Diffstat (limited to 'modules')
-rw-r--r-- | modules/certspotter.nix | 47 |
1 files changed, 47 insertions, 0 deletions
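--- /dev/null
+++ b/modules/certspotter.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+cfg = config.services.certspotter;
+
+startOptions = extraOptions
+++ optionals (cfg.logs != null) ["-logs" cfg.logs]
+++ ["-watchlist" (pkgs.writeText "watchlist" (concatStringsSep "\n" cfg.watchList))
+];
+in {
+options = {
+services.certspotter = {
+watchList = mkOption {
+type = types.listOf types.str;
+default = [];
+};
+
+logs = mkOption {
+type = types.nullOr types.str;
+default = null;
+};
+
+extraOptions = mkOption {
+type = types.listOf types.str;
+default = [ "-verbose" ];
+};
+
+package = mkPackageOption pkgs "certspotter" {};
+};
+};
+
+config = mkIf (cfg.watchList != []) {
+systemd.services.certspotter = {
+serviceConfig = {
+Type = "oneshot";
+ExecStartPre = "${pkgs.coreutils}/bin/rm $STATE_DIRECTORY/lock";
+ExecStart = "${cfg.package}/bin/certspotter -state_dir $STATE_DIRECTORY ${escapeShellArgs startOptions}";
+StateDirectory = "certspotter";
+LogsDirectory = "certspotter";
+StandardOutput = "append:$LOGS_DIRECTORY/certspotter.log";
+DynamicUser = true;
+};
+};
+};
+}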
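Review bot: `startOptions` on line 8 reads the bare name `extraOptions`, which is not bound in the `let` block or in `lib`, so evaluating the module fails with an undefined-variable error once `watchList` is non-empty; the option is declared under `services.certspotter`, so it should be `startOptions = cfg.extraOptions`. Separately, the `ExecStartPre` on line 38 runs `rm` without `-f`, which exits non-zero when no lock file exists yet (the very first start) and thereby aborts the unit; `ExecStartPre = "-${pkgs.coreutils}/bin/rm -f $STATE_DIRECTORY/lock";` tolerates both a missing file and a failed removal. Deleting the lock unconditionally also discards certspotter's own guard against two concurrent instances; systemd serialises starts of a single unit so this is probably acceptable, but a comment such as `# certspotter leaves a stale lock behind after an unclean exit; systemd already prevents overlapping runs of this unit` would record why it is safe. The unit has no `wantedBy` or `startAt`, so as written nothing appears to trigger the oneshot unless another module does; if periodic polling is intended, a `startAt` value would make that explicit. None of the `mkOption` declarations carries a `description`, so the options render without help text in the generated documentation; one-line descriptions for `watchList`, `logs`, `extraOptions` and the meaning of an empty `watchList` (service disabled) would close that gap.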