Merge pull request #182104 from mayflower/mail-exporter-secrets

nixos/prometheus-mail-exporter: support storing `passphrase` outside of the store, use umask when using envsubst
2025-01-18 19:03:28 +00:00 · 2022-07-20 20:42:14 +02:00 · 2022-07-20 20:42:14 +02:00 · 501bbad4ce
commit 501bbad4ce
parent a115cf16e7 92bd77e85e
4 changed files with 25 additions and 6 deletions
--- a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix
@ -5,6 +5,8 @@ with lib;
 let
  cfg = config.services.prometheus.exporters.mail;

+  configFile = if cfg.configuration != null then configurationFile else (escapeShellArg cfg.configFile);
+
  configurationFile = pkgs.writeText "prometheus-mail-exporter.conf" (builtins.toJSON (
    # removes the _module attribute, null values and converts attrNames to lowercase
    mapAttrs' (name: value:
@ -137,6 +139,13 @@ in
 {
  port = 9225;
  extraOpts = {
+    environmentFile = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = ''
+        File containing env-vars to be substituted into the exporter's config.
+      '';
+    };
    configFile = mkOption {
      type = types.nullOr types.path;
      default = null;
@ -162,13 +171,19 @@ in
  serviceOpts = {
    serviceConfig = {
      DynamicUser = false;
+      EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
+      RuntimeDirectory = "prometheus-mail-exporter";
+      ExecStartPre = [
+        "${pkgs.writeShellScript "subst-secrets-mail-exporter" ''
+          umask 0077
+          ${pkgs.envsubst}/bin/envsubst -i ${configFile} -o ''${RUNTIME_DIRECTORY}/mail-exporter.json
+        ''}"
+      ];
      ExecStart = ''
        ${pkgs.prometheus-mail-exporter}/bin/mailexporter \
          --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
          --web.telemetry-path ${cfg.telemetryPath} \
-          --config.file ${
-            if cfg.configuration != null then configurationFile else (escapeShellArg cfg.configFile)
-          } \
+          --config.file ''${RUNTIME_DIRECTORY}/mail-exporter.json \
          ${concatStringsSep " \\\n  " cfg.extraFlags}
      '';
    };
--- a/nixos/modules/services/networking/mxisd.nix
+++ b/nixos/modules/services/networking/mxisd.nix
@ -130,6 +130,7 @@ in {
        EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
        ExecStart = "${cfg.package}/bin/${executable} -c ${cfg.dataDir}/mxisd-config.yaml";
        ExecStartPre = "${pkgs.writeShellScript "mxisd-substitute-secrets" ''
+          umask 0077
          ${pkgs.envsubst}/bin/envsubst -o ${cfg.dataDir}/mxisd-config.yaml \
            -i ${configFile}
        ''}";
--- a/nixos/modules/services/security/privacyidea.nix
+++ b/nixos/modules/services/security/privacyidea.nix
@ -332,6 +332,7 @@ in
            [ cfg.ldap-proxy.environmentFile ];
          ExecStartPre =
            "${pkgs.writeShellScript "substitute-secrets-ldap-proxy" ''
+              umask 0077
              ${pkgs.envsubst}/bin/envsubst \
                -i ${ldapProxyConfig} \
                -o $STATE_DIRECTORY/ldap-proxy.ini
--- a/nixos/tests/prometheus-exporters.nix
+++ b/nixos/tests/prometheus-exporters.nix
@ -557,10 +557,12 @@ let
        systemd.services.prometheus-mail-exporter = {
          after = [ "postfix.service" ];
          requires = [ "postfix.service" ];
-          preStart = ''
-            mkdir -p -m 0700 mail-exporter/new
-          '';
          serviceConfig = {
+            ExecStartPre = [
+              "${pkgs.writeShellScript "create-maildir" ''
+                mkdir -p -m 0700 mail-exporter/new
+              ''}"
+            ];
            ProtectHome = true;
            ReadOnlyPaths = "/";
            ReadWritePaths = "/var/spool/mail";