Commit 04352278 authored by Guillaume DELVIT's avatar Guillaume DELVIT Committed by Guillaume D

nixos/services/netdata: add systemd-journald plugin as a privileged wrapper

https://learn.netdata.cloud/docs/logs/systemd-journal/
needs access to

    Kernel Logs (dmesg):
        Capability: CAP_SYSLOG
        Description: This capability allows the program to read kernel logs using the dmesg command or by reading the /dev/kmsg file.

    System Logs (e.g., /var/log/syslog):
        Capability: CAP_DAC_READ_SEARCH
        Description: This capability allows the program to read system logs located in directories such as /var/log/.

    User Logs (e.g., /var/log/auth.log):
        Capability: CAP_DAC_READ_SEARCH
        Description: This capability allows the program to read user logs located in directories such as /var/log/.
parent 7d517bfb
+11 −1
@@ -12,6 +12,7 @@ let
    ln -s /run/wrappers/bin/perf.plugin $out/libexec/netdata/plugins.d/perf.plugin
    ln -s /run/wrappers/bin/slabinfo.plugin $out/libexec/netdata/plugins.d/slabinfo.plugin
    ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin
    ln -s /run/wrappers/bin/systemd-journal.plugin $out/libexec/netdata/plugins.d/systemd-journal.plugin
  '';

  plugins = [
@@ -254,7 +255,7 @@ in {
        # Capabilities
        CapabilityBoundingSet = [
          "CAP_DAC_OVERRIDE"      # is required for freeipmi and slabinfo plugins
          "CAP_DAC_READ_SEARCH"   # is required for apps plugin
          "CAP_DAC_READ_SEARCH"   # is required for apps and systemd-journal plugin
          "CAP_FOWNER"            # is required for freeipmi plugin
          "CAP_SETPCAP"           # is required for apps, perf and slabinfo plugins
          "CAP_SYS_ADMIN"         # is required for perf plugin
@@ -263,6 +264,7 @@ in {
          "CAP_NET_RAW"           # is required for fping app
          "CAP_SYS_CHROOT"        # is required for cgroups plugin
          "CAP_SETUID"            # is required for cgroups and cgroups-network plugins
          "CAP_SYSLOG"            # is required for systemd-journal plugin
        ];
        # Sandboxing
        ProtectSystem = "full";
@@ -318,6 +320,14 @@ in {
        permissions = "u+rx,g+x,o-rwx";
      };

      "systemd-journal.plugin" = {
        source = "${cfg.package}/libexec/netdata/plugins.d/systemd-journal.plugin.org";
        capabilities = "cap_dac_read_search,cap_syslog+ep";
        owner = cfg.user;
        group = cfg.group;
        permissions = "u+rx,g+x,o-rwx";
      };

      "slabinfo.plugin" = {
        source = "${cfg.package}/libexec/netdata/plugins.d/slabinfo.plugin.org";
        capabilities = "cap_dac_override+ep";
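Review bot: The new `"systemd-journal.plugin"` wrapper entry in the last hunk grants `cap_dac_read_search,cap_syslog+ep` to a binary that `cfg.user` can execute directly, and CAP_DAC_READ_SEARCH bypasses read-permission checks on every file on the host, not only the journal; the apps wrapper already carries it, but each additional wrapper is another read-anything path from the netdata account. Journal files are normally readable by members of the `systemd-journal` group, so it is worth checking whether `SupplementaryGroups = [ "systemd-journal" ];` on the service (if the module does not already set it) lets the plugin run unwrapped, or at least without `cap_dac_read_search`. The commit message justifies CAP_SYSLOG with reading dmesg/`/dev/kmsg` and CAP_DAC_READ_SEARCH with `/var/log/*`, which is not obviously what a journal reader opens, so a short comment on the wrapper entry stating which file or syscall needs each capability would let the next reader verify the grant, e.g. `# cap_syslog: <what the plugin reads that needs it>; cap_dac_read_search: <journal path not readable by cfg.user>`. The same justification applies to the `"CAP_SYSLOG"` line added to `CapabilityBoundingSet` in the third hunk.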