Commit f3ea0f50 authored by clerie's avatar clerie
Browse files

Remove modules as they aren't used anymore

parent 92eb817d
{ config, pkgs, lib, ... }:
{
disabledModules = [ "services/networking/keepalived/default.nix" ];
boot.cleanTmpDir = true;
networking.firewall.enable = true;
networking.firewall.allowPing = true;
......
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.clerie.akne;
in {
options = {
clerie.akne = {
enable = mkEnableOption "Makes fun stuff with the nixos acme module.";
selfSigneOnlyHostNames = mkOption {
type = with types; listOf str;
default = {};
description = "List of hostnames for which the acme client gets disabled. This hostnames use the self-signed certs instead.";
};
};
};
config = {
systemd.services = with lib; listToAttrs (
flatten (
map (
name: [
(
nameValuePair "acme-${name}" {
enable = false;
wantedBy = mkForce [];
}
)
(
nameValuePair "acme-selfsigned-${name}" {
wantedBy = [ "multi-user.target" ];
}
)
]
) cfg.selfSigneOnlyHostNames
)
);
};
}
\ No newline at end of file
{ ... }:
{
imports = [
./keepalived
];
}
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.keepalived;
keepalivedConf = pkgs.writeText "keepalived.conf" ''
global_defs {
${optionalString cfg.enableScriptSecurity "enable_script_security"}
${snmpGlobalDefs}
${cfg.extraGlobalDefs}
}
${vrrpScriptStr}
${vrrpInstancesStr}
${cfg.extraConfig}
'';
snmpGlobalDefs = with cfg.snmp; optionalString enable (
optionalString (socket != null) "snmp_socket ${socket}\n"
+ optionalString enableKeepalived "enable_snmp_keepalived\n"
+ optionalString enableChecker "enable_snmp_checker\n"
+ optionalString enableRfc "enable_snmp_rfc\n"
+ optionalString enableRfcV2 "enable_snmp_rfcv2\n"
+ optionalString enableRfcV3 "enable_snmp_rfcv3\n"
+ optionalString enableTraps "enable_traps"
);
vrrpScriptStr = concatStringsSep "\n" (map (s:
''
vrrp_script ${s.name} {
script "${s.script}"
interval ${toString s.interval}
fall ${toString s.fall}
rise ${toString s.rise}
timeout ${toString s.timeout}
weight ${toString s.weight}
user ${s.user} ${optionalString (s.group != null) s.group}
${s.extraConfig}
}
''
) vrrpScripts);
vrrpInstancesStr = concatStringsSep "\n" (map (i:
''
vrrp_instance ${i.name} {
interface ${i.interface}
state ${i.state}
virtual_router_id ${toString i.virtualRouterId}
priority ${toString i.priority}
${optionalString i.noPreempt "nopreempt"}
${optionalString i.useVmac (
"use_vmac" + optionalString (i.vmacInterface != null) " ${i.vmacInterface}"
)}
${optionalString i.vmacXmitBase "vmac_xmit_base"}
${optionalString (i.unicastSrcIp != null) "unicast_src_ip ${i.unicastSrcIp}"}
unicast_peer {
${concatStringsSep "\n" i.unicastPeers}
}
virtual_ipaddress {
${concatMapStringsSep "\n" virtualIpLine i.virtualIps}
}
${optionalString (builtins.length i.trackScripts > 0) ''
track_script {
${concatStringsSep "\n" i.trackScripts}
}
''}
${optionalString (builtins.length i.trackInterfaces > 0) ''
track_interface {
${concatStringsSep "\n" i.trackInterfaces}
}
''}
${i.extraConfig}
}
''
) vrrpInstances);
virtualIpLine = (ip:
ip.addr
+ optionalString (notNullOrEmpty ip.brd) " brd ${ip.brd}"
+ optionalString (notNullOrEmpty ip.dev) " dev ${ip.dev}"
+ optionalString (notNullOrEmpty ip.scope) " scope ${ip.scope}"
+ optionalString (notNullOrEmpty ip.label) " label ${ip.label}"
);
notNullOrEmpty = s: !(s == null || s == "");
vrrpScripts = mapAttrsToList (name: config:
{
inherit name;
} // config
) cfg.vrrpScripts;
vrrpInstances = mapAttrsToList (iName: iConfig:
{
name = iName;
} // iConfig
) cfg.vrrpInstances;
vrrpInstanceAssertions = i: [
{ assertion = i.interface != "";
message = "services.keepalived.vrrpInstances.${i.name}.interface option cannot be empty.";
}
{ assertion = i.virtualRouterId >= 0 && i.virtualRouterId <= 255;
