1{ config, lib, pkgs, ... }:
2
3with lib;
4
5let
# Shorthand for the option values declared by this module.
cfg = config.services.unifi-poller;

# JSON configuration passed to the daemon with --config. pkgs.writeText places
# it in the world-readable Nix store, so it must never carry secrets directly:
# the `pass` options contribute only a "file://" reference, not the password.
configFile =
  let
    settings = {
      poller = cfg.poller;
      influxdb = cfg.influxdb;
      prometheus = cfg.prometheus;
      unifi = cfg.unifi;
    };
  in
  pkgs.writeText "unifi-poller.json" (generators.toJSON { } settings);
11
12in {
13 options.services.unifi-poller = {
enable = mkEnableOption "unifi-poller";

# Logging and plugin settings for the poller itself; rendered as the "poller"
# section of the generated configuration file.
poller = {
  # Verbose diagnostics; off by default.
  debug = mkOption {
    default = false;
    type = types.bool;
    description = ''
      Turns on line numbers, microsecond logging, and a per-device log.
      This may be noisy if you have a lot of devices. It adds one line per device.
    '';
  };

  # Suppresses the periodic log lines; off by default.
  quiet = mkOption {
    default = false;
    type = types.bool;
    description = ''
      Turns off per-interval logs. Only startup and error logs will be emitted.
    '';
  };

  # NOTE(review): presumably these name plugin files that are loaded into the
  # daemon process and therefore run with the service's privileges; list only
  # files from a trusted location that the service user cannot write to.
  # Confirm against the upstream documentation.
  plugins = mkOption {
    default = [ ];
    type = types.listOf types.str;
    description = ''
      Load additional plugins.
    '';
  };
};
40
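# Settings for the Prometheus exporter; rendered as the "prometheus" section
# of the generated configuration file.
prometheus = {
  disable = mkOption {
    type = types.bool;
    default = false;
    description = ''
      Whether to disable the prometheus output plugin.
    '';
  };

  # "[::]" is the wildcard address, so the default exposes the exporter on
  # every interface rather than only on loopback. This module sets no
  # firewall rules of its own; bind to a specific address (for example a
  # loopback or management address) when the scraper does not need more.
  http_listen = mkOption {
    type = types.str;
    default = "[::]:9130";
    description = ''
      Bind the prometheus exporter to this IP or hostname.
    '';
  };

  report_errors = mkOption {
    type = types.bool;
    default = false;
    description = ''
      Whether to report errors.
    '';
  };
};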
64
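# Settings for the InfluxDB output; rendered as the "influxdb" section of the
# generated configuration file.
influxdb = {
  disable = mkOption {
    type = types.bool;
    default = false;
    description = ''
      Whether to disable the influxdb output plugin.
    '';
  };

  # The default is plain HTTP to loopback. For a database on another host use
  # an https:// URL so the user name and password are not sent in clear text;
  # verify_ssl below only has an effect on https connections.
  url = mkOption {
    type = types.str;
    default = "http://127.0.0.1:8086";
    description = ''
      URL of the influxdb host.
    '';
  };

  user = mkOption {
    type = types.str;
    default = "unifipoller";
    description = ''
      Username for the influxdb.
    '';
  };

  # The default is a store file holding the well-known password
  # "unifipoller". The Nix store is world-readable, so treat the default as a
  # placeholder and override it. Give the path as a string (constructed
  # example: "/run/keys/unifi-poller-influxdb"), not as a Nix path literal:
  # the interpolation in `apply` would copy a path literal into the store.
  pass = mkOption {
    type = types.path;
    default = pkgs.writeText "unifi-poller-influxdb-default.password" "unifipoller";
    defaultText = "unifi-poller-influxdb-default.password";
    description = ''
      Path of a file containing the password for influxdb.
      This file needs to be readable by the unifi-poller user.
    '';
    # The daemon receives a "file://" reference instead of the secret itself.
    apply = v: "file://${v}";
  };

  db = mkOption {
    type = types.str;
    default = "unifi";
    description = ''
      Database name. Database should exist.
    '';
  };

  # Keep this enabled: with verification off, the TLS connection no longer
  # authenticates the server that receives the credentials above.
  verify_ssl = mkOption {
    type = types.bool;
    default = true;
    description = ''
      Verify the influxdb's certificate.
    '';
  };

  interval = mkOption {
    type = types.str;
    default = "30s";
    description = ''
      Setting this lower than the Unifi controller's refresh
      interval may lead to zeroes in your database.
    '';
  };
};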
120
unifi =
  let
    # Per-controller options. Used twice below: as the `defaults` section and
    # as the schema of every entry in `controllers`.
    controllerOptions = {
      user = mkOption {
        default = "unifi";
        type = types.str;
        description = ''
          Unifi service user name.
        '';
      };

      # The default is a store file holding the well-known password "unifi".
      # The Nix store is world-readable, so treat the default as a placeholder
      # and override it. Give the path as a string (constructed example:
      # "/run/keys/unifi-poller-controller"), not as a Nix path literal: the
      # interpolation in `apply` would copy a path literal into the store.
      pass = mkOption {
        default = pkgs.writeText "unifi-poller-unifi-default.password" "unifi";
        defaultText = "unifi-poller-unifi-default.password";
        type = types.path;
        description = ''
          Path of a file containing the password for the unifi service user.
          This file needs to be readable by the unifi-poller user.
        '';
        # The daemon receives a "file://" reference instead of the secret.
        apply = v: "file://${v}";
      };

      url = mkOption {
        default = "https://unifi:8443";
        type = types.str;
        description = ''
          URL of the Unifi controller.
        '';
      };

      # Accepts one of the two keywords or a list of names; `apply` wraps a
      # bare keyword so the rendered value is always a list.
      sites = mkOption {
        default = "all";
        type = types.either (types.enum [ "default" "all" ]) (types.listOf types.str);
        description = ''
          List of site names for which statistics should be exported.
          Or the string "default" for the default site or the string "all" for all sites.
        '';
        apply = toList;
      };

      save_ids = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Collect and save data from the intrusion detection system to influxdb.
        '';
      };

      save_dpi = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Collect and save data from deep packet inspection.
          Adds around 150 data points and impacts performance.
        '';
      };

      save_sites = mkOption {
        default = true;
        type = types.bool;
        description = ''
          Collect and save site data.
        '';
      };

      # MD5 over a MAC address or client name is pseudonymisation at best: the
      # input space is small enough to enumerate, so do not treat the hashed
      # values as anonymous when deciding who may read the metrics.
      # NOTE(review): whether upstream salts the hash is not visible here.
      hash_pii = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Hash, with md5, client names and MAC addresses. This attempts
          to protect personally identifiable information.
        '';
      };

      # Keep this enabled: with verification off, the TLS connection no longer
      # authenticates the controller that receives the credentials above.
      verify_ssl = mkOption {
        default = true;
        type = types.bool;
        description = ''
          Verify the Unifi controller's certificate.
        '';
      };
    };
  in
  {
    # NOTE(review): presumably the scrape request then names the controller to
    # contact, using the credentials from `defaults`. If so, make sure only
    # the Prometheus server can reach prometheus.http_listen. Confirm against
    # the unifi-poller wiki.
    dynamic = mkOption {
      default = false;
      type = types.bool;
      description = ''
        Let prometheus select which controller to poll when scraping.
        Use with default credentials. See unifi-poller wiki for more.
      '';
    };

    defaults = controllerOptions;

    controllers = mkOption {
      default = [ ];
      type = types.listOf (types.submodule { options = controllerOptions; });
      description = ''
        List of Unifi controllers to poll. Use defaults if empty.
      '';
      # Drop the module system's bookkeeping attribute from every entry so it
      # does not end up in the generated JSON.
      apply = map (controller: removeAttrs controller [ "_module" ]);
    };
  };
216 };
217
config = mkIf cfg.enable {
  # Dedicated unprivileged system account and group for the daemon.
  users.groups.unifi-poller = { };
  users.users.unifi-poller = {
    isSystemUser = true;
    group = "unifi-poller";
    description = "unifi-poller Service User";
  };

  systemd.services.unifi-poller = {
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      # Run as the account declared above and restart whenever the process
      # exits.
      User = "unifi-poller";
      ExecStart = "${pkgs.unifi-poller}/bin/unifi-poller --config ${configFile}";
      Restart = "always";

      # Sandboxing. ProtectHome hides /home, /root and /run/user from the
      # service, so the files named by the `pass` options must live elsewhere
      # and be readable by the unifi-poller user.
      NoNewPrivileges = true;
      ProtectHome = true;
      ProtectSystem = "full";
      DevicePolicy = "closed";

      # The working directory is the service's own private /tmp.
      PrivateTmp = true;
      WorkingDirectory = "/tmp";

      # NOTE(review): no state directory or other writable path is declared
      # here, so tighter settings such as ProtectSystem = "strict" may be
      # possible; test against the running service before changing them.
    };
  };
};
242}