nixpkgs/nixos/modules/services/monitoring/longview.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.longview;

  runDir = "/run/longview";
  configsDir = "${runDir}/longview.d";

in {
  options = {

    services.longview = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          If enabled, system metrics will be sent to Linode LongView.
        '';
      };

      apiKey = mkOption {
        type = types.str;
        default = "";
        example = "01234567-89AB-CDEF-0123456789ABCDEF";
        description = ''
          Longview API key. To get this, look in Longview settings which
          are found at https://manager.linode.com/longview/.

          Warning: this secret is stored in the world-readable Nix store!
          Use <option>apiKeyFile</option> instead.
        '';
      };

      apiKeyFile = mkOption {
        type = types.nullOr types.path;
        default = null;
        example = "/run/keys/longview-api-key";
        description = ''
          A file containing the Longview API key.
          To get this, look in Longview settings which
          are found at https://manager.linode.com/longview/.

          <option>apiKeyFile</option> takes precedence over <option>apiKey</option>.
        '';
      };

      apacheStatusUrl = mkOption {
        type = types.str;
        default = "";
        example = "http://127.0.0.1/server-status";
        description = ''
          The Apache status page URL. If provided, Longview will
          gather statistics from this location. This requires Apache
          mod_status to be loaded and enabled.
        '';
      };

      nginxStatusUrl = mkOption {
        type = types.str;
        default = "";
        example = "http://127.0.0.1/nginx_status";
        description = ''
          The Nginx status page URL. Longview will gather statistics
          from this URL. This requires the Nginx stub_status module to
          be enabled and configured at the given location.
        '';
      };

      mysqlUser = mkOption {
        type = types.str;
        default = "";
        description = ''
          The user for connecting to the MySQL database. If provided,
          Longview will connect to MySQL and collect statistics about
          queries, etc. This user does not need to have been granted
          any extra privileges.
        '';
      };

      mysqlPassword = mkOption {
        type = types.str;
        default = "";
        description = ''
          The password corresponding to <option>mysqlUser</option>.
          Warning: this is stored in cleartext in the Nix store!
          Use <option>mysqlPasswordFile</option> instead.
        '';
      };

      mysqlPasswordFile = mkOption {
        type = types.nullOr types.path;
        default = null;
        example = "/run/keys/dbpassword";
        description = ''
          A file containing the password corresponding to <option>mysqlUser</option>.
        '';
      };

    };

  };

  config = mkIf cfg.enable {
    systemd.services.longview =
      { description = "Longview Metrics Collection";
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig.Type = "forking";
        serviceConfig.ExecStop = "-${pkgs.coreutils}/bin/kill -TERM $MAINPID";
        serviceConfig.ExecReload = "-${pkgs.coreutils}/bin/kill -HUP $MAINPID";
        serviceConfig.PIDFile = "${runDir}/longview.pid";
        serviceConfig.ExecStart = "${pkgs.longview}/bin/longview";
        preStart = ''
          umask 077
          mkdir -p ${configsDir}
        '' + (optionalString (cfg.apiKeyFile != null) ''
          cp --no-preserve=all "${cfg.apiKeyFile}" ${runDir}/longview.key
        '') + (optionalString (cfg.apacheStatusUrl != "") ''
          cat > ${configsDir}/Apache.conf <<EOF
          location ${cfg.apacheStatusUrl}?auto
          EOF
        '') + (optionalString (cfg.mysqlUser != "" && cfg.mysqlPasswordFile != null) ''
          cat > ${configsDir}/MySQL.conf <<EOF
          username ${cfg.mysqlUser}
          password `head -n1 "${cfg.mysqlPasswordFile}"`
          EOF
        '') + (optionalString (cfg.nginxStatusUrl != "") ''
          cat > ${configsDir}/Nginx.conf <<EOF
          location ${cfg.nginxStatusUrl}
          EOF
        '');
      };

    warnings = let warn = k: optional (cfg.${k} != "")
                 "config.services.longview.${k} is insecure. Use ${k}File instead.";
               in concatMap warn [ "apiKey" "mysqlPassword" ];

    assertions = [
      { assertion = cfg.apiKeyFile != null;
        message = "Longview needs an API key configured";
      }
    ];

    # Create API key file if not configured.
    services.longview.apiKeyFile = mkIf (cfg.apiKey != "")
      (mkDefault (toString (pkgs.writeTextFile {
        name = "longview.key";
        text = cfg.apiKey;
      })));