message = "services.keepalived.vrrpInstances.${i.name}.virtualRouterId must be an integer between 0..255.";
}
{ assertion = i.priority >= 0 && i.priority <= 255;
message = "services.keepalived.vrrpInstances.${i.name}.priority must be an integer between 0..255.";
}
{ assertion = i.vmacInterface == null || i.useVmac;
message = "services.keepalived.vrrpInstances.${i.name}.vmacInterface has no effect when services.keepalived.vrrpInstances.${i.name}.useVmac is not set.";
}
{ assertion = !i.vmacXmitBase || i.useVmac;
message = "services.keepalived.vrrpInstances.${i.name}.vmacXmitBase has no effect when services.keepalived.vrrpInstances.${i.name}.useVmac is not set.";
}
] ++ flatten (map (virtualIpAssertions i.name) i.virtualIps)
++ flatten (map (vrrpScriptAssertion i.name) i.trackScripts);
virtualIpAssertions = vrrpName: ip: [
{ assertion = ip.addr != "";
message = "The 'addr' option for an services.keepalived.vrrpInstances.${vrrpName}.virtualIps entry cannot be empty.";
}
];
vrrpScriptAssertion = vrrpName: scriptName: {
assertion = builtins.hasAttr scriptName cfg.vrrpScripts;
message = "services.keepalived.vrrpInstances.${vrrpName} trackscript ${scriptName} is not defined in services.keepalived.vrrpScripts.";
};
pidFile = "/run/keepalived.pid";
in
{
options = {
services.keepalived = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable Keepalived.
'';
};
enableScriptSecurity = mkOption {
type = types.bool;
default = false;
description = ''
Don't run scripts configured to be run as root if any part of the path is writable by a non-root user.
'';
};
snmp = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable the builtin AgentX subagent.
'';
};
socket = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Socket to use for connecting to SNMP master agent. If this value is
set to null, keepalived's default will be used, which is
unix:/var/agentx/master, unless using a network namespace, when the
default is udp:localhost:705.
'';
};
enableKeepalived = mkOption {
type = types.bool;
default = false;
description = ''
Enable SNMP handling of vrrp element of KEEPALIVED MIB.
'';
};
enableChecker = mkOption {
type = types.bool;
default = false;
description = ''
Enable SNMP handling of checker element of KEEPALIVED MIB.
'';
};
enableRfc = mkOption {
type = types.bool;
default = false;
description = ''
Enable SNMP handling of RFC2787 and RFC6527 VRRP MIBs.
'';
};
enableRfcV2 = mkOption {
type = types.bool;
default = false;
description = ''
Enable SNMP handling of RFC2787 VRRP MIB.
'';
};
enableRfcV3 = mkOption {
type = types.bool;
default = false;
description = ''
Enable SNMP handling of RFC6527 VRRP MIB.
'';
};
enableTraps = mkOption {
type = types.bool;
default = false;
description = ''
Enable SNMP traps.
'';
};
};
vrrpScripts = mkOption {
type = types.attrsOf (types.submodule (import ./vrrp-script-options.nix {
inherit lib;
}));
default = {};
description = "Declarative vrrp script config";
};
vrrpInstances = mkOption {
type = types.attrsOf (types.submodule (import ./vrrp-instance-options.nix {
inherit lib;
}));
default = {};
description = "Declarative vhost config";
};
extraGlobalDefs = mkOption {
type = types.lines;
default = "";
description = ''
Extra lines to be added verbatim to the 'global_defs' block of the
configuration file
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Extra lines to be added verbatim to the configuration file.
'';
};
secretFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/keys/keepalived.env";
description = ''
Environment variables from this file will be interpolated into the
final config file using envsubst with this syntax: <literal>$ENVIRONMENT</literal>
or <literal>''${VARIABLE}</literal>.
The file should contain lines formatted as <literal>SECRET_VAR=SECRET_VALUE</literal>.
This is useful to avoid putting secrets into the nix store.
