Documentation
Index
- type CPUMetricsConfig
- type DiskMetricsConfig
- type DockerConfig
- type DockerSectionConfig
- type FilesConfig
- type HostMetricsConfig
- type JournalConfig
- type MemoryMetricsConfig
- type MetricsConfig
- type NetworkMetricsConfig
- type PathRule
- type ProcessMetricsConfig
- type ResolvedIdentity
- type SystemdConfig
- type UnitConfig
- type VarScope
- type VarsConfig
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type CPUMetricsConfig
type CPUMetricsConfig struct {
	Enabled bool `toml:"enabled"`
}
CPUMetricsConfig controls GET /integrations/metrics/cpu.
type DiskMetricsConfig
type DiskMetricsConfig struct {
	Enabled bool `toml:"enabled"`
	// Paths restricts disk stats to specific mount points.
	// All entries must be absolute paths.
	// If empty, all mounted filesystems are reported.
	Paths []string `toml:"paths"`
}
DiskMetricsConfig controls GET /integrations/metrics/disk.
type DockerConfig (added in v0.2.5)
type DockerConfig struct {
	Enabled    bool
	Containers DockerSectionConfig `toml:"containers"`
	Images     DockerSectionConfig `toml:"images"`
	Compose    DockerSectionConfig `toml:"compose"`
	Swarm      DockerSectionConfig `toml:"swarm"`
}
DockerConfig is the parsed and validated representation of docker.toml. Enabled is set to true only after a successful load — absent file means the docker integration is disabled (503), not an error.
type DockerSectionConfig (added in v0.2.5)
type DockerSectionConfig struct {
	// Enabled gates all operations in this section.
	// If false, all endpoints in the section return 403 regardless of Allow.
	Enabled bool `toml:"enabled"`
	// Allow is the list of permitted operations within this section.
	// Valid values differ per section and are validated at startup.
	// An unknown value causes a fatal config error with the valid set listed.
	Allow []string `toml:"allow"`
}
DockerSectionConfig is the common shape for every docker.toml section. Enabled gates the entire section. Allow is the set of permitted operations within that section — validated at load time against the section's closed set of valid values.
func (DockerSectionConfig) Permits (added in v0.2.5)
func (s DockerSectionConfig) Permits(op string) bool
Permits returns true if the section is enabled and op is in the allow list. Callers use this instead of inspecting Allow directly.
type FilesConfig
FilesConfig is the parsed and validated representation of files.toml.
func (*FilesConfig) MatchPathRule (added in v0.2.5)
func (cfg *FilesConfig) MatchPathRule(path string) (PathRule, string, bool)
MatchPathRule finds the longest-prefix read rule covering path.
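Longest-prefix matching over directory rules, and why PathRule.Dir is required to end with "/", shown as an added example (not this package's code). The dirRule type, the function names, the sample rules and the decision to clean the path lexically before matching are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// dirRule is a hypothetical stand-in for PathRule (Dir and Allow only).
type dirRule struct {
	Dir   string   // absolute, ends with "/" so "/srv/app/" cannot match "/srv/app-private/"
	Allow []string // "read", "write"
}

var sampleRules = []dirRule{ // constructed for this example
	{Dir: "/srv/", Allow: []string{"read"}},
	{Dir: "/srv/app/", Allow: []string{"read", "write"}},
}

// matchLongest returns the rule whose Dir is the longest prefix of the
// lexically cleaned path (assumed semantics, not the package's own code).
// path.Clean does not resolve symlinks; that has to be handled at open time.
func matchLongest(rules []dirRule, p string) (best dirRule, found bool) {
	clean := path.Clean(p) // collapse "." and ".." before matching
	for _, r := range rules {
		if strings.HasPrefix(clean, r.Dir) && len(r.Dir) > len(best.Dir) {
			best, found = r, true
		}
	}
	return best, found
}

// allowed reports whether op is permitted on p; no matching rule means deny.
func allowed(rules []dirRule, p, op string) bool {
	r, _ := matchLongest(rules, p) // the zero rule has an empty Allow
	for _, a := range r.Allow {
		if a == op {
			return true
		}
	}
	return false
}

func main() {
	for _, p := range []string{"/srv/app/data.txt", "/srv/app-private/key", "/srv/app/../app-private/key"} {
		fmt.Printf("%-28s write=%v\n", p, allowed(sampleRules, p, "write"))
	}
}
```

The sibling directory and the ".." path both fall through to the broader read-only "/srv/" rule instead of inheriting write access from "/srv/app/".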
type HostMetricsConfig
type HostMetricsConfig struct {
	Enabled bool `toml:"enabled"`
}
HostMetricsConfig controls GET /integrations/metrics/host.
type JournalConfig
type JournalConfig struct {
	// Enabled gates the per-unit journal endpoint
	// (GET /integrations/systemd/units/{unit}/journal).
	Enabled bool `toml:"enabled"`
	// Priority is the minimum log severity to return.
	// Valid values: emerg, alert, crit, err, warning, notice, info, debug.
	// Defaults to "info" if omitted.
	Priority string `toml:"priority"`
	// Lines is the default number of journal lines returned per request.
	// Must be a positive integer. Defaults to 100 if omitted.
	Lines int `toml:"lines"`
	// SystemJournal permits GET /integrations/systemd/journal (system-wide).
	// Kept as a dedicated bool because it is a distinct endpoint, not an
	// operation variant of the per-unit journal.
	SystemJournal bool `toml:"system_journal"`
}
JournalConfig controls journal retrieval behaviour. It applies to both per-unit journal endpoints and the system-wide journal.
type MemoryMetricsConfig
type MemoryMetricsConfig struct {
	Enabled bool `toml:"enabled"`
}
MemoryMetricsConfig controls GET /integrations/metrics/memory.
type MetricsConfig
type MetricsConfig struct {
	Enabled   bool
	Host      HostMetricsConfig    `toml:"host"`
	CPU       CPUMetricsConfig     `toml:"cpu"`
	Memory    MemoryMetricsConfig  `toml:"memory"`
	Disk      DiskMetricsConfig    `toml:"disk"`
	Network   NetworkMetricsConfig `toml:"network"`
	Processes ProcessMetricsConfig `toml:"processes"`
}
MetricsConfig is the parsed and validated representation of metrics.toml.
Each sub-section maps to one metrics endpoint group. Sections are independent — enabling disk does not require enabling cpu, and so on.
type NetworkMetricsConfig
type NetworkMetricsConfig struct {
	Enabled bool `toml:"enabled"`
	// Interfaces restricts stats to specific network interfaces by name.
	// If empty, all interfaces are reported.
	Interfaces []string `toml:"interfaces"`
}
NetworkMetricsConfig controls GET /integrations/metrics/network.
type PathRule
type PathRule struct {
	// Dir is the directory this rule applies to.
	// Must be an absolute path ending with "/".
	Dir string `toml:"dir"`
	// Allow is the list of permitted operations for this directory.
	// Valid values: "read", "write".
	Allow []string `toml:"allow"`
	// UseAsUser is the username to drop to when writing files to this path.
	// Requires the daemon to hold CAP_SETUID (granted by AmbientCapabilities
	// in the systemd unit). If absent, writes succeed as the daemon user.
	// Resolved to UseAs at load time via os/user.Lookup.
	UseAsUser string `toml:"use_as"`
	// UseAs is the resolved identity for UseAsUser.
	// Zero value (Set=false) means no privilege drop: write as daemon user.
	// Populated by LoadFilesConfig; never set directly by callers.
	UseAs ResolvedIdentity `toml:"-"`
	// Defaults to false.
	Share bool `toml:"share"`
}
PathRule defines access permissions for a single directory.
Dir must be an absolute path ending with "/". Allow contains the permitted operations for that directory. UseAsUser is the optional username to drop to when writing files. UseAs is the resolved identity, populated at load time.
When use_as is set but cannot be honoured (CAP_SETUID absent or username not found), a warning is logged at startup and the write proceeds as the daemon user; the write is NOT disabled.
type ProcessMetricsConfig
type ProcessMetricsConfig struct {
	Enabled bool `toml:"enabled"`
	// Limit caps the number of processes returned, sorted by CPU usage desc.
	// Must be a positive integer, maximum 100.
	// Uses a pointer so we can distinguish "omitted" (nil → default 20)
	// from "explicitly set to 0" (→ validation error).
	Limit *int `toml:"limit"`
}
ProcessMetricsConfig controls GET /integrations/metrics/processes.
type ResolvedIdentity
type ResolvedIdentity struct {
	UID int
	GID int
	Set bool // true when a use_as user was successfully resolved
}
ResolvedIdentity holds a uid/gid resolved from a username at startup.
type SystemdConfig
type SystemdConfig struct {
	Enabled bool
	Units   UnitConfig    `toml:"units"`
	Journal JournalConfig `toml:"journal"`
}
SystemdConfig is the parsed and validated representation of systemd.toml.
type UnitConfig
type UnitConfig struct {
	// Enabled gates all unit operations.
	Enabled bool `toml:"enabled"`
	// Allow is the list of permitted unit operations.
	// Valid values: list, inspect, unit_file, logs, start, stop, restart,
	// reload, enable, disable.
	// An unknown value is a fatal config error.
	Allow []string `toml:"allow"`
}
UnitConfig controls which systemd unit operations are permitted.
func (UnitConfig) Permits (added in v0.2.5)
func (u UnitConfig) Permits(op string) bool
Permits returns true if unit operations are enabled and op is present in the allow list.
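The gating that UnitConfig.Permits and DockerSectionConfig.Permits are documented to apply, together with load-time validation against a closed set, as an added example rather than this package's code. The section type, the function names and the error wording are assumptions; the valid operations are the ones listed in the UnitConfig comment.

```go
package main

import (
	"fmt"
	"strings"
)

// section is a hypothetical stand-in for UnitConfig / DockerSectionConfig.
type section struct {
	Enabled bool
	Allow   []string
}

// validUnitOps is the closed set listed in the UnitConfig field comment.
var validUnitOps = []string{"list", "inspect", "unit_file", "logs", "start",
	"stop", "restart", "reload", "enable", "disable"}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// validate returns an error for the first Allow entry outside the closed
// set and lists the valid values (assumed wording), so a typo in the config
// is caught at load time instead of silently never matching.
func validate(s section, valid []string) error {
	for _, op := range s.Allow {
		if !contains(valid, op) {
			return fmt.Errorf("unknown operation %q (valid: %s)", op, strings.Join(valid, ", "))
		}
	}
	return nil
}

// permits is true only if the section is enabled and op is in Allow, so a
// populated Allow list grants nothing while Enabled is false.
func (s section) permits(op string) bool {
	return s.Enabled && contains(s.Allow, op)
}

func main() {
	off := section{Enabled: false, Allow: []string{"restart"}} // constructed sample
	fmt.Println("disabled section permits restart:", off.permits("restart"))
	fmt.Println(validate(section{Enabled: true, Allow: []string{"restrat"}}, validUnitOps))
}
```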
type VarScope
type VarScope struct {
	// Project is the project identifier (e.g. "myapp").
	// Must match ^[a-z0-9_-]+$.
	Project string `toml:"project"`
	// Env is the environment identifier (e.g. "prod", "staging").
	// Must match ^[a-z0-9_-]+$.
	Env string `toml:"env"`
	// Allow is the list of permitted operations for this scope.
	// Valid values: "read", "write".
	// At least one value is required.
	Allow []string `toml:"allow"`
}
VarScope defines access permissions for a single project+env combination.
Project and Env must both match ^[a-z0-9_-]+$. Allow must contain at least one of "read" or "write". Duplicate project/env pairs are a validation error.
type VarsConfig
VarsConfig is the parsed and validated representation of vars.toml.