| blob | 07df2ee624443560c3f247581716aa97cb02a201 |
1 {
2 config,
3 lib,
4 pkgs,
5 ...
6 }:
7 let
8 cfg = config.services.birdwatcher;
9 in
10 {
11 options = {
12 services.birdwatcher = {
13 package = lib.mkPackageOption pkgs "birdwatcher" { };
14 enable = lib.mkEnableOption "Birdwatcher";
15 flags = lib.mkOption {
16 default = [ ];
17 type = lib.types.listOf lib.types.str;
18 example = [
19 "-worker-pool-size 16"
20 "-6"
21 ];
22 description = ''
23 Flags to append to the program call
24 '';
25 };
27 settings = lib.mkOption {
28 type = lib.types.lines;
29 default = { };
30 description = ''
31 birdwatcher configuration, for configuration options see the example on [github](https://github.com/alice-lg/birdwatcher/blob/master/etc/birdwatcher/birdwatcher.conf)
32 '';
33 example = lib.literalExpression ''
34 [server]
35 allow_from = []
36 allow_uncached = false
37 modules_enabled = ["status",
38 "protocols",
39 "protocols_bgp",
40 "protocols_short",
41 "routes_protocol",
42 "routes_peer",
43 "routes_table",
44 "routes_table_filtered",
45 "routes_table_peer",
46 "routes_filtered",
47 "routes_prefixed",
48 "routes_noexport",
49 "routes_pipe_filtered_count",
50 "routes_pipe_filtered"
51 ]
53 [status]
54 reconfig_timestamp_source = "bird"
55 reconfig_timestamp_match = "# created: (.*)"
57 filter_fields = []
59 [bird]
60 listen = "0.0.0.0:29184"
61 config = "/etc/bird/bird2.conf"
62 birdc = "''${pkgs.bird}/bin/birdc"
63 ttl = 5 # time to live (in minutes) for caching of cli output
65 [parser]
66 filter_fields = []
68 [cache]
69 use_redis = false # if not using redis cache, activate housekeeping to save memory!
71 [housekeeping]
72 interval = 5
73 force_release_memory = true
74 '';
75 };
76 };
77 };
79 config =
80 let
81 flagsStr = lib.escapeShellArgs cfg.flags;
82 in
83 lib.mkIf cfg.enable {
84 environment.etc."birdwatcher/birdwatcher.conf".source = pkgs.writeTextFile {
85 name = "birdwatcher.conf";
86 text = cfg.settings;
87 };
88 systemd.services = {
89 birdwatcher = {
90 wants = [ "network.target" ];
91 after = [ "network.target" ];
92 wantedBy = [ "multi-user.target" ];
93 description = "Birdwatcher";
94 serviceConfig = {
95 Type = "simple";
96 Restart = "on-failure";
97 RestartSec = 15;
98 ExecStart = "${cfg.package}/bin/birdwatcher";
99 StateDirectoryMode = "0700";
100 UMask = "0117";
101 NoNewPrivileges = true;
102 ProtectSystem = "strict";
103 PrivateTmp = true;
104 PrivateDevices = true;
105 ProtectHostname = true;
106 ProtectClock = true;
107 ProtectKernelTunables = true;
108 ProtectKernelModules = true;
109 ProtectKernelLogs = true;
110 ProtectControlGroups = true;
111 RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
112 LockPersonality = true;
113 MemoryDenyWriteExecute = true;
114 RestrictRealtime = true;
115 RestrictSUIDSGID = true;
116 PrivateMounts = true;
117 SystemCallArchitectures = "native";
118 SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
119 BindReadOnlyPaths = [
120 "-/etc/resolv.conf"
121 "-/etc/nsswitch.conf"
122 "-/etc/ssl/certs"
123 "-/etc/static/ssl/certs"
124 "-/etc/hosts"
125 "-/etc/localtime"
126 ];
127 };
128 };
129 };
130 };
131 }