Add Nix container build for Pyroscope and update to v1.19.1

Nix derivation follows the Alloy pattern: stdenv + pre-fetched Go modules for multi-module workspace (go.work with ./api, ./lidia). goModules hash is a placeholder (fakeHash) — first build on ringtail will produce the real hash. Kustomization updated to use local registry image. Service-versions entries added for pyroscope and alloy-profiling-ringtail. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 14:20:05 -07:00 · 2026-03-26 14:20:05 -07:00 · 01317634ad
commit 01317634ad
parent e7d3871144
3 changed files with 126 additions and 1 deletions
--- a/argocd/manifests/pyroscope/kustomization.yaml
+++ b/argocd/manifests/pyroscope/kustomization.yaml
@ -11,7 +11,8 @@ resources:

 images:
  - name: grafana/pyroscope
-    newTag: "1.13.3"
+    newName: registry.ops.eblu.me/blumeops/pyroscope
+    newTag: "v1.19.1-placeholder-nix"

 configMapGenerator:
  - name: pyroscope-config
--- a/containers/pyroscope/default.nix
+++ b/containers/pyroscope/default.nix
@ -0,0 +1,110 @@
+# Nix-built Grafana Pyroscope continuous profiling server
+# Builds v1.19.1 from forge mirror
+# Uses stdenv + make (not buildGoModule) due to multi-module go.work workspace
+# with local replace directives (./api, ./lidia)
+# Built with dockerTools.buildLayeredImage for efficient layer caching
+{ pkgs ? import <nixpkgs> { } }:
+
+let
+  version = "1.19.1";
+
+  src = pkgs.fetchgit {
+    url = "https://forge.ops.eblu.me/mirrors/pyroscope.git";
+    rev = "v${version}";
+    hash = "sha256-UPxGimkzXLFACqmAM1hNQIoNjN6OquVibwVmNvP00+s=";
+  };
+
+  # Pre-fetch Go modules for all go.mod files in the workspace (fixed-output derivation)
+  goModules = pkgs.stdenv.mkDerivation {
+    pname = "pyroscope-go-modules";
+    inherit src version;
+
+    nativeBuildInputs = with pkgs; [ go git cacert ];
+
+    buildPhase = ''
+      export GOPATH=$TMPDIR/go
+      export GOFLAGS=-modcacherw
+      # Download modules for all workspace members
+      go mod download
+      cd api && go mod download && cd ..
+      cd lidia && go mod download && cd ..
+    '';
+
+    installPhase = ''
+      cp -r $TMPDIR/go/pkg/mod $out
+    '';
+
+    outputHashMode = "recursive";
+    outputHash = pkgs.lib.fakeHash;
+    outputHashAlgo = "sha256";
+  };
+
+  pyroscope = pkgs.stdenv.mkDerivation {
+    inherit src version;
+    pname = "pyroscope";
+
+    nativeBuildInputs = with pkgs; [
+      go
+      git
+      gnumake
+      cacert
+    ];
+
+    buildPhase = ''
+      runHook preBuild
+
+      export HOME=$TMPDIR
+      export GOPATH=$TMPDIR/go
+      export GOFLAGS=-modcacherw
+
+      # Populate module cache from pre-fetched modules
+      mkdir -p $GOPATH/pkg
+      cp -r ${goModules} $GOPATH/pkg/mod
+      chmod -R u+w $GOPATH/pkg/mod
+
+      # Build using upstream Makefile
+      # CGO_ENABLED=0 for static binary (matches upstream)
+      CGO_ENABLED=0 \
+        IMAGE_TAG=v${version} \
+        make build
+
+      runHook postBuild
+    '';
+
+    installPhase = ''
+      runHook preInstall
+      mkdir -p $out/bin
+      cp pyroscope $out/bin/pyroscope
+      runHook postInstall
+    '';
+
+    meta = with pkgs.lib; {
+      description = "Grafana Pyroscope continuous profiling platform";
+      homepage = "https://grafana.com/docs/pyroscope/";
+      license = licenses.agpl3Only;
+      mainProgram = "pyroscope";
+    };
+  };
+in
+
+pkgs.dockerTools.buildLayeredImage {
+  name = "blumeops/pyroscope";
+  contents = [
+    pyroscope
+    pkgs.cacert
+    pkgs.tzdata
+  ];
+
+  config = {
+    Entrypoint = [ "${pyroscope}/bin/pyroscope" ];
+    Cmd = [ "-config.path=/etc/pyroscope/config.yaml" ];
+    Env = [
+      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      "TZDIR=${pkgs.tzdata}/share/zoneinfo"
+    ];
+    ExposedPorts = {
+      "4040/tcp" = { };
+    };
+    User = "65534";
+  };
+}
--- a/service-versions.yaml
+++ b/service-versions.yaml
@ -285,6 +285,20 @@ services:
    upstream-source: https://github.com/prowler-cloud/prowler/releases
    notes: CIS Kubernetes Benchmark scanner; weekly CronJob on minikube-indri

+  - name: pyroscope
+    type: argocd
+    last-reviewed: 2026-03-26
+    current-version: "v1.19.1"
+    upstream-source: https://github.com/grafana/pyroscope/releases
+    notes: Nix-built container on ringtail; continuous profiling backend
+
+  - name: alloy-profiling-ringtail
+    type: argocd
+    last-reviewed: 2026-03-26
+    current-version: "v1.14.0"
+    upstream-source: https://github.com/grafana/alloy/releases
+    notes: Privileged DaemonSet with pyroscope.ebpf for CPU profiling on ringtail
+
  - name: forgejo
    type: ansible
    last-reviewed: 2026-02-22