authorGregor Kleen <gkleen@yggdrasil.li>2022-03-26 16:27:43 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-03-26 16:27:43 +0100
commitec7b0f75b5abad46a0d3653741f3da113b665f02 (patch)
treea7ae38dbcb9d6f5a06f6ad2dc26709db2f0091f7 /modules/certspotter.nix
parent2cf55a9d3feedec5e59e0ff955cf21990af21ed4 (diff)
certspotter
Diffstat (limited to 'modules/certspotter.nix')
-rw-r--r--modules/certspotter.nix47
1 files changed, 47 insertions, 0 deletions
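diff --git a/modules/certspotter.nix b/modules/certspotter.nix
new file mode 100644
index 00000000..f82b004f
--- /dev/null
+++ b/modules/certspotter.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.services.certspotter;
+
+ startOptions = extraOptions
+ ++ optionals (cfg.logs != null) ["-logs" cfg.logs]
+ ++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList))
+ ];
+in {
+ options = {
+ services.certspotter = {
+ watchList = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ };
+
+ logs = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ };
+
+ extraOptions = mkOption {
+ type = types.listOf types.str;
+ default = [ "-verbose" ];
+ };
+
+ package = mkPackageOption pkgs "certspotter" {};
+ };
+ };
+
+ config = mkIf (cfg.watchList != []) {
+ systemd.services.certspotter = {
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStartPre = "${pkgs.coreutils}/bin/rm $STATE_DIRECTORY/lock";
+ ExecStart = "${cfg.package}/bin/certspotter -state_dir $STATE_DIRECTORY ${escapeShellArgs startOptions}";
+ StateDirectory = "certspotter";
+ LogsDirectory = "certspotter";
+ StandardOutput = "append:$LOGS_DIRECTORY/certspotter.log";
+ DynamicUser = true;
+ };
+ };
+ };
+}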
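Review bot: `startOptions` on new line 8 starts from a bare `extraOptions`, which nothing in the `let` binds (and `with lib;` is not expected to supply it), so the module most likely fails to evaluate; it should read `startOptions = cfg.extraOptions`. Two more lines can keep the unit from ever running, which for a Certificate Transparency monitor means unexpected issuance for the watched names goes unnoticed. `ExecStartPre` runs `rm` without `-f`, so it fails when no lock file exists yet (use `${pkgs.coreutils}/bin/rm -f $STATE_DIRECTORY/lock`), and `StandardOutput` wants a literal absolute path — systemd does not appear to expand `$LOGS_DIRECTORY` outside Exec lines — so `append:/var/log/certspotter/certspotter.log` is the safer form. The options also carry no `description`, and since no timer is visible in this file, how the oneshot is scheduled and who reads the log should be documented.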