~aasg/nixexprs

ref: 83f5417517270006384c02d0a75dd5e4b81e5ffa nixexprs/modules/services/networking/monitoring/bird-lg.nix -rw-r--r-- 4.1 KiB
83f54175 — Aluísio Augusto Silva Gonçalves bird-lg: init at 2020-05-20-unstable 5 months ago
                                                                                
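{ config, lib, pkgs, ... }:
# bird-lg (BIRD looking glass) as two independently enabled units: the web
# front end ("server") and the per-router proxy ("client") it talks to.
# Each is a Gunicorn-hosted Python program, so each half gets two generated
# configuration files: a JSON file for the application itself and a Python
# module for Gunicorn, both rendered from the option values declared below.
let
  inherit (lib) mkDefault mkEnableOption mkIf mkOption types;

  jsonFormat = pkgs.formats.json { };

  # Gunicorn only accepts its configuration as a Python source file.  This
  # pseudo-format takes the same JSON-shaped values as `jsonFormat` and
  # emits a module that binds every key as a module-level variable.  The
  # value passes through json.load, which maps true/false/null onto
  # True/False/None, so repr() of the result is a valid Python literal.
  pyJSONFormat =
    {
      # `globals().update` needs a mapping, so anything but an attribute
      # set is rejected at evaluation time instead of at service start.
      type = types.attrsOf jsonFormat.type;
      generate = name: value: pkgs.runCommandNoCC
        name
        {
          # Both inputs are handed over as files, so neither the script nor
          # the (possibly large) JSON document has to survive shell quoting.
          passAsFile = [ "script" "value" ];
          value = builtins.toJSON value;
          script = ''
            import json
            import sys
            value = json.load(sys.stdin)
            print("globals().update({!r})".format(value), file=sys.stdout)
          '';
        }
        ''
          ${pkgs.python3}/bin/python $scriptPath <$valuePath >$out
        '';
    };

  cfg = config.services.bird-lg;
  serverGunicornConfigFile = pyJSONFormat.generate "bird-lg-gunicorn.py" cfg.server.gunicornSettings;
  clientGunicornConfigFile = pyJSONFormat.generate "bird-lgproxy-gunicorn.py" cfg.client.gunicornSettings;

  # Sandboxing shared by both units.  They run as transient users
  # (DynamicUser) with a read-only view of the system, and the remaining
  # directives take away the kernel interfaces and devices a web service
  # has no reason to touch.  Kept in one place so the two units cannot
  # silently drift apart.
  hardening = {
    DynamicUser = true;
    NoNewPrivileges = true;
    ProtectSystem = "strict";
    ProtectHome = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    ProtectControlGroups = true;
    PrivateDevices = true;
    PrivateTmp = true;
    DevicePolicy = "closed";
  };

  # Unit definition common to both Gunicorn-hosted programs.
  #   description        - the unit's Description=
  #   exe                - executable name below ${pkgs.bird-lg}/bin
  #   gunicornConfigFile - generated Python module passed as --config
  #   extraServiceConfig - additional [Service] directives, merged last so
  #                        they can extend or override the shared set
  mkUnit = { description, exe, gunicornConfigFile, extraServiceConfig ? { } }: {
    inherit description;
    requires = [ "network-online.target" ];
    # Started after whichever BIRD flavour is installed on the host.
    after = [ "bird.service" "bird6.service" "bird2.service" "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${pkgs.bird-lg}/bin/${exe} --config=${gunicornConfigFile}";
      Restart = "on-failure";

      WorkingDirectory = "/etc/bird-lg";
      # ConfigurationDirectory= takes a name relative to /etc; systemd
      # rejects an absolute path here and ignores the directive entirely.
      ConfigurationDirectory = "bird-lg";
    } // hardening // extraServiceConfig;
  };
in
{

  options = {
    services.bird-lg.server = {
      enable = mkEnableOption "BIRD looking glass server";

      appSettings = mkOption {
        # Rendered into the Nix store by jsonFormat.generate, i.e.
        # world-readable: keep credentials out of these settings.
        description = "Configuration for bird-lg's server.";
        type = jsonFormat.type;
        default = { };
      };

      gunicornSettings = mkOption {
        # Must be an attribute set; each key becomes a Gunicorn setting.
        description = "Configuration for the Gunicorn instance running bird-lg's server.";
        type = pyJSONFormat.type;
        default = { };
      };
    };

    services.bird-lg.client = {
      enable = mkEnableOption "BIRD looking glass client proxy";

      appSettings = mkOption {
        # Same caveat as for the server: this ends up in the world-readable
        # Nix store.
        description = "Configuration for bird-lg's client proxy.";
        type = jsonFormat.type;
        default = { };
      };

      gunicornSettings = mkOption {
        # Must be an attribute set; each key becomes a Gunicorn setting.
        description = "Configuration for the Gunicorn instance running bird-lg's client proxy.";
        type = pyJSONFormat.type;
        default = { };
      };
    };
  };

  config = {

    ################
    # Server setup #
    ################

    environment.etc."bird-lg/lg.json" = mkIf cfg.server.enable {
      source = jsonFormat.generate "bird-lg.json" cfg.server.appSettings;
    };

    systemd.services.bird-lg-server = mkIf cfg.server.enable (mkUnit {
      description = "BIRD looking glass web server";
      exe = "bird-lg-webservice";
      gunicornConfigFile = serverGunicornConfigFile;
      # Only the server forbids writable+executable memory mappings.
      extraServiceConfig.MemoryDenyWriteExecute = true;
    });

    ######################
    # Client proxy setup #
    ######################

    environment.etc."bird-lg/lgproxy.json" = mkIf cfg.client.enable {
      source = jsonFormat.generate "bird-lgproxy.json" cfg.client.appSettings;
    };

    systemd.services.bird-lg-client = mkIf cfg.client.enable (mkUnit {
      description = "BIRD looking glass client proxy";
      exe = "bird-lg-proxy";
      gunicornConfigFile = clientGunicornConfigFile;
      # NOTE(review): unlike the server, this unit does not set
      # MemoryDenyWriteExecute; presumably deliberate — confirm.
      # NOTE(review): the proxy runs as a transient user; if it reaches BIRD
      # through a group-protected control socket, SupplementaryGroups will
      # be needed here — verify against the deployed BIRD setup.
    });

  };

}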