author | Maximilian Bosch <maximilian@mbosch.me> | 2022-07-20 20:42:14 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-20 20:42:14 +0200 |
commit | 501bbad4ce34c9d81d6d2b75e7e7126a9db3907c (patch) | |
tree | 41f59afea174e4e53b05085aaa559d78260f2775 /nixos | |
parent | a115cf16e7741a7e0591e126cab694b75cd51a04 (diff) | |
parent | 92bd77e85e024c4a58e00cb9f6ff1e6e501ddf02 (diff) |
Merge pull request #182104 from mayflower/mail-exporter-secrets
nixos/prometheus-mail-exporter: support storing `passphrase` outside of the store, use umask when using envsubst
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/monitoring/prometheus/exporters/mail.nix | 21 | ||||
-rw-r--r-- | nixos/modules/services/networking/mxisd.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/security/privacyidea.nix | 1 | ||||
-rw-r--r-- | nixos/tests/prometheus-exporters.nix | 8 |
4 files changed, 25 insertions, 6 deletions
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix index 956bd96aa4543..a60f47f63932a 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix @@ -5,6 +5,8 @@ with lib; let cfg = config.services.prometheus.exporters.mail; + configFile = if cfg.configuration != null then configurationFile else (escapeShellArg cfg.configFile); + configurationFile = pkgs.writeText "prometheus-mail-exporter.conf" (builtins.toJSON ( # removes the _module attribute, null values and converts attrNames to lowercase mapAttrs' (name: value: @@ -137,6 +139,13 @@ in { port = 9225; extraOpts = { + environmentFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + File containing env-vars to be substituted into the exporter's config. + ''; + }; configFile = mkOption { type = types.nullOr types.path; default = null; @@ -162,13 +171,19 @@ in serviceOpts = { serviceConfig = { DynamicUser = false; + EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ]; + RuntimeDirectory = "prometheus-mail-exporter"; + ExecStartPre = [ + "${pkgs.writeShellScript "subst-secrets-mail-exporter" '' + umask 0077 + ${pkgs.envsubst}/bin/envsubst -i ${configFile} -o ''${RUNTIME_DIRECTORY}/mail-exporter.json + ''}" + ]; ExecStart = '' ${pkgs.prometheus-mail-exporter}/bin/mailexporter \ --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ --web.telemetry-path ${cfg.telemetryPath} \ - --config.file ${ - if cfg.configuration != null then configurationFile else (escapeShellArg cfg.configFile) - } \ + --config.file ''${RUNTIME_DIRECTORY}/mail-exporter.json \ ${concatStringsSep " \\\n " cfg.extraFlags} ''; }; diff --git a/nixos/modules/services/networking/mxisd.nix b/nixos/modules/services/networking/mxisd.nix index 5b1e0dee8e359..1509671bc54ae 100644 
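Review bot: The new `environmentFile` option's description does not say why it is a `types.str` rather than a `types.path`, which is the whole point of the change: a `path` would copy the secret into the world-readable Nix store, and systemd reads this file at start-up instead. I would replace the description with `File containing environment variables (in systemd `EnvironmentFile` format) that are substituted into the exporter's configuration with envsubst at start-up. It is read by systemd at runtime and must not reside in the Nix store, since it is meant to hold secrets such as the IMAP `passphrase`.` The option is consistent with the existing `environmentFile` in mxisd.nix, so the same wording could be reused there.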
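Review bot: In the `serviceOpts` hunk the substituted config lands in `RuntimeDirectory = "prometheus-mail-exporter"` with only `umask 0077` protecting it; the directory itself keeps systemd's default mode, so other users can still list the directory even though the file is 0600. Since `DynamicUser = false` here, adding `RuntimeDirectoryMode = "0700";` next to `RuntimeDirectory` closes that gap at no cost. A second consequence worth a comment in the script: the `ExecStartPre` now runs envsubst over `cfg.configFile` unconditionally, so a user-supplied config that contains a literal `$NAME` sequence is presumably rewritten even when `environmentFile` is null, which the previous direct `--config.file` did not do. The enclosing `serviceOpts` attribute set continues outside the hunk.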
--- a/nixos/modules/services/networking/mxisd.nix +++ b/nixos/modules/services/networking/mxisd.nix @@ -130,6 +130,7 @@ in { EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ]; ExecStart = "${cfg.package}/bin/${executable} -c ${cfg.dataDir}/mxisd-config.yaml"; ExecStartPre = "${pkgs.writeShellScript "mxisd-substitute-secrets" '' + umask 0077 ${pkgs.envsubst}/bin/envsubst -o ${cfg.dataDir}/mxisd-config.yaml \ -i ${configFile} ''}"; diff --git a/nixos/modules/services/security/privacyidea.nix b/nixos/modules/services/security/privacyidea.nix index 13e27f255068b..1f5639d475e85 100644 --- a/nixos/modules/services/security/privacyidea.nix +++ b/nixos/modules/services/security/privacyidea.nix @@ -332,6 +332,7 @@ in [ cfg.ldap-proxy.environmentFile ]; ExecStartPre = "${pkgs.writeShellScript "substitute-secrets-ldap-proxy" '' + umask 0077 ${pkgs.envsubst}/bin/envsubst \ -i ${ldapProxyConfig} \ -o $STATE_DIRECTORY/ldap-proxy.ini diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index a3092d101d87e..0a1ec824986ab 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -557,10 +557,12 @@ let systemd.services.prometheus-mail-exporter = { after = [ "postfix.service" ]; requires = [ "postfix.service" ]; - preStart = '' - mkdir -p -m 0700 mail-exporter/new - ''; serviceConfig = { + ExecStartPre = [ + "${pkgs.writeShellScript "create-maildir" '' + mkdir -p -m 0700 mail-exporter/new + ''}" + ]; ProtectHome = true; ReadOnlyPaths = "/"; ReadWritePaths = "/var/spool/mail"; |
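Review bot: `umask 0077` only governs the mode of files envsubst creates; in mxisd.nix the output `${cfg.dataDir}/mxisd-config.yaml` and in privacyidea.nix `$STATE_DIRECTORY/ldap-proxy.ini` persist across restarts, so a file written by an earlier, pre-umask run is most likely rewritten in place and keeps its old, wider mode. Appending `chmod 0600 ${cfg.dataDir}/mxisd-config.yaml` after the envsubst call (and `chmod 0600 $STATE_DIRECTORY/ldap-proxy.ini` in the privacyidea script) makes the tightening apply to existing deployments as well. The mail exporter does not have this problem because its output lives in a `RuntimeDirectory` that systemd recreates for each run. Both `ExecStartPre` scripts end outside their hunks.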
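Review bot: The test change in prometheus-exporters.nix only moves the maildir setup from `preStart` to an `ExecStartPre` list entry and adds no coverage for the feature this PR introduces: nothing sets `environmentFile`, so neither the envsubst substitution nor the `umask 0077` result is exercised. A minimal addition would point `environmentFile` at a file created in the test VM and assert on the generated config's mode, e.g. `stat -c %a /run/prometheus-mail-exporter/mail-exporter.json` expecting `600`; the exact placement depends on the `exporterTest` structure, which continues outside the hunk. It may also be worth a comment explaining that `preStart` had to become `ExecStartPre` because the module now sets `ExecStartPre` as a list, which presumably no longer merges with the string `preStart` generates.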