348 lines
11 KiB
Nix
348 lines
11 KiB
Nix
|
{ config, lib, pkgs, ... }:
|
||
|
|
||
|
with lib;
|
||
|
|
||
|
let
|
||
|
|
||
|
cfg = config.services.keepalived;
|
||
|
|
||
|
keepalivedConf = pkgs.writeText "keepalived.conf" ''
|
||
|
global_defs {
|
||
|
${optionalString cfg.enableScriptSecurity "enable_script_security"}
|
||
|
${snmpGlobalDefs}
|
||
|
${cfg.extraGlobalDefs}
|
||
|
}
|
||
|
|
||
|
${vrrpScriptStr}
|
||
|
${vrrpInstancesStr}
|
||
|
${cfg.extraConfig}
|
||
|
'';
|
||
|
|
||
|
snmpGlobalDefs = with cfg.snmp; optionalString enable (
|
||
|
optionalString (socket != null) "snmp_socket ${socket}\n"
|
||
|
+ optionalString enableKeepalived "enable_snmp_keepalived\n"
|
||
|
+ optionalString enableChecker "enable_snmp_checker\n"
|
||
|
+ optionalString enableRfc "enable_snmp_rfc\n"
|
||
|
+ optionalString enableRfcV2 "enable_snmp_rfcv2\n"
|
||
|
+ optionalString enableRfcV3 "enable_snmp_rfcv3\n"
|
||
|
+ optionalString enableTraps "enable_traps"
|
||
|
);
|
||
|
|
||
|
vrrpScriptStr = concatStringsSep "\n" (map (s:
|
||
|
''
|
||
|
vrrp_script ${s.name} {
|
||
|
script "${s.script}"
|
||
|
interval ${toString s.interval}
|
||
|
fall ${toString s.fall}
|
||
|
rise ${toString s.rise}
|
||
|
timeout ${toString s.timeout}
|
||
|
weight ${toString s.weight}
|
||
|
user ${s.user} ${optionalString (s.group != null) s.group}
|
||
|
|
||
|
${s.extraConfig}
|
||
|
}
|
||
|
''
|
||
|
) vrrpScripts);
|
||
|
|
||
|
vrrpInstancesStr = concatStringsSep "\n" (map (i:
|
||
|
''
|
||
|
vrrp_instance ${i.name} {
|
||
|
interface ${i.interface}
|
||
|
state ${i.state}
|
||
|
virtual_router_id ${toString i.virtualRouterId}
|
||
|
priority ${toString i.priority}
|
||
|
${optionalString i.noPreempt "nopreempt"}
|
||
|
|
||
|
${optionalString i.useVmac (
|
||
|
"use_vmac" + optionalString (i.vmacInterface != null) " ${i.vmacInterface}"
|
||
|
)}
|
||
|
${optionalString i.vmacXmitBase "vmac_xmit_base"}
|
||
|
|
||
|
${optionalString (i.unicastSrcIp != null) "unicast_src_ip ${i.unicastSrcIp}"}
|
||
|
${optionalString (builtins.length i.unicastPeers > 0) ''
|
||
|
unicast_peer {
|
||
|
${concatStringsSep "\n" i.unicastPeers}
|
||
|
}
|
||
|
''}
|
||
|
|
||
|
virtual_ipaddress {
|
||
|
${concatMapStringsSep "\n" virtualIpLine i.virtualIps}
|
||
|
}
|
||
|
|
||
|
${optionalString (builtins.length i.trackScripts > 0) ''
|
||
|
track_script {
|
||
|
${concatStringsSep "\n" i.trackScripts}
|
||
|
}
|
||
|
''}
|
||
|
|
||
|
${optionalString (builtins.length i.trackInterfaces > 0) ''
|
||
|
track_interface {
|
||
|
${concatStringsSep "\n" i.trackInterfaces}
|
||
|
}
|
||
|
''}
|
||
|
|
||
|
${i.extraConfig}
|
||
|
}
|
||
|
''
|
||
|
) vrrpInstances);
|
||
|
|
||
|
virtualIpLine = ip: ip.addr
|
||
|
+ optionalString (notNullOrEmpty ip.brd) " brd ${ip.brd}"
|
||
|
+ optionalString (notNullOrEmpty ip.dev) " dev ${ip.dev}"
|
||
|
+ optionalString (notNullOrEmpty ip.scope) " scope ${ip.scope}"
|
||
|
+ optionalString (notNullOrEmpty ip.label) " label ${ip.label}";
|
||
|
|
||
|
notNullOrEmpty = s: !(s == null || s == "");
|
||
|
|
||
|
vrrpScripts = mapAttrsToList (name: config:
|
||
|
{
|
||
|
inherit name;
|
||
|
} // config
|
||
|
) cfg.vrrpScripts;
|
||
|
|
||
|
vrrpInstances = mapAttrsToList (iName: iConfig:
|
||
|
{
|
||
|
name = iName;
|
||
|
} // iConfig
|
||
|
) cfg.vrrpInstances;
|
||
|
|
||
|
vrrpInstanceAssertions = i: [
|
||
|
{ assertion = i.interface != "";
|
||
|
message = "services.keepalived.vrrpInstances.${i.name}.interface option cannot be empty.";
|
||
|
}
|
||
|
{ assertion = i.virtualRouterId >= 0 && i.virtualRouterId <= 255;
|
||
|
message = "services.keepalived.vrrpInstances.${i.name}.virtualRouterId must be an integer between 0..255.";
|
||
|
}
|
||
|
{ assertion = i.priority >= 0 && i.priority <= 255;
|
||
|
