infra/stacks/platform/modules/monitoring/loki.yaml

loki:
  commonConfig:
    replication_factor: 1
  schemaConfig:
    configs:
      - from: "2025-04-01"
        store: tsdb
        object_store: filesystem
        schema: v13
        index:
          prefix: loki_index_
          period: 24h
  ingester:
    chunk_idle_period: 12h
    max_chunk_age: 24h
    chunk_retain_period: 1m
    chunk_target_size: 1572864
    wal:
      dir: /loki-wal
  pattern_ingester:
    enabled: true
  limits_config:
    allow_structured_metadata: true
    volume_enabled: true
    retention_period: 720h
  compactor:
    retention_enabled: true
    working_directory: /var/loki/compactor
    compaction_interval: 1h
    delete_request_store: filesystem
  ruler:
    enable_api: true
    storage:
      type: local
      local:
        directory: /var/loki/rules
    alertmanager_url: http://prometheus-alertmanager.monitoring.svc.cluster.local:9093
    ring:
      kvstore:
        store: inmemory
    rule_path: /var/loki/scratch
  storage:
    type: "filesystem"
  auth_enabled: false

minio:
  enabled: false

deploymentMode: SingleBinary

singleBinary:
  replicas: 1
  persistence:
    enabled: true
    size: 50Gi
    storageClass: "iscsi-truenas"
  extraVolumes:
    - name: wal
      emptyDir:
        medium: Memory
        sizeLimit: 2Gi
    - name: rules
      configMap:
        name: loki-alert-rules
  extraVolumeMounts:
    - name: wal
      mountPath: /loki-wal
    - name: rules
      mountPath: /var/loki/rules/fake
  resources:
    requests:
      cpu: 250m
      memory: 2Gi
    limits:
      memory: 4Gi

# Zero out replica counts of other deployment modes
backend:
  replicas: 0
read:
  replicas: 0
write:
  replicas: 0
ingester:
  replicas: 0
querier:
  replicas: 0
queryFrontend:
  replicas: 0
queryScheduler:
  replicas: 0
distributor:
  replicas: 0
compactor:
  replicas: 0
indexGateway:
  replicas: 0
bloomCompactor:
  replicas: 0
bloomGateway:
  replicas: 0

