nixpkgs/nixos/modules/services/networking/bird.nix

{ config, lib, pkgs, ... }:

let
  inherit (lib) mkEnableOption mkIf mkOption types;

  generic = variant:
    let
      cfg = config.services.${variant};
      pkg = pkgs.${variant};
      birdBin = if variant == "bird6" then "bird6" else "bird";
      birdc = if variant == "bird6" then "birdc6" else "birdc";
      descr =
        { bird = "1.9.x with IPv4 suport";
          bird6 = "1.9.x with IPv6 suport";
          bird2 = "2.x";
        }.${variant};
      configFile = pkgs.stdenv.mkDerivation {
        name = "${variant}.conf";
        text = cfg.config;
        preferLocalBuild = true;
        buildCommand = ''
          echo -n "$text" > $out
          ${pkg}/bin/${birdBin} -d -p -c $out
        '';
      };
    in {
      ###### interface
      options = {
        services.${variant} = {
          enable = mkEnableOption "BIRD Internet Routing Daemon (${descr})";
          config = mkOption {
            type = types.lines;
            description = ''
              BIRD Internet Routing Daemon configuration file.
              <link xlink:href='http://bird.network.cz/'/>
            '';
          };
        };
      };

      ###### implementation
      config = mkIf cfg.enable {
        environment.systemPackages = [ pkg ];
        systemd.services.${variant} = {
          description = "BIRD Internet Routing Daemon (${descr})";
          wantedBy = [ "multi-user.target" ];
          reloadIfChanged = true;
          serviceConfig = {
            Type = "forking";
            Restart = "on-failure";
            ExecStart = "${pkg}/bin/${birdBin} -c ${configFile} -u ${variant} -g ${variant}";
            ExecReload = "${pkg}/bin/${birdc} configure";
            ExecStop = "${pkg}/bin/${birdc} down";
            CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" "CAP_SETUID" "CAP_SETGID"
                                      # see bird/sysdep/linux/syspriv.h
                                      "CAP_NET_BIND_SERVICE" "CAP_NET_BROADCAST" "CAP_NET_ADMIN" "CAP_NET_RAW" ];
            ProtectSystem = "full";
            ProtectHome = "yes";
            SystemCallFilter="~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
            MemoryDenyWriteExecute = "yes";
          };
        };
        users = {
          users.${variant} = {
            description = "BIRD Internet Routing Daemon user";
            group = variant;
          };
          groups.${variant} = {};
        };
      };
    };

in

{
  imports = map generic [ "bird" "bird6" "bird2" ];
}
nixos: add bird module patch bird to look in /var/run for birc.ctl 2015-05-16 23:22:35 +02:00			`{ config, lib, pkgs, ... }:`

			`let`
bird: refactor module - syntax check before deploying configuration - remove static unnessary static uid/gid (configuration is opened as root) - add service hardening 2016-12-09 10:48:54 +01:00			`inherit (lib) mkEnableOption mkIf mkOption types;`

			`generic = variant:`
			`let`
			`cfg = config.services.${variant};`
			`pkg = pkgs.${variant};`
bird2: init at 2.0.1 2018-02-11 23:28:00 +01:00			`birdBin = if variant == "bird6" then "bird6" else "bird";`
bird: refactor module - syntax check before deploying configuration - remove static unnessary static uid/gid (configuration is opened as root) - add service hardening 2016-12-09 10:48:54 +01:00			`birdc = if variant == "bird6" then "birdc6" else "birdc";`
bird2: init at 2.0.1 2018-02-11 23:28:00 +01:00			`descr =`
			`{ bird = "1.9.x with IPv4 suport";`
			`bird6 = "1.9.x with IPv6 suport";`
			`bird2 = "2.x";`
			`}.${variant};`
bird: refactor module - syntax check before deploying configuration - remove static unnessary static uid/gid (configuration is opened as root) - add service hardening 2016-12-09 10:48:54 +01:00			`configFile = pkgs.stdenv.mkDerivation {`
			`name = "${variant}.conf";`
			`text = cfg.config;`
			`preferLocalBuild = true;`
			`buildCommand = ''`
			`echo -n "$text" > $out`
bird2: init at 2.0.1 2018-02-11 23:28:00 +01:00			`${pkg}/bin/${birdBin} -d -p -c $out`
nixos: add bird module patch bird to look in /var/run for birc.ctl 2015-05-16 23:22:35 +02:00			`'';`
			`};`
bird: refactor module - syntax check before deploying configuration - remove static unnessary static uid/gid (configuration is opened as root) - add service hardening 2016-12-09 10:48:54 +01:00			`in {`
			`###### interface`
			`options = {`
			`services.${variant} = {`
bird2: init at 2.0.1 2018-02-11 23:28:00 +01:00			`enable = mkEnableOption "BIRD Internet Routing Daemon (${descr})";`
bird: refactor module - syntax check before deploying configuration - remove static unnessary static uid/gid (configuration is opened as root) - add service hardening 2016-12-09 10:48:54 +01:00			`config = mkOption {`
			`type = types.lines;`
			`description = ''`
			`BIRD Internet Routing Daemon configuration file.`
			`<link xlink:href='http://bird.network.cz/'/>`
			`'';`
			`};`
			`};`
nixos: add bird module patch bird to look in /var/run for birc.ctl 2015-05-16 23:22:35 +02:00			`};`

