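{pkgs, config, lib, ...}:

# NixOS module for the Hologram server, which hands out AWS instance
# credentials to machines outside EC2 after authenticating users against LDAP.

with lib;

let
  cfg = config.services.hologram-server;

  # Render the server configuration as JSON for `hologram-server --conf`.
  # NOTE(security): pkgs.writeText stores the file in /nix/store, which is
  # world-readable, so cfg.ldapBindPassword becomes readable by every local
  # user of the machine.  When the bind account is privileged, prefer a
  # configuration file managed outside the store with root-only permissions.
  cfgFile = pkgs.writeText "hologram-server.json" (builtins.toJSON {
    ldap = {
      host = cfg.ldapHost;
      bind = {
        dn = cfg.ldapBindDN;
        password = cfg.ldapBindPassword;
      };
      insecureldap = cfg.ldapInsecure;
      userattr = cfg.ldapUserAttr;
      baseDN = cfg.ldapBaseDN;
    };
    aws = {
      account = cfg.awsAccount;
      defaultrole = cfg.awsDefaultRole;
    };
    stats = cfg.statsAddress;
    listen = cfg.listenAddress;
  });
in {
  options = {
    services.hologram-server = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable the Hologram server for AWS instance credentials";
      };

      # Previously --debug was passed unconditionally; the default of true
      # keeps that behaviour while letting deployments turn verbose logging off.
      debug = mkOption {
        type = types.bool;
        default = true;
        description = "Whether to start hologram-server with --debug (verbose logging)";
      };

      # Binds on all interfaces by default; restrict with a firewall rule or
      # set a specific address if the service should not be reachable widely.
      listenAddress = mkOption {
        type = types.str;
        default = "0.0.0.0:3100";
        description = "Address and port to listen on";
      };

      ldapHost = mkOption {
        type = types.str;
        description = "Address of the LDAP server to use";
      };

      # Maps to the "insecureldap" key of the JSON config: true disables SSL.
      ldapInsecure = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to connect to the LDAP server without SSL (insecure); false connects over SSL";
      };

      ldapUserAttr = mkOption {
        type = types.str;
        default = "cn";
        description = "The LDAP attribute for usernames";
      };

      ldapBaseDN = mkOption {
        type = types.str;
        description = "The base DN for your Hologram users";
      };

      ldapBindDN = mkOption {
        type = types.str;
        description = "DN of account to use to query the LDAP server";
      };

      ldapBindPassword = mkOption {
        type = types.str;
        description = "Password of account to use to query the LDAP server. Note: this value is written to the world-readable Nix store.";
      };

      awsAccount = mkOption {
        type = types.str;
        description = "AWS account number";
      };

      awsDefaultRole = mkOption {
        type = types.str;
        description = "AWS default role";
      };

      # An empty string leaves the "stats" key empty in the generated config.
      statsAddress = mkOption {
        type = types.str;
        default = "";
        description = "Address of statsd server";
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.hologram-server = {
      description = "Provide EC2 instance credentials to machines outside of EC2";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        # --debug is only emitted when cfg.debug is set (default true).
        ExecStart = "${pkgs.hologram}/bin/hologram-server ${optionalString cfg.debug "--debug "}--conf ${cfgFile}";
      };
    };
  };
}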