2020-04-24 23:36:52 +00:00
|
|
|
{ config, options, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
let
|
|
|
|
cfg = config.services.neo4j;
|
2021-12-19 01:06:50 +00:00
|
|
|
opt = options.services.neo4j;
|
2020-04-24 23:36:52 +00:00
|
|
|
certDirOpt = options.services.neo4j.directories.certificates;
|
|
|
|
isDefaultPathOption = opt: isOption opt && opt.type == types.path && opt.highestPrio >= 1500;
|
|
|
|
|
|
|
|
sslPolicies = mapAttrsToList (
|
|
|
|
name: conf: ''
|
|
|
|
dbms.ssl.policy.${name}.allow_key_generation=${boolToString conf.allowKeyGeneration}
|
|
|
|
dbms.ssl.policy.${name}.base_directory=${conf.baseDirectory}
|
|
|
|
${optionalString (conf.ciphers != null) ''
|
|
|
|
dbms.ssl.policy.${name}.ciphers=${concatStringsSep "," conf.ciphers}
|
|
|
|
''}
|
|
|
|
dbms.ssl.policy.${name}.client_auth=${conf.clientAuth}
|
|
|
|
${if length (splitString "/" conf.privateKey) > 1 then
|
2021-02-05 17:12:51 +00:00
|
|
|
"dbms.ssl.policy.${name}.private_key=${conf.privateKey}"
|
2020-04-24 23:36:52 +00:00
|
|
|
else
|
2021-02-05 17:12:51 +00:00
|
|
|
"dbms.ssl.policy.${name}.private_key=${conf.baseDirectory}/${conf.privateKey}"
|
2020-04-24 23:36:52 +00:00
|
|
|
}
|
|
|
|
${if length (splitString "/" conf.privateKey) > 1 then
|
2021-02-05 17:12:51 +00:00
|
|
|
"dbms.ssl.policy.${name}.public_certificate=${conf.publicCertificate}"
|
2020-04-24 23:36:52 +00:00
|
|
|
else
|
2021-02-05 17:12:51 +00:00
|
|
|
"dbms.ssl.policy.${name}.public_certificate=${conf.baseDirectory}/${conf.publicCertificate}"
|
2020-04-24 23:36:52 +00:00
|
|
|
}
|
|
|
|
dbms.ssl.policy.${name}.revoked_dir=${conf.revokedDir}
|
|
|
|
dbms.ssl.policy.${name}.tls_versions=${concatStringsSep "," conf.tlsVersions}
|
|
|
|
dbms.ssl.policy.${name}.trust_all=${boolToString conf.trustAll}
|
|
|
|
dbms.ssl.policy.${name}.trusted_dir=${conf.trustedDir}
|
|
|
|
''
|
|
|
|
) cfg.ssl.policies;
|
|
|
|
|
|
|
|
serverConfig = pkgs.writeText "neo4j.conf" ''
|
|
|
|
# General
|
|
|
|
dbms.allow_upgrade=${boolToString cfg.allowUpgrade}
|
2022-08-21 13:32:41 +00:00
|
|
|
dbms.default_listen_address=${cfg.defaultListenAddress}
|
|
|
|
dbms.databases.default_to_read_only=${boolToString cfg.readOnly}
|
2020-04-24 23:36:52 +00:00
|
|
|
${optionalString (cfg.workerCount > 0) ''
|
|
|
|
dbms.threads.worker_count=${toString cfg.workerCount}
|
|
|
|
''}
|
|
|
|
|
2022-08-21 13:32:41 +00:00
|
|
|
# Directories (readonly)
|
2020-04-24 23:36:52 +00:00
|
|
|
dbms.directories.certificates=${cfg.directories.certificates}
|
|
|
|
dbms.directories.plugins=${cfg.directories.plugins}
|
2022-08-21 13:32:41 +00:00
|
|
|
dbms.directories.lib=${cfg.package}/share/neo4j/lib
|
2020-04-24 23:36:52 +00:00
|
|
|
${optionalString (cfg.constrainLoadCsv) ''
|
|
|
|
dbms.directories.import=${cfg.directories.imports}
|
2022-08-21 13:32:41 +00:00
|
|
|
''}
|
|
|
|
|
|
|
|
# Directories (read and write)
|
|
|
|
dbms.directories.data=${cfg.directories.data}
|
|
|
|
dbms.directories.logs=${cfg.directories.home}/logs
|
|
