# NixOS module for vnStat: installs the vnstat package system-wide and runs
# vnstatd under a dedicated system account inside a sandboxed systemd unit.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.vnstat;
in
{
  options.services.vnstat.enable =
    lib.mkEnableOption (lib.mdDoc "update of network usage statistics via vnstatd");

  config = lib.mkIf cfg.enable {

    # Put the vnstat package on the system profile.
    environment.systemPackages = [ pkgs.vnstat ];

    # Dedicated account and group; the unit below runs as these (User/Group).
    users.groups.vnstatd = { };
    users.users.vnstatd = {
      isSystemUser = true;
      group = "vnstatd";
      description = "vnstat daemon user";
    };

    systemd.services.vnstat = {
      description = "vnStat network traffic monitor";
      documentation = [
        "man:vnstatd(1)"
        "man:vnstat(1)"
        "man:vnstat.conf(5)"
      ];
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # Adds coreutils to the unit's PATH.
      path = [ pkgs.coreutils ];

      serviceConfig = {
        # Run as the unprivileged account declared above rather than root.
        User = "vnstatd";
        Group = "vnstatd";

        # -n keeps vnstatd in the foreground so systemd tracks it directly.
        ExecStart = "${pkgs.vnstat}/bin/vnstatd -n";
        # Reload is a SIGHUP to the main process.
        ExecReload = "${pkgs.procps}/bin/kill -HUP $MAINPID";

        # Hardening (from upstream example service).
        # File system: everything is read-only for the service except the
        # state directory systemd creates for it (/var/lib/vnstat).
        ProtectSystem = "strict";
        StateDirectory = "vnstat";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;

        # Kernel interfaces: no writes to sysctl/cgroup trees, no module loading.
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;

        # Process restrictions: no W+X memory, no realtime scheduling,
        # no new namespaces.
        MemoryDenyWriteExecute = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;

        # NOTE(review): NoNewPrivileges, CapabilityBoundingSet,
        # RestrictAddressFamilies and SystemCallFilter are not set in this
        # unit; `systemd-analyze security vnstat.service` reports what
        # exposure remains before tightening further.
      };
    };
  };

  meta.maintainers = [ lib.maintainers.evils ];
}