pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #182104 from mayflower/mail-exporter-secrets

nixos/prometheus-mail-exporter: support storing `passphrase` outside of the store, use umask when using envsubst

Maximilian Bosch 501bbad4 a115cf16

options
unified split
Changed files
+25 -6
nixos
modules
services
monitoring
prometheus
exporters
mail.nix
networking
mxisd.nix
security
privacyidea.nix
tests
prometheus-exporters.nix
+18 -3
nixos/modules/services/monitoring/prometheus/exporters/mail.nix 
···

       
5

       
5

       
 

       
let


     

       
6

       
6

       
 

       
  cfg = config.services.prometheus.exporters.mail;


     

       
7

       
7

       
 

       



     

       

       
8

       
+

       
  configFile = if cfg.configuration != null then configurationFile else (escapeShellArg cfg.configFile);


     

       

       
9

       
+

       



     

       
8

       
10

       
 

       
  configurationFile = pkgs.writeText "prometheus-mail-exporter.conf" (builtins.toJSON (


     

       
9

       
11

       
 

       
    # removes the _module attribute, null values and converts attrNames to lowercase


     

       
10

       
12

       
 

       
    mapAttrs' (name: value:


     
···

       
137

       
139

       
 

       
{


     

       
138

       
140

       
 

       
  port = 9225;


     

       
139

       
141

       
 

       
  extraOpts = {


     

       

       
142

       
+

       
    environmentFile = mkOption {


     

       

       
143

       
+

       
      type = types.nullOr types.str;


     

       

       
144

       
+

       
      default = null;


     

       

       
145

       
+

       
      description = ''


     

       

       
146

       
+

       
        File containing env-vars to be substituted into the exporter's config.


     

       

       
147

       
+

       
      '';


     

       

       
148

       
+

       
    };


     

       
140

       
149

       
 

       
    configFile = mkOption {


     

       
141

       
150

       
 

       
      type = types.nullOr types.path;


     

       
142

       
151

       
 

       
      default = null;


     
···

       
162

       
171

       
 

       
  serviceOpts = {


     

       
163

       
172

       
 

       
    serviceConfig = {


     

       
164

       
173

       
 

       
      DynamicUser = false;


     

       

       
174

       
+

       
      EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];


     

       

       
175

       
+

       
      RuntimeDirectory = "prometheus-mail-exporter";


     

       

       
176

       
+

       
      ExecStartPre = [


     

       

       
177

       
+

       
        "${pkgs.writeShellScript "subst-secrets-mail-exporter" ''


     

       

       
178

       
+

       
          umask 0077


     

       

       
179

       
+

       
          ${pkgs.envsubst}/bin/envsubst -i ${configFile} -o ''${RUNTIME_DIRECTORY}/mail-exporter.json


     

       

       
180

       
+

       
        ''}"


     

       

       
181

       
+

       
      ];


     

       
165

       
182

       
 

       
      ExecStart = ''


     

       
166

       
183

       
 

       
        ${pkgs.prometheus-mail-exporter}/bin/mailexporter \


     

       
167

       
184

       
 

       
          --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \


     

       
168

       
185

       
 

       
          --web.telemetry-path ${cfg.telemetryPath} \


     

       
169

       

       
-

       
          --config.file ${


     

       
170

       

       
-

       
            if cfg.configuration != null then configurationFile else (escapeShellArg cfg.configFile)


     

       
171

       

       
-

       
          } \


     

       

       
186

       
+

       
          --config.file ''${RUNTIME_DIRECTORY}/mail-exporter.json \


     

       
172

       
187

       
 

       
          ${concatStringsSep " \\\n  " cfg.extraFlags}


     

       
173

       
188

       
 

       
      '';


     

       
174

       
189

       
 

       
    };
+1
nixos/modules/services/networking/mxisd.nix 
···

       
130

       
130

       
 

       
        EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];


     

       
131

       
131

       
 

       
        ExecStart = "${cfg.package}/bin/${executable} -c ${cfg.dataDir}/mxisd-config.yaml";


     

       
132

       
132

       
 

       
        ExecStartPre = "${pkgs.writeShellScript "mxisd-substitute-secrets" ''


     

       

       
133

       
+

       
          umask 0077


     

       
133

       
134

       
 

       
          ${pkgs.envsubst}/bin/envsubst -o ${cfg.dataDir}/mxisd-config.yaml \


     

       
134

       
135

       
 

       
            -i ${configFile}


     

       
135

       
136

       
 

       
        ''}";
+1
nixos/modules/services/security/privacyidea.nix 
···

       
332

       
332

       
 

       
            [ cfg.ldap-proxy.environmentFile ];


     

       
333

       
333

       
 

       
          ExecStartPre =


     

       
334

       
334

       
 

       
            "${pkgs.writeShellScript "substitute-secrets-ldap-proxy" ''


     

       

       
335

       
+

       
              umask 0077


     

       
335

       
336

       
 

       
              ${pkgs.envsubst}/bin/envsubst \


     

       
336

       
337

       
 

       
                -i ${ldapProxyConfig} \


     

       
337

       
338

       
 

       
                -o $STATE_DIRECTORY/ldap-proxy.ini
+5 -3
nixos/tests/prometheus-exporters.nix 
···

       
557

       
557

       
 

       
        systemd.services.prometheus-mail-exporter = {


     

       
558

       
558

       
 

       
          after = [ "postfix.service" ];


     

       
559

       
559

       
 

       
          requires = [ "postfix.service" ];


     

       
560

       

       
-

       
          preStart = ''


     

       
561

       

       
-

       
            mkdir -p -m 0700 mail-exporter/new


     

       
562

       

       
-

       
          '';


     

       
563

       
560

       
 

       
          serviceConfig = {


     

       

       
561

       
+

       
            ExecStartPre = [


     

       

       
562

       
+

       
              "${pkgs.writeShellScript "create-maildir" ''


     

       

       
563

       
+

       
                mkdir -p -m 0700 mail-exporter/new


     

       

       
564

       
+

       
              ''}"


     

       

       
565

       
+

       
            ];


     

       
564

       
566

       
 

       
            ProtectHome = true;


     

       
565

       
567

       
 

       
            ReadOnlyPaths = "/";


     

       
566

       
568

       
 

       
            ReadWritePaths = "/var/spool/mail";