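# NixOS module for Redpanda Connect.
#
# Every entry of `services.redpanda-connect.pipelines` becomes its own systemd
# service named `redpanda-connect-<name>`. The pipeline configuration is
# rendered to JSON and passed to `redpanda-connect run`.
{
  lib,
  config,
  pkgs,
  ...
}:
let
  cfg = config.services.redpanda-connect;
in
{
  options.services.redpanda-connect = {
    # mkEnableOption already prefixes its argument with "Whether to enable",
    # so the argument is a noun phrase rather than a sentence.
    enable = lib.mkEnableOption "Redpanda Connect";

    package = lib.mkOption {
      type = lib.types.package;
      default = pkgs.callPackage ./package.nix { };
      description = "The Redpanda Connect package";
    };

    pipelines = lib.mkOption {
      # An empty default lets the module be enabled before any pipeline is
      # declared, instead of failing evaluation on an undefined option.
      default = { };
      description = ''
        Pipelines to run, keyed by name. Each enabled pipeline is started as
        the systemd service `redpanda-connect-<name>`.
      '';
      type = lib.types.attrsOf (
        lib.types.submodule {
          options = {
            # Defaults to true so that pipelines declared without an explicit
            # `enable` keep running; `enable = false` now stops the unit from
            # being generated (the flag was previously never read).
            enable = (lib.mkEnableOption "this pipeline") // {
              default = true;
            };

            # SECURITY: despite the name, this does not configure sudo. It
            # runs the whole pipeline process as root and turns off
            # DynamicUser, which also drops the sandboxing DynamicUser brings.
            allowSudo = lib.mkEnableOption "running this pipeline as root with the DynamicUser sandbox turned off";

            config = lib.mkOption {
              type = lib.types.attrs;
              description = ''
                The configuration for the pipeline.

                The value is serialised to JSON and written to the Nix store,
                which is readable by every local user. Do not place
                credentials in it; supply secrets to the service at runtime
                instead.
              '';
            };
          };
        }
      );
    };
  };

  config = lib.mkIf cfg.enable (
    let
      # Pipelines whose own `enable` flag is set; only these get a unit.
      enabledPipelines = lib.filterAttrs (_: pipeline: pipeline.enable) cfg.pipelines;

      # Root-running pipelines as a list of { name, value } pairs. Currently
      # referenced only by the disabled polkit block below.
      sudoEnabledServices = builtins.filter (pipeline: pipeline.value.allowSudo) (
        lib.attrsToList enabledPipelines
      );
    in
    {
      systemd.services = lib.mapAttrs' (
        name: pipeline:
        let
          # World-readable store path; see the caveat on the `config` option.
          configFile = pkgs.writeText "redpanda-connect-${name}.json" (builtins.toJSON pipeline.config);
        in
        lib.nameValuePair "redpanda-connect-${name}" {
          wantedBy = [ "multi-user.target" ];
          serviceConfig = {
            Type = "simple";
            ExecStart = "${cfg.package}/bin/redpanda-connect run ${configFile}";
            Restart = "always";
            RestartSec = "5";
            # Unprivileged, transient user unless root was explicitly requested.
            DynamicUser = !pipeline.allowSudo;
          }
          # Set User only for root pipelines, rather than emitting a null
          # User for every other unit.
          // lib.optionalAttrs pipeline.allowSudo { User = "root"; };
        }
      ) enabledPipelines;

      # NOTE(review): the disabled rule below has no check on `subject`, so if
      # it were re-enabled as written it would let any local user manage units
      # that run as root. Restrict it to a specific group or user first, and
      # confirm the unit name polkit reports matches the compared string.
      #security.polkit.extraConfig = builtins.concatStringsSep "\n" (
      #  builtins.map (value: ''
      #    polkit.addRule(function(action, subject) {
      #      if (action.id == "org.freedesktop.systemd1.manage-units" &&
      #          action.lookup("unit") == "redpanda-connect-${value.name}") {
      #        return polkit.Result.YES;
      #      }
      #    });
      #  '') sudoEnabledServices
      #);

      #users.users.redpanda-connect-sudo = {
      #  isSystemUser = true;
      #  description = "Redpanda Connect sudo user";
      #  createHome = false;
      #  shell = "/run/current-system/sw/bin/nologin";
      #  group = "nogroup"; # We don't need a group...
      #};
    }
  );
}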