diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index c94c07e4130a..87dd91971e48 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -326,6 +326,7 @@
 ./services/security/fprot.nix
 ./services/security/frandom.nix
 ./services/security/haveged.nix
+ ./services/security/munge.nix
 ./services/security/torify.nix
 ./services/security/tor.nix
 ./services/security/torsocks.nix
diff --git a/nixos/modules/services/security/munge.nix b/nixos/modules/services/security/munge.nix
new file mode 100644
index 000000000000..919c2c2b0e15
--- /dev/null
+++ b/nixos/modules/services/security/munge.nix
@@ -0,0 +1,61 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.munge;
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.munge = {
+ enable = mkEnableOption "munge service";
+
+ password = mkOption {
+ default = "/etc/munge/munge.key";
+ type = types.string;
+ description = ''
+ The path to a daemon's secret key.
+ '';
+ };
+
+ };
+
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+
+ environment.systemPackages = [ pkgs.munge ];
+
+ systemd.services.munged = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ path = [ pkgs.munge pkgs.coreutils ];
+
+ preStart = ''
+ chmod 0700 ${cfg.password}
+ mkdir -p /var/lib/munge -m 0711
+ mkdir -p /var/log/munge -m 0700
+ mkdir -p /run/munge -m 0755
+ '';
+
+ serviceConfig = {
+ ExecStart = "${pkgs.munge}/bin/munged --syslog --key-file ${cfg.password}";
+ PIDFile = "/run/munge/munged.pid";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ };
+
+ };
+
+ };
+
+}
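Review bot: `chmod 0700 ${cfg.password}` in the new munge.nix preStart sets the execute bit on a secret key file; `chmod 0600 "${cfg.password}"` is the mode a key file needs, and quoting the interpolated path keeps a path containing spaces from being word-split by the shell (the same unquoted interpolation recurs in ExecStart's `--key-file ${cfg.password}`). That preStart also fails outright when the file is absent, so the option description should say so rather than only "The path to a daemon's secret key.", e.g. `The path to the daemon's secret key file; it must already exist when munged starts, as this module does not create it.` Naming the option `password` for what is a file path is misleading, and `types.path` would describe it better than `types.string`. No `User=` is set, so munged runs as root here unless it drops privileges itself. `PIDFile=` only takes effect with `Type=forking`; if munged daemonizes by default, the unit as written would need either that or a foreground flag on ExecStart, which is worth confirming against the munged man page.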