nixos/unifi-poller: add unifi-poller service #95994
Conversation
| description = "Username used to access the unifi controller. The user needs read access."; | ||
| example = "unifipoller"; | ||
| }; | ||
| passwordFile = mkOption { |
There was a problem hiding this comment.
Unfortunately this is almost no safer than storing a password in the nix store because of DynamicUser...
There was a problem hiding this comment.
What are the alternatives?
There was a problem hiding this comment.
Ideally using LoadCredential. Until that lands in NixOS the better option would be a script in ExecStart which is executed as root and copies passwordFile into the private WorkingDirectoryStateDirectory (or such) folder so the DynamicUser service could read it (but no one else). As a last resort you could avoid DynamicUser... but then you are foregoing certain security features in favour of a secure passwordFile option which is not ideal.
The module is somewhat opionionanted in the sense that it supports multiple controllers only in the recommnded approach described in https://github.com/unifi-poller/unifi-poller/wiki/Prometheus#approach-4-recommended In the longterm this should replace unifi-exporter which is no longer maintained.
|
Thanks for this! I think I prefer the JSON-based approach in #96830 — it uses existing structured-data mechanisms and is less susceptible to escaping issues than generating shell script, as well as providing integration with the prometheus exporter structure and a test, albeit simple. Does this cover any use cases I may have missed which #96830 doesn't? |
|
@lheckemann I don't think it's missing anything. Closing in favor of #96830 |
Motivation for this change
Replace unifi_exporter and resolve #88846
It is not a drop in replacement so I added it in addition to the old unifi exporter.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)