// Grafana Alloy configuration for flyio-proxy
// Collects nginx access logs → Loki, extracts metrics → Prometheus.
// Note: stub_status connection metrics are not collected — Alloy has no
// built-in nginx exporter. The log-derived metrics cover the key signals.
// ============== LOG COLLECTION ==============
// Tail the JSON access log written by nginx.
//
// Discovers the file to tail. The `job` label attached here travels with
// every line into Loki; NOTE(review): it is also expected to show up on the
// log-derived Prometheus series registered by stage.metrics below — confirm
// on Alloy's /metrics output.
local.file_match "nginx_access" {
  path_targets = [
    // One fixed path, no glob: nothing else on the host can be picked up by
    // accident, and the path does not depend on any runtime input.
    {__path__ = "/var/log/nginx/access.json.log", job = "flyio-nginx"},
  ]
}
// Read the matched file and hand every line to the processing pipeline.
loki.source.file "nginx_access" {
  targets    = local.file_match.nginx_access.targets
  // All lines pass through loki.process.nginx (parsing, labels, metrics)
  // before anything reaches Loki — there is no direct path to loki.write.
  forward_to = [loki.process.nginx.receiver]
}
// Parse JSON fields, extract labels, derive metrics.
//
// Stages run in the order written: stage.json fills the extracted map,
// stage.labels promotes four of those fields to Loki stream labels, and the
// stage.metrics blocks register counters / a histogram that Alloy serves on
// its own /metrics endpoint (collected by prometheus.scrape.self below).
loki.process "nginx" {
  forward_to = [loki.relabel.instance.receiver]

  // Parse the JSON log line.
  // Left-hand names are keys in the extracted map; right-hand strings are the
  // JSON field names in the nginx log_format (assumed — confirm against the
  // nginx config that writes access.json.log).
  stage.json {
    expressions = {
      // Extracted but deliberately not promoted to a label below (it is
      // high-cardinality and still present in the raw line). No later stage
      // in this file reads it.
      client_ip = "client_ip",
      status = "status",
      method = "request_method",
      host = "http_host",
      cache_status = "upstream_cache_status",
      request_time = "request_time",
      body_bytes_sent = "body_bytes_sent",
      // Extracted but not referenced by any later stage in this file.
      upstream_response_time = "upstream_response_time",
    }
  }

  // Promote to labels for filtering in Loki.
  // An empty value means "use the extracted-map key of the same name".
  //
  // NOTE(review): `host` and `method` are whatever the client put on the
  // request (presumably nginx's $http_host / $request_method — confirm in the
  // log_format). Both are unbounded, client-controlled strings, and every
  // distinct value creates a new Loki stream here and a new series on the
  // counters below. Consider normalizing `host` to the set of served vhosts
  // (anything else → a fixed "other" value) and `method` to the standard
  // verbs before this stage, or leaving them off the label set.
  stage.labels {
    values = {
      status = "",
      method = "",
      host = "",
      cache_status = "",
    }
  }

  // --- Derived metrics (exposed on Alloy's /metrics endpoint) ---
  // Alloy registers these under a "loki_process_custom_" prefix; the first
  // rule in prometheus.relabel.instance strips it again.
  // NOTE(review): the stream labels set above (status, method, host,
  // cache_status) are expected to become series labels on each of these
  // metrics — confirm on /metrics, since that is where the cardinality
  // concern noted on stage.labels lands.

  // Request count. match_all: every line increments, whether or not any
  // particular field was extracted.
  stage.metrics {
    metric.counter {
      name = "flyio_nginx_http_requests_total"
      description = "Total HTTP requests by status, method, and host."
      match_all = true
      action = "inc"
    }
  }

  // Latency histogram. Only lines whose extracted map contains request_time
  // are observed; the value is taken from that field (nginx writes seconds).
  stage.metrics {
    metric.histogram {
      name = "flyio_nginx_http_request_duration_seconds"
      description = "HTTP request latency in seconds."
      source = "request_time"
      // 5 ms .. 10 s; matches the usual Prometheus HTTP latency buckets.
      buckets = [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
    }
  }

  // Response bytes. action = "add" adds the numeric body_bytes_sent value
  // rather than incrementing by one.
  stage.metrics {
    metric.counter {
      name = "flyio_nginx_http_response_bytes_total"
      description = "Total bytes sent in HTTP responses."
      source = "body_bytes_sent"
      action = "add"
    }
  }

  // Cache lookups. Increments once per line that carries cache_status; the
  // breakdown by HIT/MISS/etc. comes from the cache_status label promoted
  // above, not from this block.
  stage.metrics {
    metric.counter {
      name = "flyio_nginx_cache_requests_total"
      description = "Total cache lookups by cache status."
      source = "cache_status"
      action = "inc"
    }
  }
}
// Add instance label to logs.
//
// A rule with no source_labels/regex matches every entry, so this is an
// unconditional instance="flyio-proxy" on every stream. The metrics side
// sets the same value in prometheus.relabel.instance — keep the two in sync
// or dashboards that join logs and metrics on instance will break.
loki.relabel "instance" {
  forward_to = [loki.write.loki.receiver]

