mirrors/nixpkgs
1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-01-22 14:45:27 +00:00
Code Issues Wiki Activity

nixos/prometheus-exporters: use DynamicUser by default

Browse source 
Only define seperate users and groups when necessary.
This commit is contained in:
WilliButz 2019-08-02 15:23:23 +02:00
parent 495222a840
commit afd0dc17d6
No known key found for this signature in database
GPG key ID: 92582A10F1179CB2
21 changed files with 17 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
nixos/modules/services/monitoring/prometheus/exporters.nix
View file

@ -127,9 +127,12 @@ let
);
mkExporterConf = { name, conf, serviceOpts }:
let
enableDynamicUser = serviceOpts.serviceConfig.DynamicUser or true;
in
mkIf conf.enable {
warnings = conf.warnings or [];
users.users = (mkIf (conf.user == "${name}-exporter") {
users.users = (mkIf (conf.user == "${name}-exporter" && !enableDynamicUser) {
"${name}-exporter" = {
description = ''
Prometheus ${name} exporter service user
@ -138,7 +141,7 @@ let
inherit (conf) group;
};
});
users.groups = (mkIf (conf.group == "${name}-exporter") {
users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {
"${name}-exporter" = {};
});
networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
@ -151,7 +154,8 @@ let
serviceConfig.Restart = mkDefault "always";
serviceConfig.PrivateTmp = mkDefault true;
serviceConfig.WorkingDirectory = mkDefault /tmp;
} serviceOpts ] ++ optional (!(serviceOpts.serviceConfig.DynamicUser or false)) {
serviceConfig.DynamicUser = mkDefault enableDynamicUser;
} serviceOpts ] ++ optional (!enableDynamicUser) {
serviceConfig.User = conf.user;
serviceConfig.Group = conf.group;
});

1
nixos/modules/services/monitoring/prometheus/exporters/bind.nix
View file

@ -39,7 +39,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-bind-exporter}/bin/bind_exporter \
-web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

1
nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
View file

@ -18,7 +18,6 @@ in
serviceOpts = {
serviceConfig = {
AmbientCapabilities = [ "CAP_NET_RAW" ]; # for ping probes
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

1
nixos/modules/services/monitoring/prometheus/exporters/collectd.nix
View file

@ -64,7 +64,6 @@ in
'' else "";
in {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-collectd-exporter}/bin/collectd_exporter \
-log.format ${cfg.logFormat} \

1
nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix
View file

@ -26,7 +26,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-dnsmasq-exporter}/bin/dnsmasq_exporter \
--listen ${cfg.listenAddress}:${toString cfg.port} \

1
nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
View file

@ -59,6 +59,7 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = false;
ExecStart = ''
${pkgs.prometheus-dovecot-exporter}/bin/dovecot_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

1
nixos/modules/services/monitoring/prometheus/exporters/fritzbox.nix
View file

@ -26,7 +26,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-fritzbox-exporter}/bin/exporter \
-listen-address ${cfg.listenAddress}:${toString cfg.port} \

1
nixos/modules/services/monitoring/prometheus/exporters/json.nix
View file

@ -24,7 +24,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-json-exporter}/bin/prometheus-json-exporter \
--port ${toString cfg.port} \

1
nixos/modules/services/monitoring/prometheus/exporters/mail.nix
View file

@ -143,6 +143,7 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = false;
ExecStart = ''
${pkgs.prometheus-mail-exporter}/bin/mailexporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

1
nixos/modules/services/monitoring/prometheus/exporters/minio.nix
View file

@ -50,7 +50,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-minio-exporter}/bin/minio-exporter \
-web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

1
nixos/modules/services/monitoring/prometheus/exporters/nginx.nix
View file

@ -34,7 +34,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-nginx-exporter}/bin/nginx-prometheus-exporter \
--nginx.scrape-uri '${cfg.scrapeUri}' \

1
nixos/modules/services/monitoring/prometheus/exporters/node.nix
View file

@ -27,6 +27,7 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = false;
RuntimeDirectory = "prometheus-node-exporter";
ExecStart = ''
${pkgs.prometheus-node-exporter}/bin/node_exporter \

1
nixos/modules/services/monitoring/prometheus/exporters/postfix.nix
View file

@ -62,6 +62,7 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = false;
ExecStart = ''
${pkgs.prometheus-postfix-exporter}/bin/postfix_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

1
nixos/modules/services/monitoring/prometheus/exporters/postgres.nix
View file

@ -34,6 +34,7 @@ in
serviceOpts = {
environment.DATA_SOURCE_NAME = cfg.dataSourceName;
serviceConfig = {
DynamicUser = false;
User = mkIf cfg.runAsLocalSuperUser (mkForce "postgres");
ExecStart = ''
${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \

1
nixos/modules/services/monitoring/prometheus/exporters/snmp.nix
View file

@ -57,7 +57,6 @@ in
else "${pkgs.writeText "snmp-eporter-conf.yml" (builtins.toJSON cfg.configuration)}";
in {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-snmp-exporter.bin}/bin/snmp_exporter \
--config.file=${configFile} \

1
nixos/modules/services/monitoring/prometheus/exporters/surfboard.nix
View file

@ -20,7 +20,6 @@ in
description = "Prometheus exporter for surfboard cable modem";
unitConfig.Documentation = "https://github.com/ipstatic/surfboard_exporter";
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-surfboard-exporter}/bin/surfboard_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

1
nixos/modules/services/monitoring/prometheus/exporters/tor.nix
View file

@ -26,7 +26,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-tor-exporter}/bin/prometheus-tor-exporter \
-b ${cfg.listenAddress} \

1
nixos/modules/services/monitoring/prometheus/exporters/unifi.nix
View file

@ -51,7 +51,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-unifi-exporter}/bin/unifi_exporter \
-telemetry.addr ${cfg.listenAddress}:${toString cfg.port} \

1
nixos/modules/services/monitoring/prometheus/exporters/varnish.nix
View file

@ -69,6 +69,7 @@ in
path = [ pkgs.varnish ];
serviceConfig = {
RestartSec = mkDefault 1;
DynamicUser = false;
ExecStart = ''
${pkgs.prometheus-varnish-exporter}/bin/prometheus_varnish_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

1
nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix
View file

@ -47,7 +47,6 @@ in {
path = [ pkgs.wireguard-tools ];
serviceConfig = {
DynamicUser = true;
AmbientCapabilities = [ "CAP_NET_ADMIN" ];
};
};

9
nixos/tests/prometheus-exporters.nix
View file

@ -191,7 +191,6 @@ let
mail = {
exporterConfig = {
enable = true;
user = "mailexporter";
configuration = {
monitoringInterval = "2s";
mailCheckTimeout = "10s";
@ -199,9 +198,9 @@ let
name = "testserver";
server = "localhost";
port = 25;
from = "mailexporter@localhost";
to = "mailexporter@localhost";
detectionDir = "/var/spool/mail/mailexporter/new";
from = "mail-exporter@localhost";
to = "mail-exporter@localhost";
detectionDir = "/var/spool/mail/mail-exporter/new";
} ];
};
};
@ -211,7 +210,7 @@ let
after = [ "postfix.service" ];
requires = [ "postfix.service" ];
preStart = ''
mkdir -p 0600 mailexporter/new
mkdir -p 0600 mail-exporter/new
'';
serviceConfig = {
ProtectHome = true;