From 0ac24ccf2a076c6cdad20f739031fe65d49a51f4 Mon Sep 17 00:00:00 2001 From: Martin Milata Date: Fri, 6 Mar 2020 00:22:15 +0100 Subject: [PATCH 1/5] nixos/prometheus-*-exporter: escape shell args --- .../services/monitoring/prometheus/exporters/blackbox.nix | 2 +- .../services/monitoring/prometheus/exporters/collectd.nix | 2 +- .../services/monitoring/prometheus/exporters/dnsmasq.nix | 2 +- .../services/monitoring/prometheus/exporters/dovecot.nix | 2 +- .../services/monitoring/prometheus/exporters/json.nix | 2 +- .../services/monitoring/prometheus/exporters/mail.nix | 2 +- .../services/monitoring/prometheus/exporters/minio.nix | 4 ++-- .../services/monitoring/prometheus/exporters/nextcloud.nix | 2 +- .../services/monitoring/prometheus/exporters/postfix.nix | 6 +++--- .../services/monitoring/prometheus/exporters/snmp.nix | 4 ++-- .../services/monitoring/prometheus/exporters/unifi.nix | 4 ++-- .../services/monitoring/prometheus/exporters/varnish.nix | 4 ++-- .../services/monitoring/prometheus/exporters/wireguard.nix | 2 +- 13 files changed, 19 insertions(+), 19 deletions(-) diff --git a/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix b/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix index 8a90afa9984..fe8d905da3f 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix @@ -61,7 +61,7 @@ in { ExecStart = '' ${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ - --config.file ${adjustedConfigFile} \ + --config.file ${escapeShellArg adjustedConfigFile} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix index 1cc34641809..97210463027 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix @@ -66,7 +66,7 @@ in serviceConfig = { ExecStart = '' ${pkgs.prometheus-collectd-exporter}/bin/collectd_exporter \ - -log.format ${cfg.logFormat} \ + -log.format ${escapeShellArg cfg.logFormat} \ -log.level ${cfg.logLevel} \ -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ ${collectSettingsArgs} \ diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix b/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix index e9fa26cb1f5..68afba21d64 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix @@ -30,7 +30,7 @@ in ${pkgs.prometheus-dnsmasq-exporter}/bin/dnsmasq_exporter \ --listen ${cfg.listenAddress}:${toString cfg.port} \ --dnsmasq ${cfg.dnsmasqListenAddress} \ - --leases_path ${cfg.leasesPath} \ + --leases_path ${escapeShellArg cfg.leasesPath} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; }; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix index a01074758ff..aba3533e439 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix @@ -64,7 +64,7 @@ in ${pkgs.prometheus-dovecot-exporter}/bin/dovecot_exporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ --web.telemetry-path ${cfg.telemetryPath} \ - --dovecot.socket-path ${cfg.socketPath} \ + --dovecot.socket-path ${escapeShellArg cfg.socketPath} \ --dovecot.scopes ${concatStringsSep "," cfg.scopes} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/json.nix b/nixos/modules/services/monitoring/prometheus/exporters/json.nix index 82a55bafc98..bd0026b55f7 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/json.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/json.nix @@ -27,7 +27,7 @@ in ExecStart = '' ${pkgs.prometheus-json-exporter}/bin/prometheus-json-exporter \ --port ${toString cfg.port} \ - ${cfg.url} ${cfg.configFile} \ + ${cfg.url} ${escapeShellArg cfg.configFile} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; }; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix index 7d8c6fb6140..7754e8fb8a6 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix @@ -148,7 +148,7 @@ in ${pkgs.prometheus-mail-exporter}/bin/mailexporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ --config.file ${ - if cfg.configuration != {} then configurationFile else cfg.configFile + if cfg.configuration != {} then configurationFile else (escapeShellArg cfg.configFile) } \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/minio.nix b/nixos/modules/services/monitoring/prometheus/exporters/minio.nix index ab3e3d7d5d5..d6dd62f871b 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/minio.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/minio.nix @@ -54,8 +54,8 @@ in ${pkgs.prometheus-minio-exporter}/bin/minio-exporter \ -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ -minio.server ${cfg.minioAddress} \ - -minio.access-key ${cfg.minioAccessKey} \ - -minio.access-secret ${cfg.minioAccessSecret} \ + -minio.access-key ${escapeShellArg cfg.minioAccessKey} \ + -minio.access-secret ${escapeShellArg cfg.minioAccessSecret} \ ${optionalString cfg.minioBucketStats "-minio.bucket-stats"} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix b/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix index 5f9a52053f7..aee6bd5e66c 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix @@ -50,7 +50,7 @@ in -u ${cfg.username} \ -t ${cfg.timeout} \ -l ${cfg.url} \ - -p @${cfg.passwordFile} \ + -p ${escapeShellArg "@${cfg.passwordFile}"} \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; }; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix