Unverified Commit d8657587 authored by Ivan Trubach's avatar Ivan Trubach Committed by GitHub

nixos/victorialogs: init module (#376834)

parents 2d1f829b a3827a59
+2 −0
@@ -123,6 +123,8 @@

- [duckdns](https://www.duckdns.org), free dynamic DNS. Available with [services.duckdns](options.html#opt-services.duckdns.enable)

- [victorialogs][https://docs.victoriametrics.com/victorialogs/], log database from VictoriaMetrics. Available as [services.victorialogs](#opt-services.victorialogs.enable)

- [nostr-rs-relay](https://git.sr.ht/~gheartsfield/nostr-rs-relay/), This is a nostr relay, written in Rust. Available as [services.nostr-rs-relay](options.html#opt-services.nostr-rs-relay.enable).

- [Prometheus Node Cert Exporter](https://github.com/amimof/node-cert-exporter), a prometheus exporter to check for SSL cert expiry. Available under [services.prometheus.exporters.node-cert](#opt-services.prometheus.exporters.node-cert.enable).
+1 −0
@@ -512,6 +512,7 @@
  ./services/databases/redis.nix
  ./services/databases/surrealdb.nix
  ./services/databases/tigerbeetle.nix
  ./services/databases/victorialogs.nix
  ./services/databases/victoriametrics.nix
  ./services/desktops/accountsservice.nix
  ./services/desktops/ayatana-indicators.nix
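--- a/nixos/modules/services/databases/victorialogs.nix
+++ b/nixos/modules/services/databases/victorialogs.nix
@@ -0,0 +1,125 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (lib)
+    escapeShellArgs
+    getBin
+    hasPrefix
+    literalExpression
+    mkBefore
+    mkEnableOption
+    mkIf
+    mkOption
+    mkPackageOption
+    optionalString
+    types
+    ;
+  cfg = config.services.victorialogs;
+  startCLIList = [
+    "${cfg.package}/bin/victoria-logs"
+    "-storageDataPath=/var/lib/${cfg.stateDir}"
+    "-httpListenAddr=${cfg.listenAddress}"
+  ] ++ cfg.extraOptions;
+in
+{
+  options.services.victorialogs = {
+    enable = mkEnableOption "VictoriaLogs is an open source user-friendly database for logs from VictoriaMetrics";
+    package = mkPackageOption pkgs "victoriametrics" { };
+    listenAddress = mkOption {
+      default = ":9428";
+      type = types.str;
+      description = ''
+        TCP address to listen for incoming http requests.
+      '';
+    };
+    stateDir = mkOption {
+      type = types.str;
+      default = "victorialogs";
+      description = ''
+        Directory below `/var/lib` to store VictoriaLogs data.
+        This directory will be created automatically using systemd's StateDirectory mechanism.
+      '';
+    };
+    extraOptions = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      example = literalExpression ''
+        [
+          "-httpAuth.username=username"
+          "-httpAuth.password=file:///abs/path/to/file"
+          "-loggerLevel=WARN"
+        ]
+      '';
+      description = ''
+        Extra options to pass to VictoriaLogs. See {command}`victoria-logs -help` for
+        possible options.
+      '';
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services.victorialogs = {
+      description = "VictoriaLogs logs database";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      startLimitBurst = 5;
+
+      serviceConfig = {
+        ExecStart = escapeShellArgs startCLIList;
+        DynamicUser = true;
+        RestartSec = 1;
+        Restart = "on-failure";
+        RuntimeDirectory = "victorialogs";
+        RuntimeDirectoryMode = "0700";
+        StateDirectory = cfg.stateDir;
+        StateDirectoryMode = "0700";
+
+        # Hardening
+        DeviceAllow = [ "/dev/null rw" ];
+        DevicePolicy = "strict";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "full";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+      };
+
+      postStart =
+        let
+          bindAddr = (optionalString (hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
+        in
+        mkBefore ''
+          until ${getBin pkgs.curl}/bin/curl -s -o /dev/null http://${bindAddr}/ping; do
+            sleep 1;
+          done
+        '';
+    };
+  };
+}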
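Review bot: The `listenAddress` default `:9428` binds every interface, and nothing in the module enables authentication unless the user passes the `-httpAuth.*` flags shown in the `extraOptions` example, so a plain `enable = true` exposes the log ingestion and query HTTP API to every network the host sits on; the option description should state this, e.g. `TCP address to listen on for incoming HTTP requests. The default binds all interfaces with no authentication; use 127.0.0.1:9428 or pass -httpAuth.* via extraOptions when the host is reachable from untrusted networks.` Separately, `ProtectSystem = "full"` could be `"strict"` here, since every writable path the unit needs is already provided through `StateDirectory` and `RuntimeDirectory`. Finally, `stateDir` is typed `types.str` although its description promises a directory below `/var/lib`; a value with `/` or `..` is interpolated into `-storageDataPath` unchecked, with systemd's own `StateDirectory` validation as the only backstop, so a tighter type such as `types.strMatching "[^/]+"` would match the documented contract.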