|
|
dbms.directories.run=${cfg.directories.home}/run
|
2020-04-24 23:36:52 +00:00
|
|
|
|
|
|
|
# HTTP Connector
|
|
|
|
${optionalString (cfg.http.enable) ''
|
|
|
|
dbms.connector.http.enabled=${boolToString cfg.http.enable}
|
|
|
|
dbms.connector.http.listen_address=${cfg.http.listenAddress}
|
2022-08-21 13:32:41 +00:00
|
|
|
dbms.connector.http.advertised_address=${cfg.http.listenAddress}
|
2020-04-24 23:36:52 +00:00
|
|
|
''}
|
|
|
|
|
|
|
|
# HTTPS Connector
|
|
|
|
dbms.connector.https.enabled=${boolToString cfg.https.enable}
|
|
|
|
dbms.connector.https.listen_address=${cfg.https.listenAddress}
|
2022-08-21 13:32:41 +00:00
|
|
|
dbms.connector.https.advertised_address=${cfg.https.listenAddress}
|
2020-04-24 23:36:52 +00:00
|
|
|
|
|
|
|
# BOLT Connector
|
|
|
|
dbms.connector.bolt.enabled=${boolToString cfg.bolt.enable}
|
|
|
|
dbms.connector.bolt.listen_address=${cfg.bolt.listenAddress}
|
2022-08-21 13:32:41 +00:00
|
|
|
dbms.connector.bolt.advertised_address=${cfg.bolt.listenAddress}
|
2020-04-24 23:36:52 +00:00
|
|
|
dbms.connector.bolt.tls_level=${cfg.bolt.tlsLevel}
|
|
|
|
|
|
|
|
# SSL Policies
|
|
|
|
${concatStringsSep "\n" sslPolicies}
|
|
|
|
|
|
|
|
# Default retention policy from neo4j.conf
|
|
|
|
dbms.tx_log.rotation.retention_policy=1 days
|
|
|
|
|
|
|
|
# Default JVM parameters from neo4j.conf
|
|
|
|
dbms.jvm.additional=-XX:+UseG1GC
|
|
|
|
dbms.jvm.additional=-XX:-OmitStackTraceInFastThrow
|
|
|
|
dbms.jvm.additional=-XX:+AlwaysPreTouch
|
|
|
|
dbms.jvm.additional=-XX:+UnlockExperimentalVMOptions
|
|
|
|
dbms.jvm.additional=-XX:+TrustFinalNonStaticFields
|
|
|
|
dbms.jvm.additional=-XX:+DisableExplicitGC
|
|
|
|
dbms.jvm.additional=-Djdk.tls.ephemeralDHKeySize=2048
|
|
|
|
dbms.jvm.additional=-Djdk.tls.rejectClientInitiatedRenegotiation=true
|
|
|
|
dbms.jvm.additional=-Dunsupported.dbms.udc.source=tarball
|
|
|
|
|
2022-08-21 13:32:41 +00:00
|
|
|
#dbms.memory.heap.initial_size=12000m
|
|
|
|
#dbms.memory.heap.max_size=12000m
|
|
|
|
#dbms.memory.pagecache.size=4g
|
|
|
|
#dbms.tx_state.max_off_heap_memory=8000m
|
2020-04-24 23:36:52 +00:00
|
|
|
|
|
|
|
# Extra Configuration
|
|
|
|
${cfg.extraServerConfig}
|
|
|
|
'';
|
|
|
|
|
|
|
|
in {
|
|
|
|
|
|
|
|
imports = [
|
|
|
|
(mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "defaultListenAddress" ])
|
|
|
|
(mkRenamedOptionModule [ "services" "neo4j" "listenAddress" ] [ "services" "neo4j" "defaultListenAddress" ])
|
|
|
|
(mkRenamedOptionModule [ "services" "neo4j" "enableBolt" ] [ "services" "neo4j" "bolt" "enable" ])
|
|
|
|
(mkRenamedOptionModule [ "services" "neo4j" "enableHttps" ] [ "services" "neo4j" "https" "enable" ])
|
|
|
|
(mkRenamedOptionModule [ "services" "neo4j" "certDir" ] [ "services" "neo4j" "directories" "certificates" ])
|
|
|
|
(mkRenamedOptionModule [ "services" "neo4j" "dataDir" ] [ "services" "neo4j" "directories" "home" ])
|
|
|
|
(mkRemovedOptionModule [ "services" "neo4j" "port" ] "Use services.neo4j.http.listenAddress instead.")
