
cadviser: add storageDriverPasswordFile option

This gives users the option of storing the storageDriverPassword outside the
world-readable Nix store.

+59 -28
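--- a/nixos/modules/services/monitoring/cadvisor.nix
+++ b/nixos/modules/services/monitoring/cadvisor.nix
@@ -54,7 +54,29 @@
     storageDriverPassword = mkOption {
       default = "root";
       type = types.str;
-      description = "Cadvisor storage driver password.";
+      description = ''
+        Cadvisor storage driver password.
+
+        Warning: this password is stored in the world-readable Nix store. It's
+        recommended to use the <option>storageDriverPasswordFile</option> option
+        since that gives you control over the security of the password.
+        <option>storageDriverPasswordFile</option> also takes precedence over <option>storageDriverPassword</option>.
+      '';
+    };
+
+    storageDriverPasswordFile = mkOption {
+      type = types.str;
+      description = ''
+        File that contains the cadvisor storage driver password.
+
+        <option>storageDriverPasswordFile</option> takes precedence over <option>storageDriverPassword</option>
+
+        Warning: when <option>storageDriverPassword</option> is non-empty this defaults to a file in the
+        world-readable Nix store that contains the value of <option>storageDriverPassword</option>.
+
+        It's recommended to override this with a path not in the Nix store.
+        Tip: use <link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'>nixops key management</link>
+      '';
     };
 
     storageDriverSecure = mkOption {
@@ -65,35 +87,44 @@
     };
   };
 
-  config = mkIf cfg.enable {
-    systemd.services.cadvisor = {
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" "docker.service" "influxdb.service" ];
+  config = mkMerge [
+    { services.cadvisor.storageDriverPasswordFile = mkIf (cfg.storageDriverPassword != "") (
+      mkDefault (toString (pkgs.writeTextFile {
+        name = "cadvisor-storage-driver-password";
+        text = cfg.storageDriverPassword;
+      }))
+    );
+    }
 
-      postStart = mkBefore ''
-        until ${pkgs.curl.bin}/bin/curl -s -o /dev/null 'http://${cfg.listenAddress}:${toString cfg.port}/containers/'; do
-          sleep 1;
-        done
-      '';
+    (mkIf cfg.enable {
+      systemd.services.cadvisor = {
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" "docker.service" "influxdb.service" ];
+
+        postStart = mkBefore ''
+          until ${pkgs.curl.bin}/bin/curl -s -o /dev/null 'http://${cfg.listenAddress}:${toString cfg.port}/containers/'; do
+            sleep 1;
+          done
+        '';
 
-      serviceConfig = {
-        ExecStart = ''${pkgs.cadvisor}/bin/cadvisor \
-          -logtostderr=true \
-          -listen_ip=${cfg.listenAddress} \
-          -port=${toString cfg.port} \
-          ${optionalString (cfg.storageDriver != null) ''
-            -storage_driver ${cfg.storageDriver} \
-            -storage_driver_user ${cfg.storageDriverHost} \
-            -storage_driver_db ${cfg.storageDriverDb} \
-            -storage_driver_user ${cfg.storageDriverUser} \
-            -storage_driver_password ${cfg.storageDriverPassword} \
-            ${optionalString cfg.storageDriverSecure "-storage_driver_secure"}
-          ''}
+        script = ''
+          exec ${pkgs.cadvisor}/bin/cadvisor \
+            -logtostderr=true \
+            -listen_ip="${cfg.listenAddress}" \
+            -port="${toString cfg.port}" \
+            ${optionalString (cfg.storageDriver != null) ''
+              -storage_driver "${cfg.storageDriver}" \
+              -storage_driver_user "${cfg.storageDriverHost}" \
+              -storage_driver_db "${cfg.storageDriverDb}" \
+              -storage_driver_user "${cfg.storageDriverUser}" \
+              -storage_driver_password "$(cat "${cfg.storageDriverPasswordFile}")" \
+              ${optionalString cfg.storageDriverSecure "-storage_driver_secure"}
+            ''}
         '';
-        TimeoutStartSec=300;
-      };
-    };
 
-    virtualisation.docker.enable = mkDefault true;
-  };
+        serviceConfig.TimeoutStartSec=300;
+      };
+      virtualisation.docker.enable = mkDefault true;
+    })
+  ];
 }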
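Review bot: New line 120 reads the secret out of storageDriverPasswordFile only to place it on cadvisor's command line, so after startup it is still visible to every local user through the process arguments (`ps`, `/proc/<pid>/cmdline`), which undercuts the point of moving it out of the Nix store. Unless cadvisor offers a file-based way to receive the password, the storageDriverPasswordFile description should state this limitation, e.g. `Note: the password is still passed to cadvisor as a command-line argument and is therefore visible in the process list.` Separately, new lines 117 and 119 both pass `-storage_driver_user`; the first carries storageDriverHost and was presumably meant to be `-storage_driver_host "${cfg.storageDriverHost}" \`. That defect predates this commit, but the lines are rewritten here, so it is worth fixing in the same change. Also, when storageDriverPassword is set to the empty string and storageDriver is non-null, storageDriverPasswordFile has no default, so evaluation will presumably fail on an unset option rather than passing an empty password as the old ExecStart did.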