    # Create MySQL password file if not configured.
    services.longview.mysqlPasswordFile = mkDefault (toString (pkgs.writeTextFile {
      name = "mysql-password-file";
      text = cfg.mysqlPassword;
    }));
  };
}
longview nixos module: init 2015-11-01 10:22:58 +00:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
			`cfg = config.services.longview;`

longview service: don't write passwords to nix store Adds services.longview.{apiKeyFile,mysqlPasswordFile} options as alternatives to apiKey and mysqlPassword, which still work, but are deprecated with a warning message. Related to #24288. 2017-03-26 22:56:28 +01:00			`runDir = "/run/longview";`
			`configsDir = "${runDir}/longview.d";`

			`in {`
longview nixos module: init 2015-11-01 10:22:58 +00:00			`options = {`

			`services.longview = {`

			`enable = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`If enabled, system metrics will be sent to Linode LongView.`
			`'';`
			`};`

			`apiKey = mkOption {`
			`type = types.str;`
longview service: don't write passwords to nix store Adds services.longview.{apiKeyFile,mysqlPasswordFile} options as alternatives to apiKey and mysqlPassword, which still work, but are deprecated with a warning message. Related to #24288. 2017-03-26 22:56:28 +01:00			`default = "";`
longview nixos module: add config options for service monitoring 2015-11-11 12:11:07 +00:00			`example = "01234567-89AB-CDEF-0123456789ABCDEF";`
longview nixos module: init 2015-11-01 10:22:58 +00:00			`description = ''`
			`Longview API key. To get this, look in Longview settings which`
			`are found at https://manager.linode.com/longview/.`
longview service: don't write passwords to nix store Adds services.longview.{apiKeyFile,mysqlPasswordFile} options as alternatives to apiKey and mysqlPassword, which still work, but are deprecated with a warning message. Related to #24288. 2017-03-26 22:56:28 +01:00
			`Warning: this secret is stored in the world-readable Nix store!`
			`Use <option>apiKeyFile</option> instead.`
			`'';`
			`};`

			`apiKeyFile = mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`example = "/run/keys/longview-api-key";`
			`description = ''`
			`A file containing the Longview API key.`
			`To get this, look in Longview settings which`
			`are found at https://manager.linode.com/longview/.`

			`<option>apiKeyFile</option> takes precedence over <option>apiKey</option>.`
longview nixos module: init 2015-11-01 10:22:58 +00:00			`'';`
			`};`

longview nixos module: add config options for service monitoring 2015-11-11 12:11:07 +00:00			`apacheStatusUrl = mkOption {`
			`type = types.str;`
			`default = "";`
			`example = "http://127.0.0.1/server-status";`
			`description = ''`
			`The Apache status page URL. If provided, Longview will`
			`gather statistics from this location. This requires Apache`
			`mod_status to be loaded and enabled.`
			`'';`
			`};`

			`nginxStatusUrl = mkOption {`
			`type = types.str;`
			`default = "";`
			`example = "http://127.0.0.1/nginx_status";`
			`description = ''`
			`The Nginx status page URL. Longview will gather statistics`
			`from this URL. This requires the Nginx stub_status module to`
			`be enabled and configured at the given location.`
			`'';`
			`};`

			`mysqlUser = mkOption {`
			`type = types.str;`
			`default = "";`
			`description = ''`
			`The user for connecting to the MySQL database. If provided,`
			`Longview will connect to MySQL and collect statistics about`
longview nixos module: improve description for mysql password config options 2015-11-16 14:27:36 +00:00			`queries, etc. This user does not need to have been granted`
			`any extra privileges.`
longview nixos module: add config options for service monitoring 2015-11-11 12:11:07 +00:00			`'';`
			`};`

