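{ config, lib, pkgs, ... }:

with lib;

# NixOS module for the birdwatcher BIRD API daemon: renders the free-text
# configuration into /etc/birdwatcher/birdwatcher.conf and runs the binary as
# a hardened systemd service.
let
  cfg = config.services.birdwatcher;
in
{
  options = {
    services.birdwatcher = {
      package = mkPackageOption pkgs "birdwatcher" { };
      enable = mkEnableOption "Birdwatcher";
      flags = mkOption {
        default = [ ];
        type = types.listOf types.str;
        # Each list element is shell-escaped into exactly one argv entry, so a
        # flag and its value must be separate elements.
        example = [ "-worker-pool-size" "16" "-6" ];
        description = ''
          Flags to append to the program call
        '';
      };

      settings = mkOption {
        type = types.lines;
        # Must be a string: the value is passed verbatim to writeTextFile, and
        # an attrset here cannot be coerced to text.
        default = "";
        description = ''
          birdwatcher configuration, for configuration options see the example on [github](https://github.com/alice-lg/birdwatcher/blob/master/etc/birdwatcher/birdwatcher.conf)
        '';
        example = literalExpression ''
          [server]
          allow_from = []
          allow_uncached = false
          modules_enabled = ["status",
                             "protocols",
                             "protocols_bgp",
                             "protocols_short",
                             "routes_protocol",
                             "routes_peer",
                             "routes_table",
                             "routes_table_filtered",
                             "routes_table_peer",
                             "routes_filtered",
                             "routes_prefixed",
                             "routes_noexport",
                             "routes_pipe_filtered_count",
                             "routes_pipe_filtered"
                            ]

          [status]
          reconfig_timestamp_source = "bird"
          reconfig_timestamp_match = "# created: (.*)"

          filter_fields = []

          [bird]
          listen = "0.0.0.0:29184" # binds on all interfaces; see allow_from above
          config = "/etc/bird/bird2.conf"
          birdc = "''${pkgs.bird}/bin/birdc"
          ttl = 5 # time to live (in minutes) for caching of cli output

          [parser]
          filter_fields = []

          [cache]
          use_redis = false # if not using redis cache, activate housekeeping to save memory!

          [housekeeping]
          interval = 5
          force_release_memory = true
        '';
      };
    };
  };

  config =
    let
      # Escaped once here and appended to ExecStart below; previously this
      # binding was computed but never used, so `flags` had no effect.
      flagsStr = escapeShellArgs cfg.flags;
    in
    mkIf cfg.enable {
      # The option is free text, so nothing is validated before it is written.
      environment.etc."birdwatcher/birdwatcher.conf".source = pkgs.writeTextFile {
        name = "birdwatcher.conf";
        text = cfg.settings;
      };

      systemd.services.birdwatcher = {
        wants = [ "network.target" ];
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
        description = "Birdwatcher";
        serviceConfig = {
          Type = "simple";
          Restart = "on-failure";
          RestartSec = 15;
          ExecStart = "${cfg.package}/bin/birdwatcher ${flagsStr}";
          # NOTE(review): no User=/DynamicUser= is set, so the daemon runs as
          # root despite the sandboxing below; confirm whether a dedicated
          # account with access to bird's control socket would suffice.
          # StateDirectoryMode has no effect unless StateDirectory= is also
          # set — presumably left for a future state directory; verify.
          StateDirectoryMode = "0700";
          UMask = "0117";
          NoNewPrivileges = true;
          ProtectSystem = "strict";
          PrivateTmp = true;
          PrivateDevices = true;
          ProtectHostname = true;
          ProtectClock = true;
          ProtectKernelTunables = true;
          ProtectKernelModules = true;
          ProtectKernelLogs = true;
          ProtectControlGroups = true;
          # One family per element; systemd merges repeated assignments.
          RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          PrivateMounts = true;
          SystemCallArchitectures = "native";
          # Leading "~" turns the list into a deny list of these syscall groups.
          SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
          # "-" prefix: skip paths that do not exist on the host instead of
          # failing to start.
          BindReadOnlyPaths = [
            "-/etc/resolv.conf"
            "-/etc/nsswitch.conf"
            "-/etc/ssl/certs"
            "-/etc/static/ssl/certs"
            "-/etc/hosts"
            "-/etc/localtime"
          ];
        };
      };
    };
}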