fmt: formatted

CPUShares and MemoryLimit are depricated
Sep 05 20:30:42 marvin systemd[1]: /etc/systemd/system/splunk.service:9: Unit uses CPUShares=; please use CPUWeight= instead. Support for CPUShares= will be removed soon.
Sep 05 20:30:42 marvin systemd[1]: /etc/systemd/system/splunk.service:18: Unit uses MemoryLimit=; please use MemoryMax= instead. Support for MemoryLimit= will be removed soon.

applications/acme.nix

@@ -27,7 +27,6 @@ in {
     age.secrets.acme.file = ../secrets/dns_certs.secret.age;
 
     security.acme = {
-      preliminarySelfsigned = false;
       acceptTerms = true;
 
       defaults = {

applications/itd/splunk/module.nix

@@ -0,0 +1,189 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; let
+  name = "splunk";
+  cfg = config.services.itd."${name}";
+
+  package = pkgs.callPackage ./package.nix {};
+in {
+  imports = [];
+
+  options.services.itd."${name}" = {
+    enable = mkEnableOption "ITD Splunk";
+
+    user = {
+      user = mkOption {
+        type = types.str;
+        default = "splunk";
+      };
+      group = mkOption {
+        type = types.str;
+        default = "splunk";
+      };
+
+      home = mkOption {
+        type = types.str;
+        default = "/etc/itd/splunk";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # create user and group for the program
+    users.groups."${cfg.user.group}" = {};
+    users.users."${cfg.user.user}" = {
+      createHome = true;
+      isNormalUser = true;
+      home = cfg.user.home;
+      group = cfg.user.group;
+      # X11 is to ensure the directory can be traversed
+      homeMode = "711";
+    };
+
+    # might not be required
+    networking.firewall.allowedTCPPorts = [8089];
+
+    # need to set access controls
+    systemd.tmpfiles.rules = [
+      "a /var/log                 - - - - u:splunk:rx"
+      "a /var/log/auth.log        - - - - u:splunk:r "
+      "a /var/log/messages        - - - - u:splunk:r "
+      "a /var/log/secure          - - - - u:splunk:r "
+      "a /var/log/audit           - - - - u:splunk:rx"
+      "a /var/log/audit.log       - - - - u:splunk:r "
+      "a /var/log/audit/audit.log - - - - u:splunk:r "
+      "a /root                    - - - - u:splunk:rx"
+      "a /root/.bash_history      - - - - u:splunk:r "
+      "a /home/*                  - - - - u:splunk:rx"
+      "a /home/*/.bash_history    - - - - u:splunk:r "
+    ];
+
+    security.auditd = {
+      enable = true;
+      settings = {
+        log_group = cfg.user.group;
+      };
+    };
+
+    # set up the core files
+    systemd.services."${name}_prestart" = {
+      wantedBy = [
+        #      "gitlab.target"
+      ];
+      partOf = [
+        #      "gitlab.target"
+      ];
+      path = with pkgs; [util-linux];
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        Group = "root";
+        #        User = cfg.user.user;
+        #        Group = cfg.user.group;
+        #        TimeoutSec = "infinity";
+        #        Restart = "on-failure";
+        #        WorkingDirectory = "${cfg.package}/share/gitlab";
+        #        Slice = "system-gitlab.slice";
+        RemainAfterExit = true;
+        ExecStart = let
+          # from $SPLUNK_HOME/etc/splunk-launch.conf.default
+          splunk_launch = pkgs.writeText "splunk-launch" ''
+            SPLUNK_HOME=${cfg.user.home}
+            SPLUNK_SERVER_NAME=SplunkForwarder
+            PYTHONHTTPSVERIFY=0
+            PYTHONUTF8=1
+          '';
+
+          etc_passwd = pkgs.writeText "passwd" ''
+            :admin:$6$XOFhpq0Y1Ul1pejO$DUkXU6xSAKYrl3nLTPFS7LJqlnWC4r97SSikjCzv7XNEG6lgP32TZHyLDY/aJs8ZYyblZ5spfmnlMvh8Lxndi/::Administrator:admin:changeme@example.com:::20329
+          '';
+
+          deployment_client = pkgs.writeText "deploymentclient" ''
+            [deployment-client]
+            clientName = UL_client
+            [target-broker:deploymentServer]
+            targetUri = soc-deployment.heanet.ie:8089
+          '';
+        in
+          pkgs.writeShellScript "splunk-config" ''
+            set -o errexit -o pipefail -o nounset
+            shopt -s inherit_errexit
+
+            umask u=rwx,g=rx,o=
+
+            # start with a clean slate, it yells at ye if ye try to boot it up without doing this
+            rm -rf ${cfg.user.home}/*
+
+            chmod 771 -R ${cfg.user.home}
+
+            # pull in all relevent files
+            cp -f -R ${package}/* ${cfg.user.home}
+
+            chmod 771 -R ${cfg.user.home}
+            chown ${cfg.user.user}:${cfg.user.group} -R ${cfg.user.home}
+
+            # if [ ! -f ${cfg.user.home}/etc/splunk-launch.conf ]; then
+              export SPLUNK_HOME=${cfg.user.home}
+
+              cp ${splunk_launch} $SPLUNK_HOME/etc/splunk-launch.conf
+
+              cp ${etc_passwd} $SPLUNK_HOME/etc/passwd
+
+              # ensure the dir exists
+              mkdir -p $SPLUNK_HOME/etc/apps/000_ul_umbrio_essentials/local/
+              cp ${deployment_client} $SPLUNK_HOME/etc/apps/000_ul_umbrio_essentials/local/deploymentclient.conf
+
+              # make sure user permissions are correct
+              chmod 771 -R ${cfg.user.home}
+              chown ${cfg.user.user}:${cfg.user.group} -R ${cfg.user.home}
+
+              # run it to see if that works
+              runuser -u ${cfg.user.user} -- $SPLUNK_HOME/bin/splunk start --accept-license
+
+              # $SPLUNK_HOME/bin/splunk enable boot-start
+              # /etc/systemd/system/multi-user.target.wants/SplunkForwarder.service
+            # fi
+          '';
+      };
+    };
+
+    systemd.services."${name}" = {
+      wantedBy = [
+      ];
+      requires = [
+        "${name}_prestart.service"
+      ];
+      path = with pkgs; [util-linux toybox];
+      serviceConfig = {
+        Type = "simple";
+        Restart = "always";
+        Environment = "SPLUNK_HOME=${cfg.user.home}";
+        ExecStart = "${package}/bin/splunk  _internal_launch_under_systemd";
+        KillMode = "mixed";
+        KillSignal = "SIGINT";
+        TimeoutStopSec = 360;
+        LimitNOFILE = 65536;
+        LimitRTPRIO = 99;
+        SuccessExitStatus = "51 52";
+        RestartPreventExitStatus = 51;
+        RestartForceExitStatus = 52;
+        User = cfg.user.user;
+        Group = cfg.user.group;
+        NoNewPrivileges = "yes";
+        AmbientCapabilities = "CAP_DAC_READ_SEARCH";
+
+        # ExecStartPre=-/bin/bash -c "chown -R splunk:splunk /opt/splunkforwarder"
+        Delegate = "true";
+        #         CPUShares=1024;
+        #         MemoryLimit=3973632000;
+        PermissionsStartOnly = "true";
+        # ExecStartPost=-/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/cpu/system.slice/%n"
+        # ExecStartPost=-/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/memory/system.slice/%n"
+      };
+    };
+  };
+}

