Home / Input Output / cardano-parts
[Hourly commit-activity chart, Apr 25 - May 02, 2026, rendered as text: 18 commits in May 01, 7-9 PM, 2 in May 01, 10-11 PM, and nine single-commit hours between Apr 27 and May 01.]
29 commits this week (Apr 25, 2026 - May 02, 2026)
nixosModule profile-monitoring: review fixes
* opsTf: add lifecycle rule to expire orphaned delete markers.
  Mimir / Loki compactors call DeleteObject under versioning, which
  creates markers instead of purging. Without expired_object_delete_marker
  the markers accumulate forever once their underlying versions expire.
* profile-monitoring: drop unwired Prometheus server. Alloy is the
  universal scrape-and-forward agent in this stack and on the monitoring
  node remote_writes directly into local Mimir, so the standalone
  Prometheus server (no scrape_configs, no remote_write) was dead
  code. Blackbox-exporter stays — reached on-demand via Caddy
  /blackbox/* for ad-hoc HTTPS probes; continuous probing belongs in
  a follow-up that adds a prometheus.scrape block to profile-grafana-alloy.
* monitoringOauthGoogleSubmodule: convert allowedDomains (listOf str)
  to allowedDomain (nullOr str). Google's hd OAuth parameter is
  single-valued; the list type was fiction the code resolved with
  head, leaving extra entries half-bound. Cross-tenant access is
  intentionally unsupported by this profile.
* opsTf: comment why DeleteObject is granted under Object Lock and
  why DeleteObjectVersion is intentionally omitted.
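The first bullet above describes a failure mode that is easy to miss in review: on a versioned bucket, a compactor's DeleteObject call never purges anything, it only writes a delete marker, and once NoncurrentVersionExpiration has removed the data version behind that marker the marker itself is orphaned and stays forever unless ExpiredObjectDeleteMarker is also configured. The following toy model is an added example, not cardano-parts or Mimir/Loki code; it simulates a compactor writing one block per day and deleting each block after a constructed 30-day retention, runs a daily lifecycle pass with and without the marker rule, and reports what is left in the bucket. Key names, day counts and retention values are constructed.

```python
"""Toy model of a versioned S3 bucket under a compactor's delete pattern.

Added example (not cardano-parts code): shows why, once a bucket is
versioned, DeleteObject leaves a delete marker behind and why those
markers pile up forever unless the lifecycle configuration also carries
ExpiredObjectDeleteMarker. Key names, day counts and retention values
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Version:
    key: str
    version_id: str
    is_marker: bool = False
    is_latest: bool = True
    noncurrent_since: Optional[int] = None  # day it stopped being current


class Bucket:
    def __init__(self) -> None:
        self.versions: List[Version] = []
        self._seq = 0

    def _demote(self, key: str, day: int) -> None:
        for v in self.versions:
            if v.key == key and v.is_latest:
                v.is_latest = False
                v.noncurrent_since = day

    def put_object(self, key: str, day: int) -> None:
        self._demote(key, day)
        self._seq += 1
        self.versions.append(Version(key, f"v{self._seq}"))

    def delete_object(self, key: str, day: int) -> None:
        # Versioned semantics: no version id is given, so nothing is purged;
        # a delete marker is written and the current version becomes
        # noncurrent. Object Lock allows this because no locked version is
        # removed, which is why DeleteObject can be granted to the node.
        self._demote(key, day)
        self._seq += 1
        self.versions.append(Version(key, f"dm{self._seq}", is_marker=True))

    def delete_markers(self) -> int:
        return sum(v.is_marker for v in self.versions)


def run_lifecycle(bucket: Bucket, today: int, noncurrent_days: int,
                  expired_object_delete_marker: bool) -> None:
    """Apply one daily lifecycle pass to `bucket` in place.

    Rule 1 mirrors NoncurrentVersionExpiration: any noncurrent version
    (data or marker) older than `noncurrent_days` is permanently removed.
    Rule 2 mirrors ExpiredObjectDeleteMarker: a current delete marker with
    no versions left behind it is removed, but only when enabled.
    """
    bucket.versions = [
        v for v in bucket.versions
        if v.is_latest or today - v.noncurrent_since <= noncurrent_days
    ]
    if expired_object_delete_marker:
        keys_with_data = {v.key for v in bucket.versions if not v.is_marker}
        bucket.versions = [
            v for v in bucket.versions
            if not (v.is_marker and v.is_latest and v.key not in keys_with_data)
        ]


def simulate_compactor(expired_object_delete_marker: bool,
                       blocks: int = 50, retention_days: int = 30) -> Tuple[int, int]:
    """Write one block per day, delete each after `retention_days`, run the
    lifecycle daily, and report (delete markers, total versions) left once
    every block is well past retention."""
    b = Bucket()
    horizon = blocks + 3 * retention_days
    for day in range(horizon):
        if day < blocks:
            b.put_object(f"blocks/{day:04d}", day)
        due = day - retention_days
        if 0 <= due < blocks:
            b.delete_object(f"blocks/{due:04d}", day)
        run_lifecycle(b, day, noncurrent_days=1,
                      expired_object_delete_marker=expired_object_delete_marker)
    return b.delete_markers(), len(b.versions)


if __name__ == "__main__":
    print("without ExpiredObjectDeleteMarker:", simulate_compactor(False))
    print("with    ExpiredObjectDeleteMarker:", simulate_compactor(True))
```

Without the marker rule every deleted block leaves exactly one orphaned marker behind, so the bucket never empties and ListObjectVersions (and the bill for it) grows linearly with compactor churn; with the rule the bucket drains to zero. One S3-specific caveat when translating this into a lifecycle rule: ExpiredObjectDeleteMarker cannot be combined with Days or Date inside the same Expiration element, so it needs its own rule or a rule whose expiration block carries only that flag.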
nixosModule profile-monitoring: minor review cleanups
- Cap mimir start-limit at 5/600s (matches mimir-rules-sync) so a
  permanently-broken config fails the unit instead of boot-looping
  the journal indefinitely. Operator must reset-failed afterwards.
- Comment Caddy handle exclusivity so future edits don't collapse the
  write-hash /api/v1/push routes into the broader admin-hash routes.
- Note opsTf's local dashToSnake exists to keep the helper callable
  from any terranix workspace without a cardano-parts flake closure.
- Note bootstrap.nix unmanagedBuckets scopes to rain_artifacts only;
  mimir/loki flow through mkMonitoringBucketResources.
nixosModule: add profile-monitoring for in-cluster Grafana stack
Adds an opt-in monitoring profile running Grafana + Mimir + Loki +
Prometheus + blackbox-exporter on a single Colmena machine, fronted by
Caddy with ACME-issued TLS and Google OAuth on Grafana. Cluster-wide
configuration lives under flake.cardano-parts.cluster.infra.monitoring,
read by the bootstrap opentofu workspace, profile-grafana-alloy, and
profile-monitoring itself so all three stay in lockstep.

Storage: cardano-parts.lib.opsTf.mkMonitoringBucketResources provisions
per-cluster Mimir and Loki S3 buckets with Object Lock + lifecycle
wired together so app-level retention and storage-level retention
cannot drift. objectLockMode picks between a 1-day soft lock (default,
~1x storage) and a full-retention hard lock (~2x storage during the
retention window). Both modes use GOVERNANCE locks so a separately-
permissioned operator role holding s3:BypassGovernanceRetention can
break-glass; the EC2 role attached to the monitoring node gets
least-privilege data-plane access only (no DeleteBucket /
PutBucketPolicy / governance bypass) via
cardano-parts.lib.opsTf.mkMonitoringIamPolicy.

Both opsTf builders are pure helpers (no pkgs dependency) so existing
downstream repos that don't use this template's bootstrap workspace
can call them from any terranix-driven workspace without copying
code; the template's bootstrap.nix and cluster.nix are now the
canonical callers.

profile-grafana-alloy: when infra.monitoring.enable = true, alloy
auto-targets the in-cluster monitoring node, making the
grafana-alloy-{metrics,loki}-url sops secrets optional.

opsLib: adds parseDir and readNixImport so monitoring rule files and
the existing tofu grafana workspace can share the same .nix-import
corpus without duplicate helpers.

profile-monitoring + profile-grafana-alloy read cluster infra through
groupFlake.config (the consuming flake's self) rather than
flake.config — the latter closes over cardano-parts' own flake-parts
evaluation where these options carry their declared null defaults,
not the consumer's values.

Template additions wire all of the above into a downstream-consumable
shape: optional monitoring host in colmena.nix, infra.monitoring stanza
in cluster.nix, S3 bucket + IAM policy blocks in opentofu, and a
README section covering retention, lock modes, and the required sops
secrets.
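The storage paragraph above rests on a split of privilege: the node's EC2 role gets data-plane access only, and the governance bypass lives on a separately permissioned operator role. A policy that looks tight can still leak those actions (s3:* on the object ARN quietly includes s3:DeleteObjectVersion and s3:BypassGovernanceRetention), so the check worth automating is "which forbidden actions does this policy actually grant". The block below is an added example, not the output of cardano-parts' mkMonitoringIamPolicy: a minimal IAM evaluator with a node policy, a weak s3:* variant for contrast, and an operator policy, all with a constructed bucket ARN. It models explicit-deny precedence and IAM wildcard matching but not Condition, NotAction or NotResource.

```python
"""Least-privilege check for a monitoring node's S3 policy.

Added example (not cardano-parts' mkMonitoringIamPolicy): a minimal IAM
evaluator used to show that a data-plane-only policy grants what
Mimir/Loki need (Get/Put/DeleteObject, ListBucket) while refusing
DeleteObjectVersion, BypassGovernanceRetention and bucket control-plane
actions, and that a separate operator policy holds the break-glass bypass.
Bucket ARN and policy JSON are constructed for illustration.
"""
import json
import re
from typing import List

BUCKET = "arn:aws:s3:::example-cluster-mimir"  # constructed ARN

NODE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::example-cluster-mimir"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-cluster-mimir/*"}
  ]
}""")

# Weak variant for contrast: s3:* on both ARNs silently includes
# DeleteObjectVersion, BypassGovernanceRetention and every bucket
# control-plane action.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-cluster-mimir",
                  "arn:aws:s3:::example-cluster-mimir/*"]}
  ]
}""")

# Break-glass operator role. Note that the permission alone does not remove
# a GOVERNANCE-locked version: the request must also carry the
# x-amz-bypass-governance-retention header.
OPERATOR_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:DeleteObjectVersion", "s3:BypassGovernanceRetention"],
     "Resource": "arn:aws:s3:::example-cluster-mimir/*"}
  ]
}""")


def _iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard semantics: '*' any run, '?' one char, case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def _as_list(x) -> list:
    return x if isinstance(x, list) else [x]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise implicit deny. Condition, NotAction and
    NotResource are not modelled."""
    allowed = False
    for st in policy["Statement"]:
        if not any(_iam_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Actions a data-plane role must never hold on a locked bucket (suffix is
# appended to the bucket ARN: "" for bucket-level, "/*" for object-level).
FORBIDDEN = {
    "s3:DeleteBucket": "",
    "s3:PutBucketPolicy": "",
    "s3:PutBucketObjectLockConfiguration": "",
    "s3:DeleteObjectVersion": "/*",
    "s3:BypassGovernanceRetention": "/*",
}
# Actions the node needs. DeleteObject is safe under Object Lock: without a
# version id it only writes a delete marker and never removes a locked version.
REQUIRED = {
    "s3:ListBucket": "",
    "s3:GetObject": "/*",
    "s3:PutObject": "/*",
    "s3:DeleteObject": "/*",
}


def forbidden_grants(policy: dict, bucket_arn: str) -> List[str]:
    return sorted(a for a, suf in FORBIDDEN.items()
                  if is_allowed(policy, a, bucket_arn + suf))


def missing_grants(policy: dict, bucket_arn: str) -> List[str]:
    return sorted(a for a, suf in REQUIRED.items()
                  if not is_allowed(policy, a, bucket_arn + suf))


if __name__ == "__main__":
    for name, pol in [("node", NODE_POLICY), ("weak", WEAK_POLICY)]:
        print(name, "forbidden:", forbidden_grants(pol, BUCKET),
              "missing:", missing_grants(pol, BUCKET))
```

Running it shows the node policy with no forbidden grants and nothing missing, while the s3:* variant reports all five forbidden actions even though it also satisfies every required one; that asymmetry is the point, since "the compactor works" proves nothing about what else the role can do. A check like this belongs next to the terranix that emits the policy so a later edit that widens an Action list fails before it is applied.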