Loading nixos/modules/services/monitoring/netdata.nix +61 −0 Original line number Diff line number Diff line Loading @@ -48,6 +48,13 @@ let defaultUser = "netdata"; isThereAnyWireGuardTunnels = config.networking.wireguard.enable || lib.any (c: lib.hasAttrByPath [ "netdevConfig" "Kind" ] c && c.netdevConfig.Kind == "wireguard") (builtins.attrValues config.systemd.network.netdevs); extraNdsudoPathsEnv = pkgs.buildEnv { name = "netdata-ndsudo-env"; paths = cfg.extraNdsudoPackages; pathsToLink = [ "/bin" ]; }; in { options = { services.netdata = { Loading Loading @@ -131,6 +138,27 @@ in { ''; }; extraNdsudoPackages = lib.mkOption { type = lib.types.listOf lib.types.package; default = [ ]; description = '' Extra packages to add to `PATH` to make available to `ndsudo`. ::: {.warning} `ndsudo` has SUID privileges, be careful what packages you list here. ::: ::: {.note} `cfg.package` must be built with `withNdsudo = true` ::: ''; example = '' [ pkgs.smartmontools pkgs.nvme-cli ] ''; }; config = lib.mkOption { type = lib.types.attrsOf lib.types.attrs; default = {}; Loading Loading @@ -221,6 +249,31 @@ in { environment.etc."netdata/netdata.conf".source = configFile; environment.etc."netdata/conf.d".source = configDirectory; systemd.tmpfiles.settings = lib.mkIf cfg.package.withNdsudo { "95-netdata-ndsudo" = { "/var/lib/netdata/ndsudo" = { "d" = { mode = "0550"; user = cfg.user; group = cfg.group; }; }; "/var/lib/netdata/ndsudo/ndsudo" = { "L+" = { argument = "/run/wrappers/bin/ndsudo"; }; }; "/var/lib/netdata/ndsudo/runtime-dependencies" = { "L+" = { argument = "${extraNdsudoPathsEnv}/bin"; }; }; }; }; systemd.services.netdata = { description = "Real time performance monitoring"; after = [ "network.target" "suid-sgid-wrappers.service" ]; Loading Loading 
@@ -394,6 +447,14 @@ in { group = cfg.group; permissions = "u+rx,g+x,o-rwx"; }; } // lib.optionalAttrs (cfg.package.withNdsudo) { "ndsudo" = { source = "${cfg.package}/libexec/netdata/plugins.d/ndsudo.org"; setuid = true; owner = "root"; group = cfg.group; permissions = "u+rx,g+x,o-rwx"; }; }; security.pam.loginLimits = [ Loading pkgs/tools/system/netdata/default.nix +8 −1 Original line number Diff line number Diff line Loading @@ -48,6 +48,7 @@ withSsl ? true, withSystemdJournal ? (stdenv.hostPlatform.isLinux), zlib, withNdsudo ? false, }: let stdenv' = if stdenv.hostPlatform.isDarwin then overrideSDK stdenv "11.0" else stdenv; Loading Loading @@ -181,6 +182,12 @@ stdenv'.mkDerivation (finalAttrs: { rm -rf $out/share/netdata/web/index.html cp $out/share/netdata/web/v1/index.html $out/share/netdata/web/index.html ''} ${lib.optionalString withNdsudo '' mv $out/libexec/netdata/plugins.d/ndsudo \ $out/libexec/netdata/plugins.d/ndsudo.org ln -s /var/lib/netdata/ndsudo/ndsudo $out/libexec/netdata/plugins.d/ndsudo ''} ''; preConfigure = '' Loading Loading @@ -270,7 +277,7 @@ stdenv'.mkDerivation (finalAttrs: { license = lib.licenses.gpl3Only; }; }).goModules; inherit withIpmi withNetworkViewer; inherit withIpmi withNetworkViewer withNdsudo; tests.netdata = nixosTests.netdata; }; Loading pkgs/tools/system/netdata/ndsudo-fix-path.patch +4 −3 Original line number Diff line number Diff line Loading @@ -5,13 +5,14 @@ diff --git a/src/collectors/plugins.d/ndsudo.c b/src/collectors/plugins.d/ndsudo index d53ca9f28..b42a121bf 100644 --- a/src/collectors/plugins.d/ndsudo.c +++ b/src/collectors/plugins.d/ndsudo.c @@ -357,9 +357,6 @@ int main(int argc, char *argv[]) { @@ -357,9 +357,9 @@ int main(int argc, char *argv[]) { return 3; } - char new_path[] = "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"; - putenv(new_path); - + char new_path[] = "PATH=/var/lib/netdata/ndsudo/runtime-dependencies"; putenv(new_path); setuid(0); setgid(0); setegid(0); Loading
nixos/modules/services/monitoring/netdata.nix +61 −0 Original line number Diff line number Diff line Loading @@ -48,6 +48,13 @@ let defaultUser = "netdata"; isThereAnyWireGuardTunnels = config.networking.wireguard.enable || lib.any (c: lib.hasAttrByPath [ "netdevConfig" "Kind" ] c && c.netdevConfig.Kind == "wireguard") (builtins.attrValues config.systemd.network.netdevs); extraNdsudoPathsEnv = pkgs.buildEnv { name = "netdata-ndsudo-env"; paths = cfg.extraNdsudoPackages; pathsToLink = [ "/bin" ]; }; in { options = { services.netdata = { Loading Loading @@ -131,6 +138,27 @@ in { ''; }; extraNdsudoPackages = lib.mkOption { type = lib.types.listOf lib.types.package; default = [ ]; description = '' Extra packages to add to `PATH` to make available to `ndsudo`. ::: {.warning} `ndsudo` has SUID privileges, be careful what packages you list here. ::: ::: {.note} `cfg.package` must be built with `withNdsudo = true` ::: ''; example = '' [ pkgs.smartmontools pkgs.nvme-cli ] ''; }; config = lib.mkOption { type = lib.types.attrsOf lib.types.attrs; default = {}; Loading Loading @@ -221,6 +249,31 @@ in { environment.etc."netdata/netdata.conf".source = configFile; environment.etc."netdata/conf.d".source = configDirectory; systemd.tmpfiles.settings = lib.mkIf cfg.package.withNdsudo { "95-netdata-ndsudo" = { "/var/lib/netdata/ndsudo" = { "d" = { mode = "0550"; user = cfg.user; group = cfg.group; }; }; "/var/lib/netdata/ndsudo/ndsudo" = { "L+" = { argument = "/run/wrappers/bin/ndsudo"; }; }; "/var/lib/netdata/ndsudo/runtime-dependencies" = { "L+" = { argument = "${extraNdsudoPathsEnv}/bin"; }; }; }; }; systemd.services.netdata = { description = "Real time performance monitoring"; after = [ "network.target" "suid-sgid-wrappers.service" ]; Loading Loading 
@@ -394,6 +447,14 @@ in { group = cfg.group; permissions = "u+rx,g+x,o-rwx"; }; } // lib.optionalAttrs (cfg.package.withNdsudo) { "ndsudo" = { source = "${cfg.package}/libexec/netdata/plugins.d/ndsudo.org"; setuid = true; owner = "root"; group = cfg.group; permissions = "u+rx,g+x,o-rwx"; }; }; security.pam.loginLimits = [ Loading
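Review bot: The tmpfiles rule for `/var/lib/netdata/ndsudo` in the third hunk hands the directory to `cfg.user`, yet the patched `ndsudo` (see `ndsudo-fix-path.patch` in this commit) takes its entire `PATH` from the `runtime-dependencies` link inside it and then calls `setuid(0)`. Mode `0550` does not constrain the owner, who can change the mode and repoint the link, so the unprivileged service account effectively decides which binaries the setuid helper resolves. I would make the directory root-owned, `user = "root"; group = cfg.group; mode = "0550";`, which still lets the netdata group traverse it. Since `/var/lib/netdata` is presumably the service's own writable state directory, it is also worth moving the `runtime-dependencies` link under a root-owned parent so it cannot be renamed away either.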
pkgs/tools/system/netdata/default.nix +8 −1 Original line number Diff line number Diff line Loading @@ -48,6 +48,7 @@ withSsl ? true, withSystemdJournal ? (stdenv.hostPlatform.isLinux), zlib, withNdsudo ? false, }: let stdenv' = if stdenv.hostPlatform.isDarwin then overrideSDK stdenv "11.0" else stdenv; Loading Loading @@ -181,6 +182,12 @@ stdenv'.mkDerivation (finalAttrs: { rm -rf $out/share/netdata/web/index.html cp $out/share/netdata/web/v1/index.html $out/share/netdata/web/index.html ''} ${lib.optionalString withNdsudo '' mv $out/libexec/netdata/plugins.d/ndsudo \ $out/libexec/netdata/plugins.d/ndsudo.org ln -s /var/lib/netdata/ndsudo/ndsudo $out/libexec/netdata/plugins.d/ndsudo ''} ''; preConfigure = '' Loading Loading @@ -270,7 +277,7 @@ stdenv'.mkDerivation (finalAttrs: { license = lib.licenses.gpl3Only; }; }).goModules; inherit withIpmi withNetworkViewer; inherit withIpmi withNetworkViewer withNdsudo; tests.netdata = nixosTests.netdata; }; Loading
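Review bot: The install-phase fragment added under `withNdsudo` leaves a symlink in the store output pointing at `/var/lib/netdata/ndsudo/ndsudo`, a path that only exists once the NixOS module's tmpfiles rules have run, and nothing in the file explains this. A short comment would help, e.g. `# The store cannot hold a setuid binary: the NixOS module wraps ndsudo.org in /run/wrappers and links it back via /var/lib/netdata/ndsudo/ndsudo.` It is also worth noting next to `withNdsudo ? false` that enabling it outside the NixOS module yields a dangling `ndsudo`. The `.org` suffix presumably stands for "original"; `.orig` would be clearer, though the module's wrapper `source` would have to change with it.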
pkgs/tools/system/netdata/ndsudo-fix-path.patch +4 −3 Original line number Diff line number Diff line Loading @@ -5,13 +5,14 @@ diff --git a/src/collectors/plugins.d/ndsudo.c b/src/collectors/plugins.d/ndsudo index d53ca9f28..b42a121bf 100644 --- a/src/collectors/plugins.d/ndsudo.c +++ b/src/collectors/plugins.d/ndsudo.c @@ -357,9 +357,6 @@ int main(int argc, char *argv[]) { @@ -357,9 +357,9 @@ int main(int argc, char *argv[]) { return 3; } - char new_path[] = "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"; - putenv(new_path); - + char new_path[] = "PATH=/var/lib/netdata/ndsudo/runtime-dependencies"; putenv(new_path); setuid(0); setgid(0); setegid(0);