  rule {
    target_label = "instance"
    replacement = "flyio-proxy"
  }
}
Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints (#126)
## Summary
- Introduce `tag:flyio-target` so services must explicitly opt in to be reachable by the fly.io proxy
- Replace broad `tag:k8s` and `tag:homelab` grants with the new tag in the ACL rule and test
- Add `tailscale.com/tags: "tag:k8s,tag:flyio-target"` annotation to docs, loki, and prometheus Ingresses
- Switch Alloy push endpoints from `*.ops.eblu.me` (Caddy) to `*.tail8d86e.ts.net` (Tailscale Ingress)
- Update docs: flyio-proxy, caddy, tailscale, forgejo (future public access + security checklist), expose-service-publicly
## Manual step (not in PR)
Update the k8s operator OAuth client in the Tailscale admin console to include `tag:flyio-target` in its scope. Without this, the operator cannot assign the new tag to Ingress proxy nodes.
## Deployment order
1. **Pulumi ACLs** — `mise run tailnet-preview && mise run tailnet-up`
2. **OAuth client** — Manual update in Tailscale admin console
3. **K8s Ingresses** — `argocd app sync apps && argocd app sync docs loki prometheus`
4. **Fly.io proxy** — `mise run fly-deploy`
5. **Verify** — `mise run services-check`, check Grafana dashboards
## Test plan
- [ ] `mise run tailnet-preview` shows clean diff
- [ ] `argocd app diff docs`, `argocd app diff loki`, `argocd app diff prometheus` show only annotation additions
- [ ] After deploy: Grafana dashboards show continued log/metric flow
- [ ] `curl -sf https://docs.eblu.me` returns 200
- [ ] `mise run services-check` passes
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/126
// Write logs to Loki via Tailscale Ingress (direct, bypasses Caddy).
// Uses direct Tailscale endpoint because flyio-proxy ACLs only allow
// tag:flyio-target — Caddy on indri (tag:homelab) is not reachable.
//
// NOTE(review): no basic_auth / tenant_id / tls_config is set on the
// endpoint, so the only things gating writes are the tailnet ACL and the
// TLS that the https:// URL provides. That is fine while tag:flyio-target is
// the sole grant to this Ingress; if the push path ever becomes reachable
// by other nodes, add endpoint-level auth rather than relying on the ACL
// alone. Confirm what Loki itself requires on /loki/api/v1/push.
loki.write "loki" {
  endpoint {
    // Tailscale Ingress hostname; certificate provisioning for the *.ts.net
    // name is handled by the Ingress, not here.
    url = "https://loki.tail8d86e.ts.net/loki/api/v1/push"
  }
}
// ============== METRICS PIPELINE ==============
// Self-scrape to collect the log-derived metrics from /metrics.
//
// 127.0.0.1:12345 is Alloy's own HTTP listener (its default address —
// confirm against the --server.http.listen-addr Alloy is started with).
// Scraping over loopback says nothing about whether that listener is also
// reachable from outside the VM; that is decided by the listen address,
// not by this block.
// NOTE(review): this scrape picks up everything Alloy serves on /metrics,
// i.e. its own runtime metrics as well as the stage.metrics series —
// presumably intended; prometheus.relabel.instance does not filter them.
prometheus.scrape "self" {
  targets = [{"__address__" = "127.0.0.1:12345"}]
  forward_to = [prometheus.relabel.instance.receiver]
  scrape_interval = "15s"
}
// Strip the "loki_process_custom_" prefix that Alloy adds to stage.metrics,
// then add instance label. This keeps dashboard queries clean.
//
// Rules run in order for every sample: rename, drop internal labels, then
// set instance. Samples whose name does not carry the prefix are not
// renamed but still pass through the later rules and on to remote_write.
prometheus.relabel "instance" {
  forward_to = [prometheus.remote_write.prometheus.receiver]

  // Anchored match: only names starting with the prefix are rewritten, and
  // the captured remainder becomes the new __name__.
  rule {
    source_labels = ["__name__"]
    regex = "loki_process_custom_(.*)"
    target_label = "__name__"
    replacement = "$1"
  }

  // Drop internal labels added by the loki pipeline.
  // (component_id / component_path presumably come from the stage.metrics
  // registration, filename from loki.source.file — confirm on /metrics.)
  rule {
    regex = "component_id|component_path|filename"
    action = "labeldrop"
  }

  // Unconditional instance label; same value as loki.relabel.instance sets
  // on the log streams, so logs and metrics can be joined on it.
  rule {
    target_label = "instance"
    replacement = "flyio-proxy"
  }
}
// Push metrics to Prometheus via Tailscale Ingress (direct, bypasses Caddy).
// Uses direct Tailscale endpoint because flyio-proxy ACLs only allow
// tag:flyio-target — Caddy on indri (tag:homelab) is not reachable.
//
// NOTE(review): as with loki.write.loki, the endpoint carries no basic_auth
// or tls_config, so the tailnet ACL plus the https:// transport is the whole
// access control on the write path. Acceptable while only tag:flyio-target
// nodes can reach the Ingress; revisit if that grant widens. Remote-write
// also has to be enabled on the Prometheus side for /api/v1/write to accept
// samples — that is outside this file.
prometheus.remote_write "prometheus" {
  endpoint {
    // Tailscale Ingress hostname; cert for the *.ts.net name is the
    // Ingress's responsibility.
    url = "https://prometheus.tail8d86e.ts.net/api/v1/write"
  }
}