Get loki, prometheus, and promtail configured

First iteration

modules/services/promtail/default.nix

@@ -0,0 +1,77 @@
+{
+  options,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.aa.services.promtail;
+  loki = config.services.loki;
+in {
+  options.aa.services.promtail = with types; {
+    enable = mkEnableOption "promtail";
+    acmeCertName = mkOption {
+      type = str;
+      default = "";
+      description = ''
+        If set to a non-empty string, forces SSL with the supplied acme
+        certificate.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.promtail = {
+      enable = true;
+      configuration = {
+        server = {
+          http_listen_port = 28183;
+          grpc_listen_port = 0;
+        };
+        positions = {
+          filename = "/tmp/positions.yaml";
+        };
+        clients = [
+          {
+            url = "http://127.0.0.1:${toString loki.configuration.server.http_listen_port}/loki/api/v1/push";
+          }
+        ];
+        scrape_configs = [
+          {
+            job_name = "journal";
+            journal = {
+              max_age = "12h";
+              labels = {
+                job = "systemd-journal";
+                host = "node";
+              };
+            };
+            relabel_configs = [
+              {
+                source_labels = ["__journal__systemd_unit"];
+                target_label = "unit";
+              }
+            ];
+          }
+        ];
+      };
+    };
+
+    services.nginx = mkIf (cfg.acmeCertName != "") {
+      enable = true;
+      # Confirm with /loki/api/v1/status/buildinfo
+      virtualHosts."promtail.${cfg.acmeCertName}" = {
+        locations."/" = {
+          proxyPass = "http://localhost:${toString config.services.promtail.configuration.server.http_listen_port}";
+        };
+        forceSSL = true;
+        useACMEHost = cfg.acmeCertName;
+      };
+    };
+
+    networking.firewall = {
+      allowedTCPPorts = [80 443];
+    };
+  };
+}