# NixOS module for vnStat.
#
# Declares `services.vnstat.enable`. When the option is set, the module
# installs the vnstat package system-wide, creates a dedicated system
# user and group, and runs vnstatd as a sandboxed systemd service.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (lib) mkEnableOption mkIf;

  cfg = config.services.vnstat;

  # Account the daemon runs as; the same name is used for user and group.
  daemonAccount = "vnstatd";
in
{
  options.services.vnstat.enable = mkEnableOption "update of network usage statistics via vnstatd";

  config = mkIf cfg.enable {

    # Makes the vnstat tools available on the system PATH.
    environment.systemPackages = [ pkgs.vnstat ];

    # Dedicated system account, so the daemon does not run as root.
    users.groups.${daemonAccount} = { };
    users.users.${daemonAccount} = {
      isSystemUser = true;
      group = daemonAccount;
      description = "vnstat daemon user";
    };

    systemd.services.vnstat = {
      description = "vnStat network traffic monitor";
      # NOTE(review): vnstatd is a daemon and its manual page may be
      # installed in section 8 rather than 1 — confirm against the
      # packaged man pages.
      documentation = [
        "man:vnstatd(1)"
        "man:vnstat(1)"
        "man:vnstat.conf(5)"
      ];
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      path = [ pkgs.coreutils ];

      serviceConfig = {
        # Drop to the unprivileged account declared above.
        User = daemonAccount;
        Group = daemonAccount;

        # -n keeps vnstatd in the foreground so systemd tracks the main PID.
        ExecStart = "${pkgs.vnstat}/bin/vnstatd -n";
        # Reload is a SIGHUP sent to the main process.
        ExecReload = "${pkgs.procps}/bin/kill -HUP $MAINPID";

        # Hardening (from upstream example service).
        #
        # Filesystem: everything is read-only for the service except the
        # state directory that systemd creates under /var/lib.
        ProtectSystem = "strict";
        StateDirectory = "vnstat";
        # Home directories are inaccessible; /tmp and /var/tmp are private.
        ProtectHome = true;
        PrivateTmp = true;
        # Only pseudo-devices are visible in /dev.
        PrivateDevices = true;

        # Kernel interfaces: tunables and the cgroup tree are read-only,
        # explicit module loading is denied.
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;

        # Process restrictions: no writable+executable mappings, no
        # realtime scheduling, no new namespaces.
        MemoryDenyWriteExecute = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;

        # NOTE(review): NoNewPrivileges, CapabilityBoundingSet,
        # SystemCallFilter and RestrictAddressFamilies are not set in this
        # unit. `systemd-analyze security vnstat.service` reports the
        # remaining exposure; confirm what the daemon needs before
        # tightening further.
      };
    };
  };

  meta.maintainers = with lib.maintainers; [ evils ];
}