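{
  config,
  lib,
  pkgs,
  ...
}:

# NixOS module for systemd-journal-gatewayd, the HTTP(S) front end to the
# journal. The gateway answers any client that can reach its socket; only
# `trust` (client certificate checking) adds authentication, while `cert`/`key`
# add transport encryption. Keep that in mind before exposing the port.
let
  cfg = config.services.journald.gateway;

  # Render the option values as GNU-style `--flag value` arguments.
  # Values that are null / false are not emitted at all, so gatewayd falls back
  # to its built-in defaults for them (see the `system`/`user` assertion below).
  cliArgs = lib.cli.toGNUCommandLineShell { } {
    inherit (cfg)
      cert
      key
      trust
      system
      user
      merge
      ;
  };
in
{
  meta.maintainers = [ lib.maintainers.raitobezarius ];

  options.services.journald.gateway = {
    enable = lib.mkEnableOption "the HTTP gateway to the journal";

    port = lib.mkOption {
      default = 19531;
      type = lib.types.port;
      description = ''
        The port to listen to.
      '';
    };

    cert = lib.mkOption {
      default = null;
      type = with lib.types; nullOr str;
      description = ''
        The path to a file or `AF_UNIX` stream socket to read the server
        certificate from.

        The certificate must be in PEM format. This option switches
        `systemd-journal-gatewayd` into HTTPS mode and must be used together
        with {option}`services.journald.gateway.key`.
      '';
    };

    key = lib.mkOption {
      default = null;
      type = with lib.types; nullOr str;
      description = ''
        Specify the path to a file or `AF_UNIX` stream socket to read the
        secret server key corresponding to the certificate specified with
        {option}`services.journald.gateway.cert` from.

        The key must be in PEM format.

        This key should not be world-readable, and must be readable by the
        `systemd-journal-gateway` user.
      '';
    };

    trust = lib.mkOption {
      default = null;
      type = with lib.types; nullOr str;
      description = ''
        Specify the path to a file or `AF_UNIX` stream socket to read a CA
        certificate from.

        The certificate must be in PEM format.

        Setting this option enforces client certificate checking.
      '';
      # NOTE(review): client certificate checking only applies to TLS
      # connections, so this is expected to be set together with `cert`/`key`
      # — confirm against systemd-journal-gatewayd(8) before relying on it.
    };

    system = lib.mkOption {
      default = true;
      type = lib.types.bool;
      description = ''
        Serve entries from system services and the kernel.

        This has the same meaning as `--system` for {manpage}`journalctl(1)`.
      '';
    };

    user = lib.mkOption {
      default = true;
      type = lib.types.bool;
      description = ''
        Serve entries from services for the current user.

        This has the same meaning as `--user` for {manpage}`journalctl(1)`.
      '';
    };

    merge = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = ''
        Serve entries interleaved from all available journals, including other
        machines.

        This has the same meaning as `--merge` option for
        {manpage}`journalctl(1)`.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        # This prevents the weird case where disabling "system" and "user"
        # actually enables both, because neither cli flag is then present
        # (false values are dropped by toGNUCommandLineShell above).
        assertion = cfg.system || cfg.user;
        message = ''
          systemd-journal-gatewayd must serve at least one of the "system" or
          "user" journals.
        '';
      }
      {
        # `cert` and `key` are documented as a pair (HTTPS mode needs both).
        # Catch a half-configured TLS setup at evaluation time instead of
        # letting the unit fail at start-up.
        assertion = (cfg.cert == null) == (cfg.key == null);
        message = ''
          services.journald.gateway.cert and services.journald.gateway.key
          must be set together.
        '';
      }
    ];

    # Pull in the upstream socket and service units; only the bits below are
    # overridden, everything else (including the service user) comes from them.
    systemd.additionalUpstreamSystemUnits = [
      "systemd-journal-gatewayd.socket"
      "systemd-journal-gatewayd.service"
    ];

    # Static uid/gid for the account the gateway runs under; the private key
    # (if any) must be readable by this user and ideally by nobody else.
    users.users.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway;
    users.users.systemd-journal-gateway.group = "systemd-journal-gateway";
    users.groups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway;

    systemd.services.systemd-journal-gatewayd.serviceConfig.ExecStart = [
      # Clear the default command line
      ""
      "${pkgs.systemd}/lib/systemd/systemd-journal-gatewayd ${cliArgs}"
    ];

    systemd.sockets.systemd-journal-gatewayd = {
      wantedBy = [ "sockets.target" ];
      listenStreams = [
        # Clear the default port
        ""
        # A bare port number is bound on the wildcard address, i.e. the gateway
        # is reachable on every interface. Restrict it at the firewall and/or
        # set `trust` if the host is reachable from untrusted networks.
        (toString cfg.port)
      ];
    };
  };
}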