Commit aaccbed9 authored by Raito Bezarius's avatar Raito Bezarius

nixos/netdata: add wireguard support



CAP_NET_ADMIN is required.

Change-Id: I8559e50ccf2d34a4bc7c8f4f2aeafb7771fe751b
Signed-off-by: default avatarRaito Bezarius <masterancpp@gmail.com>
parent 6955aab4
+4 −1
@@ -50,6 +50,7 @@ let

  defaultUser = "netdata";

  isThereAnyWireGuardTunnels = config.networking.wireguard.enable || lib.any (c: lib.hasAttrByPath [ "netdevConfig" "Kind" ] c && c.netdevConfig.Kind == "wireguard") (builtins.attrValues config.systemd.network.netdevs);
in {
  options = {
    services.netdata = {
@@ -286,6 +287,8 @@ in {
        # Configuration directory and mode
        ConfigurationDirectory = "netdata";
        ConfigurationDirectoryMode = "0755";
        # AmbientCapabilities
        AmbientCapabilities = lib.optional isThereAnyWireGuardTunnels "CAP_NET_ADMIN";
        # Capabilities
        CapabilityBoundingSet = [
          "CAP_DAC_OVERRIDE"      # is required for freeipmi and slabinfo plugins
@@ -299,7 +302,7 @@ in {
          "CAP_SYS_CHROOT"        # is required for cgroups plugin
          "CAP_SETUID"            # is required for cgroups and cgroups-network plugins
          "CAP_SYSLOG"            # is required for systemd-journal plugin
        ];
        ] ++ lib.optional isThereAnyWireGuardTunnels "CAP_NET_ADMIN";
        # Sandboxing
        ProtectSystem = "full";
        ProtectHome = "read-only";
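Review bot: `AmbientCapabilities = lib.optional isThereAnyWireGuardTunnels "CAP_NET_ADMIN";` gives CAP_NET_ADMIN to every process the netdata unit starts, not only to whichever collector reads WireGuard state. It is also switched on implicitly as soon as any WireGuard tunnel exists in the host configuration. CAP_NET_ADMIN covers changing interfaces, routes and firewall rules as well as reading tunnel state, so any plugin or child process in this unit inherits that reach. Consider gating it behind an explicit opt-in option, or confining it to the one collector binary with a `security.wrappers` entry if the way the module launches plugins allows it. Independently, replace the bare `# AmbientCapabilities` comment with the reason, e.g. `# CAP_NET_ADMIN: needed to query WireGuard tunnel state; ambient, so inherited by all plugins`, and give the new `CapabilityBoundingSet` entry a trailing `# is required for ...` comment like its neighbours.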