influx: update firewall and config

931865cf · skorpy · ff7faa28 · 931865cf · 931865cf · 931865cf
Commit 931865cf authored 3 years ago by skorpy
--- a/influxdb/files/ferm.conf
+++ b/influxdb/files/ferm.conf
@@ -2,17 +2,9 @@ domain (ip ip6) {
  table filter {
    chain INPUT {
      proto tcp dport (8086) saddr (
-          # prometheus1
-          185.206.209.130
-          2a0f:3786:11:7::1
-
-          # www2 (Grafana)
-          185.206.209.128
-          2a06:8187:fb12:1::2:1
-
-          # yanic.batman15
-          185.206.209.170
-          2a06:8187:fb11:1::11:1
+          {{ " ".join(salt['ferm.resolve']("freifunk.fail")) }}
+          {{ " ".join(salt['ferm.resolve']("prometheus.ffm.freifunk.net")) }}
+          {{ " ".join(salt['ferm.resolve']("yanic.batman15.ffffm.net")) }}
      ) ACCEPT;
    }
  }

--- a/influxdb/files/influxdb.conf
+++ b/influxdb/files/influxdb.conf
@@ -67,12 +67,16 @@
  # log any sensitive data contained within a query.
  # query-log-enabled = true

+  # Validates incoming writes to ensure keys only have valid unicode characters.
+  # This setting will incur a small overhead because every key must be checked.
+  # validate-keys = false
+
  # Settings for the TSM engine

  # CacheMaxMemorySize is the maximum size a shard's cache can
  # reach before it starts rejecting writes.
  # Valid size suffixes are k, m, or g (case insensitive, 1024 = 1k).
-  # Vaues without a size suffix are in bytes.
+  # Values without a size suffix are in bytes.
  # cache-max-memory-size = "1g"

  # CacheSnapshotMemorySize is the size at which the engine will
@@ -97,6 +101,22 @@
  # to cache snapshotting.
  # max-concurrent-compactions = 0

+  # CompactThroughput is the rate limit in bytes per second that we
+  # will allow TSM compactions to write to disk. Note that short bursts are allowed
+  # to happen at a possibly larger value, set by CompactThroughputBurst
+  # compact-throughput = "48m"
+
+  # CompactThroughputBurst is the rate limit in bytes per second that we
+  # will allow TSM compactions to write to disk.
+  # compact-throughput-burst = "48m"
+
+  # If true, then the mmap advise value MADV_WILLNEED will be provided to the kernel with respect to
+  # TSM files. This setting has been found to be problematic on some kernels, and defaults to off.
+  # It might help users who have slow disks in some cases.
+  # tsm-use-madv-willneed = false
+
+  # Settings for the inmem index
+
  # The maximum series allowed per database before writes are dropped.  This limit can prevent
  # high cardinality issues at the database level.  This limit can be disabled by setting it to
  # 0.
@@ -107,6 +127,27 @@
  # disabled by setting it to 0.
  # max-values-per-tag = 100000

+  # Settings for the tsi1 index
+
+  # The threshold, in bytes, when an index write-ahead log file will compact
+  # into an index file. Lower sizes will cause log files to be compacted more
+  # quickly and result in lower heap usage at the expense of write throughput.
+  # Higher sizes will be compacted less frequently, store more series in-memory,
+  # and provide higher write throughput.
+  # Valid size suffixes are k, m, or g (case insensitive, 1024 = 1k).
+  # Values without a size suffix are in bytes.
+  # max-index-log-file-size = "1m"
+
+  # The size of the internal cache used in the TSI index to store previously
+  # calculated series results. Cached results will be returned quickly from the cache rather
+  # than needing to be recalculated when a subsequent query with a matching tag key/value
+  # predicate is executed. Setting this value to 0 will disable the cache, which may
+  # lead to query performance issues.
+  # This value should only be increased if it is known that the set of regularly used
+  # tag key/value predicates across all measurements for a database is larger than 100. An
+  # increase in cache size may lead to an increase in heap usage.
+  series-id-set-cache-size = 100
+
 ###
 ### [coordinator]
 ###
@@ -139,7 +180,7 @@
  # count unlimited.
  # max-select-series = 0

-  # The maxium number of group by time bucket a SELECT can create.  A value of zero will max the maximum
+  # The maximum number of group by time bucket a SELECT can create.  A value of zero will max the maximum
  # number of buckets unlimited.
  # max-select-buckets = 0

@@ -205,11 +246,17 @@
  # Determines whether HTTP endpoint is enabled.
  # enabled = true

+  # Determines whether the Flux query endpoint is enabled.
+  # flux-enabled = false
+
+  # Determines whether the Flux query logging is enabled.
+  # flux-log-enabled = false
+
  # The bind address used by the HTTP service.
  # bind-address = ":8086"

