diff options
| author | Alyssa Ross <hi@alyssa.is> | 2022-05-31 09:59:33 +0000 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2022-05-31 09:59:57 +0000 |
| commit | 9ff36293d1e428cd7bf03e8d4b03611b6d361c28 (patch) | |
| tree | 1ab51a42b868c55b83f6ccdb80371b9888739dd9 /nixos/modules/services/networking | |
| parent | 1c4fcd0d4b0541e674ee56ace1053e23e562cc80 (diff) | |
| parent | ddc3c396a51918043bb0faa6f676abd9562be62c (diff) | |
| download | nixpkgs-9ff36293d1e428cd7bf03e8d4b03611b6d361c28.tar nixpkgs-9ff36293d1e428cd7bf03e8d4b03611b6d361c28.tar.gz nixpkgs-9ff36293d1e428cd7bf03e8d4b03611b6d361c28.tar.bz2 nixpkgs-9ff36293d1e428cd7bf03e8d4b03611b6d361c28.tar.lz nixpkgs-9ff36293d1e428cd7bf03e8d4b03611b6d361c28.tar.xz nixpkgs-9ff36293d1e428cd7bf03e8d4b03611b6d361c28.tar.zst nixpkgs-9ff36293d1e428cd7bf03e8d4b03611b6d361c28.zip | |
Last good Nixpkgs for Weston+nouveau? archive
I came this commit hash to terwiz[m] on IRC, who is trying to figure out what the last version of Spectrum that worked on their NUC with Nvidia graphics is.
Diffstat (limited to 'nixos/modules/services/networking')
263 files changed, 43791 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/3proxy.nix b/nixos/modules/services/networking/3proxy.nix new file mode 100644 index 00000000000..326a8671fcc --- /dev/null +++ b/nixos/modules/services/networking/3proxy.nix @@ -0,0 +1,413 @@ +{ config, lib, pkgs, ... }: +with lib; +let + pkg = pkgs._3proxy; + cfg = config.services._3proxy; + optionalList = list: if list == [ ] then "*" else concatMapStringsSep "," toString list; +in { + options.services._3proxy = { + enable = mkEnableOption "3proxy"; + confFile = mkOption { + type = types.path; + example = "/var/lib/3proxy/3proxy.conf"; + description = '' + Ignore all other 3proxy options and load configuration from this file. + ''; + }; + usersFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/lib/3proxy/3proxy.passwd"; + description = '' + Load users and passwords from this file. + + Example users file with plain-text passwords: + + <literal> + test1:CL:password1 + test2:CL:password2 + </literal> + + Example users file with md5-crypted passwords: + + <literal> + test1:CR:$1$tFkisVd2$1GA8JXkRmTXdLDytM/i3a1 + test2:CR:$1$rkpibm5J$Aq1.9VtYAn0JrqZ8M.1ME. + </literal> + + You can generate md5-crypted passwords via https://unix4lyfe.org/crypt/ + Note that htpasswd tool generates incompatible md5-crypted passwords. + Consult <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/How-To-(incomplete)#USERS">documentation</link> for more information. + ''; + }; + services = mkOption { + type = types.listOf (types.submodule { + options = { + type = mkOption { + type = types.enum [ + "proxy" + "socks" + "pop3p" + "ftppr" + "admin" + "dnspr" + "tcppm" + "udppm" + ]; + example = "proxy"; + description = '' + Service type. The following values are valid: + + <itemizedlist> + <listitem><para> + <literal>"proxy"</literal>: HTTP/HTTPS proxy (default port 3128). + </para></listitem> + <listitem><para> + <literal>"socks"</literal>: SOCKS 4/4.5/5 proxy (default port 1080). + </para></listitem> + <listitem><para> + <literal>"pop3p"</literal>: POP3 proxy (default port 110). + </para></listitem> + <listitem><para> + <literal>"ftppr"</literal>: FTP proxy (default port 21). + </para></listitem> + <listitem><para> + <literal>"admin"</literal>: Web interface (default port 80). + </para></listitem> + <listitem><para> + <literal>"dnspr"</literal>: Caching DNS proxy (default port 53). + </para></listitem> + <listitem><para> + <literal>"tcppm"</literal>: TCP portmapper. + </para></listitem> + <listitem><para> + <literal>"udppm"</literal>: UDP portmapper. + </para></listitem> + </itemizedlist> + ''; + }; + bindAddress = mkOption { + type = types.str; + default = "[::]"; + example = "127.0.0.1"; + description = '' + Address used for service. + ''; + }; + bindPort = mkOption { + type = types.nullOr types.int; + default = null; + example = 3128; + description = '' + Override default port used for service. + ''; + }; + maxConnections = mkOption { + type = types.int; + default = 100; + example = 1000; + description = '' + Maximum number of simulationeous connections to this service. + ''; + }; + auth = mkOption { + type = types.listOf (types.enum [ "none" "iponly" "strong" ]); + example = [ "iponly" "strong" ]; + description = '' + Authentication type. The following values are valid: + + <itemizedlist> + <listitem><para> + <literal>"none"</literal>: disables both authentication and authorization. You can not use ACLs. + </para></listitem> + <listitem><para> + <literal>"iponly"</literal>: specifies no authentication. ACLs authorization is used. + </para></listitem> + <listitem><para> + <literal>"strong"</literal>: authentication by username/password. If user is not registered their access is denied regardless of ACLs. + </para></listitem> + </itemizedlist> + + Double authentication is possible, e.g. + + <literal> + { + auth = [ "iponly" "strong" ]; + acl = [ + { + rule = "allow"; + targets = [ "192.168.0.0/16" ]; + } + { + rule = "allow" + users = [ "user1" "user2" ]; + } + ]; + } + </literal> + In this example strong username authentication is not required to access 192.168.0.0/16. + ''; + }; + acl = mkOption { + type = types.listOf (types.submodule { + options = { + rule = mkOption { + type = types.enum [ "allow" "deny" ]; + example = "allow"; + description = '' + ACL rule. The following values are valid: + + <itemizedlist> + <listitem><para> + <literal>"allow"</literal>: connections allowed. + </para></listitem> + <listitem><para> + <literal>"deny"</literal>: connections not allowed. + </para></listitem> + </itemizedlist> + ''; + }; + users = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "user1" "user2" "user3" ]; + description = '' + List of users, use empty list for any. + ''; + }; + sources = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "127.0.0.1" "192.168.1.0/24" ]; + description = '' + List of source IP range, use empty list for any. + ''; + }; + targets = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "127.0.0.1" "192.168.1.0/24" ]; + description = '' + List of target IP ranges, use empty list for any. + May also contain host names instead of addresses. + It's possible to use wildmask in the begginning and in the the end of hostname, e.g. *badsite.com or *badcontent*. + Hostname is only checked if hostname presents in request. + ''; + }; + targetPorts = mkOption { + type = types.listOf types.int; + default = [ ]; + example = [ 80 443 ]; + description = '' + List of target ports, use empty list for any. + ''; + }; + }; + }); + default = [ ]; + example = literalExpression '' + [ + { + rule = "allow"; + users = [ "user1" ]; + } + { + rule = "allow"; + sources = [ "192.168.1.0/24" ]; + } + { + rule = "deny"; + } + ] + ''; + description = '' + Use this option to limit user access to resources. + ''; + }; + extraArguments = mkOption { + type = types.nullOr types.str; + default = null; + example = "-46"; + description = '' + Extra arguments for service. + Consult "Options" section in <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/3proxy.cfg">documentation</link> for available arguments. + ''; + }; + extraConfig = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Extra configuration for service. Use this to configure things like bandwidth limiter or ACL-based redirection. + Consult <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/3proxy.cfg">documentation</link> for available options. + ''; + }; + }; + }); + default = [ ]; + example = literalExpression '' + [ + { + type = "proxy"; + bindAddress = "192.168.1.24"; + bindPort = 3128; + auth = [ "none" ]; + } + { + type = "proxy"; + bindAddress = "10.10.1.20"; + bindPort = 3128; + auth = [ "iponly" ]; + } + { + type = "socks"; + bindAddress = "172.17.0.1"; + bindPort = 1080; + auth = [ "strong" ]; + } + ] + ''; + description = '' + Use this option to define 3proxy services. + ''; + }; + denyPrivate = mkOption { + type = types.bool; + default = true; + description = '' + Whether to deny access to private IP ranges including loopback. + ''; + }; + privateRanges = mkOption { + type = types.listOf types.str; + default = [ + "0.0.0.0/8" + "127.0.0.0/8" + "10.0.0.0/8" + "100.64.0.0/10" + "172.16.0.0/12" + "192.168.0.0/16" + "::" + "::1" + "fc00::/7" + ]; + description = '' + What IP ranges to deny access when denyPrivate is set tu true. + ''; + }; + resolution = mkOption { + type = types.submodule { + options = { + nserver = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "127.0.0.53" "192.168.1.3:5353/tcp" ]; + description = '' + List of nameservers to use. + + Up to 5 nservers may be specified. If no nserver is configured, + default system name resolution functions are used. + ''; + }; + nscache = mkOption { + type = types.int; + default = 65535; + description = "Set name cache size for IPv4."; + }; + nscache6 = mkOption { + type = types.int; + default = 65535; + description = "Set name cache size for IPv6."; + }; + nsrecord = mkOption { + type = types.attrsOf types.str; + default = { }; + example = literalExpression '' + { + "files.local" = "192.168.1.12"; + "site.local" = "192.168.1.43"; + } + ''; + description = "Adds static nsrecords."; + }; + }; + }; + default = { }; + description = '' + Use this option to configure name resolution and DNS caching. + ''; + }; + extraConfig = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Extra configuration, appended to the 3proxy configuration file. + Consult <link xlink:href="https://github.com/z3APA3A/3proxy/wiki/3proxy.cfg">documentation</link> for available options. + ''; + }; + }; + + config = mkIf cfg.enable { + services._3proxy.confFile = mkDefault (pkgs.writeText "3proxy.conf" '' + # log to stdout + log + + ${concatMapStringsSep "\n" (x: "nserver " + x) cfg.resolution.nserver} + + nscache ${toString cfg.resolution.nscache} + nscache6 ${toString cfg.resolution.nscache6} + + ${concatMapStringsSep "\n" (x: "nsrecord " + x) + (mapAttrsToList (name: value: "${name} ${value}") + cfg.resolution.nsrecord)} + + ${optionalString (cfg.usersFile != null) + ''users $"${cfg.usersFile}"'' + } + + ${concatMapStringsSep "\n" (service: '' + auth ${concatStringsSep " " service.auth} + + ${optionalString (cfg.denyPrivate) + "deny * * ${optionalList cfg.privateRanges}"} + + ${concatMapStringsSep "\n" (acl: + "${acl.rule} ${ + concatMapStringsSep " " optionalList [ + acl.users + acl.sources + acl.targets + acl.targetPorts + ] + }") service.acl} + + maxconn ${toString service.maxConnections} + + ${optionalString (service.extraConfig != null) service.extraConfig} + + ${service.type} -i${toString service.bindAddress} ${ + optionalString (service.bindPort != null) + "-p${toString service.bindPort}" + } ${ + optionalString (service.extraArguments != null) service.extraArguments + } + + flush + '') cfg.services} + ${optionalString (cfg.extraConfig != null) cfg.extraConfig} + ''); + systemd.services."3proxy" = { + description = "Tiny free proxy server"; + documentation = [ "https://github.com/z3APA3A/3proxy/wiki" ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + StateDirectory = "3proxy"; + ExecStart = "${pkg}/bin/3proxy ${cfg.confFile}"; + Restart = "on-failure"; + }; + }; + }; + + meta.maintainers = with maintainers; [ misuzu ]; +} diff --git a/nixos/modules/services/networking/adguardhome.nix b/nixos/modules/services/networking/adguardhome.nix new file mode 100644 index 00000000000..98ddf071608 --- /dev/null +++ b/nixos/modules/services/networking/adguardhome.nix @@ -0,0 +1,140 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.adguardhome; + + args = concatStringsSep " " ([ + "--no-check-update" + "--pidfile /run/AdGuardHome/AdGuardHome.pid" + "--work-dir /var/lib/AdGuardHome/" + "--config /var/lib/AdGuardHome/AdGuardHome.yaml" + ] ++ cfg.extraArgs); + + baseConfig = { + bind_host = cfg.host; + bind_port = cfg.port; + }; + + configFile = pkgs.writeTextFile { + name = "AdGuardHome.yaml"; + text = builtins.toJSON (recursiveUpdate cfg.settings baseConfig); + checkPhase = "${pkgs.adguardhome}/bin/adguardhome -c $out --check-config"; + }; + +in { + options.services.adguardhome = with types; { + enable = mkEnableOption "AdGuard Home network-wide ad blocker"; + + host = mkOption { + default = "0.0.0.0"; + type = str; + description = '' + Host address to bind HTTP server to. + ''; + }; + + port = mkOption { + default = 3000; + type = port; + description = '' + Port to serve HTTP pages on. + ''; + }; + + openFirewall = mkOption { + default = false; + type = bool; + description = '' + Open ports in the firewall for the AdGuard Home web interface. Does not + open the port needed to access the DNS resolver. + ''; + }; + + mutableSettings = mkOption { + default = true; + type = bool; + description = '' + Allow changes made on the AdGuard Home web interface to persist between + service restarts. + ''; + }; + + settings = mkOption { + type = (pkgs.formats.yaml { }).type; + default = { }; + description = '' + AdGuard Home configuration. Refer to + <link xlink:href="https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file"/> + for details on supported values. + + <note><para> + On start and if <option>mutableSettings</option> is <literal>true</literal>, + these options are merged into the configuration file on start, taking + precedence over configuration changes made on the web interface. + </para></note> + ''; + }; + + extraArgs = mkOption { + default = [ ]; + type = listOf str; + description = '' + Extra command line parameters to be passed to the adguardhome binary. + ''; + }; + }; + + config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.settings != { } + -> (hasAttrByPath [ "dns" "bind_host" ] cfg.settings) + || (hasAttrByPath [ "dns" "bind_hosts" ] cfg.settings); + message = + "AdGuard setting dns.bind_host or dns.bind_hosts needs to be configured for a minimal working configuration"; + } + { + assertion = cfg.settings != { } + -> hasAttrByPath [ "dns" "bootstrap_dns" ] cfg.settings; + message = + "AdGuard setting dns.bootstrap_dns needs to be configured for a minimal working configuration"; + } + ]; + + systemd.services.adguardhome = { + description = "AdGuard Home: Network-level blocker"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + StartLimitIntervalSec = 5; + StartLimitBurst = 10; + }; + + preStart = optionalString (cfg.settings != { }) '' + if [ -e "$STATE_DIRECTORY/AdGuardHome.yaml" ] \ + && [ "${toString cfg.mutableSettings}" = "1" ]; then + # Writing directly to AdGuardHome.yaml results in empty file + ${pkgs.yaml-merge}/bin/yaml-merge "$STATE_DIRECTORY/AdGuardHome.yaml" "${configFile}" > "$STATE_DIRECTORY/AdGuardHome.yaml.tmp" + mv "$STATE_DIRECTORY/AdGuardHome.yaml.tmp" "$STATE_DIRECTORY/AdGuardHome.yaml" + else + cp --force "${configFile}" "$STATE_DIRECTORY/AdGuardHome.yaml" + chmod 600 "$STATE_DIRECTORY/AdGuardHome.yaml" + fi + ''; + + serviceConfig = { + DynamicUser = true; + ExecStart = "${pkgs.adguardhome}/bin/adguardhome ${args}"; + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + Restart = "always"; + RestartSec = 10; + RuntimeDirectory = "AdGuardHome"; + StateDirectory = "AdGuardHome"; + }; + }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + }; +} diff --git a/nixos/modules/services/networking/amuled.nix b/nixos/modules/services/networking/amuled.nix new file mode 100644 index 00000000000..aa72a047526 --- /dev/null +++ b/nixos/modules/services/networking/amuled.nix @@ -0,0 +1,83 @@ +{ config, lib, options, pkgs, ... }: + +with lib; + +let + cfg = config.services.amule; + opt = options.services.amule; + user = if cfg.user != null then cfg.user else "amule"; +in + +{ + + ###### interface + + options = { + + services.amule = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run the AMule daemon. You need to manually run "amuled --ec-config" to configure the service for the first time. + ''; + }; + + dataDir = mkOption { + type = types.str; + default = "/home/${user}/"; + defaultText = literalExpression '' + "/home/''${config.${opt.user}}/" + ''; + description = '' + The directory holding configuration, incoming and temporary files. + ''; + }; + + user = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The user the AMule daemon should run as. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + users.users = mkIf (cfg.user == null) [ + { name = "amule"; + description = "AMule daemon"; + group = "amule"; + uid = config.ids.uids.amule; + } ]; + + users.groups = mkIf (cfg.user == null) [ + { name = "amule"; + gid = config.ids.gids.amule; + } ]; + + systemd.services.amuled = { + description = "AMule daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + preStart = '' + mkdir -p ${cfg.dataDir} + chown ${user} ${cfg.dataDir} + ''; + + script = '' + ${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${user} \ + -c 'HOME="${cfg.dataDir}" ${pkgs.amule-daemon}/bin/amuled' + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/antennas.nix b/nixos/modules/services/networking/antennas.nix new file mode 100644 index 00000000000..ef98af22f20 --- /dev/null +++ b/nixos/modules/services/networking/antennas.nix @@ -0,0 +1,80 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.services.antennas; +in + +{ + options = { + services.antennas = { + enable = mkEnableOption "Antennas"; + + tvheadendUrl = mkOption { + type = types.str; + default = "http://localhost:9981"; + description = "URL of Tvheadend."; + }; + + antennasUrl = mkOption { + type = types.str; + default = "http://127.0.0.1:5004"; + description = "URL of Antennas."; + }; + + tunerCount = mkOption { + type = types.int; + default = 6; + description = "Numbers of tuners in tvheadend."; + }; + + deviceUUID = mkOption { + type = types.str; + default = "2f70c0d7-90a3-4429-8275-cbeeee9cd605"; + description = "Device tuner UUID. Change this if you are running multiple instances."; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.antennas = { + description = "Antennas HDHomeRun emulator for Tvheadend. "; + wantedBy = [ "multi-user.target" ]; + + # Config + environment = { + TVHEADEND_URL = cfg.tvheadendUrl; + ANTENNAS_URL = cfg.antennasUrl; + TUNER_COUNT = toString cfg.tunerCount; + DEVICE_UUID = cfg.deviceUUID; + }; + + serviceConfig = { + ExecStart = "${pkgs.antennas}/bin/antennas"; + + # Antennas expects all resources like html and config to be relative to it's working directory + WorkingDirectory = "${pkgs.antennas}/libexec/antennas/deps/antennas/"; + + # Hardening + CapabilityBoundingSet = [ "" ]; + DynamicUser = true; + LockPersonality = true; + ProcSubset = "pid"; + PrivateDevices = true; + PrivateUsers = true; + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RestrictNamespaces = true; + RestrictRealtime = true; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/aria2.nix b/nixos/modules/services/networking/aria2.nix new file mode 100644 index 00000000000..156fef14479 --- /dev/null +++ b/nixos/modules/services/networking/aria2.nix @@ -0,0 +1,131 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.aria2; + + homeDir = "/var/lib/aria2"; + + settingsDir = "${homeDir}"; + sessionFile = "${homeDir}/aria2.session"; + downloadDir = "${homeDir}/Downloads"; + + rangesToStringList = map (x: builtins.toString x.from +"-"+ builtins.toString x.to); + + settingsFile = pkgs.writeText "aria2.conf" + '' + dir=${cfg.downloadDir} + listen-port=${concatStringsSep "," (rangesToStringList cfg.listenPortRange)} + rpc-listen-port=${toString cfg.rpcListenPort} + rpc-secret=${cfg.rpcSecret} + ''; + +in +{ + options = { + services.aria2 = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether or not to enable the headless Aria2 daemon service. + + Aria2 daemon can be controlled via the RPC interface using + one of many WebUI (http://localhost:6800/ by default). + + Targets are downloaded to ${downloadDir} by default and are + accessible to users in the "aria2" group. + ''; + }; + openPorts = mkOption { + type = types.bool; + default = false; + description = '' + Open listen and RPC ports found in listenPortRange and rpcListenPort + options in the firewall. + ''; + }; + downloadDir = mkOption { + type = types.path; + default = downloadDir; + description = '' + Directory to store downloaded files. + ''; + }; + listenPortRange = mkOption { + type = types.listOf types.attrs; + default = [ { from = 6881; to = 6999; } ]; + description = '' + Set UDP listening port range used by DHT(IPv4, IPv6) and UDP tracker. + ''; + }; + rpcListenPort = mkOption { + type = types.int; + default = 6800; + description = "Specify a port number for JSON-RPC/XML-RPC server to listen to. Possible Values: 1024-65535"; + }; + rpcSecret = mkOption { + type = types.str; + default = "aria2rpc"; + description = '' + Set RPC secret authorization token. + Read https://aria2.github.io/manual/en/html/aria2c.html#rpc-auth to know how this option value is used. + ''; + }; + extraArguments = mkOption { + type = types.separatedString " "; + example = "--rpc-listen-all --remote-time=true"; + default = ""; + description = '' + Additional arguments to be passed to Aria2. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + + # Need to open ports for proper functioning + networking.firewall = mkIf cfg.openPorts { + allowedUDPPortRanges = config.services.aria2.listenPortRange; + allowedTCPPorts = [ config.services.aria2.rpcListenPort ]; + }; + + users.users.aria2 = { + group = "aria2"; + uid = config.ids.uids.aria2; + description = "aria2 user"; + home = homeDir; + createHome = false; + }; + + users.groups.aria2.gid = config.ids.gids.aria2; + + systemd.tmpfiles.rules = [ + "d '${homeDir}' 0770 aria2 aria2 - -" + "d '${config.services.aria2.downloadDir}' 0770 aria2 aria2 - -" + ]; + + systemd.services.aria2 = { + description = "aria2 Service"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + preStart = '' + if [[ ! -e "${sessionFile}" ]] + then + touch "${sessionFile}" + fi + cp -f "${settingsFile}" "${settingsDir}/aria2.conf" + ''; + + serviceConfig = { + Restart = "on-abort"; + ExecStart = "${pkgs.aria2}/bin/aria2c --enable-rpc --conf-path=${settingsDir}/aria2.conf ${config.services.aria2.extraArguments} --save-session=${sessionFile}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + User = "aria2"; + Group = "aria2"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/asterisk.nix b/nixos/modules/services/networking/asterisk.nix new file mode 100644 index 00000000000..af091d55c01 --- /dev/null +++ b/nixos/modules/services/networking/asterisk.nix @@ -0,0 +1,264 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.asterisk; + + asteriskUser = "asterisk"; + asteriskGroup = "asterisk"; + + varlibdir = "/var/lib/asterisk"; + spooldir = "/var/spool/asterisk"; + logdir = "/var/log/asterisk"; + + # Add filecontents from files of useTheseDefaultConfFiles to confFiles, do not override + defaultConfFiles = subtractLists (attrNames cfg.confFiles) cfg.useTheseDefaultConfFiles; + allConfFiles = + cfg.confFiles // + builtins.listToAttrs (map (x: { name = x; + value = builtins.readFile (cfg.package + "/etc/asterisk/" + x); }) + defaultConfFiles); + + asteriskEtc = pkgs.stdenv.mkDerivation + ((mapAttrs' (name: value: nameValuePair + # Fudge the names to make bash happy + ((replaceChars ["."] ["_"] name) + "_") + (value) + ) allConfFiles) // + { + confFilesString = concatStringsSep " " ( + attrNames allConfFiles + ); + + name = "asterisk-etc"; + + # Default asterisk.conf file + # (Notice that astetcdir will be set to the path of this derivation) + asteriskConf = '' + [directories] + astetcdir => /etc/asterisk + astmoddir => ${cfg.package}/lib/asterisk/modules + astvarlibdir => /var/lib/asterisk + astdbdir => /var/lib/asterisk + astkeydir => /var/lib/asterisk + astdatadir => /var/lib/asterisk + astagidir => /var/lib/asterisk/agi-bin + astspooldir => /var/spool/asterisk + astrundir => /run/asterisk + astlogdir => /var/log/asterisk + astsbindir => ${cfg.package}/sbin + ''; + extraConf = cfg.extraConfig; + + # Loading all modules by default is considered sensible by the authors of + # "Asterisk: The Definitive Guide". Secure sites will likely want to + # specify their own "modules.conf" in the confFiles option. + modulesConf = '' + [modules] + autoload=yes + ''; + + # Use syslog for logging so logs can be viewed with journalctl + loggerConf = '' + [general] + + [logfiles] + syslog.local0 => notice,warning,error + ''; + + buildCommand = '' + mkdir -p "$out" + + # Create asterisk.conf, pointing astetcdir to the path of this derivation + echo "$asteriskConf" | sed "s|@out@|$out|g" > "$out"/asterisk.conf + echo "$extraConf" >> "$out"/asterisk.conf + + echo "$modulesConf" > "$out"/modules.conf + + echo "$loggerConf" > "$out"/logger.conf + + # Config files specified in confFiles option override all other files + for i in $confFilesString; do + conf=$(echo "$i"_ | sed 's/\./_/g') + echo "''${!conf}" > "$out"/"$i" + done + ''; + }); +in + +{ + options = { + services.asterisk = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the Asterisk PBX server. + ''; + }; + + extraConfig = mkOption { + default = ""; + type = types.lines; + example = '' + [options] + verbose=3 + debug=3 + ''; + description = '' + Extra configuration options appended to the default + <literal>asterisk.conf</literal> file. + ''; + }; + + confFiles = mkOption { + default = {}; + type = types.attrsOf types.str; + example = literalExpression + '' + { + "extensions.conf" = ''' + [tests] + ; Dial 100 for "hello, world" + exten => 100,1,Answer() + same => n,Wait(1) + same => n,Playback(hello-world) + same => n,Hangup() + + [softphones] + include => tests + + [unauthorized] + '''; + "sip.conf" = ''' + [general] + allowguest=no ; Require authentication + context=unauthorized ; Send unauthorized users to /dev/null + srvlookup=no ; Don't do DNS lookup + udpbindaddr=0.0.0.0 ; Listen on all interfaces + nat=force_rport,comedia ; Assume device is behind NAT + + [softphone](!) + type=friend ; Match on username first, IP second + context=softphones ; Send to softphones context in + ; extensions.conf file + host=dynamic ; Device will register with asterisk + disallow=all ; Manually specify codecs to allow + allow=g722 + allow=ulaw + allow=alaw + + [myphone](softphone) + secret=GhoshevFew ; Change this password! + '''; + "logger.conf" = ''' + [general] + + [logfiles] + ; Add debug output to log + syslog.local0 => notice,warning,error,debug + '''; + } + ''; + description = '' + Sets the content of config files (typically ending with + <literal>.conf</literal>) in the Asterisk configuration directory. + + Note that if you want to change <literal>asterisk.conf</literal>, it + is preferable to use the <option>services.asterisk.extraConfig</option> + option over this option. If <literal>"asterisk.conf"</literal> is + specified with the <option>confFiles</option> option (not recommended), + you must be prepared to set your own <literal>astetcdir</literal> + path. + + See + <link xlink:href="http://www.asterisk.org/community/documentation"/> + for more examples of what is possible here. + ''; + }; + + useTheseDefaultConfFiles = mkOption { + default = [ "ari.conf" "acl.conf" "agents.conf" "amd.conf" "calendar.conf" "cdr.conf" "cdr_syslog.conf" "cdr_custom.conf" "cel.conf" "cel_custom.conf" "cli_aliases.conf" "confbridge.conf" "dundi.conf" "features.conf" "hep.conf" "iax.conf" "pjsip.conf" "pjsip_wizard.conf" "phone.conf" "phoneprov.conf" "queues.conf" "res_config_sqlite3.conf" "res_parking.conf" "statsd.conf" "udptl.conf" "unistim.conf" ]; + type = types.listOf types.str; + example = [ "sip.conf" "dundi.conf" ]; + description = ''Sets these config files to the default content. The default value for + this option contains all necesscary files to avoid errors at startup. + This does not override settings via <option>services.asterisk.confFiles</option>. + ''; + }; + + extraArguments = mkOption { + default = []; + type = types.listOf types.str; + example = + [ "-vvvddd" "-e" "1024" ]; + description = '' + Additional command line arguments to pass to Asterisk. + ''; + }; + package = mkOption { + type = types.package; + default = pkgs.asterisk; + defaultText = literalExpression "pkgs.asterisk"; + description = "The Asterisk package to use."; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + + environment.etc.asterisk.source = asteriskEtc; + + users.users.asterisk = + { name = asteriskUser; + group = asteriskGroup; + uid = config.ids.uids.asterisk; + description = "Asterisk daemon user"; + home = varlibdir; + }; + + users.groups.asterisk = + { name = asteriskGroup; + gid = config.ids.gids.asterisk; + }; + + systemd.services.asterisk = { + description = '' + Asterisk PBX server + ''; + + wantedBy = [ "multi-user.target" ]; + + # Do not restart, to avoid disruption of running calls. Restart unit by yourself! + restartIfChanged = false; + + preStart = '' + # Copy skeleton directory tree to /var + for d in '${varlibdir}' '${spooldir}' '${logdir}'; do + # TODO: Make exceptions for /var directories that likely should be updated + if [ ! -e "$d" ]; then + mkdir -p "$d" + cp --recursive ${cfg.package}/"$d"/* "$d"/ + chown --recursive ${asteriskUser}:${asteriskGroup} "$d" + find "$d" -type d | xargs chmod 0755 + fi + done + ''; + + serviceConfig = { + ExecStart = + let + # FIXME: This doesn't account for arguments with spaces + argString = concatStringsSep " " cfg.extraArguments; + in + "${cfg.package}/bin/asterisk -U ${asteriskUser} -C /etc/asterisk/asterisk.conf ${argString} -F"; + ExecReload = ''${cfg.package}/bin/asterisk -x "core reload" + ''; + Type = "forking"; + PIDFile = "/run/asterisk/asterisk.pid"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/atftpd.nix b/nixos/modules/services/networking/atftpd.nix new file mode 100644 index 00000000000..da5e305201f --- /dev/null +++ b/nixos/modules/services/networking/atftpd.nix @@ -0,0 +1,65 @@ +# NixOS module for atftpd TFTP server + +{ config, pkgs, lib, ... }: + +with lib; + +let + + cfg = config.services.atftpd; + +in + +{ + + options = { + + services.atftpd = { + + enable = mkOption { + default = false; + type = types.bool; + description = '' + Whether to enable the atftpd TFTP server. By default, the server + binds to address 0.0.0.0. + ''; + }; + + extraOptions = mkOption { + default = []; + type = types.listOf types.str; + example = literalExpression '' + [ "--bind-address 192.168.9.1" + "--verbose=7" + ] + ''; + description = '' + Extra command line arguments to pass to atftp. + ''; + }; + + root = mkOption { + default = "/srv/tftp"; + type = types.path; + description = '' + Document root directory for the atftpd. + ''; + }; + + }; + + }; + + config = mkIf cfg.enable { + + systemd.services.atftpd = { + description = "TFTP Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + # runs as nobody + serviceConfig.ExecStart = "${pkgs.atftp}/sbin/atftpd --daemon --no-fork ${lib.concatStringsSep " " cfg.extraOptions} ${cfg.root}"; + }; + + }; + +} diff --git a/nixos/modules/services/networking/autossh.nix b/nixos/modules/services/networking/autossh.nix new file mode 100644 index 00000000000..245f2bfc2cf --- /dev/null +++ b/nixos/modules/services/networking/autossh.nix @@ -0,0 +1,113 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.autossh; + +in + +{ + + ###### interface + + options = { + + services.autossh = { + + sessions = mkOption { + type = types.listOf (types.submodule { + options = { + name = mkOption { + type = types.str; + example = "socks-peer"; + description = "Name of the local AutoSSH session"; + }; + user = mkOption { + type = types.str; + example = "bill"; + description = "Name of the user the AutoSSH session should run as"; + }; + monitoringPort = mkOption { + type = types.int; + default = 0; + example = 20000; + description = '' + Port to be used by AutoSSH for peer monitoring. Note, that + AutoSSH also uses mport+1. Value of 0 disables the keep-alive + style monitoring + ''; + }; + extraArguments = mkOption { + type = types.separatedString " "; + example = "-N -D4343 bill@socks.example.net"; + description = '' + Arguments to be passed to AutoSSH and retransmitted to SSH + process. Some meaningful options include -N (don't run remote + command), -D (open SOCKS proxy on local port), -R (forward + remote port), -L (forward local port), -v (Enable debug). Check + ssh manual for the complete list. + ''; + }; + }; + }); + + default = []; + description = '' + List of AutoSSH sessions to start as systemd services. Each service is + named 'autossh-{session.name}'. + ''; + + example = [ + { + name="socks-peer"; + user="bill"; + monitoringPort = 20000; + extraArguments="-N -D4343 billremote@socks.host.net"; + } + ]; + + }; + }; + + }; + + ###### implementation + + config = mkIf (cfg.sessions != []) { + + systemd.services = + + lib.foldr ( s : acc : acc // + { + "autossh-${s.name}" = + let + mport = if s ? monitoringPort then s.monitoringPort else 0; + in + { + description = "AutoSSH session (" + s.name + ")"; + + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + # To be able to start the service with no network connection + environment.AUTOSSH_GATETIME="0"; + + # How often AutoSSH checks the network, in seconds + environment.AUTOSSH_POLL="30"; + + serviceConfig = { + User = "${s.user}"; + # AutoSSH may exit with 0 code if the SSH session was + # gracefully terminated by either local or remote side. + Restart = "on-success"; + ExecStart = "${pkgs.autossh}/bin/autossh -M ${toString mport} ${s.extraArguments}"; + }; + }; + }) {} cfg.sessions; + + environment.systemPackages = [ pkgs.autossh ]; + + }; +} diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix new file mode 100644 index 00000000000..50c4ffdedce --- /dev/null +++ b/nixos/modules/services/networking/avahi-daemon.nix @@ -0,0 +1,286 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.avahi; + + yesNo = yes : if yes then "yes" else "no"; + + avahiDaemonConf = with cfg; pkgs.writeText "avahi-daemon.conf" '' + [server] + ${# Users can set `networking.hostName' to the empty string, when getting + # a host name from DHCP. In that case, let Avahi take whatever the + # current host name is; setting `host-name' to the empty string in + # `avahi-daemon.conf' would be invalid. + optionalString (hostName != "") "host-name=${hostName}"} + browse-domains=${concatStringsSep ", " browseDomains} + use-ipv4=${yesNo ipv4} + use-ipv6=${yesNo ipv6} + ${optionalString (interfaces!