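{ config, lib, pkgs, ... }:

let
  cfg = config.services.journald.gateway;

  # Command-line flags for systemd-journal-gatewayd, derived from the option
  # values. toGNUCommandLineShell shell-quotes each value, so paths containing
  # spaces or shell metacharacters reach the daemon intact.
  cliArgs = lib.cli.toGNUCommandLineShell { } {
    # If either of these are null / false, they are not passed in the command-line
    inherit (cfg) cert key trust system user merge;
  };
in
{
  meta.maintainers = [ lib.maintainers.raitobezarius ];
  options.services.journald.gateway = {
    enable = lib.mkEnableOption "the HTTP gateway to the journal";

    port = lib.mkOption {
      default = 19531;
      type = lib.types.port;
      description = ''
        The port to listen to.
      '';
    };

    # cert, key and trust are typed as `str` rather than `path` on purpose:
    # a path literal is rejected at evaluation time instead of possibly being
    # copied into the world-readable Nix store, which is exactly what must not
    # happen to the server key.
    cert = lib.mkOption {
      default = null;
      type = with lib.types; nullOr str;
      description = ''
        The path to a file or `AF_UNIX` stream socket to read the server
        certificate from.

        The certificate must be in PEM format. This option switches
        `systemd-journal-gatewayd` into HTTPS mode and must be used together
        with {option}`services.journald.gateway.key`.
      '';
    };

    key = lib.mkOption {
      default = null;
      type = with lib.types; nullOr str;
      description = ''
        Specify the path to a file or `AF_UNIX` stream socket to read the
        secret server key corresponding to the certificate specified with
        {option}`services.journald.gateway.cert` from.

        The key must be in PEM format.

        This key should not be world-readable, and must be readable by the
        `systemd-journal-gateway` user.
      '';
    };

    trust = lib.mkOption {
      default = null;
      type = with lib.types; nullOr str;
      description = ''
        Specify the path to a file or `AF_UNIX` stream socket to read a CA
        certificate from.

        The certificate must be in PEM format.

        Setting this option enforces client certificate checking.
      '';
    };

    system = lib.mkOption {
      default = true;
      type = lib.types.bool;
      description = ''
        Serve entries from system services and the kernel.

        This has the same meaning as `--system` for {manpage}`journalctl(1)`.
      '';
    };

    user = lib.mkOption {
      default = true;
      type = lib.types.bool;
      description = ''
        Serve entries from services for the current user.

        This has the same meaning as `--user` for {manpage}`journalctl(1)`.
      '';
    };

    merge = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = ''
        Serve entries interleaved from all available journals, including other
        machines.

        This has the same meaning as `--merge` option for
        {manpage}`journalctl(1)`.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        # This prevents the weird case were disabling "system" and "user"
        # actually enables both because the cli flags are not present.
        assertion = cfg.system || cfg.user;
        message = ''
          systemd-journal-gatewayd cannot serve neither "system" nor "user"
          journals.
        '';
      }
      {
        # HTTPS mode needs both the certificate and its key (see the `cert`
        # option description); catch a half-configured pair at evaluation
        # time rather than letting the service fail at start-up.
        assertion = (cfg.cert == null) == (cfg.key == null);
        message = ''
          services.journald.gateway.cert and services.journald.gateway.key
          must be set together.
        '';
      }
    ];

    # Pull the upstream unit files in; the settings below only override parts
    # of them.
    systemd.additionalUpstreamSystemUnits = [
      "systemd-journal-gatewayd.socket"
      "systemd-journal-gatewayd.service"
    ];

    # Dedicated unprivileged account the upstream service unit runs as.
    users.users.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway;
    users.users.systemd-journal-gateway.group = "systemd-journal-gateway";
    users.groups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway;

    systemd.services.systemd-journal-gatewayd.serviceConfig.ExecStart = [
      # Clear the default command line (an empty assignment resets the list)
      ""
      "${pkgs.systemd}/lib/systemd/systemd-journal-gatewayd ${cliArgs}"
    ];

    systemd.sockets.systemd-journal-gatewayd = {
      wantedBy = [ "sockets.target" ];
      listenStreams = [
        # Clear the default port
        ""
        # A bare port number makes systemd bind on all interfaces, so the
        # journal is reachable from the network as plain HTTP unless
        # cert/key/trust are set or the port is filtered by the firewall.
        (toString cfg.port)
      ];
    };
  };
}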