b/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix index d50564717ea..3b6ef1631f8 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix @@ -67,15 +67,15 @@ in ${pkgs.prometheus-postfix-exporter}/bin/postfix_exporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ --web.telemetry-path ${cfg.telemetryPath} \ - --postfix.showq_path ${cfg.showqPath} \ + --postfix.showq_path ${escapeShellArg cfg.showqPath} \ ${concatStringsSep " \\\n " (cfg.extraFlags ++ optional cfg.systemd.enable "--systemd.enable" ++ optional cfg.systemd.enable (if cfg.systemd.slice != null then "--systemd.slice ${cfg.systemd.slice}" else "--systemd.unit ${cfg.systemd.unit}") ++ optional (cfg.systemd.enable && (cfg.systemd.journalPath != null)) - "--systemd.journal_path ${cfg.systemd.journalPath}" - ++ optional (!cfg.systemd.enable) "--postfix.logfile_path ${cfg.logfilePath}")} + "--systemd.journal_path ${escapeShellArg cfg.systemd.journalPath}" + ++ optional (!cfg.systemd.enable) "--postfix.logfile_path ${escapeShellArg cfg.logfilePath}")} ''; }; }; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix index fe7ae8a8ac9..606c9162059 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix @@ -59,8 +59,8 @@ in serviceConfig = { ExecStart = '' ${pkgs.prometheus-snmp-exporter.bin}/bin/snmp_exporter \ - --config.file=${configFile} \ - --log.format=${cfg.logFormat} \ + --config.file=${escapeShellArg configFile} \ + --log.format=${escapeShellArg cfg.logFormat} \ --log.level=${cfg.logLevel} \ --web.listen-address=${cfg.listenAddress}:${toString cfg.port} \ ${concatStringsSep " \\\n " cfg.extraFlags} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix b/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix index 9aa0f1b85aa..8d0e8764001 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix @@ -55,8 +55,8 @@ in ${pkgs.prometheus-unifi-exporter}/bin/unifi_exporter \ -telemetry.addr ${cfg.listenAddress}:${toString cfg.port} \ -unifi.addr ${cfg.unifiAddress} \ - -unifi.username ${cfg.unifiUsername} \ - -unifi.password ${cfg.unifiPassword} \ + -unifi.username ${escapeShellArg cfg.unifiUsername} \ + -unifi.password ${escapeShellArg cfg.unifiPassword} \ -unifi.timeout ${cfg.unifiTimeout} \ ${optionalString cfg.unifiInsecure "-unifi.insecure" } \ ${concatStringsSep " \\\n " cfg.extraFlags} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix b/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix index 12153fa021e..5b5a6e18fcd 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix @@ -74,10 +74,10 @@ in ${pkgs.prometheus-varnish-exporter}/bin/prometheus_varnish_exporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ --web.telemetry-path ${cfg.telemetryPath} \ - --varnishstat-path ${cfg.varnishStatPath} \ + --varnishstat-path ${escapeShellArg cfg.varnishStatPath} \ ${concatStringsSep " \\\n " (cfg.extraFlags ++ optional (cfg.healthPath != null) "--web.health-path ${cfg.healthPath}" - ++ optional (cfg.instance != null) "-n ${cfg.instance}" + ++ optional (cfg.instance != null) "-n ${escapeShellArg cfg.instance}" ++ optional cfg.noExit "--no-exit" ++ optional cfg.withGoMetrics "--with-go-metrics" ++ optional cfg.verbose "--verbose" diff --git a/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix b/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix index 374f83a2939..04421fc2d25 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/wireguard.nix @@ -59,7 +59,7 @@ in { ${optionalString cfg.verbose "-v"} \ ${optionalString cfg.singleSubnetPerField "-s"} \ ${optionalString cfg.withRemoteIp "-r"} \ - ${optionalString (cfg.wireguardConfig != null) "-n ${cfg.wireguardConfig}"} + ${optionalString (cfg.wireguardConfig != null) "-n ${escapeShellArg cfg.wireguardConfig}"} ''; }; }; From 87f87fb3e98d49bc7e48b22fb5086de75af46736 Mon Sep 17 00:00:00 2001 From: Martin Milata Date: Fri, 6 Mar 2020 01:01:22 +0100 Subject: [PATCH 2/5] nixos/prometheus-snmp-exporter: update log options The allowed values have changed in bd3319d28c43580c74839a10dca5d348cc3e0b29. 0.15: --log.level="info" Only log messages with the given severity or above. Valid levels: [debug, info, warn, error, fatal] --log.format="logger:stderr" Set the log target and format. Example: "logger:syslog?appname=bob&local=7" or "logger:stdout?json=true" 0.17: --log.level=info Only log messages with the given severity or above. One of: [debug, info, warn, error] --log.format=logfmt Output format of log messages. One of: [logfmt, json] --- .../services/monitoring/prometheus/exporters/snmp.