nixos/victoriametrics: Add ability to pass basicAuthPasswordFile

2026-06-05 21:03:40 +00:00 · 2025-01-04 23:12:57 +01:00
parent 9f5adfabcc
commit dcf2b9c0a0
2 changed files with 36 additions and 6 deletions
--- a/nixos/modules/services/databases/victoriametrics.nix
+++ b/nixos/modules/services/databases/victoriametrics.nix
@@ -73,6 +73,22 @@ in
      '';
    };

+    basicAuthUsername = lib.mkOption {
+      default = null;
+      type = lib.types.nullOr lib.types.str;
+      description = ''
+        Basic Auth username used to protect VictoriaMetrics instance by authorization
+      '';
+    };
+
+    basicAuthPasswordFile = lib.mkOption {
+      default = null;
+      type = lib.types.nullOr lib.types.path;
+      description = ''
+        File that contains the Basic Auth password used to protect VictoriaMetrics instance by authorization
+      '';
+    };
+
    prometheusConfig = lib.mkOption {
      type = lib.types.submodule { freeformType = settingsFormat.type; };
      default = { };
@@ -118,8 +134,6 @@ in
      default = [ ];
      example = literalExpression ''
        [
-          "-httpAuth.username=username"
-          "-httpAuth.password=file:///abs/path/to/file"
          "-loggerLevel=WARN"
        ]
      '';
@@ -143,6 +157,16 @@ in
  };

  config = lib.mkIf cfg.enable {
+
+    assertions = [
+      {
+        assertion =
+          (cfg.basicAuthUsername == null && cfg.basicAuthPasswordFile == null)
+          || (cfg.basicAuthUsername != null && cfg.basicAuthPasswordFile != null);
+        message = "Both basicAuthUsername and basicAuthPasswordFile must be set together to enable basicAuth functionality, or neither should be set.";
+      }
+    ];
+
    systemd.services.victoriametrics = {
      description = "VictoriaMetrics time series database";
      wantedBy = [ "multi-user.target" ];
@@ -153,9 +177,17 @@ in
        ExecStart = lib.escapeShellArgs (
          startCLIList
          ++ lib.optionals (cfg.prometheusConfig != { }) [ "-promscrape.config=${prometheusConfigYml}" ]
+          ++ lib.optional (cfg.basicAuthUsername != null) "-httpAuth.username=${cfg.basicAuthUsername}"
+          ++ lib.optional (
+            cfg.basicAuthPasswordFile != null
+          ) "-httpAuth.password=file://%d/basic_auth_password"
        );

        DynamicUser = true;
+        LoadCredential = lib.optionals (cfg.basicAuthPasswordFile != null) [
+          "basic_auth_password:${cfg.basicAuthPasswordFile}"
+        ];
+
        RestartSec = 1;
        Restart = "on-failure";
        RuntimeDirectory = "victoriametrics";
--- a/nixos/tests/victoriametrics/remote-write.nix
+++ b/nixos/tests/victoriametrics/remote-write.nix
@@ -22,10 +22,8 @@ in
        networking.firewall.allowedTCPPorts = [ 8428 ];
        services.victoriametrics = {
          enable = true;
-          extraOptions = [
-            "-httpAuth.username=${username}"
-            "-httpAuth.password=file://${toString passwordFile}"
-          ];
+          basicAuthUsername = username;
+          basicAuthPasswordFile = toString passwordFile;
        };
      };