|
|
|
|
(mkRemovedOptionModule [ "services" "neo4j" "boltPort" ] "Use services.neo4j.bolt.listenAddress instead.")
|
|
|
|
(mkRemovedOptionModule [ "services" "neo4j" "httpsPort" ] "Use services.neo4j.https.listenAddress instead.")
|
2022-08-21 13:32:41 +00:00
|
|
|
(mkRemovedOptionModule [ "services" "neo4j" "shell" "enabled" ] "shell.enabled was removed upstream")
|
|
|
|
(mkRemovedOptionModule [ "services" "neo4j" "udc" "enabled" ] "udc.enabled was removed upstream")
|
2020-04-24 23:36:52 +00:00
|
|
|
];
|
|
|
|
|
|
|
|
###### interface
|
|
|
|
|
|
|
|
options.services.neo4j = {
|
|
|
|
|
|
|
|
enable = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Whether to enable Neo4j Community Edition.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
allowUpgrade = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Allow upgrade of Neo4j database files from an older version.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
constrainLoadCsv = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Sets the root directory for file URLs used with the Cypher
|
2022-08-12 12:06:08 +00:00
|
|
|
`LOAD CSV` clause to be that defined by
|
|
|
|
{option}`directories.imports`. It restricts
|
2020-04-24 23:36:52 +00:00
|
|
|
access to only those files within that directory and its
|
|
|
|
subdirectories.
|
2022-08-12 12:06:08 +00:00
|
|
|
|
|
|
|
Setting this option to `false` introduces
|
2020-04-24 23:36:52 +00:00
|
|
|
possible security problems.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
defaultListenAddress = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "127.0.0.1";
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Default network interface to listen for incoming connections. To
|
|
|
|
listen for connections on all interfaces, use "0.0.0.0".
|
2022-08-12 12:06:08 +00:00
|
|
|
|
2020-04-24 23:36:52 +00:00
|
|
|
Specifies the default IP address and address part of connector
|
2022-08-12 12:06:08 +00:00
|
|
|
specific {option}`listenAddress` options. To bind specific
|
2020-04-24 23:36:52 +00:00
|
|
|
connectors to a specific network interfaces, specify the entire
|
2022-08-12 12:06:08 +00:00
|
|
|
{option}`listenAddress` option for that connector.
|
2020-04-24 23:36:52 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
extraServerConfig = mkOption {
|
|
|
|
type = types.lines;
|
|
|
|
default = "";
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Extra configuration for Neo4j Community server. Refer to the
|
2022-08-12 12:06:08 +00:00
|
|
|
[complete reference](https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/)
|
2020-04-24 23:36:52 +00:00
|
|
|
of Neo4j configuration settings.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
package = mkOption {
|
|
|
|
type = types.package;
|
|
|
|
default = pkgs.neo4j;
|
2021-10-06 13:57:05 +00:00
|
|
|
defaultText = literalExpression "pkgs.neo4j";
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Neo4j package to use.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
readOnly = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Only allow read operations from this Neo4j instance.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
workerCount = mkOption {
|
|
|
|
type = types.ints.between 0 44738;
|
|
|
|
default = 0;
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Number of Neo4j worker threads, where the default of
|
2022-08-12 12:06:08 +00:00
|
|
|
`0` indicates a worker count equal to the number of
|
2020-04-24 23:36:52 +00:00
|
|
|
available processors.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
bolt = {
|
|
|
|
enable = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Enable the BOLT connector for Neo4j. Setting this option to
|
2022-08-12 12:06:08 +00:00
|
|
|
`false` will stop Neo4j from listening for incoming
|
2020-04-24 23:36:52 +00:00
|
|
|
connections on the BOLT port (7687 by default).
