diff --git a/modules/module-list.nix b/modules/module-list.nix
index 697cc60e35e..08927d747ff 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -80,6 +80,7 @@
 ./services/hardware/udisks.nix
 ./services/hardware/upower.nix
 ./services/logging/klogd.nix
+ ./services/logging/logcheck.nix
 ./services/logging/logrotate.nix
 ./services/logging/logstash.nix
 ./services/logging/syslogd.nix
diff --git a/modules/services/logging/logcheck.nix b/modules/services/logging/logcheck.nix
new file mode 100644
index 00000000000..30a9bf870e9
--- /dev/null
+++ b/modules/services/logging/logcheck.nix
@@ -0,0 +1,138 @@ +{config, pkgs, ...}: + +with pkgs.lib; + +let + cfg = config.services.logcheck; + + rulesDir = pkgs.runCommand "logcheck-rules-dir" + {} ( + '' + mkdir $out + cp -prd ${pkgs.logcheck}/etc/logcheck/* $out/ + rm $out/logcheck.* + '' + optionalString (! builtins.isNull cfg.extraRulesDir) '' + cp -prd ${cfg.extraRulesDir}/* $out/ + '' ); + + configFile = pkgs.writeText "logcheck.conf" cfg.config; + + logFiles = pkgs.writeText "logcheck.logfiles" cfg.files; + + flags = "-r ${rulesDir} -c ${configFile} -L ${logFiles} -${levelFlag} -m ${cfg.mailTo}"; + + levelFlag = getAttrFromPath [cfg.level] + { "paranoid" = "p"; + "server" = "s"; + "workstation" = "w"; + }; + + cronJob = '' + @reboot logcheck env PATH=/var/setuid-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags} + 2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/setuid-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} + ''; + +in +{ + options = { + services.logcheck = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enable the logcheck cron job. + ''; + }; + + user = mkOption { + default = "logcheck"; + type = types.uniq types.string; + description = '' + Username for the logcheck user. + ''; + }; + + timeOfDay = mkOption { + default = "*"; + example = "6"; + type = types.uniq types.string; + description = '' + Time of day to run logcheck. A logcheck will be scheduled at xx:02 each day. + Leave default (*) to run every hour. Of course when nothing special was logged, + logcheck will be silent. + ''; + }; + + mailTo = mkOption { + default = "root"; + example = "you@domain.com"; + type = types.uniq types.string; + description = '' + Email address to send reports to. + ''; + }; + + level = mkOption { + default = "server"; + type = types.uniq types.string; + description = '' + Set the logcheck level. Either "workstation", "server", or "paranoid". 
+ '';
+ };
+
+ config = mkOption {
+ default = "FQDN=1";
+ type = types.string;
+ description = ''
+ Config options that you would like in logcheck.conf.
+ '';
+ };
+
+ files = mkOption {
+ default = [ "/var/log/messages" ];
+ type = types.listOf types.path;
+ example = [ "/var/log/messages" "/var/log/mail" ];
+ description = ''
+ Which log files to check.
+ '';
+ };
+
+ extraRulesDir = mkOption {
+ default = null;
+ example = "/etc/logcheck";
+ type = types.nullOr types.path;
+ description = ''
+ Directory with extra rules.
+ Will be merged with bundled rules, so it's possible to override certain behaviour.
+ '';
+ };
+
+ extraGroups = mkOption {
+ default = [];
+ type = types.listOf types.string;
+ example = [ "postdrop" "mongodb" ];
+ description = ''
+ Extra groups for the logcheck user, for example to be able to use sendmail,
+ or to access certain log files.
+ '';
+ };
+
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.extraUsers = singleton
+ { name = cfg.user;
+ shell = "/bin/sh";
+ description = "Logcheck user account";
+ extraGroups = cfg.extraGroups;
+ };
+
+ system.activationScripts.logcheck = ''
+ mkdir -m 700 -p /var/{lib,lock}/logcheck
+ chown ${cfg.user} /var/{lib,lock}/logcheck
+ '';
+
+ services.cron.systemCronJobs = [ cronJob ];
+ };
+}
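Review bot: `logFiles = pkgs.writeText "logcheck.logfiles" cfg.files` hands a Nix list straight to writeText, which coerces it to a single space-separated line, while as far as I know logcheck reads the `-L` file as one path per line; so any `files` value beyond the single default entry (including the module's own `example = [ "/var/log/messages" "/var/log/mail" ]`) is likely to be misread. I would write it as `logFiles = pkgs.writeText "logcheck.logfiles" (concatMapStrings (f: "${f}\n") cfg.files);`, with concatMapStrings already in scope through `with pkgs.lib`. Related, `level` is typed as a free string but is only ever looked up in the three-key attrset passed to getAttrFromPath, so a typo fails at evaluation time with an attribute-lookup error instead of an option-type error; constraining the type (an enum or an addCheck, whichever this lib version offers) would surface the mistake where it is made. The cron line and `flags` also interpolate `timeOfDay` and `mailTo` unquoted into a shell command; these are admin-controlled, but the option descriptions should at least state that the values are passed through to the command line as-is.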