

nixos/routinator: init module
peterablehmann committed Feb 8, 2025
1 parent a01189f commit 3089395
Showing 2 changed files with 109 additions and 0 deletions.
2 changes: 2 additions & 0 deletions nixos/doc/manual/release-notes/rl-2505.section.md
Expand Up @@ -79,6 +79,8 @@

- [networking.modemmanager](options.html#opt-networking.modemmanager) has been split out of [networking.networkmanager](options.html#opt-networking.networkmanager). NetworkManager still enables ModemManager by default, but options exist now to run NetworkManager without ModemManager.

- [Routinator 3000](https://nlnetlabs.nl/projects/routing/routinator/), a full-featured RPKI Relying Party software package that runs as a service which periodically downloads and verifies RPKI data.

- [doh-server](https://github.com/m13253/dns-over-https), a high performance DNS over HTTPS server. Available as [services.doh-server](options.html#opt-services.doh-server.enable).

- [ncps](https://github.com/kalbasit/ncps), a Nix binary cache proxy service implemented in Go using [go-nix](https://github.com/nix-community/go-nix). Available as [services.ncps](options.html#opt-services.ncps.enable).
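--- a/nixos/modules/services/networking/routinator.nix
+++ b/nixos/modules/services/networking/routinator.nix
@@ -0,0 +1,107 @@
+{
+config,
+lib,
+pkgs,
+utils,
+...
+}:
+let
+inherit (lib)
+getExe
+maintainers
+mkEnableOption
+mkPackageOption
+mkOption
+types
+;
+inherit (utils) escapeSystemdExecArgs;
+cfg = config.services.routinator;
+settingsFormat = pkgs.formats.toml { };
+in
+{
+options.services.routinator = {
+enable = mkEnableOption "Routinator 3000";
+
+package = mkPackageOption pkgs "routinator" { };
+
+extraArgs = mkOption {
+description = ''
+Extra arguments to passed to routinator, see <https://routinator.docs.nlnetlabs.nl/en/stable/manual-page.html#options> for options.";
+'';
+type = types.listOf types.str;
+default = [ ];
+example = [ "--no-rir-tals" ];
+};
+
+extraServerArgs = mkOption {
+description = ''
+Extra arguments to passed to the server subcommand, see <https://routinator.docs.nlnetlabs.nl/en/stable/manual-page.html#subcmd-server> for options.";
+'';
+type = types.listOf types.str;
+default = [ ];
+example = [ "--rtr-client-metrics" ];
+};
+
+settings = mkOption {
+type = types.submodule {
+freeformType = settingsFormat.type;
+options = {
+repository-dir = mkOption {
+type = types.path;
+default = "/var/lib/routinator/rpki-cache";
+};
+};
+};
+description = ''
+Configuration for Routinator 3000, see <https://routinator.docs.nlnetlabs.nl/en/stable/manual-page.html#configuration-file> for options.
+'';
+default = { };
+};
+};
+
+config = {
+environment.etc."routinator.conf".source = settingsFormat.generate "routinator.conf" cfg.settings;
+
+systemd.services.routinator = {
+description = "Routinator 3000 is free, open-source RPKI Relying Party software made by NLnet Labs.";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+path = with pkgs; [ rsync ];
+serviceConfig = {
+Type = "exec";
+ExecStart = escapeSystemdExecArgs (
+[
+(getExe cfg.package)
+"--config=/etc/routinator.conf"
+]
+++ cfg.extraArgs
+++ [
+"server"
+]
+++ cfg.extraServerArgs
+);
+Restart = "on-failure";
+DynamicUser = true;
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateTmp = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectSystem = "strict";
+RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+RestrictNamespaces = true;
+RestrictRealtime = true;
+StateDirectory = "routinator";
+SystemCallArchitectures = "native";
+SystemCallErrorNumber = "EPERM";
+SystemCallFilter = "@system-service";
+};
+};
+};
+
+meta.maintainers = with maintainers; [ xgwq ];
+}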
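Review bot: The `config = {` block is not gated on `cfg.enable`, so merely importing this module defines `environment.etc."routinator.conf"` and a unit with `wantedBy = [ "multi-user.target" ]` on every system, while the `enable` option it declares is never read; it should be `config = lib.mkIf cfg.enable {` (or add `mkIf` to the `inherit (lib)` list and use it). Separately, the `extraArgs` and `extraServerArgs` descriptions end in a stray `";` inside the `''` string, so the text `for options.";` is rendered into the manual; the intended wording is `Extra arguments passed to routinator, see <https://routinator.docs.nlnetlabs.nl/en/stable/manual-page.html#options> for options.` and the same form for the server subcommand. Since `DynamicUser = true` already runs the daemon unprivileged, `CapabilityBoundingSet = ""`, `ProtectClock = true`, `ProtectHostname = true`, `ProtectKernelLogs = true` and `RestrictSUIDSGID = true` would fit next to the hardening directives already in `serviceConfig`, and `SystemCallFilter` could also drop `@privileged` and `@resources`.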