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
listenAddress = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = ":7687";
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Neo4j listen address for BOLT traffic. The listen address is
|
2022-08-12 12:06:08 +00:00
|
|
|
expressed in the format `<ip-address>:<port-number>`.
|
2020-04-24 23:36:52 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
sslPolicy = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "legacy";
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Neo4j SSL policy for BOLT traffic.
|
2022-08-12 12:06:08 +00:00
|
|
|
|
2020-04-24 23:36:52 +00:00
|
|
|
The legacy policy is a special policy which is not defined in
|
|
|
|
the policy configuration section, but rather derives from
|
2022-08-12 12:06:08 +00:00
|
|
|
{option}`directories.certificates` and
|
|
|
|
associated files (by default: {file}`neo4j.key` and
|
|
|
|
{file}`neo4j.cert`). Its use will be deprecated.
|
|
|
|
|
2020-04-24 23:36:52 +00:00
|
|
|
Note: This connector must be configured to support/require
|
|
|
|
SSL/TLS for the legacy policy to actually be utilized. See
|
2022-08-12 12:06:08 +00:00
|
|
|
{option}`bolt.tlsLevel`.
|
2020-04-24 23:36:52 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
tlsLevel = mkOption {
|
|
|
|
type = types.enum [ "REQUIRED" "OPTIONAL" "DISABLED" ];
|
|
|
|
default = "OPTIONAL";
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
SSL/TSL requirement level for BOLT traffic.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
directories = {
|
|
|
|
certificates = mkOption {
|
|
|
|
type = types.path;
|
|
|
|
default = "${cfg.directories.home}/certificates";
|
2021-12-19 01:06:50 +00:00
|
|
|
defaultText = literalExpression ''"''${config.${opt.directories.home}}/certificates"'';
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Directory for storing certificates to be used by Neo4j for
|
|
|
|
TLS connections.
|
2022-08-12 12:06:08 +00:00
|
|
|
|
2020-04-24 23:36:52 +00:00
|
|
|
When setting this directory to something other than its default,
|
|
|
|
ensure the directory's existence, and that read/write permissions are
|
2022-08-12 12:06:08 +00:00
|
|
|
given to the Neo4j daemon user `neo4j`.
|
|
|
|
|
2020-04-24 23:36:52 +00:00
|
|
|
Note that changing this directory from its default will prevent
|
|
|
|
the directory structure required for each SSL policy from being
|
|
|
|
automatically generated. A policy's directory structure as defined by
|
2022-08-12 12:06:08 +00:00
|
|
|
its {option}`baseDirectory`,{option}`revokedDir` and
|
|
|
|
{option}`trustedDir` must then be setup manually. The
|
2020-04-24 23:36:52 +00:00
|
|
|
existence of these directories is mandatory, as well as the presence
|
|
|
|
of the certificate file and the private key. Ensure the correct
|
|
|
|
permissions are set on these directories and files.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
data = mkOption {
|
|
|
|
type = types.path;
|
|
|
|
default = "${cfg.directories.home}/data";
|
2021-12-19 01:06:50 +00:00
|
|
|
defaultText = literalExpression ''"''${config.${opt.directories.home}}/data"'';
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Path of the data directory. You must not configure more than one
|
|
|
|
Neo4j installation to use the same data directory.
|
2022-08-12 12:06:08 +00:00
|
|
|
|
2020-04-24 23:36:52 +00:00
|
|
|
When setting this directory to something other than its default,
|
|
|
|
ensure the directory's existence, and that read/write permissions are
|
2022-08-12 12:06:08 +00:00
|
|
|
given to the Neo4j daemon user `neo4j`.
