authorsuperherointj <5861043+superherointj@users.noreply.github.com>2024-01-06 22:06:17 -0300
committersuperherointj <5861043+superherointj@users.noreply.github.com>2024-01-26 16:40:11 -0300
commit29d18e8f6f78ff5782c097d019d082a978d90160 (patch)
tree556fff2530b64aa6a2ab4a01d05f78f513a3acd4 /nixos/modules/services/misc/etcd.nix
parent1aa4e31045559f9edf650503363fd5390e1066be (diff)
nixos/etcd: fixes etcd failing to start at boot and add openFirewall option
Fixes etcd failing to start at boot because the network and firewall are not yet ready, and etcd peers being unavailable for the same network/firewall reason

* configure etcd systemd unit to:

  - delay etcd start-up until network and firewall are ready
  - restart on failure and be always on

* add openFirewall option

  The official etcd ports are 2379 for client requests and 2380 for peer communication:
  https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
  https://etcd.io/docs/v3.4/op-guide/configuration/
Diffstat (limited to 'nixos/modules/services/misc/etcd.nix')
-rw-r--r--nixos/modules/services/misc/etcd.nix25
1 files changed, 24 insertions, 1 deletions
diff --git a/nixos/modules/services/misc/etcd.nix b/nixos/modules/services/misc/etcd.nix
index ee6a56db31d3..a5b3abdbcb59 100644
--- a/nixos/modules/services/misc/etcd.nix
+++ b/nixos/modules/services/misc/etcd.nix
@@ -99,6 +99,17 @@ in {
       type = types.nullOr types.path;
     };
 
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Open etcd ports in the firewall.
+        Ports opened:
+        - 2379/tcp for client requests
+        - 2380/tcp for peer communication
+      '';
+    };
+
     peerCertFile = mkOption {
       description = lib.mdDoc "Cert file to use for peer to peer communication";
       default = cfg.certFile;
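Review bot: The new option's description lists 2379/2380 but does not say that these ports are fixed and opened on every interface, independent of whatever client and peer listen URLs the module is configured with (those options are outside this hunk, so I am inferring they exist from the rest of the module); a user who runs etcd on other ports will enable `openFirewall` and get nothing useful opened. The same fixed values are what `networking.firewall.allowedTCPPorts` receives in the last hunk of this commit. I would state it in the description: `Open the default etcd ports on all interfaces: 2379/tcp (client requests) and 2380/tcp (peer communication). If the listen URLs use other ports, open those manually instead.`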
@@ -160,7 +171,10 @@ in {
     systemd.services.etcd = {
       description = "etcd key-value store";
       wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
+      after = [ "network-online.target" ]
+        ++ lib.optional config.networking.firewall.enable "firewall.service";
+      wants = [ "network-online.target" ]
+        ++ lib.optional config.networking.firewall.enable "firewall.service";
 
       environment = (filterAttrs (n: v: v != null) {
         ETCD_NAME = cfg.name;
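Review bot: Ordering `after = [ "network-online.target" ]` only delays startup when the networking backend in use has a wait-online service that actually holds the target back; otherwise the target is reached at once and the boot-time fix this commit describes does not apply, which is worth a comment next to the `after` line so the assumption is visible. The `wants` on `firewall.service` is guarded by `config.networking.firewall.enable`, so it should never pull in a firewall the user disabled; if that guard is the intent, a one-line comment would save the next reader from checking. Suggested comment above `after`: `# Wait for network-online.target (effective only with a wait-online service) and, when enabled, the firewall, so peers are reachable before etcd starts.`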
@@ -190,6 +204,8 @@ in {
 
       serviceConfig = {
         Type = "notify";
+        Restart = "always";
+        RestartSec = "30s";
         ExecStart = "${cfg.package}/bin/etcd";
         User = "etcd";
         LimitNOFILE = 40000;
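Review bot: `Restart = "always"` with `RestartSec = "30s"` means a unit that exits for a permanent reason (etcd presumably exits on its own for some conditions, such as an unusable data directory — to be confirmed) will be restarted every 30 s indefinitely instead of reaching a failed state, and the 30 s spacing is also what keeps it under systemd's default start-rate limit. That trade-off is deliberate per the commit message but invisible in the unit, so operators watching `systemctl status` will not see a failure. I would document it inline: `# Peers may come up in any order: keep retrying rather than fail. 30s spacing stays under the default start-rate limit, so restarts are unbounded.`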
@@ -198,6 +214,13 @@ in {
 
     environment.systemPackages = [ cfg.package ];
 
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      allowedTCPPorts = [
+        2379 # for client requests
+        2380 # for peer communication
+      ];
+    };
+
     users.users.etcd = {
       isSystemUser = true;
       group = "etcd";
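Review bot: The firewall rule opens both ports on all interfaces, which exposes the peer port to every network the host is on; for a cluster that talks over one interface, `networking.firewall.interfaces.<name>.allowedTCPPorts` would be the narrower rule, and if that is left to the user the option description should say so. As a style point, this block uses `lib.mkIf` while the surrounding file calls `mkOption`, `types` and `filterAttrs` unprefixed, so `mkIf cfg.openFirewall` would match the file's convention (assuming the same `with lib;` scope applies here). The per-port comments are good; I would add one line above the list, `# Default etcd ports; not derived from the configured listen URLs.`, so the limitation is visible at the rule itself.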