diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index ea87c48705ec..60d6c4ef6dbf 100755 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -213,6 +213,7 @@ ./services/networking/cjdns.nix ./services/networking/cntlm.nix ./services/networking/connman.nix + ./services/networking/consul.nix ./services/networking/ddclient.nix ./services/networking/dhcpcd.nix ./services/networking/dhcpd.nix diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix new file mode 100644 index 000000000000..ebc836814089 --- /dev/null +++ b/nixos/modules/services/networking/consul.nix @@ -0,0 +1,166 @@ +{ config, lib, pkgs, utils, ... }: + +with lib; +let + + dataDir = "/var/lib/consul"; + cfg = config.services.consul; + + configOptions = { + data_dir = dataDir; + rejoin_after_leave = true; + } + // (if cfg.webUi then { ui_dir = "${pkgs.consul.ui}"; } else { }) + // cfg.extraConfig; + + configFiles = [ "/etc/consul.json" "/etc/consul-addrs.json" ] + ++ cfg.extraConfigFiles; + + devices = attrValues (filterAttrs (_: i: i != null) cfg.interface); + systemdDevices = flip map devices + (i: "sys-subsystem-net-devices-${utils.escapeSystemdPath i}.device"); +in +{ + options = { + + services.consul = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enables the consul daemon. + ''; + }; + + webUi = mkOption { + type = types.bool; + default = false; + description = '' + Enables the web interface on the consul http port. + ''; + }; + + interface = { + + advertise = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The name of the interface to pull the advertise_addr from. + ''; + }; + + bind = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The name of the interface to pull the bind_addr from. + ''; + }; + + }; + + forceIpv4 = mkOption { + type = types.bool; + default = false; + description = '' + Whether we should force the interfaces to only pull ipv4 addresses. + ''; + }; + + dropPrivileges = mkOption { + type = types.bool; + default = true; + description = '' + Whether the consul agent should be run as a non-root consul user. + ''; + }; + + extraConfig = mkOption { + default = { }; + description = '' + Extra configuration options which are serialized to json and added + to the config.json file. + ''; + }; + + extraConfigFiles = mkOption { + default = [ ]; + type = types.listOf types.str; + description = '' + Additional configuration files to pass to consul + NOTE: These will not trigger the service to be restarted when altered. + ''; + }; + + }; + + }; + + config = mkIf cfg.enable { + + users.extraUsers."consul" = { + description = "Consul agent daemon user"; + uid = config.ids.uids.consul; + }; + + environment = { + etc."consul.json".text = builtins.toJSON configOptions; + systemPackages = with pkgs; [ consul ]; + }; + + systemd.services.consul = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ] ++ systemdDevices; + bindsTo = systemdDevices; + restartTriggers = [ config.environment.etc."consul.json".source ]; + + serviceConfig = { + ExecStart = "@${pkgs.consul}/bin/consul consul agent" + + concatMapStrings (n: " -config-file ${n}") configFiles; + ExecStop = "${pkgs.consul}/bin/consul leave"; + ExecReload = "${pkgs.consul}/bin/consul reload"; + PermissionsStartOnly = true; + User = if cfg.dropPrivileges then "consul" else null; + }; + + path = with pkgs; [ iproute gnugrep gawk ]; + preStart = '' + mkdir -m 0700 -p ${dataDir} + chown -R consul ${dataDir} + + # Determine interface addresses + getAddrOnce () { + ip addr show dev "$1" \ + | grep 'inet${optionalString (cfg.forceIpv4) " "}.*scope global' \ + | awk -F '[ /\t]*' '{print $3}' | head -n 1 + } + getAddr () { + ADDR="$(getAddrOnce $1)" + LEFT=60 # Die after 1 minute + while [ -z "$ADDR" ]; do + sleep 1 + LEFT=$(expr $LEFT - 1) + if [ "$LEFT" -eq "0" ]; then + echo "Address lookup timed out" + exit 1 + fi + ADDR="$(getAddrOnce $1)" + done + echo "$ADDR" + } + echo "{" > /etc/consul-addrs.json + '' + + concatStrings (flip mapAttrsToList cfg.interface (name: i: + optionalString (i != null) '' + echo " \"${name}_addr\": \"$(getAddr "${i}")\"," >> /etc/consul-addrs.json + '')) + + '' + echo " \"\": \"\"" >> /etc/consul-addrs.json + echo "}" >> /etc/consul-addrs.json + ''; + }; + + }; +}