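{
  pkgs,
  config,
  lib,
  ...
}:

# NixOS module for the Cockpit web console (cockpit-ws + cockpit-bridge).
#
# Origins handling: `allowed-origins` is a list so that several modules can
# each contribute entries; the config section below folds the merged list
# into the single `WebService.Origins` string that cockpit.conf expects.
let
  cfg = config.services.cockpit;
  inherit (lib)
    types
    mkEnableOption
    mkOption
    mkIf
    mkPackageOption
    ;
  # INI generator/type used for /etc/cockpit/cockpit.conf
  settingsFormat = pkgs.formats.ini { };
in
{
  options = {
    services.cockpit = {
      enable = mkEnableOption "Cockpit";

      package = mkPackageOption pkgs "Cockpit" {
        default = [ "cockpit" ];
      };

      # Browser origins cockpit-ws accepts (cockpit.conf(5), WebService.Origins).
      # This module only adds https://localhost:<port>; per the upstream
      # documentation, reaching the UI through any other host name or address
      # requires listing that origin here, otherwise the WebSocket connection
      # is refused.  Contribute here rather than to settings.WebService.Origins,
      # which this module assigns itself (see the config section).
      allowed-origins = mkOption {
        type = types.listOf types.str;

        default = [ ];

        description = ''
          List of allowed origins.

          Maps to the WebService.Origins setting and allows merging from multiple modules.
        '';
      };

      # Free-form cockpit.conf contents.  The generated file is linked into
      # /etc from the world-readable Nix store, so it is not a place for secrets.
      settings = mkOption {
        type = settingsFormat.type;

        default = { };

        description = ''
          Settings for cockpit that will be saved in /etc/cockpit/cockpit.conf.

          See the [documentation](https://cockpit-project.org/guide/latest/cockpit.conf.5.html), that is also available with `man cockpit.conf.5` for details.
        '';
      };

      port = mkOption {
        description = "Port where cockpit will listen.";
        type = types.port;
        default = 9090;
      };

      # Off by default: exposing the login page beyond the host is opt-in, and
      # the externally reachable origin must then be added to allowed-origins.
      openFirewall = mkOption {
        description = "Open port for cockpit.";
        type = types.bool;
        default = false;
      };
    };
  };
  config = mkIf cfg.enable {

    # expose cockpit-bridge system-wide
    environment.systemPackages = [ cfg.package ];

    # allow cockpit to find its plugins
    environment.pathsToLink = [ "/share/cockpit" ];

    # generate cockpit settings
    environment.etc."cockpit/cockpit.conf".source = settingsFormat.generate "cockpit.conf" cfg.settings;

    # Web logins are authenticated through the "cockpit" PAM service;
    # startSession registers each login as a session like a local one would be.
    security.pam.services.cockpit = {
      startSession = true;
    };

    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];

    systemd.packages = [ cfg.package ];
    systemd.sockets.cockpit.wantedBy = [ "multi-user.target" ];
    systemd.sockets.cockpit.listenStreams = [
      "" # workaround so it doesn't listen on both ports caused by the runtime merging
      (toString cfg.port)
    ];

    systemd.tmpfiles.rules = [
      # From $out/lib/tmpfiles.d/cockpit-tmpfiles.conf
      "C /run/cockpit/inactive.motd 0640 root root - ${cfg.package}/share/cockpit/motd/inactive.motd"
      "f /run/cockpit/active.motd 0640 root root -"
      "L+ /run/cockpit/motd - - - - inactive.motd"
      # ws-certs.d is (per upstream docs) where cockpit-ws reads its TLS
      # certificates/keys; the upstream mode (0600, root only, even the
      # directory without a search bit) is kept verbatim rather than relaxed.
      "d /etc/cockpit/ws-certs.d 0600 root root 0"
    ];

    # The only origin this module trusts on its own is the loopback URL on the
    # configured port; other modules or the user extend the list.
    services.cockpit.allowed-origins = [
      "https://localhost:${toString cfg.port}"
    ];

    # Fold the merged list into the single space-separated string cockpit
    # expects.  A second definition of settings.WebService.Origins elsewhere
    # would conflict with this one (string atoms do not merge), which is
    # intended: origins are meant to flow through allowed-origins.
    services.cockpit.settings.WebService.Origins =
      builtins.concatStringsSep " " cfg.allowed-origins;
  };

  meta.maintainers = pkgs.cockpit.meta.maintainers;
}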