=null) "allow-interfaces=${concatStringsSep "," interfaces}"} + ${optionalString (domainName!=null) "domain-name=${domainName}"} + allow-point-to-point=${yesNo allowPointToPoint} + ${optionalString (cacheEntriesMax!=null) "cache-entries-max=${toString cacheEntriesMax}"} + + [wide-area] + enable-wide-area=${yesNo wideArea} + + [publish] + disable-publishing=${yesNo (!publish.enable)} + disable-user-service-publishing=${yesNo (!publish.userServices)} + publish-addresses=${yesNo (publish.userServices || publish.addresses)} + publish-hinfo=${yesNo publish.hinfo} + publish-workstation=${yesNo publish.workstation} + publish-domain=${yesNo publish.domain} + + [reflector] + enable-reflector=${yesNo reflector} + ${extraConfig} + ''; +in +{ + options.services.avahi = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run the Avahi daemon, which allows Avahi clients + to use Avahi's service discovery facilities and also allows + the local machine to advertise its presence and services + (through the mDNS responder implemented by `avahi-daemon'). + ''; + }; + + hostName = mkOption { + type = types.str; + default = config.networking.hostName; + defaultText = literalExpression "config.networking.hostName"; + description = '' + Host name advertised on the LAN. If not set, avahi will use the value + of <option>config.networking.hostName</option>. + ''; + }; + + domainName = mkOption { + type = types.str; + default = "local"; + description = '' + Domain name for all advertisements. + ''; + }; + + browseDomains = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "0pointer.de" "zeroconf.org" ]; + description = '' + List of non-local DNS domains to be browsed. + ''; + }; + + ipv4 = mkOption { + type = types.bool; + default = true; + description = "Whether to use IPv4."; + }; + + ipv6 = mkOption { + type = types.bool; + default = config.networking.enableIPv6; + defaultText = literalExpression "config.networking.enableIPv6"; + description = "Whether to use IPv6."; + }; + + interfaces = mkOption { + type = types.nullOr (types.listOf types.str); + default = null; + description = '' + List of network interfaces that should be used by the <command>avahi-daemon</command>. + Other interfaces will be ignored. If <literal>null</literal>, all local interfaces + except loopback and point-to-point will be used. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = true; + description = '' + Whether to open the firewall for UDP port 5353. + ''; + }; + + allowPointToPoint = mkOption { + type = types.bool; + default = false; + description= '' + Whether to use POINTTOPOINT interfaces. Might make mDNS unreliable due to usually large + latencies with such links and opens a potential security hole by allowing mDNS access from Internet + connections. + ''; + }; + + wideArea = mkOption { + type = types.bool; + default = true; + description = "Whether to enable wide-area service discovery."; + }; + + reflector = mkOption { + type = types.bool; + default = false; + description = "Reflect incoming mDNS requests to all allowed network interfaces."; + }; + + extraServiceFiles = mkOption { + type = with types; attrsOf (either str path); + default = {}; + example = literalExpression '' + { + ssh = "''${pkgs.avahi}/etc/avahi/services/ssh.service"; + smb = ''' + <?xml version="1.0" standalone='no'?><!--*-nxml-*--> + <!DOCTYPE service-group SYSTEM "avahi-service.dtd"> + <service-group> + <name replace-wildcards="yes">%h</name> + <service> + <type>_smb._tcp</type> + <port>445</port> + </service> + </service-group> + '''; + } + ''; + description = '' + Specify custom service definitions which are placed in the avahi service directory. + See the <citerefentry><refentrytitle>avahi.service</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> manpage for detailed information. + ''; + }; + + publish = { + enable = mkOption { + type = types.bool; + default = false; + description = "Whether to allow publishing in general."; + }; + + userServices = mkOption { + type = types.bool; + default = false; + description = "Whether to publish user services. Will set <literal>addresses=true</literal>."; + }; + + addresses = mkOption { + type = types.bool; + default = false; + description = "Whether to register mDNS address records for all local IP addresses."; + }; + + hinfo = mkOption { + type = types.bool; + default = false; + description = '' + Whether to register a mDNS HINFO record which contains information about the + local operating system and CPU. + ''; + }; + + workstation = mkOption { + type = types.bool; + default = false; + description = '' + Whether to register a service of type "_workstation._tcp" on the local LAN. + ''; + }; + + domain = mkOption { + type = types.bool; + default = false; + description = "Whether to announce the locally used domain name for browsing by other hosts."; + }; + }; + + nssmdns = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the mDNS NSS (Name Service Switch) plug-in. + Enabling it allows applications to resolve names in the `.local' + domain by transparently querying the Avahi daemon. + ''; + }; + + cacheEntriesMax = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Number of resource records to be cached per interface. Use 0 to + disable caching. Avahi daemon defaults to 4096 if not set. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra config to append to avahi-daemon.conf. + ''; + }; + }; + + config = mkIf cfg.enable { + users.users.avahi = { + description = "avahi-daemon privilege separation user"; + home = "/var/empty"; + group = "avahi"; + isSystemUser = true; + }; + + users.groups.avahi = {}; + + system.nssModules = optional cfg.nssmdns pkgs.nssmdns; + system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [ + (mkBefore [ "mdns_minimal [NOTFOUND=return]" ]) # before resolve + (mkAfter [ "mdns" ]) # after dns + ]); + + environment.systemPackages = [ pkgs.avahi ]; + + environment.etc = (mapAttrs' (n: v: nameValuePair + "avahi/services/${n}.service" + { ${if types.path.check v then "source" else "text"} = v; } + ) cfg.extraServiceFiles); + + systemd.sockets.avahi-daemon = { + description = "Avahi mDNS/DNS-SD Stack Activation Socket"; + listenStreams = [ "/run/avahi-daemon/socket" ]; + wantedBy = [ "sockets.target" ]; + }; + + systemd.tmpfiles.rules = [ "d /run/avahi-daemon - avahi avahi -" ]; + + systemd.services.avahi-daemon = { + description = "Avahi mDNS/DNS-SD Stack"; + wantedBy = [ "multi-user.target" ]; + requires = [ "avahi-daemon.socket" ]; + + # Make NSS modules visible so that `avahi_nss_support ()' can + # return a sensible value. + environment.LD_LIBRARY_PATH = config.system.nssModules.path; + + path = [ pkgs.coreutils pkgs.avahi ]; + + serviceConfig = { + NotifyAccess = "main"; + BusName = "org.freedesktop.Avahi"; + Type = "dbus"; + ExecStart = "${pkgs.avahi}/sbin/avahi-daemon --syslog -f ${avahiDaemonConf}"; + }; + }; + + services.dbus.enable = true; + services.dbus.packages = [ pkgs.avahi ]; + + networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [ 5353 ]; + }; +} diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix new file mode 100644 index 00000000000..aae6f1498a4 --- /dev/null +++ b/nixos/modules/services/networking/babeld.nix @@ -0,0 +1,144 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.babeld; + + conditionalBoolToString = value: if (isBool value) then (boolToString value) else (toString value); + + paramsString = params: + concatMapStringsSep " " (name: "${name} ${conditionalBoolToString (getAttr name params)}") + (attrNames params); + + interfaceConfig = name: + let + interface = getAttr name cfg.interfaces; + in + "interface ${name} ${paramsString interface}\n"; + + configFile = with cfg; pkgs.writeText "babeld.conf" ( + '' + skip-kernel-setup true + '' + + (optionalString (cfg.interfaceDefaults != null) '' + default ${paramsString cfg.interfaceDefaults} + '') + + (concatMapStrings interfaceConfig (attrNames cfg.interfaces)) + + extraConfig); + +in + +{ + + meta.maintainers = with maintainers; [ hexa ]; + + ###### interface + + options = { + + services.babeld = { + + enable = mkEnableOption "the babeld network routing daemon"; + + interfaceDefaults = mkOption { + default = null; + description = '' + A set describing default parameters for babeld interfaces. + See <citerefentry><refentrytitle>babeld</refentrytitle><manvolnum>8</manvolnum></citerefentry> for options. + ''; + type = types.nullOr (types.attrsOf types.unspecified); + example = + { + type = "tunnel"; + split-horizon = true; + }; + }; + + interfaces = mkOption { + default = {}; + description = '' + A set describing babeld interfaces. + See <citerefentry><refentrytitle>babeld</refentrytitle><manvolnum>8</manvolnum></citerefentry> for options. + ''; + type = types.attrsOf (types.attrsOf types.unspecified); + example = + { enp0s2 = + { type = "wired"; + hello-interval = 5; + split-horizon = "auto"; + }; + }; + }; + + extraConfig = mkOption { + default = ""; + type = types.lines; + description = '' + Options that will be copied to babeld.conf. + See <citerefentry><refentrytitle>babeld</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details. + ''; + }; + }; + + }; + + + ###### implementation + + config = mkIf config.services.babeld.enable { + + boot.kernel.sysctl = { + "net.ipv6.conf.all.forwarding" = 1; + "net.ipv6.conf.all.accept_redirects" = 0; + "net.ipv4.conf.all.forwarding" = 1; + "net.ipv4.conf.all.rp_filter" = 0; + } // lib.mapAttrs' (ifname: _: lib.nameValuePair "net.ipv4.conf.${ifname}.rp_filter" (lib.mkDefault 0)) config.services.babeld.interfaces; + + systemd.services.babeld = { + description = "Babel routing daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state"; + AmbientCapabilities = [ "CAP_NET_ADMIN" ]; + CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]; + DevicePolicy = "closed"; + DynamicUser = true; + IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ]; + IPAddressDeny = "any"; + LockPersonality = true; + NoNewPrivileges = true; + MemoryDenyWriteExecute = true; + ProtectSystem = "strict"; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET6" "AF_INET" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + ProtectHome = true; + ProtectHostname = true; + ProtectProc = "invisible"; + PrivateMounts = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = false; # kernel_route(ADD): Operation not permitted + ProcSubset = "pid"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged @resources" + ]; + UMask = "0177"; + RuntimeDirectory = "babeld"; + StateDirectory = "babeld"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/bee-clef.nix b/nixos/modules/services/networking/bee-clef.nix new file mode 100644 index 00000000000..719714b2898 --- /dev/null +++ b/nixos/modules/services/networking/bee-clef.nix @@ -0,0 +1,107 @@ +{ config, lib, pkgs, ... }: + +# NOTE for now nothing is installed into /etc/bee-clef/. the config files are used as read-only from the nix store. + +with lib; +let + cfg = config.services.bee-clef; +in { + meta = { + maintainers = with maintainers; [ attila-lendvai ]; + }; + + ### interface + + options = { + services.bee-clef = { + enable = mkEnableOption "clef external signer instance for Ethereum Swarm Bee"; + + dataDir = mkOption { + type = types.nullOr types.str; + default = "/var/lib/bee-clef"; + description = '' + Data dir for bee-clef. Beware that some helper scripts may not work when changed! + The service itself should work fine, though. + ''; + }; + + passwordFile = mkOption { + type = types.nullOr types.str; + default = "/var/lib/bee-clef/password"; + description = "Password file for bee-clef."; + }; + + user = mkOption { + type = types.str; + default = "bee-clef"; + description = '' + User the bee-clef daemon should execute under. + ''; + }; + + group = mkOption { + type = types.str; + default = "bee-clef"; + description = '' + Group the bee-clef daemon should execute under. + ''; + }; + }; + }; + + ### implementation + + config = mkIf cfg.enable { + # if we ever want to have rules.js under /etc/bee-clef/ + # environment.etc."bee-clef/rules.js".source = ${pkgs.bee-clef}/rules.js + + systemd.packages = [ pkgs.bee-clef ]; # include the upstream bee-clef.service file + + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}/' 0750 ${cfg.user} ${cfg.group}" + "d '${cfg.dataDir}/keystore' 0700 ${cfg.user} ${cfg.group}" + ]; + + systemd.services.bee-clef = { + path = [ + # these are needed for the ensure-clef-account script + pkgs.coreutils + pkgs.gnused + pkgs.gawk + ]; + + wantedBy = [ "bee.service" "multi-user.target" ]; + + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStartPre = ''${pkgs.bee-clef}/share/bee-clef/ensure-clef-account "${cfg.dataDir}" "${pkgs.bee-clef}/share/bee-clef/"''; + ExecStart = [ + "" # this hides/overrides what's in the original entry + "${pkgs.bee-clef}/share/bee-clef/bee-clef-service start" + ]; + ExecStop = [ + "" # this hides/overrides what's in the original entry + "${pkgs.bee-clef}/share/bee-clef/bee-clef-service stop" + ]; + Environment = [ + "CONFIGDIR=${cfg.dataDir}" + "PASSWORD_FILE=${cfg.passwordFile}" + ]; + }; + }; + + users.users = optionalAttrs (cfg.user == "bee-clef") { + bee-clef = { + group = cfg.group; + home = cfg.dataDir; + isSystemUser = true; + description = "Daemon user for the bee-clef service"; + }; + }; + + users.groups = optionalAttrs (cfg.group == "bee-clef") { + bee-clef = {}; + }; + }; +} diff --git a/nixos/modules/services/networking/bee.nix b/nixos/modules/services/networking/bee.nix new file mode 100644 index 00000000000..d6efade0630 --- /dev/null +++ b/nixos/modules/services/networking/bee.nix @@ -0,0 +1,149 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.bee; + format = pkgs.formats.yaml {}; + configFile = format.generate "bee.yaml" cfg.settings; +in { + meta = { + # doc = ./bee.xml; + maintainers = with maintainers; [ attila-lendvai ]; + }; + + ### interface + + options = { + services.bee = { + enable = mkEnableOption "Ethereum Swarm Bee"; + + package = mkOption { + type = types.package; + default = pkgs.bee; + defaultText = literalExpression "pkgs.bee"; + example = literalExpression "pkgs.bee-unstable"; + description = "The package providing the bee binary for the service."; + }; + + settings = mkOption { + type = format.type; + description = '' + Ethereum Swarm Bee configuration. Refer to + <link xlink:href="https://gateway.ethswarm.org/bzz/docs.swarm.eth/docs/installation/configuration/"/> + for details on supported values. + ''; + }; + + daemonNiceLevel = mkOption { + type = types.int; + default = 0; + description = '' + Daemon process priority for bee. + 0 is the default Unix process priority, 19 is the lowest. + ''; + }; + + user = mkOption { + type = types.str; + default = "bee"; + description = '' + User the bee binary should execute under. + ''; + }; + + group = mkOption { + type = types.str; + default = "bee"; + description = '' + Group the bee binary should execute under. + ''; + }; + }; + }; + + ### implementation + + config = mkIf cfg.enable { + assertions = [ + { assertion = (hasAttr "password" cfg.settings) != true; + message = '' + `services.bee.settings.password` is insecure. Use `services.bee.settings.password-file` or `systemd.services.bee.serviceConfig.EnvironmentFile` instead. + ''; + } + { assertion = (hasAttr "swap-endpoint" cfg.settings) || (cfg.settings.swap-enable or true == false); + message = '' + In a swap-enabled network a working Ethereum blockchain node is required. You must specify one using `services.bee.settings.swap-endpoint`, or disable `services.bee.settings.swap-enable` = false. + ''; + } + ]; + + warnings = optional (! config.services.bee-clef.enable) "The bee service requires an external signer. Consider setting `config.services.bee-clef.enable` = true"; + + services.bee.settings = { + data-dir = lib.mkDefault "/var/lib/bee"; + password-file = lib.mkDefault "/var/lib/bee/password"; + clef-signer-enable = lib.mkDefault true; + clef-signer-endpoint = lib.mkDefault "/var/lib/bee-clef/clef.ipc"; + swap-endpoint = lib.mkDefault "https://rpc.slock.it/goerli"; + }; + + systemd.packages = [ cfg.package ]; # include the upstream bee.service file + + systemd.tmpfiles.rules = [ + "d '${cfg.settings.data-dir}' 0750 ${cfg.user} ${cfg.group}" + ]; + + systemd.services.bee = { + requires = optional config.services.bee-clef.enable + "bee-clef.service"; + + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Nice = cfg.daemonNiceLevel; + User = cfg.user; + Group = cfg.group; + ExecStart = [ + "" # this hides/overrides what's in the original entry + "${cfg.package}/bin/bee --config=${configFile} start" + ]; + }; + + preStart = with cfg.settings; '' + if ! test -f ${password-file}; then + < /dev/urandom tr -dc _A-Z-a-z-0-9 2> /dev/null | head -c32 > ${password-file} + chmod 0600 ${password-file} + echo "Initialized ${password-file} from /dev/urandom" + fi + if [ ! -f ${data-dir}/keys/libp2p.key ]; then + ${cfg.package}/bin/bee init --config=${configFile} >/dev/null + echo " +Logs: journalctl -f -u bee.service + +Bee has SWAP enabled by default and it needs ethereum endpoint to operate. +It is recommended to use external signer with bee. +Check documentation for more info: +- SWAP https://docs.ethswarm.org/docs/installation/manual#swap-bandwidth-incentives +- External signer https://docs.ethswarm.org/docs/installation/bee-clef + +After you finish configuration run 'sudo bee-get-addr'." + fi + ''; + }; + + users.users = optionalAttrs (cfg.user == "bee") { + bee = { + group = cfg.group; + home = cfg.settings.data-dir; + isSystemUser = true; + description = "Daemon user for Ethereum Swarm Bee"; + extraGroups = optional config.services.bee-clef.enable + config.services.bee-clef.group; + }; + }; + + users.groups = optionalAttrs (cfg.group == "bee") { + bee = {}; + }; + }; +} diff --git a/nixos/modules/services/networking/biboumi.nix b/nixos/modules/services/networking/biboumi.nix new file mode 100644 index 00000000000..3f46b95eaf0 --- /dev/null +++ b/nixos/modules/services/networking/biboumi.nix @@ -0,0 +1,270 @@ +{ config, lib, pkgs, options, ... }: +with lib; +let + cfg = config.services.biboumi; + inherit (config.environment) etc; + rootDir = "/run/biboumi/mnt-root"; + stateDir = "/var/lib/biboumi"; + settingsFile = pkgs.writeText "biboumi.cfg" ( + generators.toKeyValue { + mkKeyValue = k: v: + if v == null then "" + else generators.mkKeyValueDefault {} "=" k v; + } cfg.settings); + need_CAP_NET_BIND_SERVICE = cfg.settings.identd_port != 0 && cfg.settings.identd_port < 1024; +in +{ + options = { + services.biboumi = { + enable = mkEnableOption "the Biboumi XMPP gateway to IRC"; + + settings = mkOption { + description = '' + See <link xlink:href="https://lab.louiz.org/louiz/biboumi/blob/8.5/doc/biboumi.1.rst">biboumi 8.5</link> + for documentation. + ''; + default = {}; + type = types.submodule { + freeformType = with types; + (attrsOf (nullOr (oneOf [str int bool]))) // { + description = "settings option"; + }; + options.admin = mkOption { + type = with types; listOf str; + default = []; + example = ["admin@example.org"]; + apply = concatStringsSep ":"; + description = '' + The bare JID of the gateway administrator. This JID will have more + privileges than other standard users, for example some administration + ad-hoc commands will only be available to that JID. + ''; + }; + options.ca_file = mkOption { + type = types.path; + default = "/etc/ssl/certs/ca-certificates.crt"; + description = '' + Specifies which file should be used as the list of trusted CA + when negociating a TLS session. + ''; + }; + options.db_name = mkOption { + type = with types; either path str; + default = "${stateDir}/biboumi.sqlite"; + description = '' + The name of the database to use. + ''; + example = "postgresql://user:secret@localhost"; + }; + options.hostname = mkOption { + type = types.str; + example = "biboumi.example.org"; + description = '' + The hostname served by the XMPP gateway. + This domain must be configured in the XMPP server + as an external component. + ''; + }; + options.identd_port = mkOption { + type = types.port; + default = 113; + example = 0; + description = '' + The TCP port on which to listen for identd queries. + ''; + }; + options.log_level = mkOption { + type = types.ints.between 0 3; + default = 1; + description = '' + Indicate what type of log messages to write in the logs. + 0 is debug, 1 is info, 2 is warning, 3 is error. + ''; + }; + options.password = mkOption { + type = with types; nullOr str; + description = '' + The password used to authenticate the XMPP component to your XMPP server. + This password must be configured in the XMPP server, + associated with the external component on + <link linkend="opt-services.biboumi.settings.hostname">hostname</link>. + + Set it to null and use <link linkend="opt-services.biboumi.credentialsFile">credentialsFile</link> + if you do not want this password to go into the Nix store. + ''; + }; + options.persistent_by_default = mkOption { + type = types.bool; + default = false; + description = '' + Whether all rooms will be persistent by default: + the value of the “persistent” option in the global configuration of each + user will be “true”, but the value of each individual room will still + default to false. This means that a user just needs to change the global + “persistent” configuration option to false in order to override this. + ''; + }; + options.policy_directory = mkOption { + type = types.path; + default = "${pkgs.biboumi}/etc/biboumi"; + defaultText = literalExpression ''"''${pkgs.biboumi}/etc/biboumi"''; + description = '' + A directory that should contain the policy files, + used to customize Botan’s behaviour + when negociating the TLS connections with the IRC servers. + ''; + }; + options.port = mkOption { + type = types.port; + default = 5347; + description = '' + The TCP port to use to connect to the local XMPP component. + ''; + }; + options.realname_customization = mkOption { + type = types.bool; + default = true; + description = '' + Whether the users will be able to use + the ad-hoc commands that lets them configure + their realname and username. + ''; + }; + options.realname_from_jid = mkOption { + type = types.bool; + default = false; + description = '' + Whether the realname and username of each biboumi + user will be extracted from their JID. + Otherwise they will be set to the nick + they used to connect to the IRC server. + ''; + }; + options.xmpp_server_ip = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + The IP address to connect to the XMPP server on. + The connection to the XMPP server is unencrypted, + so the biboumi instance and the server should + normally be on the same host. + ''; + }; + }; + }; + + credentialsFile = mkOption { + type = types.path; + description = '' + Path to a configuration file to be merged with the settings. + Beware not to surround "=" with spaces when setting biboumi's options in this file. + Useful to merge a file which is better kept out of the Nix store + because it contains sensible data like + <link linkend="opt-services.biboumi.settings.password">password</link>. + ''; + default = "/dev/null"; + example = "/run/keys/biboumi.cfg"; + }; + + openFirewall = mkEnableOption "opening of the identd port in the firewall"; + }; + }; + + config = mkIf cfg.enable { + networking.firewall = mkIf (cfg.openFirewall && cfg.settings.identd_port != 0) + { allowedTCPPorts = [ cfg.settings.identd_port ]; }; + + systemd.services.biboumi = { + description = "Biboumi, XMPP to IRC gateway"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "notify"; + # Biboumi supports systemd's watchdog. + WatchdogSec = 20; + Restart = "always"; + # Use "+" because credentialsFile may not be accessible to User= or Group=. + ExecStartPre = [("+" + pkgs.writeShellScript "biboumi-prestart" '' + set -eux + cat ${settingsFile} '${cfg.credentialsFile}' | + install -m 644 /dev/stdin /run/biboumi/biboumi.cfg + '')]; + ExecStart = "${pkgs.biboumi}/bin/biboumi /run/biboumi/biboumi.cfg"; + ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID"; + # Firewalls needing opening for output connections can still do that + # selectively for biboumi with: + # users.users.biboumi.isSystemUser = true; + # and, for example: + # networking.nftables.ruleset = '' + # add rule inet filter output meta skuid biboumi tcp accept + # ''; + DynamicUser = true; + RootDirectory = rootDir; + RootDirectoryStartOnly = true; + InaccessiblePaths = [ "-+${rootDir}" ]; + RuntimeDirectory = [ "biboumi" (removePrefix "/run/" rootDir) ]; + RuntimeDirectoryMode = "700"; + StateDirectory = "biboumi"; + StateDirectoryMode = "700"; + MountAPIVFS = true; + UMask = "0066"; + BindPaths = [ + stateDir + # This is for Type="notify" + # See https://github.com/systemd/systemd/issues/3544 + "/run/systemd/notify" + "/run/systemd/journal/socket" + ]; + BindReadOnlyPaths = [ + builtins.storeDir + "/etc" + ]; + # The following options are only for optimizing: + # systemd-analyze security biboumi + AmbientCapabilities = [ (optionalString need_CAP_NET_BIND_SERVICE "CAP_NET_BIND_SERVICE") ]; + CapabilityBoundingSet = [ (optionalString need_CAP_NET_BIND_SERVICE "CAP_NET_BIND_SERVICE") ]; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateNetwork = mkDefault false; + PrivateTmp = true; + # PrivateUsers=true breaks AmbientCapabilities=CAP_NET_BIND_SERVICE + # See https://bugs.archlinux.org/task/65921 + PrivateUsers = !need_CAP_NET_BIND_SERVICE; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + RemoveIPC = true; + # AF_UNIX is for /run/systemd/notify + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallFilter = [ + "@system-service" + # Groups in @system-service which do not contain a syscall + # listed by perf stat -e 'syscalls:sys_enter_*' biboumi biboumi.cfg + # in tests, and seem likely not necessary for biboumi. + # To run such a perf in ExecStart=, you have to: + # - AmbientCapabilities="CAP_SYS_ADMIN" + # - mount -o remount,mode=755 /sys/kernel/debug/{,tracing} + "~@aio" "~@chown" "~@ipc" "~@keyring" "~@resources" "~@setuid" "~@timer" + ]; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + }; + }; + }; + + meta.maintainers = with maintainers; [ julm ]; +} diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix new file mode 100644 index 00000000000..2045612ec05 --- /dev/null +++ b/nixos/modules/services/networking/bind.nix @@ -0,0 +1,274 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.bind; + + bindPkg = config.services.bind.package; + + bindUser = "named"; + + bindZoneCoerce = list: builtins.listToAttrs (lib.forEach list (zone: { name = zone.name; value = zone; })); + + bindZoneOptions = { name, config, ... }: { + options = { + name = mkOption { + type = types.str; + default = name; + description = "Name of the zone."; + }; + master = mkOption { + description = "Master=false means slave server"; + type = types.bool; + }; + file = mkOption { + type = types.either types.str types.path; + description = "Zone file resource records contain columns of data, separated by whitespace, that define the record."; + }; + masters = mkOption { + type = types.listOf types.str; + description = "List of servers for inclusion in stub and secondary zones."; + }; + slaves = mkOption { + type = types.listOf types.str; + description = "Addresses who may request zone transfers."; + default = [ ]; + }; + extraConfig = mkOption { + type = types.str; + description = "Extra zone config to be appended at the end of the zone section."; + default = ""; + }; + }; + }; + + confFile = pkgs.writeText "named.conf" + '' + include "/etc/bind/rndc.key"; + controls { + inet 127.0.0.1 allow {localhost;} keys {"rndc-key";}; + }; + + acl cachenetworks { ${concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} }; + acl badnetworks { ${concatMapStrings (entry: " ${entry}; ") cfg.blockedNetworks} }; + + options { + listen-on { ${concatMapStrings (entry: " ${entry}; ") cfg.listenOn} }; + listen-on-v6 { ${concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6} }; + allow-query { cachenetworks; }; + blackhole { badnetworks; }; + forward ${cfg.forward}; + forwarders { ${concatMapStrings (entry: " ${entry}; ") cfg.forwarders} }; + directory "${cfg.directory}"; + pid-file "/run/named/named.pid"; + ${cfg.extraOptions} + }; + + ${cfg.extraConfig} + + ${ concatMapStrings + ({ name, file, master ? true, slaves ? [], masters ? [], extraConfig ? "" }: + '' + zone "${name}" { + type ${if master then "master" else "slave"}; + file "${file}"; + ${ if master then + '' + allow-transfer { + ${concatMapStrings (ip: "${ip};\n") slaves} + }; + '' + else + '' + masters { + ${concatMapStrings (ip: "${ip};\n") masters} + }; + '' + } + allow-query { any; }; + ${extraConfig} + }; + '') + (attrValues cfg.zones) } + ''; + +in + +{ + + ###### interface + + options = { + + services.bind = { + + enable = mkEnableOption "BIND domain name server"; + + + package = mkOption { + type = types.package; + default = pkgs.bind; + defaultText = literalExpression "pkgs.bind"; + description = "The BIND package to use."; + }; + + cacheNetworks = mkOption { + default = [ "127.0.0.0/24" ]; + type = types.listOf types.str; + description = " + What networks are allowed to use us as a resolver. Note + that this is for recursive queries -- all networks are + allowed to query zones configured with the `zones` option. + It is recommended that you limit cacheNetworks to avoid your + server being used for DNS amplification attacks. + "; + }; + + blockedNetworks = mkOption { + default = [ ]; + type = types.listOf types.str; + description = " + What networks are just blocked. + "; + }; + + ipv4Only = mkOption { + default = false; + type = types.bool; + description = " + Only use ipv4, even if the host supports ipv6. + "; + }; + + forwarders = mkOption { + default = config.networking.nameservers; + defaultText = literalExpression "config.networking.nameservers"; + type = types.listOf types.str; + description = " + List of servers we should forward requests to. + "; + }; + + forward = mkOption { + default = "first"; + type = types.enum ["first" "only"]; + description = " + Whether to forward 'first' (try forwarding but lookup directly if forwarding fails) or 'only'. + "; + }; + + listenOn = mkOption { + default = [ "any" ]; + type = types.listOf types.str; + description = " + Interfaces to listen on. + "; + }; + + listenOnIpv6 = mkOption { + default = [ "any" ]; + type = types.listOf types.str; + description = " + Ipv6 interfaces to listen on. + "; + }; + + directory = mkOption { + type = types.str; + default = "/run/named"; + description = "Working directory of BIND."; + }; + + zones = mkOption { + default = [ ]; + type = with types; coercedTo (listOf attrs) bindZoneCoerce (attrsOf (types.submodule bindZoneOptions)); + description = " + List of zones we claim authority over. + "; + example = { + "example.com" = { + master = false; + file = "/var/dns/example.com"; + masters = [ "192.168.0.1" ]; + slaves = [ ]; + extraConfig = ""; + }; + }; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = " + Extra lines to be added verbatim to the generated named configuration file. + "; + }; + + extraOptions = mkOption { + type = types.lines; + default = ""; + description = '' + Extra lines to be added verbatim to the options section of the + generated named configuration file. + ''; + }; + + configFile = mkOption { + type = types.path; + default = confFile; + defaultText = literalExpression "confFile"; + description = " + Overridable config file to use for named. By default, that + generated by nixos. + "; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + networking.resolvconf.useLocalResolver = mkDefault true; + + users.users.