message = "services.keepalived.vrrpInstances.${i.name}.priority must be an integer between 0..255.";
|
||
|
}
|
||
|
{ assertion = i.vmacInterface == null || i.useVmac;
|
||
|
message = "services.keepalived.vrrpInstances.${i.name}.vmacInterface has no effect when services.keepalived.vrrpInstances.${i.name}.useVmac is not set.";
|
||
|
}
|
||
|
{ assertion = !i.vmacXmitBase || i.useVmac;
|
||
|
message = "services.keepalived.vrrpInstances.${i.name}.vmacXmitBase has no effect when services.keepalived.vrrpInstances.${i.name}.useVmac is not set.";
|
||
|
}
|
||
|
] ++ flatten (map (virtualIpAssertions i.name) i.virtualIps)
|
||
|
++ flatten (map (vrrpScriptAssertion i.name) i.trackScripts);
|
||
|
|
||
|
virtualIpAssertions = vrrpName: ip: [
|
||
|
{ assertion = ip.addr != "";
|
||
|
message = "The 'addr' option for an services.keepalived.vrrpInstances.${vrrpName}.virtualIps entry cannot be empty.";
|
||
|
}
|
||
|
];
|
||
|
|
||
|
vrrpScriptAssertion = vrrpName: scriptName: {
|
||
|
assertion = builtins.hasAttr scriptName cfg.vrrpScripts;
|
||
|
message = "services.keepalived.vrrpInstances.${vrrpName} trackscript ${scriptName} is not defined in services.keepalived.vrrpScripts.";
|
||
|
};
|
||
|
|
||
|
pidFile = "/run/keepalived.pid";
|
||
|
|
||
|
in
|
||
|
{
|
||
|
meta.maintainers = [ lib.maintainers.raitobezarius ];
|
||
|
|
||
|
options = {
|
||
|
services.keepalived = {
|
||
|
|
||
|
enable = mkOption {
|
||
|
type = types.bool;
|
||
|
default = false;
|
||
|
description = ''
|
||
|
Whether to enable Keepalived.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
openFirewall = mkOption {
|
||
|
type = types.bool;
|
||
|
default = false;
|
||
|
description = ''
|
||
|
Whether to automatically allow VRRP and AH packets in the firewall.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
enableScriptSecurity = mkOption {
|
||
|
type = types.bool;
|
||
|
default = false;
|
||
|
description = ''
|
||
|
Don't run scripts configured to be run as root if any part of the path is writable by a non-root user.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
snmp = {
|
||
|
|
||
|
enable = mkOption {
|
||
|
type = types.bool;
|
||
|
default = false;
|
||
|
description = ''
|
||
|
Whether to enable the builtin AgentX subagent.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
socket = mkOption {
|
||
|
type = types.nullOr types.str;
|
||
|
default = null;
|
||
|
description = ''
|
||
|
Socket to use for connecting to SNMP master agent. If this value is
|
||
|
set to null, keepalived's default will be used, which is
|
||
|
unix:/var/agentx/master, unless using a network namespace, when the
|
||
|
default is udp:localhost:705.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
enableKeepalived = mkOption {
|
||
|
type = types.bool;
|
||
|
default = false;
|
||
|
description = ''
|
||
|
Enable SNMP handling of vrrp element of KEEPALIVED MIB.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
enableChecker = mkOption {
|
||
|
type = types.bool;
|
||
|
default = false;
|
||
|
description = ''
|
||
|
Enable SNMP handling of checker element of KEEPALIVED MIB.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
enableRfc = mkOption {
|
||
|
type = types.bool;
|
||
|
default = false;
|
||
|
description = ''
|
||
|
Enable SNMP handling of RFC2787 and RFC6527 VRRP MIBs.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
enableRfcV2 = mkOption {
|
||
|
type = types.bool;
|
||
|
default = false;
|
||
|
description = ''
|
||
|
Enable SNMP handling of RFC2787 VRRP MIB.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
enableRfcV3 = mkOption {
|
||
|
type = types.bool;
|
||
|
default = false;
|
||
|
description = ''
|
||
|
Enable SNMP handling of RFC6527 VRRP MIB.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
enableTraps = mkOption {
|
||
|
type = types.bool;
|
||
|
default = false;
|
||
|
