From 01317634ad438451cfd19cf47ab0b26b09393106 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Thu, 26 Mar 2026 14:20:05 -0700
Subject: [PATCH] Add Nix container build for Pyroscope and update to v1.19.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Nix derivation follows the Alloy pattern: stdenv + pre-fetched Go modules for multi-module workspace (go.work with ./api, ./lidia). goModules hash is a placeholder (fakeHash) — first build on ringtail will produce the real hash. Kustomization updated to use local registry image. Service-versions entries added for pyroscope and alloy-profiling-ringtail.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 argocd/manifests/pyroscope/kustomization.yaml |   3 +-
 containers/pyroscope/default.nix              | 110 ++++++++++++++++++
 service-versions.yaml                         |  14 +++
 3 files changed, 126 insertions(+), 1 deletion(-)
 create mode 100644 containers/pyroscope/default.nix

diff --git a/argocd/manifests/pyroscope/kustomization.yaml b/argocd/manifests/pyroscope/kustomization.yaml
index 1813cdc..4278a82 100644
--- a/argocd/manifests/pyroscope/kustomization.yaml
+++ b/argocd/manifests/pyroscope/kustomization.yaml
@@ -11,7 +11,8 @@ resources:
 
 images:
   - name: grafana/pyroscope
-    newTag: "1.13.3"
+    newName: registry.ops.eblu.me/blumeops/pyroscope
+    newTag: "v1.19.1-placeholder-nix"
 
 configMapGenerator:
   - name: pyroscope-config
diff --git a/containers/pyroscope/default.nix b/containers/pyroscope/default.nix
new file mode 100644
index 0000000..54c0f2a
--- /dev/null
+++ b/containers/pyroscope/default.nix
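Review bot: `newTag: "v1.19.1-placeholder-nix"` names a tag that no published image carries yet, so once Argo CD syncs this kustomization the Deployment sits in ImagePullBackOff until the first Nix build pushes that exact tag to registry.ops.eblu.me. Since a tag is mutable in any case, the image should be pinned by content as soon as it exists, e.g. `digest: sha256:<digest-of-published-image>` under the same `images:` entry next to `newName`, so that what the cluster pulls is the artifact produced from the source the derivation pins by hash. A short comment on the `newTag` line stating that the tag is a placeholder to be replaced after the first successful build would keep this from being mistaken for a real release tag.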
@@ -0,0 +1,110 @@
+# Nix-built Grafana Pyroscope continuous profiling server
+# Builds v1.19.1 from forge mirror
+# Uses stdenv + make (not buildGoModule) due to multi-module go.work workspace
+# with local replace directives (./api, ./lidia)
+# Built with dockerTools.buildLayeredImage for efficient layer caching
+{ pkgs ? import { } }:
+
+let
+  version = "1.19.1";
+
+  src = pkgs.fetchgit {
+    url = "https://forge.ops.eblu.me/mirrors/pyroscope.git";
+    rev = "v${version}";
+    hash = "sha256-UPxGimkzXLFACqmAM1hNQIoNjN6OquVibwVmNvP00+s=";
+  };
+
+  # Pre-fetch Go modules for all go.mod files in the workspace (fixed-output derivation)
+  goModules = pkgs.stdenv.mkDerivation {
+    pname = "pyroscope-go-modules";
+    inherit src version;
+
+    nativeBuildInputs = with pkgs; [ go git cacert ];
+
+    buildPhase = ''
+      export GOPATH=$TMPDIR/go
+      export GOFLAGS=-modcacherw
+      # Download modules for all workspace members
+      go mod download
+      cd api && go mod download && cd ..
+      cd lidia && go mod download && cd ..
+    '';
+
+    installPhase = ''
+      cp -r $TMPDIR/go/pkg/mod $out
+    '';
+
+    outputHashMode = "recursive";
+    outputHash = pkgs.lib.fakeHash;
+    outputHashAlgo = "sha256";
+  };
+
+  pyroscope = pkgs.stdenv.mkDerivation {
+    inherit src version;
+    pname = "pyroscope";
+
+    nativeBuildInputs = with pkgs; [
+      go
+      git
+      gnumake
+      cacert
+    ];
+
+    buildPhase = ''
+      runHook preBuild
+
+      export HOME=$TMPDIR
+      export GOPATH=$TMPDIR/go
+      export GOFLAGS=-modcacherw
+
+      # Populate module cache from pre-fetched modules
+      mkdir -p $GOPATH/pkg
+      cp -r ${goModules} $GOPATH/pkg/mod
+      chmod -R u+w $GOPATH/pkg/mod
+
+      # Build using upstream Makefile
+      # CGO_ENABLED=0 for static binary (matches upstream)
+      CGO_ENABLED=0 \
+      IMAGE_TAG=v${version} \
+      make build
+
+      runHook postBuild
+    '';
+
+    installPhase = ''
+      runHook preInstall
+      mkdir -p $out/bin
+      cp pyroscope $out/bin/pyroscope
+      runHook postInstall
+    '';
+
+    meta = with pkgs.lib; {
+      description = "Grafana Pyroscope continuous profiling platform";
+      homepage = "https://grafana.com/docs/pyroscope/";
+      license = licenses.agpl3Only;
+      mainProgram = "pyroscope";
+    };
+  };
+in
+
+pkgs.dockerTools.buildLayeredImage {
+  name = "blumeops/pyroscope";
+  contents = [
+    pyroscope
+    pkgs.cacert
+    pkgs.tzdata
+  ];
+
+  config = {
+    Entrypoint = [ "${pyroscope}/bin/pyroscope" ];
+    Cmd = [ "-config.path=/etc/pyroscope/config.yaml" ];
+    Env = [
+      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      "TZDIR=${pkgs.tzdata}/share/zoneinfo"
+    ];
+    ExposedPorts = {
+      "4040/tcp" = { };
+    };
+    User = "65534";
+  };
+}
diff --git a/service-versions.yaml b/service-versions.yaml
index 909aa8c..8580525 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
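Review bot: The goModules fixed-output derivation copies the whole of `$TMPDIR/go/pkg/mod` into `$out` in its installPhase, which also captures `cache/vcs` and the `cache/lock` file that nixpkgs' buildGoModule deliberately leaves out because they are not guaranteed byte-stable, so the real outputHash that replaces `fakeHash` may not reproduce on another machine. Deleting those before the copy, `rm -rf $TMPDIR/go/pkg/mod/cache/vcs $TMPDIR/go/pkg/mod/cache/lock`, keeps the pinned module content and the offline-build property without changing the main derivation. In the pyroscope buildPhase, adding `export GOPROXY=off` next to the `GOFLAGS` line makes any module missing from the pre-fetched cache fail immediately with a clear message instead of as a sandbox network error deep inside `make build`, and documents that the build is expected to be offline. The image runs as `User = "65534"` with no `WorkingDir` and no writable directory in `contents`, so whatever data path the mounted `/etc/pyroscope/config.yaml` selects has to come from a volume; a comment on the `User` line stating that assumption would save the next maintainer a failed first rollout.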
@@ -285,6 +285,20 @@ services:
     upstream-source: https://github.com/prowler-cloud/prowler/releases
     notes: CIS Kubernetes Benchmark scanner; weekly CronJob on minikube-indri
 
+  - name: pyroscope
+    type: argocd
+    last-reviewed: 2026-03-26
+    current-version: "v1.19.1"
+    upstream-source: https://github.com/grafana/pyroscope/releases
+    notes: Nix-built container on ringtail; continuous profiling backend
+
+  - name: alloy-profiling-ringtail
+    type: argocd
+    last-reviewed: 2026-03-26
+    current-version: "v1.14.0"
+    upstream-source: https://github.com/grafana/alloy/releases
+    notes: Privileged DaemonSet with pyroscope.ebpf for CPU profiling on ringtail
+
   - name: forgejo
     type: ansible
     last-reviewed: 2026-02-22
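Review bot: `current-version: "v1.19.1"` for pyroscope records the intended version while the kustomization in this same commit deploys the tag `v1.19.1-placeholder-nix` and the commit message says the Nix hash is still a placeholder, so the inventory claims a version that is not yet running anywhere. Either extend the `notes:` field with something like `notes: Nix-built container on ringtail; continuous profiling backend (placeholder tag until first build)` or set `current-version` only after the first successful build and rollout. The alloy-profiling-ringtail entry appears here with no accompanying manifest change in the diffstat, so it is worth confirming that its `last-reviewed: 2026-03-26` reflects an actual review of the privileged DaemonSet and not just the date the inventory line was written.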