authorBas van Dijk <v.dijk.bas@gmail.com>2017-03-26 00:44:53 +0100
committerBas van Dijk <v.dijk.bas@gmail.com>2017-04-08 14:15:18 +0200
commit2030a91f58cde5a8c8b8db339da8af9dfe366b04 (patch)
treeda44ab9c451ce6c6885ac128c5b13a476ed1b0f1 /nixos/modules/services/monitoring
parent79f9544eca8659bad4e48c31accf62f69521fb86 (diff)
cadviser: add storageDriverPasswordFile option
This gives users the option of storing the storageDriverPassword outside the
world-readable Nix store.
Diffstat (limited to 'nixos/modules/services/monitoring')
-rw-r--r--nixos/modules/services/monitoring/cadvisor.nix91
1 files changed, 61 insertions, 30 deletions
diff --git a/nixos/modules/services/monitoring/cadvisor.nix b/nixos/modules/services/monitoring/cadvisor.nix
index 8ae8b12056ce..6ca420a05b23 100644
--- a/nixos/modules/services/monitoring/cadvisor.nix
+++ b/nixos/modules/services/monitoring/cadvisor.nix
@@ -54,7 +54,29 @@ in {
       storageDriverPassword = mkOption {
         default = "root";
         type = types.str;
-        description = "Cadvisor storage driver password.";
+        description = ''
+          Cadvisor storage driver password.
+
+          Warning: this password is stored in the world-readable Nix store. It's
+          recommended to use the <option>storageDriverPasswordFile</option> option
+          since that gives you control over the security of the password.
+          <option>storageDriverPasswordFile</option> also takes precedence over <option>storageDriverPassword</option>.
+        '';
+      };
+
+      storageDriverPasswordFile = mkOption {
+        type = types.str;
+        description = ''
+          File that contains the cadvisor storage driver password.
+
+          <option>storageDriverPasswordFile</option> takes precedence over <option>storageDriverPassword</option>
+
+          Warning: when <option>storageDriverPassword</option> is non-empty this defaults to a file in the
+          world-readable Nix store that contains the value of <option>storageDriverPassword</option>.
+
+          It's recommended to override this with a path not in the Nix store.
+          Tip: use <link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'>nixops key management</link>
+        '';
       };
 
       storageDriverSecure = mkOption {
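Review bot: `storageDriverPasswordFile` (lines 44-45) is declared with a type but no default of its own, and the default wired up in the next hunk is only applied when `storageDriverPassword` is non-empty, so a user who clears the password without setting the file, with `storageDriver` set, will most likely hit a generic "option used but not defined" evaluation error instead of a clear message. Consider stating in the description that the file must be set explicitly when `storageDriverPassword` is empty, or adding an assertion to that effect. The description should also say who reads the file: the unit carries no `User=`, so it is read by root at service start and can be made readable by root only. The `mkOption` set continues before and after this hunk.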
@@ -65,35 +87,44 @@ in {
     };
   };
 
-  config = mkIf cfg.enable {
-    systemd.services.cadvisor = {
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" "docker.service" "influxdb.service" ];
-
-      postStart = mkBefore ''
-        until ${pkgs.curl.bin}/bin/curl -s -o /dev/null 'http://${cfg.listenAddress}:${toString cfg.port}/containers/'; do
-          sleep 1;
-        done
-      '';
-
-      serviceConfig = {
-        ExecStart = ''${pkgs.cadvisor}/bin/cadvisor \
-          -logtostderr=true \
-          -listen_ip=${cfg.listenAddress} \
-          -port=${toString cfg.port} \
-          ${optionalString (cfg.storageDriver != null) ''
-            -storage_driver ${cfg.storageDriver} \
-            -storage_driver_user ${cfg.storageDriverHost} \
-            -storage_driver_db ${cfg.storageDriverDb} \
-            -storage_driver_user ${cfg.storageDriverUser} \
-            -storage_driver_password ${cfg.storageDriverPassword} \
-            ${optionalString cfg.storageDriverSecure "-storage_driver_secure"}
-          ''}
+  config = mkMerge [
+    { services.cadvisor.storageDriverPasswordFile = mkIf (cfg.storageDriverPassword != "") (
+        mkDefault (toString (pkgs.writeTextFile {
+          name = "cadvisor-storage-driver-password";
+          text = cfg.storageDriverPassword;
+        }))
+      );
+    }
+
+    (mkIf cfg.enable {
+      systemd.services.cadvisor = {
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" "docker.service" "influxdb.service" ];
+
+        postStart = mkBefore ''
+          until ${pkgs.curl.bin}/bin/curl -s -o /dev/null 'http://${cfg.listenAddress}:${toString cfg.port}/containers/'; do
+            sleep 1;
+          done
         '';
-        TimeoutStartSec=300;
-      };
-    };
 
-    virtualisation.docker.enable = mkDefault true;
-  };
+        script = ''
+          exec ${pkgs.cadvisor}/bin/cadvisor \
+            -logtostderr=true \
+            -listen_ip="${cfg.listenAddress}" \
+            -port="${toString cfg.port}" \
+            ${optionalString (cfg.storageDriver != null) ''
+              -storage_driver "${cfg.storageDriver}" \
+              -storage_driver_user "${cfg.storageDriverHost}" \
+              -storage_driver_db "${cfg.storageDriverDb}" \
+              -storage_driver_user "${cfg.storageDriverUser}" \
+              -storage_driver_password "$(cat "${cfg.storageDriverPasswordFile}")" \
+              ${optionalString cfg.storageDriverSecure "-storage_driver_secure"}
+            ''}
+        '';
+
+        serviceConfig.TimeoutStartSec=300;
+      };
+      virtualisation.docker.enable = mkDefault true;
+    })
+  ];
 }
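Review bot: The password read at line 123 is still handed to cadvisor on its command line (`-storage_driver_password "$(cat "${cfg.storageDriverPasswordFile}")"`), so once the service is running the secret is visible to every local user through the process argument list (`ps`, `/proc/<pid>/cmdline`); the new option only removes it from the Nix store. If the cadvisor binary accepts the credential some other way (environment or a config file), that path should be preferred; otherwise the `storageDriverPasswordFile` description in the previous hunk should state that the password remains visible in the host's process list. Separately, `-storage_driver_user` is passed twice (lines 120 and 122), with `cfg.storageDriverHost` under the first one — carried over from the removed code, it presumably should be `-storage_driver_host "${cfg.storageDriverHost}"`. The `$(cat …)` substitution also strips only the trailing newline, so a file with leading or extra trailing whitespace is passed as-is; worth a sentence in the option description.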