author | clerie <git@clerie.de> | 2021-06-26 14:10:05 +0200 |
---|---|---|
committer | clerie <git@clerie.de> | 2022-08-27 17:19:16 +0200 |
commit | bf7d05e64d1172ad9356b87bc8c2a643f600e1f0 (patch) | |
tree | 37a6eedffda362e46b42f17f0636a4ccc2726578 | |
parent | 1bc07dc1dd6e2693cc6c6a94464fa6c43658d3d5 (diff) | |
nixos/keepalived: add secrets support
-rw-r--r-- | nixos/modules/services/networking/keepalived/default.nix | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/keepalived/default.nix b/nixos/modules/services/networking/keepalived/default.nix index c9ac2ee2599..c9bfe64b1a8 100644 --- a/nixos/modules/services/networking/keepalived/default.nix +++ b/nixos/modules/services/networking/keepalived/default.nix @@ -264,6 +264,19 @@ in ''; }; + secretFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/keepalived.env"; + description = '' + Environment variables from this file will be interpolated into the + final config file using envsubst with this syntax: <literal>$ENVIRONMENT</literal> + or <literal>''${VARIABLE}</literal>. + The file should contain lines formatted as <literal>SECRET_VAR=SECRET_VALUE</literal>. + This is useful to avoid putting secrets into the nix store. + ''; + }; + }; }; @@ -282,7 +295,9 @@ in }; }; - systemd.services.keepalived = { + systemd.services.keepalived = let + finalConfigFile = if cfg.secretFile == null then keepalivedConf else "/run/keepalived/keepalived.conf"; + in { description = "Keepalive Daemon (LVS and VRRP)"; after = [ "network.target" "network-online.target" "syslog.target" ]; wants = [ "network-online.target" ]; @@ -290,8 +305,15 @@ in Type = "forking"; PIDFile = pidFile; KillMode = "process"; + RuntimeDirectory = "keepalived"; + EnvironmentFile = lib.optional (cfg.secretFile != null) cfg.secretFile; + ExecStartPre = lib.optional (cfg.secretFile != null) + (pkgs.writeShellScript "keepalived-pre-start" '' + umask 077 + ${pkgs.envsubst}/bin/envsubst -i "${keepalivedConf}" > ${finalConfigFile} + ''); ExecStart = "${pkgs.keepalived}/sbin/keepalived" - + " -f ${keepalivedConf}" + + " -f ${finalConfigFile}" + " -p ${pidFile}" + optionalString cfg.snmp.enable " --snmp"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; |
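Review bot: The envsubst call in the new ExecStartPre script replaces an unset or misspelled variable with an empty string, so a typo in the secret file silently renders, for example, an empty VRRP `auth_pass` instead of failing the start; assuming `pkgs.envsubst` is a8m/envsubst (the `-i` flag suggests it), change the line to `${pkgs.envsubst}/bin/envsubst -no-unset -no-empty -i "${keepalivedConf}" > ${finalConfigFile}` so a missing secret aborts startup. Because the secrets are loaded through `EnvironmentFile` on the unit, they are present in the environment of the keepalived main process as well and are inherited by any script it spawns; loading them only inside the pre-start script (`set -a; . "${cfg.secretFile}"; set +a`, provided the file is shell-compatible) keeps them out of the daemon's environment. `ExecReload` only sends HUP, so a rotated secret is not re-rendered into `/run/keepalived/keepalived.conf` until the unit is restarted; the option description should state that, and also that every `$VAR`/`${VAR}` occurrence in the generated config is substituted, not only the secret references. The `systemd.services.keepalived` definition continues outside the hunk.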