type = nullOr path;
      default = null;
      description = ''
        Config file path for Promtail.
        If this option is defined, the value of `services.promtail.configuration` will be ignored.
      '';
    };

    extraFlags = mkOption {
      type = listOf str;
      default = [ ];
      example = [ "--server.http-listen-port=3101" ];
      description = ''
        Specify a list of additional command line flags,
        which get escaped and are then passed to Loki.
      '';
    };
  };

  config = mkIf cfg.enable {
    services.promtail.configuration.positions.filename = mkDefault "/var/cache/promtail/positions.yaml";

    systemd.services.promtail = {
      description = "Promtail log ingress";
      wantedBy = [ "multi-user.target" ];
      stopIfChanged = false;

      serviceConfig = {
        Restart = "on-failure";
        TimeoutStopSec = 10;

        ExecStartPre = "${lib.getExe pkgs.promtail} -config.file=${configFile} -check-syntax";
        ExecStart = "${pkgs.promtail}/bin/promtail -config.file=${configFile} ${escapeShellArgs cfg.extraFlags}";

        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        RestrictSUIDSGID = true;
        PrivateMounts = true;
        CacheDirectory = "promtail";
        ReadWritePaths = lib.optional allowPositionsFile (dirOf positionsFile);

        User = "promtail";
        Group = "promtail";

        CapabilityBoundingSet = "";
        NoNewPrivileges = true;

        ProtectKernelModules = true;
        SystemCallArchitectures = "native";
        ProtectKernelLogs = true;
        ProtectClock = true;

        LockPersonality = true;
        ProtectHostname = true;
        RestrictRealtime = true;
        MemoryDenyWriteExecute = true;
        PrivateUsers = true;

        SupplementaryGroups = lib.optional allowSystemdJournal "systemd-journal";
      }
      // (optionalAttrs (!pkgs.stdenv.hostPlatform.isAarch64) {
        # FIXME: figure out why this breaks on aarch64
        SystemCallFilter = "@system-service";
      });
    };

    users.groups.promtail = { };
    users.users.promtail = {
      description = "Promtail service user";
      isSystemUser = true;
      group = "promtail";
    };
  };
}
+16 −35
{ lib, pkgs, ... }:
{ pkgs, ... }:

{
  name = "loki";
@@ -12,45 +12,26 @@
        enable = true;
        configFile = "${pkgs.grafana-loki.src}/cmd/loki/loki-local-config.yaml";
      };
      services.promtail = {
        enable = true;
        configuration = {
          server = {
            http_listen_port = 9080;
            grpc_listen_port = 0;
          };
          clients = [ { url = "http://localhost:3100/loki/api/v1/push"; } ];
          scrape_configs = [
            {
              job_name = "system";
              static_configs = [
                {
                  targets = [ "localhost" ];
                  labels = {
                    job = "varlogs";
                    __path__ = "/var/log/*log";
                  };
                }
              ];
            }
          ];
        };
      };
    };

  testScript = ''
    import json
    import time

    machine.start
    machine.wait_for_unit("loki.service")
    machine.wait_for_unit("promtail.service")
    machine.wait_for_open_port(3100)
    machine.wait_for_open_port(9080)
    machine.succeed("echo 'Loki Ingestion Test' > /var/log/testlog")
    # should not have access to journal unless specified
    machine.fail(
        "systemctl show --property=SupplementaryGroups promtail | grep -q systemd-journal"
    )
    machine.wait_until_succeeds(
        "${pkgs.grafana-loki}/bin/logcli --addr='http://localhost:3100' query --no-labels '{job=\"varlogs\",filename=\"/var/log/testlog\"}' | grep -q 'Loki Ingestion Test'"
    )

    payload = json.dumps({
        "streams": [{
            "stream": {"job": "test"},
            "values": [
                [str(time.time_ns()), "Loki Ingestion Test"],
            ],
        }],
    })
    machine.succeed(f"curl --json '{payload}' http://localhost:3100/loki/api/v1/push")

    machine.wait_until_succeeds("logcli query --no-labels '{job=\"test\"}' | grep -q 'Loki Ingestion Test'")
  '';
}
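Review bot: The `curl` call that pushes the test payload in `testScript` does not pass `--fail`, so an HTTP error response from `/loki/api/v1/push` still exits 0 and `machine.succeed` passes; a rejected push would only surface later as a timeout in `wait_until_succeeds`, which makes the failure harder to diagnose. I would change the line to `machine.succeed(f"curl --fail --json {shlex.quote(payload)} http://localhost:3100/loki/api/v1/push")` and add `import shlex` next to the other imports, which also removes the assumption that the JSON payload never contains a single quote. Separately, the new `logcli query` call drops the explicit store path and `--addr` that the earlier call used, so it presumably relies on `logcli` being on the VM's PATH and on its default address; a short comment saying where `logcli` comes from would help, since that is not visible in this file.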