diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/networking/birdwatcher.nix')
| -rw-r--r-- | nixpkgs/nixos/modules/services/networking/birdwatcher.nix | 129 |
1 files changed, 129 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/birdwatcher.nix b/nixpkgs/nixos/modules/services/networking/birdwatcher.nix new file mode 100644 index 000000000000..a129b7a2b4cf --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/birdwatcher.nix @@ -0,0 +1,129 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.birdwatcher; +in +{ + options = { + services.birdwatcher = { + package = mkOption { + type = types.package; + default = pkgs.birdwatcher; + defaultText = literalExpression "pkgs.birdwatcher"; + description = lib.mdDoc "The Birdwatcher package to use."; + }; + enable = mkEnableOption (lib.mdDoc "Birdwatcher"); + flags = mkOption { + default = [ ]; + type = types.listOf types.str; + example = [ "-worker-pool-size 16" "-6" ]; + description = lib.mdDoc '' + Flags to append to the program call + ''; + }; + + settings = mkOption { + type = types.lines; + default = { }; + description = lib.mdDoc '' + birdwatcher configuration, for configuration options see the example on [github](https://github.com/alice-lg/birdwatcher/blob/master/etc/birdwatcher/birdwatcher.conf) + ''; + example = literalExpression '' + [server] + allow_from = [] + allow_uncached = false + modules_enabled = ["status", + "protocols", + "protocols_bgp", + "protocols_short", + "routes_protocol", + "routes_peer", + "routes_table", + "routes_table_filtered", + "routes_table_peer", + "routes_filtered", + "routes_prefixed", + "routes_noexport", + "routes_pipe_filtered_count", + "routes_pipe_filtered" + ] + + [status] + reconfig_timestamp_source = "bird" + reconfig_timestamp_match = "# created: (.*)" + + filter_fields = [] + + [bird] + listen = "0.0.0.0:29184" + config = "/etc/bird/bird2.conf" + birdc = "''${pkgs.bird}/bin/birdc" + ttl = 5 # time to live (in minutes) for caching of cli output + + [parser] + filter_fields = [] + + [cache] + use_redis = false # if not using redis cache, activate housekeeping to save memory! + + [housekeeping] + interval = 5 + force_release_memory = true + ''; + }; + }; + }; + + config = + let flagsStr = escapeShellArgs cfg.flags; + in lib.mkIf cfg.enable { + environment.etc."birdwatcher/birdwatcher.conf".source = pkgs.writeTextFile { + name = "birdwatcher.conf"; + text = cfg.settings; + }; + systemd.services = { + birdwatcher = { + wants = [ "network.target" ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + description = "Birdwatcher"; + serviceConfig = { + Type = "simple"; + Restart = "on-failure"; + RestartSec = 15; + ExecStart = "${cfg.package}/bin/birdwatcher"; + StateDirectoryMode = "0700"; + UMask = "0117"; + NoNewPrivileges = true; + ProtectSystem = "strict"; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap"; + BindReadOnlyPaths = [ + "-/etc/resolv.conf" + "-/etc/nsswitch.conf" + "-/etc/ssl/certs" + "-/etc/static/ssl/certs" + "-/etc/hosts" + "-/etc/localtime" + ]; + }; + }; + }; + }; +} |