NixOS Module
The flake exports nixosModules.default and nixosModules.codex-quota-monitor.
Minimal Example
{
inputs.codexQuotaMonitor.url = "github:<owner>/codex-quota-monitor";
outputs = inputs@{ self, nixpkgs, codexQuotaMonitor, ... }: {
nixosConfigurations.my-host = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
codexQuotaMonitor.nixosModules.default
({ ... }: {
services.codexQuotaMonitor = {
enable = true;
installCli = true;
managementBaseUrl = "http://127.0.0.1:8317";
managementKeyFile = "/path/to/management-key";
gatewayHealthUrl = "http://127.0.0.1:8317/healthz";
authDir = "/path/to/auth-files";
# Optional and disabled by default. This writes live_plan_* metadata
# back to CPA auth files for routers that consume fresh plan state.
# authLivePlanSync.enable = true;
};
})
];
};
};
}
Key Options
services.codexQuotaMonitor.enableservices.codexQuotaMonitor.packageservices.codexQuotaMonitor.installCliservices.codexQuotaMonitor.userservices.codexQuotaMonitor.groupservices.codexQuotaMonitor.listenAddressservices.codexQuotaMonitor.allowedHostsservices.codexQuotaMonitor.portservices.codexQuotaMonitor.demoservices.codexQuotaMonitor.managementBaseUrlservices.codexQuotaMonitor.managementKeyFileservices.codexQuotaMonitor.manualQuotaRefreshAuthservices.codexQuotaMonitor.allowBrowserKeyStorageservices.codexQuotaMonitor.gatewayHealthUrl(http(s)orfileJSON URL)services.codexQuotaMonitor.authDirservices.codexQuotaMonitor.authLivePlanSync.enableservices.codexQuotaMonitor.refreshSecondsservices.codexQuotaMonitor.usageRefreshSecondsservices.codexQuotaMonitor.directQuotaRecoverySecondsservices.codexQuotaMonitor.timeoutSecondsservices.codexQuotaMonitor.weeklyToFiveHourMultiplierservices.codexQuotaMonitor.stateDbservices.codexQuotaMonitor.clientLabelsFileservices.codexQuotaMonitor.usageQueueRawEventLogservices.codexQuotaMonitor.historyWriteSecondsservices.codexQuotaMonitor.historyRetentionDaysservices.codexQuotaMonitor.benchmarkSummaryservices.codexQuotaMonitor.displayTimezoneservices.codexQuotaMonitor.displayLocaleservices.codexQuotaMonitor.uiFontFamilyservices.codexQuotaMonitor.monoFontFamilyservices.codexQuotaMonitor.alertFiveHourMinPlusservices.codexQuotaMonitor.alertWeeklyMinPlusservices.codexQuotaMonitor.alertRoutableAccountsMinservices.codexQuotaMonitor.openFirewallservices.codexQuotaMonitor.logLevelservices.codexQuotaMonitor.logFormatservices.codexQuotaMonitor.accessLog
Defaults
- Bind address:
127.0.0.1 - Allowed browser hosts/origins: loopback only unless
allowedHostsis set - Port:
4515 - Demo mode: disabled; set
demo = trueonly for a zero-secret preview with built-in sample data - Management gateway:
http://127.0.0.1:8317 - Management key file: disabled by default; for bare CPA set
managementKeyFileto a runtime secret path containing the same plaintext value as CPAremote-management.secret-key; omit it only whenmanagementBaseUrlpoints at a local key-injecting proxy - Manual quota refresh auth:
ui-token; the browser receives an in-page refresh token and does not need the CPA management key. SetmanualQuotaRefreshAuth = "management-key"only for legacy behavior, or"none"only for trusted local deployments. - Browser key storage: disabled; only applies to legacy
manualQuotaRefreshAuth = "management-key"deployments where localStorage persistence is acceptable - Auth live plan sync: disabled. When
authLivePlanSync.enable = true, the module adds a separate timer/oneshot that writes direct Codex plan samples back to auth files aslive_plan_*metadata. This requiresauthDirand gives only the sync unit write access to that directory; the dashboard service remains read-only with respect to auth files. The sync runner refuses to replace an auth file unless it can preserve the original owner and group, so run the unit as the auth-file owner or provide a deployment-specific systemd override. - Firewall: closed
- Interactive CLI: not installed into the system profile by default; set
installCli = truewhen users should be able to runcodex-quota-monitor,cqm, orcodex-quota-benchmarkdirectly from the host shell - Service account:
codex-quota-monitor - Usage refresh interval:
null; the CLI default followsrefreshSeconds. SetusageRefreshSecondsto sample CPA/v0/management/usageless often than ordinary health/auth/config refreshes. - Weekly-to-5h multiplier:
6.0; setweeklyToFiveHourMultiplier = nullto disable the cap. Weekly exhaustion still removes that account from total 5h capacity. - SQLite history DB:
/var/lib/codex-quota-monitor/history.sqlite3; setstateDb = nullto disable Trends, Audit, the Stats time-series workbench, and native history backup. - Usage queue raw event log: disabled by default. Set
usageQueueRawEventLogto a sanitized CLIProxyAPI v7 usage queue collector JSONL path, such as/var/lib/cli-proxy-api/usage-queue/events.jsonl, to import new request details into the SQLite-backed Stats workbench. - Client labels file: disabled by default. Set
clientLabelsFileto a runtime JSON file path to enable the Statsclientgrouping; the module only passes the path, so keep real CPA API names in/run/secrets,/etc, or another protected runtime file rather than inline Nix text. - History write interval:
60seconds - History retention:
30days - Benchmark summary: disabled until
benchmarkSummarypoints to acodex-quota-benchmarksummary.json - Display timezone:
local; setdisplayTimezone = "UTC";,displayTimezone = "Asia/Shanghai";, or another IANA timezone for fixed reset-time display - Display locale:
auto; the dashboard follows the browser locale and currently supportsenandzh-CN. SetdisplayLocale = "en";ordisplayLocale = "zh-CN";for a fixed service default. - UI font family: neutral system UI stack by default. Set
uiFontFamilyto a CSSfont-familylist when the operator wants a site-wide default. - Mono font family: neutral system monospace stack by default. Set
monoFontFamily = "\"Maple Mono NF CN\", ui-monospace, monospace";or another CSS stack when the browser host has that font installed. - Threshold alerts: disabled until an
alert*option is set; they are exposed through/api/v1/alerts - Logging:
logLevel = "INFO",logFormat = "text", andaccessLog = true. Logs are written to stderr for journald; setlogFormat = "json"for one JSON object per line.
Browser-local preferences in the dashboard override these service defaults for
the current browser only. Locale, timezone, and font preferences are separate:
locale controls UI language and browser-side date/number formatting, timezone
controls reset-time display, and fonts only select CSS font-family stacks. The
project does not bundle fonts; a named font is used only when the device
rendering the page already has it installed.
If you want LAN access from a phone or small-screen browser, set
listenAddress = "0.0.0.0", add the browser-facing hostname or IP to
allowedHosts, and set openFirewall = true intentionally. That only makes the
dashboard reachable and allows the expected Host / Origin; it does not
authenticate viewers. Protect LAN or public access with firewall rules and an
authenticated reverse proxy or access layer.