${bindUser} = + { + group = bindUser; + description = "BIND daemon user"; + isSystemUser = true; + }; + users.groups.${bindUser} = {}; + + systemd.services.bind = { + description = "BIND Domain Name Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + preStart = '' + mkdir -m 0755 -p /etc/bind + if ! [ -f "/etc/bind/rndc.key" ]; then + ${bindPkg.out}/sbin/rndc-confgen -c /etc/bind/rndc.key -u ${bindUser} -a -A hmac-sha256 2>/dev/null + fi + + ${pkgs.coreutils}/bin/mkdir -p /run/named + chown ${bindUser} /run/named + + ${pkgs.coreutils}/bin/mkdir -p ${cfg.directory} + chown ${bindUser} ${cfg.directory} + ''; + + serviceConfig = { + ExecStart = "${bindPkg.out}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; + ExecReload = "${bindPkg.out}/sbin/rndc -k '/etc/bind/rndc.key' reload"; + ExecStop = "${bindPkg.out}/sbin/rndc -k '/etc/bind/rndc.key' stop"; + }; + + unitConfig.Documentation = "man:named(8)"; + }; + }; +} diff --git a/nixos/modules/services/networking/bird.nix b/nixos/modules/services/networking/bird.nix new file mode 100644 index 00000000000..3049c4f2bce --- /dev/null +++ b/nixos/modules/services/networking/bird.nix @@ -0,0 +1,103 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkEnableOption mkIf mkOption optionalString types; + + cfg = config.services.bird2; + caps = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" ]; +in +{ + ###### interface + options = { + services.bird2 = { + enable = mkEnableOption "BIRD Internet Routing Daemon"; + config = mkOption { + type = types.lines; + description = '' + BIRD Internet Routing Daemon configuration file. + <link xlink:href='http://bird.network.cz/'/> + ''; + }; + checkConfig = mkOption { + type = types.bool; + default = true; + description = '' + Whether the config should be checked at build time. + When the config can't be checked during build time, for example when it includes + other files, either disable this option or use <code>preCheckConfig</code> to create + the included files before checking. + ''; + }; + preCheckConfig = mkOption { + type = types.lines; + default = ""; + example = '' + echo "cost 100;" > include.conf + ''; + description = '' + Commands to execute before the config file check. The file to be checked will be + available as <code>bird2.conf</code> in the current directory. + + Files created with this option will not be available at service runtime, only during + build time checking. + ''; + }; + }; + }; + + + imports = [ + (lib.mkRemovedOptionModule [ "services" "bird" ] "Use services.bird2 instead") + (lib.mkRemovedOptionModule [ "services" "bird6" ] "Use services.bird2 instead") + ]; + + ###### implementation + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.bird ]; + + environment.etc."bird/bird2.conf".source = pkgs.writeTextFile { + name = "bird2"; + text = cfg.config; + checkPhase = optionalString cfg.checkConfig '' + ln -s $out bird2.conf + ${cfg.preCheckConfig} + ${pkgs.bird}/bin/bird -d -p -c bird2.conf + ''; + }; + + systemd.services.bird2 = { + description = "BIRD Internet Routing Daemon"; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + restartTriggers = [ config.environment.etc."bird/bird2.conf".source ]; + serviceConfig = { + Type = "forking"; + Restart = "on-failure"; + User = "bird2"; + Group = "bird2"; + ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf"; + ExecReload = "${pkgs.bird}/bin/birdc configure"; + ExecStop = "${pkgs.bird}/bin/birdc down"; + RuntimeDirectory = "bird"; + CapabilityBoundingSet = caps; + AmbientCapabilities = caps; + ProtectSystem = "full"; + ProtectHome = "yes"; + ProtectKernelTunables = true; + ProtectControlGroups = true; + PrivateTmp = true; + PrivateDevices = true; + SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io"; + MemoryDenyWriteExecute = "yes"; + }; + }; + users = { + users.bird2 = { + description = "BIRD Internet Routing Daemon user"; + group = "bird2"; + isSystemUser = true; + }; + groups.bird2 = { }; + }; + }; +} diff --git a/nixos/modules/services/networking/bitcoind.nix b/nixos/modules/services/networking/bitcoind.nix new file mode 100644 index 00000000000..80033d95860 --- /dev/null +++ b/nixos/modules/services/networking/bitcoind.nix @@ -0,0 +1,261 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + + eachBitcoind = config.services.bitcoind; + + rpcUserOpts = { name, ... }: { + options = { + name = mkOption { + type = types.str; + example = "alice"; + description = '' + Username for JSON-RPC connections. + ''; + }; + passwordHMAC = mkOption { + type = types.uniq (types.strMatching "[0-9a-f]+\\$[0-9a-f]{64}"); + example = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae"; + description = '' + Password HMAC-SHA-256 for JSON-RPC connections. Must be a string of the + format <SALT-HEX>$<HMAC-HEX>. + + Tool (Python script) for HMAC generation is available here: + <link xlink:href="https://github.com/bitcoin/bitcoin/blob/master/share/rpcauth/rpcauth.py"/> + ''; + }; + }; + config = { + name = mkDefault name; + }; + }; + + bitcoindOpts = { config, lib, name, ...}: { + options = { + + enable = mkEnableOption "Bitcoin daemon"; + + package = mkOption { + type = types.package; + default = pkgs.bitcoind; + defaultText = literalExpression "pkgs.bitcoind"; + description = "The package providing bitcoin binaries."; + }; + + configFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/lib/${name}/bitcoin.conf"; + description = "The configuration file path to supply bitcoind."; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + par=16 + rpcthreads=16 + logips=1 + ''; + description = "Additional configurations to be appended to <filename>bitcoin.conf</filename>."; + }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/bitcoind-${name}"; + description = "The data directory for bitcoind."; + }; + + user = mkOption { + type = types.str; + default = "bitcoind-${name}"; + description = "The user as which to run bitcoind."; + }; + + group = mkOption { + type = types.str; + default = config.user; + description = "The group as which to run bitcoind."; + }; + + rpc = { + port = mkOption { + type = types.nullOr types.port; + default = null; + description = "Override the default port on which to listen for JSON-RPC connections."; + }; + users = mkOption { + default = {}; + example = literalExpression '' + { + alice.passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae"; + bob.passwordHMAC = "b2dd077cb54591a2f3139e69a897ac$4e71f08d48b4347cf8eff3815c0e25ae2e9a4340474079f55705f40574f4ec99"; + } + ''; + type = types.attrsOf (types.submodule rpcUserOpts); + description = "RPC user information for JSON-RPC connnections."; + }; + }; + + pidFile = mkOption { + type = types.path; + default = "${config.dataDir}/bitcoind.pid"; + description = "Location of bitcoind pid file."; + }; + + testnet = mkOption { + type = types.bool; + default = false; + description = "Whether to use the testnet instead of mainnet."; + }; + + port = mkOption { + type = types.nullOr types.port; + default = null; + description = "Override the default port on which to listen for connections."; + }; + + dbCache = mkOption { + type = types.nullOr (types.ints.between 4 16384); + default = null; + example = 4000; + description = "Override the default database cache size in MiB."; + }; + + prune = mkOption { + type = types.nullOr (types.coercedTo + (types.enum [ "disable" "manual" ]) + (x: if x == "disable" then 0 else 1) + types.ints.unsigned + ); + default = null; + example = 10000; + description = '' + Reduce storage requirements by enabling pruning (deleting) of old + blocks. This allows the pruneblockchain RPC to be called to delete + specific blocks, and enables automatic pruning of old blocks if a + target size in MiB is provided. This mode is incompatible with -txindex + and -rescan. Warning: Reverting this setting requires re-downloading + the entire blockchain. ("disable" = disable pruning blocks, "manual" + = allow manual pruning via RPC, >=550 = automatically prune block files + to stay under the specified target size in MiB). + ''; + }; + + extraCmdlineOptions = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra command line options to pass to bitcoind. + Run bitcoind --help to list all available options. + ''; + }; + }; + }; +in +{ + + options = { + services.bitcoind = mkOption { + type = types.attrsOf (types.submodule bitcoindOpts); + default = {}; + description = "Specification of one or more bitcoind instances."; + }; + }; + + config = mkIf (eachBitcoind != {}) { + + assertions = flatten (mapAttrsToList (bitcoindName: cfg: [ + { + assertion = (cfg.prune != null) -> (builtins.elem cfg.prune [ "disable" "manual" 0 1 ] || (builtins.isInt cfg.prune && cfg.prune >= 550)); + message = '' + If set, services.bitcoind.${bitcoindName}.prune has to be "disable", "manual", 0 , 1 or >= 550. + ''; + } + { + assertion = (cfg.rpc.users != {}) -> (cfg.configFile == null); + message = '' + You cannot set both services.bitcoind.${bitcoindName}.rpc.users and services.bitcoind.${bitcoindName}.configFile + as they are exclusive. RPC user setting would have no effect if custom configFile would be used. + ''; + } + ]) eachBitcoind); + + environment.systemPackages = flatten (mapAttrsToList (bitcoindName: cfg: [ + cfg.package + ]) eachBitcoind); + + systemd.services = mapAttrs' (bitcoindName: cfg: ( + nameValuePair "bitcoind-${bitcoindName}" ( + let + configFile = pkgs.writeText "bitcoin.conf" '' + # If Testnet is enabled, we need to add [test] section + # otherwise, some options (e.g.: custom RPC port) will not work + ${optionalString cfg.testnet "[test]"} + # RPC users + ${concatMapStringsSep "\n" + (rpcUser: "rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}") + (attrValues cfg.rpc.users) + } + # Extra config options (from bitcoind nixos service) + ${cfg.extraConfig} + ''; + in { + description = "Bitcoin daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = '' + ${cfg.package}/bin/bitcoind \ + ${if (cfg.configFile != null) then + "-conf=${cfg.configFile}" + else + "-conf=${configFile}" + } \ + -datadir=${cfg.dataDir} \ + -pid=${cfg.pidFile} \ + ${optionalString cfg.testnet "-testnet"}\ + ${optionalString (cfg.port != null) "-port=${toString cfg.port}"}\ + ${optionalString (cfg.prune != null) "-prune=${toString cfg.prune}"}\ + ${optionalString (cfg.dbCache != null) "-dbcache=${toString cfg.dbCache}"}\ + ${optionalString (cfg.rpc.port != null) "-rpcport=${toString cfg.rpc.port}"}\ + ${toString cfg.extraCmdlineOptions} + ''; + Restart = "on-failure"; + + # Hardening measures + PrivateTmp = "true"; + ProtectSystem = "full"; + NoNewPrivileges = "true"; + PrivateDevices = "true"; + MemoryDenyWriteExecute = "true"; + }; + } + ))) eachBitcoind; + + systemd.tmpfiles.rules = flatten (mapAttrsToList (bitcoindName: cfg: [ + "d '${cfg.dataDir}' 0770 '${cfg.user}' '${cfg.group}' - -" + ]) eachBitcoind); + + users.users = mapAttrs' (bitcoindName: cfg: ( + nameValuePair "bitcoind-${bitcoindName}" { + name = cfg.user; + group = cfg.group; + description = "Bitcoin daemon user"; + home = cfg.dataDir; + isSystemUser = true; + })) eachBitcoind; + + users.groups = mapAttrs' (bitcoindName: cfg: ( + nameValuePair "${cfg.group}" { } + )) eachBitcoind; + + }; + + meta.maintainers = with maintainers; [ _1000101 ]; + +} diff --git a/nixos/modules/services/networking/bitlbee.nix b/nixos/modules/services/networking/bitlbee.nix new file mode 100644 index 00000000000..8bf04e3a1a2 --- /dev/null +++ b/nixos/modules/services/networking/bitlbee.nix @@ -0,0 +1,189 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.bitlbee; + bitlbeeUid = config.ids.uids.bitlbee; + + bitlbeePkg = pkgs.bitlbee.override { + enableLibPurple = cfg.libpurple_plugins != []; + enablePam = cfg.authBackend == "pam"; + }; + + bitlbeeConfig = pkgs.writeText "bitlbee.conf" + '' + [settings] + RunMode = Daemon + ConfigDir = ${cfg.configDir} + DaemonInterface = ${cfg.interface} + DaemonPort = ${toString cfg.portNumber} + AuthMode = ${cfg.authMode} + AuthBackend = ${cfg.authBackend} + Plugindir = ${pkgs.bitlbee-plugins cfg.plugins}/lib/bitlbee + ${lib.optionalString (cfg.hostName != "") "HostName = ${cfg.hostName}"} + ${lib.optionalString (cfg.protocols != "") "Protocols = ${cfg.protocols}"} + ${cfg.extraSettings} + + [defaults] + ${cfg.extraDefaults} + ''; + + purple_plugin_path = + lib.concatMapStringsSep ":" + (plugin: "${plugin}/lib/pidgin/:${plugin}/lib/purple-2/") + cfg.libpurple_plugins + ; + +in + +{ + + ###### interface + + options = { + + services.bitlbee = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run the BitlBee IRC to other chat network gateway. + Running it allows you to access the MSN, Jabber, Yahoo! and ICQ chat + networks via an IRC client. + ''; + }; + + interface = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + The interface the BitlBee deamon will be listening to. If `127.0.0.1', + only clients on the local host can connect to it; if `0.0.0.0', clients + can access it from any network interface. + ''; + }; + + portNumber = mkOption { + default = 6667; + type = types.int; + description = '' + Number of the port BitlBee will be listening to. + ''; + }; + + authBackend = mkOption { + default = "storage"; + type = types.enum [ "storage" "pam" ]; + description = '' + How users are authenticated + storage -- save passwords internally + pam -- Linux PAM authentication + ''; + }; + + authMode = mkOption { + default = "Open"; + type = types.enum [ "Open" "Closed" "Registered" ]; + description = '' + The following authentication modes are available: + Open -- Accept connections from anyone, use NickServ for user authentication. + Closed -- Require authorization (using the PASS command during login) before allowing the user to connect at all. + Registered -- Only allow registered users to use this server; this disables the register- and the account command until the user identifies himself. + ''; + }; + + hostName = mkOption { + default = ""; + type = types.str; + description = '' + Normally, BitlBee gets a hostname using getsockname(). If you have a nicer + alias for your BitlBee daemon, you can set it here and BitlBee will identify + itself with that name instead. + ''; + }; + + plugins = mkOption { + type = types.listOf types.package; + default = []; + example = literalExpression "[ pkgs.bitlbee-facebook ]"; + description = '' + The list of bitlbee plugins to install. + ''; + }; + + libpurple_plugins = mkOption { + type = types.listOf types.package; + default = []; + example = literalExpression "[ pkgs.purple-matrix ]"; + description = '' + The list of libpurple plugins to install. + ''; + }; + + configDir = mkOption { + default = "/var/lib/bitlbee"; + type = types.path; + description = '' + Specify an alternative directory to store all the per-user configuration + files. + ''; + }; + + protocols = mkOption { + default = ""; + type = types.str; + description = '' + This option allows to remove the support of protocol, even if compiled + in. If nothing is given, there are no restrictions. + ''; + }; + + extraSettings = mkOption { + default = ""; + type = types.lines; + description = '' + Will be inserted in the Settings section of the config file. + ''; + }; + + extraDefaults = mkOption { + default = ""; + type = types.lines; + description = '' + Will be inserted in the Default section of the config file. + ''; + }; + + }; + + }; + + ###### implementation + + config = mkMerge [ + (mkIf config.services.bitlbee.enable { + systemd.services.bitlbee = { + environment.PURPLE_PLUGIN_PATH = purple_plugin_path; + description = "BitlBee IRC to other chat networks gateway"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + DynamicUser = true; + StateDirectory = "bitlbee"; + ExecStart = "${bitlbeePkg}/sbin/bitlbee -F -n -c ${bitlbeeConfig}"; + }; + }; + + environment.systemPackages = [ bitlbeePkg ]; + + }) + (mkIf (config.services.bitlbee.authBackend == "pam") { + security.pam.services.bitlbee = {}; + }) + ]; + +} diff --git a/nixos/modules/services/networking/blockbook-frontend.nix b/nixos/modules/services/networking/blockbook-frontend.nix new file mode 100644 index 00000000000..eeea521c8d5 --- /dev/null +++ b/nixos/modules/services/networking/blockbook-frontend.nix @@ -0,0 +1,278 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + eachBlockbook = config.services.blockbook-frontend; + + blockbookOpts = { config, lib, name, ...}: { + + options = { + + enable = mkEnableOption "blockbook-frontend application."; + + package = mkOption { + type = types.package; + default = pkgs.blockbook; + defaultText = literalExpression "pkgs.blockbook"; + description = "Which blockbook package to use."; + }; + + user = mkOption { + type = types.str; + default = "blockbook-frontend-${name}"; + description = "The user as which to run blockbook-frontend-${name}."; + }; + + group = mkOption { + type = types.str; + default = "${config.user}"; + description = "The group as which to run blockbook-frontend-${name}."; + }; + + certFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/etc/secrets/blockbook-frontend-${name}/certFile"; + description = '' + To enable SSL, specify path to the name of certificate files without extension. + Expecting <filename>certFile.crt</filename> and <filename>certFile.key</filename>. + ''; + }; + + configFile = mkOption { + type = with types; nullOr path; + default = null; + example = "${config.dataDir}/config.json"; + description = "Location of the blockbook configuration file."; + }; + + coinName = mkOption { + type = types.str; + default = "Bitcoin"; + description = '' + See <link xlink:href="https://github.com/trezor/blockbook/blob/master/bchain/coins/blockchain.go#L61"/> + for current of coins supported in master (Note: may differ from release). + ''; + }; + + cssDir = mkOption { + type = types.path; + default = "${config.package}/share/css/"; + defaultText = literalExpression ''"''${package}/share/css/"''; + example = literalExpression ''"''${dataDir}/static/css/"''; + description = '' + Location of the dir with <filename>main.css</filename> CSS file. + By default, the one shipped with the package is used. + ''; + }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/blockbook-frontend-${name}"; + description = "Location of blockbook-frontend-${name} data directory."; + }; + + debug = mkOption { + type = types.bool; + default = false; + description = "Debug mode, return more verbose errors, reload templates on each request."; + }; + + internal = mkOption { + type = types.nullOr types.str; + default = ":9030"; + description = "Internal http server binding <literal>[address]:port</literal>."; + }; + + messageQueueBinding = mkOption { + type = types.str; + default = "tcp://127.0.0.1:38330"; + description = "Message Queue Binding <literal>address:port</literal>."; + }; + + public = mkOption { + type = types.nullOr types.str; + default = ":9130"; + description = "Public http server binding <literal>[address]:port</literal>."; + }; + + rpc = { + url = mkOption { + type = types.str; + default = "http://127.0.0.1"; + description = "URL for JSON-RPC connections."; + }; + + port = mkOption { + type = types.port; + default = 8030; + description = "Port for JSON-RPC connections."; + }; + + user = mkOption { + type = types.str; + default = "rpc"; + description = "Username for JSON-RPC connections."; + }; + + password = mkOption { + type = types.str; + default = "rpc"; + description = '' + RPC password for JSON-RPC connections. + Warning: this is stored in cleartext in the Nix store!!! + Use <literal>configFile</literal> or <literal>passwordFile</literal> if needed. + ''; + }; + + passwordFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + File containing password of the RPC user. + Note: This options is ignored when <literal>configFile</literal> is used. + ''; + }; + }; + + sync = mkOption { + type = types.bool; + default = true; + description = "Synchronizes until tip, if together with zeromq, keeps index synchronized."; + }; + + templateDir = mkOption { + type = types.path; + default = "${config.package}/share/templates/"; + defaultText = literalExpression ''"''${package}/share/templates/"''; + example = literalExpression ''"''${dataDir}/templates/static/"''; + description = "Location of the HTML templates. By default, ones shipped with the package are used."; + }; + + extraConfig = mkOption { + type = types.attrs; + default = {}; + example = literalExpression '' { + "alternative_estimate_fee" = "whatthefee-disabled"; + "alternative_estimate_fee_params" = "{\"url\": \"https://whatthefee.io/data.json\", \"periodSeconds\": 60}"; + "fiat_rates" = "coingecko"; + "fiat_rates_params" = "{\"url\": \"https://api.coingecko.com/api/v3\", \"coin\": \"bitcoin\", \"periodSeconds\": 60}"; + "coin_shortcut" = "BTC"; + "coin_label" = "Bitcoin"; + "parse" = true; + "subversion" = ""; + "address_format" = ""; + "xpub_magic" = 76067358; + "xpub_magic_segwit_p2sh" = 77429938; + "xpub_magic_segwit_native" = 78792518; + "mempool_workers" = 8; + "mempool_sub_workers" = 2; + "block_addresses_to_keep" = 300; + }''; + description = '' + Additional configurations to be appended to <filename>coin.conf</filename>. + Overrides any already defined configuration options. + See <link xlink:href="https://github.com/trezor/blockbook/tree/master/configs/coins"/> + for current configuration options supported in master (Note: may differ from release). + ''; + }; + + extraCmdLineOptions = mkOption { + type = types.listOf types.str; + default = []; + example = [ "-workers=1" "-dbcache=0" "-logtosderr" ]; + description = '' + Extra command line options to pass to Blockbook. + Run blockbook --help to list all available options. + ''; + }; + }; + }; +in +{ + # interface + + options = { + services.blockbook-frontend = mkOption { + type = types.attrsOf (types.submodule blockbookOpts); + default = {}; + description = "Specification of one or more blockbook-frontend instances."; + }; + }; + + # implementation + + config = mkIf (eachBlockbook != {}) { + + systemd.services = mapAttrs' (blockbookName: cfg: ( + nameValuePair "blockbook-frontend-${blockbookName}" ( + let + configFile = if cfg.configFile != null then cfg.configFile else + pkgs.writeText "config.conf" (builtins.toJSON ( { + coin_name = "${cfg.coinName}"; + rpc_user = "${cfg.rpc.user}"; + rpc_pass = "${cfg.rpc.password}"; + rpc_url = "${cfg.rpc.url}:${toString cfg.rpc.port}"; + message_queue_binding = "${cfg.messageQueueBinding}"; + } // cfg.extraConfig) + ); + in { + description = "blockbook-frontend-${blockbookName} daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + preStart = '' + ln -sf ${cfg.templateDir} ${cfg.dataDir}/static/ + ln -sf ${cfg.cssDir} ${cfg.dataDir}/static/ + ${optionalString (cfg.rpc.passwordFile != null && cfg.configFile == null) '' + CONFIGTMP=$(mktemp) + ${pkgs.jq}/bin/jq ".rpc_pass = \"$(cat ${cfg.rpc.passwordFile})\"" ${configFile} > $CONFIGTMP + mv $CONFIGTMP ${cfg.dataDir}/${blockbookName}-config.json + ''} + ''; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = '' + ${cfg.package}/bin/blockbook \ + ${if (cfg.rpc.passwordFile != null && cfg.configFile == null) then + "-blockchaincfg=${cfg.dataDir}/${blockbookName}-config.json" + else + "-blockchaincfg=${configFile}" + } \ + -datadir=${cfg.dataDir} \ + ${optionalString (cfg.sync != false) "-sync"} \ + ${optionalString (cfg.certFile != null) "-certfile=${toString cfg.certFile}"} \ + ${optionalString (cfg.debug != false) "-debug"} \ + ${optionalString (cfg.internal != null) "-internal=${toString cfg.internal}"} \ + ${optionalString (cfg.public != null) "-public=${toString cfg.public}"} \ + ${toString cfg.extraCmdLineOptions} + ''; + Restart = "on-failure"; + WorkingDirectory = cfg.dataDir; + LimitNOFILE = 65536; + }; + } + ) )) eachBlockbook; + + systemd.tmpfiles.rules = flatten (mapAttrsToList (blockbookName: cfg: [ + "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} - -" + "d ${cfg.dataDir}/static 0750 ${cfg.user} ${cfg.group} - -" + ]) eachBlockbook); + + users.users = mapAttrs' (blockbookName: cfg: ( + nameValuePair "blockbook-frontend-${blockbookName}" { + name = cfg.user; + group = cfg.group; + home = cfg.dataDir; + isSystemUser = true; + })) eachBlockbook; + + users.groups = mapAttrs' (instanceName: cfg: ( + nameValuePair "${cfg.group}" { })) eachBlockbook; + }; + + meta.maintainers = with maintainers; [ _1000101 ]; + +} diff --git a/nixos/modules/services/networking/blocky.nix b/nixos/modules/services/networking/blocky.nix new file mode 100644 index 00000000000..7488e05fc03 --- /dev/null +++ b/nixos/modules/services/networking/blocky.nix @@ -0,0 +1,40 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.blocky; + + format = pkgs.formats.yaml { }; + configFile = format.generate "config.yaml" cfg.settings; +in +{ + options.services.blocky = { + enable = mkEnableOption "Fast and lightweight DNS proxy as ad-blocker for local network with many features"; + + settings = mkOption { + type = format.type; + default = { }; + description = '' + Blocky configuration. Refer to + <link xlink:href="https://0xerr0r.github.io/blocky/configuration/"/> + for details on supported values. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.blocky = { + description = "A DNS proxy and ad-blocker for the local network"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + DynamicUser = true; + ExecStart = "${pkgs.blocky}/bin/blocky --config ${configFile}"; + + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/charybdis.nix b/nixos/modules/services/networking/charybdis.nix new file mode 100644 index 00000000000..ff09c0160cb --- /dev/null +++ b/nixos/modules/services/networking/charybdis.nix @@ -0,0 +1,114 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkEnableOption mkIf mkOption singleton types; + inherit (pkgs) coreutils charybdis; + cfg = config.services.charybdis; + + configFile = pkgs.writeText "charybdis.conf" '' + ${cfg.config} + ''; +in + +{ + + ###### interface + + options = { + + services.charybdis = { + + enable = mkEnableOption "Charybdis IRC daemon"; + + config = mkOption { + type = types.str; + description = '' + Charybdis IRC daemon configuration file. + ''; + }; + + statedir = mkOption { + type = types.path; + default = "/var/lib/charybdis"; + description = '' + Location of the state directory of charybdis. + ''; + }; + + user = mkOption { + type = types.str; + default = "ircd"; + description = '' + Charybdis IRC daemon user. + ''; + }; + + group = mkOption { + type = types.str; + default = "ircd"; + description = '' + Charybdis IRC daemon group. + ''; + }; + + motd = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Charybdis MOTD text. + + Charybdis will read its MOTD from /etc/charybdis/ircd.motd . + If set, the value of this option will be written to this path. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable (lib.mkMerge [ + { + users.users.${cfg.user} = { + description = "Charybdis IRC daemon user"; + uid = config.ids.uids.ircd; + group = cfg.group; + }; + + users.groups.${cfg.group} = { + gid = config.ids.gids.ircd; + }; + + systemd.tmpfiles.rules = [ + "d ${cfg.statedir} - ${cfg.user} ${cfg.group} - -" + ]; + + environment.etc."charybdis/ircd.conf".source = configFile; + + systemd.services.charybdis = { + description = "Charybdis IRC daemon"; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + restartTriggers = [ + configFile + ]; + environment = { + BANDB_DBPATH = "${cfg.statedir}/ban.db"; + }; + serviceConfig = { + ExecStart = "${charybdis}/bin/charybdis -foreground -logfile /dev/stdout -configfile /etc/charybdis/ircd.conf"; + ExecReload = "${coreutils}/bin/kill -HUP $MAINPID"; + Group = cfg.group; + User = cfg.user; + }; + }; + + } + + (mkIf (cfg.motd != null) { + environment.etc."charybdis/ircd.motd".text = cfg.motd; + }) + ]); +} diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix new file mode 100644 index 00000000000..0d97d379e90 --- /dev/null +++ b/nixos/modules/services/networking/cjdns.nix @@ -0,0 +1,304 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + pkg = pkgs.cjdns; + + cfg = config.services.cjdns; + + connectToSubmodule = + { ... }: + { options = + { password = mkOption { + type = types.str; + description = "Authorized password to the opposite end of the tunnel."; + }; + login = mkOption { + default = ""; + type = types.str; + description = "(optional) name your peer has for you"; + }; + peerName = mkOption { + default = ""; + type = types.str; + description = "(optional) human-readable name for peer"; + }; + publicKey = mkOption { + type = types.str; + description = "Public key at the opposite end of the tunnel."; + }; + hostname = mkOption { + default = ""; + example = "foobar.hype"; + type = types.str; + description = "Optional hostname to add to /etc/hosts; prevents reverse lookup failures."; + }; + }; + }; + + # Additional /etc/hosts entries for peers with an associated hostname + cjdnsExtraHosts = pkgs.runCommand "cjdns-hosts" {} '' + exec >$out + ${concatStringsSep "\n" (mapAttrsToList (k: v: + optionalString (v.hostname != "") + "echo $(${pkgs.cjdns}/bin/publictoip6 ${v.publicKey}) ${v.hostname}") + (cfg.ETHInterface.connectTo // cfg.UDPInterface.connectTo))} + ''; + + parseModules = x: + x // { connectTo = mapAttrs (name: value: { inherit (value) password publicKey; }) x.connectTo; }; + + cjdrouteConf = builtins.toJSON ( recursiveUpdate { + admin = { + bind = cfg.admin.bind; + password = "@CJDNS_ADMIN_PASSWORD@"; + }; + authorizedPasswords = map (p: { password = p; }) cfg.authorizedPasswords; + interfaces = { + ETHInterface = if (cfg.ETHInterface.bind != "") then [ (parseModules cfg.ETHInterface) ] else [ ]; + UDPInterface = if (cfg.UDPInterface.bind != "") then [ (parseModules cfg.UDPInterface) ] else [ ]; + }; + + privateKey = "@CJDNS_PRIVATE_KEY@"; + + resetAfterInactivitySeconds = 100; + + router = { + interface = { type = "TUNInterface"; }; + ipTunnel = { + allowedConnections = []; + outgoingConnections = []; + }; + }; + + security = [ { exemptAngel = 1; setuser = "nobody"; } ]; + + } cfg.extraConfig); + +in + +{ + options = { + + services.cjdns = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the cjdns network encryption + and routing engine. A file at /etc/cjdns.keys will + be created if it does not exist to contain a random + secret key that your IPv6 address will be derived from. + ''; + }; + + extraConfig = mkOption { + type = types.attrs; + default = {}; + example = { router.interface.tunDevice = "tun10"; }; + description = '' + Extra configuration, given as attrs, that will be merged recursively + with the rest of the JSON generated by this module, at the root node. + ''; + }; + + confFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/etc/cjdroute.conf"; + description = '' + Ignore all other cjdns options and load configuration from this file. + ''; + }; + + authorizedPasswords = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ + "snyrfgkqsc98qh1y4s5hbu0j57xw5s0" + "z9md3t4p45mfrjzdjurxn4wuj0d8swv" + "49275fut6tmzu354pq70sr5b95qq0vj" + ]; + description = '' + Any remote cjdns nodes that offer these passwords on + connection will be allowed to route through this node. + ''; + }; + + admin = { + bind = mkOption { + type = types.str; + default = "127.0.0.1:11234"; + description = '' + Bind the administration port to this address and port. + ''; + }; + }; + + UDPInterface = { + bind = mkOption { + type = types.str; + default = ""; + example = "192.168.1.32:43211"; + description = '' + Address and port to bind UDP tunnels to. + ''; + }; + connectTo = mkOption { + type = types.attrsOf ( types.submodule ( connectToSubmodule ) ); + default = { }; + example = literalExpression '' + { + "192.168.1.1:27313" = { + hostname = "homer.hype"; + password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM"; + publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k"; + }; + } + ''; + description = '' + Credentials for making UDP tunnels. + ''; + }; + }; + + ETHInterface = { + bind = mkOption { + type = types.str; + default = ""; + example = "eth0"; + description = + '' + Bind to this device for native ethernet operation. + <literal>all</literal> is a pseudo-name which will try to connect to all devices. + ''; + }; + + beacon = mkOption { + type = types.int; + default = 2; + description = '' + Auto-connect to other cjdns nodes on the same network. + Options: + 0: Disabled. + 1: Accept beacons, this will cause cjdns to accept incoming + beacon messages and try connecting to the sender. + 2: Accept and send beacons, this will cause cjdns to broadcast + messages on the local network which contain a randomly + generated per-session password, other nodes which have this + set to 1 or 2 will hear the beacon messages and connect + automatically. + ''; + }; + + connectTo = mkOption { + type = types.attrsOf ( types.submodule ( connectToSubmodule ) ); + default = { }; + example = literalExpression '' + { + "01:02:03:04:05:06" = { + hostname = "homer.hype"; + password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM"; + publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k"; + }; + } + ''; + description = '' + Credentials for connecting look similar to UDP credientials + except they begin with the mac address. + ''; + }; + }; + + addExtraHosts = mkOption { + type = types.bool; + default = false; + description = '' + Whether to add cjdns peers with an associated hostname to + <filename>/etc/hosts</filename>. Beware that enabling this + incurs heavy eval-time costs. + ''; + }; + + }; + + }; + + config = mkIf cfg.enable { + + boot.kernelModules = [ "tun" ]; + + # networking.firewall.allowedUDPPorts = ... + + systemd.services.cjdns = { + description = "cjdns: routing engine designed for security, scalability, speed and ease of use"; + wantedBy = [ "multi-user.target" "sleep.target"]; + after = [ "network-online.target" ]; + bindsTo = [ "network-online.target" ]; + + preStart = if cfg.confFile != null then "" else '' + [ -e /etc/cjdns.keys ] && source /etc/cjdns.keys + + if [ -z "$CJDNS_PRIVATE_KEY" ]; then + shopt -s lastpipe + ${pkg}/bin/makekeys | { read private ipv6 public; } + + umask 0077 + echo "CJDNS_PRIVATE_KEY=$private" >> /etc/cjdns.keys + echo -e "CJDNS_IPV6=$ipv6\nCJDNS_PUBLIC_KEY=$public" > /etc/cjdns.public + + chmod 600 /etc/cjdns.keys + chmod 444 /etc/cjdns.public + fi + + if [ -z "$CJDNS_ADMIN_PASSWORD" ]; then + echo "CJDNS_ADMIN_PASSWORD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 32)" \ + >> /etc/cjdns.keys + fi + ''; + + script = ( + if cfg.confFile != null then "${pkg}/bin/cjdroute < ${cfg.confFile}" else + '' + source /etc/cjdns.keys + (cat <<'EOF' + ${cjdrouteConf} + EOF + ) | sed \ + -e "s/@CJDNS_ADMIN_PASSWORD@/$CJDNS_ADMIN_PASSWORD/g" \ + -e "s/@CJDNS_PRIVATE_KEY@/$CJDNS_PRIVATE_KEY/g" \ + | ${pkg}/bin/cjdroute + '' + ); + + startLimitIntervalSec = 0; + serviceConfig = { + Type = "forking"; + Restart = "always"; + RestartSec = 1; + CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID"; + ProtectSystem = true; + # Doesn't work on i686, causing service to fail + MemoryDenyWriteExecute = !pkgs.stdenv.isi686; + ProtectHome = true; + PrivateTmp = true; + }; + }; + + networking.hostFiles = mkIf cfg.addExtraHosts [ cjdnsExtraHosts ]; + + assertions = [ + { assertion = ( cfg.ETHInterface.bind != "" || cfg.UDPInterface.bind != "" || cfg.confFile != null ); + message = "Neither cjdns.ETHInterface.bind nor cjdns.UDPInterface.bind defined."; + } + { assertion = config.networking.enableIPv6; + message = "networking.enableIPv6 must be enabled for CJDNS to work"; + } + ]; + + }; + +} diff --git a/nixos/modules/services/networking/cntlm.nix b/nixos/modules/services/networking/cntlm.nix new file mode 100644 index 00000000000..eea28e12ce0 --- /dev/null +++ b/nixos/modules/services/networking/cntlm.nix @@ -0,0 +1,126 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.cntlm; + + configFile = if cfg.configText != "" then + pkgs.writeText "cntlm.conf" '' + ${cfg.configText} + '' + else + pkgs.writeText "lighttpd.conf" '' + # Cntlm Authentication Proxy Configuration + Username ${cfg.username} + Domain ${cfg.domain} + Password ${cfg.password} + ${optionalString (cfg.netbios_hostname != "") "Workstation ${cfg.netbios_hostname}"} + ${concatMapStrings (entry: "Proxy ${entry}\n") cfg.proxy} + ${optionalString (cfg.noproxy != []) "NoProxy ${concatStringsSep ", " cfg.noproxy}"} + + ${concatMapStrings (port: '' + Listen ${toString port} + '') cfg.port} + + ${cfg.extraConfig} + ''; + +in + +{ + + options.services.cntlm = { + + enable = mkEnableOption "cntlm, which starts a local proxy"; + + username = mkOption { + type = types.str; + description = '' + Proxy account name, without the possibility to include domain name ('at' sign is interpreted literally). + ''; + }; + + domain = mkOption { + type = types.str; + description = "Proxy account domain/workgroup name."; + }; + + password = mkOption { + default = "/etc/cntlm.password"; + type = types.str; + description = "Proxy account password. Note: use chmod 0600 on /etc/cntlm.password for security."; + }; + + netbios_hostname = mkOption { + type = types.str; + default = ""; + description = '' + The hostname of your machine. + ''; + }; + + proxy = mkOption { + type = types.listOf types.str; + description = '' + A list of NTLM/NTLMv2 authenticating HTTP proxies. + + Parent proxy, which requires authentication. The same as proxy on the command-line, can be used more than once to specify unlimited + number of proxies. Should one proxy fail, cntlm automatically moves on to the next one. The connect request fails only if the whole + list of proxies is scanned and (for each request) and found to be invalid. Command-line takes precedence over the configuration file. + ''; + example = [ "proxy.example.com:81" ]; + }; + + noproxy = mkOption { + description = '' + A list of domains where the proxy is skipped. + ''; + default = []; + type = types.listOf types.str; + example = [ "*.example.com" "example.com" ]; + }; + + port = mkOption { + default = [3128]; + type = types.listOf types.port; + description = "Specifies on which ports the cntlm daemon listens."; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Additional config appended to the end of the generated <filename>cntlm.conf</filename>."; + }; + + configText = mkOption { + type = types.lines; + default = ""; + description = "Verbatim contents of <filename>cntlm.conf</filename>."; + }; + + }; + + ###### implementation + + config = mkIf cfg.enable { + systemd.services.cntlm = { + description = "CNTLM is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = "cntlm"; + ExecStart = '' + ${pkgs.cntlm}/bin/cntlm -U cntlm -c ${configFile} -v -f + ''; + }; + }; + + users.users.cntlm = { + name = "cntlm"; + description = "cntlm system-wide daemon"; + isSystemUser = true; + }; + }; +} diff --git a/nixos/modules/services/networking/connman.nix b/nixos/modules/services/networking/connman.nix new file mode 100644 index 00000000000..9945dc83a27 --- /dev/null +++ b/nixos/modules/services/networking/connman.nix @@ -0,0 +1,162 @@ +{ config, lib, pkgs, ... }: + +with pkgs; +with lib; + +let + cfg = config.services.connman; + configFile = pkgs.writeText "connman.conf" '' + [General] + NetworkInterfaceBlacklist=${concatStringsSep "," cfg.networkInterfaceBlacklist} + + ${cfg.extraConfig} + ''; + enableIwd = cfg.wifi.backend == "iwd"; +in { + + imports = [ + (mkRenamedOptionModule [ "networking" "connman" ] [ "services" "connman" ]) + ]; + + ###### interface + + options = { + + services.connman = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to use ConnMan for managing your network connections. + ''; + }; + + enableVPN = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable ConnMan VPN service. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Configuration lines appended to the generated connman configuration file. + ''; + }; + + networkInterfaceBlacklist = mkOption { + type = with types; listOf str; + default = [ "vmnet" "vboxnet" "virbr" "ifb" "ve" ]; + description = '' + Default blacklisted interfaces, this includes NixOS containers interfaces (ve). + ''; + }; + + wifi = { + backend = mkOption { + type = types.enum [ "wpa_supplicant" "iwd" ]; + default = "wpa_supplicant"; + description = '' + Specify the Wi-Fi backend used. + Currently supported are <option>wpa_supplicant</option> or <option>iwd</option>. + ''; + }; + }; + + extraFlags = mkOption { + type = with types; listOf str; + default = [ ]; + example = [ "--nodnsproxy" ]; + description = '' + Extra flags to pass to connmand + ''; + }; + + package = mkOption { + type = types.package; + description = "The connman package / build flavor"; + default = connman; + defaultText = literalExpression "pkgs.connman"; + example = literalExpression "pkgs.connmanFull"; + }; + + }; + + }; + + ###### implementation + + config = mkIf cfg.enable { + + assertions = [{ + assertion = !config.networking.useDHCP; + message = "You can not use services.connman with networking.useDHCP"; + }{ + # TODO: connman seemingly can be used along network manager and + # connmanFull supports this - so this should be worked out somehow + assertion = !config.networking.networkmanager.enable; + message = "You can not use services.connman with networking.networkmanager"; + }]; + + environment.systemPackages = [ cfg.package ]; + + systemd.services.connman = { + description = "Connection service"; + wantedBy = [ "multi-user.target" ]; + after = [ "syslog.target" ] ++ optional enableIwd "iwd.service"; + requires = optional enableIwd "iwd.service"; + serviceConfig = { + Type = "dbus"; + BusName = "net.connman"; + Restart = "on-failure"; + ExecStart = toString ([ + "${cfg.package}/sbin/connmand" + "--config=${configFile}" + "--nodaemon" + ] ++ optional enableIwd "--wifi=iwd_agent" + ++ cfg.extraFlags); + StandardOutput = "null"; + }; + }; + + systemd.services.connman-vpn = mkIf cfg.enableVPN { + description = "ConnMan VPN service"; + wantedBy = [ "multi-user.target" ]; + after = [ "syslog.target" ]; + before = [ "connman.service" ]; + serviceConfig = { + Type = "dbus"; + BusName = "net.connman.vpn"; + ExecStart = "${cfg.package}/sbin/connman-vpnd -n"; + StandardOutput = "null"; + }; + }; + + systemd.services.net-connman-vpn = mkIf cfg.enableVPN { + description = "D-BUS Service"; + serviceConfig = { + Name = "net.connman.vpn"; + before = [ "connman.service" ]; + ExecStart = "${cfg.package}/sbin/connman-vpnd -n"; + User = "root"; + SystemdService = "connman-vpn.service"; + }; + }; + + networking = { + useDHCP = false; + wireless = { + enable = mkIf (!enableIwd) true; + dbusControlled = true; + iwd = mkIf enableIwd { + enable = true; + }; + }; + networkmanager.enable = false; + }; + }; +} diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix new file mode 100644 index 00000000000..ca9c422e6d7 --- /dev/null +++ b/nixos/modules/services/networking/consul.nix @@ -0,0 +1,259 @@ +{ config, lib, pkgs, utils, ... }: + +with lib; +let + + dataDir = "/var/lib/consul"; + cfg = config.services.consul; + + configOptions = { + data_dir = dataDir; + ui_config = { + enabled = cfg.webUi; + }; + } // cfg.extraConfig; + + configFiles = [ "/etc/consul.json" "/etc/consul-addrs.json" ] + ++ cfg.extraConfigFiles; + + devices = attrValues (filterAttrs (_: i: i != null) cfg.interface); + systemdDevices = forEach devices + (i: "sys-subsystem-net-devices-${utils.escapeSystemdPath i}.device"); +in +{ + options = { + + services.consul = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enables the consul daemon. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.consul; + defaultText = literalExpression "pkgs.consul"; + description = '' + The package used for the Consul agent and CLI. + ''; + }; + + + webUi = mkOption { + type = types.bool; + default = false; + description = '' + Enables the web interface on the consul http port. + ''; + }; + + leaveOnStop = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, causes a leave action to be sent when closing consul. + This allows a clean termination of the node, but permanently removes + it from the cluster. You probably don't want this option unless you + are running a node which going offline in a permanent / semi-permanent + fashion. + ''; + }; + + interface = { + + advertise = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The name of the interface to pull the advertise_addr from. + ''; + }; + + bind = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The name of the interface to pull the bind_addr from. + ''; + }; + + }; + + forceIpv4 = mkOption { + type = types.bool; + default = false; + description = '' + Whether we should force the interfaces to only pull ipv4 addresses. + ''; + }; + + dropPrivileges = mkOption { + type = types.bool; + default = true; + description = '' + Whether the consul agent should be run as a non-root consul user. + ''; + }; + + extraConfig = mkOption { + default = { }; + type = types.attrsOf types.anything; + description = '' + Extra configuration options which are serialized to json and added + to the config.json file. + ''; + }; + + extraConfigFiles = mkOption { + default = [ ]; + type = types.listOf types.str; + description = '' + Additional configuration files to pass to consul + NOTE: These will not trigger the service to be restarted when altered. + ''; + }; + + alerts = { + enable = mkEnableOption "consul-alerts"; + + package = mkOption { + description = "Package to use for consul-alerts."; + default = pkgs.consul-alerts; + defaultText = literalExpression "pkgs.consul-alerts"; + type = types.package; + }; + + listenAddr = mkOption { + description = "Api listening address."; + default = "localhost:9000"; + type = types.str; + }; + + consulAddr = mkOption { + description = "Consul api listening adddress"; + default = "localhost:8500"; + type = types.str; + }; + + watchChecks = mkOption { + description = "Whether to enable check watcher."; + default = true; + type = types.bool; + }; + + watchEvents = mkOption { + description = "Whether to enable event watcher."; + default = true; + type = types.bool; + }; + }; + + }; + + }; + + config = mkIf cfg.enable ( + mkMerge [{ + + users.users.consul = { + description = "Consul agent daemon user"; + isSystemUser = true; + group = "consul"; + # The shell is needed for health checks + shell = "/run/current-system/sw/bin/bash"; + }; + users.groups.consul = {}; + + environment = { + etc."consul.json".text = builtins.toJSON configOptions; + # We need consul.d to exist for consul to start + etc."consul.d/dummy.json".text = "{ }"; + systemPackages = [ cfg.package ]; + }; + + systemd.services.consul = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ] ++ systemdDevices; + bindsTo = systemdDevices; + restartTriggers = [ config.environment.etc."consul.json".source ] + ++ mapAttrsToList (_: d: d.source) + (filterAttrs (n: _: hasPrefix "consul.d/" n) config.environment.etc); + + serviceConfig = { + ExecStart = "@${cfg.package}/bin/consul consul agent -config-dir /etc/consul.d" + + concatMapStrings (n: " -config-file ${n}") configFiles; + ExecReload = "${cfg.package}/bin/consul reload"; + PermissionsStartOnly = true; + User = if cfg.dropPrivileges then "consul" else null; + Restart = "on-failure"; + TimeoutStartSec = "infinity"; + } // (optionalAttrs (cfg.leaveOnStop) { + ExecStop = "${cfg.package}/bin/consul leave"; + }); + + path = with pkgs; [ iproute2 gnugrep gawk consul ]; + preStart = '' + mkdir -m 0700 -p ${dataDir} + chown -R consul ${dataDir} + + # Determine interface addresses + getAddrOnce () { + ip addr show dev "$1" \ + | grep 'inet${optionalString (cfg.forceIpv4) " "}.*scope global' \ + | awk -F '[ /\t]*' '{print $3}' | head -n 1 + } + getAddr () { + ADDR="$(getAddrOnce $1)" + LEFT=60 # Die after 1 minute + while [ -z "$ADDR" ]; do + sleep 1 + LEFT=$(expr $LEFT - 1) + if [ "$LEFT" -eq "0" ]; then + echo "Address lookup timed out" + exit 1 + fi + ADDR="$(getAddrOnce $1)" + done + echo "$ADDR" + } + echo "{" > /etc/consul-addrs.json + delim=" " + '' + + concatStrings (flip mapAttrsToList cfg.interface (name: i: + optionalString (i != null) '' + echo "$delim \"${name}_addr\": \"$(getAddr "${i}")\"" >> /etc/consul-addrs.json + delim="," + '')) + + '' + echo "}" >> /etc/consul-addrs.json + ''; + }; + } + + (mkIf (cfg.alerts.enable) { + systemd.services.consul-alerts = { + wantedBy = [ "multi-user.target" ]; + after = [ "consul.service" ]; + + path = [ cfg.package ]; + + serviceConfig = { + ExecStart = '' + ${cfg.alerts.package}/bin/consul-alerts start \ + --alert-addr=${cfg.alerts.listenAddr} \ + --consul-addr=${cfg.alerts.consulAddr} \ + ${optionalString cfg.alerts.watchChecks "--watch-checks"} \ + ${optionalString cfg.alerts.watchEvents "--watch-events"} + ''; + User = if cfg.dropPrivileges then "consul" else null; + Restart = "on-failure"; + }; + }; + }) + + ]); +} diff --git a/nixos/modules/services/networking/coredns.nix b/nixos/modules/services/networking/coredns.nix new file mode 100644 index 00000000000..88615d8e610 --- /dev/null +++ b/nixos/modules/services/networking/coredns.nix @@ -0,0 +1,50 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.coredns; + configFile = pkgs.writeText "Corefile" cfg.config; +in { + options.services.coredns = { + enable = mkEnableOption "Coredns dns server"; + + config = mkOption { + default = ""; + example = '' + . { + whoami + } + ''; + type = types.lines; + description = "Verbatim Corefile to use. See <link xlink:href=\"https://coredns.io/manual/toc/#configuration\"/> for details."; + }; + + package = mkOption { + default = pkgs.coredns; + defaultText = literalExpression "pkgs.coredns"; + type = types.package; + description = "Coredns package to use."; + }; + }; + + config = mkIf cfg.enable { + systemd.services.coredns = { + description = "Coredns dns server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + PermissionsStartOnly = true; + LimitNPROC = 512; + LimitNOFILE = 1048576; + CapabilityBoundingSet = "cap_net_bind_service"; + AmbientCapabilities = "cap_net_bind_service"; + NoNewPrivileges = true; + DynamicUser = true; + ExecStart = "${getBin cfg.package}/bin/coredns -conf=${configFile}"; + ExecReload = "${pkgs.coreutils}/bin/kill -SIGUSR1 $MAINPID"; + Restart = "on-failure"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/corerad.nix b/nixos/modules/services/networking/corerad.nix new file mode 100644 index 00000000000..9d79d5d7686 --- /dev/null +++ b/nixos/modules/services/networking/corerad.nix @@ -0,0 +1,82 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.corerad; + settingsFormat = pkgs.formats.toml {}; + +in { + meta.maintainers = with maintainers; [ mdlayher ]; + + options.services.corerad = { + enable = mkEnableOption "CoreRAD IPv6 NDP RA daemon"; + + settings = mkOption { + type = settingsFormat.type; + example = literalExpression '' + { + interfaces = [ + # eth0 is an upstream interface monitoring for IPv6 router advertisements. + { + name = "eth0"; + monitor = true; + } + # eth1 is a downstream interface advertising IPv6 prefixes for SLAAC. + { + name = "eth1"; + advertise = true; + prefix = [{ prefix = "::/64"; }]; + } + ]; + # Optionally enable Prometheus metrics. + debug = { + address = "localhost:9430"; + prometheus = true; + }; + } + ''; + description = '' + Configuration for CoreRAD, see <link xlink:href="https://github.com/mdlayher/corerad/blob/main/internal/config/reference.toml"/> + for supported values. Ignored if configFile is set. + ''; + }; + + configFile = mkOption { + type = types.path; + example = literalExpression ''"''${pkgs.corerad}/etc/corerad/corerad.toml"''; + description = "Path to CoreRAD TOML configuration file."; + }; + + package = mkOption { + default = pkgs.corerad; + defaultText = literalExpression "pkgs.corerad"; + type = types.package; + description = "CoreRAD package to use."; + }; + }; + + config = mkIf cfg.enable { + # Prefer the config file over settings if both are set. + services.corerad.configFile = mkDefault (settingsFormat.generate "corerad.toml" cfg.settings); + + systemd.services.corerad = { + description = "CoreRAD IPv6 NDP RA daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + LimitNPROC = 512; + LimitNOFILE = 1048576; + CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; + AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW"; + NoNewPrivileges = true; + DynamicUser = true; + Type = "notify"; + NotifyAccess = "main"; + ExecStart = "${getBin cfg.package}/bin/corerad -c=${cfg.configFile}"; + Restart = "on-failure"; + RestartKillSignal = "SIGHUP"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/coturn.nix b/nixos/modules/services/networking/coturn.nix new file mode 100644 index 00000000000..ce563c31136 --- /dev/null +++ b/nixos/modules/services/networking/coturn.nix @@ -0,0 +1,365 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.coturn; + pidfile = "/run/turnserver/turnserver.pid"; + configFile = pkgs.writeText "turnserver.conf" '' +listening-port=${toString cfg.listening-port} +tls-listening-port=${toString cfg.tls-listening-port} +alt-listening-port=${toString cfg.alt-listening-port} +alt-tls-listening-port=${toString cfg.alt-tls-listening-port} +${concatStringsSep "\n" (map (x: "listening-ip=${x}") cfg.listening-ips)} +${concatStringsSep "\n" (map (x: "relay-ip=${x}") cfg.relay-ips)} +min-port=${toString cfg.min-port} +max-port=${toString cfg.max-port} +${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"} +${lib.optionalString cfg.no-auth "no-auth"} +${lib.optionalString cfg.use-auth-secret "use-auth-secret"} +${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")} +${lib.optionalString (cfg.static-auth-secret-file != null) ("static-auth-secret=#static-auth-secret#")} +realm=${cfg.realm} +${lib.optionalString cfg.no-udp "no-udp"} +${lib.optionalString cfg.no-tcp "no-tcp"} +${lib.optionalString cfg.no-tls "no-tls"} +${lib.optionalString cfg.no-dtls "no-dtls"} +${lib.optionalString cfg.no-udp-relay "no-udp-relay"} +${lib.optionalString cfg.no-tcp-relay "no-tcp-relay"} +${lib.optionalString (cfg.cert != null) "cert=${cfg.cert}"} +${lib.optionalString (cfg.pkey != null) "pkey=${cfg.pkey}"} +${lib.optionalString (cfg.dh-file != null) ("dh-file=${cfg.dh-file}")} +no-stdout-log +syslog +pidfile=${pidfile} +${lib.optionalString cfg.secure-stun "secure-stun"} +${lib.optionalString cfg.no-cli "no-cli"} +cli-ip=${cfg.cli-ip} +cli-port=${toString cfg.cli-port} +${lib.optionalString (cfg.cli-password != null) ("cli-password=${cfg.cli-password}")} +${cfg.extraConfig} +''; +in { + options = { + services.coturn = { + enable = mkEnableOption "coturn TURN server"; + listening-port = mkOption { + type = types.int; + default = 3478; + description = '' + TURN listener port for UDP and TCP. + Note: actually, TLS and DTLS sessions can connect to the + "plain" TCP and UDP port(s), too - if allowed by configuration. + ''; + }; + tls-listening-port = mkOption { + type = types.int; + default = 5349; + description = '' + TURN listener port for TLS. + Note: actually, "plain" TCP and UDP sessions can connect to the TLS and + DTLS port(s), too - if allowed by configuration. The TURN server + "automatically" recognizes the type of traffic. Actually, two listening + endpoints (the "plain" one and the "tls" one) are equivalent in terms of + functionality; but we keep both endpoints to satisfy the RFC 5766 specs. + For secure TCP connections, we currently support SSL version 3 and + TLS version 1.0, 1.1 and 1.2. + For secure UDP connections, we support DTLS version 1. + ''; + }; + alt-listening-port = mkOption { + type = types.int; + default = cfg.listening-port + 1; + defaultText = literalExpression "listening-port + 1"; + description = '' + Alternative listening port for UDP and TCP listeners; + default (or zero) value means "listening port plus one". + This is needed for RFC 5780 support + (STUN extension specs, NAT behavior discovery). The TURN Server + supports RFC 5780 only if it is started with more than one + listening IP address of the same family (IPv4 or IPv6). + RFC 5780 is supported only by UDP protocol, other protocols + are listening to that endpoint only for "symmetry". + ''; + }; + alt-tls-listening-port = mkOption { + type = types.int; + default = cfg.tls-listening-port + 1; + defaultText = literalExpression "tls-listening-port + 1"; + description = '' + Alternative listening port for TLS and DTLS protocols. + ''; + }; + listening-ips = mkOption { + type = types.listOf types.str; + default = []; + example = [ "203.0.113.42" "2001:DB8::42" ]; + description = '' + Listener IP addresses of relay server. + If no IP(s) specified in the config file or in the command line options, + then all IPv4 and IPv6 system IPs will be used for listening. + ''; + }; + relay-ips = mkOption { + type = types.listOf types.str; + default = []; + example = [ "203.0.113.42" "2001:DB8::42" ]; + description = '' + Relay address (the local IP address that will be used to relay the + packets to the peer). + Multiple relay addresses may be used. + The same IP(s) can be used as both listening IP(s) and relay IP(s). + + If no relay IP(s) specified, then the turnserver will apply the default + policy: it will decide itself which relay addresses to be used, and it + will always be using the client socket IP address as the relay IP address + of the TURN session (if the requested relay address family is the same + as the family of the client socket). + ''; + }; + min-port = mkOption { + type = types.int; + default = 49152; + description = '' + Lower bound of UDP relay endpoints + ''; + }; + max-port = mkOption { + type = types.int; + default = 65535; + description = '' + Upper bound of UDP relay endpoints + ''; + }; + lt-cred-mech = mkOption { + type = types.bool; + default = false; + description = '' + Use long-term credential mechanism. + ''; + }; + no-auth = mkOption { + type = types.bool; + default = false; + description = '' + This option is opposite to lt-cred-mech. + (TURN Server with no-auth option allows anonymous access). + If neither option is defined, and no users are defined, + then no-auth is default. If at least one user is defined, + in this file or in command line or in usersdb file, then + lt-cred-mech is default. + ''; + }; + use-auth-secret = mkOption { + type = types.bool; + default = false; + description = '' + TURN REST API flag. + Flag that sets a special authorization option that is based upon authentication secret. + This feature can be used with the long-term authentication mechanism, only. + This feature purpose is to support "TURN Server REST API", see + "TURN REST API" link in the project's page + https://github.com/coturn/coturn/ + + This option is used with timestamp: + + usercombo -> "timestamp:userid" + turn user -> usercombo + turn password -> base64(hmac(secret key, usercombo)) + + This allows TURN credentials to be accounted for a specific user id. + If you don't have a suitable id, the timestamp alone can be used. + This option is just turning on secret-based authentication. + The actual value of the secret is defined either by option static-auth-secret, + or can be found in the turn_secret table in the database. + ''; + }; + static-auth-secret = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + 'Static' authentication secret value (a string) for TURN REST API only. + If not set, then the turn server + will try to use the 'dynamic' value in turn_secret table + in user database (if present). The database-stored value can be changed on-the-fly + by a separate program, so this is why that other mode is 'dynamic'. + ''; + }; + static-auth-secret-file = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Path to the file containing the static authentication secret. + ''; + }; + realm = mkOption { + type = types.str; + default = config.networking.hostName; + defaultText = literalExpression "config.networking.hostName"; + example = "example.com"; + description = '' + The default realm to be used for the users when no explicit + origin/realm relationship was found in the database, or if the TURN + server is not using any database (just the commands-line settings + and the userdb file). Must be used with long-term credentials + mechanism or with TURN REST API. + ''; + }; + cert = mkOption { + type = types.nullOr types.str; + default = null; + example = "/var/lib/acme/example.com/fullchain.pem"; + description = '' + Certificate file in PEM format. + ''; + }; + pkey = mkOption { + type = types.nullOr types.str; + default = null; + example = "/var/lib/acme/example.com/key.pem"; + description = '' + Private key file in PEM format. + ''; + }; + dh-file = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Use custom DH TLS key, stored in PEM format in the file. + ''; + }; + secure-stun = mkOption { + type = types.bool; + default = false; + description = '' + Require authentication of the STUN Binding request. + By default, the clients are allowed anonymous access to the STUN Binding functionality. + ''; + }; + no-cli = mkOption { + type = types.bool; + default = false; + description = '' + Turn OFF the CLI support. + ''; + }; + cli-ip = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + Local system IP address to be used for CLI server endpoint. + ''; + }; + cli-port = mkOption { + type = types.int; + default = 5766; + description = '' + CLI server port. + ''; + }; + cli-password = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + CLI access password. + For the security reasons, it is recommended to use the encrypted + for of the password (see the -P command in the turnadmin utility). + ''; + }; + no-udp = mkOption { + type = types.bool; + default = false; + description = "Disable UDP client listener"; + }; + no-tcp = mkOption { + type = types.bool; + default = false; + description = "Disable TCP client listener"; + }; + no-tls = mkOption { + type = types.bool; + default = false; + description = "Disable TLS client listener"; + }; + no-dtls = mkOption { + type = types.bool; + default = false; + description = "Disable DTLS client listener"; + }; + no-udp-relay = mkOption { + type = types.bool; + default = false; + description = "Disable UDP relay endpoints"; + }; + no-tcp-relay = mkOption { + type = types.bool; + default = false; + description = "Disable TCP relay endpoints"; + }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Additional configuration options"; + }; + }; + }; + + config = mkIf cfg.enable (mkMerge ([ + { assertions = [ + { assertion = cfg.static-auth-secret != null -> cfg.static-auth-secret-file == null ; + message = "static-auth-secret and static-auth-secret-file cannot be set at the same time"; + } + ];} + + { + users.users.turnserver = + { uid = config.ids.uids.turnserver; + group = "turnserver"; + description = "coturn TURN server user"; + }; + users.groups.turnserver = + { gid = config.ids.gids.turnserver; + members = [ "turnserver" ]; + }; + + systemd.services.coturn = let + runConfig = "/run/coturn/turnserver.cfg"; + in { + description = "coturn TURN server"; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + + unitConfig = { + Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)"; + }; + + preStart = '' + cat ${configFile} > ${runConfig} + ${optionalString (cfg.static-auth-secret-file != null) '' + STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)" + sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \ + -i ${runConfig} + '' } + chmod 640 ${runConfig} + ''; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.coturn}/bin/turnserver -c ${runConfig}"; + RuntimeDirectory = "turnserver"; + User = "turnserver"; + Group = "turnserver"; + AmbientCapabilities = + mkIf ( + cfg.listening-port < 1024 || + cfg.alt-listening-port < 1024 || + cfg.tls-listening-port < 1024 || + cfg.alt-tls-listening-port < 1024 || + cfg.min-port < 1024 + ) "cap_net_bind_service"; + Restart = "on-abort"; + }; + }; + systemd.tmpfiles.rules = [ + "d /run/coturn 0700 turnserver turnserver - -" + ]; + }])); +} diff --git a/nixos/modules/services/networking/croc.nix b/nixos/modules/services/networking/croc.nix new file mode 100644 index 00000000000..d044979e10d --- /dev/null +++ b/nixos/modules/services/networking/croc.nix @@ -0,0 +1,86 @@ +{ config, lib, pkgs, ... }: +let + inherit (lib) types; + cfg = config.services.croc; + rootDir = "/run/croc"; +in +{ + options.services.croc = { + enable = lib.mkEnableOption "croc relay"; + ports = lib.mkOption { + type = with types; listOf port; + default = [9009 9010 9011 9012 9013]; + description = "Ports of the relay."; + }; + pass = lib.mkOption { + type = with types; either path str; + default = "pass123"; + description = "Password or passwordfile for the relay."; + }; + openFirewall = lib.mkEnableOption "opening of the peer port(s) in the firewall"; + debug = lib.mkEnableOption "debug logs"; + }; + + config = lib.mkIf cfg.enable { + systemd.services.croc = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.croc}/bin/croc --pass '${cfg.pass}' ${lib.optionalString cfg.debug "--debug"} relay --ports ${lib.concatMapStringsSep "," toString cfg.ports}"; + # The following options are only for optimizing: + # systemd-analyze security croc + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + DynamicUser = true; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + LockPersonality = true; + MemoryDenyWriteExecute = true; + MountAPIVFS = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateNetwork = lib.mkDefault false; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RootDirectory = rootDir; + # Avoid mounting rootDir in the own rootDir of ExecStart='s mount namespace. + InaccessiblePaths = [ "-+${rootDir}" ]; + BindReadOnlyPaths = [ + builtins.storeDir + ] ++ lib.optional (types.path.check cfg.pass) cfg.pass; + # This is for BindReadOnlyPaths= + # to allow traversal of directories they create in RootDirectory=. + UMask = "0066"; + # Create rootDir in the host's mount namespace. + RuntimeDirectory = [(baseNameOf rootDir)]; + RuntimeDirectoryMode = "700"; + SystemCallFilter = [ + "@system-service" + "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@setuid" "~@sync" "~@timer" + ]; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + }; + }; + + networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall cfg.ports; + }; + + meta.maintainers = with lib.maintainers; [ hax404 julm ]; +} diff --git a/nixos/modules/services/networking/dante.nix b/nixos/modules/services/networking/dante.nix new file mode 100644 index 00000000000..20d4faa1cdb --- /dev/null +++ b/nixos/modules/services/networking/dante.nix @@ -0,0 +1,62 @@ +{ config, lib, pkgs, ... }: +with lib; + +let + cfg = config.services.dante; + confFile = pkgs.writeText "dante-sockd.conf" '' + user.privileged: root + user.unprivileged: dante + logoutput: syslog + + ${cfg.config} + ''; +in + +{ + meta = { + maintainers = with maintainers; [ arobyn ]; + }; + + options = { + services.dante = { + enable = mkEnableOption "Dante SOCKS proxy"; + + config = mkOption { + type = types.lines; + description = '' + Contents of Dante's configuration file. + NOTE: user.privileged, user.unprivileged and logoutput are set by the service. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + assertions = [ + { assertion = cfg.config != ""; + message = "please provide Dante configuration file contents"; + } + ]; + + users.users.dante = { + description = "Dante SOCKS proxy daemon user"; + isSystemUser = true; + group = "dante"; + }; + users.groups.dante = {}; + + systemd.services.dante = { + description = "Dante SOCKS v4 and v5 compatible proxy server"; + after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.dante}/bin/sockd -f ${confFile}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + # Can crash sometimes; see https://github.com/NixOS/nixpkgs/pull/39005#issuecomment-381828708 + Restart = "on-failure"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix new file mode 100644 index 00000000000..d025c8f8177 --- /dev/null +++ b/nixos/modules/services/networking/ddclient.nix @@ -0,0 +1,239 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.services.ddclient; + boolToStr = bool: if bool then "yes" else "no"; + dataDir = "/var/lib/ddclient"; + StateDirectory = builtins.baseNameOf dataDir; + RuntimeDirectory = StateDirectory; + + configFile' = pkgs.writeText "ddclient.conf" '' + # This file can be used as a template for configFile or is automatically generated by Nix options. + cache=${dataDir}/ddclient.cache + foreground=YES + use=${cfg.use} + login=${cfg.username} + password=${lib.optionalString (cfg.protocol == "nsupdate") "/run/${RuntimeDirectory}/ddclient.key"} + protocol=${cfg.protocol} + ${lib.optionalString (cfg.script != "") "script=${cfg.script}"} + ${lib.optionalString (cfg.server != "") "server=${cfg.server}"} + ${lib.optionalString (cfg.zone != "") "zone=${cfg.zone}"} + ssl=${boolToStr cfg.ssl} + wildcard=YES + ipv6=${boolToStr cfg.ipv6} + quiet=${boolToStr cfg.quiet} + verbose=${boolToStr cfg.verbose} + ${cfg.extraConfig} + ${lib.concatStringsSep "," cfg.domains} + ''; + configFile = if (cfg.configFile != null) then cfg.configFile else configFile'; + + preStart = '' + install ${configFile} /run/${RuntimeDirectory}/ddclient.conf + ${lib.optionalString (cfg.configFile == null) (if (cfg.protocol == "nsupdate") then '' + install ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key + '' else if (cfg.passwordFile != null) then '' + password=$(printf "%q" "$(head -n 1 "${cfg.passwordFile}")") + sed -i "s|^password=$|password=$password|" /run/${RuntimeDirectory}/ddclient.conf + '' else '' + sed -i '/^password=$/d' /run/${RuntimeDirectory}/ddclient.conf + '')} + ''; + +in + +with lib; + +{ + + imports = [ + (mkChangedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ] + (config: + let value = getAttrFromPath [ "services" "ddclient" "domain" ] config; + in if value != "" then [ value ] else [])) + (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "") + (mkRemovedOptionModule [ "services" "ddclient" "password" ] "Use services.ddclient.passwordFile instead.") + ]; + + ###### interface + + options = { + + services.ddclient = with lib.types; { + + enable = mkOption { + default = false; + type = bool; + description = '' + Whether to synchronise your machine's IP address with a dynamic DNS provider (e.g. dyndns.org). + ''; + }; + + package = mkOption { + type = package; + default = pkgs.ddclient; + defaultText = "pkgs.ddclient"; + description = '' + The ddclient executable package run by the service. + ''; + }; + + domains = mkOption { + default = [ "" ]; + type = listOf str; + description = '' + Domain name(s) to synchronize. + ''; + }; + + username = mkOption { + # For `nsupdate` username contains the path to the nsupdate executable + default = lib.optionalString (config.services.ddclient.protocol == "nsupdate") "${pkgs.bind.dnsutils}/bin/nsupdate"; + defaultText = ""; + type = str; + description = '' + User name. + ''; + }; + + passwordFile = mkOption { + default = null; + type = nullOr str; + description = '' + A file containing the password or a TSIG key in named format when using the nsupdate protocol. + ''; + }; + + interval = mkOption { + default = "10min"; + type = str; + description = '' + The interval at which to run the check and update. + See <command>man 7 systemd.time</command> for the format. + ''; + }; + + configFile = mkOption { + default = null; + type = nullOr path; + description = '' + Path to configuration file. + When set this overrides the generated configuration from module options. + ''; + example = "/root/nixos/secrets/ddclient.conf"; + }; + + protocol = mkOption { + default = "dyndns2"; + type = str; + description = '' + Protocol to use with dynamic DNS provider (see https://sourceforge.net/p/ddclient/wiki/protocols). + ''; + }; + + server = mkOption { + default = ""; + type = str; + description = '' + Server address. + ''; + }; + + ssl = mkOption { + default = true; + type = bool; + description = '' + Whether to use SSL/TLS to connect to dynamic DNS provider. + ''; + }; + + ipv6 = mkOption { + default = false; + type = bool; + description = '' + Whether to use IPv6. + ''; + }; + + + quiet = mkOption { + default = false; + type = bool; + description = '' + Print no messages for unnecessary updates. + ''; + }; + + script = mkOption { + default = ""; + type = str; + description = '' + script as required by some providers. + ''; + }; + + use = mkOption { + default = "web, web=checkip.dyndns.com/, web-skip='Current IP Address: '"; + type = str; + description = '' + Method to determine the IP address to send to the dynamic DNS provider. + ''; + }; + + verbose = mkOption { + default = true; + type = bool; + description = '' + Print verbose information. + ''; + }; + + zone = mkOption { + default = ""; + type = str; + description = '' + zone as required by some providers. + ''; + }; + + extraConfig = mkOption { + default = ""; + type = lines; + description = '' + Extra configuration. Contents will be added verbatim to the configuration file. + ''; + }; + }; + }; + + + ###### implementation + + config = mkIf config.services.ddclient.enable { + systemd.services.ddclient = { + description = "Dynamic DNS Client"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + restartTriggers = optional (cfg.configFile != null) cfg.configFile; + + serviceConfig = { + DynamicUser = true; + RuntimeDirectoryMode = "0700"; + inherit RuntimeDirectory; + inherit StateDirectory; + Type = "oneshot"; + ExecStartPre = "!${pkgs.writeShellScript "ddclient-prestart" preStart}"; + ExecStart = "${lib.getBin cfg.package}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf"; + }; + }; + + systemd.timers.ddclient = { + description = "Run ddclient"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = cfg.interval; + OnUnitInactiveSec = cfg.interval; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix new file mode 100644 index 00000000000..3eb7ca99eaf --- /dev/null +++ b/nixos/modules/services/networking/dhcpcd.nix @@ -0,0 +1,250 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + dhcpcd = if !config.boot.isContainer then pkgs.dhcpcd else pkgs.dhcpcd.override { udev = null; }; + + cfg = config.networking.dhcpcd; + + interfaces = attrValues config.networking.interfaces; + + enableDHCP = config.networking.dhcpcd.enable && + (config.networking.useDHCP || any (i: i.useDHCP == true) interfaces); + + # Don't start dhcpcd on explicitly configured interfaces or on + # interfaces that are part of a bridge, bond or sit device. + ignoredInterfaces = + map (i: i.name) (filter (i: if i.useDHCP != null then !i.useDHCP else i.ipv4.addresses != [ ]) interfaces) + ++ mapAttrsToList (i: _: i) config.networking.sits + ++ concatLists (attrValues (mapAttrs (n: v: v.interfaces) config.networking.bridges)) + ++ flatten (concatMap (i: attrNames (filterAttrs (_: config: config.type != "internal") i.interfaces)) (attrValues config.networking.vswitches)) + ++ concatLists (attrValues (mapAttrs (n: v: v.interfaces) config.networking.bonds)) + ++ config.networking.dhcpcd.denyInterfaces; + + arrayAppendOrNull = a1: a2: if a1 == null && a2 == null then null + else if a1 == null then a2 else if a2 == null then a1 + else a1 ++ a2; + + # If dhcp is disabled but explicit interfaces are enabled, + # we need to provide dhcp just for those interfaces. + allowInterfaces = arrayAppendOrNull cfg.allowInterfaces + (if !config.networking.useDHCP && enableDHCP then + map (i: i.name) (filter (i: i.useDHCP == true) interfaces) else null); + + # Config file adapted from the one that ships with dhcpcd. + dhcpcdConf = pkgs.writeText "dhcpcd.conf" + '' + # Inform the DHCP server of our hostname for DDNS. + hostname + + # A list of options to request from the DHCP server. + option domain_name_servers, domain_name, domain_search, host_name + option classless_static_routes, ntp_servers, interface_mtu + + # A ServerID is required by RFC2131. + # Commented out because of many non-compliant DHCP servers in the wild :( + #require dhcp_server_identifier + + # A hook script is provided to lookup the hostname if not set by + # the DHCP server, but it should not be run by default. + nohook lookup-hostname + + # Ignore peth* devices; on Xen, they're renamed physical + # Ethernet cards used for bridging. Likewise for vif* and tap* + # (Xen) and virbr* and vnet* (libvirt). + denyinterfaces ${toString ignoredInterfaces} lo peth* vif* tap* tun* virbr* vnet* vboxnet* sit* + + # Use the list of allowed interfaces if specified + ${optionalString (allowInterfaces != null) "allowinterfaces ${toString allowInterfaces}"} + + # Immediately fork to background if specified, otherwise wait for IP address to be assigned + ${{ + background = "background"; + any = "waitip"; + ipv4 = "waitip 4"; + ipv6 = "waitip 6"; + both = "waitip 4\nwaitip 6"; + if-carrier-up = ""; + }.${cfg.wait}} + + ${optionalString (config.networking.enableIPv6 == false) '' + # Don't solicit or accept IPv6 Router Advertisements and DHCPv6 if disabled IPv6 + noipv6 + ''} + + ${cfg.extraConfig} + ''; + + exitHook = pkgs.writeText "dhcpcd.exit-hook" + '' + if [ "$reason" = BOUND -o "$reason" = REBOOT ]; then + # Restart ntpd. We need to restart it to make sure that it + # will actually do something: if ntpd cannot resolve the + # server hostnames in its config file, then it will never do + # anything ever again ("couldn't resolve ..., giving up on + # it"), so we silently lose time synchronisation. This also + # applies to openntpd. + /run/current-system/systemd/bin/systemctl try-reload-or-restart ntpd.service openntpd.service chronyd.service || true + fi + + ${cfg.runHook} + ''; + +in + +{ + + ###### interface + + options = { + + networking.dhcpcd.enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable dhcpcd for device configuration. This is mainly to + explicitly disable dhcpcd (for example when using networkd). + ''; + }; + + networking.dhcpcd.persistent = mkOption { + type = types.bool; + default = false; + description = '' + Whenever to leave interfaces configured on dhcpcd daemon + shutdown. Set to true if you have your root or store mounted + over the network or this machine accepts SSH connections + through DHCP interfaces and clients should be notified when + it shuts down. + ''; + }; + + networking.dhcpcd.denyInterfaces = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Disable the DHCP client for any interface whose name matches + any of the shell glob patterns in this list. The purpose of + this option is to blacklist virtual interfaces such as those + created by Xen, libvirt, LXC, etc. + ''; + }; + + networking.dhcpcd.allowInterfaces = mkOption { + type = types.nullOr (types.listOf types.str); + default = null; + description = '' + Enable the DHCP client for any interface whose name matches + any of the shell glob patterns in this list. Any interface not + explicitly matched by this pattern will be denied. This pattern only + applies when non-null. + ''; + }; + + networking.dhcpcd.extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Literal string to append to the config file generated for dhcpcd. + ''; + }; + + networking.dhcpcd.runHook = mkOption { + type = types.lines; + default = ""; + example = "if [[ $reason =~ BOUND ]]; then echo $interface: Routers are $new_routers - were $old_routers; fi"; + description = '' + Shell code that will be run after all other hooks. See + `man dhcpcd-run-hooks` for details on what is possible. + ''; + }; + + networking.dhcpcd.wait = mkOption { + type = types.enum [ "background" "any" "ipv4" "ipv6" "both" "if-carrier-up" ]; + default = "any"; + description = '' + This option specifies when the dhcpcd service will fork to background. + If set to "background", dhcpcd will fork to background immediately. + If set to "ipv4" or "ipv6", dhcpcd will wait for the corresponding IP + address to be assigned. If set to "any", dhcpcd will wait for any type + (IPv4 or IPv6) to be assigned. If set to "both", dhcpcd will wait for + both an IPv4 and an IPv6 address before forking. + The option "if-carrier-up" is equivalent to "any" if either ethernet + is plugged nor WiFi is powered, and to "background" otherwise. + ''; + }; + + }; + + + ###### implementation + + config = mkIf enableDHCP { + + assertions = [ { + # dhcpcd doesn't start properly with malloc ∉ [ libc scudo ] + # see https://github.com/NixOS/nixpkgs/issues/151696 + assertion = + dhcpcd.enablePrivSep + -> elem config.environment.memoryAllocator.provider [ "libc" "scudo" ]; + message = '' + dhcpcd with privilege separation is incompatible with chosen system malloc. + Currently only the `libc` and `scudo` allocators are known to work. + To disable dhcpcd's privilege separation, overlay Nixpkgs and override dhcpcd + to set `enablePrivSep = false`. + ''; + } ]; + + systemd.services.dhcpcd = let + cfgN = config.networking; + hasDefaultGatewaySet = (cfgN.defaultGateway != null && cfgN.defaultGateway.address != "") + && (!cfgN.enableIPv6 || (cfgN.defaultGateway6 != null && cfgN.defaultGateway6.address != "")); + in + { description = "DHCP Client"; + + wantedBy = [ "multi-user.target" ] ++ optional (!hasDefaultGatewaySet) "network-online.target"; + wants = [ "network.target" ]; + before = [ "network-online.target" ]; + + restartTriggers = [ exitHook ]; + + # Stopping dhcpcd during a reconfiguration is undesirable + # because it brings down the network interfaces configured by + # dhcpcd. So do a "systemctl restart" instead. + stopIfChanged = false; + + path = [ dhcpcd pkgs.nettools pkgs.openresolv ]; + + unitConfig.ConditionCapability = "CAP_NET_ADMIN"; + + serviceConfig = + { Type = "forking"; + PIDFile = "/run/dhcpcd/pid"; + RuntimeDirectory = "dhcpcd"; + ExecStart = "@${dhcpcd}/sbin/dhcpcd dhcpcd --quiet ${optionalString cfg.persistent "--persistent"} --config ${dhcpcdConf}"; + ExecReload = "${dhcpcd}/sbin/dhcpcd --rebind"; + Restart = "always"; + }; + }; + + users.users.dhcpcd = { + isSystemUser = true; + group = "dhcpcd"; + }; + users.groups.dhcpcd = {}; + + environment.systemPackages = [ dhcpcd ]; + + environment.etc."dhcpcd.exit-hook".source = exitHook; + + powerManagement.resumeCommands = mkIf config.systemd.services.dhcpcd.enable + '' + # Tell dhcpcd to rebind its interfaces if it's running. + /run/current-system/systemd/bin/systemctl reload dhcpcd.service + ''; + + }; + +} diff --git a/nixos/modules/services/networking/dhcpd.nix b/nixos/modules/services/networking/dhcpd.nix new file mode 100644 index 00000000000..3c4c0069dfd --- /dev/null +++ b/nixos/modules/services/networking/dhcpd.nix @@ -0,0 +1,221 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg4 = config.services.dhcpd4; + cfg6 = config.services.dhcpd6; + + writeConfig = cfg: pkgs.writeText "dhcpd.conf" + '' + default-lease-time 600; + max-lease-time 7200; + ${optionalString (!cfg.authoritative) "not "}authoritative; + ddns-update-style interim; + log-facility local1; # see dhcpd.nix + + ${cfg.extraConfig} + + ${lib.concatMapStrings + (machine: '' + host ${machine.hostName} { + hardware ethernet ${machine.ethernetAddress}; + fixed-address ${machine.ipAddress}; + } + '') + cfg.machines + } + ''; + + dhcpdService = postfix: cfg: + let + configFile = + if cfg.configFile != null + then cfg.configFile + else writeConfig cfg; + leaseFile = "/var/lib/dhcpd${postfix}/dhcpd.leases"; + args = [ + "@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}" + "-pf" "/run/dhcpd${postfix}/dhcpd.pid" + "-cf" configFile + "-lf" leaseFile + ] ++ cfg.extraFlags + ++ cfg.interfaces; + in + optionalAttrs cfg.enable { + "dhcpd${postfix}" = { + description = "DHCPv${postfix} server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + preStart = "touch ${leaseFile}"; + serviceConfig = { + ExecStart = concatMapStringsSep " " escapeShellArg args; + Type = "forking"; + Restart = "always"; + DynamicUser = true; + User = "dhcpd"; + Group = "dhcpd"; + AmbientCapabilities = [ + "CAP_NET_RAW" # to send ICMP messages + "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67) + ]; + StateDirectory = "dhcpd${postfix}"; + RuntimeDirectory = "dhcpd${postfix}"; + PIDFile = "/run/dhcpd${postfix}/dhcpd.pid"; + }; + }; + }; + + machineOpts = { ... }: { + + options = { + + hostName = mkOption { + type = types.str; + example = "foo"; + description = '' + Hostname which is assigned statically to the machine. + ''; + }; + + ethernetAddress = mkOption { + type = types.str; + example = "00:16:76:9a:32:1d"; + description = '' + MAC address of the machine. + ''; + }; + + ipAddress = mkOption { + type = types.str; + example = "192.168.1.10"; + description = '' + IP address of the machine. + ''; + }; + + }; + }; + + dhcpConfig = postfix: { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the DHCPv${postfix} server. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + option subnet-mask 255.255.255.0; + option broadcast-address 192.168.1.255; + option routers 192.168.1.5; + option domain-name-servers 130.161.158.4, 130.161.33.17, 130.161.180.1; + option domain-name "example.org"; + subnet 192.168.1.0 netmask 255.255.255.0 { + range 192.168.1.100 192.168.1.200; + } + ''; + description = '' + Extra text to be appended to the DHCP server configuration + file. Currently, you almost certainly need to specify something + there, such as the options specifying the subnet mask, DNS servers, + etc. + ''; + }; + + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Additional command line flags to be passed to the dhcpd daemon. + ''; + }; + + configFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + The path of the DHCP server configuration file. If no file + is specified, a file is generated using the other options. + ''; + }; + + interfaces = mkOption { + type = types.listOf types.str; + default = ["eth0"]; + description = '' + The interfaces on which the DHCP server should listen. + ''; + }; + + machines = mkOption { + type = with types; listOf (submodule machineOpts); + default = []; + example = [ + { hostName = "foo"; + ethernetAddress = "00:16:76:9a:32:1d"; + ipAddress = "192.168.1.10"; + } + { hostName = "bar"; + ethernetAddress = "00:19:d1:1d:c4:9a"; + ipAddress = "192.168.1.11"; + } + ]; + description = '' + A list mapping Ethernet addresses to IPv${postfix} addresses for the + DHCP server. + ''; + }; + + authoritative = mkOption { + type = types.bool; + default = true; + description = '' + Whether the DHCP server shall send DHCPNAK messages to misconfigured + clients. If this is not done, clients may be unable to get a correct + IP address after changing subnets until their old lease has expired. + ''; + }; + + }; + +in + +{ + + imports = [ + (mkRenamedOptionModule [ "services" "dhcpd" ] [ "services" "dhcpd4" ]) + ] ++ flip map [ "4" "6" ] (postfix: + mkRemovedOptionModule [ "services" "dhcpd${postfix}" "stateDir" ] '' + The DHCP server state directory is now managed with the systemd's DynamicUser mechanism. + This means the directory is named after the service (dhcpd${postfix}), created under + /var/lib/private/ and symlinked to /var/lib/. + '' + ); + + ###### interface + + options = { + + services.dhcpd4 = dhcpConfig "4"; + services.dhcpd6 = dhcpConfig "6"; + + }; + + + ###### implementation + + config = mkIf (cfg4.enable || cfg6.enable) { + + systemd.services = dhcpdService "4" cfg4 // dhcpdService "6" cfg6; + + }; + +} diff --git a/nixos/modules/services/networking/dnscache.nix b/nixos/modules/services/networking/dnscache.nix new file mode 100644 index 00000000000..7452210de47 --- /dev/null +++ b/nixos/modules/services/networking/dnscache.nix @@ -0,0 +1,108 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.dnscache; + + dnscache-root = pkgs.runCommand "dnscache-root" { preferLocalBuild = true; } '' + mkdir -p $out/{servers,ip} + + ${concatMapStrings (ip: '' + touch "$out/ip/"${lib.escapeShellArg ip} + '') cfg.clientIps} + + ${concatStrings (mapAttrsToList (host: ips: '' + ${concatMapStrings (ip: '' + echo ${lib.escapeShellArg ip} >> "$out/servers/"${lib.escapeShellArg host} + '') ips} + '') cfg.domainServers)} + + # if a list of root servers was not provided in config, copy it + # over. (this is also done by dnscache-conf, but we 'rm -rf + # /var/lib/dnscache/root' below & replace it wholesale with this, + # so we have to ensure servers/@ exists ourselves.) + if [ ! -e $out/servers/@ ]; then + # symlink does not work here, due chroot + cp ${pkgs.djbdns}/etc/dnsroots.global $out/servers/@; + fi + ''; + +in { + + ###### interface + + options = { + services.dnscache = { + + enable = mkOption { + default = false; + type = types.bool; + description = "Whether to run the dnscache caching dns server."; + }; + + ip = mkOption { + default = "0.0.0.0"; + type = types.str; + description = "IP address on which to listen for connections."; + }; + + clientIps = mkOption { + default = [ "127.0.0.1" ]; + type = types.listOf types.str; + description = "Client IP addresses (or prefixes) from which to accept connections."; + example = ["192.168" "172.23.75.82"]; + }; + + domainServers = mkOption { + default = { }; + type = types.attrsOf (types.listOf types.str); + description = '' + Table of {hostname: server} pairs to use as authoritative servers for hosts (and subhosts). + If entry for @ is not specified predefined list of root servers is used. + ''; + example = literalExpression '' + { + "@" = ["8.8.8.8" "8.8.4.4"]; + "example.com" = ["192.168.100.100"]; + } + ''; + }; + + forwardOnly = mkOption { + default = false; + type = types.bool; + description = '' + Whether to treat root servers (for @) as caching + servers, requesting addresses the same way a client does. This is + needed if you want to use e.g. Google DNS as your upstream DNS. + ''; + }; + + }; + }; + + ###### implementation + + config = mkIf config.services.dnscache.enable { + environment.systemPackages = [ pkgs.djbdns ]; + users.users.dnscache.isSystemUser = true; + + systemd.services.dnscache = { + description = "djbdns dnscache server"; + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ bash daemontools djbdns ]; + preStart = '' + rm -rf /var/lib/dnscache + dnscache-conf dnscache dnscache /var/lib/dnscache ${config.services.dnscache.ip} + rm -rf /var/lib/dnscache/root + ln -sf ${dnscache-root} /var/lib/dnscache/root + ''; + script = '' + cd /var/lib/dnscache/ + ${optionalString cfg.forwardOnly "export FORWARDONLY=1"} + exec ./run + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/dnscrypt-proxy2.nix b/nixos/modules/services/networking/dnscrypt-proxy2.nix new file mode 100644 index 00000000000..316e6e37f9d --- /dev/null +++ b/nixos/modules/services/networking/dnscrypt-proxy2.nix @@ -0,0 +1,124 @@ +{ config, lib, pkgs, ... }: with lib; + +let + cfg = config.services.dnscrypt-proxy2; +in + +{ + options.services.dnscrypt-proxy2 = { + enable = mkEnableOption "dnscrypt-proxy2"; + + settings = mkOption { + description = '' + Attrset that is converted and passed as TOML config file. + For available params, see: <link xlink:href="https://github.com/DNSCrypt/dnscrypt-proxy/blob/${pkgs.dnscrypt-proxy2.version}/dnscrypt-proxy/example-dnscrypt-proxy.toml"/> + ''; + example = literalExpression '' + { + sources.public-resolvers = { + urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ]; + cache_file = "public-resolvers.md"; + minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + refresh_delay = 72; + }; + } + ''; + type = types.attrs; + default = {}; + }; + + upstreamDefaults = mkOption { + description = '' + Whether to base the config declared in <option>services.dnscrypt-proxy2.settings</option> on the upstream example config (<link xlink:href="https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml"/>) + + Disable this if you want to declare your dnscrypt config from scratch. + ''; + type = types.bool; + default = true; + }; + + configFile = mkOption { + description = '' + Path to TOML config file. See: <link xlink:href="https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml"/> + If this option is set, it will override any configuration done in options.services.dnscrypt-proxy2.settings. + ''; + example = "/etc/dnscrypt-proxy/dnscrypt-proxy.toml"; + type = types.path; + default = pkgs.runCommand "dnscrypt-proxy.toml" { + json = builtins.toJSON cfg.settings; + passAsFile = [ "json" ]; + } '' + ${if cfg.upstreamDefaults then '' + ${pkgs.remarshal}/bin/toml2json ${pkgs.dnscrypt-proxy2.src}/dnscrypt-proxy/example-dnscrypt-proxy.toml > example.json + ${pkgs.jq}/bin/jq --slurp add example.json $jsonPath > config.json # merges the two + '' else '' + cp $jsonPath config.json + ''} + ${pkgs.remarshal}/bin/json2toml < config.json > $out + ''; + defaultText = literalDocBook "TOML file generated from <option>services.dnscrypt-proxy2.settings</option>"; + }; + }; + + config = mkIf cfg.enable { + + networking.nameservers = lib.mkDefault [ "127.0.0.1" ]; + + systemd.services.dnscrypt-proxy2 = { + description = "DNSCrypt-proxy client"; + wants = [ + "network-online.target" + "nss-lookup.target" + ]; + before = [ + "nss-lookup.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + serviceConfig = { + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + CacheDirectory = "dnscrypt-proxy"; + DynamicUser = true; + ExecStart = "${pkgs.dnscrypt-proxy2}/bin/dnscrypt-proxy -config ${cfg.configFile}"; + LockPersonality = true; + LogsDirectory = "dnscrypt-proxy"; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + NonBlocking = true; + PrivateDevices = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + Restart = "always"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RuntimeDirectory = "dnscrypt-proxy"; + StateDirectory = "dnscrypt-proxy"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "@chown" + "~@aio" + "~@keyring" + "~@memlock" + "~@resources" + "~@setuid" + "~@timer" + ]; + }; + }; + }; + + # uses attributes of the linked package + meta.buildDocsInSandbox = false; +} diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix new file mode 100644 index 00000000000..c2add170e9c --- /dev/null +++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix @@ -0,0 +1,286 @@ +{ config, lib, pkgs, ... }: +with lib; + +let + cfg = config.services.dnscrypt-wrapper; + dataDir = "/var/lib/dnscrypt-wrapper"; + + mkPath = path: default: + if path != null + then toString path + else default; + + publicKey = mkPath cfg.providerKey.public "${dataDir}/public.key"; + secretKey = mkPath cfg.providerKey.secret "${dataDir}/secret.key"; + + daemonArgs = with cfg; [ + "--listen-address=${address}:${toString port}" + "--resolver-address=${upstream.address}:${toString upstream.port}" + "--provider-name=${providerName}" + "--provider-publickey-file=${publicKey}" + "--provider-secretkey-file=${secretKey}" + "--provider-cert-file=${providerName}.crt" + "--crypt-secretkey-file=${providerName}.key" + ]; + + genKeys = '' + # generates time-limited keypairs + keyGen() { + dnscrypt-wrapper --gen-crypt-keypair \ + --crypt-secretkey-file=${cfg.providerName}.key + + dnscrypt-wrapper --gen-cert-file \ + --crypt-secretkey-file=${cfg.providerName}.key \ + --provider-cert-file=${cfg.providerName}.crt \ + --provider-publickey-file=${publicKey} \ + --provider-secretkey-file=${secretKey} \ + --cert-file-expire-days=${toString cfg.keys.expiration} + } + + cd ${dataDir} + + # generate provider keypair (first run only) + ${optionalString (cfg.providerKey.public == null || cfg.providerKey.secret == null) '' + if [ ! -f ${publicKey} ] || [ ! -f ${secretKey} ]; then + dnscrypt-wrapper --gen-provider-keypair + fi + ''} + + # generate new keys for rotation + if [ ! -f ${cfg.providerName}.key ] || [ ! -f ${cfg.providerName}.crt ]; then + keyGen + fi + ''; + + rotateKeys = '' + # check if keys are not expired + keyValid() { + fingerprint=$(dnscrypt-wrapper \ + --show-provider-publickey \ + --provider-publickey-file=${publicKey} \ + | awk '{print $(NF)}') + dnscrypt-proxy --test=${toString (cfg.keys.checkInterval + 1)} \ + --resolver-address=127.0.0.1:${toString cfg.port} \ + --provider-name=${cfg.providerName} \ + --provider-key=$fingerprint + } + + cd ${dataDir} + + # archive old keys and restart the service + if ! keyValid; then + echo "certificate soon to become invalid; backing up old cert" + mkdir -p oldkeys + mv -v ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key + mv -v ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt + systemctl restart dnscrypt-wrapper + fi + ''; + + + # This is the fork of the original dnscrypt-proxy maintained by Dyne.org. + # dnscrypt-proxy2 doesn't provide the `--test` feature that is needed to + # correctly implement key rotation of dnscrypt-wrapper ephemeral keys. + dnscrypt-proxy1 = pkgs.callPackage + ({ stdenv, fetchFromGitHub, autoreconfHook + , pkg-config, libsodium, ldns, openssl, systemd }: + + stdenv.mkDerivation rec { + pname = "dnscrypt-proxy"; + version = "2019-08-20"; + + src = fetchFromGitHub { + owner = "dyne"; + repo = "dnscrypt-proxy"; + rev = "07ac3825b5069adc28e2547c16b1d983a8ed8d80"; + sha256 = "0c4mq741q4rpmdn09agwmxap32kf0vgfz7pkhcdc5h54chc3g3xy"; + }; + + configureFlags = optional stdenv.isLinux "--with-systemd"; + + nativeBuildInputs = [ autoreconfHook pkg-config ]; + + # <ldns/ldns.h> depends on <openssl/ssl.h> + buildInputs = [ libsodium openssl.dev ldns ] ++ optional stdenv.isLinux systemd; + + postInstall = '' + # Previous versions required libtool files to load plugins; they are + # now strictly optional. + rm $out/lib/dnscrypt-proxy/*.la + ''; + + meta = { + description = "A tool for securing communications between a client and a DNS resolver"; + homepage = "https://github.com/dyne/dnscrypt-proxy"; + license = licenses.isc; + maintainers = with maintainers; [ rnhmjoj ]; + platforms = platforms.linux; + }; + }) { }; + +in { + + + ###### interface + + options.services.dnscrypt-wrapper = { + enable = mkEnableOption "DNSCrypt wrapper"; + + address = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + The DNSCrypt wrapper will bind to this IP address. + ''; + }; + + port = mkOption { + type = types.int; + default = 5353; + description = '' + The DNSCrypt wrapper will listen for DNS queries on this port. + ''; + }; + + providerName = mkOption { + type = types.str; + default = "2.dnscrypt-cert.${config.networking.hostName}"; + defaultText = literalExpression ''"2.dnscrypt-cert.''${config.networking.hostName}"''; + example = "2.dnscrypt-cert.myresolver"; + description = '' + The name that will be given to this DNSCrypt resolver. + Note: the resolver name must start with <literal>2.dnscrypt-cert.