pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / networking / birdwatcher.nix
at 25.11-pre 4.1 kB view raw
1{ 2 config, 3 lib, 4 pkgs, 5 ... 6}: 7let 8 cfg = config.services.birdwatcher; 9in 10{ 11 options = { 12 services.birdwatcher = { 13 package = lib.mkPackageOption pkgs "birdwatcher" { }; 14 enable = lib.mkEnableOption "Birdwatcher"; 15 flags = lib.mkOption { 16 default = [ ]; 17 type = lib.types.listOf lib.types.str; 18 example = [ 19 "-worker-pool-size 16" 20 "-6" 21 ]; 22 description = '' 23 Flags to append to the program call 24 ''; 25 }; 26 27 settings = lib.mkOption { 28 type = lib.types.lines; 29 default = { }; 30 description = '' 31 birdwatcher configuration, for configuration options see the example on [github](https://github.com/alice-lg/birdwatcher/blob/master/etc/birdwatcher/birdwatcher.conf) 32 ''; 33 example = lib.literalExpression '' 34 [server] 35 allow_from = [] 36 allow_uncached = false 37 modules_enabled = ["status", 38 "protocols", 39 "protocols_bgp", 40 "protocols_short", 41 "routes_protocol", 42 "routes_peer", 43 "routes_table", 44 "routes_table_filtered", 45 "routes_table_peer", 46 "routes_filtered", 47 "routes_prefixed", 48 "routes_noexport", 49 "routes_pipe_filtered_count", 50 "routes_pipe_filtered" 51 ] 52 53 [status] 54 reconfig_timestamp_source = "bird" 55 reconfig_timestamp_match = "# created: (.*)" 56 57 filter_fields = [] 58 59 [bird] 60 listen = "0.0.0.0:29184" 61 config = "/etc/bird/bird.conf" 62 birdc = "''${pkgs.bird2}/bin/birdc" 63 ttl = 5 # time to live (in minutes) for caching of cli output 64 65 [parser] 66 filter_fields = [] 67 68 [cache] 69 use_redis = false # if not using redis cache, activate housekeeping to save memory! 70 71 [housekeeping] 72 interval = 5 73 force_release_memory = true 74 ''; 75 }; 76 }; 77 }; 78 79 config = 80 let 81 flagsStr = lib.escapeShellArgs cfg.flags; 82 in 83 lib.mkIf cfg.enable { 84 environment.etc."birdwatcher/birdwatcher.conf".source = pkgs.writeTextFile { 85 name = "birdwatcher.conf"; 86 text = cfg.settings; 87 }; 88 systemd.services = { 89 birdwatcher = { 90 wants = [ "network.target" ]; 91 after = [ "network.target" ]; 92 wantedBy = [ "multi-user.target" ]; 93 description = "Birdwatcher"; 94 serviceConfig = { 95 Type = "simple"; 96 Restart = "on-failure"; 97 RestartSec = 15; 98 ExecStart = "${cfg.package}/bin/birdwatcher"; 99 StateDirectoryMode = "0700"; 100 UMask = "0117"; 101 NoNewPrivileges = true; 102 ProtectSystem = "strict"; 103 PrivateTmp = true; 104 PrivateDevices = true; 105 ProtectHostname = true; 106 ProtectClock = true; 107 ProtectKernelTunables = true; 108 ProtectKernelModules = true; 109 ProtectKernelLogs = true; 110 ProtectControlGroups = true; 111 RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]; 112 LockPersonality = true; 113 MemoryDenyWriteExecute = true; 114 RestrictRealtime = true; 115 RestrictSUIDSGID = true; 116 PrivateMounts = true; 117 SystemCallArchitectures = "native"; 118 SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap"; 119 BindReadOnlyPaths = [ 120 "-/etc/resolv.conf" 121 "-/etc/nsswitch.conf" 122 "-/etc/ssl/certs" 123 "-/etc/static/ssl/certs" 124 "-/etc/hosts" 125 "-/etc/localtime" 126 ]; 127 }; 128 }; 129 }; 130 }; 131}