Diffstat (limited to 'modules/certspotter.nix')
-rw-r--r--modules/certspotter.nix47
1 files changed, 47 insertions, 0 deletions
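--- /dev/null
+++ b/modules/certspotter.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.services.certspotter;
+
+ startOptions = extraOptions
+ ++ optionals (cfg.logs != null) ["-logs" cfg.logs]
+ ++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList))
+ ];
+in {
+ options = {
+ services.certspotter = {
+ watchList = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ };
+
+ logs = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ };
+
+ extraOptions = mkOption {
+ type = types.listOf types.str;
+ default = [ "-verbose" ];
+ };
+
+ package = mkPackageOption pkgs "certspotter" {};
+ };
+ };
+
+ config = mkIf (cfg.watchList != []) {
+ systemd.services.certspotter = {
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStartPre = "${pkgs.coreutils}/bin/rm $STATE_DIRECTORY/lock";
+ ExecStart = "${cfg.package}/bin/certspotter -state_dir $STATE_DIRECTORY ${escapeShellArgs startOptions}";
+ StateDirectory = "certspotter";
+ LogsDirectory = "certspotter";
+ StandardOutput = "append:$LOGS_DIRECTORY/certspotter.log";
+ DynamicUser = true;
+ };
+ };
+ };
+}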
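Review bot: `startOptions = extraOptions` in the `let` block references an unbound name — the option is declared as `services.certspotter.extraOptions` and is only reachable through `cfg`, so evaluating the module with a non-empty `watchList` fails with an undefined-variable error; it should read `startOptions = cfg.extraOptions`. `ExecStartPre` runs `rm` without `-f`, so on the very first start, when `$STATE_DIRECTORY/lock` does not exist yet, the pre-command exits non-zero and the unit never reaches `ExecStart`; use `ExecStartPre = "${pkgs.coreutils}/bin/rm -f $STATE_DIRECTORY/lock";`. `StandardOutput = "append:$LOGS_DIRECTORY/certspotter.log"` also looks wrong: as far as I know systemd expands `$VAR` only in the `Exec*=` command lines, not in `StandardOutput=`, which leaves a non-absolute path that the unit loader rejects — `StandardOutput = "append:/var/log/certspotter/certspotter.log";` names the directory that `LogsDirectory = "certspotter"` actually creates. Separately, the watchlist written with `pkgs.writeText` lands in the world-readable Nix store, so the monitored domain list is visible to every local user; that is acceptable for most deployments, but a comment on the `watchList` option saying so would save the next maintainer from assuming it is private.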