| blob | b6cf300d3bfb6f354576809e2eb89e7a0a38c5cc |
1 {
2 config,
3 lib,
4 pkgs,
5 ...
6 }:
8 let
9 cfg = config.services.journald.gateway;
11 cliArgs = lib.cli.toGNUCommandLineShell { } {
12 # If either of these are null / false, they are not passed in the command-line
13 inherit (cfg)
14 cert
15 key
16 trust
17 system
18 user
19 merge
20 ;
21 };
22 in
23 {
24 meta.maintainers = [ lib.maintainers.raitobezarius ];
25 options.services.journald.gateway = {
26 enable = lib.mkEnableOption "the HTTP gateway to the journal";
28 port = lib.mkOption {
29 default = 19531;
30 type = lib.types.port;
31 description = ''
32 The port to listen to.
33 '';
34 };
36 cert = lib.mkOption {
37 default = null;
38 type = with lib.types; nullOr str;
39 description = ''
40 The path to a file or `AF_UNIX` stream socket to read the server
41 certificate from.
43 The certificate must be in PEM format. This option switches
44 `systemd-journal-gatewayd` into HTTPS mode and must be used together
45 with {option}`services.journald.gateway.key`.
46 '';
47 };
49 key = lib.mkOption {
50 default = null;
51 type = with lib.types; nullOr str;
52 description = ''
53 Specify the path to a file or `AF_UNIX` stream socket to read the
54 secret server key corresponding to the certificate specified with
55 {option}`services.journald.gateway.cert` from.
57 The key must be in PEM format.
59 This key should not be world-readable, and must be readably by the
60 `systemd-journal-gateway` user.
61 '';
62 };
64 trust = lib.mkOption {
65 default = null;
66 type = with lib.types; nullOr str;
67 description = ''
68 Specify the path to a file or `AF_UNIX` stream socket to read a CA
69 certificate from.
71 The certificate must be in PEM format.
73 Setting this option enforces client certificate checking.
74 '';
75 };
77 system = lib.mkOption {
78 default = true;
79 type = lib.types.bool;
80 description = ''
81 Serve entries from system services and the kernel.
83 This has the same meaning as `--system` for {manpage}`journalctl(1)`.
84 '';
85 };
87 user = lib.mkOption {
88 default = true;
89 type = lib.types.bool;
90 description = ''
91 Serve entries from services for the current user.
93 This has the same meaning as `--user` for {manpage}`journalctl(1)`.
94 '';
95 };
97 merge = lib.mkOption {
98 default = false;
99 type = lib.types.bool;
100 description = ''
101 Serve entries interleaved from all available journals, including other
102 machines.
104 This has the same meaning as `--merge` option for
105 {manpage}`journalctl(1)`.
106 '';
107 };
108 };
110 config = lib.mkIf cfg.enable {
111 assertions = [
112 {
113 # This prevents the weird case were disabling "system" and "user"
114 # actually enables both because the cli flags are not present.
115 assertion = cfg.system || cfg.user;
116 message = ''
117 systemd-journal-gatewayd cannot serve neither "system" nor "user"
118 journals.
119 '';
120 }
121 ];
123 systemd.additionalUpstreamSystemUnits = [
124 "systemd-journal-gatewayd.socket"
125 "systemd-journal-gatewayd.service"
126 ];
128 users.users.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway;
129 users.users.systemd-journal-gateway.group = "systemd-journal-gateway";
130 users.groups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway;
132 systemd.services.systemd-journal-gatewayd.serviceConfig.ExecStart = [
133 # Clear the default command line
134 ""
135 "${pkgs.systemd}/lib/systemd/systemd-journal-gatewayd ${cliArgs}"
136 ];
138 systemd.sockets.systemd-journal-gatewayd = {
139 wantedBy = [ "sockets.target" ];
140 listenStreams = [
141 # Clear the default port
142 ""
143 (toString cfg.port)
144 ];
145 };
146 };
147 }