authorJohan Thomsen <jth@dbc.dk>2018-04-23 10:37:15 +0200
committerJohan Thomsen <jth@dbc.dk>2018-05-08 11:25:53 +0200
commit41d4bd29acbbbc65dc7412cdc1596fd7c2d861dc (patch)
treeb2dc0cf73d89f5f1dccf35c4e83cb8f921b16de0 /nixos/modules/services/networking/keepalived/default.nix
parent4dc33d06b98a2851694f7e903779a240f5f20837 (diff)
nixos/keepalived: Implemented vrrp-instance tracking scripts and interfaces.
Tracking scripts in particular cannot be included in extraOpts, because a script declaration has to appear above the place where the script is used in keepalived.conf.
Changes are fully backward compatible.
Diffstat (limited to 'nixos/modules/services/networking/keepalived/default.nix')
-rw-r--r--nixos/modules/services/networking/keepalived/default.nix62
1 files changed, 60 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/keepalived/default.nix b/nixos/modules/services/networking/keepalived/default.nix
index 378cd936584..c9ac2ee2599 100644
--- a/nixos/modules/services/networking/keepalived/default.nix
+++ b/nixos/modules/services/networking/keepalived/default.nix
@@ -8,10 +8,12 @@ let
 
   keepalivedConf = pkgs.writeText "keepalived.conf" ''
     global_defs {
+      ${optionalString cfg.enableScriptSecurity "enable_script_security"}
       ${snmpGlobalDefs}
       ${cfg.extraGlobalDefs}
     }
 
+    ${vrrpScriptStr}
     ${vrrpInstancesStr}
     ${cfg.extraConfig}
   '';
@@ -26,6 +28,22 @@ let
     + optionalString enableTraps "enable_traps"
   );
 
+  vrrpScriptStr = concatStringsSep "\n" (map (s:
+    ''
+      vrrp_script ${s.name} {
+        script "${s.script}"
+        interval ${toString s.interval}
+        fall ${toString s.fall}
+        rise ${toString s.rise}
+        timeout ${toString s.timeout}
+        weight ${toString s.weight}
+        user ${s.user} ${optionalString (s.group != null) s.group}
+
+        ${s.extraConfig}
+      }
+    ''
+  ) vrrpScripts);
+
   vrrpInstancesStr = concatStringsSep "\n" (map (i:
     ''
       vrrp_instance ${i.name} {
@@ -49,6 +67,18 @@ let
           ${concatMapStringsSep "\n" virtualIpLine i.virtualIps}
         }
 
+        ${optionalString (builtins.length i.trackScripts > 0) ''
+          track_script {
+            ${concatStringsSep "\n" i.trackScripts}
+          }
+        ''}
+
+        ${optionalString (builtins.length i.trackInterfaces > 0) ''
+          track_interface {
+            ${concatStringsSep "\n" i.trackInterfaces}
+          }
+        ''}
+
         ${i.extraConfig}
       }
     ''
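Review bot: The two guards `builtins.length i.trackScripts > 0` and `builtins.length i.trackInterfaces > 0` are the idiomatic `i.trackScripts != []` / `i.trackInterfaces != []` in this file's style; purely a matter of how the new code is written. Note also that `trackScripts` gains an eval-time assertion later in this commit while `trackInterfaces` gets none, so a typo in an interface name only surfaces in keepalived's own log at runtime; a one-line comment such as `# interface names are not validated at evaluation time` above the `track_interface` block would make that explicit. The enclosing `vrrpInstancesStr` map function starts before this hunk.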
@@ -64,6 +94,12 @@ let
 
   notNullOrEmpty = s: !(s == null || s == "");
 
+  vrrpScripts = mapAttrsToList (name: config:
+    {
+      inherit name;
+    } // config
+  ) cfg.vrrpScripts;
+
   vrrpInstances = mapAttrsToList (iName: iConfig:
     {
       name = iName;
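Review bot: In `{ inherit name; } // config` the submodule config is merged last, so any option named `name` in `./vrrp-script-options.nix` (not included in this diff, so this cannot be confirmed) would silently override the attribute key that is later used both for the `vrrp_script ${s.name}` header and for the `trackScripts` existence assertion. Writing it as `config // { inherit name; }` makes the attribute key authoritative and matches the `name = iName;` form used by `vrrpInstances` directly below. The `vrrpInstances` definition continues past the end of this hunk.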
@@ -86,7 +122,8 @@ let
     { assertion = !i.vmacXmitBase || i.useVmac;
       message = "services.keepalived.vrrpInstances.${i.name}.vmacXmitBase has no effect when services.keepalived.vrrpInstances.${i.name}.useVmac is not set.";
     }
-  ] ++ flatten (map (virtualIpAssertions i.name) i.virtualIps);
+  ] ++ flatten (map (virtualIpAssertions i.name) i.virtualIps)
+    ++ flatten (map (vrrpScriptAssertion i.name) i.trackScripts);
 
   virtualIpAssertions = vrrpName: ip: [
     { assertion = ip.addr != "";
@@ -94,6 +131,11 @@ let
     }
   ];
 
+  vrrpScriptAssertion = vrrpName: scriptName: {
+    assertion = builtins.hasAttr scriptName cfg.vrrpScripts;
+    message = "services.keepalived.vrrpInstances.${vrrpName} trackscript ${scriptName} is not defined in services.keepalived.vrrpScripts.";
+  };
+
   pidFile = "/run/keepalived.pid";
 
 in
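Review bot: The assertion message on the new `vrrpScriptAssertion` says "trackscript", which does not match the option a user has to fix, `trackScripts`, and the other messages in this file name the full option path; suggest `message = "services.keepalived.vrrpInstances.${vrrpName}.trackScripts references ${scriptName}, which is not defined in services.keepalived.vrrpScripts.";`. The `builtins.hasAttr scriptName cfg.vrrpScripts` test could also be written with the `?` operator, `cfg.vrrpScripts ? ${scriptName}`, for consistency with the rest of the module, though that is style only.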
@@ -110,6 +152,14 @@ in
         '';
       };
 
+      enableScriptSecurity = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Don't run scripts configured to be run as root if any part of the path is writable by a non-root user.
+        '';
+      };
+
       snmp = {
 
         enable = mkOption {
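Review bot: `enableScriptSecurity` defaults to `false`, so a user who declares `vrrpScripts` and leaves it unset gets keepalived's permissive behaviour for root-run scripts with non-root-writable path components, and the description does not say that the default keeps them running; that is the consequence a reader of the option needs. Since the commit message promises full backward compatibility, changing the default is out of scope here, but the description should state it, e.g. "Whether to pass `enable_script_security` to keepalived so that scripts that would run as root are refused when any component of their path is writable by a non-root user. Defaults to false; consider enabling it whenever `vrrpScripts` is non-empty." Exactly what keepalived does when the flag is off (warn versus run silently) depends on the keepalived version and is not visible in this diff, so the description should avoid claiming more than "refused when enabled".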
@@ -181,8 +231,16 @@ in
 
       };
 
+      vrrpScripts = mkOption {
+        type = types.attrsOf (types.submodule (import ./vrrp-script-options.nix {
+          inherit lib;
+        }));
+        default = {};
+        description = "Declarative vrrp script config";
+      };
+
       vrrpInstances = mkOption {
-        type = types.attrsOf (types.submodule (import ./vrrp-options.nix {
+        type = types.attrsOf (types.submodule (import ./vrrp-instance-options.nix {
           inherit lib;
         }));
         default = {};
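Review bot: The new `vrrpScripts` option's description, "Declarative vrrp script config", is too terse to tell a user how it connects to the rest of the module; the other options here end with a full sentence. Suggest `description = "Declarative VRRP tracking script definitions. Each attribute name becomes the vrrp_script name that a vrrpInstances.<name>.trackScripts entry refers to.";`. The import rename to `./vrrp-instance-options.nix` and the new `./vrrp-script-options.nix` submodule are outside this diff (the diffstat is limited to default.nix), so the script option defaults, including which user scripts run as when `user` is unset, cannot be reviewed from this page.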