From d174bf438b1dcc3d2d9f3f21c3277e76e69cacf9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Claes=20Hallstr=C3=B6m?= <hallstrom.claes@gmail.com>
Date: Mon, 1 Apr 2024 22:44:08 +0200
Subject: [PATCH] nixos/glances: init module

---
 .../manual/release-notes/rl-2411.section.md   |   2 +
 nixos/modules/module-list.nix                 |   1 +
 nixos/modules/services/monitoring/glances.md  |  20 ++++
 nixos/modules/services/monitoring/glances.nix | 110 ++++++++++++++++++
 nixos/tests/all-tests.nix                     |   1 +
 nixos/tests/glances.nix                       |  36 ++++++
 pkgs/applications/system/glances/default.nix  |   6 +
 7 files changed, 176 insertions(+)
 create mode 100644 nixos/modules/services/monitoring/glances.md
 create mode 100644 nixos/modules/services/monitoring/glances.nix
 create mode 100644 nixos/tests/glances.nix

diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 000df6e978b4..1060e444a53f 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -197,6 +197,8 @@
 
 - [Zapret](https://github.com/bol-van/zapret), a DPI bypass tool. Available as [services.zapret](option.html#opt-services.zapret.enable).
 
+- [Glances](https://github.com/nicolargo/glances), an open-source system cross-platform monitoring tool. Available as [services.glances](option.html#opt-services.glances).
+
 ## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
 
 - Nixpkgs now requires Nix 2.3.17 or newer to allow for zstd compressed binary artifacts.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index eef106a91229..07d1d880a074 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -888,6 +888,7 @@
   ./services/monitoring/do-agent.nix
   ./services/monitoring/fusion-inventory.nix
   ./services/monitoring/gatus.nix
+  ./services/monitoring/glances.nix
   ./services/monitoring/goss.nix
   ./services/monitoring/grafana-agent.nix
   ./services/monitoring/grafana-image-renderer.nix
diff --git a/nixos/modules/services/monitoring/glances.md b/nixos/modules/services/monitoring/glances.md
new file mode 100644
index 000000000000..69554b6bc5e4
--- /dev/null
+++ b/nixos/modules/services/monitoring/glances.md
@@ -0,0 +1,20 @@
+# Glances {#module-serives-glances}
+
+Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS
+and Windows operating systems.
+
+Visit [the Glances project page](https://github.com/nicolargo/glances) to learn
+more about it.
+
+# Quickstart {#module-serives-glances-quickstart}
+
+Use the following configuration to start a public instance of Glances locally:
+
+```nix
+{
+  services.glances = {
+    enable = true;
+    openFirewall = true;
+  };
+};
+```
diff --git a/nixos/modules/services/monitoring/glances.nix b/nixos/modules/services/monitoring/glances.nix
new file mode 100644
index 000000000000..fd976ce2f060
--- /dev/null
+++ b/nixos/modules/services/monitoring/glances.nix
@@ -0,0 +1,110 @@
+{
+  pkgs,
+  config,
+  lib,
+  utils,
+  ...
+}:
+let
+  cfg = config.services.glances;
+
+  inherit (lib)
+    getExe
+    maintainers
+    mkEnableOption
+    mkOption
+    mkIf
+    mkPackageOption
+    ;
+
+  inherit (lib.types)
+    bool
+    listOf
+    port
+    str
+    ;
+
+  inherit (utils)
+    escapeSystemdExecArgs
+    ;
+
+in
+{
+  options.services.glances = {
+    enable = mkEnableOption "Glances";
+
+    package = mkPackageOption pkgs "glances" { };
+
+    port = mkOption {
+      description = "Port the server will isten on.";
+      type = port;
+      default = 61208;
+    };
+
+    openFirewall = mkOption {
+      description = "Open port in the firewall for glances.";
+      type = bool;
+      default = false;
+    };
+
+    extraArgs = mkOption {
+      type = listOf str;
+      default = [ "--webserver" ];
+      example = [
+        "--webserver"
+        "--disable-webui"
+      ];
+      description = ''
+        Extra command-line arguments to pass to glances.
+
+        See https://glances.readthedocs.io/en/latest/cmds.html for all available options.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    environment.systemPackages = [ cfg.package ];
+
+    systemd.services."glances" = {
+      description = "Glances";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        DynamicUser = true;
+        ExecStart = "${getExe cfg.package} --port ${toString cfg.port} ${escapeSystemdExecArgs cfg.extraArgs}";
+        Restart = "on-failure";
+
+        NoNewPrivileges = true;
+        ProtectSystem = "full";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        MemoryDenyWriteExecute = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+          "AF_UNIX"
+        ];
+        LockPersonality = true;
+        RestrictRealtime = true;
+        ProtectClock = true;
+        ReadWritePaths = [ "/var/log" ];
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+        SystemCallFilter = [ "@system-service" ];
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
+  };
+
+  meta.maintainers = with maintainers; [ claha ];
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 37e005f128a2..042010fe6972 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -383,6 +383,7 @@ in {
   gitolite = handleTest ./gitolite.nix {};
   gitolite-fcgiwrap = handleTest ./gitolite-fcgiwrap.nix {};
   glance = runTest ./glance.nix;
+  glances = runTest ./glances.nix;
   glusterfs = handleTest ./glusterfs.nix {};
   gnome = handleTest ./gnome.nix {};
   gnome-extensions = handleTest ./gnome-extensions.nix {};
diff --git a/nixos/tests/glances.nix b/nixos/tests/glances.nix
new file mode 100644
index 000000000000..a5f07b53386e
--- /dev/null
+++ b/nixos/tests/glances.nix
@@ -0,0 +1,36 @@
+{ lib, ... }:
+
+{
+  name = "glances";
+
+  nodes = {
+    machine_default =
+      { pkgs, ... }:
+      {
+        services.glances = {
+          enable = true;
+        };
+      };
+
+    machine_custom_port =
+      { pkgs, ... }:
+      {
+        services.glances = {
+          enable = true;
+          port = 5678;
+        };
+      };
+  };
+
+  testScript = ''
+    machine_default.start()
+    machine_default.wait_for_unit("glances.service")
+    machine_default.wait_for_open_port(61208)
+
+    machine_custom_port.start()
+    machine_custom_port.wait_for_unit("glances.service")
+    machine_custom_port.wait_for_open_port(5678)
+  '';
+
+  meta.maintainers = [ lib.maintainers.claha ];
+}
diff --git a/pkgs/applications/system/glances/default.nix b/pkgs/applications/system/glances/default.nix
index 1438e9729af4..e47ca24064a2 100644
--- a/pkgs/applications/system/glances/default.nix
+++ b/pkgs/applications/system/glances/default.nix
@@ -8,6 +8,8 @@
   packaging,
   psutil,
   setuptools,
+  pydantic,
+  nixosTests,
   # Optional dependencies:
   fastapi,
   jinja2,
@@ -69,6 +71,10 @@ buildPythonApplication rec {
     prometheus-client
   ] ++ lib.optional stdenv.hostPlatform.isLinux hddtemp;
 
+  passthru.tests = {
+    service = nixosTests.glances;
+  };
+
   meta = {
     homepage = "https://nicolargo.github.io/glances/";
     description = "Cross-platform curses-based monitoring tool";