dnsmasq dhcp-leasefile defaults to /var/lib/dnsmasq/dnsmasq.leases, so
use that as the default for the exporter too. Curiously, the example was
using the working path, so this patch simply swaps "example" and
"default" values.
This commit ensures that exactly one of either the `repository` or
`repositoryFile` option is set. Specifying a repository is required, but
only *one* of the two options will be used, so instead of arguing about
a precedence that will only cause confusion, it makes more sense to make
them mutually exclusive.
This commit makes it possible to keep the backup repository for restic
secret by using a file outside the nix store. The restic module has an
equivalent option `services.restic.backups.<name>.repositoryFile`, which
is rendered pointless when using the cleartext `repository` option for
this exporter.
smartctl_exporter already runs with SupplementaryGroups "disk", which
gives full access to SATA drives, but NVMe devices are owned by
root:root, resulting in no access:
    [...] msg="Smartctl open device: /dev/nvme0 failed: Permission denied"
This patch introduces a "smartctl-exporter-access" supplementary
group, and a udev rule with setfacl to give the exporter access to NVMe
drives, without changing the base root:root ownership.
Fixes https://github.com/NixOS/nixpkgs/issues/210041
Since `connectionStringFile` reads the file and puts it into the
invocation of the exporter, it's part of the cmdline and thus
effectively world-readable.
Added a new `connectionEnvFile` which is supposed to be an environment
file of the form
    PGBOUNCER_EXPORTER_CONNECTION_STRING=...
that will be added to the systemd service. The exporter will read the
connection string from that value.
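
The difference between the two options, shown as an added example that is not part of the commit or of nixpkgs: on Linux, `/proc/<pid>/cmdline` is readable by other users while `/proc/<pid>/environ` is readable only by the process owner. The connection string is a constructed value and the child process is a stand-in for the exporter.

```python
import os
import stat
import subprocess
import sys

# Constructed sample value, not a real credential.
SECRET = "postgres://stats:constructed-pw@127.0.0.1:6432/pgbouncer"
ENV_NAME = "PGBOUNCER_EXPORTER_CONNECTION_STRING"  # variable name from the commit message


def exposure(pass_via):
    """Start a stand-in child that receives SECRET on argv or in its
    environment, then report what /proc exposes about that process."""
    argv = [sys.executable, "-c", "import time; time.sleep(5)"]
    env = dict(os.environ)
    if pass_via == "argv":
        argv.append(SECRET)       # the connectionStringFile behaviour
    else:
        env[ENV_NAME] = SECRET    # the connectionEnvFile behaviour
    child = subprocess.Popen(argv, env=env)
    try:
        base = f"/proc/{child.pid}"
        with open(f"{base}/cmdline", "rb") as fh:
            cmdline = fh.read().replace(b"\0", b" ").decode()
        cmdline_mode = os.stat(f"{base}/cmdline").st_mode
        environ_mode = os.stat(f"{base}/environ").st_mode
        return {
            "secret_in_cmdline": SECRET in cmdline,
            "cmdline_world_readable": bool(cmdline_mode & stat.S_IROTH),
            "environ_owner_only": not (environ_mode & (stat.S_IRWXG | stat.S_IRWXO)),
        }
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    for mode in ("argv", "env"):
        print(mode, exposure(mode))
```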
2.3.0 is the final release, the repo is now archived.
Also, I haven't used it for quite a while, so it didn't have a real
nixpkgs maintainer either.
Closes #338712
Systemd units with `PrivateUsers` set get their capabilities within the user namespace only [1].
As a result they cannot bind to privileged ports even though they *appear* like they should be able to.
The units in this commit [2] set `PrivateUsers` unconditionally so binding to privileged ports is currently impossible.
Granting them CAP_NET_BIND_SERVICE is useless and misleads any reader of those modules.
Technically, this commit also hardens these modules ever so slightly.
(There are corner cases where this could make sense (e.g. across units, using `JoinsNamespaceOf`) but this is arcane enough not to be present in nixpkgs.)
[1]: systemd.exec(5): PrivateUsers
[2]: found using `rg -e 'PrivateUsers.?=\s+[^f][^a]' -l | xargs rg -e '\bCAP_' -l`
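
The same check applied to rendered unit files instead of module sources, as an added example that is not part of the commit: it flags units that enable `PrivateUsers` and still list CAP_NET_BIND_SERVICE. The unit names and contents are constructed, and the function names are hypothetical.

```python
FALSE_VALUES = {"0", "no", "false", "off"}  # systemd spellings of boolean false
CAP_KEYS = ("AmbientCapabilities", "CapabilityBoundingSet")

# Constructed unit files, not taken from nixpkgs.
UNITS = {
    "exporter-a.service": "[Service]\nPrivateUsers=true\n"
                          "AmbientCapabilities=CAP_NET_BIND_SERVICE\n"
                          "CapabilityBoundingSet=CAP_NET_BIND_SERVICE\n",
    "exporter-b.service": "[Service]\nPrivateUsers=false\n"
                          "AmbientCapabilities=CAP_NET_BIND_SERVICE\n",
    "exporter-c.service": "[Service]\nPrivateUsers=yes\n"
                          "CapabilityBoundingSet=~CAP_NET_BIND_SERVICE\n",
}


def service_settings(unit_text):
    """Collect [Service] settings. Capability lists accumulate across lines
    and an empty assignment resets them; inverted (~) lists are skipped
    because they remove capabilities rather than grant them."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in CAP_KEYS:
            settings[key] = value
        elif not value:
            settings[key] = []
        elif not value.startswith("~"):
            settings[key] = settings.get(key, []) + value.split()
    return settings


def misleading_grants(unit_text):
    """Keys that list CAP_NET_BIND_SERVICE while PrivateUsers is enabled."""
    s = service_settings(unit_text)
    if s.get("PrivateUsers", "false").lower() in FALSE_VALUES:
        return []
    return [k for k in CAP_KEYS if "CAP_NET_BIND_SERVICE" in s.get(k, [])]


def audit(units):
    return {n: hit for n, text in units.items() if (hit := misleading_grants(text))}
```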
The PgBouncer instance running on localhost may not be the one being
monitored in connectionString. Remove checks that forbid valid
configuration from being used and instead document requirements for
PgBouncer configuration when used with the exporter.
Prometheus snmp-exporter has support to pass sensitive data as environment
variables. Since other exporter configurations for NixOS have
environmentFile option, the same option is added to snmp-exporter.
Fixes issues described in #208242 for this part of the nixpkgs tree.
There are no behavioral changes in this, it only adjusts the code so
that it is easier to understand.
these changes were generated with nixq 0.0.2, by running
    nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
    nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
    nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
Environment variables in the alertmanager config are substituted using
envsubst. It is therefore necessary to escape $ as $$ in the config, if it
should be preserved.
- Make the token a required option
- Drop the proto from the listen parameter
- Use systemd credentials to pass the token file
- Drop debug flag, use extraArgs instead
- Actually hook up extraArgs
- Escape shell arguments
- Drop overly broad `with lib` statement
This is introduced and enabled by default because the config syntax for
the exporter changed with release 0.23.0.
This should make the breaking config change obvious before services are
deployed with an incompatible old config.
The check is based on the check present in the blackbox-exporter module.
This reverts commit 413011ddf4.
Using separate lockfile directories prevents the different kea daemons
from using the interprocess sync lockfile.
Keeping the runtime directory around might be the better approach.
Kea may clean the runtime directory when starting (or maybe systemd does
it). I ran into this issue when restarting Kea after changing its
configuration, so I think the fact it normally doesn't clean it is a
race condition (it's cleaned on service start, and normally all Kea
services start at roughly the same time).
The new exporter has proper console scripts definition, that sets up
another executable name.
The package now also shells out to pidof, which is why we require procps
in the unit PATH.
follow-up on 28b3156bc6 which broke
when tokenFile was left empty.
Making both options nullable also allows us to provide a more meaningful
error message when neither authentication method is configured.