From 2030a91f58cde5a8c8b8db339da8af9dfe366b04 Mon Sep 17 00:00:00 2001
From: Bas van Dijk
Date: Sun, 26 Mar 2017 00:44:53 +0100
Subject: [PATCH] cadviser: add storageDriverPasswordFile option

This gives users the option of storing the storageDriverPassword outside the world-readable Nix store.
---
 .../modules/services/monitoring/cadvisor.nix | 87 +++++++++++++------
 1 file changed, 59 insertions(+), 28 deletions(-)

diff --git a/nixos/modules/services/monitoring/cadvisor.nix b/nixos/modules/services/monitoring/cadvisor.nix
index 8ae8b12056ce..6ca420a05b23 100644
--- a/nixos/modules/services/monitoring/cadvisor.nix
+++ b/nixos/modules/services/monitoring/cadvisor.nix
@@ -54,7 +54,29 @@ in {
     storageDriverPassword = mkOption {
       default = "root";
       type = types.str;
-      description = "Cadvisor storage driver password.";
+      description = ''
+        Cadvisor storage driver password.
+
+        Warning: this password is stored in the world-readable Nix store. It's
+        recommended to use the option
+        since that gives you control over the security of the password.
+        also takes precedence over .
+      '';
+    };
+
+    storageDriverPasswordFile = mkOption {
+      type = types.str;
+      description = ''
+        File that contains the cadvisor storage driver password.
+
+        takes precedence over
+
+        Warning: when is non-empty this defaults to a file in the
+        world-readable Nix store that contains the value of .
+
+        It's recommended to override this with a path not in the Nix store.
+        Tip: use nixops key management
+      '';
     };

     storageDriverSecure = mkOption {
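Review bot: The storageDriverPasswordFile description says the Nix-store default applies "when storageDriverPassword is non-empty", but storageDriverPassword defaults to `"root"` three lines above, so the store-resident default file is generated unless the user explicitly sets `storageDriverPassword = ""`; the description should spell that out, e.g. `To keep the password out of the Nix store entirely, set storageDriverPassword to "" and point this option at a root-readable file outside the store.` The `<option>` cross-references appear to have been stripped in this rendering, leaving fragments like "takes precedence over" without a subject; if they are absent in the file itself they need restoring. `type = types.str` is the right choice here rather than `types.path`, because a path-typed value naming a local file is imported into the world-readable store on evaluation; a comment such as `# deliberately types.str, not types.path: a path would be copied into the Nix store` would keep a later cleanup from changing it.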
@@ -65,35 +87,44 @@ in {
     };
   };

-  config = mkIf cfg.enable {
-    systemd.services.cadvisor = {
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" "docker.service" "influxdb.service" ];
+  config = mkMerge [
+    { services.cadvisor.storageDriverPasswordFile = mkIf (cfg.storageDriverPassword != "") (
+        mkDefault (toString (pkgs.writeTextFile {
+          name = "cadvisor-storage-driver-password";
+          text = cfg.storageDriverPassword;
+        }))
+      );
+    }

-      postStart = mkBefore ''
-        until ${pkgs.curl.bin}/bin/curl -s -o /dev/null 'http://${cfg.listenAddress}:${toString cfg.port}/containers/'; do
-          sleep 1;
-        done
-      '';
+    (mkIf cfg.enable {
+      systemd.services.cadvisor = {
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" "docker.service" "influxdb.service" ];

-      serviceConfig = {
-        ExecStart = ''${pkgs.cadvisor}/bin/cadvisor \
-          -logtostderr=true \
-          -listen_ip=${cfg.listenAddress} \
-          -port=${toString cfg.port} \
-          ${optionalString (cfg.storageDriver != null) ''
-            -storage_driver ${cfg.storageDriver} \
-            -storage_driver_user ${cfg.storageDriverHost} \
-            -storage_driver_db ${cfg.storageDriverDb} \
-            -storage_driver_user ${cfg.storageDriverUser} \
-            -storage_driver_password ${cfg.storageDriverPassword} \
-            ${optionalString cfg.storageDriverSecure "-storage_driver_secure"}
-          ''}
+        postStart = mkBefore ''
+          until ${pkgs.curl.bin}/bin/curl -s -o /dev/null 'http://${cfg.listenAddress}:${toString cfg.port}/containers/'; do
+            sleep 1;
+          done
         '';
-        TimeoutStartSec=300;
-      };
-    };
-    virtualisation.docker.enable = mkDefault true;
-  };
+        script = ''
+          exec ${pkgs.cadvisor}/bin/cadvisor \
+          -logtostderr=true \
+          -listen_ip="${cfg.listenAddress}" \
+          -port="${toString cfg.port}" \
+          ${optionalString (cfg.storageDriver != null) ''
+            -storage_driver "${cfg.storageDriver}" \
+            -storage_driver_user "${cfg.storageDriverHost}" \
+            -storage_driver_db "${cfg.storageDriverDb}" \
+            -storage_driver_user "${cfg.storageDriverUser}" \
+            -storage_driver_password "$(cat 
"${cfg.storageDriverPasswordFile}")" \ + ${optionalString cfg.storageDriverSecure "-storage_driver_secure"} + ''} + ''; + + serviceConfig.TimeoutStartSec=300; + }; + virtualisation.docker.enable = mkDefault true; + }) + ]; }