|
2020-04-24 23:36:52 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
home = mkOption {
|
|
|
|
type = types.path;
|
|
|
|
default = "/var/lib/neo4j";
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Path of the Neo4j home directory. Other default directories are
|
|
|
|
subdirectories of this path. This directory will be created if
|
2022-08-12 12:06:08 +00:00
|
|
|
non-existent, and its ownership will be {command}`chown` to
|
|
|
|
the Neo4j daemon user `neo4j`.
|
2020-04-24 23:36:52 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
imports = mkOption {
|
|
|
|
type = types.path;
|
|
|
|
default = "${cfg.directories.home}/import";
|
2021-12-19 01:06:50 +00:00
|
|
|
defaultText = literalExpression ''"''${config.${opt.directories.home}}/import"'';
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
The root directory for file URLs used with the Cypher
|
2022-08-12 12:06:08 +00:00
|
|
|
`LOAD CSV` clause. Only meaningful when
|
|
|
|
{option}`constrainLoadCvs` is set to
|
|
|
|
`true`.
|
|
|
|
|
2020-04-24 23:36:52 +00:00
|
|
|
When setting this directory to something other than its default,
|
|
|
|
ensure the directory's existence, and that read permission is
|
2022-08-12 12:06:08 +00:00
|
|
|
given to the Neo4j daemon user `neo4j`.
|
2020-04-24 23:36:52 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
plugins = mkOption {
|
|
|
|
type = types.path;
|
|
|
|
default = "${cfg.directories.home}/plugins";
|
2021-12-19 01:06:50 +00:00
|
|
|
defaultText = literalExpression ''"''${config.${opt.directories.home}}/plugins"'';
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Path of the database plugin directory. Compiled Java JAR files that
|
|
|
|
contain database procedures will be loaded if they are placed in
|
|
|
|
this directory.
|
2022-08-12 12:06:08 +00:00
|
|
|
|
2020-04-24 23:36:52 +00:00
|
|
|
When setting this directory to something other than its default,
|
|
|
|
ensure the directory's existence, and that read permission is
|
2022-08-12 12:06:08 +00:00
|
|
|
given to the Neo4j daemon user `neo4j`.
|
2020-04-24 23:36:52 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
http = {
|
|
|
|
enable = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
2022-08-21 13:32:41 +00:00
|
|
|
description = ''
|
|
|
|
Enable the HTTP connector for Neo4j. Setting this option to
|
|
|
|
<literal>false</literal> will stop Neo4j from listening for incoming
|
|
|
|
connections on the HTTPS port (7474 by default).
|
2020-04-24 23:36:52 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
listenAddress = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = ":7474";
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Neo4j listen address for HTTP traffic. The listen address is
|
2022-08-12 12:06:08 +00:00
|
|
|
expressed in the format `<ip-address>:<port-number>`.
|
2020-04-24 23:36:52 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
https = {
|
|
|
|
enable = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Enable the HTTPS connector for Neo4j. Setting this option to
|
2022-08-12 12:06:08 +00:00
|
|
|
`false` will stop Neo4j from listening for incoming
|
2020-04-24 23:36:52 +00:00
|
|
|
connections on the HTTPS port (7473 by default).
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
listenAddress = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = ":7473";
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Neo4j listen address for HTTPS traffic. The listen address is
|
2022-08-12 12:06:08 +00:00
|
|
|
expressed in the format `<ip-address>:<port-number>`.
|
2020-04-24 23:36:52 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
sslPolicy = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "legacy";
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Neo4j SSL policy for HTTPS traffic.
|
2022-08-12 12:06:08 +00:00
|
|
|
|
2020-04-24 23:36:52 +00:00
|
|
|
The legacy policy is a special policy which is not defined in the
|
|
|
|
policy configuration section, but rather derives from
|
2022-08-12 12:06:08 +00:00
|
|
|
{option}`directories.certificates` and
|
|
|
|
associated files (by default: {file}`neo4j.key` and
|
|
|
|
{file}`neo4j.cert`). Its use will be deprecated.
|
2020-04-24 23:36:52 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
shell = {
|
|
|
|
enable = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Enable a remote shell server which Neo4j Shell clients can log in to.
