fluent-bit: link against Nix dependencies, fix Darwin builds, and add…

… NixOS module

ci/OWNERS

@@ -143,10 +143,13 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /nixos/tests/amazon-ssm-agent.nix                 @arianvp
 /nixos/modules/system/boot/grow-partition.nix     @arianvp
 
+# Monitoring
+/nixos/modules/services/monitoring/fluent-bit.nix @samrose
+/nixos/tests/fluent-bit.nix                       @samrose
+
 # nixos-rebuild-ng
 /pkgs/by-name/ni/nixos-rebuild-ng                 @thiagokokada
 
-
 # Updaters
 ## update.nix
 /maintainers/scripts/update.nix   @jtojnar

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -40,6 +40,8 @@
 
 - [Amazon CloudWatch Agent](https://github.com/aws/amazon-cloudwatch-agent), the official telemetry collector for AWS CloudWatch and AWS X-Ray. Available as [services.amazon-cloudwatch-agent](options.html#opt-services.amazon-cloudwatch-agent.enable).
 
+- [Fluent Bit](https://github.com/fluent/fluent-bit), a fast Log, Metrics and Traces Processor and Forwarder. Available as [services.fluent-bit](#opt-services.fluent-bit.enable).
+
 - [Bat](https://github.com/sharkdp/bat), a {manpage}`cat(1)` clone with wings. Available as [programs.bat](options.html#opt-programs.bat).
 
 - [Whoogle Search](https://github.com/benbusby/whoogle-search), a self-hosted, ad-free, privacy-respecting metasearch engine. Available as [services.whoogle-search](options.html#opt-services.whoogle-search.enable).

nixos/modules/module-list.nix

@@ -906,6 +906,7 @@
   ./services/monitoring/das_watchdog.nix
   ./services/monitoring/datadog-agent.nix
   ./services/monitoring/do-agent.nix
+  ./services/monitoring/fluent-bit.nix
   ./services/monitoring/fusion-inventory.nix
   ./services/monitoring/gatus.nix
   ./services/monitoring/gitwatch.nix

nixos/modules/services/monitoring/fluent-bit.nix

@@ -0,0 +1,109 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.fluent-bit;
+
+  yamlFormat = pkgs.formats.yaml { };
+
+  configurationFile =
+    if (cfg.configurationFile == null) then
+      (yamlFormat.generate "fluent-bit.yaml" cfg.configuration)
+    else
+      cfg.configurationFile;
+in
+{
+  options.services.fluent-bit = {
+    enable = lib.mkEnableOption "Fluent Bit";
+    package = lib.mkPackageOption pkgs "fluent-bit" { };
+    configurationFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      description = ''
+        Fluent Bit configuration. See
+        <https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/yaml>
+        for supported values.
+
+        {option}`configurationFile` takes precedence over {option}`configuration`.
+
+        Note: Restricted evaluation blocks access to paths outside the Nix store.
+        This means detecting content changes for mutable paths (i.e. not input or content-addressed) can't be done.
+        As a result, `nixos-rebuild` won't reload/restart the systemd unit when mutable path contents change.
+        `systemctl restart fluent-bit.service` must be used instead.
+      '';
+      example = "/etc/fluent-bit/fluent-bit.yaml";
+    };
+    configuration = lib.mkOption {
+      type = yamlFormat.type;
+      default = { };
+      description = ''
+        See {option}`configurationFile`.
+
+        {option}`configurationFile` takes precedence over {option}`configuration`.
+      '';
+      example = {
+        service = {
+          grace = 30;
+        };
+        pipeline = {
+          inputs = [
+            {
+              name = "systemd";
+              systemd_filter = "_SYSTEMD_UNIT=fluent-bit.service";
+            }
+          ];
+          outputs = [
+            {
+              name = "file";
+              path = "/var/log/fluent-bit";
+              file = "fluent-bit.out";
+            }
+          ];
+        };
+      };
+    };
+    # See https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/yaml/service-section.
+    graceLimit = lib.mkOption {
+      type = lib.types.nullOr (
+        lib.types.oneOf [
+          lib.types.ints.positive
+          lib.types.str
+        ]
+      );
+      default = null;
+      description = ''
+        The grace time limit. Sets the systemd unit's `TimeoutStopSec`.
+
+        The `service.grace` option in the Fluent Bit configuration should be ≤ this option.
+      '';
+      example = 30;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # See https://github.com/fluent/fluent-bit/blob/v3.2.3/init/systemd.in.
+    systemd.services.fluent-bit = {
+      description = "Fluent Bit";
+      after = [ "network.target" ];
+      requires = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig =
+        {
+          DynamicUser = true;
+          # See https://nixos.org/manual/nixos/stable#sec-logging.
+          SupplementaryGroups = "systemd-journal";
+          ExecStart = builtins.concatStringsSep " " [
+            "${cfg.package}/bin/fluent-bit"
+            "--config ${configurationFile}"
+          ];
+          Restart = "always";
+        }
+        // (lib.optionalAttrs (cfg.graceLimit != null) {
+          TimeoutStopSec = cfg.graceLimit;
+        });
+    };
+  };
+}

