path: root/nixos/modules/services/monitoring/osquery.nix
blob: 4f6c2557a641792eafb81e6fc6b750b26ff9a258 (plain) (blame)
# NixOS module for the osquery daemon (osqueryd).
#
# It renders `services.osquery.settings` to an osquery JSON config file and
# `services.osquery.flags` to an osquery flagfile, runs osqueryd as a systemd
# service with that flagfile, and installs an `osqueryi` wrapper that reads
# the same flagfile so the interactive shell sees the daemon's configuration.
{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.services.osquery;
  # Parent directory of a path string: collapse repeated slashes with
  # normalizePath, split on "/", drop the last component and re-join.
  # NOTE(review): because the last component is dropped unconditionally, a
  # path with a trailing "/" yields the path itself (minus the slash), not its
  # parent as dirname(1) would — fine for the file paths it is used with below.
  dirname = path: with lib.strings; with lib.lists; concatStringsSep "/"
    (init (splitString "/" (normalizePath path)));

  # conf is the osquery configuration file read when --config_plugin=filesystem
  # is in effect; filesystem is osquery's default value for config_plugin.
  # The file is a derivation output in /nix/store and therefore world-readable:
  # `settings` must not carry secrets (point osquery at a file outside the
  # store via a path-valued flag instead).
  conf = pkgs.writeText "osquery.conf" (builtins.toJSON cfg.settings);

  # flagfile is the file containing osquery command line flags to be
  # provided to the application using the special --flagfile option.
  # Each attribute becomes one `--name=value` line; values are written
  # verbatim (no quoting or escaping), so a value containing a newline would
  # split into a second, bogus flag line. Like conf, it lives in the
  # world-readable store.
  flagfile = pkgs.writeText "osquery.flags"
    (concatStringsSep "\n"
      (mapAttrsToList (name: value: "--${name}=${value}")
        # Use the conf derivation if not otherwise specified; `//` is
        # right-biased, so a user-supplied config_path in cfg.flags wins.
        ({ config_path = conf; } // cfg.flags)));

  # Interactive shell wrapped to use the daemon's flagfile, with
  # --disable-database so it does not open the daemon's database
  # (presumably to avoid contending with the running osqueryd — confirm).
  osqueryi = pkgs.runCommand "osqueryi" { nativeBuildInputs = [ pkgs.makeWrapper ]; } ''
    mkdir -p $out/bin
    makeWrapper ${pkgs.osquery}/bin/osqueryi $out/bin/osqueryi \
      --add-flags "--flagfile ${flagfile} --disable-database"
  '';
in
{
  options.services.osquery = {
    enable = mkEnableOption (mdDoc "osqueryd daemon");

    # Free-form attrset serialised to JSON as-is; no schema validation is
    # performed here, osqueryd reports errors at startup.
    settings = mkOption {
      default = { };
      description = mdDoc ''
        Configuration to be written to the osqueryd JSON configuration file.
        To understand the configuration format, refer to https://osquery.readthedocs.io/en/stable/deployment/configuration/#configuration-components.
      '';
      example = {
        options.utc = false;
      };
      type = types.attrs;
    };

    # Free-form string flags plus three read-only, pinned paths. The pinned
    # ones are fixed because the systemd unit below derives PIDFile,
    # LogsDirectory and StateDirectory from them; letting users change them
    # would desynchronise the unit from the daemon.
    flags = mkOption {
      default = { };
      description = mdDoc ''
        Attribute set of flag names and values to be written to the osqueryd flagfile.
        For more information, refer to https://osquery.readthedocs.io/en/stable/installation/cli-flags.
      '';
      example = {
        config_refresh = "10";
      };
      type = with types;
        submodule {
          freeformType = attrsOf str;
          options = {
            database_path = mkOption {
              default = "/var/lib/osquery/osquery.db";
              readOnly = true;
              description = mdDoc "Path used for the database file.";
              type = path;
            };
            logger_path = mkOption {
              default = "/var/log/osquery";
              readOnly = true;
              description = mdDoc "Base directory used for logging.";
              type = path;
            };
            pidfile = mkOption {
              default = "/run/osquery/osqueryd.pid";
              readOnly = true;
              description = mdDoc "Path used for pid file.";
              type = path;
            };
          };
        };
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ osqueryi ];
    # No User= is set, so osqueryd runs as root. Everything it needs is
    # passed through the single flagfile; the JSON config is reached via
    # the config_path flag inside it.
    systemd.services.osqueryd = {
      after = [ "network.target" "syslog.service" ];
      description = "The osquery daemon";
      serviceConfig = {
        ExecStart = "${pkgs.osquery}/bin/osqueryd --flagfile ${flagfile}";
        PIDFile = cfg.flags.pidfile;
        # NOTE(review): LogsDirectory= and StateDirectory= are given the
        # absolute option values here, while systemd documents these
        # directives as taking names relative to /var/log and /var/lib —
        # confirm the absolute form is honoured (or that osqueryd creates
        # the directories itself) before relying on them for ownership
        # or permissions.
        LogsDirectory = cfg.flags.logger_path;
        StateDirectory = dirname cfg.flags.database_path;
        Restart = "always";
      };
      wantedBy = [ "multi-user.target" ];
    };
    # Create the directory holding the pidfile (root-owned, 0755) so the
    # daemon can write it; nothing else under /run is managed here.
    systemd.tmpfiles.rules = [
      "d ${dirname (cfg.flags.pidfile)} 0755 root root -"
    ];
  };
}