nixos/prometheus-fastly-exporter: fix runtime environment

- Make the token a required option - Drop the proto from the listen parameter - Use systemd credentials to pass the token file - Drop debug flag, use extraArgs instead - Actually hook up extraArgs - Escape shell arguments - Drop overly broad `with lib` statement
2024-11-10 16:45:51 +03:00 · 2024-02-09 02:08:02 +01:00 · 2024-02-09 02:08:02 +01:00 · a43d9cd69a
commit a43d9cd69a
parent f1f689a8e8
1 changed files with 32 additions and 19 deletions
--- a/nixos/modules/services/monitoring/prometheus/exporters/fastly.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/fastly.nix
@ -1,41 +1,54 @@
-{ config, lib, pkgs, options }:
+{ config
+, lib
+, pkgs
+, options
+}:

-with lib;
+let
+  inherit (lib)
+    escapeShellArgs
+    mkOption
+    optionals
+    types
+  ;

-let cfg = config.services.prometheus.exporters.fastly;
+  cfg = config.services.prometheus.exporters.fastly;
 in
 {
  port = 9118;
-  extraOpts = {
-    debug = mkEnableOption (lib.mdDoc "Debug logging mode for fastly-exporter");
-
+  extraOpts = with types; {
    configFile = mkOption {
-      type = types.nullOr types.path;
+      type = nullOr path;
      default = null;
-      description = lib.mdDoc ''
+      example = "./fastly-exporter-config.txt";
+      description = ''
        Path to a fastly-exporter configuration file.
        Example one can be generated with `fastly-exporter --config-file-example`.
      '';
-      example = "./fastly-exporter-config.txt";
    };

    tokenPath = mkOption {
-      type = types.nullOr types.path;
-      apply = final: if final == null then null else toString final;
-      description = lib.mdDoc ''
+      type = path;
+      description = ''
        A run-time path to the token file, which is supposed to be provisioned
        outside of Nix store.
      '';
    };
  };
  serviceOpts = {
-    script = ''
-      ${optionalString (cfg.tokenPath != null)
-      "export FASTLY_API_TOKEN=$(cat ${toString cfg.tokenPath})"}
-      ${pkgs.prometheus-fastly-exporter}/bin/fastly-exporter \
-        -listen http://${cfg.listenAddress}:${toString cfg.port}
-        ${optionalString cfg.debug "-debug true"} \
-        ${optionalString (cfg.configFile != null) "-config-file ${cfg.configFile}"}
+    serviceConfig = {
+      LoadCredential = "fastly-api-token:${cfg.tokenPath}";
+    };
+    script = let
+      call = escapeShellArgs ([
+        "${pkgs.prometheus-fastly-exporter}/bin/fastly-exporter"
+        "-listen" "${cfg.listenAddress}:${toString cfg.port}"
+      ] ++ optionals (cfg.configFile != null) [
+        "--config-file" cfg.configFile
+      ] ++ cfg.extraFlags);
+    in ''
+      export FASTLY_API_TOKEN="$(cat $CREDENTIALS_DIRECTORY/fastly-api-token)"
+      ${call}
    '';
  };
 }