nixos/tests/all-tests.nix

@@ -352,6 +352,7 @@ in {
   flaresolverr = handleTest ./flaresolverr.nix {};
   flood = handleTest ./flood.nix {};
   floorp = handleTest ./firefox.nix { firefoxPackage = pkgs.floorp; };
+  fluent-bit = handleTest ./fluent-bit.nix {};
   fluentd = handleTest ./fluentd.nix {};
   fluidd = handleTest ./fluidd.nix {};
   fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {};

nixos/tests/fluent-bit.nix

@@ -0,0 +1,40 @@
+import ./make-test-python.nix (
+  { lib, pkgs, ... }:
+  {
+    name = "fluent-bit";
+
+    nodes.machine =
+      { config, pkgs, ... }:
+      {
+        services.fluent-bit = {
+          enable = true;
+          configuration = {
+            pipeline = {
+              inputs = [
+                {
+                  name = "systemd";
+                  systemd_filter = "_SYSTEMD_UNIT=fluent-bit.service";
+                }
+              ];
+              outputs = [
+                {
+                  name = "file";
+                  path = "/var/log/fluent-bit";
+                  file = "fluent-bit.out";
+                }
+              ];
+            };
+          };
+        };
+
+        systemd.services.fluent-bit.serviceConfig.LogsDirectory = "fluent-bit";
+      };
+
+    testScript = ''
+      start_all()
+
+      machine.wait_for_unit("fluent-bit.service")
+      machine.wait_for_file("/var/log/fluent-bit/fluent-bit.out")
+    '';
+  }
+)

pkgs/by-name/fl/fluent-bit/package.nix

@@ -1,83 +1,145 @@
 {
   lib,
-  stdenv,
-  fetchFromGitHub,
+  bison,
+  c-ares,
   cmake,
+  curl,
+  fetchFromGitHub,
   flex,
-  bison,
-  systemd,
-  postgresql,
-  openssl,
+  jemalloc,
+  libbacktrace,
+  libbpf,
+  libnghttp2,
   libyaml,
-  darwin,
+  luajit,
+  nix-update-script,
+  nixosTests,
+  openssl,
+  pkg-config,
+  postgresql,
+  rdkafka,
+  stdenv,
+  systemd,
+  versionCheckHook,
+  zlib,
+  zstd,
 }:
 
-stdenv.mkDerivation (finalAttrs: {
+stdenv.mkDerivation rec {
   pname = "fluent-bit";
   version = "3.2.3";
 
   src = fetchFromGitHub {
     owner = "fluent";
     repo = "fluent-bit";
-    rev = "v${finalAttrs.version}";
+    tag = "v${version}";
     hash = "sha256-5Oyw3nHlAyywF+G0UiGyi1v+jAr8eyKt/1cDT5FdJXQ=";
   };
 
-  # optional only to avoid linux rebuild
-  patches = lib.optionals stdenv.hostPlatform.isDarwin [ ./macos-11-sdk-compat.patch ];
+  # `src/CMakeLists.txt` installs fluent-bit's systemd unit files at the path in the `SYSTEMD_UNITDIR` CMake variable.
+  #
+  # The initial value of `SYSTEMD_UNITDIR` is set in `cmake/FindJournald` which uses pkg-config to find the systemd
+  # unit directory. `src/CMakeLists.txt` only sets `SYSTEMD_UNITDIR` to `/lib/systemd/system` if it's unset.
+  #
+  # Unfortunately, this resolves to systemd's Nix store path which is immutable. Consequently, CMake fails when trying
+  # to install fluent-bit's systemd unit files to the systemd Nix store path.
+  #
+  # We fix this by replacing `${SYSTEMD_UNITDIR}` instances in `src/CMakeLists.txt`.
+  postPatch = ''
+    substituteInPlace src/CMakeLists.txt \
+      --replace-fail \''${SYSTEMD_UNITDIR} $out/lib/systemd/system
+  '';
+
+  # The source build documentation covers some dependencies and CMake options.
+  #
+  # - Linux: https://docs.fluentbit.io/manual/installation/sources/build-and-install
+  # - Darwin: https://docs.fluentbit.io/manual/installation/macos#compile-from-source
+  #
+  # Unfortunately, fluent-bit vends many dependencies (e.g. luajit) as source files and tries to compile them by
+  # default, with none of their dependencies and CMake options documented.
+  #
+  # Fortunately, there's the undocumented `FLB_PREFER_SYSTEM_LIBS` CMake option to link against system libraries for
+  # some dependencies.
+  #
+  # See https://github.com/fluent/fluent-bit/blob/v3.2.3/CMakeLists.txt#L211-L218.
+  #
+  # Like `FLB_PREFER_SYSTEM_LIBS`, several CMake options aren't documented.
+  #
+  # See https://github.com/fluent/fluent-bit/blob/v3.2.3/CMakeLists.txt#L111-L157.
+  #
+  # The CMake options may differ across target platforms. We'll stick to the minimum.
+  #
+  # See https://github.com/fluent/fluent-bit/tree/v3.2.3/packaging/distros.
+
+  strictDeps = true;
 
