0254ae4e80
The web_access.patch would no longer apply. It disabled a check that required the static files for the web UI to be owned by the user the daemon runs as (not root, so it doesn't work well with nix). Besides updating netdata, this commit removes that patch, changes the netdata service config to set the "web files owner/group" option to "root" and adds a test that checks that the web UI is being served. This allows the web files to be owned by root without patching.
116 lines
3.1 KiB
Nix
116 lines
3.1 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.services.netdata;
|
|
|
|
wrappedPlugins = pkgs.runCommand "wrapped-plugins" {} ''
|
|
mkdir -p $out/libexec/netdata/plugins.d
|
|
ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin
|
|
'';
|
|
|
|
localConfig = {
|
|
global = {
|
|
"plugins directory" = "${wrappedPlugins}/libexec/netdata/plugins.d ${pkgs.netdata}/libexec/netdata/plugins.d";
|
|
};
|
|
web = {
|
|
"web files owner" = "root";
|
|
"web files group" = "root";
|
|
};
|
|
};
|
|
mkConfig = generators.toINI {} (recursiveUpdate localConfig cfg.config);
|
|
configFile = pkgs.writeText "netdata.conf" (if cfg.configText != null then cfg.configText else mkConfig);
|
|
|
|
defaultUser = "netdata";
|
|
|
|
in {
|
|
options = {
|
|
services.netdata = {
|
|
enable = mkEnableOption "netdata";
|
|
|
|
user = mkOption {
|
|
type = types.str;
|
|
default = "netdata";
|
|
description = "User account under which netdata runs.";
|
|
};
|
|
|
|
group = mkOption {
|
|
type = types.str;
|
|
default = "netdata";
|
|
description = "Group under which netdata runs.";
|
|
};
|
|
|
|
configText = mkOption {
|
|
type = types.nullOr types.lines;
|
|
description = "Verbatim netdata.conf, cannot be combined with config.";
|
|
default = null;
|
|
example = ''
|
|
[global]
|
|
debug log = syslog
|
|
access log = syslog
|
|
error log = syslog
|
|
'';
|
|
};
|
|
|
|
config = mkOption {
|
|
type = types.attrsOf types.attrs;
|
|
default = {};
|
|
description = "netdata.conf configuration as nix attributes. cannot be combined with configText.";
|
|
example = literalExample ''
|
|
global = {
|
|
"debug log" = "syslog";
|
|
"access log" = "syslog";
|
|
"error log" = "syslog";
|
|
};
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
assertions =
|
|
[ { assertion = cfg.config != {} -> cfg.configText == null ;
|
|
message = "Cannot specify both config and configText";
|
|
}
|
|
];
|
|
systemd.services.netdata = {
|
|
path = with pkgs; [ gawk curl ];
|
|
description = "Real time performance monitoring";
|
|
after = [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
preStart = concatStringsSep "\n" (map (dir: ''
|
|
mkdir -vp ${dir}
|
|
chmod 750 ${dir}
|
|
chown -R ${cfg.user}:${cfg.group} ${dir}
|
|
'') [ "/var/cache/netdata"
|
|
"/var/log/netdata"
|
|
"/var/lib/netdata" ]);
|
|
serviceConfig = {
|
|
User = cfg.user;
|
|
Group = cfg.group;
|
|
PermissionsStartOnly = true;
|
|
ExecStart = "${pkgs.netdata}/bin/netdata -D -c ${configFile}";
|
|
TimeoutStopSec = 60;
|
|
};
|
|
};
|
|
|
|
security.wrappers."apps.plugin" = {
|
|
source = "${pkgs.netdata}/libexec/netdata/plugins.d/apps.plugin";
|
|
capabilities = "cap_dac_read_search,cap_sys_ptrace+ep";
|
|
owner = cfg.user;
|
|
group = cfg.group;
|
|
permissions = "u+rx,g+rx,o-rwx";
|
|
};
|
|
|
|
|
|
users.users = optional (cfg.user == defaultUser) {
|
|
name = defaultUser;
|
|
};
|
|
|
|
users.groups = optional (cfg.group == defaultUser) {
|
|
name = defaultUser;
|
|
};
|
|
|
|
};
|
|
}
|