nixos/modules/services/networking/bird.nix at 23.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / services / networking / bird.nix
at 23.11-pre 3.2 kB view raw
  1{ config, lib, pkgs, ... }:
  2
  3let
  4  inherit (lib) mkEnableOption mkIf mkOption optionalString types;
  5
  6  cfg = config.services.bird2;
  7  caps = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" ];
  8in
  9{
 10  ###### interface
 11  options = {
 12    services.bird2 = {
 13      enable = mkEnableOption (lib.mdDoc "BIRD Internet Routing Daemon");
 14      config = mkOption {
 15        type = types.lines;
 16        description = lib.mdDoc ''
 17          BIRD Internet Routing Daemon configuration file.
 18          <http://bird.network.cz/>
 19        '';
 20      };
 21      checkConfig = mkOption {
 22        type = types.bool;
 23        default = true;
 24        description = lib.mdDoc ''
 25          Whether the config should be checked at build time.
 26          When the config can't be checked during build time, for example when it includes
 27          other files, either disable this option or use `preCheckConfig` to create
 28          the included files before checking.
 29        '';
 30      };
 31      preCheckConfig = mkOption {
 32        type = types.lines;
 33        default = "";
 34        example = ''
 35          echo "cost 100;" > include.conf
 36        '';
 37        description = lib.mdDoc ''
 38          Commands to execute before the config file check. The file to be checked will be
 39          available as `bird2.conf` in the current directory.
 40
 41          Files created with this option will not be available at service runtime, only during
 42          build time checking.
 43        '';
 44      };
 45    };
 46  };
 47
 48
 49  imports = [
 50    (lib.mkRemovedOptionModule [ "services" "bird" ] "Use services.bird2 instead")
 51    (lib.mkRemovedOptionModule [ "services" "bird6" ] "Use services.bird2 instead")
 52  ];
 53
 54  ###### implementation
 55  config = mkIf cfg.enable {
 56    environment.systemPackages = [ pkgs.bird ];
 57
 58    environment.etc."bird/bird2.conf".source = pkgs.writeTextFile {
 59      name = "bird2";
 60      text = cfg.config;
 61      checkPhase = optionalString cfg.checkConfig ''
 62        ln -s $out bird2.conf
 63        ${cfg.preCheckConfig}
 64        ${pkgs.bird}/bin/bird -d -p -c bird2.conf
 65      '';
 66    };
 67
 68    systemd.services.bird2 = {
 69      description = "BIRD Internet Routing Daemon";
 70      wantedBy = [ "multi-user.target" ];
 71      reloadTriggers = [ config.environment.etc."bird/bird2.conf".source ];
 72      serviceConfig = {
 73        Type = "forking";
 74        Restart = "on-failure";
 75        User = "bird2";
 76        Group = "bird2";
 77        ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf";
 78        ExecReload = "${pkgs.bird}/bin/birdc configure";
 79        ExecStop = "${pkgs.bird}/bin/birdc down";
 80        RuntimeDirectory = "bird";
 81        CapabilityBoundingSet = caps;
 82        AmbientCapabilities = caps;
 83        ProtectSystem = "full";
 84        ProtectHome = "yes";
 85        ProtectKernelTunables = true;
 86        ProtectControlGroups = true;
 87        PrivateTmp = true;
 88        PrivateDevices = true;
 89        SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
 90        MemoryDenyWriteExecute = "yes";
 91      };
 92    };
 93    users = {
 94      users.bird2 = {
 95        description = "BIRD Internet Routing Daemon user";
 96        group = "bird2";
 97        isSystemUser = true;
 98      };
 99      groups.bird2 = { };
100    };
101  };
102}