nixpkgs/nixos/modules/services/monitoring/glpi-agent.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

139 lines
3.3 KiB
Nix
Raw Normal View History

2024-12-04 14:39:54 +01:00
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.glpiAgent;
settingsType =
with lib.types;
attrsOf (oneOf [
bool
int
str
(listOf str)
]);
formatValue =
v:
if lib.isBool v then
if v then "1" else "0"
else if lib.isList v then
lib.concatStringsSep "," v
else
toString v;
configContent = lib.concatStringsSep "\n" (
lib.mapAttrsToList (k: v: "${k} = ${formatValue v}") cfg.settings
);
configFile = pkgs.writeText "agent.cfg" configContent;
in
{
options = {
services.glpiAgent = {
enable = lib.mkEnableOption "GLPI Agent";
package = lib.mkPackageOption pkgs "glpi-agent" { };
settings = lib.mkOption {
type = settingsType;
default = { };
description = ''
GLPI Agent configuration options.
See https://glpi-agent.readthedocs.io/en/latest/configuration.html for all available options.
The 'server' option is mandatory and must point to your GLPI server.
'';
example = lib.literalExpression ''
{
server = [ "https://glpi.example.com/inventory" ];
delaytime = 3600;
tag = "production";
logger = [ "stderr" "file" ];
debug = 1;
"no-category" = [ "printer" "software" ];
}
'';
};
stateDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/glpi-agent";
description = "Directory where GLPI Agent stores its state.";
};
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.settings ? server;
message = "GLPI Agent requires a server to be configured in services.glpiAgent.settings.server";
}
];
systemd.services.glpi-agent = {
description = "GLPI Agent";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
2025-05-28 10:56:12 +02:00
ExecStart = lib.escapeShellArgs [
"${lib.getExe cfg.package}"
"--conf-file"
"${configFile}"
"--vardir"
"${cfg.stateDir}"
"--daemon"
"--no-fork"
];
DynamicUser = true;
StateDirectory = "glpi-agent";
CapabilityBoundingSet = [ "CAP_SYS_ADMIN" ];
AmbientCapabilities = [ "CAP_SYS_ADMIN" ];
LimitCORE = 0;
LimitNOFILE = 65535;
LockPersonality = true;
MemorySwapMax = 0;
MemoryZSwapMax = 0;
PrivateTmp = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
2024-12-04 14:39:54 +01:00
Restart = "on-failure";
2025-05-28 10:56:12 +02:00
RestartSec = "10s";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@resources"
"~@privileged"
];
NoNewPrivileges = true;
UMask = "0077";
2024-12-04 14:39:54 +01:00
};
};
};
}