Unverified Commit c79fde30 authored by github-actions[bot]'s avatar github-actions[bot] Committed by GitHub

Merge master into staging-next

parents b50e7536 19d66fab
+7 −1
@@ -4134,6 +4134,12 @@
    githubId = 43564;
    name = "Claes Holmerson";
  };
  claha = {
    email = "hallstrom.claes@gmail.com";
    github = "claha";
    githubId = 9336788;
    name = "Claes Hallström";
  };
  clebs = {
    email = "borja.clemente@gmail.com";
    github = "clebs";
@@ -24175,7 +24181,7 @@
    githubId = 47071325;
  };
  ymstnt = {
    name = "YMSTNT";
    name = "ymstnt";
    github = "ymstnt";
    githubId = 21342713;
  };
+2 −0
@@ -197,6 +197,8 @@

- [Zapret](https://github.com/bol-van/zapret), a DPI bypass tool. Available as [services.zapret](option.html#opt-services.zapret.enable).

- [Glances](https://github.com/nicolargo/glances), an open-source system cross-platform monitoring tool. Available as [services.glances](option.html#opt-services.glances).

## Backward Incompatibilities {#sec-release-24.11-incompatibilities}

- Nixpkgs now requires Nix 2.3.17 or newer to allow for zstd compressed binary artifacts.
+1 −0
@@ -888,6 +888,7 @@
  ./services/monitoring/do-agent.nix
  ./services/monitoring/fusion-inventory.nix
  ./services/monitoring/gatus.nix
  ./services/monitoring/glances.nix
  ./services/monitoring/goss.nix
  ./services/monitoring/grafana-agent.nix
  ./services/monitoring/grafana-image-renderer.nix
+20 −0
# Glances {#module-serives-glances}

Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS
and Windows operating systems.

Visit [the Glances project page](https://github.com/nicolargo/glances) to learn
more about it.

# Quickstart {#module-serives-glances-quickstart}

Use the following configuration to start a public instance of Glances locally:

```nix
{
  services.glances = {
    enable = true;
    openFirewall = true;
  };
};
```
+110 −0
{
  pkgs,
  config,
  lib,
  utils,
  ...
}:
let
  cfg = config.services.glances;

  inherit (lib)
    getExe
    maintainers
    mkEnableOption
    mkOption
    mkIf
    mkPackageOption
    ;

  inherit (lib.types)
    bool
    listOf
    port
    str
    ;

  inherit (utils)
    escapeSystemdExecArgs
    ;

in
{
  options.services.glances = {
    enable = mkEnableOption "Glances";

    package = mkPackageOption pkgs "glances" { };

    port = mkOption {
      description = "Port the server will isten on.";
      type = port;
      default = 61208;
    };

    openFirewall = mkOption {
      description = "Open port in the firewall for glances.";
      type = bool;
      default = false;
    };

    extraArgs = mkOption {
      type = listOf str;
      default = [ "--webserver" ];
      example = [
        "--webserver"
        "--disable-webui"
      ];
      description = ''
        Extra command-line arguments to pass to glances.

        See https://glances.readthedocs.io/en/latest/cmds.html for all available options.
      '';
    };
  };

  config = mkIf cfg.enable {

    environment.systemPackages = [ cfg.package ];

    systemd.services."glances" = {
      description = "Glances";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        DynamicUser = true;
        ExecStart = "${getExe cfg.package} --port ${toString cfg.port} ${escapeSystemdExecArgs cfg.extraArgs}";
        Restart = "on-failure";

        NoNewPrivileges = true;
        ProtectSystem = "full";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        MemoryDenyWriteExecute = true;
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_NETLINK"
          "AF_UNIX"
        ];
        LockPersonality = true;
        RestrictRealtime = true;
        ProtectClock = true;
        ReadWritePaths = [ "/var/log" ];
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
        SystemCallFilter = [ "@system-service" ];
      };
    };

    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
  };

  meta.maintainers = with maintainers; [ claha ];
}
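Review bot: With the default `extraArgs = [ "--webserver" ]` the unit serves the Glances web UI and API on `cfg.port`, and nothing in this module sets a bind address or a password, so `openFirewall = true` most likely publishes process and host details to any client that can reach the port. The `openFirewall` description should say so, for example `description = "Open port in the firewall for glances. The web server is unauthenticated unless a password is configured through extraArgs.";`. In `serviceConfig`, `CAP_NET_BIND_SERVICE` is granted as an ambient capability although the default port 61208 is unprivileged; `AmbientCapabilities = lib.optionals (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];` would limit it to the case that needs it. `ReadWritePaths = [ "/var/log" ]` gives a network-facing service write access to the whole log directory, so a dedicated `LogsDirectory = "glances";` would be narrower, if the service needs to write log files at all. The `port` description also has a typo, "isten" for "listen".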