nixos/unifi-poller: add unifi-poller service #95994
description = "Username used to access the unifi controller. The user needs read access."; | ||
example = "unifipoller"; | ||
}; | ||
passwordFile = mkOption { |
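Review bot: the username option's description says only "The user needs read access."; reword it to say that a read-only controller account is sufficient and is what should be configured, so nobody supplies an administrator login for a metrics poller. For the passwordFile option opened on the last line, its description should say that the path is read at service start and must point outside the Nix store.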
Unfortunately this is almost no safer than storing a password in the nix store because of DynamicUser
...
What are the alternatives?
Ideally using LoadCredential. Until that lands in NixOS the better option would be a script in ExecStart which is executed as root and copies passwordFile into the private WorkingDirectory StateDirectory (or such) folder so the DynamicUser service could read it (but no one else). As a last resort you could avoid DynamicUser ... but then you are foregoing certain security features in favour of a secure passwordFile option which is not ideal.
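The interim approach from the comment above (a root-run step that copies the secret into the service's private state directory), sketched as a shell helper. This is an added example, not code from this PR or from nixpkgs; the function name `stage_secret`, its arguments and the default file name `password` are hypothetical, and it assumes GNU coreutils and that systemd has already created the state directory owned by the dynamic user.

```shell
#!/bin/sh
# Added example (not from the PR): stage a secret for a DynamicUser= service.
# Intended to run as root before the service starts, e.g. from an
# ExecStartPre= line with the "+" prefix. All names here are hypothetical.
# Assumes GNU coreutils (chown --reference, mktemp).

# stage_secret SRC DEST_DIR [NAME]
#   SRC       root-only secret outside the Nix store (the passwordFile value)
#   DEST_DIR  the service's private state directory
#   NAME      file name to create inside DEST_DIR (default: password)
stage_secret() {
    src=$1
    dest_dir=$2
    name=${3:-password}

    if [ ! -f "$src" ] || [ ! -r "$src" ]; then
        echo "stage_secret: cannot read source '$src'" >&2
        return 1
    fi
    if [ ! -d "$dest_dir" ]; then
        echo "stage_secret: '$dest_dir' is not a directory" >&2
        return 1
    fi
    case $name in
        */*|.|..) echo "stage_secret: bad file name '$name'" >&2; return 1 ;;
    esac

    (
        # Subshell keeps the umask and the cleanup trap local to this call.
        umask 077
        tmp=$(mktemp "$dest_dir/.stage.XXXXXX") || exit 1
        trap 'rm -f "$tmp"' EXIT
        # The copy is never world-readable: created 0600, then handed to the
        # directory's owner (the dynamic user) and made read-only.
        cat "$src" > "$tmp" &&
            chown --reference="$dest_dir" "$tmp" &&
            chmod 0400 "$tmp" &&
            mv -f "$tmp" "$dest_dir/$name"
    )
}

# Allow direct use: stage-secret.sh SRC DEST_DIR [NAME]
if [ "$#" -ge 2 ]; then
    stage_secret "$@"
fi
```

The temporary file plus rename means the service never sees a partially written or wrongly owned password file, and a restart simply replaces the previous copy.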
The module is somewhat opinionated in the sense that it supports multiple controllers only in the recommended approach described in https://github.com/unifi-poller/unifi-poller/wiki/Prometheus#approach-4-recommended. In the long term this should replace unifi-exporter which is no longer maintained.
Thanks for this! I think I prefer the JSON-based approach in #96830 — it uses existing structured-data mechanisms and is less susceptible to escaping issues than generating shell script, as well as providing integration with the prometheus exporter structure and a test, albeit simple. Does this cover any use cases I may have missed which #96830 doesn't?
@lheckemann I don't think it's missing anything. Closing in favor of #96830
Motivation for this change
Replace unifi_exporter and resolve #88846
It is not a drop-in replacement so I added it in addition to the old unifi exporter.