| blob | c2437e7aadf8985365f2ed587e8cceef14457aef |
1 {
2 config,
3 lib,
4 pkgs,
5 ...
6 }:
8 let
9 cfg = config.services.journald.upload;
10 format = pkgs.formats.systemd;
11 in
12 {
13 meta.maintainers = [ lib.maintainers.raitobezarius ];
14 options.services.journald.upload = {
15 enable = lib.mkEnableOption "uploading the systemd journal to a remote server";
17 settings = lib.mkOption {
18 default = { };
20 description = ''
21 Configuration for journal-upload. See {manpage}`journal-upload.conf(5)`
22 for available options.
23 '';
25 type = lib.types.submodule {
26 freeformType = format.type;
28 options.Upload = {
29 URL = lib.mkOption {
30 type = lib.types.str;
31 example = "https://192.168.1.1";
32 description = ''
33 The URL to upload the journal entries to.
35 See the description of `--url=` option in
36 {manpage}`systemd-journal-upload(8)` for the description of
37 possible values.
38 '';
39 };
41 ServerKeyFile = lib.mkOption {
42 type = with lib.types; nullOr str;
43 example = lib.literalExpression "./server-key.pem";
44 # Since systemd-journal-upload uses a DynamicUser, permissions must
45 # be done using groups
46 description = ''
47 SSL key in PEM format.
49 In contrary to what the name suggests, this option configures the
50 client private key sent to the remote journal server.
52 This key should not be world-readable, and must be readably by
53 the `systemd-journal` group.
54 '';
55 default = null;
56 };
58 ServerCertificateFile = lib.mkOption {
59 type = with lib.types; nullOr str;
60 example = lib.literalExpression "./server-ca.pem";
61 description = ''
62 SSL CA certificate in PEM format.
64 In contrary to what the name suggests, this option configures the
65 client certificate sent to the remote journal server.
66 '';
67 default = null;
68 };
70 TrustedCertificateFile = lib.mkOption {
71 type = with lib.types; nullOr str;
72 example = lib.literalExpression "./ca";
73 description = ''
74 SSL CA certificate.
76 This certificate will be used to check the remote journal HTTPS
77 server certificate.
78 '';
79 default = null;
80 };
82 NetworkTimeoutSec = lib.mkOption {
83 type = with lib.types; nullOr str;
84 example = "1s";
85 description = ''
86 When network connectivity to the server is lost, this option
87 configures the time to wait for the connectivity to get restored.
89 If the server is not reachable over the network for the
90 configured time, `systemd-journal-upload` exits. Takes a value in
91 seconds (or in other time units if suffixed with "ms", "min",
92 "h", etc). For details, see {manpage}`systemd.time(5)`.
93 '';
94 default = null;
95 };
96 };
97 };
98 };
99 };
101 config = lib.mkIf cfg.enable {
102 systemd.additionalUpstreamSystemUnits = [ "systemd-journal-upload.service" ];
104 systemd.services."systemd-journal-upload" = {
105 wantedBy = [ "multi-user.target" ];
106 serviceConfig = {
107 Restart = "always";
108 # To prevent flooding the server in case the server is struggling
109 RestartSec = "3sec";
110 };
111 };
113 environment.etc."systemd/journal-upload.conf".source =
114 format.generate "journal-upload.conf" cfg.settings;
115 };
116 }