telegraf: replace sudo with setuid wrapper for telegraf

Jörg Thalheim 2023-11-12 07:53:20 +01:00 committed by zowoq
parent 533a8681bb
commit 6cdb43f8f1


@ -93,9 +93,7 @@ in
"http://localhost/nginx_status"
];
smart = lib.mkIf (!isVM) {
path_smartctl = pkgs.writeShellScript "smartctl" ''
exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@"
'';
path_smartctl = "/run/wrappers/bin/smartctl-telegraf";
};
system = { };
mem = { };
@ -142,21 +140,13 @@ in
};
};
};
security.sudo.extraRules = lib.mkIf (!isVM) [
{
users = [ "telegraf" ];
commands = [
{
command = "${pkgs.smartmontools}/bin/smartctl";
options = [ "NOPASSWD" ];
}
];
}
];
# avoid logging sudo use
security.sudo.configFile = ''
Defaults:telegraf !syslog,!pam_session
'';
security.wrappers.smartctl-telegraf = lib.mkIf (!isVM) {
owner = "telegraf";
group = "telegraf";
capabilities = "cap_sys_admin,cap_dac_override,cap_sys_rawio+ep";
source = "${pkgs.smartmontools}/bin/smartctl";
};
# create dummy file to avoid telegraf errors
systemd.tmpfiles.rules = [
"f /var/log/telegraf/dummy 0444 root root - -"
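Review bot: The new `security.wrappers.smartctl-telegraf` entry in the second hunk sets `owner`/`group` but not `permissions`, and the NixOS wrapper default is `u+rx,g+x,o+x`, so every local account can execute a smartctl carrying `cap_sys_admin,cap_dac_override,cap_sys_rawio` — broader than the removed sudo rule, which only let the `telegraf` user run it. Add `permissions = "u+rx";` beside `group = "telegraf";` so only the owner can run the wrapper. It is also worth recording in a comment why each of the three capabilities is required, since `cap_dac_override` in particular may not be needed for the device nodes smartctl opens; I cannot tell from this hunk whether it was measured or carried over. The first hunk is consistent with this, pointing `path_smartctl` at `/run/wrappers/bin/smartctl-telegraf`.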