description = ''
|
||
|
Enable SNMP traps.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
};
|
||
|
|
||
|
vrrpScripts = mkOption {
|
||
|
type = types.attrsOf (types.submodule (import ./vrrp-script-options.nix {
|
||
|
inherit lib;
|
||
|
}));
|
||
|
default = {};
|
||
|
description = "Declarative vrrp script config";
|
||
|
};
|
||
|
|
||
|
vrrpInstances = mkOption {
|
||
|
type = types.attrsOf (types.submodule (import ./vrrp-instance-options.nix {
|
||
|
inherit lib;
|
||
|
}));
|
||
|
default = {};
|
||
|
description = "Declarative vhost config";
|
||
|
};
|
||
|
|
||
|
extraGlobalDefs = mkOption {
|
||
|
type = types.lines;
|
||
|
default = "";
|
||
|
description = ''
|
||
|
Extra lines to be added verbatim to the 'global_defs' block of the
|
||
|
configuration file
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
extraConfig = mkOption {
|
||
|
type = types.lines;
|
||
|
default = "";
|
||
|
description = ''
|
||
|
Extra lines to be added verbatim to the configuration file.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
secretFile = mkOption {
|
||
|
type = types.nullOr types.path;
|
||
|
default = null;
|
||
|
example = "/run/keys/keepalived.env";
|
||
|
description = ''
|
||
|
Environment variables from this file will be interpolated into the
|
||
|
final config file using envsubst with this syntax: `$ENVIRONMENT`
|
||
|
or `''${VARIABLE}`.
|
||
|
The file should contain lines formatted as `SECRET_VAR=SECRET_VALUE`.
|
||
|
This is useful to avoid putting secrets into the nix store.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
};
|
||
|
};
|
||
|
|
||
|
config = mkIf cfg.enable {
|
||
|
|
||
|
assertions = flatten (map vrrpInstanceAssertions vrrpInstances);
|
||
|
|
||
|
networking.firewall = lib.mkIf cfg.openFirewall {
|
||
|
extraCommands = ''
|
||
|
# Allow VRRP and AH packets
|
||
|
ip46tables -A nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
|
||
|
ip46tables -A nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
|
||
|
'';
|
||
|
|
||
|
extraStopCommands = ''
|
||
|
ip46tables -D nixos-fw -p vrrp -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
|
||
|
ip46tables -D nixos-fw -p ah -m comment --comment "services.keepalived.openFirewall" -j ACCEPT
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
systemd.timers.keepalived-boot-delay = {
|
||
|
description = "Keepalive Daemon delay to avoid instant transition to MASTER state";
|
||
|
after = [ "network.target" "network-online.target" "syslog.target" ];
|
||
|
requires = [ "network-online.target" ];
|
||
|
wantedBy = [ "multi-user.target" ];
|
||
|
timerConfig = {
|
||
|
OnActiveSec = "5s";
|
||
|
Unit = "keepalived.service";
|
||
|
};
|
||
|
};
|
||
|
|
||
|
systemd.services.keepalived = let
|
||
|
finalConfigFile = if cfg.secretFile == null then keepalivedConf else "/run/keepalived/keepalived.conf";
|
||
|
in {
|
||
|
description = "Keepalive Daemon (LVS and VRRP)";
|
||
|
after = [ "network.target" "network-online.target" "syslog.target" ];
|
||
|
wants = [ "network-online.target" ];
|
||
|
serviceConfig = {
|
||
|
Type = "forking";
|
||
|
PIDFile = pidFile;
|
||
|
KillMode = "process";
|
||
|
RuntimeDirectory = "keepalived";
|
||
|
EnvironmentFile = lib.optional (cfg.secretFile != null) cfg.secretFile;
|
||
|
ExecStartPre = lib.optional (cfg.secretFile != null)
|
||
|
(pkgs.writeShellScript "keepalived-pre-start" ''
|
||
|
umask 077
|
||
|
${pkgs.envsubst}/bin/envsubst -i "${keepalivedConf}" > ${finalConfigFile}
|
||
|
'');
|
||
|
ExecStart = "${pkgs.keepalived}/sbin/keepalived"
|
||
|
+ " -f ${finalConfigFile}"
|
||
|
+ " -p ${pidFile}"
|
||
|
+ optionalString cfg.snmp.enable " --snmp";
|
||
|
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||
|
Restart = "always";
|
||
|
RestartSec = "1s";
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
}
|