			`mysqlPassword = mkOption {`
			`type = types.str;`
longview service: don't write passwords to nix store Adds services.longview.{apiKeyFile,mysqlPasswordFile} options as alternatives to apiKey and mysqlPassword, which still work, but are deprecated with a warning message. Related to #24288. 2017-03-26 22:56:28 +01:00			`default = "";`
longview nixos module: add config options for service monitoring 2015-11-11 12:11:07 +00:00			`description = ''`
longview service: don't write passwords to nix store Adds services.longview.{apiKeyFile,mysqlPasswordFile} options as alternatives to apiKey and mysqlPassword, which still work, but are deprecated with a warning message. Related to #24288. 2017-03-26 22:56:28 +01:00			`The password corresponding to <option>mysqlUser</option>.`
			`Warning: this is stored in cleartext in the Nix store!`
			`Use <option>mysqlPasswordFile</option> instead.`
longview nixos module: add config options for service monitoring 2015-11-11 12:11:07 +00:00			`'';`
			`};`
longview service: don't write passwords to nix store Adds services.longview.{apiKeyFile,mysqlPasswordFile} options as alternatives to apiKey and mysqlPassword, which still work, but are deprecated with a warning message. Related to #24288. 2017-03-26 22:56:28 +01:00
			`mysqlPasswordFile = mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`example = "/run/keys/dbpassword";`
			`description = ''`
			`A file containing the password corresponding to <option>mysqlUser</option>.`
			`'';`
			`};`

longview nixos module: init 2015-11-01 10:22:58 +00:00			`};`

			`};`

			`config = mkIf cfg.enable {`
			`systemd.services.longview =`
			`{ description = "Longview Metrics Collection";`
			`after = [ "network.target" ];`
			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig.Type = "forking";`
			`serviceConfig.ExecStop = "-${pkgs.coreutils}/bin/kill -TERM $MAINPID";`
			`serviceConfig.ExecReload = "-${pkgs.coreutils}/bin/kill -HUP $MAINPID";`
longview service: don't write passwords to nix store Adds services.longview.{apiKeyFile,mysqlPasswordFile} options as alternatives to apiKey and mysqlPassword, which still work, but are deprecated with a warning message. Related to #24288. 2017-03-26 22:56:28 +01:00			`serviceConfig.PIDFile = "${runDir}/longview.pid";`
longview nixos module: init 2015-11-01 10:22:58 +00:00			`serviceConfig.ExecStart = "${pkgs.longview}/bin/longview";`
longview service: don't write passwords to nix store Adds services.longview.{apiKeyFile,mysqlPasswordFile} options as alternatives to apiKey and mysqlPassword, which still work, but are deprecated with a warning message. Related to #24288. 2017-03-26 22:56:28 +01:00			`preStart = ''`
			`umask 077`
			`mkdir -p ${configsDir}`
			`'' + (optionalString (cfg.apiKeyFile != null) ''`
			`cp --no-preserve=all "${cfg.apiKeyFile}" ${runDir}/longview.key`
			`'') + (optionalString (cfg.apacheStatusUrl != "") ''`
			`cat > ${configsDir}/Apache.conf <<EOF`
			`location ${cfg.apacheStatusUrl}?auto`
			`EOF`
			`'') + (optionalString (cfg.mysqlUser != "" && cfg.mysqlPasswordFile != null) ''`
			`cat > ${configsDir}/MySQL.conf <<EOF`
			`username ${cfg.mysqlUser}`
			password `head -n1 "${cfg.mysqlPasswordFile}"`
			`EOF`
			`'') + (optionalString (cfg.nginxStatusUrl != "") ''`
			`cat > ${configsDir}/Nginx.conf <<EOF`
			`location ${cfg.nginxStatusUrl}`
			`EOF`
			`'');`
longview nixos module: init 2015-11-01 10:22:58 +00:00			`};`

longview service: don't write passwords to nix store Adds services.longview.{apiKeyFile,mysqlPasswordFile} options as alternatives to apiKey and mysqlPassword, which still work, but are deprecated with a warning message. Related to #24288. 2017-03-26 22:56:28 +01:00			`warnings = let warn = k: optional (cfg.${k} != "")`
			`"config.services.longview.${k} is insecure. Use ${k}File instead.";`
			`in concatMap warn [ "apiKey" "mysqlPassword" ];`

			`assertions = [`
			`{ assertion = cfg.apiKeyFile != null;`
			`message = "Longview needs an API key configured";`
			`}`
			`];`

			`# Create API key file if not configured.`
			`services.longview.apiKeyFile = mkIf (cfg.apiKey != "")`
			`(mkDefault (toString (pkgs.writeTextFile {`
			`name = "longview.key";`
			`text = cfg.apiKey;`
			`})));`

			`# Create MySQL password file if not configured.`
			`services.longview.mysqlPasswordFile = mkDefault (toString (pkgs.writeTextFile {`
			`name = "mysql-password-file";`
			`text = cfg.mysqlPassword;`
			`}));`
longview nixos module: init 2015-11-01 10:22:58 +00:00			`};`
			`}`