mirror of
https://codeberg.org/icewind/mitemp-prometheus.git
synced 2026-06-03 09:04:13 +02:00
91 lines
2.2 KiB
Nix
91 lines
2.2 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
with lib; let
|
|
cfg = config.services.mitemp;
|
|
format = pkgs.formats.toml {};
|
|
configFile = format.generate "mitemp-config.toml" {
|
|
inherit (cfg) names;
|
|
listen = {
|
|
inherit (cfg) socket;
|
|
};
|
|
};
|
|
in {
|
|
options.services.mitemp = {
|
|
enable = mkEnableOption "mitemp";
|
|
|
|
names = mkOption {
|
|
type = types.attrs;
|
|
default = {};
|
|
description = "Names for mitemp sensors";
|
|
};
|
|
|
|
socket = mkOption {
|
|
type = types.str;
|
|
default = "/run/mitemp/mitemp.sock";
|
|
description = "socket to listen on";
|
|
};
|
|
|
|
package = mkOption {
|
|
type = types.package;
|
|
defaultText = literalExpression "pkgs.mitemp-prometheus";
|
|
description = "package to use";
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
users.users.mitemp = {
|
|
isSystemUser = true;
|
|
group = "mitemp";
|
|
};
|
|
users.groups.mitemp = {};
|
|
|
|
services.dbus.packages = [cfg.package];
|
|
systemd.services."mitemp" = {
|
|
wantedBy = ["multi-user.target"];
|
|
after = ["dbus.service"];
|
|
|
|
serviceConfig = {
|
|
ExecStart = "${cfg.package}/bin/mitemp-prometheus ${configFile}";
|
|
|
|
Restart = "on-failure";
|
|
User = "mitemp";
|
|
PrivateTmp = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = true;
|
|
NoNewPrivileges = true;
|
|
ProtectClock = true;
|
|
CapabilityBoundingSet = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectControlGroups = true;
|
|
SystemCallArchitectures = "native";
|
|
ProtectKernelModules = true;
|
|
RestrictNamespaces = true;
|
|
MemoryDenyWriteExecute = true;
|
|
ProtectHostname = true;
|
|
LockPersonality = true;
|
|
ProtectKernelTunables = true;
|
|
RestrictAddressFamilies = ["AF_UNIX"];
|
|
RuntimeDirectory = "mitemp";
|
|
RestrictRealtime = true;
|
|
ProtectProc = "invisible";
|
|
SystemCallFilter = ["@system-service" "~@resources" "~@privileged"];
|
|
IPAddressDeny = "any";
|
|
PrivateUsers = true;
|
|
ProcSubset = "pid";
|
|
RemoveIPC = true;
|
|
PrivateDevices = true;
|
|
RestrictSUIDSGID = true;
|
|
BindPaths = ["/run/dbus"];
|
|
};
|
|
|
|
confinement = {
|
|
enable = true;
|
|
binSh = null;
|
|
};
|
|
};
|
|
};
|
|
}
|