bird: refactor module - syntax check before deploying configuration - remove static unnessary static uid/gid (configuration is opened as root) - add service hardening 2016-12-09 10:48:54 +01:00			`###### implementation`
			`config = mkIf cfg.enable {`
bird service: add bird to systemPackages For the tool birdc to monitor and configure bird. 2016-12-28 06:35:31 +01:00			`environment.systemPackages = [ pkg ];`
bird: refactor module - syntax check before deploying configuration - remove static unnessary static uid/gid (configuration is opened as root) - add service hardening 2016-12-09 10:48:54 +01:00			`systemd.services.${variant} = {`
bird2: init at 2.0.1 2018-02-11 23:28:00 +01:00			`description = "BIRD Internet Routing Daemon (${descr})";`
bird: refactor module - syntax check before deploying configuration - remove static unnessary static uid/gid (configuration is opened as root) - add service hardening 2016-12-09 10:48:54 +01:00			`wantedBy = [ "multi-user.target" ];`
bird: set reloadIfChanged to true (#45924) This will trigger the reload instead of restart command if a definition changes, which is much more desireable for a routing daemon. 2018-09-02 06:51:32 +02:00			`reloadIfChanged = true;`
bird: refactor module - syntax check before deploying configuration - remove static unnessary static uid/gid (configuration is opened as root) - add service hardening 2016-12-09 10:48:54 +01:00			`serviceConfig = {`
			`Type = "forking";`
			`Restart = "on-failure";`
bird2: init at 2.0.1 2018-02-11 23:28:00 +01:00			`ExecStart = "${pkg}/bin/${birdBin} -c ${configFile} -u ${variant} -g ${variant}";`
bird: refactor module - syntax check before deploying configuration - remove static unnessary static uid/gid (configuration is opened as root) - add service hardening 2016-12-09 10:48:54 +01:00			`ExecReload = "${pkg}/bin/${birdc} configure";`
			`ExecStop = "${pkg}/bin/${birdc} down";`
			`CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" "CAP_SETUID" "CAP_SETGID"`
			`# see bird/sysdep/linux/syspriv.h`
			`"CAP_NET_BIND_SERVICE" "CAP_NET_BROADCAST" "CAP_NET_ADMIN" "CAP_NET_RAW" ];`
			`ProtectSystem = "full";`
			`ProtectHome = "yes";`
			`SystemCallFilter="~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";`
			`MemoryDenyWriteExecute = "yes";`
			`};`
			`};`
			`users = {`
nixos/modules: users.(extraUsers\|extraGroup->users\|group) 2018-06-30 01:58:35 +02:00			`users.${variant} = {`
bird: refactor module - syntax check before deploying configuration - remove static unnessary static uid/gid (configuration is opened as root) - add service hardening 2016-12-09 10:48:54 +01:00			`description = "BIRD Internet Routing Daemon user";`
bird2: init at 2.0.1 2018-02-11 23:28:00 +01:00			`group = variant;`
bird: refactor module - syntax check before deploying configuration - remove static unnessary static uid/gid (configuration is opened as root) - add service hardening 2016-12-09 10:48:54 +01:00			`};`
nixos/modules: users.(extraUsers\|extraGroup->users\|group) 2018-06-30 01:58:35 +02:00			`groups.${variant} = {};`
bird: refactor module - syntax check before deploying configuration - remove static unnessary static uid/gid (configuration is opened as root) - add service hardening 2016-12-09 10:48:54 +01:00			`};`
nixos: add bird module patch bird to look in /var/run for birc.ctl 2015-05-16 23:22:35 +02:00			`};`
			`};`

bird2: init at 2.0.1 2018-02-11 23:28:00 +01:00			`in`

			`{`
			`imports = map generic [ "bird" "bird6" "bird2" ];`
nixos: add bird module patch bird to look in /var/run for birc.ctl 2015-05-16 23:22:35 +02:00			`}`