authorWilliButz <wbutz@cyberfnord.de>2019-08-02 15:10:27 +0200
committerWilliButz <wbutz@cyberfnord.de>2019-08-02 18:49:56 +0200
commit495222a840d3a09dbde029e60f83218c31575c97 (patch)
tree29afd5f83bd01f9c0bc5ed0c96b659367db8f278
parentc221f9fdf2775010384c995ff26bf2da683aaa43 (diff)
nixos/prometheus-exporter: use separate user for each exporter
Stop using nobody/nogroup by default and use a separate user for each
exporter instead.
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters.nix16
-rw-r--r--nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix4
2 files changed, 16 insertions, 4 deletions
diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index 15ec2e868b8..04aeb33878b 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -88,7 +88,7 @@ let
     };
     user = mkOption {
       type = types.str;
-      default = "nobody";
+      default = "${name}-exporter";
       description = ''
         User name under which the ${name} exporter shall be run.
         Has no effect when <option>systemd.services.prometheus-${name}-exporter.serviceConfig.DynamicUser</option> is true.
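Review bot: The option description is not updated for the new default: it does not say that the `${name}-exporter` account is created automatically only when the option is left at its default, so a caller who sets a different name has to define that user themselves. Adding a sentence such as `Only created automatically when left at the default value; any other user must be declared by the caller.` to this description, and the same for the `group` option in the next hunk, would make that explicit. The enclosing option set continues outside the hunk.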
@@ -96,7 +96,7 @@ let
     };
     group = mkOption {
       type = types.str;
-      default = "nobody";
+      default = "${name}-exporter";
       description = ''
         Group under which the ${name} exporter shall be run.
         Has no effect when <option>systemd.services.prometheus-${name}-exporter.serviceConfig.DynamicUser</option> is true.
@@ -129,6 +129,18 @@ let
   mkExporterConf = { name, conf, serviceOpts }:
     mkIf conf.enable {
       warnings = conf.warnings or [];
+      users.users = (mkIf (conf.user == "${name}-exporter") {
+        "${name}-exporter" = {
+          description = ''
+            Prometheus ${name} exporter service user
+          '';
+          isSystemUser = true;
+          inherit (conf) group;
+        };
+      });
+      users.groups = (mkIf (conf.group == "${name}-exporter") {
+        "${name}-exporter" = {};
+      });
       networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
         "ip46tables -A nixos-fw ${conf.firewallFilter} "
         "-m comment --comment ${name}-exporter -j nixos-fw-accept"
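Review bot: The `description` on lines 52–54 is an indented `''` string, which keeps its trailing newline, so the account description becomes `"Prometheus ${name} exporter service user\n"`; passwd-style consumers of that field generally cannot hold a newline, so it should be a plain string: `description = "Prometheus ${name} exporter service user";`. Separately, the user and group are defined whenever the options are at their default, even if the unit runs with `DynamicUser`, which the option descriptions say makes `user`/`group` irrelevant; if that combination is expected, the two `mkIf` conditions could also exclude it. mkExporterConf's body continues outside the hunk.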
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
index 039242b730c..39c908fea57 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
@@ -39,8 +39,8 @@ in
             mail_plugins = $mail_plugins old_stats
             service old-stats {
               unix_listener old-stats {
-                user = nobody
-                group = nobody
+                user = dovecot-exporter
+                group = dovecot-exporter
               }
             }
           ''';
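Review bot: The example now hard-codes `dovecot-exporter` as the listener owner, which is the new default of `services.prometheus.exporters.dovecot.user`/`.group` but not necessarily what a deployment uses; the text around the listing should say that the two values must match those options if they are overridden, e.g. `(replace with the values of services.prometheus.exporters.dovecot.user and .group if you changed them)`. The enclosing option description starts outside the hunk.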