</literal>. + ''; + }; + + providerKey.public = mkOption { + type = types.nullOr types.path; + default = null; + example = "/etc/secrets/public.key"; + description = '' + The filepath to the provider public key. If not given a new + provider key pair will be generated on the first run. + ''; + }; + + providerKey.secret = mkOption { + type = types.nullOr types.path; + default = null; + example = "/etc/secrets/secret.key"; + description = '' + The filepath to the provider secret key. If not given a new + provider key pair will be generated on the first run. + ''; + }; + + upstream.address = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + The IP address of the upstream DNS server DNSCrypt will "wrap". + ''; + }; + + upstream.port = mkOption { + type = types.int; + default = 53; + description = '' + The port of the upstream DNS server DNSCrypt will "wrap". + ''; + }; + + keys.expiration = mkOption { + type = types.int; + default = 30; + description = '' + The duration (in days) of the time-limited secret key. + This will be automatically rotated before expiration. + ''; + }; + + keys.checkInterval = mkOption { + type = types.int; + default = 1440; + description = '' + The time interval (in minutes) between key expiration checks. + ''; + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + users.users.dnscrypt-wrapper = { + description = "dnscrypt-wrapper daemon user"; + home = "${dataDir}"; + createHome = true; + isSystemUser = true; + group = "dnscrypt-wrapper"; + }; + users.groups.dnscrypt-wrapper = { }; + + security.polkit.extraConfig = '' + // Allow dnscrypt-wrapper user to restart dnscrypt-wrapper.service + polkit.addRule(function(action, subject) { + if (action.id == "org.freedesktop.systemd1.manage-units" && + action.lookup("unit") == "dnscrypt-wrapper.service" && + subject.user == "dnscrypt-wrapper") { + return polkit.Result.YES; + } + }); + ''; + + systemd.services.dnscrypt-wrapper = { + description = "dnscrypt-wrapper daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.dnscrypt-wrapper ]; + + serviceConfig = { + User = "dnscrypt-wrapper"; + WorkingDirectory = dataDir; + Restart = "on-failure"; + ExecStart = "${pkgs.dnscrypt-wrapper}/bin/dnscrypt-wrapper ${toString daemonArgs}"; + }; + + preStart = genKeys; + }; + + + systemd.services.dnscrypt-wrapper-rotate = { + after = [ "network.target" ]; + requires = [ "dnscrypt-wrapper.service" ]; + description = "Rotates DNSCrypt wrapper keys if soon to expire"; + + path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk ]; + script = rotateKeys; + serviceConfig.User = "dnscrypt-wrapper"; + }; + + + systemd.timers.dnscrypt-wrapper-rotate = { + description = "Periodically check DNSCrypt wrapper keys for expiration"; + wantedBy = [ "multi-user.target" ]; + + timerConfig = { + Unit = "dnscrypt-wrapper-rotate.service"; + OnBootSec = "1min"; + OnUnitActiveSec = cfg.keys.checkInterval * 60; + }; + }; + + assertions = with cfg; [ + { assertion = (providerKey.public == null && providerKey.secret == null) || + (providerKey.secret != null && providerKey.public != null); + message = "The secret and public provider key must be set together."; + } + ]; + + }; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + +} diff --git a/nixos/modules/services/networking/dnsdist.nix b/nixos/modules/services/networking/dnsdist.nix new file mode 100644 index 00000000000..c7c6a79864c --- /dev/null +++ b/nixos/modules/services/networking/dnsdist.nix @@ -0,0 +1,53 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.dnsdist; + configFile = pkgs.writeText "dnsdist.conf" '' + setLocal('${cfg.listenAddress}:${toString cfg.listenPort}') + ${cfg.extraConfig} + ''; +in { + options = { + services.dnsdist = { + enable = mkEnableOption "dnsdist domain name server"; + + listenAddress = mkOption { + type = types.str; + description = "Listen IP Address"; + default = "0.0.0.0"; + }; + listenPort = mkOption { + type = types.int; + description = "Listen port"; + default = 53; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra lines to be added verbatim to dnsdist.conf. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.packages = [ pkgs.dnsdist ]; + + systemd.services.dnsdist = { + wantedBy = [ "multi-user.target" ]; + + startLimitIntervalSec = 0; + serviceConfig = { + DynamicUser = true; + + # upstream overrides for better nixos compatibility + ExecStartPre = [ "" "${pkgs.dnsdist}/bin/dnsdist --check-config --config ${configFile}" ]; + ExecStart = [ "" "${pkgs.dnsdist}/bin/dnsdist --supervised --disable-syslog --config ${configFile}" ]; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/dnsmasq.nix b/nixos/modules/services/networking/dnsmasq.nix new file mode 100644 index 00000000000..59a3ca2f28e --- /dev/null +++ b/nixos/modules/services/networking/dnsmasq.nix @@ -0,0 +1,130 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.dnsmasq; + dnsmasq = pkgs.dnsmasq; + stateDir = "/var/lib/dnsmasq"; + + dnsmasqConf = pkgs.writeText "dnsmasq.conf" '' + dhcp-leasefile=${stateDir}/dnsmasq.leases + ${optionalString cfg.resolveLocalQueries '' + conf-file=/etc/dnsmasq-conf.conf + resolv-file=/etc/dnsmasq-resolv.conf + ''} + ${flip concatMapStrings cfg.servers (server: '' + server=${server} + '')} + ${cfg.extraConfig} + ''; + +in + +{ + + ###### interface + + options = { + + services.dnsmasq = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run dnsmasq. + ''; + }; + + resolveLocalQueries = mkOption { + type = types.bool; + default = true; + description = '' + Whether dnsmasq should resolve local queries (i.e. add 127.0.0.1 to + /etc/resolv.conf). + ''; + }; + + servers = mkOption { + type = types.listOf types.str; + default = []; + example = [ "8.8.8.8" "8.8.4.4" ]; + description = '' + The DNS servers which dnsmasq should query. + ''; + }; + + alwaysKeepRunning = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, systemd will always respawn dnsmasq even if shut down manually. The default, disabled, will only restart it on error. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra configuration directives that should be added to + <literal>dnsmasq.conf</literal>. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + networking.nameservers = + optional cfg.resolveLocalQueries "127.0.0.1"; + + services.dbus.packages = [ dnsmasq ]; + + users.users.dnsmasq = { + isSystemUser = true; + group = "dnsmasq"; + description = "Dnsmasq daemon user"; + }; + users.groups.dnsmasq = {}; + + networking.resolvconf = mkIf cfg.resolveLocalQueries { + useLocalResolver = mkDefault true; + + extraConfig = '' + dnsmasq_conf=/etc/dnsmasq-conf.conf + dnsmasq_resolv=/etc/dnsmasq-resolv.conf + ''; + }; + + systemd.services.dnsmasq = { + description = "Dnsmasq Daemon"; + after = [ "network.target" "systemd-resolved.service" ]; + wantedBy = [ "multi-user.target" ]; + path = [ dnsmasq ]; + preStart = '' + mkdir -m 755 -p ${stateDir} + touch ${stateDir}/dnsmasq.leases + chown -R dnsmasq ${stateDir} + touch /etc/dnsmasq-{conf,resolv}.conf + dnsmasq --test + ''; + serviceConfig = { + Type = "dbus"; + BusName = "uk.org.thekelleys.dnsmasq"; + ExecStart = "${dnsmasq}/bin/dnsmasq -k --enable-dbus --user=dnsmasq -C ${dnsmasqConf}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + PrivateTmp = true; + ProtectSystem = true; + ProtectHome = true; + Restart = if cfg.alwaysKeepRunning then "always" else "on-failure"; + }; + restartTriggers = [ config.environment.etc.hosts.source ]; + }; + }; +} diff --git a/nixos/modules/services/networking/doh-proxy-rust.nix b/nixos/modules/services/networking/doh-proxy-rust.nix new file mode 100644 index 00000000000..efd492e23f8 --- /dev/null +++ b/nixos/modules/services/networking/doh-proxy-rust.nix @@ -0,0 +1,60 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.doh-proxy-rust; + +in { + + options.services.doh-proxy-rust = { + + enable = mkEnableOption "doh-proxy-rust"; + + flags = mkOption { + type = types.listOf types.str; + default = []; + example = [ "--server-address=9.9.9.9:53" ]; + description = '' + A list of command-line flags to pass to doh-proxy. For details on the + available options, see <link xlink:href="https://github.com/jedisct1/doh-server#usage"/>. + ''; + }; + + }; + + config = mkIf cfg.enable { + systemd.services.doh-proxy-rust = { + description = "doh-proxy-rust"; + after = [ "network.target" "nss-lookup.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.doh-proxy-rust}/bin/doh-proxy ${escapeShellArgs cfg.flags}"; + Restart = "always"; + RestartSec = 10; + DynamicUser = true; + + CapabilityBoundingSet = ""; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + ProtectClock = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + RemoveIPC = true; + RestrictAddressFamilies = "AF_INET AF_INET6"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ "@system-service" "~@privileged @resources" ]; + }; + }; + }; + + meta.maintainers = with maintainers; [ stephank ]; + +} diff --git a/nixos/modules/services/networking/ejabberd.nix b/nixos/modules/services/networking/ejabberd.nix new file mode 100644 index 00000000000..daf8d5c4247 --- /dev/null +++ b/nixos/modules/services/networking/ejabberd.nix @@ -0,0 +1,157 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.ejabberd; + + ctlcfg = pkgs.writeText "ejabberdctl.cfg" '' + ERL_EPMD_ADDRESS=127.0.0.1 + ${cfg.ctlConfig} + ''; + + ectl = ''${cfg.package}/bin/ejabberdctl ${optionalString (cfg.configFile != null) "--config ${cfg.configFile}"} --ctl-config "${ctlcfg}" --spool "${cfg.spoolDir}" --logs "${cfg.logsDir}"''; + + dumps = lib.escapeShellArgs cfg.loadDumps; + +in { + + ###### interface + + options = { + + services.ejabberd = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Whether to enable ejabberd server"; + }; + + package = mkOption { + type = types.package; + default = pkgs.ejabberd; + defaultText = literalExpression "pkgs.ejabberd"; + description = "ejabberd server package to use"; + }; + + user = mkOption { + type = types.str; + default = "ejabberd"; + description = "User under which ejabberd is ran"; + }; + + group = mkOption { + type = types.str; + default = "ejabberd"; + description = "Group under which ejabberd is ran"; + }; + + spoolDir = mkOption { + type = types.path; + default = "/var/lib/ejabberd"; + description = "Location of the spooldir of ejabberd"; + }; + + logsDir = mkOption { + type = types.path; + default = "/var/log/ejabberd"; + description = "Location of the logfile directory of ejabberd"; + }; + + configFile = mkOption { + type = types.nullOr types.path; + description = "Configuration file for ejabberd in YAML format"; + default = null; + }; + + ctlConfig = mkOption { + type = types.lines; + default = ""; + description = "Configuration of ejabberdctl"; + }; + + loadDumps = mkOption { + type = types.listOf types.path; + default = []; + description = "Configuration dumps that should be loaded on the first startup"; + example = literalExpression "[ ./myejabberd.dump ]"; + }; + + imagemagick = mkOption { + type = types.bool; + default = false; + description = "Add ImageMagick to server's path; allows for image thumbnailing"; + }; + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + + users.users = optionalAttrs (cfg.user == "ejabberd") { + ejabberd = { + group = cfg.group; + home = cfg.spoolDir; + createHome = true; + uid = config.ids.uids.ejabberd; + }; + }; + + users.groups = optionalAttrs (cfg.group == "ejabberd") { + ejabberd.gid = config.ids.gids.ejabberd; + }; + + systemd.services.ejabberd = { + description = "ejabberd server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + path = [ pkgs.findutils pkgs.coreutils ] ++ lib.optional cfg.imagemagick pkgs.imagemagick; + + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = "${ectl} foreground"; + ExecStop = "${ectl} stop"; + ExecReload = "${ectl} reload_config"; + }; + + preStart = '' + if [ -z "$(ls -A '${cfg.spoolDir}')" ]; then + touch "${cfg.spoolDir}/.firstRun" + fi + ''; + + postStart = '' + while ! ${ectl} status >/dev/null 2>&1; do + if ! kill -0 "$MAINPID"; then exit 1; fi + sleep 0.1 + done + + if [ -e "${cfg.spoolDir}/.firstRun" ]; then + rm "${cfg.spoolDir}/.firstRun" + for src in ${dumps}; do + find "$src" -type f | while read dump; do + echo "Loading configuration dump at $dump" + ${ectl} load "$dump" + done + done + fi + ''; + }; + + systemd.tmpfiles.rules = [ + "d '${cfg.logsDir}' 0750 ${cfg.user} ${cfg.group} -" + "d '${cfg.spoolDir}' 0700 ${cfg.user} ${cfg.group} -" + ]; + + security.pam.services.ejabberd = {}; + + }; + +} diff --git a/nixos/modules/services/networking/epmd.nix b/nixos/modules/services/networking/epmd.nix new file mode 100644 index 00000000000..75d78476e57 --- /dev/null +++ b/nixos/modules/services/networking/epmd.nix @@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.epmd; +in +{ + ###### interface + options.services.epmd = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable socket activation for Erlang Port Mapper Daemon (epmd), + which acts as a name server on all hosts involved in distributed + Erlang computations. + ''; + }; + package = mkOption { + type = types.package; + default = pkgs.erlang; + defaultText = literalExpression "pkgs.erlang"; + description = '' + The Erlang package to use to get epmd binary. That way you can re-use + an Erlang runtime that is already installed for other purposes. + ''; + }; + listenStream = mkOption + { + type = types.str; + default = "[::]:4369"; + description = '' + the listenStream used by the systemd socket. + see https://www.freedesktop.org/software/systemd/man/systemd.socket.html#ListenStream= for more informations. + use this to change the port epmd will run on. + if not defined, epmd will use "[::]:4369" + ''; + }; + }; + + ###### implementation + config = mkIf cfg.enable { + assertions = [{ + assertion = cfg.listenStream == "[::]:4369" -> config.networking.enableIPv6; + message = "epmd listens by default on ipv6, enable ipv6 or change config.services.epmd.listenStream"; + }]; + systemd.sockets.epmd = rec { + description = "Erlang Port Mapper Daemon Activation Socket"; + wantedBy = [ "sockets.target" ]; + before = wantedBy; + socketConfig = { + ListenStream = cfg.listenStream; + Accept = "false"; + }; + }; + + systemd.services.epmd = { + description = "Erlang Port Mapper Daemon"; + after = [ "network.target" ]; + requires = [ "epmd.socket" ]; + + serviceConfig = { + DynamicUser = true; + ExecStart = "${cfg.package}/bin/epmd -systemd"; + Type = "notify"; + }; + }; + }; + + meta.maintainers = teams.beam.members; +} diff --git a/nixos/modules/services/networking/ergo.nix b/nixos/modules/services/networking/ergo.nix new file mode 100644 index 00000000000..6e55a7cfff6 --- /dev/null +++ b/nixos/modules/services/networking/ergo.nix @@ -0,0 +1,143 @@ +{ config, lib, options, pkgs, ... }: + +let + cfg = config.services.ergo; + opt = options.services.ergo; + + inherit (lib) literalExpression mkEnableOption mkIf mkOption optionalString types; + + configFile = pkgs.writeText "ergo.conf" ('' +ergo { + directory = "${cfg.dataDir}" + node { + mining = false + } + wallet.secretStorage.secretDir = "${cfg.dataDir}/wallet/keystore" +} + +scorex { + network { + bindAddress = "${cfg.listen.ip}:${toString cfg.listen.port}" + } +'' + optionalString (cfg.api.keyHash != null) '' + restApi { + apiKeyHash = "${cfg.api.keyHash}" + bindAddress = "${cfg.api.listen.ip}:${toString cfg.api.listen.port}" + } +'' + '' +} +''); + +in { + + options = { + + services.ergo = { + enable = mkEnableOption "Ergo service"; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/ergo"; + description = "The data directory for the Ergo node."; + }; + + listen = { + ip = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "IP address on which the Ergo node should listen."; + }; + + port = mkOption { + type = types.port; + default = 9006; + description = "Listen port for the Ergo node."; + }; + }; + + api = { + keyHash = mkOption { + type = types.nullOr types.str; + default = null; + example = "324dcf027dd4a30a932c441f365a25e86b173defa4b8e58948253471b81b72cf"; + description = "Hex-encoded Blake2b256 hash of an API key as a 64-chars long Base16 string."; + }; + + listen = { + ip = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "IP address that the Ergo node API should listen on if <option>api.keyHash</option> is defined."; + }; + + port = mkOption { + type = types.port; + default = 9052; + description = "Listen port for the API endpoint if <option>api.keyHash</option> is defined."; + }; + }; + }; + + testnet = mkOption { + type = types.bool; + default = false; + description = "Connect to testnet network instead of the default mainnet."; + }; + + user = mkOption { + type = types.str; + default = "ergo"; + description = "The user as which to run the Ergo node."; + }; + + group = mkOption { + type = types.str; + default = cfg.user; + defaultText = literalExpression "config.${opt.user}"; + description = "The group as which to run the Ergo node."; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = "Open ports in the firewall for the Ergo node as well as the API."; + }; + }; + }; + + config = mkIf cfg.enable { + + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 0770 '${cfg.user}' '${cfg.group}' - -" + ]; + + systemd.services.ergo = { + description = "ergo server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = ''${pkgs.ergo}/bin/ergo \ + ${optionalString (!cfg.testnet) + "--mainnet"} \ + -c ${configFile}''; + }; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.listen.port ] ++ [ cfg.api.listen.port ]; + }; + + users.users.${cfg.user} = { + name = cfg.user; + group = cfg.group; + description = "Ergo daemon user"; + home = cfg.dataDir; + isSystemUser = true; + }; + + users.groups.${cfg.group} = {}; + + }; +} diff --git a/nixos/modules/services/networking/ergochat.nix b/nixos/modules/services/networking/ergochat.nix new file mode 100644 index 00000000000..cfaf69fc613 --- /dev/null +++ b/nixos/modules/services/networking/ergochat.nix @@ -0,0 +1,155 @@ +{ config, lib, options, pkgs, ... }: let + cfg = config.services.ergochat; +in { + options = { + services.ergochat = { + + enable = lib.mkEnableOption "Ergo IRC daemon"; + + openFilesLimit = lib.mkOption { + type = lib.types.int; + default = 1024; + description = '' + Maximum number of open files. Limits the clients and server connections. + ''; + }; + + configFile = lib.mkOption { + type = lib.types.path; + default = (pkgs.formats.yaml {}).generate "ergo.conf" cfg.settings; + defaultText = "generated config file from <literal>.settings</literal>"; + description = '' + Path to configuration file. + Setting this will skip any configuration done via <literal>.settings</literal> + ''; + }; + + settings = lib.mkOption { + type = (pkgs.formats.yaml {}).type; + description = '' + Ergo IRC daemon configuration file. + https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml + ''; + default = { + network = { + name = "testnetwork"; + }; + server = { + name = "example.com"; + listeners = { + ":6667" = {}; + }; + casemapping = "permissive"; + enforce-utf = true; + lookup-hostnames = false; + ip-cloaking = { + enabled = false; + }; + forward-confirm-hostnames = false; + check-ident = false; + relaymsg = { + enabled = false; + }; + max-sendq = "1M"; + ip-limits = { + count = false; + throttle = false; + }; + }; + datastore = { + autoupgrade = true; + # this points to the StateDirectory of the systemd service + path = "/var/lib/ergo/ircd.db"; + }; + accounts = { + authentication-enabled = true; + registration = { + enabled = true; + allow-before-connect = true; + throttling = { + enabled = true; + duration = "10m"; + max-attempts = 30; + }; + bcrypt-cost = 4; + email-verification.enabled = false; + }; + multiclient = { + enabled = true; + allowed-by-default = true; + always-on = "opt-out"; + auto-away = "opt-out"; + }; + }; + channels = { + default-modes = "+ntC"; + registration = { + enabled = true; + }; + }; + limits = { + nicklen = 32; + identlen = 20; + channellen = 64; + awaylen = 390; + kicklen = 390; + topiclen = 390; + }; + history = { + enabled = true; + channel-length = 2048; + client-length = 256; + autoresize-window = "3d"; + autoreplay-on-join = 0; + chathistory-maxmessages = 100; + znc-maxmessages = 2048; + restrictions = { + expire-time = "1w"; + query-cutoff = "none"; + grace-period = "1h"; + }; + retention = { + allow-individual-delete = false; + enable-account-indexing = false; + }; + tagmsg-storage = { + default = false; + whitelist = [ + "+draft/react" + "+react" + ]; + }; + }; + }; + }; + + }; + }; + config = lib.mkIf cfg.enable { + + environment.etc."ergo.yaml".source = cfg.configFile; + + # merge configured values with default values + services.ergochat.settings = + lib.mapAttrsRecursive (_: lib.mkDefault) options.services.ergochat.settings.default; + + systemd.services.ergochat = { + description = "Ergo IRC daemon"; + wantedBy = [ "multi-user.target" ]; + # reload is not applying the changed config. further investigation is needed + # at some point this should be enabled, since we don't want to restart for + # every config change + # reloadIfChanged = true; + restartTriggers = [ cfg.configFile ]; + serviceConfig = { + ExecStart = "${pkgs.ergochat}/bin/ergo run --conf /etc/ergo.yaml"; + ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; + DynamicUser = true; + StateDirectory = "ergo"; + LimitNOFILE = toString cfg.openFilesLimit; + }; + }; + + }; + meta.maintainers = with lib.maintainers; [ lassulus tv ]; +} diff --git a/nixos/modules/services/networking/eternal-terminal.nix b/nixos/modules/services/networking/eternal-terminal.nix new file mode 100644 index 00000000000..0dcf3d28f4e --- /dev/null +++ b/nixos/modules/services/networking/eternal-terminal.nix @@ -0,0 +1,95 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.eternal-terminal; + +in + +{ + + ###### interface + + options = { + + services.eternal-terminal = { + + enable = mkEnableOption "Eternal Terminal server"; + + port = mkOption { + default = 2022; + type = types.int; + description = '' + The port the server should listen on. Will use the server's default (2022) if not specified. + + Make sure to open this port in the firewall if necessary. + ''; + }; + + verbosity = mkOption { + default = 0; + type = types.enum (lib.range 0 9); + description = '' + The verbosity level (0-9). + ''; + }; + + silent = mkOption { + default = false; + type = types.bool; + description = '' + If enabled, disables all logging. + ''; + }; + + logSize = mkOption { + default = 20971520; + type = types.int; + description = '' + The maximum log size. + ''; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + # We need to ensure the et package is fully installed because + # the (remote) et client runs the `etterminal` binary when it + # connects. + environment.systemPackages = [ pkgs.eternal-terminal ]; + + systemd.services = { + eternal-terminal = { + description = "Eternal Terminal server."; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.eternal-terminal}/bin/etserver --daemon --cfgfile=${pkgs.writeText "et.cfg" '' + ; et.cfg : Config file for Eternal Terminal + ; + + [Networking] + port = ${toString cfg.port} + + [Debug] + verbose = ${toString cfg.verbosity} + silent = ${if cfg.silent then "1" else "0"} + logsize = ${toString cfg.logSize} + ''}"; + Restart = "on-failure"; + KillMode = "process"; + }; + }; + }; + }; + + meta = { + maintainers = with lib.maintainers; [ ]; + }; +} diff --git a/nixos/modules/services/networking/fakeroute.nix b/nixos/modules/services/networking/fakeroute.nix new file mode 100644 index 00000000000..7916ad4098a --- /dev/null +++ b/nixos/modules/services/networking/fakeroute.nix @@ -0,0 +1,65 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.fakeroute; + routeConf = pkgs.writeText "route.conf" (concatStringsSep "\n" cfg.route); + +in + +{ + + ###### interface + + options = { + + services.fakeroute = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the fakeroute service. + ''; + }; + + route = mkOption { + type = types.listOf types.str; + default = []; + example = [ + "216.102.187.130" + "4.0.1.122" + "198.116.142.34" + "63.199.8.242" + ]; + description = '' + Fake route that will appear after the real + one to any host running a traceroute. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + systemd.services.fakeroute = { + description = "Fakeroute Daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "forking"; + User = "root"; + ExecStart = "${pkgs.fakeroute}/bin/fakeroute -f ${routeConf}"; + }; + }; + + }; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + +} diff --git a/nixos/modules/services/networking/ferm.nix b/nixos/modules/services/networking/ferm.nix new file mode 100644 index 00000000000..8e03f30efc0 --- /dev/null +++ b/nixos/modules/services/networking/ferm.nix @@ -0,0 +1,63 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.ferm; + + configFile = pkgs.stdenv.mkDerivation { + name = "ferm.conf"; + text = cfg.config; + preferLocalBuild = true; + buildCommand = '' + echo -n "$text" > $out + ${cfg.package}/bin/ferm --noexec $out + ''; + }; +in { + options = { + services.ferm = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Whether to enable Ferm Firewall. + *Warning*: Enabling this service WILL disable the existing NixOS + firewall! Default firewall rules provided by packages are not + considered at the moment. + ''; + }; + config = mkOption { + description = "Verbatim ferm.conf configuration."; + default = ""; + defaultText = literalDocBook "empty firewall, allows any traffic"; + type = types.lines; + }; + package = mkOption { + description = "The ferm package."; + type = types.package; + default = pkgs.ferm; + defaultText = literalExpression "pkgs.ferm"; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.firewall.enable = false; + systemd.services.ferm = { + description = "Ferm Firewall"; + after = [ "ipset.target" ]; + before = [ "network-pre.target" ]; + wants = [ "network-pre.target" ]; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + serviceConfig = { + Type="oneshot"; + RemainAfterExit = "yes"; + ExecStart = "${cfg.package}/bin/ferm ${configFile}"; + ExecReload = "${cfg.package}/bin/ferm ${configFile}"; + ExecStop = "${cfg.package}/bin/ferm -F ${configFile}"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/fireqos.nix b/nixos/modules/services/networking/fireqos.nix new file mode 100644 index 00000000000..0b34f0b6b8b --- /dev/null +++ b/nixos/modules/services/networking/fireqos.nix @@ -0,0 +1,52 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.fireqos; + fireqosConfig = pkgs.writeText "fireqos.conf" "${cfg.config}"; +in { + options.services.fireqos = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, FireQOS will be launched with the specified + configuration given in `config`. + ''; + }; + + config = mkOption { + type = types.str; + default = ""; + example = '' + interface wlp3s0 world-in input rate 10mbit ethernet + class web commit 50kbit + match tcp ports 80,443 + + interface wlp3s0 world-out input rate 10mbit ethernet + class web commit 50kbit + match tcp ports 80,443 + ''; + description = '' + The FireQOS configuration goes here. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.fireqos = { + description = "FireQOS"; + after = [ "network.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "${pkgs.firehol}/bin/fireqos start ${fireqosConfig}"; + ExecStop = [ + "${pkgs.firehol}/bin/fireqos stop" + "${pkgs.firehol}/bin/fireqos clear_all_qos" + ]; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix new file mode 100644 index 00000000000..c213a5516a4 --- /dev/null +++ b/nixos/modules/services/networking/firewall.nix @@ -0,0 +1,584 @@ +/* This module enables a simple firewall. + + The firewall can be customised in arbitrary ways by setting + ‘networking.firewall.extraCommands’. For modularity, the firewall + uses several chains: + + - ‘nixos-fw’ is the main chain for input packet processing. + + - ‘nixos-fw-accept’ is called for accepted packets. If you want + additional logging, or want to reject certain packets anyway, you + can insert rules at the start of this chain. + + - ‘nixos-fw-log-refuse’ and ‘nixos-fw-refuse’ are called for + refused packets. (The former jumps to the latter after logging + the packet.) If you want additional logging, or want to accept + certain packets anyway, you can insert rules at the start of + this chain. + + - ‘nixos-fw-rpfilter’ is used as the main chain in the raw table, + called from the built-in ‘PREROUTING’ chain. If the kernel + supports it and `cfg.checkReversePath` is set this chain will + perform a reverse path filter test. + + - ‘nixos-drop’ is used while reloading the firewall in order to drop + all traffic. Since reloading isn't implemented in an atomic way + this'll prevent any traffic from leaking through while reloading + the firewall. However, if the reloading fails, the ‘firewall-stop’ + script will be called which in return will effectively disable the + complete firewall (in the default configuration). + +*/ + +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.networking.firewall; + + inherit (config.boot.kernelPackages) kernel; + + kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false); + + helpers = import ./helpers.nix { inherit config lib; }; + + writeShScript = name: text: let dir = pkgs.writeScriptBin name '' + #! ${pkgs.runtimeShell} -e + ${text} + ''; in "${dir}/bin/${name}"; + + defaultInterface = { default = mapAttrs (name: value: cfg.${name}) commonOptions; }; + allInterfaces = defaultInterface // cfg.interfaces; + + startScript = writeShScript "firewall-start" '' + ${helpers} + + # Flush the old firewall rules. !!! Ideally, updating the + # firewall would be atomic. Apparently that's possible + # with iptables-restore. + ip46tables -D INPUT -j nixos-fw 2> /dev/null || true + for chain in nixos-fw nixos-fw-accept nixos-fw-log-refuse nixos-fw-refuse; do + ip46tables -F "$chain" 2> /dev/null || true + ip46tables -X "$chain" 2> /dev/null || true + done + + + # The "nixos-fw-accept" chain just accepts packets. + ip46tables -N nixos-fw-accept + ip46tables -A nixos-fw-accept -j ACCEPT + + + # The "nixos-fw-refuse" chain rejects or drops packets. + ip46tables -N nixos-fw-refuse + + ${if cfg.rejectPackets then '' + # Send a reset for existing TCP connections that we've + # somehow forgotten about. Send ICMP "port unreachable" + # for everything else. + ip46tables -A nixos-fw-refuse -p tcp ! --syn -j REJECT --reject-with tcp-reset + ip46tables -A nixos-fw-refuse -j REJECT + '' else '' + ip46tables -A nixos-fw-refuse -j DROP + ''} + + + # The "nixos-fw-log-refuse" chain performs logging, then + # jumps to the "nixos-fw-refuse" chain. + ip46tables -N nixos-fw-log-refuse + + ${optionalString cfg.logRefusedConnections '' + ip46tables -A nixos-fw-log-refuse -p tcp --syn -j LOG --log-level info --log-prefix "refused connection: " + ''} + ${optionalString (cfg.logRefusedPackets && !cfg.logRefusedUnicastsOnly) '' + ip46tables -A nixos-fw-log-refuse -m pkttype --pkt-type broadcast \ + -j LOG --log-level info --log-prefix "refused broadcast: " + ip46tables -A nixos-fw-log-refuse -m pkttype --pkt-type multicast \ + -j LOG --log-level info --log-prefix "refused multicast: " + ''} + ip46tables -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse + ${optionalString cfg.logRefusedPackets '' + ip46tables -A nixos-fw-log-refuse \ + -j LOG --log-level info --log-prefix "refused packet: " + ''} + ip46tables -A nixos-fw-log-refuse -j nixos-fw-refuse + + + # The "nixos-fw" chain does the actual work. + ip46tables -N nixos-fw + + # Clean up rpfilter rules + ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true + ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true + ip46tables -t raw -X nixos-fw-rpfilter 2> /dev/null || true + + ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) '' + # Perform a reverse-path test to refuse spoofers + # For now, we just drop, as the raw table doesn't have a log-refuse yet + ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true + ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter --validmark ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN + + # Allows this host to act as a DHCP4 client without first having to use APIPA + iptables -t raw -A nixos-fw-rpfilter -p udp --sport 67 --dport 68 -j RETURN + + # Allows this host to act as a DHCPv4 server + iptables -t raw -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN + + ${optionalString cfg.logReversePathDrops '' + ip46tables -t raw -A nixos-fw-rpfilter -j LOG --log-level info --log-prefix "rpfilter drop: " + ''} + ip46tables -t raw -A nixos-fw-rpfilter -j DROP + + ip46tables -t raw -A PREROUTING -j nixos-fw-rpfilter + ''} + + # Accept all traffic on the trusted interfaces. + ${flip concatMapStrings cfg.trustedInterfaces (iface: '' + ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept + '')} + + # Accept packets from established or related connections. + ip46tables -A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept + + # Accept connections to the allowed TCP ports. + ${concatStrings (mapAttrsToList (iface: cfg: + concatMapStrings (port: + '' + ip46tables -A nixos-fw -p tcp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} + '' + ) cfg.allowedTCPPorts + ) allInterfaces)} + + # Accept connections to the allowed TCP port ranges. + ${concatStrings (mapAttrsToList (iface: cfg: + concatMapStrings (rangeAttr: + let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in + '' + ip46tables -A nixos-fw -p tcp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} + '' + ) cfg.allowedTCPPortRanges + ) allInterfaces)} + + # Accept packets on the allowed UDP ports. + ${concatStrings (mapAttrsToList (iface: cfg: + concatMapStrings (port: + '' + ip46tables -A nixos-fw -p udp --dport ${toString port} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} + '' + ) cfg.allowedUDPPorts + ) allInterfaces)} + + # Accept packets on the allowed UDP port ranges. + ${concatStrings (mapAttrsToList (iface: cfg: + concatMapStrings (rangeAttr: + let range = toString rangeAttr.from + ":" + toString rangeAttr.to; in + '' + ip46tables -A nixos-fw -p udp --dport ${range} -j nixos-fw-accept ${optionalString (iface != "default") "-i ${iface}"} + '' + ) cfg.allowedUDPPortRanges + ) allInterfaces)} + + # Optionally respond to ICMPv4 pings. + ${optionalString cfg.allowPing '' + iptables -w -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null) + "-m limit ${cfg.pingLimit} " + }-j nixos-fw-accept + ''} + + ${optionalString config.networking.enableIPv6 '' + # Accept all ICMPv6 messages except redirects and node + # information queries (type 139). See RFC 4890, section + # 4.4. + ip6tables -A nixos-fw -p icmpv6 --icmpv6-type redirect -j DROP + ip6tables -A nixos-fw -p icmpv6 --icmpv6-type 139 -j DROP + ip6tables -A nixos-fw -p icmpv6 -j nixos-fw-accept + + # Allow this host to act as a DHCPv6 client + ip6tables -A nixos-fw -d fe80::/64 -p udp --dport 546 -j nixos-fw-accept + ''} + + ${cfg.extraCommands} + + # Reject/drop everything else. + ip46tables -A nixos-fw -j nixos-fw-log-refuse + + + # Enable the firewall. + ip46tables -A INPUT -j nixos-fw + ''; + + stopScript = writeShScript "firewall-stop" '' + ${helpers} + + # Clean up in case reload fails + ip46tables -D INPUT -j nixos-drop 2>/dev/null || true + + # Clean up after added ruleset + ip46tables -D INPUT -j nixos-fw 2>/dev/null || true + + ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) '' + ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2>/dev/null || true + ''} + + ${cfg.extraStopCommands} + ''; + + reloadScript = writeShScript "firewall-reload" '' + ${helpers} + + # Create a unique drop rule + ip46tables -D INPUT -j nixos-drop 2>/dev/null || true + ip46tables -F nixos-drop 2>/dev/null || true + ip46tables -X nixos-drop 2>/dev/null || true + ip46tables -N nixos-drop + ip46tables -A nixos-drop -j DROP + + # Don't allow traffic to leak out until the script has completed + ip46tables -A INPUT -j nixos-drop + + ${cfg.extraStopCommands} + + if ${startScript}; then + ip46tables -D INPUT -j nixos-drop 2>/dev/null || true + else + echo "Failed to reload firewall... Stopping" + ${stopScript} + exit 1 + fi + ''; + + canonicalizePortList = + ports: lib.unique (builtins.sort builtins.lessThan ports); + + commonOptions = { + allowedTCPPorts = mkOption { + type = types.listOf types.port; + default = [ ]; + apply = canonicalizePortList; + example = [ 22 80 ]; + description = + '' + List of TCP ports on which incoming connections are + accepted. + ''; + }; + + allowedTCPPortRanges = mkOption { + type = types.listOf (types.attrsOf types.port); + default = [ ]; + example = [ { from = 8999; to = 9003; } ]; + description = + '' + A range of TCP ports on which incoming connections are + accepted. + ''; + }; + + allowedUDPPorts = mkOption { + type = types.listOf types.port; + default = [ ]; + apply = canonicalizePortList; + example = [ 53 ]; + description = + '' + List of open UDP ports. + ''; + }; + + allowedUDPPortRanges = mkOption { + type = types.listOf (types.attrsOf types.port); + default = [ ]; + example = [ { from = 60000; to = 61000; } ]; + description = + '' + Range of open UDP ports. + ''; + }; + }; + +in + +{ + + ###### interface + + options = { + + networking.firewall = { + enable = mkOption { + type = types.bool; + default = true; + description = + '' + Whether to enable the firewall. This is a simple stateful + firewall that blocks connection attempts to unauthorised TCP + or UDP ports on this machine. It does not affect packet + forwarding. