staging: run node_exporter from nixos; run synapse as non-root

2022-12-01 17:25:53 +01:00 · 2022-12-01 17:25:53 +01:00 · 18ab08a86c
commit 18ab08a86c
parent 195e340f56
2 changed files with 22 additions and 29 deletions
--- a/cluster/staging/app/im/deploy/im-nix.hcl
+++ b/cluster/staging/app/im/deploy/im-nix.hcl
@ -46,7 +46,6 @@ job "im" {
          "secrets/litestream.yml" = "/etc/litestream.yml"
        }
      }
-      user = "root"

      template {
        data = file("../config/litestream.yml")
@ -82,7 +81,6 @@ job "im" {
      env = {
        SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt"
      }
-      user = "root"

      template {
        data = file("flake.nix")
@ -148,7 +146,6 @@ job "im" {
          "../alloc/data" = "/ephemeral",
        }
      }
-      user = "root"

      template {
        data = file("flake.nix")
@ -195,7 +192,6 @@ EOH
          "secrets/litestream.yml" = "/etc/litestream.yml"
        }
      }
-      user = "root"

      template {
        data = file("../config/litestream.yml")
--- a/cluster/staging/app/telemetry/deploy/telemetry-system.hcl
+++ b/cluster/staging/app/telemetry/deploy/telemetry-system.hcl
@ -1,40 +1,37 @@
 job "telemetry-system" {
-	datacenters = ["neptune"]
-	type = "system"
-	priority = "100"
+  datacenters = ["neptune"]
+  type = "system"
+  priority = "100"

-	group "collector" {
+  group "collector" {
    network {
      port "node_exporter" { static = 9100 }
    }

-		task "node_exporter" {
-			driver = "docker"
+    task "node_exporter" {
+      driver = "nix2"

-			config {
-				image = "quay.io/prometheus/node-exporter:v1.1.2"
-				network_mode = "host"
-				volumes = [
-					"/:/host:ro,rslave"
-				]
-				args = [ "--path.rootfs=/host" ]
-			}
+      config {
+        packages = [ "#prometheus-node-exporter" ]
+        command = "node_exporter"
+        args = [ "--path.rootfs=/host" ]
+        bind_read_only = {
+          "/" = "/host"
+        }
+      }

-			resources {
-				cpu = 50
-				memory = 40
-			}
+      resources {
+        cpu = 50
+        memory = 40
+      }

      service {
-        tags = [ "telemetry" ]
-        port = 9100
-        address_mode = "driver"
        name = "node-exporter"
+        tags = [ "telemetry" ]
+        port = "node_exporter"
        check {
          type = "http"
          path = "/"
-          port = 9100
-          address_mode = "driver"
          interval = "60s"
          timeout = "5s"
          check_restart {
@ -44,6 +41,6 @@ job "telemetry-system" {
          }
        }
      }
-		}
-	}
+    }
+  }
 }