'';
};
};
};
config = mkIf cfg.enable {
assertions = flatten (map vrrpInstanceAssertions vrrpInstances);
systemd.timers.keepalived-boot-delay = {
description = "Keepalive Daemon delay to avoid instant transition to MASTER state";
after = [ "network.target" "network-online.target" "syslog.target" ];
requires = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
timerConfig = {
OnActiveSec = "5s";
Unit = "keepalived.service";
};
};
systemd.services.keepalived = let
finalConfigFile = if cfg.secretFile == null then keepalivedConf else "/var/run/keepalived/keepalived.conf";
in {
description = "Keepalive Daemon (LVS and VRRP)";
after = [ "network.target" "network-online.target" "syslog.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "forking";
PIDFile = pidFile;
KillMode = "process";
RuntimeDirectory = "keepalived";
ExecStartPre = lib.optional (cfg.secretFile != null)
(pkgs.writeShellScript "pre-start" ''
umask 077
export $(xargs < ${cfg.secretFile})
${pkgs.envsubst}/bin/envsubst -i "${keepalivedConf}" > ${finalConfigFile}
'');
ExecStart = "${pkgs.keepalived}/sbin/keepalived"
+ " -f ${finalConfigFile}"
+ " -p ${pidFile}"
+ optionalString cfg.snmp.enable " --snmp";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = "1s";
};
};
};
}
{ lib } :
with lib;
{
options = {
addr = mkOption {
type = types.str;
description = ''
IP address, optionally with a netmask: IPADDR[/MASK]
'';
};
brd = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
The broadcast address on the interface.
'';
};
dev = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
The name of the device to add the address to.
'';
};
scope = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
The scope of the area where this address is valid.
'';
};
label = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Each address may be tagged with a label string. In order to preserve
compatibility with Linux-2.0 net aliases, this string must coincide with
the name of the device or must be prefixed with the device name followed
by colon.
'';
};
};
}
{ lib } :
with lib;
{
options = {
interface = mkOption {
type = types.str;
description = ''
Interface for inside_network, bound by vrrp.
'';
};
state = mkOption {
type = types.enum [ "MASTER" "BACKUP" ];
default = "BACKUP";
description = ''
Initial state. As soon as the other machine(s) come up, an election will
be held and the machine with the highest "priority" will become MASTER.
So the entry here doesn't matter a whole lot.
'';
};
virtualRouterId = mkOption {
type = types.int;
description = ''
Arbitrary unique number 0..255. Used to differentiate multiple instances
of vrrpd running on the same NIC (and hence same socket).
'';
};
priority = mkOption {
type = types.int;
default = 100;
description = ''
For electing MASTER, highest priority wins. To be MASTER, make 50 more
than other machines.
'';
};
noPreempt = mkOption {
type = types.bool;
default = false;
description = ''
VRRP will normally preempt a lower priority machine when a higher
priority machine comes online. "nopreempt" allows the lower priority
machine to maintain the master role, even when a higher priority machine
comes back online. NOTE: For this to work, the initial state of this
entry must be BACKUP.
'';
};
useVmac = mkOption {
type = types.bool;
default = false;
description = ''
Use VRRP Virtual MAC.
'';
};
vmacInterface = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Name of the vmac interface to use. keepalived will come up with a name
if you don't specify one.
'';
};
vmacXmitBase = mkOption {
type = types.bool;
default = false;
description = ''
Send/Recv VRRP messages from base interface instead of VMAC interface.
'';
};
unicastSrcIp = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Default IP for binding vrrpd is the primary IP on interface. If you
want to hide location of vrrpd, use this IP as src_addr for unicast
vrrp packets.
'';
};
unicastPeers = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Do not send VRRP adverts over VRRP multicast group. Instead it sends
adverts to the following list of ip addresses using unicast design
fashion. It can be cool to use VRRP FSM and features in a networking
environment where multicast is not supported! IP Addresses specified can
IPv4 as well as IPv6.
'';
};
virtualIps = mkOption {
type = types.listOf (types.submodule (import ./virtual-ip-options.nix {
inherit lib;
}));
default = [];
example = literalExample ''
TODO: Example
'';
description = "Declarative vhost config";
};
trackScripts = mkOption {
type = types.listOf types.str;
default = [];
example = [ "chk_cmd1" "chk_cmd2" ];
description = "List of script names to invoke for health tracking.";
};
trackInterfaces = mkOption {
type = types.listOf types.str;
default = [];
example = [ "eth0" "eth1" ];
description = "List of network interfaces to monitor for health tracking.";
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Extra lines to be added verbatim to the vrrp_instance section.
'';
};
};
}
{ lib } :
with lib;
with lib.types;
{
options = {
script = mkOption {
type = str;
example = "\${pkgs.curl} -f http://localhost:80";
description = "(Path of) Script command to execute followed by args, i.e. cmd [args]...";
};
interval = mkOption {
type = int;
default = 1;
description = "Seconds between script invocations.";
};
timeout = mkOption {
type = int;
default = 5;
description = "Seconds after which script is considered to have failed.";
};
weight = mkOption {
type = int;
default = 0;
description = "Following a failure, adjust the priority by this weight.";
};
rise = mkOption {
type = int;
default = 5;
description = "Required number of successes for OK transition.";
};
fall = mkOption {
type = int;
default = 3;