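# NixOS module for birdwatcher: renders `services.birdwatcher.settings` to
# /etc/birdwatcher/birdwatcher.conf and runs the daemon as a hardened systemd
# service.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.birdwatcher;
in
{
  options = {
    services.birdwatcher = {
      package = mkOption {
        type = types.package;
        default = pkgs.birdwatcher;
        defaultText = literalExpression "pkgs.birdwatcher";
        description = lib.mdDoc "The Birdwatcher package to use.";
      };
      enable = mkEnableOption (lib.mdDoc "Birdwatcher");
      flags = mkOption {
        default = [ ];
        type = types.listOf types.str;
        # Every element is shell-escaped as ONE argument, so a flag and its value
        # must be separate list entries ("-worker-pool-size 16" as a single
        # element would reach the program as one argv entry).
        example = [ "-worker-pool-size" "16" "-6" ];
        description = lib.mdDoc ''
          Flags to append to the program call. Each list element is passed as a
          single argument, so give a flag and its value as separate elements.
        '';
      };

      settings = mkOption {
        type = types.lines;
        # `types.lines` is a string type; the previous attrset default `{ }` did
        # not match the declared type.
        default = "";
        description = lib.mdDoc ''
          birdwatcher configuration, for configuration options see the example on [github](https://github.com/alice-lg/birdwatcher/blob/master/etc/birdwatcher/birdwatcher.conf)
        '';
        example = literalExpression ''
          [server]
          allow_from = []
          allow_uncached = false
          modules_enabled = ["status",
                             "protocols",
                             "protocols_bgp",
                             "protocols_short",
                             "routes_protocol",
                             "routes_peer",
                             "routes_table",
                             "routes_table_filtered",
                             "routes_table_peer",
                             "routes_filtered",
                             "routes_prefixed",
                             "routes_noexport",
                             "routes_pipe_filtered_count",
                             "routes_pipe_filtered"
                            ]

          [status]
          reconfig_timestamp_source = "bird"
          reconfig_timestamp_match = "# created: (.*)"

          filter_fields = []

          [bird]
          listen = "0.0.0.0:29184"
          config = "/etc/bird/bird2.conf"
          birdc = "''${pkgs.bird}/bin/birdc"
          ttl = 5 # time to live (in minutes) for caching of cli output

          [parser]
          filter_fields = []

          [cache]
          use_redis = false # if not using redis cache, activate housekeeping to save memory!

          [housekeeping]
          interval = 5
          force_release_memory = true
        '';
      };
    };
  };

  config =
    let
      # Each flag is escaped on its own so whitespace or quotes inside a value
      # cannot split into additional arguments.
      flagsStr = escapeShellArgs cfg.flags;
    in
    lib.mkIf cfg.enable {
      # The rendered settings are installed under /etc; the service itself is
      # not told about the path, so birdwatcher is expected to look there on
      # its own — confirm against the package's default config search path.
      environment.etc."birdwatcher/birdwatcher.conf".source = pkgs.writeTextFile {
        name = "birdwatcher.conf";
        text = cfg.settings;
      };
      systemd.services = {
        birdwatcher = {
          wants = [ "network.target" ];
          after = [ "network.target" ];
          wantedBy = [ "multi-user.target" ];
          description = "Birdwatcher";
          # NOTE(review): no User/DynamicUser is set, so the daemon runs as root.
          # Presumably needed so birdc can reach bird's control socket — verify
          # whether a dedicated user in bird's group would suffice.
          serviceConfig = {
            Type = "simple";
            Restart = "on-failure";
            RestartSec = 15;
            # `flagsStr` was previously computed but never appended, so the
            # `flags` option had no effect.
            ExecStart = "${cfg.package}/bin/birdwatcher"
              + optionalString (cfg.flags != [ ]) " ${flagsStr}";
            StateDirectoryMode = "0700";
            UMask = "0117";
            NoNewPrivileges = true;
            ProtectSystem = "strict";
            PrivateTmp = true;
            PrivateDevices = true;
            ProtectHostname = true;
            ProtectClock = true;
            ProtectKernelTunables = true;
            ProtectKernelModules = true;
            ProtectKernelLogs = true;
            ProtectControlGroups = true;
            # One element per family; systemd merges repeated assignments.
            RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
            LockPersonality = true;
            MemoryDenyWriteExecute = true;
            RestrictRealtime = true;
            RestrictSUIDSGID = true;
            PrivateMounts = true;
            SystemCallArchitectures = "native";
            SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
            # Only the host files needed for name resolution, TLS trust and
            # time zone are exposed read-only; the leading "-" makes a missing
            # path non-fatal.
            BindReadOnlyPaths = [
              "-/etc/resolv.conf"
              "-/etc/nsswitch.conf"
              "-/etc/ssl/certs"
              "-/etc/static/ssl/certs"
              "-/etc/hosts"
              "-/etc/localtime"
            ];
          };
        };
      };
    };
}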