  # Determines whether user authentication is enabled over HTTP/HTTPS.
-  auth-enabled = true
+  auth-enabled = false

  # The default realm sent back when issuing a basic auth challenge.
  # realm = "InfluxDB"
@@ -217,6 +264,23 @@
  # Determines whether HTTP request logging is enabled.
  log-enabled = false

+  # Determines whether the HTTP write request logs should be suppressed when the log is enabled.
+  # suppress-write-log = false
+
+  # When HTTP request logging is enabled, this option specifies the path where
+  # log entries should be written. If unspecified, the default is to write to stderr, which
+  # intermingles HTTP logs with internal InfluxDB logging.
+  #
+  # If influxd is unable to access the specified path, it will log an error and fall back to writing
+  # the request log to stderr.
+  # access-log-path = ""
+
+  # Filters which requests should be logged. Each filter is of the pattern NNN, NNX, or NXX where N is
+  # a number and X is a wildcard for any number. To filter all 5xx responses, use the string 5xx.
+  # If multiple filters are used, then only one has to match. The default is to have no filters which
+  # will cause every request to be printed.
+  # access-log-status-filters = []
+
  # Determines whether detailed write logging is enabled.
  # write-tracing = false

@@ -224,6 +288,19 @@
  # troubleshooting and monitoring.
  # pprof-enabled = true

+  # Enables authentication on pprof endpoints. Users will need admin permissions
+  # to access the pprof endpoints when this setting is enabled. This setting has
+  # no effect if either auth-enabled or pprof-enabled are set to false.
+  # pprof-auth-enabled = false
+
+  # Enables a pprof endpoint that binds to localhost:6060 immediately on startup.
+  # This is only needed to debug startup issues.
+  # debug-pprof-enabled = false
+
+  # Enables authentication on the /ping, /metrics, and deprecated /status
+  # endpoints. This setting has no effect if auth-enabled is set to false.
+  # ping-auth-enabled = false
+
  # Determines whether HTTPS is enabled.
  # https-enabled = false

@@ -252,23 +329,40 @@
  # The maximum size of a client request body, in bytes. Setting this value to 0 disables the limit.
  # max-body-size = 25000000

+  # The maximum number of writes processed concurrently.
+  # Setting this to 0 disables the limit.
+  # max-concurrent-write-limit = 0
+
+  # The maximum number of writes queued for processing.
+  # Setting this to 0 disables the limit.
+  # max-enqueued-write-limit = 0
+
+  # The maximum duration for a write to wait in the queue to be processed.
+  # Setting this to 0 or setting max-concurrent-write-limit to 0 disables the limit.
+  # enqueued-write-timeout = 0

 ###
-### [ifql]
+### [logging]
 ###
-### Configures the ifql RPC API.
+### Controls how the logger emits logs to the output.
 ###

-[ifql]
-  # Determines whether the RPC service is enabled.
-  # enabled = true
-
-  # Determines whether additional logging is enabled.
-  # log-enabled = true
+[logging]
+  # Determines which log encoder to use for logs. Available options
+  # are auto, logfmt, and json. auto will use a more a more user-friendly
+  # output format if the output terminal is a TTY, but the format is not as
+  # easily machine-readable. When the output is a non-TTY, auto will use
+  # logfmt.
+  # format = "auto"

-  # The bind address used by the ifql RPC service.
-  # bind-address = ":8082"
+  # Determines which level of logs will be emitted. The available levels
+  # are error, warn, info, and debug. Logs that are equal to or above the
+  # specified level will be emitted.
+  # level = "info"

+  # Suppresses the logo output that is printed when the program is started.
+  # The logo is always suppressed if STDOUT is not a TTY.
+  # suppress-logo = false

 ###
 ### [subscriber]
@@ -384,7 +478,7 @@
  # Multi-value plugins can be handled two ways.
  # "split" will parse and store the multi-value plugin data into separate measurements
  # "join" will parse and store the multi-value plugin as a single multi-value measurement.
-  # "split" is the default behavior for backward compatability with previous versions of influxdb.
+  # "split" is the default behavior for backward compatibility with previous versions of influxdb.
  # parse-multivalue-plugin = "split"
 ###
 ### [opentsdb]
@@ -429,6 +523,9 @@
  # database = "udp"
  # retention-policy = ""

+  # InfluxDB precision for timestamps on received points ("" or "n", "u", "ms", "s", "m", "h")
+  # precision = ""
+
  # These next lines control how batching works. You should have this enabled
  # otherwise you could get dropped metrics or poor performance. Batching
  # will buffer points in memory if you have many coming in.

--- a/influxdb/files/influxdb.service
+++ b/influxdb/files/influxdb.service
@@ -14,6 +14,7 @@ EnvironmentFile=-/etc/default/influxdb
 ExecStart=/usr/bin/influxd -config /etc/influxdb/influxdb.conf $INFLUXD_OPTS
 KillMode=control-group
 Restart=on-failure
+MemoryMax=28G

 [Install]
 WantedBy=multi-user.target