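# NixOS module for the Glances system monitor.
#
# Declares the `services.glances.*` options and, when enabled, installs the
# package and runs `glances` as a sandboxed systemd service under a transient
# unprivileged user. The firewall is only opened when the admin explicitly
# sets `openFirewall = true`.
{
  pkgs,
  config,
  lib,
  utils,
  ...
}:
let
  cfg = config.services.glances;

  inherit (lib)
    getExe
    maintainers
    mkEnableOption
    mkOption
    mkIf
    mkPackageOption
    ;

  inherit (lib.types)
    bool
    listOf
    port
    str
    ;

  inherit (utils)
    escapeSystemdExecArgs
    ;
in
{
  options.services.glances = {
    enable = mkEnableOption "Glances";

    package = mkPackageOption pkgs "glances" { };

    port = mkOption {
      # Fixed typo: "isten" -> "listen".
      description = "Port the server will listen on.";
      type = port;
      default = 61208;
    };

    openFirewall = mkOption {
      description = "Open port in the firewall for glances.";
      type = bool;
      default = false;
    };

    extraArgs = mkOption {
      type = listOf str;
      # The default starts the web server only. This module configures no
      # authentication and no bind address for it; anything beyond the defaults
      # (see the glances command-line docs) has to be supplied here.
      # NOTE(review): confirm what the web server exposes and to which
      # interfaces before combining the default with `openFirewall = true`.
      default = [ "--webserver" ];
      example = [
        "--webserver"
        "--disable-webui"
      ];
      description = ''
        Extra command-line arguments to pass to glances.

        See <https://glances.readthedocs.io/en/latest/cmds.html> for all available options.
      '';
    };
  };

  config = mkIf cfg.enable {

    environment.systemPackages = [ cfg.package ];

    systemd.services."glances" = {
      description = "Glances";
      documentation = [ "man:glances(1)" ];
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        # Transient, unprivileged user allocated by systemd for this unit.
        DynamicUser = true;
        # `cfg.port` is typed as a port (integer), so toString cannot inject
        # extra arguments; `extraArgs` is escaped for systemd so user-provided
        # values with spaces or quotes stay single arguments.
        ExecStart = "${getExe cfg.package} --port ${toString cfg.port} ${escapeSystemdExecArgs cfg.extraArgs}";
        Restart = "on-failure";

        # Sandboxing: most of the filesystem and kernel interfaces are
        # read-only or hidden from the service.
        NoNewPrivileges = true;
        ProtectSystem = "full";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        MemoryDenyWriteExecute = true;
        # AF_NETLINK is presumably needed for network interface statistics;
        # AF_UNIX for local sockets — TODO confirm against glances' plugins.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_NETLINK"
          "AF_UNIX"
        ];
        LockPersonality = true;
        RestrictRealtime = true;
        ProtectClock = true;
        # The only writable location re-opened under the sandbox; assumed to be
        # where glances writes its log file — TODO confirm.
        ReadWritePaths = [ "/var/log" ];

        # Lets the unprivileged user bind a configured port below 1024;
        # the default port (61208) does not need it.
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
        SystemCallFilter = [ "@system-service" ];
      };
    };

    # Only the configured port, and only when the admin opts in.
    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
  };

  meta.maintainers = with maintainers; [ claha ];
}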