nixos/modules/services/networking/bird.nix at 24.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / services / networking / bird.nix
at 24.11-pre 3.4 kB view raw
  1{ config, lib, pkgs, ... }:
  2
  3let
  4  inherit (lib) mkEnableOption mkIf mkOption optionalString types;
  5
  6  cfg = config.services.bird2;
  7  caps = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" ];
  8in
  9{
 10  ###### interface
 11  options = {
 12    services.bird2 = {
 13      enable = mkEnableOption "BIRD Internet Routing Daemon";
 14      config = mkOption {
 15        type = types.lines;
 16        description = ''
 17          BIRD Internet Routing Daemon configuration file.
 18          <http://bird.network.cz/>
 19        '';
 20      };
 21      autoReload = mkOption {
 22        type = types.bool;
 23        default = true;
 24        description = ''
 25          Whether bird2 should be automatically reloaded when the configuration changes.
 26        '';
 27      };
 28      checkConfig = mkOption {
 29        type = types.bool;
 30        default = true;
 31        description = ''
 32          Whether the config should be checked at build time.
 33          When the config can't be checked during build time, for example when it includes
 34          other files, either disable this option or use `preCheckConfig` to create
 35          the included files before checking.
 36        '';
 37      };
 38      preCheckConfig = mkOption {
 39        type = types.lines;
 40        default = "";
 41        example = ''
 42          echo "cost 100;" > include.conf
 43        '';
 44        description = ''
 45          Commands to execute before the config file check. The file to be checked will be
 46          available as `bird2.conf` in the current directory.
 47
 48          Files created with this option will not be available at service runtime, only during
 49          build time checking.
 50        '';
 51      };
 52    };
 53  };
 54
 55
 56  imports = [
 57    (lib.mkRemovedOptionModule [ "services" "bird" ] "Use services.bird2 instead")
 58    (lib.mkRemovedOptionModule [ "services" "bird6" ] "Use services.bird2 instead")
 59  ];
 60
 61  ###### implementation
 62  config = mkIf cfg.enable {
 63    environment.systemPackages = [ pkgs.bird ];
 64
 65    environment.etc."bird/bird2.conf".source = pkgs.writeTextFile {
 66      name = "bird2";
 67      text = cfg.config;
 68      checkPhase = optionalString cfg.checkConfig ''
 69        ln -s $out bird2.conf
 70        ${cfg.preCheckConfig}
 71        ${pkgs.buildPackages.bird}/bin/bird -d -p -c bird2.conf
 72      '';
 73    };
 74
 75    systemd.services.bird2 = {
 76      description = "BIRD Internet Routing Daemon";
 77      wantedBy = [ "multi-user.target" ];
 78      reloadTriggers = lib.optional cfg.autoReload config.environment.etc."bird/bird2.conf".source;
 79      serviceConfig = {
 80        Type = "forking";
 81        Restart = "on-failure";
 82        User = "bird2";
 83        Group = "bird2";
 84        ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf";
 85        ExecReload = "${pkgs.bird}/bin/birdc configure";
 86        ExecStop = "${pkgs.bird}/bin/birdc down";
 87        RuntimeDirectory = "bird";
 88        CapabilityBoundingSet = caps;
 89        AmbientCapabilities = caps;
 90        ProtectSystem = "full";
 91        ProtectHome = "yes";
 92        ProtectKernelTunables = true;
 93        ProtectControlGroups = true;
 94        PrivateTmp = true;
 95        PrivateDevices = true;
 96        SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
 97        MemoryDenyWriteExecute = "yes";
 98      };
 99    };
100    users = {
101      users.bird2 = {
102        description = "BIRD Internet Routing Daemon user";
103        group = "bird2";
104        isSystemUser = true;
105      };
106      groups.bird2 = { };
107    };
108  };
109}