|
2022-08-12 12:06:08 +00:00
|
|
|
Only applicable to {command}`neo4j-shell`.
|
2020-04-24 23:36:52 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
ssl.policies = mkOption {
|
|
|
|
type = with types; attrsOf (submodule ({ name, config, options, ... }: {
|
|
|
|
options = {
|
|
|
|
|
|
|
|
allowKeyGeneration = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Allows the generation of a private key and associated self-signed
|
|
|
|
certificate. Only performed when both objects cannot be found for
|
|
|
|
this policy. It is recommended to turn this off again after keys
|
|
|
|
have been generated.
|
2022-08-12 12:06:08 +00:00
|
|
|
|
2020-04-24 23:36:52 +00:00
|
|
|
The public certificate is required to be duplicated to the
|
|
|
|
directory holding trusted certificates as defined by the
|
2022-08-12 12:06:08 +00:00
|
|
|
{option}`trustedDir` option.
|
|
|
|
|
2020-04-24 23:36:52 +00:00
|
|
|
Keys should in general be generated and distributed offline by a
|
|
|
|
trusted certificate authority and not by utilizing this mode.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
baseDirectory = mkOption {
|
|
|
|
type = types.path;
|
|
|
|
default = "${cfg.directories.certificates}/${name}";
|
2021-12-19 01:06:50 +00:00
|
|
|
defaultText = literalExpression ''"''${config.${opt.directories.certificates}}/''${name}"'';
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
The mandatory base directory for cryptographic objects of this
|
|
|
|
policy. This path is only automatically generated when this
|
2022-08-12 12:06:08 +00:00
|
|
|
option as well as {option}`directories.certificates` are
|
2020-04-24 23:36:52 +00:00
|
|
|
left at their default. Ensure read/write permissions are given
|
2022-08-12 12:06:08 +00:00
|
|
|
to the Neo4j daemon user `neo4j`.
|
|
|
|
|
2020-04-24 23:36:52 +00:00
|
|
|
It is also possible to override each individual
|
|
|
|
configuration with absolute paths. See the
|
2022-08-12 12:06:08 +00:00
|
|
|
{option}`privateKey` and {option}`publicCertificate`
|
2020-04-24 23:36:52 +00:00
|
|
|
policy options.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
ciphers = mkOption {
|
|
|
|
type = types.nullOr (types.listOf types.str);
|
|
|
|
default = null;
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Restrict the allowed ciphers of this policy to those defined
|
|
|
|
here. The default ciphers are those of the JVM platform.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
clientAuth = mkOption {
|
|
|
|
type = types.enum [ "NONE" "OPTIONAL" "REQUIRE" ];
|
|
|
|
default = "REQUIRE";
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
The client authentication stance for this policy.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
privateKey = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "private.key";
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
The name of private PKCS #8 key file for this policy to be found
|
2022-08-12 12:06:08 +00:00
|
|
|
in the {option}`baseDirectory`, or the absolute path to
|
2020-04-24 23:36:52 +00:00
|
|
|
the key file. It is mandatory that a key can be found or generated.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
publicCertificate = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "public.crt";
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
The name of public X.509 certificate (chain) file in PEM format
|
2022-08-12 12:06:08 +00:00
|
|
|
for this policy to be found in the {option}`baseDirectory`,
|
2020-04-24 23:36:52 +00:00
|
|
|
or the absolute path to the certificate file. It is mandatory
|
|
|
|
that a certificate can be found or generated.
|
2022-08-12 12:06:08 +00:00
|
|
|
|
2020-04-24 23:36:52 +00:00
|
|
|
The public certificate is required to be duplicated to the
|
|
|
|
directory holding trusted certificates as defined by the
|
2022-08-12 12:06:08 +00:00
|
|
|
{option}`trustedDir` option.
