nixos/services.neo4j: remove with lib;
(#338049)
commit
06aee405da
@ -1,34 +1,31 @@
|
|||||||
{ config, options, lib, pkgs, ... }:
|
{ config, options, lib, pkgs, ... }:
|
||||||
|
|
||||||
with lib;
|
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.services.neo4j;
|
cfg = config.services.neo4j;
|
||||||
opt = options.services.neo4j;
|
opt = options.services.neo4j;
|
||||||
certDirOpt = options.services.neo4j.directories.certificates;
|
certDirOpt = options.services.neo4j.directories.certificates;
|
||||||
isDefaultPathOption = opt: isOption opt && opt.type == types.path && opt.highestPrio >= 1500;
|
isDefaultPathOption = opt: lib.isOption opt && opt.type == lib.types.path && opt.highestPrio >= 1500;
|
||||||
|
|
||||||
sslPolicies = mapAttrsToList (
|
sslPolicies = lib.mapAttrsToList (
|
||||||
name: conf: ''
|
name: conf: ''
|
||||||
dbms.ssl.policy.${name}.allow_key_generation=${boolToString conf.allowKeyGeneration}
|
dbms.ssl.policy.${name}.allow_key_generation=${lib.boolToString conf.allowKeyGeneration}
|
||||||
dbms.ssl.policy.${name}.base_directory=${conf.baseDirectory}
|
dbms.ssl.policy.${name}.base_directory=${conf.baseDirectory}
|
||||||
${optionalString (conf.ciphers != null) ''
|
${lib.optionalString (conf.ciphers != null) ''
|
||||||
dbms.ssl.policy.${name}.ciphers=${concatStringsSep "," conf.ciphers}
|
dbms.ssl.policy.${name}.ciphers=${lib.concatStringsSep "," conf.ciphers}
|
||||||
''}
|
''}
|
||||||
dbms.ssl.policy.${name}.client_auth=${conf.clientAuth}
|
dbms.ssl.policy.${name}.client_auth=${conf.clientAuth}
|
||||||
${if length (splitString "/" conf.privateKey) > 1 then
|
${if lib.length (lib.splitString "/" conf.privateKey) > 1 then
|
||||||
"dbms.ssl.policy.${name}.private_key=${conf.privateKey}"
|
"dbms.ssl.policy.${name}.private_key=${conf.privateKey}"
|
||||||
else
|
else
|
||||||
"dbms.ssl.policy.${name}.private_key=${conf.baseDirectory}/${conf.privateKey}"
|
"dbms.ssl.policy.${name}.private_key=${conf.baseDirectory}/${conf.privateKey}"
|
||||||
}
|
}
|
||||||
${if length (splitString "/" conf.privateKey) > 1 then
|
${if lib.length (lib.splitString "/" conf.privateKey) > 1 then
|
||||||
"dbms.ssl.policy.${name}.public_certificate=${conf.publicCertificate}"
|
"dbms.ssl.policy.${name}.public_certificate=${conf.publicCertificate}"
|
||||||
else
|
else
|
||||||
"dbms.ssl.policy.${name}.public_certificate=${conf.baseDirectory}/${conf.publicCertificate}"
|
"dbms.ssl.policy.${name}.public_certificate=${conf.baseDirectory}/${conf.publicCertificate}"
|
||||||
}
|
}
|
||||||
dbms.ssl.policy.${name}.revoked_dir=${conf.revokedDir}
|
dbms.ssl.policy.${name}.revoked_dir=${conf.revokedDir}
|
||||||
dbms.ssl.policy.${name}.tls_versions=${concatStringsSep "," conf.tlsVersions}
|
dbms.ssl.policy.${name}.tls_versions=${lib.concatStringsSep "," conf.tlsVersions}
|
||||||
dbms.ssl.policy.${name}.trust_all=${boolToString conf.trustAll}
|
dbms.ssl.policy.${name}.trust_all=${lib.boolToString conf.trustAll}
|
||||||
dbms.ssl.policy.${name}.trusted_dir=${conf.trustedDir}
|
dbms.ssl.policy.${name}.trusted_dir=${conf.trustedDir}
|
||||||
''
|
''
|
||||||
) cfg.ssl.policies;
|
) cfg.ssl.policies;
|
||||||
@ -36,8 +33,8 @@ let
|
|||||||
serverConfig = pkgs.writeText "neo4j.conf" ''
|
serverConfig = pkgs.writeText "neo4j.conf" ''
|
||||||
# General
|
# General
|
||||||
server.default_listen_address=${cfg.defaultListenAddress}
|
server.default_listen_address=${cfg.defaultListenAddress}
|
||||||
server.databases.default_to_read_only=${boolToString cfg.readOnly}
|
server.databases.default_to_read_only=${lib.boolToString cfg.readOnly}
|
||||||
${optionalString (cfg.workerCount > 0) ''
|
${lib.optionalString (cfg.workerCount > 0) ''
|
||||||
dbms.threads.worker_count=${toString cfg.workerCount}
|
dbms.threads.worker_count=${toString cfg.workerCount}
|
||||||
''}
|
''}
|
||||||
|
|
||||||
@ -45,7 +42,7 @@ let
|
|||||||
# dbms.directories.certificates=${cfg.directories.certificates}
|
# dbms.directories.certificates=${cfg.directories.certificates}
|
||||||
server.directories.plugins=${cfg.directories.plugins}
|
server.directories.plugins=${cfg.directories.plugins}
|
||||||
server.directories.lib=${cfg.package}/share/neo4j/lib
|
server.directories.lib=${cfg.package}/share/neo4j/lib
|
||||||
${optionalString (cfg.constrainLoadCsv) ''
|
${lib.optionalString (cfg.constrainLoadCsv) ''
|
||||||
server.directories.import=${cfg.directories.imports}
|
server.directories.import=${cfg.directories.imports}
|
||||||
''}
|
''}
|
||||||
|
|
||||||
@ -55,25 +52,25 @@ let
|
|||||||
server.directories.run=${cfg.directories.home}/run
|
server.directories.run=${cfg.directories.home}/run
|
||||||
|
|
||||||
# HTTP Connector
|
# HTTP Connector
|
||||||
${optionalString (cfg.http.enable) ''
|
${lib.optionalString (cfg.http.enable) ''
|
||||||
server.http.enabled=${boolToString cfg.http.enable}
|
server.http.enabled=${lib.boolToString cfg.http.enable}
|
||||||
server.http.listen_address=${cfg.http.listenAddress}
|
server.http.listen_address=${cfg.http.listenAddress}
|
||||||
server.http.advertised_address=${cfg.http.listenAddress}
|
server.http.advertised_address=${cfg.http.listenAddress}
|
||||||
''}
|
''}
|
||||||
|
|
||||||
# HTTPS Connector
|
# HTTPS Connector
|
||||||
server.https.enabled=${boolToString cfg.https.enable}
|
server.https.enabled=${lib.boolToString cfg.https.enable}
|
||||||
server.https.listen_address=${cfg.https.listenAddress}
|
server.https.listen_address=${cfg.https.listenAddress}
|
||||||
server.https.advertised_address=${cfg.https.listenAddress}
|
server.https.advertised_address=${cfg.https.listenAddress}
|
||||||
|
|
||||||
# BOLT Connector
|
# BOLT Connector
|
||||||
server.bolt.enabled=${boolToString cfg.bolt.enable}
|
server.bolt.enabled=${lib.boolToString cfg.bolt.enable}
|
||||||
server.bolt.listen_address=${cfg.bolt.listenAddress}
|
server.bolt.listen_address=${cfg.bolt.listenAddress}
|
||||||
server.bolt.advertised_address=${cfg.bolt.listenAddress}
|
server.bolt.advertised_address=${cfg.bolt.listenAddress}
|
||||||
server.bolt.tls_level=${cfg.bolt.tlsLevel}
|
server.bolt.tls_level=${cfg.bolt.tlsLevel}
|
||||||
|
|
||||||
# SSL Policies
|
# SSL Policies
|
||||||
${concatStringsSep "\n" sslPolicies}
|
${lib.concatStringsSep "\n" sslPolicies}
|
||||||
|
|
||||||
# Default retention policy from neo4j.conf
|
# Default retention policy from neo4j.conf
|
||||||
db.tx_log.rotation.retention_policy=1 days
|
db.tx_log.rotation.retention_policy=1 days
|
||||||
@ -101,33 +98,33 @@ let
|
|||||||
in {
|
in {
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
(mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "defaultListenAddress" ])
|
(lib.mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "defaultListenAddress" ])
|
||||||
(mkRenamedOptionModule [ "services" "neo4j" "listenAddress" ] [ "services" "neo4j" "defaultListenAddress" ])
|
(lib.mkRenamedOptionModule [ "services" "neo4j" "listenAddress" ] [ "services" "neo4j" "defaultListenAddress" ])
|
||||||
(mkRenamedOptionModule [ "services" "neo4j" "enableBolt" ] [ "services" "neo4j" "bolt" "enable" ])
|
(lib.mkRenamedOptionModule [ "services" "neo4j" "enableBolt" ] [ "services" "neo4j" "bolt" "enable" ])
|
||||||
(mkRenamedOptionModule [ "services" "neo4j" "enableHttps" ] [ "services" "neo4j" "https" "enable" ])
|
(lib.mkRenamedOptionModule [ "services" "neo4j" "enableHttps" ] [ "services" "neo4j" "https" "enable" ])
|
||||||
(mkRenamedOptionModule [ "services" "neo4j" "certDir" ] [ "services" "neo4j" "directories" "certificates" ])
|
(lib.mkRenamedOptionModule [ "services" "neo4j" "certDir" ] [ "services" "neo4j" "directories" "certificates" ])
|
||||||
(mkRenamedOptionModule [ "services" "neo4j" "dataDir" ] [ "services" "neo4j" "directories" "home" ])
|
(lib.mkRenamedOptionModule [ "services" "neo4j" "dataDir" ] [ "services" "neo4j" "directories" "home" ])
|
||||||
(mkRemovedOptionModule [ "services" "neo4j" "port" ] "Use services.neo4j.http.listenAddress instead.")
|
(lib.mkRemovedOptionModule [ "services" "neo4j" "port" ] "Use services.neo4j.http.listenAddress instead.")
|
||||||
(mkRemovedOptionModule [ "services" "neo4j" "boltPort" ] "Use services.neo4j.bolt.listenAddress instead.")
|
(lib.mkRemovedOptionModule [ "services" "neo4j" "boltPort" ] "Use services.neo4j.bolt.listenAddress instead.")
|
||||||
(mkRemovedOptionModule [ "services" "neo4j" "httpsPort" ] "Use services.neo4j.https.listenAddress instead.")
|
(lib.mkRemovedOptionModule [ "services" "neo4j" "httpsPort" ] "Use services.neo4j.https.listenAddress instead.")
|
||||||
(mkRemovedOptionModule [ "services" "neo4j" "shell" "enabled" ] "shell.enabled was removed upstream")
|
(lib.mkRemovedOptionModule [ "services" "neo4j" "shell" "enabled" ] "shell.enabled was removed upstream")
|
||||||
(mkRemovedOptionModule [ "services" "neo4j" "udc" "enabled" ] "udc.enabled was removed upstream")
|
(lib.mkRemovedOptionModule [ "services" "neo4j" "udc" "enabled" ] "udc.enabled was removed upstream")
|
||||||
];
|
];
|
||||||
|
|
||||||
###### interface
|
###### interface
|
||||||
|
|
||||||
options.services.neo4j = {
|
options.services.neo4j = {
|
||||||
|
|
||||||
enable = mkOption {
|
enable = lib.mkOption {
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = ''
|
||||||
Whether to enable Neo4j Community Edition.
|
Whether to enable Neo4j Community Edition.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
constrainLoadCsv = mkOption {
|
constrainLoadCsv = lib.mkOption {
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
description = ''
|
description = ''
|
||||||
Sets the root directory for file URLs used with the Cypher
|
Sets the root directory for file URLs used with the Cypher
|
||||||
@ -141,8 +138,8 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
defaultListenAddress = mkOption {
|
defaultListenAddress = lib.mkOption {
|
||||||
type = types.str;
|
type = lib.types.str;
|
||||||
default = "127.0.0.1";
|
default = "127.0.0.1";
|
||||||
description = ''
|
description = ''
|
||||||
Default network interface to listen for incoming connections. To
|
Default network interface to listen for incoming connections. To
|
||||||
@ -155,8 +152,8 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
extraServerConfig = mkOption {
|
extraServerConfig = lib.mkOption {
|
||||||
type = types.lines;
|
type = lib.types.lines;
|
||||||
default = "";
|
default = "";
|
||||||
description = ''
|
description = ''
|
||||||
Extra configuration for Neo4j Community server. Refer to the
|
Extra configuration for Neo4j Community server. Refer to the
|
||||||
@ -165,18 +162,18 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
package = mkPackageOption pkgs "neo4j" { };
|
package = lib.mkPackageOption pkgs "neo4j" { };
|
||||||
|
|
||||||
readOnly = mkOption {
|
readOnly = lib.mkOption {
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = ''
|
||||||
Only allow read operations from this Neo4j instance.
|
Only allow read operations from this Neo4j instance.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
workerCount = mkOption {
|
workerCount = lib.mkOption {
|
||||||
type = types.ints.between 0 44738;
|
type = lib.types.ints.between 0 44738;
|
||||||
default = 0;
|
default = 0;
|
||||||
description = ''
|
description = ''
|
||||||
Number of Neo4j worker threads, where the default of
|
Number of Neo4j worker threads, where the default of
|
||||||
@ -186,8 +183,8 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
bolt = {
|
bolt = {
|
||||||
enable = mkOption {
|
enable = lib.mkOption {
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
description = ''
|
description = ''
|
||||||
Enable the BOLT connector for Neo4j. Setting this option to
|
Enable the BOLT connector for Neo4j. Setting this option to
|
||||||
@ -196,8 +193,8 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
listenAddress = mkOption {
|
listenAddress = lib.mkOption {
|
||||||
type = types.str;
|
type = lib.types.str;
|
||||||
default = ":7687";
|
default = ":7687";
|
||||||
description = ''
|
description = ''
|
||||||
Neo4j listen address for BOLT traffic. The listen address is
|
Neo4j listen address for BOLT traffic. The listen address is
|
||||||
@ -205,8 +202,8 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
sslPolicy = mkOption {
|
sslPolicy = lib.mkOption {
|
||||||
type = types.str;
|
type = lib.types.str;
|
||||||
default = "legacy";
|
default = "legacy";
|
||||||
description = ''
|
description = ''
|
||||||
Neo4j SSL policy for BOLT traffic.
|
Neo4j SSL policy for BOLT traffic.
|
||||||
@ -223,8 +220,8 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
tlsLevel = mkOption {
|
tlsLevel = lib.mkOption {
|
||||||
type = types.enum [ "REQUIRED" "OPTIONAL" "DISABLED" ];
|
type = lib.types.enum [ "REQUIRED" "OPTIONAL" "DISABLED" ];
|
||||||
default = "OPTIONAL";
|
default = "OPTIONAL";
|
||||||
description = ''
|
description = ''
|
||||||
SSL/TSL requirement level for BOLT traffic.
|
SSL/TSL requirement level for BOLT traffic.
|
||||||
@ -233,10 +230,10 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
directories = {
|
directories = {
|
||||||
certificates = mkOption {
|
certificates = lib.mkOption {
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
default = "${cfg.directories.home}/certificates";
|
default = "${cfg.directories.home}/certificates";
|
||||||
defaultText = literalExpression ''"''${config.${opt.directories.home}}/certificates"'';
|
defaultText = lib.literalExpression ''"''${config.${opt.directories.home}}/certificates"'';
|
||||||
description = ''
|
description = ''
|
||||||
Directory for storing certificates to be used by Neo4j for
|
Directory for storing certificates to be used by Neo4j for
|
||||||
TLS connections.
|
TLS connections.
|
||||||
@ -256,10 +253,10 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
data = mkOption {
|
data = lib.mkOption {
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
default = "${cfg.directories.home}/data";
|
default = "${cfg.directories.home}/data";
|
||||||
defaultText = literalExpression ''"''${config.${opt.directories.home}}/data"'';
|
defaultText = lib.literalExpression ''"''${config.${opt.directories.home}}/data"'';
|
||||||
description = ''
|
description = ''
|
||||||
Path of the data directory. You must not configure more than one
|
Path of the data directory. You must not configure more than one
|
||||||
Neo4j installation to use the same data directory.
|
Neo4j installation to use the same data directory.
|
||||||
@ -270,8 +267,8 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
home = mkOption {
|
home = lib.mkOption {
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
default = "/var/lib/neo4j";
|
default = "/var/lib/neo4j";
|
||||||
description = ''
|
description = ''
|
||||||
Path of the Neo4j home directory. Other default directories are
|
Path of the Neo4j home directory. Other default directories are
|
||||||
@ -281,10 +278,10 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
imports = mkOption {
|
imports = lib.mkOption {
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
default = "${cfg.directories.home}/import";
|
default = "${cfg.directories.home}/import";
|
||||||
defaultText = literalExpression ''"''${config.${opt.directories.home}}/import"'';
|
defaultText = lib.literalExpression ''"''${config.${opt.directories.home}}/import"'';
|
||||||
description = ''
|
description = ''
|
||||||
The root directory for file URLs used with the Cypher
|
The root directory for file URLs used with the Cypher
|
||||||
`LOAD CSV` clause. Only meaningful when
|
`LOAD CSV` clause. Only meaningful when
|
||||||
@ -297,10 +294,10 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
plugins = mkOption {
|
plugins = lib.mkOption {
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
default = "${cfg.directories.home}/plugins";
|
default = "${cfg.directories.home}/plugins";
|
||||||
defaultText = literalExpression ''"''${config.${opt.directories.home}}/plugins"'';
|
defaultText = lib.literalExpression ''"''${config.${opt.directories.home}}/plugins"'';
|
||||||
description = ''
|
description = ''
|
||||||
Path of the database plugin directory. Compiled Java JAR files that
|
Path of the database plugin directory. Compiled Java JAR files that
|
||||||
contain database procedures will be loaded if they are placed in
|
contain database procedures will be loaded if they are placed in
|
||||||
@ -314,8 +311,8 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
http = {
|
http = {
|
||||||
enable = mkOption {
|
enable = lib.mkOption {
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
description = ''
|
description = ''
|
||||||
Enable the HTTP connector for Neo4j. Setting this option to
|
Enable the HTTP connector for Neo4j. Setting this option to
|
||||||
@ -324,8 +321,8 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
listenAddress = mkOption {
|
listenAddress = lib.mkOption {
|
||||||
type = types.str;
|
type = lib.types.str;
|
||||||
default = ":7474";
|
default = ":7474";
|
||||||
description = ''
|
description = ''
|
||||||
Neo4j listen address for HTTP traffic. The listen address is
|
Neo4j listen address for HTTP traffic. The listen address is
|
||||||
@ -335,8 +332,8 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
https = {
|
https = {
|
||||||
enable = mkOption {
|
enable = lib.mkOption {
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
description = ''
|
description = ''
|
||||||
Enable the HTTPS connector for Neo4j. Setting this option to
|
Enable the HTTPS connector for Neo4j. Setting this option to
|
||||||
@ -345,8 +342,8 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
listenAddress = mkOption {
|
listenAddress = lib.mkOption {
|
||||||
type = types.str;
|
type = lib.types.str;
|
||||||
default = ":7473";
|
default = ":7473";
|
||||||
description = ''
|
description = ''
|
||||||
Neo4j listen address for HTTPS traffic. The listen address is
|
Neo4j listen address for HTTPS traffic. The listen address is
|
||||||
@ -354,8 +351,8 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
sslPolicy = mkOption {
|
sslPolicy = lib.mkOption {
|
||||||
type = types.str;
|
type = lib.types.str;
|
||||||
default = "legacy";
|
default = "legacy";
|
||||||
description = ''
|
description = ''
|
||||||
Neo4j SSL policy for HTTPS traffic.
|
Neo4j SSL policy for HTTPS traffic.
|
||||||
@ -370,8 +367,8 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
shell = {
|
shell = {
|
||||||
enable = mkOption {
|
enable = lib.mkOption {
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = ''
|
||||||
Enable a remote shell server which Neo4j Shell clients can log in to.
|
Enable a remote shell server which Neo4j Shell clients can log in to.
|
||||||
@ -380,12 +377,12 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
ssl.policies = mkOption {
|
ssl.policies = lib.mkOption {
|
||||||
type = with types; attrsOf (submodule ({ name, config, options, ... }: {
|
type = with lib.types; attrsOf (submodule ({ name, config, options, ... }: {
|
||||||
options = {
|
options = {
|
||||||
|
|
||||||
allowKeyGeneration = mkOption {
|
allowKeyGeneration = lib.mkOption {
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = ''
|
||||||
Allows the generation of a private key and associated self-signed
|
Allows the generation of a private key and associated self-signed
|
||||||
@ -402,10 +399,10 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
baseDirectory = mkOption {
|
baseDirectory = lib.mkOption {
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
default = "${cfg.directories.certificates}/${name}";
|
default = "${cfg.directories.certificates}/${name}";
|
||||||
defaultText = literalExpression ''"''${config.${opt.directories.certificates}}/''${name}"'';
|
defaultText = lib.literalExpression ''"''${config.${opt.directories.certificates}}/''${name}"'';
|
||||||
description = ''
|
description = ''
|
||||||
The mandatory base directory for cryptographic objects of this
|
The mandatory base directory for cryptographic objects of this
|
||||||
policy. This path is only automatically generated when this
|
policy. This path is only automatically generated when this
|
||||||
@ -420,8 +417,8 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
ciphers = mkOption {
|
ciphers = lib.mkOption {
|
||||||
type = types.nullOr (types.listOf types.str);
|
type = lib.types.nullOr (lib.types.listOf lib.types.str);
|
||||||
default = null;
|
default = null;
|
||||||
description = ''
|
description = ''
|
||||||
Restrict the allowed ciphers of this policy to those defined
|
Restrict the allowed ciphers of this policy to those defined
|
||||||
@ -429,16 +426,16 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
clientAuth = mkOption {
|
clientAuth = lib.mkOption {
|
||||||
type = types.enum [ "NONE" "OPTIONAL" "REQUIRE" ];
|
type = lib.types.enum [ "NONE" "OPTIONAL" "REQUIRE" ];
|
||||||
default = "REQUIRE";
|
default = "REQUIRE";
|
||||||
description = ''
|
description = ''
|
||||||
The client authentication stance for this policy.
|
The client authentication stance for this policy.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
privateKey = mkOption {
|
privateKey = lib.mkOption {
|
||||||
type = types.str;
|
type = lib.types.str;
|
||||||
default = "private.key";
|
default = "private.key";
|
||||||
description = ''
|
description = ''
|
||||||
The name of private PKCS #8 key file for this policy to be found
|
The name of private PKCS #8 key file for this policy to be found
|
||||||
@ -447,8 +444,8 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
publicCertificate = mkOption {
|
publicCertificate = lib.mkOption {
|
||||||
type = types.str;
|
type = lib.types.str;
|
||||||
default = "public.crt";
|
default = "public.crt";
|
||||||
description = ''
|
description = ''
|
||||||
The name of public X.509 certificate (chain) file in PEM format
|
The name of public X.509 certificate (chain) file in PEM format
|
||||||
@ -462,10 +459,10 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
revokedDir = mkOption {
|
revokedDir = lib.mkOption {
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
default = "${config.baseDirectory}/revoked";
|
default = "${config.baseDirectory}/revoked";
|
||||||
defaultText = literalExpression ''"''${config.${options.baseDirectory}}/revoked"'';
|
defaultText = lib.literalExpression ''"''${config.${options.baseDirectory}}/revoked"'';
|
||||||
description = ''
|
description = ''
|
||||||
Path to directory of CRLs (Certificate Revocation Lists) in
|
Path to directory of CRLs (Certificate Revocation Lists) in
|
||||||
PEM format. Must be an absolute path. The existence of this
|
PEM format. Must be an absolute path. The existence of this
|
||||||
@ -478,8 +475,8 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
tlsVersions = mkOption {
|
tlsVersions = lib.mkOption {
|
||||||
type = types.listOf types.str;
|
type = lib.types.listOf lib.types.str;
|
||||||
default = [ "TLSv1.2" ];
|
default = [ "TLSv1.2" ];
|
||||||
description = ''
|
description = ''
|
||||||
Restrict the TLS protocol versions of this policy to those
|
Restrict the TLS protocol versions of this policy to those
|
||||||
@ -487,8 +484,8 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
trustAll = mkOption {
|
trustAll = lib.mkOption {
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = ''
|
||||||
Makes this policy trust all remote parties. Enabling this is not
|
Makes this policy trust all remote parties. Enabling this is not
|
||||||
@ -498,10 +495,10 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
trustedDir = mkOption {
|
trustedDir = lib.mkOption {
|
||||||
type = types.path;
|
type = lib.types.path;
|
||||||
default = "${config.baseDirectory}/trusted";
|
default = "${config.baseDirectory}/trusted";
|
||||||
defaultText = literalExpression ''"''${config.${options.baseDirectory}}/trusted"'';
|
defaultText = lib.literalExpression ''"''${config.${options.baseDirectory}}/trusted"'';
|
||||||
description = ''
|
description = ''
|
||||||
Path to directory of X.509 certificates in PEM format for
|
Path to directory of X.509 certificates in PEM format for
|
||||||
trusted parties. Must be an absolute path. The existence of this
|
trusted parties. Must be an absolute path. The existence of this
|
||||||
@ -518,8 +515,8 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
directoriesToCreate = mkOption {
|
directoriesToCreate = lib.mkOption {
|
||||||
type = types.listOf types.path;
|
type = lib.types.listOf lib.types.path;
|
||||||
internal = true;
|
internal = true;
|
||||||
readOnly = true;
|
readOnly = true;
|
||||||
description = ''
|
description = ''
|
||||||
@ -532,9 +529,9 @@ in {
|
|||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config.directoriesToCreate = optionals
|
config.directoriesToCreate = lib.optionals
|
||||||
(certDirOpt.highestPrio >= 1500 && options.baseDirectory.highestPrio >= 1500)
|
(certDirOpt.highestPrio >= 1500 && options.baseDirectory.highestPrio >= 1500)
|
||||||
(map (opt: opt.value) (filter isDefaultPathOption (attrValues options)));
|
(map (opt: opt.value) (lib.filter isDefaultPathOption (lib.attrValues options)));
|
||||||
|
|
||||||
}));
|
}));
|
||||||
default = {};
|
default = {};
|
||||||
@ -555,22 +552,22 @@ in {
|
|||||||
config =
|
config =
|
||||||
let
|
let
|
||||||
# Assertion helpers
|
# Assertion helpers
|
||||||
policyNameList = attrNames cfg.ssl.policies;
|
policyNameList = lib.attrNames cfg.ssl.policies;
|
||||||
validPolicyNameList = [ "legacy" ] ++ policyNameList;
|
validPolicyNameList = [ "legacy" ] ++ policyNameList;
|
||||||
validPolicyNameString = concatStringsSep ", " validPolicyNameList;
|
validPolicyNameString = lib.concatStringsSep ", " validPolicyNameList;
|
||||||
|
|
||||||
# Capture various directories left at their default so they can be created.
|
# Capture various directories left at their default so they can be created.
|
||||||
defaultDirectoriesToCreate = map (opt: opt.value) (filter isDefaultPathOption (attrValues options.services.neo4j.directories));
|
defaultDirectoriesToCreate = map (opt: opt.value) (lib.filter isDefaultPathOption (lib.attrValues options.services.neo4j.directories));
|
||||||
policyDirectoriesToCreate = concatMap (pol: pol.directoriesToCreate) (attrValues cfg.ssl.policies);
|
policyDirectoriesToCreate = lib.concatMap (pol: pol.directoriesToCreate) (lib.attrValues cfg.ssl.policies);
|
||||||
in
|
in
|
||||||
|
|
||||||
mkIf cfg.enable {
|
lib.mkIf cfg.enable {
|
||||||
assertions = [
|
assertions = [
|
||||||
{ assertion = !elem "legacy" policyNameList;
|
{ assertion = !lib.elem "legacy" policyNameList;
|
||||||
message = "The policy 'legacy' is special to Neo4j, and its name is reserved."; }
|
message = "The policy 'legacy' is special to Neo4j, and its name is reserved."; }
|
||||||
{ assertion = elem cfg.bolt.sslPolicy validPolicyNameList;
|
{ assertion = lib.elem cfg.bolt.sslPolicy validPolicyNameList;
|
||||||
message = "Invalid policy assigned: `services.neo4j.bolt.sslPolicy = \"${cfg.bolt.sslPolicy}\"`, defined policies are: ${validPolicyNameString}"; }
|
message = "Invalid policy assigned: `services.neo4j.bolt.sslPolicy = \"${cfg.bolt.sslPolicy}\"`, defined policies are: ${validPolicyNameString}"; }
|
||||||
{ assertion = elem cfg.https.sslPolicy validPolicyNameList;
|
{ assertion = lib.elem cfg.https.sslPolicy validPolicyNameList;
|
||||||
message = "Invalid policy assigned: `services.neo4j.https.sslPolicy = \"${cfg.https.sslPolicy}\"`, defined policies are: ${validPolicyNameString}"; }
|
message = "Invalid policy assigned: `services.neo4j.https.sslPolicy = \"${cfg.https.sslPolicy}\"`, defined policies are: ${validPolicyNameString}"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
@ -595,7 +592,7 @@ in {
|
|||||||
mkdir -m 0700 -p ${cfg.directories.home}/{conf,logs}
|
mkdir -m 0700 -p ${cfg.directories.home}/{conf,logs}
|
||||||
|
|
||||||
# Create other sub-directories and policy directories that have been left at their default.
|
# Create other sub-directories and policy directories that have been left at their default.
|
||||||
${concatMapStringsSep "\n" (
|
${lib.concatMapStringsSep "\n" (
|
||||||
dir: ''
|
dir: ''
|
||||||
mkdir -m 0700 -p ${dir}
|
mkdir -m 0700 -p ${dir}
|
||||||
'') (defaultDirectoriesToCreate ++ policyDirectoriesToCreate)}
|
'') (defaultDirectoriesToCreate ++ policyDirectoriesToCreate)}
|
||||||
|
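Review bot: The condition that decides whether `public_certificate` is emitted as an absolute path still inspects `conf.privateKey` rather than `conf.publicCertificate` (first hunk, the second `${if lib.length (lib.splitString "/" conf.privateKey) > 1 then` line, the one followed by `"dbms.ssl.policy.${name}.public_certificate=…"`), so a policy whose certificate is given as a path while its key is a bare filename gets `${conf.baseDirectory}/` prepended to an already-absolute certificate path, and a bare certificate filename is emitted unprefixed when the key is a path. This predates the commit, but since the line is being rewritten for the `lib.` prefix anyway it is worth correcting to `${if lib.length (lib.splitString "/" conf.publicCertificate) > 1 then`. Separately, the `ssl.policies` type in the `@ -380` hunk keeps `with lib.types;` while every option inside the submodule now spells out `lib.types.*`, so that remaining `with` could be dropped by writing `lib.types.attrsOf (lib.types.submodule (…` for consistency with the commit's intent.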