vulnix integration
This commit is contained in:
parent
758438382d
commit
436855d8c1
11 changed files with 172 additions and 2 deletions
|
|
@ -9,6 +9,7 @@ package:
|
|||
|
||||
let
|
||||
tempSensorOptions = (import ./submodules/tempSensorOptions.nix) { inherit lib; };
|
||||
vulnixWhitelistRule = (import ./submodules/vulnixWhitelistRule.nix) { inherit lib; };
|
||||
in
|
||||
{
|
||||
options.services.lego-monitoring = {
|
||||
|
|
@ -19,6 +20,7 @@ in
|
|||
"start"
|
||||
"stop"
|
||||
"temp"
|
||||
"vulnix"
|
||||
]);
|
||||
default = [ ];
|
||||
description = "List of enabled check sets. Each check set is a module which checks something and generates alerts based on check results.";
|
||||
|
|
@ -63,12 +65,40 @@ in
|
|||
'';
|
||||
};
|
||||
};
|
||||
|
||||
vulnix = {
|
||||
whitelist = lib.mkOption {
|
||||
type = lib.types.attrsOf (lib.types.submodule vulnixWhitelistRule);
|
||||
default = { };
|
||||
description = "Whitelist rules for vulnix. Attr name is package with version, package name, or `*`.";
|
||||
example = lib.literalExpression ''{
|
||||
"ffmpeg-3.4.2" = {
|
||||
cve = [ "CVE-2018-6912" "CVE-2018-7557" ];
|
||||
until = "2018-05-01";
|
||||
issueUrl = "https://issues.example.com/29952";
|
||||
};
|
||||
}'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = let
|
||||
cfg = config.services.lego-monitoring;
|
||||
json = pkgs.formats.json {};
|
||||
toml = pkgs.formats.toml {};
|
||||
|
||||
# This monstrous incantation has the effect of converting the options to snake_case
|
||||
# and removing those that are null (because TOML does not support null values)
|
||||
vulnixWhitelistFile = toml.generate "vulnix-whitelist.toml" (lib.attrsets.filterAttrsRecursive (
|
||||
k: v: v != null
|
||||
) (
|
||||
lib.mapAttrs (_: rule: {
|
||||
inherit (rule) cve until;
|
||||
issue_url = rule.issueUrl;
|
||||
}) cfg.checks.vulnix.whitelist
|
||||
));
|
||||
|
||||
serviceConfigFile = json.generate "config.json" {
|
||||
enabled_check_sets = cfg.enabledCheckSets;
|
||||
telegram = with cfg.telegram; {
|
||||
|
|
@ -88,6 +118,8 @@ in
|
|||
}) sensorCfg.readings;
|
||||
|
||||
}) cfg.checks.temp.sensors;
|
||||
|
||||
vulnix.whitelist_path = vulnixWhitelistFile;
|
||||
};
|
||||
};
|
||||
in lib.mkIf cfg.enable {
|
||||
|
|
|
|||
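Review bot: The whitelist written by `vulnixWhitelistFile` (the `toml.generate` call under the `# This monstrous incantation` comment) drops every null field, so a rule whose `cve` is unset becomes a bare table for that name; if I remember vulnix's whitelist format correctly, a table with no `cve` list whitelists every CVE for the matching name, and together with the `*` name the option description allows, an empty rule would silently suppress all findings. Whether `cve` can be null depends on `./submodules/vulnixWhitelistRule.nix`, which is outside this view; if it can, say so in the option description, e.g. append `A rule without a cve list whitelists every CVE for the matching name.`, and consider typing `until` with `lib.types.strMatching` so a malformed date fails at evaluation rather than when the check runs. The comment about converting options to snake_case overstates what the code does, since only `issueUrl` is renamed; `# Rename issueUrl -> issue_url and drop null fields (TOML has no null)` would be accurate. The whitelist file is also generated and referenced from `serviceConfigFile` even when `"vulnix"` is not in `enabledCheckSets`, which is harmless but worth a one-line comment. The `config = let` body and the closing `in lib.mkIf cfg.enable {` continue outside these hunks.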