nixos/modules/services/monitoring/glpi-agent.nix at master · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / services / monitoring / glpi-agent.nix
at master 3.4 kB view raw
  1{
  2  config,
  3  lib,
  4  pkgs,
  5  ...
  6}:
  7
  8let
  9  cfg = config.services.glpiAgent;
 10
 11  settingsType =
 12    with lib.types;
 13    attrsOf (oneOf [
 14      bool
 15      int
 16      str
 17      (listOf str)
 18    ]);
 19
 20  formatValue =
 21    v:
 22    if lib.isBool v then
 23      if v then "1" else "0"
 24    else if lib.isList v then
 25      lib.concatStringsSep "," v
 26    else
 27      toString v;
 28
 29  configContent = lib.concatStringsSep "\n" (
 30    lib.mapAttrsToList (k: v: "${k} = ${formatValue v}") cfg.settings
 31  );
 32
 33  configFile = pkgs.writeText "agent.cfg" configContent;
 34
 35in
 36{
 37  options = {
 38    services.glpiAgent = {
 39      enable = lib.mkEnableOption "GLPI Agent";
 40
 41      package = lib.mkPackageOption pkgs "glpi-agent" { };
 42
 43      settings = lib.mkOption {
 44        type = settingsType;
 45        default = { };
 46        description = ''
 47          GLPI Agent configuration options.
 48          See <https://glpi-agent.readthedocs.io/en/latest/configuration.html> for all available options.
 49
 50          The 'server' option is mandatory and must point to your GLPI server.
 51        '';
 52        example = lib.literalExpression ''
 53          {
 54            server = [ "https://glpi.example.com/inventory" ];
 55            delaytime = 3600;
 56            tag = "production";
 57            logger = [ "stderr" "file" ];
 58            debug = 1;
 59            "no-category" = [ "printer" "software" ];
 60          }
 61        '';
 62      };
 63
 64      stateDir = lib.mkOption {
 65        type = lib.types.str;
 66        default = "/var/lib/glpi-agent";
 67        description = "Directory where GLPI Agent stores its state.";
 68      };
 69    };
 70  };
 71
 72  config = lib.mkIf cfg.enable {
 73    assertions = [
 74      {
 75        assertion = cfg.settings ? server;
 76        message = "GLPI Agent requires a server to be configured in services.glpiAgent.settings.server";
 77      }
 78    ];
 79
 80    systemd.services.glpi-agent = {
 81      description = "GLPI Agent";
 82      wantedBy = [ "multi-user.target" ];
 83      after = [ "network.target" ];
 84
 85      serviceConfig = {
 86        ExecStart = lib.escapeShellArgs [
 87          "${lib.getExe cfg.package}"
 88          "--conf-file"
 89          "${configFile}"
 90          "--vardir"
 91          "${cfg.stateDir}"
 92          "--daemon"
 93          "--no-fork"
 94        ];
 95
 96        DynamicUser = true;
 97        StateDirectory = "glpi-agent";
 98        CapabilityBoundingSet = [ "CAP_SYS_ADMIN" ];
 99        AmbientCapabilities = [ "CAP_SYS_ADMIN" ];
100
101        LimitCORE = 0;
102        LimitNOFILE = 65535;
103        LockPersonality = true;
104        MemorySwapMax = 0;
105        MemoryZSwapMax = 0;
106        PrivateTmp = true;
107        ProcSubset = "pid";
108        ProtectClock = true;
109        ProtectControlGroups = true;
110        ProtectHome = true;
111        ProtectHostname = true;
112        ProtectKernelLogs = true;
113        ProtectKernelModules = true;
114        ProtectKernelTunables = true;
115        ProtectProc = "invisible";
116        ProtectSystem = "strict";
117        Restart = "on-failure";
118        RestartSec = "10s";
119        RestrictAddressFamilies = [
120          "AF_INET"
121          "AF_INET6"
122          "AF_UNIX"
123          "AF_NETLINK"
124        ];
125        RestrictNamespaces = true;
126        RestrictRealtime = true;
127        SystemCallArchitectures = "native";
128        SystemCallFilter = [
129          "@system-service"
130          "@resources"
131          "~@privileged"
132        ];
133        NoNewPrivileges = true;
134        UMask = "0077";
135      };
136    };
137  };
138}