nixos/prometheus-exporter: use separate user for each exporter
Stop using nobody/nogroup by default and use separate users for each exporter instead.
This commit is contained in:
parent
c221f9fdf2
commit
495222a840
@ -88,7 +88,7 @@ let
|
||||||
};
|
};
|
||||||
user = mkOption {
|
user = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "nobody";
|
default = "${name}-exporter";
|
||||||
description = ''
|
description = ''
|
||||||
User name under which the ${name} exporter shall be run.
|
User name under which the ${name} exporter shall be run.
|
||||||
Has no effect when <option>systemd.services.prometheus-${name}-exporter.serviceConfig.DynamicUser</option> is true.
|
Has no effect when <option>systemd.services.prometheus-${name}-exporter.serviceConfig.DynamicUser</option> is true.
|
||||||
|
@ -96,7 +96,7 @@ let
|
||||||
};
|
};
|
||||||
group = mkOption {
|
group = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "nobody";
|
default = "${name}-exporter";
|
||||||
description = ''
|
description = ''
|
||||||
Group under which the ${name} exporter shall be run.
|
Group under which the ${name} exporter shall be run.
|
||||||
Has no effect when <option>systemd.services.prometheus-${name}-exporter.serviceConfig.DynamicUser</option> is true.
|
Has no effect when <option>systemd.services.prometheus-${name}-exporter.serviceConfig.DynamicUser</option> is true.
|
||||||
|
@ -129,6 +129,18 @@ let
|
||||||
mkExporterConf = { name, conf, serviceOpts }:
|
mkExporterConf = { name, conf, serviceOpts }:
|
||||||
mkIf conf.enable {
|
mkIf conf.enable {
|
||||||
warnings = conf.warnings or [];
|
warnings = conf.warnings or [];
|
||||||
|
users.users = (mkIf (conf.user == "${name}-exporter") {
|
||||||
|
"${name}-exporter" = {
|
||||||
|
description = ''
|
||||||
|
Prometheus ${name} exporter service user
|
||||||
|
'';
|
||||||
|
isSystemUser = true;
|
||||||
|
inherit (conf) group;
|
||||||
|
};
|
||||||
|
});
|
||||||
|
users.groups = (mkIf (conf.group == "${name}-exporter") {
|
||||||
|
"${name}-exporter" = {};
|
||||||
|
});
|
||||||
networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
|
networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
|
||||||
"ip46tables -A nixos-fw ${conf.firewallFilter} "
|
"ip46tables -A nixos-fw ${conf.firewallFilter} "
|
||||||
"-m comment --comment ${name}-exporter -j nixos-fw-accept"
|
"-m comment --comment ${name}-exporter -j nixos-fw-accept"
|
||||||
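Review bot: The static `${name}-exporter` account added at the top of the `users.users` block is created whenever `conf.user` still holds its default, even when the unit runs with `DynamicUser = true`, which the option descriptions in the two earlier hunks say makes `user`/`group` irrelevant. systemd.exec documents that when a statically allocated user of the configured name already exists it is used and no dynamic user is allocated, so pre-creating the account could silently defeat DynamicUser for any exporter whose service config still passes `User = conf.user` — the service definition is not visible from this hunk, so that part is inferred. Gating both `mkIf` conditions on the DynamicUser setting, e.g. `mkIf (conf.user == "${name}-exporter" && !(serviceOpts.serviceConfig.DynamicUser or false))` and the same for the group, would keep the default consistent with the documented contract. The parentheses wrapping both `mkIf` calls are also unnecessary in Nix (`users.users = mkIf (…) { … };`). `mkExporterConf` continues past the end of this hunk.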
@ -39,8 +39,8 @@ in
|
||||||
mail_plugins = $mail_plugins old_stats
|
mail_plugins = $mail_plugins old_stats
|
||||||
service old-stats {
|
service old-stats {
|
||||||
unix_listener old-stats {
|
unix_listener old-stats {
|
||||||
user = nobody
|
user = dovecot-exporter
|
||||||
group = nobody
|
group = dovecot-exporter
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
''';
|
''';
|
||||||
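Review bot: The `user = dovecot-exporter` and `group = dovecot-exporter` lines in the `unix_listener old-stats` block hard-code the new default account instead of reading the exporter's `user`/`group` options, so an operator who overrides the exporter's `user` ends up with a stats socket owned by an account the exporter no longer runs as, and scrapes fail with a permission error (with DynamicUser the name would not match either). Interpolating the configured values, e.g. `user = ${<exporter-options>.user}` and `group = ${<exporter-options>.group}` using whatever binding the `let … in` above this hunk provides for the exporter's config, keeps socket ownership in step with the options. The multi-line Dovecot config string this sits in starts before this hunk.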