add the checkmk agent and config

checkmk-agent.nix

@@ -0,0 +1,22 @@
+{ lib, pkgs, ... }:
+
+let
+	agentcmd = "${ (pkgs.callPackage ./checkmk-agent/default.nix { }) }/bin/check_mk_agent.sshwrapper";
+in
+{
+  users.users.mon = {
+	  isNormalUser = true;
+		extraGroups = [ "wheel" ];
+		openssh.authorizedKeys.keys = [
+			''restrict,command="${ agentcmd }" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHkivi9Ye/Uj4ZQxrEfarSaz0iLF/XXhY/crNsLoDMu checkmk''
+    ];
+	};
+	security.sudo.extraRules = [ {
+		users = [ "mon" ];
+		commands = [ {
+			command = agentcmd;
+			options = [ "NOPASSWD" ];
+			} ];
+		}
+	];
+}

checkmk-agent/default.nix

@@ -0,0 +1,26 @@
+{ stdenv, lib, makeWrapper }:
+
+stdenv.mkDerivation rec {
+  name = "checkmk-agent";
+  src = ./agent.tar.gz;
+  phases = [ "unpackPhase" "installPhase" "fixupPhase" "wrapPhase" ];
+  buildInputs = [ ];
+  nativeBuildInputs = [ makeWrapper ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    install -m 0755 check_mk_agent.linux $out/bin/check_mk_agent
+    substitute sshwrapper $out/bin/check_mk_agent.sshwrapper \
+      --replace SUDOCOMMAND "$out/bin/check_mk_agent"
+    chmod 0755 $out/bin/check_mk_agent.sshwrapper
+    '';
+  wrapPhase = ''
+    wrapProgram $out/bin/check_mk_agent --suffix PATH : /run/current-system/sw/bin
+    '';
+
+  meta = with lib; {
+    description = "checkmk-agent";
+    platforms   = platforms.all;
+  };
+}
+

checkmk-agent/files/sshwrapper

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# The agent does not need stdin
+exec </dev/null
+exec sudo --non-interactive -- SUDOCOMMAND

configuration.nix

@@ -9,6 +9,7 @@
     [
       ./hardware-configuration.nix
       ./acme.nix
+      ./checkmk-agent.nix
       ./sshusers.nix
       ./mailserver.nix
       ./borgbackup.nix