pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / monitoring / cockpit.nix
at master 3.6 kB view raw
1{ 2 pkgs, 3 config, 4 lib, 5 ... 6}: 7 8let 9 cfg = config.services.cockpit; 10 inherit (lib) 11 types 12 mkEnableOption 13 mkOption 14 mkIf 15 mkPackageOption 16 ; 17 settingsFormat = pkgs.formats.ini { }; 18in 19{ 20 options = { 21 services.cockpit = { 22 enable = mkEnableOption "Cockpit"; 23 24 package = mkPackageOption pkgs "Cockpit" { 25 default = [ "cockpit" ]; 26 }; 27 28 allowed-origins = lib.mkOption { 29 type = types.listOf types.str; 30 31 default = [ ]; 32 33 description = '' 34 List of allowed origins. 35 36 Maps to the WebService.Origins setting and allows merging from multiple modules. 37 ''; 38 }; 39 40 settings = lib.mkOption { 41 type = settingsFormat.type; 42 43 default = { }; 44 45 description = '' 46 Settings for cockpit that will be saved in /etc/cockpit/cockpit.conf. 47 48 See the [documentation](https://cockpit-project.org/guide/latest/cockpit.conf.5.html), that is also available with `man cockpit.conf.5` for details. 49 ''; 50 }; 51 52 showBanner = mkOption { 53 description = "Whether to add the Cockpit banner to the issue and motd files."; 54 type = types.bool; 55 default = true; 56 example = false; 57 }; 58 59 port = mkOption { 60 description = "Port where cockpit will listen."; 61 type = types.port; 62 default = 9090; 63 }; 64 65 openFirewall = mkOption { 66 description = "Open port for cockpit."; 67 type = types.bool; 68 default = false; 69 }; 70 }; 71 }; 72 73 config = mkIf cfg.enable { 74 # expose cockpit-bridge system-wide 75 environment.systemPackages = [ cfg.package ]; 76 77 # allow cockpit to find its plugins 78 environment.pathsToLink = [ "/share/cockpit" ]; 79 80 environment.etc = { 81 # generate cockpit settings 82 "cockpit/cockpit.conf".source = settingsFormat.generate "cockpit.conf" cfg.settings; 83 84 # Add "Web console: ..." line to issue and MOTD 85 "issue.d/cockpit.issue" = { 86 enable = cfg.showBanner; 87 source = "/run/cockpit/issue"; 88 }; 89 "motd.d/cockpit" = { 90 enable = cfg.showBanner; 91 source = "/run/cockpit/issue"; 92 }; 93 }; 94 95 security.pam.services.cockpit = { 96 startSession = true; 97 }; 98 99 networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; 100 101 systemd.packages = [ cfg.package ]; 102 103 systemd.sockets.cockpit = { 104 wantedBy = [ "multi-user.target" ]; 105 listenStreams = [ 106 "" # workaround so it doesn't listen on both ports caused by the runtime merging 107 (toString cfg.port) 108 ]; 109 }; 110 111 # Enable connecting to remote hosts from the login page 112 systemd.services = mkIf (cfg.settings ? LoginTo -> cfg.settings.LoginTo) { 113 "cockpit-wsinstance-http".path = [ 114 config.programs.ssh.package 115 cfg.package 116 ]; 117 "cockpit-wsinstance-https@".path = [ 118 config.programs.ssh.package 119 cfg.package 120 ]; 121 }; 122 123 systemd.tmpfiles.rules = [ 124 # From $out/lib/tmpfiles.d/cockpit-tmpfiles.conf 125 "C /run/cockpit/inactive.motd 0640 root root - ${cfg.package}/share/cockpit/motd/inactive.motd" 126 "f /run/cockpit/active.motd 0640 root root -" 127 "L+ /run/cockpit/motd - - - - inactive.motd" 128 "d /etc/cockpit/ws-certs.d 0600 root root 0" 129 ]; 130 131 services.cockpit.allowed-origins = [ 132 "https://localhost:${toString config.services.cockpit.port}" 133 ]; 134 135 services.cockpit.settings.WebService.Origins = 136 builtins.concatStringsSep " " config.services.cockpit.allowed-origins; 137 }; 138 139 meta.maintainers = pkgs.cockpit.meta.maintainers; 140}