# Disable optional components for single binary mode
gateway:
  enabled: false
chunksCache:
  enabled: false
resultsCache:
  enabled: false
add loki + alloy deployments for logs collection [ci skip] 2025-05-04 11:22:12 +00:00			`loki:`
			`commonConfig:`
			`replication_factor: 1`
			`schemaConfig:`
			`configs:`
			`- from: "2025-04-01"`
			`store: tsdb`
			`object_store: filesystem`
			`schema: v13`
			`index:`
			`prefix: loki_index_`
			`period: 24h`
[ci skip] Add centralized log collection: Loki + Alloy + sysctl DaemonSet 2026-02-13 23:03:40 +00:00			`ingester:`
			`chunk_idle_period: 12h`
			`max_chunk_age: 24h`
			`chunk_retain_period: 1m`
			`chunk_target_size: 1572864`
			`wal:`
			`dir: /loki-wal`
add loki + alloy deployments for logs collection [ci skip] 2025-05-04 11:22:12 +00:00			`pattern_ingester:`
			`enabled: true`
			`limits_config:`
			`allow_structured_metadata: true`
			`volume_enabled: true`
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability Phase 1 - Critical Security: - Netbox: move hardcoded DB/superuser passwords to variables - MeshCentral: disable public registration, add Authentik auth - Traefik: disable insecure API dashboard (api.insecure=false) - Traefik: configure forwarded headers with Cloudflare trusted IPs Phase 2 - Security Hardening: - Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.) - Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries) - Tighten rate limiting (avg=10, burst=50) - Add Authentik protection to grampsweb Phase 3 - Monitoring & Alerting: - Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki) - Increase Loki retention from 7 to 30 days (720h) - Add predictive PV filling alert (predict_linear) - Re-enable Hackmd and Privatebin down alerts Phase 4 - Reliability: - Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma - Increase Alloy DaemonSet memory to 512Mi/1Gi Phase 6 - Maintainability: - Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks) - Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files) - Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks - Migrate xray raw ingress resources to ingress_factory modules 2026-02-23 22:05:28 +00:00			`retention_period: 720h`
[ci skip] Add centralized log collection: Loki + Alloy + sysctl DaemonSet 2026-02-13 23:03:40 +00:00			`compactor:`
			`retention_enabled: true`
[ci skip] Fix compactor/ruler paths to use writable /var/loki mount 2026-02-13 23:22:13 +00:00			`working_directory: /var/loki/compactor`
[ci skip] Add centralized log collection: Loki + Alloy + sysctl DaemonSet 2026-02-13 23:03:40 +00:00			`compaction_interval: 1h`
			`delete_request_store: filesystem`
add loki + alloy deployments for logs collection [ci skip] 2025-05-04 11:22:12 +00:00			`ruler:`
			`enable_api: true`
[ci skip] Add centralized log collection: Loki + Alloy + sysctl DaemonSet 2026-02-13 23:03:40 +00:00			`storage:`
			`type: local`
			`local:`
Add node hang instrumentation and scale down chromium services - Add journald collection to Alloy (loki.source.journal) for kernel OOM, panic, hung task, and soft lockup detection — ships system logs off-node so they survive hard resets - Add 5 Loki alerting rules (KernelOOMKiller, KernelPanic, KernelHungTask, KernelSoftLockup, ContainerdDown) evaluating against node-journal logs - Fix Loki ruler config: correct rules mount path (/var/loki/rules/fake), add alertmanager_url and enable_api - Add Prometheus alerts: NodeMemoryPressureTrending (>85%), NodeExporterDown, NodeHighIOWait (>30%) - Add caretta tolerations for control-plane and GPU nodes - Scale down chromium-based services to 0 for cluster stability: f1-stream, flaresolverr, changedetection, resume/printer 2026-03-11 22:46:33 +00:00			`directory: /var/loki/rules`
[ci skip] Fix code review findings: correct Alertmanager URL, add atomic to Loki, remove dead minio NFS export, update design doc 2026-02-13 23:08:44 +00:00			`alertmanager_url: http://prometheus-alertmanager.monitoring.svc.cluster.local:9093`
[ci skip] Add centralized log collection: Loki + Alloy + sysctl DaemonSet 2026-02-13 23:03:40 +00:00			`ring:`
			`kvstore:`
			`store: inmemory`
[ci skip] Fix compactor/ruler paths to use writable /var/loki mount 2026-02-13 23:22:13 +00:00			`rule_path: /var/loki/scratch`
add loki + alloy deployments for logs collection [ci skip] 2025-05-04 11:22:12 +00:00			`storage:`
			`type: "filesystem"`
			`auth_enabled: false`

