From 495222a840d3a09dbde029e60f83218c31575c97 Mon Sep 17 00:00:00 2001
From: WilliButz
Date: Fri, 2 Aug 2019 15:10:27 +0200
Subject: [PATCH] nixos/prometheus-exporter: use separate user for each exporter

Stop using nobody/nogroup by default and use seperate users for each exporter instead.
---
 .../services/monitoring/prometheus/exporters.nix | 16 ++++++++++++++--
 .../monitoring/prometheus/exporters/dovecot.nix | 4 ++--
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index 15ec2e868b89..04aeb33878b8 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -88,7 +88,7 @@ let
     };
     user = mkOption {
       type = types.str;
-      default = "nobody";
+      default = "${name}-exporter";
       description = ''
         User name under which the ${name} exporter shall be run.
         Has no effect when is true.
@@ -96,7 +96,7 @@ let
     };
     group = mkOption {
       type = types.str;
-      default = "nobody";
+      default = "${name}-exporter";
       description = ''
         Group under which the ${name} exporter shall be run.
         Has no effect when is true.
@@ -129,6 +129,18 @@ let
   mkExporterConf = { name, conf, serviceOpts }:
     mkIf conf.enable {
       warnings = conf.warnings or [];
+      users.users = (mkIf (conf.user == "${name}-exporter") {
+        "${name}-exporter" = {
+          description = ''
+            Prometheus ${name} exporter service user
+          '';
+          isSystemUser = true;
+          inherit (conf) group;
+        };
+      });
+      users.groups = (mkIf (conf.group == "${name}-exporter") {
+        "${name}-exporter" = {};
+      });
       networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
         "ip46tables -A nixos-fw ${conf.firewallFilter} "
         "-m comment --comment ${name}-exporter -j nixos-fw-accept"
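Review bot: The new default `${name}-exporter` names an account that exists only because the module creates it later in this file, and the `user` option description does not say so; an administrator overriding the option gets no hint that a custom value must name a pre-existing user. I would extend the description with a sentence such as `If left at the default, a dedicated system user and group are created for the exporter; any other value must name an existing user.` The same wording applies to the `group` option in the next hunk. The option set these definitions belong to starts before the hunk.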
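Review bot: The `description` of the new system user is an indented `''` string, which keeps the newline before the closing `''`, so the value handed to the passwd entry would carry a trailing newline; a plain `description = "Prometheus ${name} exporter service user";` avoids that. Separately, the account is provisioned whenever `conf.user` is left at its default, including for exporters whose `user`/`group` descriptions say the value has no effect under some condition (the option name is lost in this rendering, presumably a dynamic-user setting), so such exporters would gain an unused static account; gating the two `mkIf`s on that condition as well would keep the least-privilege change tight. The `mkExporterConf` body continues past the end of the hunk.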
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
index 039242b730c6..39c908fea572 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
@@ -39,8 +39,8 @@ in
         mail_plugins = $mail_plugins old_stats
         service old-stats {
           unix_listener old-stats {
-            user = nobody
-            group = nobody
+            user = dovecot-exporter
+            group = dovecot-exporter
           }
         }
       ''';
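Review bot: The example now hard-codes `dovecot-exporter` as owner of the stats socket, while the account the exporter runs as is configurable through the `user`/`group` options and, per the other file in this patch, the dedicated account is only created when those options keep their default; an administrator who overrides them and copies this snippet ends up with a socket owned by a non-existent user and an exporter that cannot read it. This looks like the example inside the `socketPath` option description, so a sentence next to the listing such as `Replace dovecot-exporter with the values of services.prometheus.exporters.dovecot.user and .group if you changed them.` would prevent that mismatch. The enclosing option description starts before the hunk.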