···
storageDriverPassword = mkOption {
57
-
description = "Cadvisor storage driver password.";
58
+
Cadvisor storage driver password.
60
+
Warning: this password is stored in the world-readable Nix store. It's
61
+
recommended to use the <option>storageDriverPasswordFile</option> option
62
+
since that gives you control over the security of the password.
63
+
<option>storageDriverPasswordFile</option> also takes precedence over <option>storageDriverPassword</option>.
67
+
storageDriverPasswordFile = mkOption {
70
+
File that contains the cadvisor storage driver password.
72
+
<option>storageDriverPasswordFile</option> takes precedence over <option>storageDriverPassword</option>
74
+
Warning: when <option>storageDriverPassword</option> is non-empty this defaults to a file in the
75
+
world-readable Nix store that contains the value of <option>storageDriverPassword</option>.
77
+
It's recommended to override this with a path not in the Nix store.
78
+
Tip: use <link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'>nixops key management</link>
storageDriverSecure = mkOption {
···
68
-
config = mkIf cfg.enable {
69
-
systemd.services.cadvisor = {
70
-
wantedBy = [ "multi-user.target" ];
71
-
after = [ "network.target" "docker.service" "influxdb.service" ];
91
+
{ services.cadvisor.storageDriverPasswordFile = mkIf (cfg.storageDriverPassword != "") (
92
+
mkDefault (toString (pkgs.writeTextFile {
93
+
name = "cadvisor-storage-driver-password";
94
+
text = cfg.storageDriverPassword;
73
-
postStart = mkBefore ''
74
-
until ${pkgs.curl.bin}/bin/curl -s -o /dev/null 'http://${cfg.listenAddress}:${toString cfg.port}/containers/'; do
100
+
systemd.services.cadvisor = {
101
+
wantedBy = [ "multi-user.target" ];
102
+
after = [ "network.target" "docker.service" "influxdb.service" ];
104
+
postStart = mkBefore ''
105
+
until ${pkgs.curl.bin}/bin/curl -s -o /dev/null 'http://${cfg.listenAddress}:${toString cfg.port}/containers/'; do
80
-
ExecStart = ''${pkgs.cadvisor}/bin/cadvisor \
82
-
-listen_ip=${cfg.listenAddress} \
83
-
-port=${toString cfg.port} \
84
-
${optionalString (cfg.storageDriver != null) ''
85
-
-storage_driver ${cfg.storageDriver} \
86
-
-storage_driver_user ${cfg.storageDriverHost} \
87
-
-storage_driver_db ${cfg.storageDriverDb} \
88
-
-storage_driver_user ${cfg.storageDriverUser} \
89
-
-storage_driver_password ${cfg.storageDriverPassword} \
90
-
${optionalString cfg.storageDriverSecure "-storage_driver_secure"}
111
+
exec ${pkgs.cadvisor}/bin/cadvisor \
112
+
-logtostderr=true \
113
+
-listen_ip="${cfg.listenAddress}" \
114
+
-port="${toString cfg.port}" \
115
+
${optionalString (cfg.storageDriver != null) ''
116
+
-storage_driver "${cfg.storageDriver}" \
117
+
-storage_driver_user "${cfg.storageDriverHost}" \
118
+
-storage_driver_db "${cfg.storageDriverDb}" \
119
+
-storage_driver_user "${cfg.storageDriverUser}" \
120
+
-storage_driver_password "$(cat "${cfg.storageDriverPasswordFile}")" \
121
+
${optionalString cfg.storageDriverSecure "-storage_driver_secure"}
93
-
TimeoutStartSec=300;
97
-
virtualisation.docker.enable = mkDefault true;
125
+
serviceConfig.TimeoutStartSec=300;
127
+
virtualisation.docker.enable = mkDefault true;
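Review bot: On new line 120, `-storage_driver_password "$(cat "${cfg.storageDriverPasswordFile}")"` still expands the secret into cadvisor's argv, so any local user who can list processes can read it for as long as the service runs. The file option keeps the password out of the Nix store but not out of the process table. If cadvisor has no other way to take the password, the `storageDriverPasswordFile` description should say so, e.g. `Note: the password is still passed to cadvisor on its command line and is visible in the process list.` Separately, new line 117 carries over `-storage_driver_user "${cfg.storageDriverHost}"`, which looks like it should be `-storage_driver_host "${cfg.storageDriverHost}"`; as written, the later `-storage_driver_user` on line 119 would override it and the host would never be passed. The script body and the option declarations are only partly visible on this page, so both points should be checked against the full file.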