diff options
author | Jaka Hudoklin <jakahudoklin@gmail.com> | 2016-08-24 20:11:39 +0200 |
---|---|---|
committer | Jaka Hudoklin <jakahudoklin@gmail.com> | 2016-08-24 20:12:24 +0200 |
commit | 8256c07fc03625ea37ff2ebb29217c50e2ed6163 (patch) | |
tree | b84649a7bb3d69d4a2b0e4c4d9588953637bbb7d /nixos/modules/services/misc/etcd.nix | |
parent | 54d3556e7aaa36f68cbeb9c9ea40edafda42c823 (diff) | |
download | nixpkgs-8256c07fc03625ea37ff2ebb29217c50e2ed6163.tar nixpkgs-8256c07fc03625ea37ff2ebb29217c50e2ed6163.tar.gz nixpkgs-8256c07fc03625ea37ff2ebb29217c50e2ed6163.tar.bz2 nixpkgs-8256c07fc03625ea37ff2ebb29217c50e2ed6163.tar.lz nixpkgs-8256c07fc03625ea37ff2ebb29217c50e2ed6163.tar.xz nixpkgs-8256c07fc03625ea37ff2ebb29217c50e2ed6163.tar.zst nixpkgs-8256c07fc03625ea37ff2ebb29217c50e2ed6163.zip |
etcd module: add support for ssl, better defaults, fix tests
Diffstat (limited to 'nixos/modules/services/misc/etcd.nix')
-rw-r--r-- | nixos/modules/services/misc/etcd.nix | 65 |
1 files changed, 60 insertions, 5 deletions
diff --git a/nixos/modules/services/misc/etcd.nix b/nixos/modules/services/misc/etcd.nix index 0d6ed8eb904..8a12e183aa3 100644 --- a/nixos/modules/services/misc/etcd.nix +++ b/nixos/modules/services/misc/etcd.nix @@ -28,13 +28,13 @@ in { listenClientUrls = mkOption { description = "Etcd list of URLs to listen on for client traffic."; - default = ["http://localhost:4001"]; + default = ["http://localhost:2379"]; type = types.listOf types.str; }; listenPeerUrls = mkOption { description = "Etcd list of URLs to listen on for peer traffic."; - default = ["http://localhost:7001"]; + default = ["http://localhost:2380"]; type = types.listOf types.str; }; @@ -46,7 +46,7 @@ in { initialCluster = mkOption { description = "Etcd initial cluster configuration for bootstrapping."; - default = ["${cfg.name}=http://localhost:7001"]; + default = ["${cfg.name}=http://127.0.0.1:2380"]; type = types.listOf types.str; }; @@ -68,6 +68,54 @@ in { type = types.str; }; + clientCertAuth = mkOption { + description = "Whether to use certs for client authentication"; + default = false; + type = types.bool; + }; + + trustedCaFile = mkOption { + description = "Certificate authority file to use for clients"; + default = null; + type = types.nullOr types.path; + }; + + certFile = mkOption { + description = "Cert file to use for clients"; + default = null; + type = types.nullOr types.path; + }; + + keyFile = mkOption { + description = "Key file to use for clients"; + default = null; + type = types.nullOr types.path; + }; + + peerCertFile = mkOption { + description = "Cert file to use for peer to peer communication"; + default = cfg.certFile; + type = types.nullOr types.path; + }; + + peerKeyFile = mkOption { + description = "Key file to use for peer to peer communication"; + default = cfg.keyFile; + type = types.nullOr types.path; + }; + + peerTrustedCaFile = mkOption { + description = "Certificate authority file to use for peer to peer communication"; + default = cfg.trustedCaFile; + type = types.nullOr types.path; + }; + + peerClientCertAuth = mkOption { + description = "Whether to check all incoming peer requests from the cluster for valid client certificates signed by the supplied CA"; + default = false; + type = types.bool; + }; + extraConf = mkOption { description = '' Etcd extra configuration. See @@ -99,7 +147,7 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "network-interfaces.target" ]; - environment = { + environment = (filterAttrs (n: v: v != null) { ETCD_NAME = cfg.name; ETCD_DISCOVERY = cfg.discovery; ETCD_DATA_DIR = cfg.dataDir; @@ -107,7 +155,14 @@ in { ETCD_LISTEN_CLIENT_URLS = concatStringsSep "," cfg.listenClientUrls; ETCD_LISTEN_PEER_URLS = concatStringsSep "," cfg.listenPeerUrls; ETCD_INITIAL_ADVERTISE_PEER_URLS = concatStringsSep "," cfg.initialAdvertisePeerUrls; - } // (optionalAttrs (cfg.discovery == ""){ + ETCD_PEER_TRUSTED_CA_FILE = cfg.peerTrustedCaFile; + ETCD_PEER_CERT_FILE = cfg.peerCertFile; + ETCD_PEER_KEY_FILE = cfg.peerKeyFile; + ETCD_CLIENT_CERT_AUTH = toString cfg.peerClientCertAuth; + ETCD_TRUSTED_CA_FILE = cfg.trustedCaFile; + ETCD_CERT_FILE = cfg.certFile; + ETCD_KEY_FILE = cfg.keyFile; + }) // (optionalAttrs (cfg.discovery == ""){ ETCD_INITIAL_CLUSTER = concatStringsSep "," cfg.initialCluster; ETCD_INITIAL_CLUSTER_STATE = cfg.initialClusterState; ETCD_INITIAL_CLUSTER_TOKEN = cfg.initialClusterToken; |