diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index 15ec2e868b89..04aeb33878b8 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -88,7 +88,7 @@ let
};
user = mkOption {
type = types.str;
- default = "nobody";
+ default = "${name}-exporter";
description = ''
User name under which the ${name} exporter shall be run.
Has no effect when is true.
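Review bot: The description under the new `default = "${name}-exporter";` does not tell the operator that the module declares this account only while the option keeps its default value; the `group` option in the next hunk has the same gap. Judging by the `mkIf` conditions added further down in this commit, any other value means no user or group is created, so the exporter then depends on an account declared elsewhere. I would append to both descriptions something like `The account is created automatically only when this option is left at its default; any other value must be declared via users.users / users.groups.` The option definitions start and end outside these hunks.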
@@ -96,7 +96,7 @@ let
};
group = mkOption {
type = types.str;
- default = "nobody";
+ default = "${name}-exporter";
description = ''
Group under which the ${name} exporter shall be run.
Has no effect when is true.
@@ -129,6 +129,18 @@ let
mkExporterConf = { name, conf, serviceOpts }:
mkIf conf.enable {
warnings = conf.warnings or [];
+ users.users = (mkIf (conf.user == "${name}-exporter") {
+ "${name}-exporter" = {
+ description = ''
+ Prometheus ${name} exporter service user
+ '';
+ isSystemUser = true;
+ inherit (conf) group;
+ };
+ });
+ users.groups = (mkIf (conf.group == "${name}-exporter") {
+ "${name}-exporter" = {};
+ });
networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
"ip46tables -A nixos-fw ${conf.firewallFilter} "
"-m comment --comment ${name}-exporter -j nixos-fw-accept"
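Review bot: The static account in `users.users` is declared whenever `conf.user` is the default, even for exporters whose unit runs with systemd's DynamicUser, where the option description says the setting has no effect. If the unit also sets `User=` to that name, systemd would pick up the static account instead of allocating a dynamic one, which is probably not intended; the unit definition is outside the hunk, so this needs confirming. A guard such as `mkIf (conf.user == "${name}-exporter" && !(serviceOpts.serviceConfig.DynamicUser or false))` on both `users.users` and `users.groups` would avoid it. Separately, `inherit (conf) group;` assigns whatever group is configured, but the group is only declared when it equals the default, so a custom `group` with the default `user` refers to a group this module never creates. The body of `mkExporterConf` continues past the end of the hunk.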
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
index 039242b730c6..39c908fea572 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
@@ -39,8 +39,8 @@ in
mail_plugins = $mail_plugins old_stats
service old-stats {
unix_listener old-stats {
- user = nobody
- group = nobody
+ user = dovecot-exporter
+ group = dovecot-exporter
}
}
''';
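Review bot: The example listener now hard-codes `dovecot-exporter`, which is correct only while the exporter's `user` and `group` options keep their new defaults. Since the socket owner is what grants the exporter access to `old-stats`, I would add a sentence next to the example such as `The listener's user and group must match services.prometheus.exporters.dovecot.user and .group.` The surrounding description string starts outside the hunk.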