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.iptables; + defaultText = literalExpression "pkgs.iptables"; + example = literalExpression "pkgs.iptables-legacy"; + description = + '' + The iptables package to use for running the firewall service." + ''; + }; + + logRefusedConnections = mkOption { + type = types.bool; + default = true; + description = + '' + Whether to log rejected or dropped incoming connections. + Note: The logs are found in the kernel logs, i.e. dmesg + or journalctl -k. + ''; + }; + + logRefusedPackets = mkOption { + type = types.bool; + default = false; + description = + '' + Whether to log all rejected or dropped incoming packets. + This tends to give a lot of log messages, so it's mostly + useful for debugging. + Note: The logs are found in the kernel logs, i.e. dmesg + or journalctl -k. + ''; + }; + + logRefusedUnicastsOnly = mkOption { + type = types.bool; + default = true; + description = + '' + If <option>networking.firewall.logRefusedPackets</option> + and this option are enabled, then only log packets + specifically directed at this machine, i.e., not broadcasts + or multicasts. + ''; + }; + + rejectPackets = mkOption { + type = types.bool; + default = false; + description = + '' + If set, refused packets are rejected rather than dropped + (ignored). This means that an ICMP "port unreachable" error + message is sent back to the client (or a TCP RST packet in + case of an existing connection). Rejecting packets makes + port scanning somewhat easier. + ''; + }; + + trustedInterfaces = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "enp0s2" ]; + description = + '' + Traffic coming in from these interfaces will be accepted + unconditionally. Traffic from the loopback (lo) interface + will always be accepted. + ''; + }; + + allowPing = mkOption { + type = types.bool; + default = true; + description = + '' + Whether to respond to incoming ICMPv4 echo requests + ("pings"). ICMPv6 pings are always allowed because the + larger address space of IPv6 makes network scanning much + less effective. + ''; + }; + + pingLimit = mkOption { + type = types.nullOr (types.separatedString " "); + default = null; + example = "--limit 1/minute --limit-burst 5"; + description = + '' + If pings are allowed, this allows setting rate limits + on them. If non-null, this option should be in the form of + flags like "--limit 1/minute --limit-burst 5" + ''; + }; + + checkReversePath = mkOption { + type = types.either types.bool (types.enum ["strict" "loose"]); + default = kernelHasRPFilter; + defaultText = literalDocBook "<literal>true</literal> if supported by the chosen kernel"; + example = "loose"; + description = + '' + Performs a reverse path filter test on a packet. If a reply + to the packet would not be sent via the same interface that + the packet arrived on, it is refused. + + If using asymmetric routing or other complicated routing, set + this option to loose mode or disable it and setup your own + counter-measures. + + This option can be either true (or "strict"), "loose" (only + drop the packet if the source address is not reachable via any + interface) or false. Defaults to the value of + kernelHasRPFilter. + ''; + }; + + logReversePathDrops = mkOption { + type = types.bool; + default = false; + description = + '' + Logs dropped packets failing the reverse path filter test if + the option networking.firewall.checkReversePath is enabled. + ''; + }; + + connectionTrackingModules = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; + description = + '' + List of connection-tracking helpers that are auto-loaded. + The complete list of possible values is given in the example. + + As helpers can pose as a security risk, it is advised to + set this to an empty list and disable the setting + networking.firewall.autoLoadConntrackHelpers unless you + know what you are doing. Connection tracking is disabled + by default. + + Loading of helpers is recommended to be done through the + CT target. More info: + https://home.regit.org/netfilter-en/secure-use-of-helpers/ + ''; + }; + + autoLoadConntrackHelpers = mkOption { + type = types.bool; + default = false; + description = + '' + Whether to auto-load connection-tracking helpers. + See the description at networking.firewall.connectionTrackingModules + + (needs kernel 3.5+) + ''; + }; + + extraCommands = mkOption { + type = types.lines; + default = ""; + example = "iptables -A INPUT -p icmp -j ACCEPT"; + description = + '' + Additional shell commands executed as part of the firewall + initialisation script. These are executed just before the + final "reject" firewall rule is added, so they can be used + to allow packets that would otherwise be refused. + ''; + }; + + extraPackages = mkOption { + type = types.listOf types.package; + default = [ ]; + example = literalExpression "[ pkgs.ipset ]"; + description = + '' + Additional packages to be included in the environment of the system + as well as the path of networking.firewall.extraCommands. + ''; + }; + + extraStopCommands = mkOption { + type = types.lines; + default = ""; + example = "iptables -P INPUT ACCEPT"; + description = + '' + Additional shell commands executed as part of the firewall + shutdown script. These are executed just after the removal + of the NixOS input rule, or if the service enters a failed + state. + ''; + }; + + interfaces = mkOption { + default = { }; + type = with types; attrsOf (submodule [ { options = commonOptions; } ]); + description = + '' + Interface-specific open ports. + ''; + }; + } // commonOptions; + + }; + + + ###### implementation + + # FIXME: Maybe if `enable' is false, the firewall should still be + # built but not started by default? + config = mkIf cfg.enable { + + networking.firewall.trustedInterfaces = [ "lo" ]; + + environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages; + + boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack") + ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; + boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers '' + options nf_conntrack nf_conntrack_helper=1 + ''; + + assertions = [ + # This is approximately "checkReversePath -> kernelHasRPFilter", + # but the checkReversePath option can include non-boolean + # values. + { assertion = cfg.checkReversePath == false || kernelHasRPFilter; + message = "This kernel does not support rpfilter"; } + ]; + + systemd.services.firewall = { + description = "Firewall"; + wantedBy = [ "sysinit.target" ]; + wants = [ "network-pre.target" ]; + before = [ "network-pre.target" ]; + after = [ "systemd-modules-load.service" ]; + + path = [ cfg.package ] ++ cfg.extraPackages; + + # FIXME: this module may also try to load kernel modules, but + # containers don't have CAP_SYS_MODULE. So the host system had + # better have all necessary modules already loaded. + unitConfig.ConditionCapability = "CAP_NET_ADMIN"; + unitConfig.DefaultDependencies = false; + + reloadIfChanged = true; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "@${startScript} firewall-start"; + ExecReload = "@${reloadScript} firewall-reload"; + ExecStop = "@${stopScript} firewall-stop"; + }; + }; + + }; + +} diff --git a/nixos/modules/services/networking/flannel.nix b/nixos/modules/services/networking/flannel.nix new file mode 100644 index 00000000000..ac84b3d35a3 --- /dev/null +++ b/nixos/modules/services/networking/flannel.nix @@ -0,0 +1,192 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.flannel; + + networkConfig = filterAttrs (n: v: v != null) { + Network = cfg.network; + SubnetLen = cfg.subnetLen; + SubnetMin = cfg.subnetMin; + SubnetMax = cfg.subnetMax; + Backend = cfg.backend; + }; +in { + options.services.flannel = { + enable = mkEnableOption "flannel"; + + package = mkOption { + description = "Package to use for flannel"; + type = types.package; + default = pkgs.flannel; + defaultText = literalExpression "pkgs.flannel"; + }; + + publicIp = mkOption { + description = '' + IP accessible by other nodes for inter-host communication. + Defaults to the IP of the interface being used for communication. + ''; + type = types.nullOr types.str; + default = null; + }; + + iface = mkOption { + description = '' + Interface to use (IP or name) for inter-host communication. + Defaults to the interface for the default route on the machine. + ''; + type = types.nullOr types.str; + default = null; + }; + + etcd = { + endpoints = mkOption { + description = "Etcd endpoints"; + type = types.listOf types.str; + default = ["http://127.0.0.1:2379"]; + }; + + prefix = mkOption { + description = "Etcd key prefix"; + type = types.str; + default = "/coreos.com/network"; + }; + + caFile = mkOption { + description = "Etcd certificate authority file"; + type = types.nullOr types.path; + default = null; + }; + + certFile = mkOption { + description = "Etcd cert file"; + type = types.nullOr types.path; + default = null; + }; + + keyFile = mkOption { + description = "Etcd key file"; + type = types.nullOr types.path; + default = null; + }; + }; + + kubeconfig = mkOption { + description = '' + Path to kubeconfig to use for storing flannel config using the + Kubernetes API + ''; + type = types.nullOr types.path; + default = null; + }; + + network = mkOption { + description = " IPv4 network in CIDR format to use for the entire flannel network."; + type = types.str; + }; + + nodeName = mkOption { + description = '' + Needed when running with Kubernetes as backend as this cannot be auto-detected"; + ''; + type = types.nullOr types.str; + default = with config.networking; (hostName + optionalString (domain != null) ".${domain}"); + defaultText = literalExpression '' + with config.networking; (hostName + optionalString (domain != null) ".''${domain}") + ''; + example = "node1.example.com"; + }; + + storageBackend = mkOption { + description = "Determines where flannel stores its configuration at runtime"; + type = types.enum ["etcd" "kubernetes"]; + default = "etcd"; + }; + + subnetLen = mkOption { + description = '' + The size of the subnet allocated to each host. Defaults to 24 (i.e. /24) + unless the Network was configured to be smaller than a /24 in which case + it is one less than the network. + ''; + type = types.int; + default = 24; + }; + + subnetMin = mkOption { + description = '' + The beginning of IP range which the subnet allocation should start with. + Defaults to the first subnet of Network. + ''; + type = types.nullOr types.str; + default = null; + }; + + subnetMax = mkOption { + description = '' + The end of IP range which the subnet allocation should start with. + Defaults to the last subnet of Network. + ''; + type = types.nullOr types.str; + default = null; + }; + + backend = mkOption { + description = "Type of backend to use and specific configurations for that backend."; + type = types.attrs; + default = { + Type = "vxlan"; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.flannel = { + description = "Flannel Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + environment = { + FLANNELD_PUBLIC_IP = cfg.publicIp; + FLANNELD_IFACE = cfg.iface; + } // optionalAttrs (cfg.storageBackend == "etcd") { + FLANNELD_ETCD_ENDPOINTS = concatStringsSep "," cfg.etcd.endpoints; + FLANNELD_ETCD_KEYFILE = cfg.etcd.keyFile; + FLANNELD_ETCD_CERTFILE = cfg.etcd.certFile; + FLANNELD_ETCD_CAFILE = cfg.etcd.caFile; + ETCDCTL_CERT_FILE = cfg.etcd.certFile; + ETCDCTL_KEY_FILE = cfg.etcd.keyFile; + ETCDCTL_CA_FILE = cfg.etcd.caFile; + ETCDCTL_PEERS = concatStringsSep "," cfg.etcd.endpoints; + } // optionalAttrs (cfg.storageBackend == "kubernetes") { + FLANNELD_KUBE_SUBNET_MGR = "true"; + FLANNELD_KUBECONFIG_FILE = cfg.kubeconfig; + NODE_NAME = cfg.nodeName; + }; + path = [ pkgs.iptables ]; + preStart = optionalString (cfg.storageBackend == "etcd") '' + echo "setting network configuration" + until ${pkgs.etcd}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}' + do + echo "setting network configuration, retry" + sleep 1 + done + ''; + serviceConfig = { + ExecStart = "${cfg.package}/bin/flannel"; + Restart = "always"; + RestartSec = "10s"; + RuntimeDirectory = "flannel"; + }; + }; + + services.etcd.enable = mkDefault (cfg.storageBackend == "etcd" && cfg.etcd.endpoints == ["http://127.0.0.1:2379"]); + + # for some reason, flannel doesn't let you configure this path + # see: https://github.com/coreos/flannel/blob/master/Documentation/configuration.md#configuration + environment.etc."kube-flannel/net-conf.json" = mkIf (cfg.storageBackend == "kubernetes") { + source = pkgs.writeText "net-conf.json" (builtins.toJSON networkConfig); + }; + }; +} diff --git a/nixos/modules/services/networking/freenet.nix b/nixos/modules/services/networking/freenet.nix new file mode 100644 index 00000000000..3da3ab0c7df --- /dev/null +++ b/nixos/modules/services/networking/freenet.nix @@ -0,0 +1,64 @@ +# NixOS module for Freenet daemon + +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.freenet; + varDir = "/var/lib/freenet"; + +in + +{ + + ### configuration + + options = { + + services.freenet = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Enable the Freenet daemon"; + }; + + nice = mkOption { + type = types.int; + default = 10; + description = "Set the nice level for the Freenet daemon"; + }; + + }; + + }; + + ### implementation + + config = mkIf cfg.enable { + + systemd.services.freenet = { + description = "Freenet daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = "${pkgs.freenet}/bin/freenet"; + serviceConfig.User = "freenet"; + serviceConfig.UMask = "0007"; + serviceConfig.WorkingDirectory = varDir; + serviceConfig.Nice = cfg.nice; + }; + + users.users.freenet = { + group = "freenet"; + description = "Freenet daemon user"; + home = varDir; + createHome = true; + uid = config.ids.uids.freenet; + }; + + users.groups.freenet.gid = config.ids.gids.freenet; + }; + +} diff --git a/nixos/modules/services/networking/freeradius.nix b/nixos/modules/services/networking/freeradius.nix new file mode 100644 index 00000000000..7fa3a8fa17f --- /dev/null +++ b/nixos/modules/services/networking/freeradius.nix @@ -0,0 +1,86 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.freeradius; + + freeradiusService = cfg: + { + description = "FreeRadius server"; + wantedBy = ["multi-user.target"]; + after = ["network.target"]; + wants = ["network.target"]; + preStart = '' + ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout + ''; + + serviceConfig = { + ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout" + + optionalString cfg.debug " -xx"; + ExecReload = [ + "${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout" + "${pkgs.coreutils}/bin/kill -HUP $MAINPID" + ]; + User = "radius"; + ProtectSystem = "full"; + ProtectHome = "on"; + Restart = "on-failure"; + RestartSec = 2; + LogsDirectory = "radius"; + }; + }; + + freeradiusConfig = { + enable = mkEnableOption "the freeradius server"; + + configDir = mkOption { + type = types.path; + default = "/etc/raddb"; + description = '' + The path of the freeradius server configuration directory. + ''; + }; + + debug = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable debug logging for freeradius (-xx + option). This should not be left on, since it includes + sensitive data such as passwords in the logs. + ''; + }; + + }; + +in + +{ + + ###### interface + + options = { + services.freeradius = freeradiusConfig; + }; + + + ###### implementation + + config = mkIf (cfg.enable) { + + users = { + users.radius = { + /*uid = config.ids.uids.radius;*/ + description = "Radius daemon user"; + isSystemUser = true; + }; + }; + + systemd.services.freeradius = freeradiusService cfg; + warnings = optional cfg.debug "Freeradius debug logging is enabled. This will log passwords in plaintext to the journal!"; + + }; + +} diff --git a/nixos/modules/services/networking/frr.nix b/nixos/modules/services/networking/frr.nix new file mode 100644 index 00000000000..45a82b9450a --- /dev/null +++ b/nixos/modules/services/networking/frr.nix @@ -0,0 +1,211 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.frr; + + services = [ + "static" + "bgp" + "ospf" + "ospf6" + "rip" + "ripng" + "isis" + "pim" + "ldp" + "nhrp" + "eigrp" + "babel" + "sharp" + "pbr" + "bfd" + "fabric" + ]; + + allServices = services ++ [ "zebra" ]; + + isEnabled = service: cfg.${service}.enable; + + daemonName = service: if service == "zebra" then service else "${service}d"; + + configFile = service: + let + scfg = cfg.${service}; + in + if scfg.configFile != null then scfg.configFile + else pkgs.writeText "${daemonName service}.conf" + '' + ! FRR ${daemonName service} configuration + ! + hostname ${config.networking.hostName} + log syslog + service password-encryption + ! + ${scfg.config} + ! + end + ''; + + serviceOptions = service: + { + enable = mkEnableOption "the FRR ${toUpper service} routing protocol"; + + configFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/etc/frr/${daemonName service}.conf"; + description = '' + Configuration file to use for FRR ${daemonName service}. + By default the NixOS generated files are used. + ''; + }; + + config = mkOption { + type = types.lines; + default = ""; + example = + let + examples = { + rip = '' + router rip + network 10.0.0.0/8 + ''; + + ospf = '' + router ospf + network 10.0.0.0/8 area 0 + ''; + + bgp = '' + router bgp 65001 + neighbor 10.0.0.1 remote-as 65001 + ''; + }; + in + examples.${service} or ""; + description = '' + ${daemonName service} configuration statements. + ''; + }; + + vtyListenAddress = mkOption { + type = types.str; + default = "localhost"; + description = '' + Address to bind to for the VTY interface. + ''; + }; + + vtyListenPort = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + TCP Port to bind to for the VTY interface. + ''; + }; + }; + +in + +{ + + ###### interface + imports = [ + { + options.services.frr = { + zebra = (serviceOptions "zebra") // { + enable = mkOption { + type = types.bool; + default = any isEnabled services; + description = '' + Whether to enable the Zebra routing manager. + + The Zebra routing manager is automatically enabled + if any routing protocols are configured. + ''; + }; + }; + }; + } + { options.services.frr = (genAttrs services serviceOptions); } + ]; + + ###### implementation + + config = mkIf (any isEnabled allServices) { + + environment.systemPackages = [ + pkgs.frr # for the vtysh tool + ]; + + users.users.frr = { + description = "FRR daemon user"; + isSystemUser = true; + group = "frr"; + }; + + users.groups = { + frr = {}; + # Members of the frrvty group can use vtysh to inspect the FRR daemons + frrvty = { members = [ "frr" ]; }; + }; + + environment.etc = let + mkEtcLink = service: { + name = "frr/${service}.conf"; + value.source = configFile service; + }; + in + (builtins.listToAttrs + (map mkEtcLink (filter isEnabled allServices))) // { + "frr/vtysh.conf".text = ""; + }; + + systemd.tmpfiles.rules = [ + "d /run/frr 0750 frr frr -" + ]; + + systemd.services = + let + frrService = service: + let + scfg = cfg.${service}; + daemon = daemonName service; + in + nameValuePair daemon ({ + wantedBy = [ "multi-user.target" ]; + after = [ "network-pre.target" "systemd-sysctl.service" ] ++ lib.optionals (service != "zebra") [ "zebra.service" ]; + bindsTo = lib.optionals (service != "zebra") [ "zebra.service" ]; + wants = [ "network.target" ]; + + description = if service == "zebra" then "FRR Zebra routing manager" + else "FRR ${toUpper service} routing daemon"; + + unitConfig.Documentation = if service == "zebra" then "man:zebra(8)" + else "man:${daemon}(8) man:zebra(8)"; + + restartTriggers = [ + (configFile service) + ]; + reloadIfChanged = true; + + serviceConfig = { + PIDFile = "frr/${daemon}.pid"; + ExecStart = "${pkgs.frr}/libexec/frr/${daemon} -f /etc/frr/${service}.conf" + + optionalString (scfg.vtyListenAddress != "") " -A ${scfg.vtyListenAddress}" + + optionalString (scfg.vtyListenPort != null) " -P ${toString scfg.vtyListenPort}"; + ExecReload = "${pkgs.python3.interpreter} ${pkgs.frr}/libexec/frr/frr-reload.py --reload --daemon ${daemonName service} --bindir ${pkgs.frr}/bin --rundir /run/frr /etc/frr/${service}.conf"; + Restart = "on-abnormal"; + }; + }); + in + listToAttrs (map frrService (filter isEnabled allServices)); + + }; + + meta.maintainers = with lib.maintainers; [ woffs ]; + +} diff --git a/nixos/modules/services/networking/gateone.nix b/nixos/modules/services/networking/gateone.nix new file mode 100644 index 00000000000..3e3a3c1aa94 --- /dev/null +++ b/nixos/modules/services/networking/gateone.nix @@ -0,0 +1,59 @@ +{ config, lib, pkgs, ...}: +with lib; +let + cfg = config.services.gateone; +in +{ +options = { + services.gateone = { + enable = mkEnableOption "GateOne server"; + pidDir = mkOption { + default = "/run/gateone"; + type = types.path; + description = "Path of pid files for GateOne."; + }; + settingsDir = mkOption { + default = "/var/lib/gateone"; + type = types.path; + description = "Path of configuration files for GateOne."; + }; + }; +}; +config = mkIf cfg.enable { + environment.systemPackages = with pkgs.pythonPackages; [ + gateone pkgs.openssh pkgs.procps pkgs.coreutils pkgs.cacert]; + + users.users.gateone = { + description = "GateOne privilege separation user"; + uid = config.ids.uids.gateone; + home = cfg.settingsDir; + }; + users.groups.gateone.gid = config.ids.gids.gateone; + + systemd.services.gateone = with pkgs; { + description = "GateOne web-based terminal"; + path = [ pythonPackages.gateone nix openssh procps coreutils ]; + preStart = '' + if [ ! -d ${cfg.settingsDir} ] ; then + mkdir -m 0750 -p ${cfg.settingsDir} + chown -R gateone.gateone ${cfg.settingsDir} + fi + if [ ! -d ${cfg.pidDir} ] ; then + mkdir -m 0750 -p ${cfg.pidDir} + chown -R gateone.gateone ${cfg.pidDir} + fi + ''; + #unitConfig.RequiresMountsFor = "${cfg.settingsDir}"; + serviceConfig = { + ExecStart = ''${pythonPackages.gateone}/bin/gateone --settings_dir=${cfg.settingsDir} --pid_file=${cfg.pidDir}/gateone.pid --gid=${toString config.ids.gids.gateone} --uid=${toString config.ids.uids.gateone}''; + User = "gateone"; + Group = "gateone"; + WorkingDirectory = cfg.settingsDir; + }; + + wantedBy = [ "multi-user.target" ]; + requires = [ "network.target" ]; + }; +}; +} + diff --git a/nixos/modules/services/networking/gdomap.nix b/nixos/modules/services/networking/gdomap.nix new file mode 100644 index 00000000000..3d829cb6913 --- /dev/null +++ b/nixos/modules/services/networking/gdomap.nix @@ -0,0 +1,29 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + # + # interface + # + options = { + services.gdomap = { + enable = mkEnableOption "GNUstep Distributed Objects name server"; + }; + }; + + # + # implementation + # + config = mkIf config.services.gdomap.enable { + # NOTE: gdomap runs as root + # TODO: extra user for gdomap? + systemd.services.gdomap = { + description = "gdomap server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + path = [ pkgs.gnustep.base ]; + serviceConfig.ExecStart = "${pkgs.gnustep.base}/bin/gdomap -f"; + }; + }; +} diff --git a/nixos/modules/services/networking/ghostunnel.nix b/nixos/modules/services/networking/ghostunnel.nix new file mode 100644 index 00000000000..7a62d378e2c --- /dev/null +++ b/nixos/modules/services/networking/ghostunnel.nix @@ -0,0 +1,242 @@ +{ config, lib, pkgs, ... }: +let + inherit (lib) + attrValues + concatMap + concatStringsSep + escapeShellArg + literalExpression + mapAttrs' + mkDefault + mkEnableOption + mkIf + mkOption + nameValuePair + optional + types + ; + + mainCfg = config.services.ghostunnel; + + module = { config, name, ... }: + { + options = { + + listen = mkOption { + description = '' + Address and port to listen on (can be HOST:PORT, unix:PATH). + ''; + type = types.str; + }; + + target = mkOption { + description = '' + Address to forward connections to (can be HOST:PORT or unix:PATH). + ''; + type = types.str; + }; + + keystore = mkOption { + description = '' + Path to keystore (combined PEM with cert/key, or PKCS12 keystore). + + NB: storepass is not supported because it would expose credentials via <code>/proc/*/cmdline</code>. + + Specify this or <code>cert</code> and <code>key</code>. + ''; + type = types.nullOr types.str; + default = null; + }; + + cert = mkOption { + description = '' + Path to certificate (PEM with certificate chain). + + Not required if <code>keystore</code> is set. + ''; + type = types.nullOr types.str; + default = null; + }; + + key = mkOption { + description = '' + Path to certificate private key (PEM with private key). + + Not required if <code>keystore</code> is set. + ''; + type = types.nullOr types.str; + default = null; + }; + + cacert = mkOption { + description = '' + Path to CA bundle file (PEM/X509). Uses system trust store if <code>null</code>. + ''; + type = types.nullOr types.str; + }; + + disableAuthentication = mkOption { + description = '' + Disable client authentication, no client certificate will be required. + ''; + type = types.bool; + default = false; + }; + + allowAll = mkOption { + description = '' + If true, allow all clients, do not check client cert subject. + ''; + type = types.bool; + default = false; + }; + + allowCN = mkOption { + description = '' + Allow client if common name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + allowOU = mkOption { + description = '' + Allow client if organizational unit name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + allowDNS = mkOption { + description = '' + Allow client if DNS subject alternative name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + allowURI = mkOption { + description = '' + Allow client if URI subject alternative name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + extraArguments = mkOption { + description = "Extra arguments to pass to <code>ghostunnel server</code>"; + type = types.separatedString " "; + default = ""; + }; + + unsafeTarget = mkOption { + description = '' + If set, does not limit target to localhost, 127.0.0.1, [::1], or UNIX sockets. + + This is meant to protect against accidental unencrypted traffic on + untrusted networks. + ''; + type = types.bool; + default = false; + }; + + # Definitions to apply at the root of the NixOS configuration. + atRoot = mkOption { + internal = true; + }; + }; + + # Clients should not be authenticated with the public root certificates + # (afaict, it doesn't make sense), so we only provide that default when + # client cert auth is disabled. + config.cacert = mkIf config.disableAuthentication (mkDefault null); + + config.atRoot = { + assertions = [ + { message = '' + services.ghostunnel.servers.${name}: At least one access control flag is required. + Set at least one of: + - services.ghostunnel.servers.${name}.disableAuthentication + - services.ghostunnel.servers.${name}.allowAll + - services.ghostunnel.servers.${name}.allowCN + - services.ghostunnel.servers.${name}.allowOU + - services.ghostunnel.servers.${name}.allowDNS + - services.ghostunnel.servers.