|
2020-04-24 23:36:52 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
revokedDir = mkOption {
|
|
|
|
type = types.path;
|
|
|
|
default = "${config.baseDirectory}/revoked";
|
2021-12-19 01:06:50 +00:00
|
|
|
defaultText = literalExpression ''"''${config.${options.baseDirectory}}/revoked"'';
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Path to directory of CRLs (Certificate Revocation Lists) in
|
|
|
|
PEM format. Must be an absolute path. The existence of this
|
|
|
|
directory is mandatory and will need to be created manually when:
|
|
|
|
setting this option to something other than its default; setting
|
2022-08-12 12:06:08 +00:00
|
|
|
either this policy's {option}`baseDirectory` or
|
|
|
|
{option}`directories.certificates` to something other than
|
2020-04-24 23:36:52 +00:00
|
|
|
their default. Ensure read/write permissions are given to the
|
2022-08-12 12:06:08 +00:00
|
|
|
Neo4j daemon user `neo4j`.
|
2020-04-24 23:36:52 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
tlsVersions = mkOption {
|
|
|
|
type = types.listOf types.str;
|
|
|
|
default = [ "TLSv1.2" ];
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Restrict the TLS protocol versions of this policy to those
|
|
|
|
defined here.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
trustAll = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Makes this policy trust all remote parties. Enabling this is not
|
|
|
|
recommended and the policy's trusted directory will be ignored.
|
|
|
|
Use of this mode is discouraged. It would offer encryption but
|
|
|
|
no security.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
trustedDir = mkOption {
|
|
|
|
type = types.path;
|
|
|
|
default = "${config.baseDirectory}/trusted";
|
2021-12-19 01:06:50 +00:00
|
|
|
defaultText = literalExpression ''"''${config.${options.baseDirectory}}/trusted"'';
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Path to directory of X.509 certificates in PEM format for
|
|
|
|
trusted parties. Must be an absolute path. The existence of this
|
|
|
|
directory is mandatory and will need to be created manually when:
|
|
|
|
setting this option to something other than its default; setting
|
2022-08-12 12:06:08 +00:00
|
|
|
either this policy's {option}`baseDirectory` or
|
|
|
|
{option}`directories.certificates` to something other than
|
2020-04-24 23:36:52 +00:00
|
|
|
their default. Ensure read/write permissions are given to the
|
2022-08-12 12:06:08 +00:00
|
|
|
Neo4j daemon user `neo4j`.
|
|
|
|
|
2020-04-24 23:36:52 +00:00
|
|
|
The public certificate as defined by
|
2022-08-12 12:06:08 +00:00
|
|
|
{option}`publicCertificate` is required to be duplicated
|
2020-04-24 23:36:52 +00:00
|
|
|
to this directory.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
directoriesToCreate = mkOption {
|
|
|
|
type = types.listOf types.path;
|
|
|
|
internal = true;
|
|
|
|
readOnly = true;
|
|
|
|
description = ''
|
|
|
|
Directories of this policy that will be created automatically
|
|
|
|
when the certificates directory is left at its default value.
|
|
|
|
This includes all options of type path that are left at their
|
|
|
|
default value.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
config.directoriesToCreate = optionals
|
|
|
|
(certDirOpt.highestPrio >= 1500 && options.baseDirectory.highestPrio >= 1500)
|
|
|
|
(map (opt: opt.value) (filter isDefaultPathOption (attrValues options)));
|
|
|
|
|
|
|
|
}));
|
|
|
|
default = {};
|
2022-08-12 12:06:08 +00:00
|
|
|
description = lib.mdDoc ''
|
2020-04-24 23:36:52 +00:00
|
|
|
Defines the SSL policies for use with Neo4j connectors. Each attribute
|
|
|
|
of this set defines a policy, with the attribute name defining the name
|
|
|
|
of the policy and its namespace. Refer to the operations manual section
|
|
|
|
on Neo4j's
|
2022-08-12 12:06:08 +00:00
|
|
|
[SSL Framework](https://neo4j.com/docs/operations-manual/current/security/ssl-framework/)
|
2020-04-24 23:36:52 +00:00
|
|
|
for further details.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
###### implementation
|
|
|
|
|
|
|
|
config =
|
|
|
|
let
|
|
|
|
# Assertion helpers
|
|
|
|
policyNameList = attrNames cfg.ssl.policies;
|
|
|
|
validPolicyNameList = [ "legacy" ] ++ policyNameList;
|
|
|
|
validPolicyNameString = concatStringsSep ", " validPolicyNameList;