applications/itd/splunk/package.nix

@@ -0,0 +1,48 @@
+{
+  stdenv,
+  lib,
+  fetchurl,
+  gnused,
+  openssl,
+  zlib,
+  autoPatchelfHook,
+}:
+stdenv.mkDerivation rec {
+  pname = "splunk-forwarder";
+  version = "9.1.7";
+  version_long = "${version}-e17104057ef0";
+
+  src = fetchurl {
+    url = "https://download.splunk.com/products/universalforwarder/releases/${version}/linux/splunkforwarder-${version_long}-Linux-x86_64.tgz";
+    hash = "sha256-EWpfenEhExe5qDscqb7ZQUwahYgAgPQ+APLlweRQAoc=";
+  };
+
+  nativeBuildInputs = [autoPatchelfHook];
+
+  buildInputs = [
+    #    alsaLib
+    openssl
+    zlib
+    gnused
+  ];
+
+  sourceRoot = ".";
+
+  installPhase = ''
+    runHook preInstall
+    # gets unzipped and we just pop it all into teh output
+    cp -R ./splunkforwarder $out
+
+    # Splunk is doing a crime by deciding what teh path is, need to comment out this line in /bin/pid_check.sh
+    # PATH=/usr/xpg4/bin:/usr/bin:/bin
+    find $out -type f -name "*.sh" -print0 | xargs -0 sed -i -e 's/PATH=/#PATH=/g'
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://splunk.com";
+    description = "Logging Service";
+    platforms = platforms.linux;
+  };
+}

flake.lock

@@ -910,11 +910,11 @@
     },
     "nixpkgs_7": {
       "locked": {
-        "lastModified": 1751271578,
+        "lastModified": 1756787288,
-        "narHash": "sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU+tt4YY=",
+        "narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df",
+        "rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1",
         "type": "github"
       },
       "original": {

machines/marvin.nix

@@ -30,6 +30,7 @@ Notes:
   groups_trusted = map (x: "@${x}") groups;
 in {
   imports = [
+    ../applications/itd/splunk/module.nix
   ];
 
   deployment = {
@@ -58,4 +59,8 @@ in {
     host = host;
     backup.enable = true;
   };
+
+  services.itd.splunk = {
+    enable = true;
+  };
 }