			`minio:`
			`enabled: false`

			`deploymentMode: SingleBinary`

			`singleBinary:`
			`replicas: 1`
[ci skip] Add centralized log collection: Loki + Alloy + sysctl DaemonSet 2026-02-13 23:03:40 +00:00			`persistence:`
			`enabled: true`
fix(monitoring): Expand Loki PVC from 15GB to 50GB to resolve storage exhaustion ISSUE RESOLVED: - Root cause: Loki's 15GB iSCSI PVC was completely full - Symptom: 'no space left on device' errors during TSDB operations - Impact: Loki service completely down, logging unavailable - Side effects: Contributed to node2 containerd corruption incident SOLUTION APPLIED: - Expanded PVC storage: 15Gi → 50Gi via direct kubectl patch - Triggered pod restart to complete filesystem resize - Verified successful expansion and service recovery CURRENT STATUS: ✅ PVC: 50Gi capacity (iscsi-truenas storage class) ✅ Loki StatefulSet: 1/1 ready ✅ Loki Pod: 2/2 containers running ✅ Service: Successfully processing log streams ✅ No storage errors in recent logs TERRAFORM ALIGNED: - Updated loki.yaml persistence.size to match actual PVC - Infrastructure code now reflects deployed state [ci skip] - Emergency fix applied locally first due to service outage 2026-03-13 08:13:05 +00:00			`size: 50Gi`
[ci skip] migrate Redis, Prometheus, Loki storage to iSCSI - Redis: local-path → iscsi-truenas (master + replica persistence) - Prometheus: NFS PV+PVC → dynamic iSCSI PVC (prometheus-data) - Loki: NFS PV → dynamic iSCSI via storageClass in Helm values - Deleted 2 orphaned Released iSCSI PVs (31Gi freed) 2026-03-06 20:50:55 +00:00			`storageClass: "iscsi-truenas"`
[ci skip] Add centralized log collection: Loki + Alloy + sysctl DaemonSet 2026-02-13 23:03:40 +00:00			`extraVolumes:`
			`- name: wal`
			`emptyDir:`
			`medium: Memory`
			`sizeLimit: 2Gi`
			`- name: rules`
			`configMap:`
			`name: loki-alert-rules`
			`extraVolumeMounts:`
			`- name: wal`
			`mountPath: /loki-wal`
			`- name: rules`
Add node hang instrumentation and scale down chromium services - Add journald collection to Alloy (loki.source.journal) for kernel OOM, panic, hung task, and soft lockup detection — ships system logs off-node so they survive hard resets - Add 5 Loki alerting rules (KernelOOMKiller, KernelPanic, KernelHungTask, KernelSoftLockup, ContainerdDown) evaluating against node-journal logs - Fix Loki ruler config: correct rules mount path (/var/loki/rules/fake), add alertmanager_url and enable_api - Add Prometheus alerts: NodeMemoryPressureTrending (>85%), NodeExporterDown, NodeHighIOWait (>30%) - Add caretta tolerations for control-plane and GPU nodes - Scale down chromium-based services to 0 for cluster stability: f1-stream, flaresolverr, changedetection, resume/printer 2026-03-11 22:46:33 +00:00			`mountPath: /var/loki/rules/fake`
[ci skip] Add centralized log collection: Loki + Alloy + sysctl DaemonSet 2026-02-13 23:03:40 +00:00			`resources:`
			`requests:`
			`cpu: 250m`
[ci skip] fix post-NFS-migration issues: MySQL GR, Loki, grampsweb, alerts - Loki: reduce memory limit from 6Gi to 4Gi (within LimitRange max) - Grampsweb: increase memory to 2Gi (was OOMKilled at 512Mi) - Fix PostgreSQLDown alert: check pod readiness instead of deployment - Fix MySQLDown alert: check StatefulSet replicas instead of deployment - Fix RedisDown alert: check StatefulSet replicas instead of deployment - Fix NFSServerUnresponsive: aggregate all NFS versions cluster-wide - Fix Uptime Kuma healthcheck: handle nested list heartbeat format - Update etcd backup image to registry.k8s.io/etcd:3.6.5-0 2026-03-03 21:10:26 +00:00			`memory: 2Gi`
[ci skip] Add centralized log collection: Loki + Alloy + sysctl DaemonSet 2026-02-13 23:03:40 +00:00			`limits:`
[ci skip] fix post-NFS-migration issues: MySQL GR, Loki, grampsweb, alerts - Loki: reduce memory limit from 6Gi to 4Gi (within LimitRange max) - Grampsweb: increase memory to 2Gi (was OOMKilled at 512Mi) - Fix PostgreSQLDown alert: check pod readiness instead of deployment - Fix MySQLDown alert: check StatefulSet replicas instead of deployment - Fix RedisDown alert: check StatefulSet replicas instead of deployment - Fix NFSServerUnresponsive: aggregate all NFS versions cluster-wide - Fix Uptime Kuma healthcheck: handle nested list heartbeat format - Update etcd backup image to registry.k8s.io/etcd:3.6.5-0 2026-03-03 21:10:26 +00:00			`memory: 4Gi`
add loki + alloy deployments for logs collection [ci skip] 2025-05-04 11:22:12 +00:00
			`# Zero out replica counts of other deployment modes`
			`backend:`
			`replicas: 0`
			`read:`
			`replicas: 0`
			`write:`
			`replicas: 0`
			`ingester:`
			`replicas: 0`
			`querier:`
			`replicas: 0`
			`queryFrontend:`
			`replicas: 0`
			`queryScheduler:`
			`replicas: 0`
			`distributor:`
			`replicas: 0`
			`compactor:`
			`replicas: 0`
			`indexGateway:`
			`replicas: 0`
			`bloomCompactor:`
			`replicas: 0`
			`bloomGateway:`
			`replicas: 0`
[ci skip] Disable gateway/canary/cache, increase timeout for Loki deploy 2026-02-13 23:17:32 +00:00
			`# Disable optional components for single binary mode`
			`gateway:`
			`enabled: false`
			`chunksCache:`
			`enabled: false`
			`resultsCache:`
			`enabled: false`