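# NixOS module for Routinator 3000, the NLnet Labs RPKI Relying Party.
#
# The module renders `services.routinator.settings` into a TOML configuration
# file and runs `routinator --config=<file> [extraArgs] server [extraServerArgs]`
# as a hardened systemd service under a transient (DynamicUser) account.
{
  config,
  lib,
  pkgs,
  utils,
  ...
}:
let
  inherit (lib)
    filterAttrsRecursive
    getExe
    maintainers
    mkEnableOption
    mkIf
    mkPackageOption
    mkOption
    types
    ;
  inherit (utils) escapeSystemdExecArgs;
  cfg = config.services.routinator;
  # Routinator reads a TOML configuration file; `settings` is serialised with
  # this generator at build time.
  settingsFormat = pkgs.formats.toml { };
in
{
  options.services.routinator = {
    enable = mkEnableOption "Routinator 3000";

    package = mkPackageOption pkgs "routinator" { };

    extraArgs = mkOption {
      description = ''
        Extra arguments passed to routinator, see <https://routinator.docs.nlnetlabs.nl/en/stable/manual-page.html#options> for options.
      '';
      type = types.listOf types.str;
      default = [ ];
      example = [ "--no-rir-tals" ];
    };

    extraServerArgs = mkOption {
      description = ''
        Extra arguments passed to the server subcommand, see <https://routinator.docs.nlnetlabs.nl/en/stable/manual-page.html#subcmd-server> for options.
      '';
      type = types.listOf types.str;
      default = [ ];
      example = [ "--rtr-client-metrics" ];
    };

    settings = mkOption {
      type = types.submodule {
        # Any key accepted by the routinator configuration file may be set;
        # the options below only add types, defaults and documentation for
        # the commonly used ones. Keys set to `null` are dropped from the
        # generated file (see `filterAttrsRecursive` below).
        freeformType = settingsFormat.type;
        options = {
          repository-dir = mkOption {
            type = types.path;
            description = ''
              The path where the collected RPKI data is stored.

              Note: the service runs with `ProtectSystem = "strict"` and only
              `/var/lib/routinator` (its `StateDirectory`) is writable, so a
              directory outside of it will not be usable without further
              systemd configuration.
            '';
            default = "/var/lib/routinator/rpki-cache";
          };
          log-level = mkOption {
            type = types.nullOr (
              types.enum [
                "error"
                "warn"
                "info"
                "debug"
              ]
            );
            description = ''
              A string value specifying the maximum log level for which log messages should be emitted.
              See, <https://routinator.docs.nlnetlabs.nl/en/stable/manual-page.html#logging>
            '';
            default = "warn";
          };
          log = mkOption {
            type = types.nullOr (
              types.enum [
                "default"
                "stderr"
                "syslog"
                "file"
              ]
            );
            description = ''
              A string specifying where to send log messages to.
              See, <https://routinator.docs.nlnetlabs.nl/en/stable/manual-page.html#term-log>
            '';
            default = "default";
          };
          log-file = mkOption {
            type = types.nullOr types.path;
            description = ''
              A string value containing the path to a file to which log messages will be appended if the log configuration value is set to file. In this case, the value is mandatory.

              The file has to be located somewhere the hardened service can
              write to, i.e. below `/var/lib/routinator`.
            '';
            default = null;
          };
          http-listen = mkOption {
            type = types.nullOr (types.listOf types.str);
            description = ''
              An array of string values each providing an address and port on which the HTTP server should listen. Address and port should be separated by a colon. IPv6 address should be enclosed in square brackets.
            '';
            default = null;
          };
          rtr-listen = mkOption {
            type = types.nullOr (types.listOf types.str);
            description = ''
              An array of string values each providing an address and port on which the RTR server should listen in TCP mode. Address and port should be separated by a colon. IPv6 address should be enclosed in square brackets.
            '';
            default = null;
          };
          refresh = mkOption {
            type = types.nullOr types.int;
            description = ''
              An integer value specifying the number of seconds Routinator should wait between consecutive validation runs in server mode. The next validation run will happen earlier, if objects expire earlier.
            '';
            default = 600;
          };
          retry = mkOption {
            type = types.nullOr types.int;
            description = ''
              An integer value specifying the number of seconds an RTR client is requested to wait after it failed to receive a data set.
            '';
            default = 600;
          };
          expire = mkOption {
            type = types.nullOr types.int;
            description = ''
              An integer value specifying the number of seconds an RTR client is requested to use a data set if it cannot get an update before throwing it away and continuing with no data at all.
            '';
            default = 7200;
          };
        };
      };
      description = ''
        Configuration for Routinator 3000, see <https://routinator.docs.nlnetlabs.nl/en/stable/manual-page.html#configuration-file> for options.
      '';
      default = { };
    };
  };

  config = mkIf cfg.enable {
    # `log-file` is documented as mandatory for `log = "file"`; fail at
    # evaluation time instead of letting the service crash-loop at start-up.
    assertions = [
      {
        assertion = cfg.settings.log != "file" || cfg.settings.log-file != null;
        message = "services.routinator.settings.log-file must be set when services.routinator.settings.log is \"file\".";
      }
    ];

    systemd.services.routinator = {
      description = "Routinator 3000 is free, open-source RPKI Relying Party software made by NLnet Labs.";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # rsync has to be on PATH for rsync-based repository fetching.
      path = with pkgs; [ rsync ];
      serviceConfig = {
        Type = "exec";
        # Global options go before the `server` subcommand, server-specific
        # ones after it. `null` settings are removed so the TOML generator
        # never sees them.
        ExecStart = escapeSystemdExecArgs (
          [
            (getExe cfg.package)
            "--config=${
              settingsFormat.generate "routinator.conf" (filterAttrsRecursive (n: v: v != null) cfg.settings)
            }"
          ]
          ++ cfg.extraArgs
          ++ [
            "server"
          ]
          ++ cfg.extraServerArgs
        );
        Restart = "on-failure";

        # Sandboxing: no capabilities, a transient unprivileged user and a
        # read-only view of the system except for the state directory.
        CapabilityBoundingSet = [ "" ];
        DynamicUser = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        # IPv4/IPv6 for fetching and serving; AF_UNIX so that logging to the
        # journal/syslog keeps working.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        # Creates /var/lib/routinator, the parent of the default repository-dir.
        StateDirectory = "routinator";
        SystemCallArchitectures = "native";
        # Filtered syscalls fail with EPERM rather than killing the process.
        SystemCallErrorNumber = "EPERM";
        SystemCallFilter = "@system-service";
        # Files are created without world access.
        UMask = "0027";
      };
    };
  };

  meta.maintainers = with maintainers; [ xgwq ];
}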