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix index 606c9162059..ddde3c10481 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix @@ -36,15 +36,15 @@ in }; logFormat = mkOption { - type = types.str; - default = "logger:stderr"; + type = types.enum ["logfmt" "json"]; + default = "logfmt"; description = '' - Set the log target and format. + Output format of log messages. ''; }; logLevel = mkOption { - type = types.enum ["debug" "info" "warn" "error" "fatal"]; + type = types.enum ["debug" "info" "warn" "error"]; default = "info"; description = '' Only log messages with the given severity or above. From 2a080ac4349899a9d1d103ba42b0c8ecba95dba0 Mon Sep 17 00:00:00 2001 From: Martin Milata Date: Fri, 6 Mar 2020 01:11:21 +0100 Subject: [PATCH 3/5] nixos/prometheus-snmp-exporter: fix assertion The assertion was printed when user explicitly defined only the configurationPath option. --- nixos/modules/services/monitoring/prometheus/exporters.nix | 4 +++- .../modules/services/monitoring/prometheus/exporters/snmp.nix | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index 36ebffa4463..e9845fc4bb8 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -197,7 +197,9 @@ in config = mkMerge ([{ assertions = [ { - assertion = (cfg.snmp.configurationPath == null) != (cfg.snmp.configuration == null); + assertion = cfg.snmp.enable -> ( + (cfg.snmp.configurationPath == null) != (cfg.snmp.configuration == null) + ); message = '' Please ensure you have either `services.prometheus.exporters.snmp.configuration' or `services.prometheus.exporters.snmp.configurationPath' set! diff --git a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix index ddde3c10481..045e48a3d0f 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix @@ -19,7 +19,7 @@ in configuration = mkOption { type = types.nullOr types.attrs; - default = {}; + default = null; description = '' Snmp exporter configuration as nix attribute set. Mutually exclusive with 'configurationPath' option. ''; @@ -54,7 +54,7 @@ in serviceOpts = let configFile = if cfg.configurationPath != null then cfg.configurationPath - else "${pkgs.writeText "snmp-eporter-conf.yml" (builtins.toJSON cfg.configuration)}"; + else "${pkgs.writeText "snmp-exporter-conf.yml" (builtins.toJSON cfg.configuration)}"; in { serviceConfig = { ExecStart = '' From 3b5cf35e8bc5198cbd9f2e34a6df9c971947a7e8 Mon Sep 17 00:00:00 2001 From: Martin Milata Date: Fri, 6 Mar 2020 01:41:40 +0100 Subject: [PATCH 4/5] nixos/prometheus-mail-exporter: fix assertion The assertion was printed when user explicitly defined only the configFile option. --- nixos/modules/services/monitoring/prometheus/exporters.nix | 4 +++- .../services/monitoring/prometheus/exporters/mail.nix | 6 +++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix index e9845fc4bb8..aeed55172da 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -205,7 +205,9 @@ in or `services.prometheus.exporters.snmp.configurationPath' set! ''; } { - assertion = (cfg.mail.configFile == null) != (cfg.mail.configuration == {}); + assertion = cfg.mail.enable -> ( + (cfg.mail.configFile == null) != (cfg.mail.configuration == null) + ); message = '' Please specify either 'services.prometheus.exporters.mail.configuration' or 'services.prometheus.exporters.mail.configFile'. diff --git a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix index 7754e8fb8a6..4d9239f7bb3 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix @@ -127,8 +127,8 @@ in ''; }; configuration = mkOption { - type = types.submodule exporterOptions; - default = {}; + type = types.nullOr (types.submodule exporterOptions); + default = null; description = '' Specify the mailexporter configuration file to use. ''; @@ -148,7 +148,7 @@ in ${pkgs.prometheus-mail-exporter}/bin/mailexporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ --config.file ${ - if cfg.configuration != {} then configurationFile else (escapeShellArg cfg.configFile) + if cfg.configuration != null then configurationFile else (escapeShellArg cfg.configFile) } \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; From e7ed7901a8c7242e4c12806547e5405e79b17aeb Mon Sep 17 00:00:00 2001 From: Martin Milata Date: Fri, 6 Mar 2020 01:24:48 +0100 Subject: [PATCH 5/5] nixos/prometheus-mail-exporter: misc fixes - Fix misspelled option. mkRenamedOptionModule is not used because the option hasn't really worked before. - Add missing cfg.telemetryPath arg to ExecStart. - Fix mkdir invocation in test. --- .../modules/services/monitoring/prometheus/exporters/mail.nix | 3 ++- nixos/tests/prometheus-exporters.nix | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix index 4d9239f7bb3..18c5c4dd162 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix @@ -90,7 +90,7 @@ let Timeout until mails are considered "didn't make it". ''; }; - disableFileDelition = mkOption { + disableFileDeletion = mkOption { type = types.bool; default = false; description = '' @@ -147,6 +147,7 @@ in ExecStart = '' ${pkgs.prometheus-mail-exporter}/bin/mailexporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --web.telemetry-path ${cfg.telemetryPath} \ --config.file ${ if cfg.configuration != null then configurationFile else (escapeShellArg cfg.configFile) } \ diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index 3d0d00bfbe6..b84e589e84c 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -224,7 +224,7 @@ let after = [ "postfix.service" ]; requires = [ "postfix.service" ]; preStart = '' - mkdir -p 0600 mail-exporter/new + mkdir -p -m 0700 mail-exporter/new ''; serviceConfig = { ProtectHome = true;