| author | Gregor Kleen <gkleen@yggdrasil.li> | 2024-08-08 10:45:09 +0200 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2024-08-08 10:45:09 +0200 |
| commit | 63adb41f1a060c21a68143eb9e86c2790ef66f36 (patch) | |
| tree | 3902b85e7659fd396ded1d2e42ea318153d08a13 /modules/certspotter.nix | |
| parent | 73b08cbd76d4471c9a6fddd05265d7d7fc4c45ff (diff) | |
| download | nixos-63adb41f1a060c21a68143eb9e86c2790ef66f36.tar nixos-63adb41f1a060c21a68143eb9e86c2790ef66f36.tar.gz nixos-63adb41f1a060c21a68143eb9e86c2790ef66f36.tar.bz2 nixos-63adb41f1a060c21a68143eb9e86c2790ef66f36.tar.xz nixos-63adb41f1a060c21a68143eb9e86c2790ef66f36.zip | |
...
Diffstat (limited to 'modules/certspotter.nix')
| -rw-r--r-- | modules/certspotter.nix | 67 |
1 files changed, 0 insertions, 67 deletions
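--- a/modules/certspotter.nix
+++ /dev/null
@@ -1,67 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let
-cfg = config.services.certspotter;
-
-script = pkgs.writeShellApplication {
-name = "certspotter-script";
-runtimeInputs = with pkgs; [ coreutils ];
-text = ''
-mkdir -p "''${LOGS_DIRECTORY}"
-env > "$(mktemp -p "''${LOGS_DIRECTORY}" "$(date -Iseconds).''${PUBKEY_HASH:-na}.XXXXXXXXXX.env")"
-'';
-};
-
-startOptions = cfg.extraOptions
-++ optionals (cfg.logs != null) ["-logs" cfg.logs]
-++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList))
-"-script" "${script}/bin/certspotter-script"
-];
-
-startScript = pkgs.writeShellApplication {
-name = "certspotter-start";
-runtimeInputs = [ pkgs.coreutils cfg.package ];
-text = ''
-rm -f "''${STATE_DIRECTORY}/lock"
-exec -- certspotter -state_dir "''${STATE_DIRECTORY}" ${escapeShellArgs startOptions}
-'';
-};
-in {
-options = {
-services.certspotter = {
-watchList = mkOption {
-type = types.listOf types.str;
-default = [];
-};
-
-logs = mkOption {
-type = types.nullOr types.str;
-default = null;
-};
-
-extraOptions = mkOption {
-type = types.listOf types.str;
-default = [ "-verbose" ];
-};
-
-package = mkPackageOption pkgs "certspotter" {};
-};
-};
-
-config = mkIf (cfg.watchList != []) {
-systemd.services.certspotter = {
-serviceConfig = {
-Type = "oneshot";
-ExecStart = "${startScript}/bin/certspotter-start";
-StateDirectory = "certspotter";
-LogsDirectory = "certspotter";
-DynamicUser = true;
-
-CPUSchedulingPolicy = "idle";
-IOSchedulingClass = "idle";
-};
-};
-};
-}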