|
|
|
|
|
|
|
|
# Capture various directories left at their default so they can be created.
|
|
|
|
defaultDirectoriesToCreate = map (opt: opt.value) (filter isDefaultPathOption (attrValues options.services.neo4j.directories));
|
|
|
|
policyDirectoriesToCreate = concatMap (pol: pol.directoriesToCreate) (attrValues cfg.ssl.policies);
|
|
|
|
in
|
|
|
|
|
|
|
|
mkIf cfg.enable {
|
|
|
|
assertions = [
|
|
|
|
{ assertion = !elem "legacy" policyNameList;
|
|
|
|
message = "The policy 'legacy' is special to Neo4j, and its name is reserved."; }
|
|
|
|
{ assertion = elem cfg.bolt.sslPolicy validPolicyNameList;
|
|
|
|
message = "Invalid policy assigned: `services.neo4j.bolt.sslPolicy = \"${cfg.bolt.sslPolicy}\"`, defined policies are: ${validPolicyNameString}"; }
|
|
|
|
{ assertion = elem cfg.https.sslPolicy validPolicyNameList;
|
|
|
|
message = "Invalid policy assigned: `services.neo4j.https.sslPolicy = \"${cfg.https.sslPolicy}\"`, defined policies are: ${validPolicyNameString}"; }
|
|
|
|
];
|
|
|
|
|
|
|
|
systemd.services.neo4j = {
|
|
|
|
description = "Neo4j Daemon";
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
after = [ "network.target" ];
|
|
|
|
environment = {
|
2022-08-21 13:32:41 +00:00
|
|
|
NEO4J_HOME = "${cfg.directories.home}";
|
2020-04-24 23:36:52 +00:00
|
|
|
NEO4J_CONF = "${cfg.directories.home}/conf";
|
|
|
|
};
|
|
|
|
serviceConfig = {
|
|
|
|
ExecStart = "${cfg.package}/bin/neo4j console";
|
|
|
|
User = "neo4j";
|
|
|
|
PermissionsStartOnly = true;
|
|
|
|
LimitNOFILE = 40000;
|
|
|
|
};
|
|
|
|
|
|
|
|
preStart = ''
|
|
|
|
# Directories Setup
|
|
|
|
# Always ensure home exists with nested conf, logs directories.
|
|
|
|
mkdir -m 0700 -p ${cfg.directories.home}/{conf,logs}
|
|
|
|
|
|
|
|
# Create other sub-directories and policy directories that have been left at their default.
|
|
|
|
${concatMapStringsSep "\n" (
|
|
|
|
dir: ''
|
|
|
|
mkdir -m 0700 -p ${dir}
|
|
|
|
'') (defaultDirectoriesToCreate ++ policyDirectoriesToCreate)}
|
|
|
|
|
|
|
|
# Place the configuration where Neo4j can find it.
|
|
|
|
ln -fs ${serverConfig} ${cfg.directories.home}/conf/neo4j.conf
|
|
|
|
|
|
|
|
# Ensure neo4j user ownership
|
|
|
|
chown -R neo4j ${cfg.directories.home}
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
environment.systemPackages = [ cfg.package ];
|
|
|
|
|
|
|
|
users.users.neo4j = {
|
2021-09-18 10:52:07 +00:00
|
|
|
isSystemUser = true;
|
|
|
|
group = "neo4j";
|
2020-04-24 23:36:52 +00:00
|
|
|
description = "Neo4j daemon user";
|
|
|
|
home = cfg.directories.home;
|
|
|
|
};
|
2021-09-18 10:52:07 +00:00
|
|
|
users.groups.neo4j = {};
|
2020-04-24 23:36:52 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
meta = {
|
2022-08-21 13:32:41 +00:00
|
|
|
maintainers = with lib.maintainers; [ patternspandemic jonringer erictapen ];
|
2020-04-24 23:36:52 +00:00
|
|
|
};
|
|
|
|
}
|