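{ config, lib, pkgs, ... }:
# NixOS module for birdwatcher, the HTTP API that sits in front of the BIRD
# routing daemon. It writes the configuration to /etc/birdwatcher/birdwatcher.conf
# and runs the daemon as a hardened systemd service.
let
  cfg = config.services.birdwatcher;
in
{
  options = {
    services.birdwatcher = {
      package = lib.mkPackageOption pkgs "birdwatcher" { };
      enable = lib.mkEnableOption "Birdwatcher";
      flags = lib.mkOption {
        default = [ ];
        type = lib.types.listOf lib.types.str;
        # Every element is passed through escapeShellArgs and so becomes exactly
        # one argument; a flag and its value therefore have to be separate elements.
        example = [ "-worker-pool-size" "16" "-6" ];
        description = ''
          Flags to append to the program call. Each list element is passed as a
          single argument, so give a flag and its value as separate elements.
        '';
      };
      settings = lib.mkOption {
        type = lib.types.lines;
        # `types.lines` is a string type; an attrset default does not satisfy it,
        # so the default is the empty configuration file.
        default = "";
        description = ''
          birdwatcher configuration, for configuration options see the example on [github](https://github.com/alice-lg/birdwatcher/blob/master/etc/birdwatcher/birdwatcher.conf)
        '';
        example = lib.literalExpression ''
          [server]
          allow_from = []
          allow_uncached = false
          modules_enabled = ["status",
                             "protocols",
                             "protocols_bgp",
                             "protocols_short",
                             "routes_protocol",
                             "routes_peer",
                             "routes_table",
                             "routes_table_filtered",
                             "routes_table_peer",
                             "routes_filtered",
                             "routes_prefixed",
                             "routes_noexport",
                             "routes_pipe_filtered_count",
                             "routes_pipe_filtered"
                            ]

          [status]
          reconfig_timestamp_source = "bird"
          reconfig_timestamp_match = "# created: (.*)"

          filter_fields = []

          [bird]
          listen = "0.0.0.0:29184"
          config = "/etc/bird/bird2.conf"
          birdc  = "''${pkgs.bird}/bin/birdc"
          ttl = 5 # time to live (in minutes) for caching of cli output

          [parser]
          filter_fields = []

          [cache]
          use_redis = false # if not using redis cache, activate housekeeping to save memory!

          [housekeeping]
          interval = 5
          force_release_memory = true
        '';
      };
    };
  };

  config =
    let
      # Quoted once here so ExecStart receives one argv entry per list element.
      flagsStr = lib.escapeShellArgs cfg.flags;
    in
    lib.mkIf cfg.enable {
      # The settings string is written verbatim; no validation happens at eval time.
      environment.etc."birdwatcher/birdwatcher.conf".source = pkgs.writeTextFile {
        name = "birdwatcher.conf";
        text = cfg.settings;
      };
      systemd.services = {
        birdwatcher = {
          wants = [ "network.target" ];
          after = [ "network.target" ];
          wantedBy = [ "multi-user.target" ];
          description = "Birdwatcher";
          serviceConfig = {
            Type = "simple";
            Restart = "on-failure";
            RestartSec = 15;
            # The configured flags must actually reach the daemon; previously
            # flagsStr was computed but never used, making `flags` a no-op.
            ExecStart = "${cfg.package}/bin/birdwatcher ${flagsStr}";
            # NOTE(review): no User/DynamicUser is set, so the daemon runs as root
            # (presumably because it needs BIRD's control socket through birdc —
            # confirm before confining it further); the directives below restrict
            # what that root process can reach.
            # NOTE(review): StateDirectoryMode only applies together with
            # StateDirectory, which is not set here.
            StateDirectoryMode = "0700";
            UMask = "0117";
            NoNewPrivileges = true;
            ProtectSystem = "strict";
            ProtectHome = true;
            PrivateTmp = true;
            PrivateDevices = true;
            ProtectHostname = true;
            ProtectClock = true;
            ProtectKernelTunables = true;
            ProtectKernelModules = true;
            ProtectKernelLogs = true;
            ProtectControlGroups = true;
            # One list element per family; systemd renders these as separate values.
            RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
            RestrictNamespaces = true;
            LockPersonality = true;
            MemoryDenyWriteExecute = true;
            RestrictRealtime = true;
            RestrictSUIDSGID = true;
            PrivateMounts = true;
            SystemCallArchitectures = "native";
            # Deny-list of syscall groups the daemon has no business using.
            SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
            # Paths prefixed with "-" are ignored if absent; these cover name
            # resolution, TLS trust roots and timezone data under ProtectSystem=strict.
            BindReadOnlyPaths = [
              "-/etc/resolv.conf"
              "-/etc/nsswitch.conf"
              "-/etc/ssl/certs"
              "-/etc/static/ssl/certs"
              "-/etc/hosts"
              "-/etc/localtime"
            ];
          };
        };
      };
    };
}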