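# NixOS module for systemd-journal-upload.
#
# Declares `services.journald.upload.{enable,settings}`. When enabled it
# pulls in the upstream `systemd-journal-upload.service` unit, starts it with
# multi-user.target, restarts it with a delay, and renders `settings` to
# /etc/systemd/journal-upload.conf.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.journald.upload;
  format = pkgs.formats.systemd;
in
{
  meta.maintainers = [ lib.maintainers.raitobezarius ];

  options.services.journald.upload = {
    enable = lib.mkEnableOption "uploading the systemd journal to a remote server";

    settings = lib.mkOption {
      default = { };

      description = ''
        Configuration for journal-upload. See {manpage}`journal-upload.conf(5)`
        for available options.
      '';

      type = lib.types.submodule {
        # Keys that are not declared below are still accepted and passed through.
        freeformType = format.type;

        options.Upload = {
          # No default is declared, so URL has to be set whenever the module
          # is enabled.
          URL = lib.mkOption {
            type = lib.types.str;
            example = "https://192.168.1.1";
            description = ''
              The URL to upload the journal entries to.

              See the description of `--url=` option in
              {manpage}`systemd-journal-upload(8)` for the description of
              possible values.
            '';
          };

          ServerKeyFile = lib.mkOption {
            type = with lib.types; nullOr str;
            # Constructed sample path. The previous example was the bare path
            # literal `./server-key.pem`, which is not a string (so it does
            # not satisfy this option's type) and which, once interpolated
            # into a string, copies the private key into the world-readable
            # Nix store.
            example = "/var/lib/secrets/journal-upload/client-key.pem";
            # Since systemd-journal-upload uses a DynamicUser, permissions must
            # be done using groups
            description = ''
              SSL key in PEM format.

              Contrary to what the name suggests, this option configures the
              client private key used to authenticate to the remote journal
              server.

              This key should not be world-readable, and must be readable by
              the `systemd-journal` group.

              Give the path as a string that points outside the Nix store.
              A Nix path literal or an interpolated path copies the key into
              the Nix store, which is world-readable.
            '';
            default = null;
          };

          ServerCertificateFile = lib.mkOption {
            type = with lib.types; nullOr str;
            # NOTE(review): this renders as a bare path literal, which is not
            # a string; confirm whether a quoted path is what is intended.
            example = lib.literalExpression "./server-ca.pem";
            description = ''
              SSL CA certificate in PEM format.

              Contrary to what the name suggests, this option configures the
              client certificate sent to the remote journal server.
            '';
            default = null;
          };

          TrustedCertificateFile = lib.mkOption {
            type = with lib.types; nullOr str;
            # NOTE(review): this renders as a bare path literal, which is not
            # a string; confirm whether a quoted path is what is intended.
            example = lib.literalExpression "./ca";
            description = ''
              SSL CA certificate.

              This certificate will be used to check the remote journal HTTPS
              server certificate.
            '';
            default = null;
          };

          NetworkTimeoutSec = lib.mkOption {
            type = with lib.types; nullOr str;
            example = "1s";
            description = ''
              When network connectivity to the server is lost, this option
              configures the time to wait for the connectivity to get restored.

              If the server is not reachable over the network for the
              configured time, `systemd-journal-upload` exits. Takes a value in
              seconds (or in other time units if suffixed with "ms", "min",
              "h", etc). For details, see {manpage}`systemd.time(5)`.
            '';
            default = null;
          };
        };
      };
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.additionalUpstreamSystemUnits = [ "systemd-journal-upload.service" ];

    systemd.services."systemd-journal-upload" = {
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Restart = "always";
        # To prevent flooding the server in case the server is struggling
        RestartSec = "3sec";
      };
    };

    # NOTE(review): options left at their `null` default reach the generator
    # unchanged; confirm that it omits them instead of writing a literal
    # value into the TLS file settings.
    environment.etc."systemd/journal-upload.conf".source =
      format.generate "journal-upload.conf" cfg.settings;
  };
}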