forked from DGNum/infrastructure
Tom Hubrecht
88d9b8c3e3
Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu> Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu> Acked-by: Maurice Debray <maurice.debray@dgnum.eu> Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu> Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum. Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel.
119 lines
3.1 KiB
Nix
119 lines
3.1 KiB
Nix
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
|
|
#
|
|
# SPDX-License-Identifier: EUPL-1.2
|
|
|
|
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
utils,
|
|
...
|
|
}:
|
|
|
|
let
|
|
inherit (lib)
|
|
getExe
|
|
mkEnableOption
|
|
mkIf
|
|
mkOption
|
|
mkPackageOption
|
|
;
|
|
|
|
inherit (lib.types)
|
|
either
|
|
listOf
|
|
nullOr
|
|
path
|
|
str
|
|
;
|
|
|
|
settingsFormat = pkgs.formats.yaml { };
|
|
|
|
cfg = config.services.netbox-agent;
|
|
in
|
|
{
|
|
options.services.netbox-agent = {
|
|
enable = mkEnableOption "Netbox-agent";
|
|
|
|
package = (mkPackageOption pkgs "netbox-agent" { }) // {
|
|
default = pkgs.callPackage ./package.nix { };
|
|
};
|
|
|
|
startAt = mkOption {
|
|
type = either str (listOf str);
|
|
default = "*-*-* 00:00:00";
|
|
description = ''
|
|
Automatically start this unit at the given date/time, which
|
|
must be in the format described in
|
|
{manpage}`systemd.time(7)`.
|
|
'';
|
|
};
|
|
|
|
randomizedDelaySec = mkOption {
|
|
type = str;
|
|
default = "0";
|
|
example = "45min";
|
|
description = ''
|
|
Add a randomized delay before each netbox-agent runs.
|
|
The delay will be chosen between zero and this value.
|
|
This value must be a time span in the format specified by
|
|
{manpage}`systemd.time(7)`
|
|
'';
|
|
};
|
|
|
|
settings = mkOption {
|
|
inherit (settingsFormat) type;
|
|
description = ''
|
|
Settings to be passed to the netbox agent. Will be converted to a YAML
|
|
config file
|
|
'';
|
|
default = { };
|
|
};
|
|
|
|
environmentFile = mkOption {
|
|
type = nullOr path;
|
|
default = null;
|
|
description = ''
|
|
Environment file to pass to netbox-agent. See `netbox-agent --help` for
|
|
possible environment variables
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
systemd.services.netbox-agent = {
|
|
description = "Netbox-agent service. It generates an existing infrastructure on Netbox and have the ability to update it regularly through this service.";
|
|
wants = [ "network-online.target" ];
|
|
after = [ "network-online.target" ];
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
# We could link directly into pkgs.tzdata, but at least timedatectl seems
|
|
# to expect the symlink to point directly to a file in etc.
|
|
# Setting the "debian timezone file" to point at /dev/null stops it doing anything.
|
|
ExecStart = utils.escapeSystemdExecArgs [
|
|
(getExe cfg.package)
|
|
"-c"
|
|
(settingsFormat.generate "config.yaml" cfg.settings)
|
|
];
|
|
EnvironmentFile = cfg.environmentFile;
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
NoNewPrivileges = true;
|
|
PrivateTmp = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHome = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectSystem = "strict";
|
|
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
};
|
|
inherit (cfg) startAt;
|
|
};
|
|
|
|
systemd.timers.netbox-agent.timerConfig.RandomizedDelaySec = cfg.randomizedDelaySec;
|
|
};
|
|
}
|