Diffstat (limited to 'nixpkgs/nixos/modules/services/networking/mtr-exporter.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/networking/mtr-exporter.nix | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/mtr-exporter.nix b/nixpkgs/nixos/modules/services/networking/mtr-exporter.nix
new file mode 100644
index 000000000000..ca261074ebde
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/mtr-exporter.nix
@@ -0,0 +1,87 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib)
+ maintainers types mkEnableOption mkOption mkIf
+ literalExpression escapeShellArg escapeShellArgs;
+ cfg = config.services.mtr-exporter;
+in {
+ options = {
+ services = {
+ mtr-exporter = {
+ enable = mkEnableOption "a Prometheus exporter for MTR";
+
+ target = mkOption {
+ type = types.str;
+ example = "example.org";
+ description = "Target to check using MTR.";
+ };
+
+ interval = mkOption {
+ type = types.int;
+ default = 60;
+ description = "Interval between MTR checks in seconds.";
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 8080;
+ description = "Listen port for MTR exporter.";
+ };
+
+ address = mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ description = "Listen address for MTR exporter.";
+ };
+
+ mtrFlags = mkOption {
+ type = with types; listOf str;
+ default = [];
+ example = ["-G1"];
+ description = "Additional flags to pass to MTR.";
+ };
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.mtr-exporter = {
+ script = ''
+ exec ${pkgs.mtr-exporter}/bin/mtr-exporter \
+ -mtr ${pkgs.mtr}/bin/mtr \
+ -schedule '@every ${toString cfg.interval}s' \
+ -bind ${escapeShellArg cfg.address}:${toString cfg.port} \
+ -- \
+ ${escapeShellArgs (cfg.mtrFlags ++ [ cfg.target ])}
+ '';
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "network.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ Restart = "on-failure";
+ # Hardening
+ CapabilityBoundingSet = [ "" ];
+ DynamicUser = true;
+ LockPersonality = true;
+ ProcSubset = "pid";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ };
+ };
+ };
+
+ meta.maintainers = with maintainers; [ jakubgs ];
+} |
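Review bot: The `# Hardening` block sets `CapabilityBoundingSet = [ "" ]` and `PrivateUsers = true` while the script invokes the unwrapped `${pkgs.mtr}/bin/mtr`, so mtr can never obtain CAP_NET_RAW inside this unit and probing presumably depends on the kernel permitting unprivileged ICMP sockets for the dynamic user's group. The module does not state that dependency anywhere; I would add a comment above the capability line such as `# No CAP_NET_RAW: mtr must use unprivileged ICMP sockets (net.ipv4.ping_group_range)`, after confirming that this is how it behaves on a default NixOS host. The sandbox also leaves socket families unrestricted; a `RestrictAddressFamilies` list limited to what the exporter and mtr actually need would narrow it further, with the exact set verified by testing. Separately, `interval` is declared as `types.int`, which accepts zero and negative values that are then interpolated into the `@every …s` schedule; `type = types.ints.positive;` rejects them at evaluation time.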