Migrate fastly log processor to pluto #388

Draft: wants to merge 6 commits into base: master

edolstra
Member

This moves the service that ingests raw fastly logs and generates summaries (see https://github.com/NixOS/infra/tree/master/metrics/fastly) to pluto. Currently it's running on one of my home machines.

This service runs once a week and kicks off some AWS Athena queries. It expects the credentials for the fastly-log-processor AWS user in /home/nix-metrics/.aws/config. That user has access to the nixos-metrics, nixos-athena and fastly logs buckets.

Comment on lines +3 to +6
users.users.nix-metrics =
{ isNormalUser = true;
description = "Nix Metrics Collection";
};
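
Review bot: isNormalUser = true on users.users.nix-metrics declares an interactive account (home directory under /home, default login shell, membership in the users group), while the description says the account exists for metrics collection. Unless someone needs to log in as this user, consider isSystemUser = true; with an explicit group, plus an explicit home if the job keeps reading its AWS config from the home directory, and add a comment naming the service that runs as this user.
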
Member

Do we need a statically allocated user (and uid), or can the service use the DynamicUser feature, which creates an ad hoc user, when the service runs?

Member Author

That's probably possible. But it does need to have the AWS credentials somewhere.

Member

@mweinelt Feb 23, 2024

In which case we could probably use LoadCredential.

   systemd.services.process-raw-nix-logs.serviceConfig.LoadCredential = [
     "aws-cred:/path/to/actual/aws-cred-file"
   ];

The secret will then be provided at $CREDENTIALS_DIRECTORY/aws-cred.

We currently deploy secrets through agenix. I can help integrate the secret, if needed.

Member

Maybe you can share the secret with me via Bitwarden and I'll create the age file? Feel free to reach out on Matrix to expedite this process.
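
The setup suggested in this thread (DynamicUser plus LoadCredential, with the secret deployed through agenix), written out as an added example that is not part of the pull request. The agenix secret name and .age path, the ExecStart path, and the use of AWS_CONFIG_FILE to point the AWS tooling at the credential are assumptions.

```nix
{ config, ... }:
{
  # Assumed agenix secret holding the AWS config for the fastly-log-processor
  # user; the secret name and the .age path are placeholders.
  age.secrets.fastly-log-processor-aws.file = ./secrets/fastly-log-processor-aws.age;

  systemd.services.process-raw-nix-logs = {
    description = "Process raw Fastly logs";
    startAt = "weekly";

    # systemd expands %d to this unit's credentials directory
    # ($CREDENTIALS_DIRECTORY), so the AWS tooling reads the file provided by
    # LoadCredential instead of /home/nix-metrics/.aws/config.
    environment.AWS_CONFIG_FILE = "%d/aws-cred";

    serviceConfig = {
      Type = "oneshot";

      # Placeholder: the real command is not shown in this thread.
      ExecStart = "/path/to/process-raw-nix-logs";

      # No statically declared user or uid; systemd allocates a transient
      # user when the unit starts and releases it when the unit stops.
      DynamicUser = true;

      # The service manager reads the decrypted secret (root-owned by agenix
      # default) and exposes a copy that only this unit can read, so the
      # dynamic user never needs access to the original file.
      LoadCredential = [
        "aws-cred:${config.age.secrets.fastly-log-processor-aws.path}"
      ];
    };
  };
}
```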