   nativeBuildInputs = [
+    bison
     cmake
     flex
-    bison
+    pkg-config
   ];
 
   buildInputs =
     [
-      openssl
+      c-ares
+      # Needed by rdkafka.
+      curl
+      jemalloc
+      libbacktrace
+      libnghttp2
       libyaml
+      luajit
+      openssl
       postgresql
+      rdkafka
+      # Needed by rdkafka.
+      zlib
+      # Needed by rdkafka.
+      zstd
     ]
-    ++ lib.optionals stdenv.hostPlatform.isLinux [ systemd ]
-    ++ lib.optionals stdenv.hostPlatform.isDarwin [
-      darwin.apple_sdk_11_0.frameworks.IOKit
-      darwin.apple_sdk_11_0.frameworks.Foundation
+    ++ lib.optionals stdenv.hostPlatform.isLinux [
+      # libbpf doesn't build for Darwin yet.
+      libbpf
+      systemd
     ];
 
-  cmakeFlags = [
-    "-DFLB_RELEASE=ON"
-    "-DFLB_METRICS=ON"
-    "-DFLB_HTTP_SERVER=ON"
-    "-DFLB_OUT_PGSQL=ON"
-  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ "-DCMAKE_OSX_DEPLOYMENT_TARGET=10.13" ];
-
-  env.NIX_CFLAGS_COMPILE = toString (
-    # Used by the embedded luajit, but is not predefined on older mac SDKs.
-    lib.optionals stdenv.hostPlatform.isDarwin [ "-DTARGET_OS_IPHONE=0" ]
-    # Assumes GNU version of strerror_r, and the posix version has an
-    # incompatible return type.
-    ++ lib.optionals (!stdenv.hostPlatform.isGnu) [ "-Wno-int-conversion" ]
-  );
+  cmakeFlags =
+    [
+      "-DFLB_RELEASE=Yes"
+      "-DFLB_PREFER_SYSTEM_LIBS=Yes"
+    ]
+    ++ lib.optionals stdenv.cc.isClang [
+      # FLB_SECURITY causes bad linker options for Clang to be set.
+      "-DFLB_SECURITY=Off"
+    ];
 
   outputs = [
     "out"
     "dev"
   ];
 
-  postPatch = ''
-    substituteInPlace src/CMakeLists.txt \
-      --replace /lib/systemd $out/lib/systemd
-  '';
+  doInstallCheck = true;
+
+  nativeInstallCheckInputs = [ versionCheckHook ];
+
+  versionCheckProgram = "${builtins.placeholder "out"}/bin/${meta.mainProgram}";
+
+  versionCheckProgramArg = "--version";
+
+  passthru = {
+    tests = lib.optionalAttrs stdenv.isLinux {
+      inherit (nixosTests) fluent-bit;
+    };
+
+    updateScript = nix-update-script { };
+  };
 
   meta = {
-    changelog = "https://github.com/fluent/fluent-bit/releases/tag/v${finalAttrs.version}";
-    description = "Log forwarder and processor, part of Fluentd ecosystem";
+    description = "Fast and lightweight logs and metrics processor for Linux, BSD, OSX and Windows";
     homepage = "https://fluentbit.io";
     license = lib.licenses.asl20;
-    maintainers = with lib.maintainers; [
-      samrose
-      fpletz
-    ];
-    platforms = lib.platforms.unix;
+    mainProgram = "fluent-bit";
+    maintainers = with lib.maintainers; [ samrose ];
   };
-})
+}