nixos/dd-agent: Fix dodgy temp files

DataDog was dropping PID files and and python pickle files in /tmp. Move these to private directories as a precaution.
2018-05-05 13:46:10 +01:00 · 2018-05-05 13:46:10 +01:00 · 51618113f4
commit 51618113f4
parent fb6679151a
1 changed files with 41 additions and 39 deletions
--- a/nixos/modules/services/monitoring/dd-agent/dd-agent.nix
+++ b/nixos/modules/services/monitoring/dd-agent/dd-agent.nix
@ -114,13 +114,22 @@ let
 in {
  options.services.dd-agent = {
    enable = mkOption {
-      description = "Whether to enable the dd-agent montioring service";
+      description = ''
        Whether to enable the dd-agent v5 monitoring service.
        For datadog-agent v6, see <option>services.datadog-agent.enable</option>.
      '';
      default = false;
      type = types.bool;
    };
    api_key = mkOption {
-      description = "The Datadog API key to associate the agent with your account";
+      description = ''
        The Datadog API key to associate the agent with your account.
        Warning: this key is stored in cleartext within the world-readable
        Nix store! Consider using the new v6
        <option>services.datadog-agent</option> module instead.
      '';
      example = "ae0aa6a8f08efa988ba0a17578f009ab";
      type = types.str;
    };
@ -188,48 +197,41 @@ in {
    users.groups.datadog.gid = config.ids.gids.datadog;
-    systemd.services.dd-agent = {
+    systemd.services = let
-      description = "Datadog agent monitor";
+      makeService = attrs: recursiveUpdate {
-      path = [ pkgs."dd-agent" pkgs.python pkgs.sysstat pkgs.procps pkgs.gohai ];
+        path = [ pkgs.dd-agent pkgs.python pkgs.sysstat pkgs.procps pkgs.gohai ];
-      wantedBy = [ "multi-user.target" ];
+        wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
+        serviceConfig = {
-        ExecStart = "${pkgs.dd-agent}/bin/dd-agent foreground";
+          User = "datadog";
-        User = "datadog";
+          Group = "datadog";
-        Group = "datadog";
+          Restart = "always";
-        Restart = "always";
+          RestartSec = 2;
-        RestartSec = 2;
+          PrivateTmp = true;
        };
        restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig jmxConfig processConfig ];
      } attrs;
    in {
      dd-agent = makeService {
        description = "Datadog agent monitor";
        serviceConfig.ExecStart = "${pkgs.dd-agent}/bin/dd-agent foreground";
      };
      restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig jmxConfig processConfig ];
    };
-    systemd.services.dogstatsd = {
+      dogstatsd = makeService {
-      description = "Datadog statsd";
+        description = "Datadog statsd";
-      path = [ pkgs."dd-agent" pkgs.python pkgs.procps ];
+        environment.TMPDIR = "/run/dogstatsd";
-      wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
-      serviceConfig = {
+          ExecStart = "${pkgs.dd-agent}/bin/dogstatsd start";
-        ExecStart = "${pkgs.dd-agent}/bin/dogstatsd start";
+          Type = "forking";
-        User = "datadog";
+          PIDFile = "/run/dogstatsd/dogstatsd.pid";
-        Group = "datadog";
+          RuntimeDirectory = "dogstatsd";
-        Type = "forking";
+        };
        PIDFile = "/tmp/dogstatsd.pid";
        Restart = "always";
        RestartSec = 2;
      };
      restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig jmxConfig processConfig ];
    };
-    systemd.services.dd-jmxfetch = lib.mkIf (cfg.jmxConfig != null) {
+      dd-jmxfetch = lib.mkIf (cfg.jmxConfig != null) {
-      description = "Datadog JMX Fetcher";
+        description = "Datadog JMX Fetcher";
-      path = [ pkgs."dd-agent" pkgs.python pkgs.sysstat pkgs.procps pkgs.jdk ];
+        path = [ pkgs.dd-agent pkgs.python pkgs.sysstat pkgs.procps pkgs.jdk ];
-      wantedBy = [ "multi-user.target" ];
+        serviceConfig.ExecStart = "${pkgs.dd-agent}/bin/dd-jmxfetch";
      serviceConfig = {
        ExecStart = "${pkgs.dd-agent}/bin/dd-jmxfetch";
        User = "datadog";
        Group = "datadog";
        Restart = "always";
        RestartSec = 2;
      };
      restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig jmxConfig ];
    };
    environment.etc = etcfiles;