ebe67d69d0
The collectd service runs as an unprivileged user by default, so it does not leak more information to its data directory than any user can obtain elsewhere by other means. If people are running it as root and are worried about information leaks, we can add a collectd group and set the permissions to 750. CC @offlinehacker. Fixes #21198.
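# NixOS module for the collectd monitoring agent.
#
# Declares the `services.collectd.*` options, renders them into a
# collectd.conf in the Nix store, and defines a forking systemd unit that
# starts the daemon with that file.
{ config, pkgs, lib, ... }:

with lib;

let
  cfg = config.services.collectd;

  # The `user` option is typed `nullOr str`, so null has to be handled at
  # every use site. Null is treated like "root" here: no `User=` line is
  # emitted and nothing is chowned.
  dropsPrivileges = cfg.user != null && cfg.user != "root";

  # Generated daemon configuration. Include paths and `extraConfig` are
  # spliced in verbatim, so whoever sets those options controls what the
  # daemon loads.
  conf = pkgs.writeText "collectd.conf" ''
    BaseDir "${cfg.dataDir}"
    PIDFile "${cfg.pidFile}"
    AutoLoadPlugin ${if cfg.autoLoadPlugin then "true" else "false"}
    Hostname "${config.networking.hostName}"

    LoadPlugin syslog
    <Plugin "syslog">
      LogLevel "info"
      NotifyLevel "OKAY"
    </Plugin>

    ${concatMapStrings (f: ''
      Include "${f}"
    '') cfg.include}

    ${cfg.extraConfig}
  '';

in {
  options.services.collectd = with types; {
    enable = mkOption {
      default = false;
      description = ''
        Whether to enable collectd agent.
      '';
      type = bool;
    };

    package = mkOption {
      default = pkgs.collectd;
      defaultText = "pkgs.collectd";
      description = ''
        Which collectd package to use.
      '';
      type = package;
    };

    # The default is a dedicated unprivileged account, created at the end of
    # this module. "root" and null both leave the unit without a `User=` line.
    user = mkOption {
      default = "collectd";
      description = ''
        User under which to run collectd.
      '';
      type = nullOr str;
    };

    dataDir = mkOption {
      default = "/var/lib/collectd";
      description = ''
        Data directory for collectd agent.
      '';
      type = path;
    };

    pidFile = mkOption {
      default = "/var/run/collectd.pid";
      description = ''
        Location of collectd pid file.
      '';
      type = path;
    };

    autoLoadPlugin = mkOption {
      default = false;
      description = ''
        Enable plugin autoloading.
      '';
      type = bool;
    };

    include = mkOption {
      default = [];
      description = ''
        Additional paths to load config from.
      '';
      type = listOf str;
    };

    extraConfig = mkOption {
      default = "";
      description = ''
        Extra configuration for collectd.
      '';
      type = lines;
    };
  };

  config = mkIf cfg.enable {
    systemd.services.collectd = {
      description = "Collectd Monitoring Agent";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        ExecStart = "${cfg.package}/sbin/collectd -C ${conf} -P ${cfg.pidFile}";
        Type = "forking";
        PIDFile = cfg.pidFile;
        # An empty list renders no `User=` line, so the unit keeps systemd's
        # default user when the option is "root" or null.
        User = optional dropsPrivileges cfg.user;
        # `User=` applies to ExecStart only; preStart below runs with full
        # privileges so it can create and chown the directories.
        PermissionsStartOnly = true;
      };

      # The data directory is deliberately world-readable (755): with the
      # default unprivileged user the collected data is nothing other local
      # users could not obtain themselves. When the daemon runs as root and
      # gathers more sensitive data, a dedicated group with mode 750 is the
      # stricter alternative.
      #
      # Paths and the user name are double-quoted so that values containing
      # whitespace are not word-split by the shell.
      #
      # NOTE(review): the recursive chown runs as root over a tree the
      # service user can write to, and the PID file is handed to that same
      # user. Confirm both are acceptable for the deployment.
      preStart = ''
        mkdir -p "${cfg.dataDir}"
        chmod 755 "${cfg.dataDir}"
        install -D /dev/null "${cfg.pidFile}"
      '' + optionalString (cfg.user != null) ''
        if [ "$(id -u)" = 0 ]; then
          chown -R "${cfg.user}" "${cfg.dataDir}"
          chown "${cfg.user}" "${cfg.pidFile}"
        fi
      '';
    };

    # The system account is declared only for the default user name; any
    # other user is expected to be defined elsewhere in the configuration.
    users.extraUsers = optional (cfg.user == "collectd") {
      name = "collectd";
      uid = config.ids.uids.collectd;
    };
  };
}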