From 157d7354d6e66153352e5ef2c054ef4398c67187 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io> Date: Sat, 22 Aug 2020 11:31:34 +0100 Subject: [PATCH] nixos/telegraf: add environmentFile option --- .../modules/services/monitoring/telegraf.nix | 25 +++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/monitoring/telegraf.nix b/nixos/modules/services/monitoring/telegraf.nix index c6b0b8906fd6..c0733f6b89cf 100644 --- a/nixos/modules/services/monitoring/telegraf.nix +++ b/nixos/modules/services/monitoring/telegraf.nix @@ -26,6 +26,19 @@ in { type = types.package; }; + environmentFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/telegraf.env"; + description = '' + File to load as environment file. Environment variables + from this file will be interpolated into the config file + using envsubst with this syntax: + <literal>$ENVIRONMENT ''${VARIABLE}</literal> + This is useful to avoid putting secrets into the nix store. + ''; + }; + extraConfig = mkOption { default = {}; description = "Extra configuration options for telegraf"; 
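Review bot: The `environmentFile` description does not say what the file must look like or who needs to read it, which is what decides whether the secret actually stays private. I would add to the description that the file uses systemd `EnvironmentFile` syntax (`NAME=value` per line), that it should be given as a string path outside the Nix store as in the example, and that it is read by systemd rather than by the telegraf user (to be confirmed against the unit), so it can be owned by root with mode 0600. It is also worth stating that substitution runs over the whole generated config, so a literal `$` in `extraConfig` values will presumably be treated as a variable reference.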
@@ -51,15 +64,23 @@ in { ###### implementation config = mkIf config.services.telegraf.enable { - systemd.services.telegraf = { + systemd.services.telegraf = let + finalConfigFile = if config.services.telegraf.environmentFile == null + then configFile + else "/tmp/config.toml"; + in { description = "Telegraf Agent"; wantedBy = [ "multi-user.target" ]; after = [ "network-online.target" ]; serviceConfig = { - ExecStart=''${cfg.package}/bin/telegraf -config "${configFile}"''; + EnvironmentFile = config.services.telegraf.environmentFile; + ExecStartPre = lib.optional (config.services.telegraf.environmentFile != null) + ''${pkgs.envsubst}/bin/envsubst -o /tmp/config.toml -i "${configFile}"''; + ExecStart=''${cfg.package}/bin/telegraf -config ${finalConfigFile}''; ExecReload="${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = "telegraf"; Restart = "on-failure"; + PrivateTmp = true; # for ping probes AmbientCapabilities = [ "CAP_NET_RAW" ]; };
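Review bot: The rendered config that holds the substituted secrets is written to the fixed path `/tmp/config.toml` in `ExecStartPre`, and nothing in the unit sets its mode, so its confidentiality rests entirely on `PrivateTmp = true` staying enabled. A dedicated runtime directory makes that explicit and keeps the file under /run: add `RuntimeDirectory = "telegraf";` and `UMask = "0077";` to `serviceConfig`, and point both the envsubst `-o` argument and `finalConfigFile` at `/run/telegraf/config.toml`. Separately, the envsubst call as written does not appear to fail on an undefined variable, so a typo in the environment file likely yields an empty credential rather than a start failure; the `-no-unset` flag of this envsubst would turn that into an error. The `config = mkIf …` block continues past the end of the hunk.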