${name}.allowURI + ''; + assertion = config.disableAuthentication + || config.allowAll + || config.allowCN != [] + || config.allowOU != [] + || config.allowDNS != [] + || config.allowURI != [] + ; + } + ]; + + systemd.services."ghostunnel-server-${name}" = { + after = [ "network.target" ]; + wants = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Restart = "always"; + AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]; + DynamicUser = true; + LoadCredential = optional (config.keystore != null) "keystore:${config.keystore}" + ++ optional (config.cert != null) "cert:${config.cert}" + ++ optional (config.key != null) "key:${config.key}" + ++ optional (config.cacert != null) "cacert:${config.cacert}"; + }; + script = concatStringsSep " " ( + [ "${mainCfg.package}/bin/ghostunnel" ] + ++ optional (config.keystore != null) "--keystore=$CREDENTIALS_DIRECTORY/keystore" + ++ optional (config.cert != null) "--cert=$CREDENTIALS_DIRECTORY/cert" + ++ optional (config.key != null) "--key=$CREDENTIALS_DIRECTORY/key" + ++ optional (config.cacert != null) "--cacert=$CREDENTIALS_DIRECTORY/cacert" + ++ [ + "server" + "--listen ${config.listen}" + "--target ${config.target}" + ] ++ optional config.allowAll "--allow-all" + ++ map (v: "--allow-cn=${escapeShellArg v}") config.allowCN + ++ map (v: "--allow-ou=${escapeShellArg v}") config.allowOU + ++ map (v: "--allow-dns=${escapeShellArg v}") config.allowDNS + ++ map (v: "--allow-uri=${escapeShellArg v}") config.allowURI + ++ optional config.disableAuthentication "--disable-authentication" + ++ optional config.unsafeTarget "--unsafe-target" + ++ [ config.extraArguments ] + ); + }; + }; + }; + +in +{ + + options = { + services.ghostunnel.enable = mkEnableOption "ghostunnel"; + + services.ghostunnel.package = mkOption { + description = "The ghostunnel package to use."; + type = types.package; + default = pkgs.ghostunnel; + defaultText = literalExpression "pkgs.ghostunnel"; + }; + + services.ghostunnel.servers = mkOption { + description = '' + Server mode ghostunnels (TLS listener -> plain TCP/UNIX target) + ''; + type = types.attrsOf (types.submodule module); + default = {}; + }; + }; + + config = mkIf mainCfg.enable { + assertions = lib.mkMerge (map (v: v.atRoot.assertions) (attrValues mainCfg.servers)); + systemd = lib.mkMerge (map (v: v.atRoot.systemd) (attrValues mainCfg.servers)); + }; + + meta.maintainers = with lib.maintainers; [ + roberth + ]; +} diff --git a/nixos/modules/services/networking/git-daemon.nix b/nixos/modules/services/networking/git-daemon.nix new file mode 100644 index 00000000000..6be72505c21 --- /dev/null +++ b/nixos/modules/services/networking/git-daemon.nix @@ -0,0 +1,131 @@ +{ config, lib, pkgs, ... }: +with lib; +let + + cfg = config.services.gitDaemon; + +in +{ + + ###### interface + + options = { + services.gitDaemon = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable Git daemon, which allows public hosting of git repositories + without any access controls. This is mostly intended for read-only access. + + You can allow write access by setting daemon.receivepack configuration + item of the repository to true. This is solely meant for a closed LAN setting + where everybody is friendly. + + If you need any access controls, use something else. + ''; + }; + + basePath = mkOption { + type = types.str; + default = ""; + example = "/srv/git/"; + description = '' + Remap all the path requests as relative to the given path. For example, + if you set base-path to /srv/git, then if you later try to pull + git://example.com/hello.git, Git daemon will interpret the path as /srv/git/hello.git. + ''; + }; + + exportAll = mkOption { + type = types.bool; + default = false; + description = '' + Publish all directories that look like Git repositories (have the objects + and refs subdirectories), even if they do not have the git-daemon-export-ok file. + + If disabled, you need to touch .git/git-daemon-export-ok in each repository + you want the daemon to publish. + + Warning: enabling this without a repository whitelist or basePath + publishes every git repository you have. + ''; + }; + + repositories = mkOption { + type = types.listOf types.str; + default = []; + example = [ "/srv/git" "/home/user/git/repo2" ]; + description = '' + A whitelist of paths of git repositories, or directories containing repositories + all of which would be published. Paths must not end in "/". + + Warning: leaving this empty and enabling exportAll publishes all + repositories in your filesystem or basePath if specified. + ''; + }; + + listenAddress = mkOption { + type = types.str; + default = ""; + example = "example.com"; + description = "Listen on a specific IP address or hostname."; + }; + + port = mkOption { + type = types.port; + default = 9418; + description = "Port to listen on."; + }; + + options = mkOption { + type = types.str; + default = ""; + description = "Extra configuration options to be passed to Git daemon."; + }; + + user = mkOption { + type = types.str; + default = "git"; + description = "User under which Git daemon would be running."; + }; + + group = mkOption { + type = types.str; + default = "git"; + description = "Group under which Git daemon would be running."; + }; + + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + users.users = optionalAttrs (cfg.user == "git") { + git = { + uid = config.ids.uids.git; + group = "git"; + description = "Git daemon user"; + }; + }; + + users.groups = optionalAttrs (cfg.group == "git") { + git.gid = config.ids.gids.git; + }; + + systemd.services.git-daemon = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + script = "${pkgs.git}/bin/git daemon --reuseaddr " + + (optionalString (cfg.basePath != "") "--base-path=${cfg.basePath} ") + + (optionalString (cfg.listenAddress != "") "--listen=${cfg.listenAddress} ") + + "--port=${toString cfg.port} --user=${cfg.user} --group=${cfg.group} ${cfg.options} " + + "--verbose " + (optionalString cfg.exportAll "--export-all ") + concatStringsSep " " cfg.repositories; + }; + + }; + +} diff --git a/nixos/modules/services/networking/globalprotect-vpn.nix b/nixos/modules/services/networking/globalprotect-vpn.nix new file mode 100644 index 00000000000..976fdf2b962 --- /dev/null +++ b/nixos/modules/services/networking/globalprotect-vpn.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.globalprotect; + + execStart = if cfg.csdWrapper == null then + "${pkgs.globalprotect-openconnect}/bin/gpservice" + else + "${pkgs.globalprotect-openconnect}/bin/gpservice --csd-wrapper=${cfg.csdWrapper}"; +in + +{ + options.services.globalprotect = { + enable = mkEnableOption "globalprotect"; + + csdWrapper = mkOption { + description = '' + A script that will produce a Host Integrity Protection (HIP) report, + as described at <link xlink:href="https://www.infradead.org/openconnect/hip.html" /> + ''; + default = null; + example = literalExpression ''"''${pkgs.openconnect}/libexec/openconnect/hipreport.sh"''; + type = types.nullOr types.path; + }; + }; + + config = mkIf cfg.enable { + services.dbus.packages = [ pkgs.globalprotect-openconnect ]; + + systemd.services.gpservice = { + description = "GlobalProtect openconnect DBus service"; + serviceConfig = { + Type="dbus"; + BusName="com.yuezk.qt.GPService"; + ExecStart=execStart; + }; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + }; + }; +} diff --git a/nixos/modules/services/networking/gnunet.nix b/nixos/modules/services/networking/gnunet.nix new file mode 100644 index 00000000000..5c41967d279 --- /dev/null +++ b/nixos/modules/services/networking/gnunet.nix @@ -0,0 +1,170 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.gnunet; + + stateDir = "/var/lib/gnunet"; + + configFile = with cfg; + '' + [PATHS] + GNUNET_HOME = ${stateDir} + GNUNET_RUNTIME_DIR = /run/gnunet + GNUNET_USER_RUNTIME_DIR = /run/gnunet + GNUNET_DATA_HOME = ${stateDir}/data + + [ats] + WAN_QUOTA_IN = ${toString load.maxNetDownBandwidth} b + WAN_QUOTA_OUT = ${toString load.maxNetUpBandwidth} b + + [datastore] + QUOTA = ${toString fileSharing.quota} MB + + [transport-udp] + PORT = ${toString udp.port} + ADVERTISED_PORT = ${toString udp.port} + + [transport-tcp] + PORT = ${toString tcp.port} + ADVERTISED_PORT = ${toString tcp.port} + + ${extraOptions} + ''; + +in + +{ + + ###### interface + + options = { + + services.gnunet = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run the GNUnet daemon. GNUnet is GNU's anonymous + peer-to-peer communication and file sharing framework. + ''; + }; + + fileSharing = { + quota = mkOption { + type = types.int; + default = 1024; + description = '' + Maximum file system usage (in MiB) for file sharing. + ''; + }; + }; + + udp = { + port = mkOption { + type = types.port; + default = 2086; # assigned by IANA + description = '' + The UDP port for use by GNUnet. + ''; + }; + }; + + tcp = { + port = mkOption { + type = types.port; + default = 2086; # assigned by IANA + description = '' + The TCP port for use by GNUnet. + ''; + }; + }; + + load = { + maxNetDownBandwidth = mkOption { + type = types.int; + default = 50000; + description = '' + Maximum bandwidth usage (in bits per second) for GNUnet + when downloading data. + ''; + }; + + maxNetUpBandwidth = mkOption { + type = types.int; + default = 50000; + description = '' + Maximum bandwidth usage (in bits per second) for GNUnet + when downloading data. + ''; + }; + + hardNetUpBandwidth = mkOption { + type = types.int; + default = 0; + description = '' + Hard bandwidth limit (in bits per second) when uploading + data. + ''; + }; + }; + + package = mkOption { + type = types.package; + default = pkgs.gnunet; + defaultText = literalExpression "pkgs.gnunet"; + description = "Overridable attribute of the gnunet package to use."; + example = literalExpression "pkgs.gnunet_git"; + }; + + extraOptions = mkOption { + type = types.lines; + default = ""; + description = '' + Additional options that will be copied verbatim in `gnunet.conf'. + See `gnunet.conf(5)' for details. + ''; + }; + }; + + }; + + + ###### implementation + + config = mkIf config.services.gnunet.enable { + + users.users.gnunet = { + group = "gnunet"; + description = "GNUnet User"; + uid = config.ids.uids.gnunet; + }; + + users.groups.gnunet.gid = config.ids.gids.gnunet; + + # The user tools that talk to `gnunetd' should come from the same source, + # so install them globally. + environment.systemPackages = [ cfg.package ]; + + environment.etc."gnunet.conf".text = configFile; + + systemd.services.gnunet = { + description = "GNUnet"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ configFile ]; + path = [ cfg.package pkgs.miniupnpc ]; + serviceConfig.ExecStart = "${cfg.package}/lib/gnunet/libexec/gnunet-service-arm -c /etc/gnunet.conf"; + serviceConfig.User = "gnunet"; + serviceConfig.UMask = "0007"; + serviceConfig.WorkingDirectory = stateDir; + serviceConfig.RuntimeDirectory = "gnunet"; + serviceConfig.StateDirectory = "gnunet"; + }; + + }; + +} diff --git a/nixos/modules/services/networking/go-neb.nix b/nixos/modules/services/networking/go-neb.nix new file mode 100644 index 00000000000..765834fad83 --- /dev/null +++ b/nixos/modules/services/networking/go-neb.nix @@ -0,0 +1,79 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.go-neb; + + settingsFormat = pkgs.formats.yaml {}; + configFile = settingsFormat.generate "config.yaml" cfg.config; +in { + options.services.go-neb = { + enable = mkEnableOption "Extensible matrix bot written in Go"; + + bindAddress = mkOption { + type = types.str; + description = "Port (and optionally address) to listen on."; + default = ":4050"; + }; + + secretFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/go-neb.env"; + description = '' + Environment variables from this file will be interpolated into the + final config file using envsubst with this syntax: <literal>$ENVIRONMENT</literal> + or <literal>''${VARIABLE}</literal>. + The file should contain lines formatted as <literal>SECRET_VAR=SECRET_VALUE</literal>. + This is useful to avoid putting secrets into the nix store. + ''; + }; + + baseUrl = mkOption { + type = types.str; + description = "Public-facing endpoint that can receive webhooks."; + }; + + config = mkOption { + inherit (settingsFormat) type; + description = '' + Your <filename>config.yaml</filename> as a Nix attribute set. + See <link xlink:href="https://github.com/matrix-org/go-neb/blob/master/config.sample.yaml">config.sample.yaml</link> + for possible options. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.go-neb = let + finalConfigFile = if cfg.secretFile == null then configFile else "/var/run/go-neb/config.yaml"; + in { + description = "Extensible matrix bot written in Go"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = { + BASE_URL = cfg.baseUrl; + BIND_ADDRESS = cfg.bindAddress; + CONFIG_FILE = finalConfigFile; + }; + + serviceConfig = { + ExecStartPre = lib.optional (cfg.secretFile != null) + (pkgs.writeShellScript "pre-start" '' + umask 077 + export $(xargs < ${cfg.secretFile}) + ${pkgs.envsubst}/bin/envsubst -i "${configFile}" > ${finalConfigFile} + chown go-neb ${finalConfigFile} + ''); + PermissionsStartOnly = true; + RuntimeDirectory = "go-neb"; + ExecStart = "${pkgs.go-neb}/bin/go-neb"; + User = "go-neb"; + DynamicUser = true; + }; + }; + }; + + meta.maintainers = with maintainers; [ hexa maralorn ]; +} diff --git a/nixos/modules/services/networking/go-shadowsocks2.nix b/nixos/modules/services/networking/go-shadowsocks2.nix new file mode 100644 index 00000000000..afbd7ea27c6 --- /dev/null +++ b/nixos/modules/services/networking/go-shadowsocks2.nix @@ -0,0 +1,30 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.go-shadowsocks2.server; +in { + options.services.go-shadowsocks2.server = { + enable = mkEnableOption "go-shadowsocks2 server"; + + listenAddress = mkOption { + type = types.str; + description = "Server listen address or URL"; + example = "ss://AEAD_CHACHA20_POLY1305:your-password@:8488"; + }; + }; + + config = mkIf cfg.enable { + systemd.services.go-shadowsocks2-server = { + description = "go-shadowsocks2 server"; + + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = "${pkgs.go-shadowsocks2}/bin/go-shadowsocks2 -s '${cfg.listenAddress}'"; + DynamicUser = true; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/gobgpd.nix b/nixos/modules/services/networking/gobgpd.nix new file mode 100644 index 00000000000..29ef9a5cf1e --- /dev/null +++ b/nixos/modules/services/networking/gobgpd.nix @@ -0,0 +1,64 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.gobgpd; + format = pkgs.formats.toml { }; + confFile = format.generate "gobgpd.conf" cfg.settings; +in { + options.services.gobgpd = { + enable = mkEnableOption "GoBGP Routing Daemon"; + + settings = mkOption { + type = format.type; + default = { }; + description = '' + GoBGP configuration. Refer to + <link xlink:href="https://github.com/osrg/gobgp#documentation"/> + for details on supported values. + ''; + example = literalExpression '' + { + global = { + config = { + as = 64512; + router-id = "192.168.255.1"; + }; + }; + neighbors = [ + { + config = { + neighbor-address = "10.0.255.1"; + peer-as = 65001; + }; + } + { + config = { + neighbor-address = "10.0.255.2"; + peer-as = 65002; + }; + } + ]; + } + ''; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.gobgpd ]; + systemd.services.gobgpd = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "GoBGP Routing Daemon"; + serviceConfig = { + Type = "notify"; + ExecStartPre = "${pkgs.gobgpd}/bin/gobgpd -f ${confFile} -d"; + ExecStart = "${pkgs.gobgpd}/bin/gobgpd -f ${confFile} --sdnotify"; + ExecReload = "${pkgs.gobgpd}/bin/gobgpd -r"; + DynamicUser = true; + AmbientCapabilities = "cap_net_bind_service"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/gvpe.nix b/nixos/modules/services/networking/gvpe.nix new file mode 100644 index 00000000000..4fad37ba15e --- /dev/null +++ b/nixos/modules/services/networking/gvpe.nix @@ -0,0 +1,130 @@ +# GNU Virtual Private Ethernet + +{config, pkgs, lib, ...}: + +let + inherit (lib) mkOption mkIf types; + + cfg = config.services.gvpe; + + finalConfig = if cfg.configFile != null then + cfg.configFile + else if cfg.configText != null then + pkgs.writeTextFile { + name = "gvpe.conf"; + text = cfg.configText; + } + else + throw "You must either specify contents of the config file or the config file itself for GVPE"; + + ifupScript = if cfg.ipAddress == null || cfg.subnet == null then + throw "Specify IP address and subnet (with mask) for GVPE" + else if cfg.nodename == null then + throw "You must set node name for GVPE" + else + (pkgs.writeTextFile { + name = "gvpe-if-up"; + text = '' + #! /bin/sh + + export PATH=$PATH:${pkgs.iproute2}/sbin + + ip link set $IFNAME up + ip address add ${cfg.ipAddress} dev $IFNAME + ip route add ${cfg.subnet} dev $IFNAME + + ${cfg.customIFSetup} + ''; + executable = true; + }); +in + +{ + options = { + services.gvpe = { + enable = lib.mkEnableOption "gvpe"; + + nodename = mkOption { + default = null; + type = types.nullOr types.str; + description ='' + GVPE node name + ''; + }; + configText = mkOption { + default = null; + type = types.nullOr types.lines; + example = '' + tcp-port = 655 + udp-port = 655 + mtu = 1480 + ifname = vpn0 + + node = alpha + hostname = alpha.example.org + connect = always + enable-udp = true + enable-tcp = true + on alpha if-up = if-up-0 + on alpha pid-file = /var/gvpe/gvpe.pid + ''; + description = '' + GVPE config contents + ''; + }; + configFile = mkOption { + default = null; + type = types.nullOr types.path; + example = "/root/my-gvpe-conf"; + description = '' + GVPE config file, if already present + ''; + }; + ipAddress = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + IP address to assign to GVPE interface + ''; + }; + subnet = mkOption { + default = null; + type = types.nullOr types.str; + example = "10.0.0.0/8"; + description = '' + IP subnet assigned to GVPE network + ''; + }; + customIFSetup = mkOption { + default = ""; + type = types.lines; + description = '' + Additional commands to apply in ifup script + ''; + }; + }; + }; + config = mkIf cfg.enable { + systemd.services.gvpe = { + description = "GNU Virtual Private Ethernet node"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + preStart = '' + mkdir -p /var/gvpe + mkdir -p /var/gvpe/pubkey + chown root /var/gvpe + chmod 700 /var/gvpe + cp ${finalConfig} /var/gvpe/gvpe.conf + cp ${ifupScript} /var/gvpe/if-up + ''; + + script = "${pkgs.gvpe}/sbin/gvpe -c /var/gvpe -D ${cfg.nodename} " + + " ${cfg.nodename}.pid-file=/var/gvpe/gvpe.pid" + + " ${cfg.nodename}.if-up=if-up" + + " &> /var/log/gvpe"; + + serviceConfig.Restart = "always"; + }; + }; +} diff --git a/nixos/modules/services/networking/hans.nix b/nixos/modules/services/networking/hans.nix new file mode 100644 index 00000000000..2639b4b6800 --- /dev/null +++ b/nixos/modules/services/networking/hans.nix @@ -0,0 +1,145 @@ +# NixOS module for hans, ip over icmp daemon + +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.hans; + + hansUser = "hans"; + +in +{ + + ### configuration + + options = { + + services.hans = { + clients = mkOption { + default = {}; + description = '' + Each attribute of this option defines a systemd service that + runs hans. Many or none may be defined. + The name of each service is + <literal>hans-<replaceable>name</replaceable></literal> + where <replaceable>name</replaceable> is the name of the + corresponding attribute name. + ''; + example = literalExpression '' + { + foo = { + server = "192.0.2.1"; + extraConfig = "-v"; + } + } + ''; + type = types.attrsOf (types.submodule ( + { + options = { + server = mkOption { + type = types.str; + default = ""; + description = "IP address of server running hans"; + example = "192.0.2.1"; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + description = "Additional command line parameters"; + example = "-v"; + }; + + passwordFile = mkOption { + type = types.str; + default = ""; + description = "File that containts password"; + }; + + }; + })); + }; + + server = { + enable = mkOption { + type = types.bool; + default = false; + description = "enable hans server"; + }; + + ip = mkOption { + type = types.str; + default = ""; + description = "The assigned ip range"; + example = "198.51.100.0"; + }; + + respondToSystemPings = mkOption { + type = types.bool; + default = false; + description = "Force hans respond to ordinary pings"; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + description = "Additional command line parameters"; + example = "-v"; + }; + + passwordFile = mkOption { + type = types.str; + default = ""; + description = "File that containts password"; + }; + }; + + }; + }; + + ### implementation + + config = mkIf (cfg.server.enable || cfg.clients != {}) { + boot.kernel.sysctl = optionalAttrs cfg.server.respondToSystemPings { + "net.ipv4.icmp_echo_ignore_all" = 1; + }; + + boot.kernelModules = [ "tun" ]; + + systemd.services = + let + createHansClientService = name: cfg: + { + description = "hans client - ${name}"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + script = "${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.extraConfig} -c ${cfg.server} ${optionalString (cfg.passwordFile != "") "-p $(cat \"${cfg.passwordFile}\")"}"; + serviceConfig = { + RestartSec = "30s"; + Restart = "always"; + }; + }; + in + listToAttrs ( + mapAttrsToList + (name: value: nameValuePair "hans-${name}" (createHansClientService name value)) + cfg.clients + ) // { + hans = mkIf (cfg.server.enable) { + description = "hans, ip over icmp server daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + script = "${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.server.extraConfig} -s ${cfg.server.ip} ${optionalString cfg.server.respondToSystemPings "-r"} ${optionalString (cfg.server.passwordFile != "") "-p $(cat \"${cfg.server.passwordFile}\")"}"; + }; + }; + + users.users.${hansUser} = { + description = "Hans daemon user"; + isSystemUser = true; + }; + }; + + meta.maintainers = with maintainers; [ ]; +} diff --git a/nixos/modules/services/networking/haproxy.nix b/nixos/modules/services/networking/haproxy.nix new file mode 100644 index 00000000000..e9d72b35499 --- /dev/null +++ b/nixos/modules/services/networking/haproxy.nix @@ -0,0 +1,112 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.haproxy; + + haproxyCfg = pkgs.writeText "haproxy.conf" '' + global + # needed for hot-reload to work without dropping packets in multi-worker mode + stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level user + + ${cfg.config} + ''; + +in +with lib; +{ + options = { + services.haproxy = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable HAProxy, the reliable, high performance TCP/HTTP + load balancer. + ''; + }; + + user = mkOption { + type = types.str; + default = "haproxy"; + description = "User account under which haproxy runs."; + }; + + group = mkOption { + type = types.str; + default = "haproxy"; + description = "Group account under which haproxy runs."; + }; + + config = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Contents of the HAProxy configuration file, + <filename>haproxy.conf</filename>. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + + assertions = [{ + assertion = cfg.config != null; + message = "You must provide services.haproxy.config."; + }]; + + # configuration file indirection is needed to support reloading + environment.etc."haproxy.cfg".source = haproxyCfg; + + systemd.services.haproxy = { + description = "HAProxy"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Type = "notify"; + ExecStartPre = [ + # when the master process receives USR2, it reloads itself using exec(argv[0]), + # so we create a symlink there and update it before reloading + "${pkgs.coreutils}/bin/ln -sf ${pkgs.haproxy}/sbin/haproxy /run/haproxy/haproxy" + # when running the config test, don't be quiet so we can see what goes wrong + "/run/haproxy/haproxy -c -f ${haproxyCfg}" + ]; + ExecStart = "/run/haproxy/haproxy -Ws -f /etc/haproxy.cfg -p /run/haproxy/haproxy.pid"; + # support reloading + ExecReload = [ + "${pkgs.haproxy}/sbin/haproxy -c -f ${haproxyCfg}" + "${pkgs.coreutils}/bin/ln -sf ${pkgs.haproxy}/sbin/haproxy /run/haproxy/haproxy" + "${pkgs.coreutils}/bin/kill -USR2 $MAINPID" + ]; + KillMode = "mixed"; + SuccessExitStatus = "143"; + Restart = "always"; + RuntimeDirectory = "haproxy"; + # upstream hardening options + NoNewPrivileges = true; + ProtectHome = true; + ProtectSystem = "strict"; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + SystemCallFilter= "~@cpu-emulation @keyring @module @obsolete @raw-io @reboot @swap @sync"; + # needed in case we bind to port < 1024 + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + }; + }; + + users.users = optionalAttrs (cfg.user == "haproxy") { + haproxy = { + group = cfg.group; + isSystemUser = true; + }; + }; + + users.groups = optionalAttrs (cfg.group == "haproxy") { + haproxy = {}; + }; + }; +} diff --git a/nixos/modules/services/networking/headscale.nix b/nixos/modules/services/networking/headscale.nix new file mode 100644 index 00000000000..091d2a938cd --- /dev/null +++ b/nixos/modules/services/networking/headscale.nix @@ -0,0 +1,490 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.headscale; + + dataDir = "/var/lib/headscale"; + runDir = "/run/headscale"; + + settingsFormat = pkgs.formats.yaml { }; + configFile = settingsFormat.generate "headscale.yaml" cfg.settings; +in +{ + options = { + services.headscale = { + enable = mkEnableOption "headscale, Open Source coordination server for Tailscale"; + + package = mkOption { + type = types.package; + default = pkgs.headscale; + defaultText = literalExpression "pkgs.headscale"; + description = '' + Which headscale package to use for the running server. + ''; + }; + + user = mkOption { + default = "headscale"; + type = types.str; + description = '' + User account under which headscale runs. + <note><para> + If left as the default value this user will automatically be created + on system activation, otherwise you are responsible for + ensuring the user exists before the headscale service starts. + </para></note> + ''; + }; + + group = mkOption { + default = "headscale"; + type = types.str; + description = '' + Group under which headscale runs. + <note><para> + If left as the default value this group will automatically be created + on system activation, otherwise you are responsible for + ensuring the user exists before the headscale service starts. + </para></note> + ''; + }; + + serverUrl = mkOption { + type = types.str; + default = "http://127.0.0.1:8080"; + description = '' + The url clients will connect to. + ''; + example = "https://myheadscale.example.com:443"; + }; + + address = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + Listening address of headscale. + ''; + example = "0.0.0.0"; + }; + + port = mkOption { + type = types.port; + default = 8080; + description = '' + Listening port of headscale. + ''; + example = 443; + }; + + privateKeyFile = mkOption { + type = types.path; + default = "${dataDir}/private.key"; + description = '' + Path to private key file, generated automatically if it does not exist. + ''; + }; + + derp = { + urls = mkOption { + type = types.listOf types.str; + default = [ "https://controlplane.tailscale.com/derpmap/default" ]; + description = '' + List of urls containing DERP maps. + See <link xlink:href="https://tailscale.com/blog/how-tailscale-works/">How Tailscale works</link> for more information on DERP maps. + ''; + }; + + paths = mkOption { + type = types.listOf types.path; + default = [ ]; + description = '' + List of file paths containing DERP maps. + See <link xlink:href="https://tailscale.com/blog/how-tailscale-works/">How Tailscale works</link> for more information on DERP maps. + ''; + }; + + + autoUpdate = mkOption { + type = types.bool; + default = true; + description = '' + Whether to automatically update DERP maps on a set frequency. + ''; + example = false; + }; + + updateFrequency = mkOption { + type = types.str; + default = "24h"; + description = '' + Frequency to update DERP maps. + ''; + example = "5m"; + }; + + }; + + ephemeralNodeInactivityTimeout = mkOption { + type = types.str; + default = "30m"; + description = '' + Time before an inactive ephemeral node is deleted. + ''; + example = "5m"; + }; + + database = { + type = mkOption { + type = types.enum [ "sqlite3" "postgres" ]; + example = "postgres"; + default = "sqlite3"; + description = "Database engine to use."; + }; + + host = mkOption { + type = types.nullOr types.str; + default = null; + example = "127.0.0.1"; + description = "Database host address."; + }; + + port = mkOption { + type = types.nullOr types.port; + default = null; + example = 3306; + description = "Database host port."; + }; + + name = mkOption { + type = types.nullOr types.str; + default = null; + example = "headscale"; + description = "Database name."; + }; + + user = mkOption { + type = types.nullOr types.str; + default = null; + example = "headscale"; + description = "Database user."; + }; + + passwordFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/headscale-dbpassword"; + description = '' + A file containing the password corresponding to + <option>database.user</option>. + ''; + }; + + path = mkOption { + type = types.nullOr types.str; + default = "${dataDir}/db.sqlite"; + description = "Path to the sqlite3 database file."; + }; + }; + + logLevel = mkOption { + type = types.str; + default = "info"; + description = '' + headscale log level. + ''; + example = "debug"; + }; + + dns = { + nameservers = mkOption { + type = types.listOf types.str; + default = [ "1.1.1.1" ]; + description = '' + List of nameservers to pass to Tailscale clients. + ''; + }; + + domains = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + Search domains to inject to Tailscale clients. + ''; + example = [ "mydomain.internal" ]; + }; + + magicDns = mkOption { + type = types.bool; + default = true; + description = '' + Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). + Only works if there is at least a nameserver defined. + ''; + example = false; + }; + + baseDomain = mkOption { + type = types.str; + default = ""; + description = '' + Defines the base domain to create the hostnames for MagicDNS. + <option>baseDomain</option> must be a FQDNs, without the trailing dot. + The FQDN of the hosts will be + <literal>hostname.namespace.base_domain</literal> (e.g. + <literal>myhost.mynamespace.example.com</literal>). + ''; + }; + }; + + openIdConnect = { + issuer = mkOption { + type = types.str; + default = ""; + description = '' + URL to OpenID issuer. + ''; + example = "https://openid.example.com"; + }; + + clientId = mkOption { + type = types.str; + default = ""; + description = '' + OpenID Connect client ID. + ''; + }; + + clientSecretFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to OpenID Connect client secret file. + ''; + }; + + domainMap = mkOption { + type = types.attrsOf types.str; + default = { }; + description = '' + Domain map is used to map incomming users (by their email) to + a namespace. The key can be a string, or regex. + ''; + example = { + ".*" = "default-namespace"; + }; + }; + + }; + + tls = { + letsencrypt = { + hostname = mkOption { + type = types.nullOr types.str; + default = ""; + description = '' + Domain name to request a TLS certificate for. + ''; + }; + challengeType = mkOption { + type = types.enum [ "TLS_ALPN-01" "HTTP-01" ]; + default = "HTTP-01"; + description = '' + Type of ACME challenge to use, currently supported types: + <literal>HTTP-01</literal> or <literal>TLS_ALPN-01</literal>. + ''; + }; + httpListen = mkOption { + type = types.nullOr types.str; + default = ":http"; + description = '' + When HTTP-01 challenge is chosen, letsencrypt must set up a + verification endpoint, and it will be listening on: + <literal>:http = port 80</literal>. + ''; + }; + }; + + certFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to already created certificate. + ''; + }; + keyFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to key for already created certificate. + ''; + }; + }; + + aclPolicyFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to a file containg ACL policies. + ''; + }; + + settings = mkOption { + type = settingsFormat.type; + default = { }; + description = '' + Overrides to <filename>config.yaml</filename> as a Nix attribute set. + This option is ideal for overriding settings not exposed as Nix options. + Check the <link xlink:href="https://github.com/juanfont/headscale/blob/main/config-example.yaml">example config</link> + for possible options. + ''; + }; + + + }; + + }; + config = mkIf cfg.enable { + + services.headscale.settings = { + server_url = mkDefault cfg.serverUrl; + listen_addr = mkDefault "${cfg.address}:${toString cfg.port}"; + + private_key_path = mkDefault cfg.privateKeyFile; + + derp = { + urls = mkDefault cfg.derp.urls; + paths = mkDefault cfg.derp.paths; + auto_update_enable = mkDefault cfg.derp.autoUpdate; + update_frequency = mkDefault cfg.derp.updateFrequency; + }; + + # Turn off update checks since the origin of our package + # is nixpkgs and not Github. + disable_check_updates = true; + + ephemeral_node_inactivity_timeout = mkDefault cfg.ephemeralNodeInactivityTimeout; + + db_type = mkDefault cfg.database.type; + db_path = mkDefault cfg.database.path; + + log_level = mkDefault cfg.logLevel; + + dns_config = { + nameservers = mkDefault cfg.dns.nameservers; + domains = mkDefault cfg.dns.domains; + magic_dns = mkDefault cfg.dns.magicDns; + base_domain = mkDefault cfg.dns.baseDomain; + }; + + unix_socket = "${runDir}/headscale.sock"; + + # OpenID Connect + oidc = { + issuer = mkDefault cfg.openIdConnect.issuer; + client_id = mkDefault cfg.openIdConnect.clientId; + domain_map = mkDefault cfg.openIdConnect.domainMap; + }; + + tls_letsencrypt_cache_dir = "${dataDir}/.cache"; + + } // optionalAttrs (cfg.database.host != null) { + db_host = mkDefault cfg.database.host; + } // optionalAttrs (cfg.database.port != null) { + db_port = mkDefault cfg.database.port; + } // optionalAttrs (cfg.database.name != null) { + db_name = mkDefault cfg.database.name; + } // optionalAttrs (cfg.database.user != null) { + db_user = mkDefault cfg.database.user; + } // optionalAttrs (cfg.tls.letsencrypt.hostname != null) { + tls_letsencrypt_hostname = mkDefault cfg.tls.letsencrypt.hostname; + } // optionalAttrs (cfg.tls.letsencrypt.challengeType != null) { + tls_letsencrypt_challenge_type = mkDefault cfg.tls.letsencrypt.challengeType; + } // optionalAttrs (cfg.tls.letsencrypt.httpListen != null) { + tls_letsencrypt_listen = mkDefault cfg.tls.letsencrypt.httpListen; + } // optionalAttrs (cfg.tls.certFile != null) { + tls_cert_path = mkDefault cfg.tls.certFile; + } // optionalAttrs (cfg.tls.keyFile != null) { + tls_key_path = mkDefault cfg.tls.keyFile; + } // optionalAttrs (cfg.aclPolicyFile != null) { + acl_policy_path = mkDefault cfg.aclPolicyFile; + }; + + # Setup the headscale configuration in a known path in /etc to + # allow both the Server and the Client use it to find the socket + # for communication. + environment.etc."headscale/config.yaml".source = configFile; + + users.groups.headscale = mkIf (cfg.group == "headscale") { }; + + users.users.headscale = mkIf (cfg.user == "headscale") { + description = "headscale user"; + home = dataDir; + group = cfg.group; + isSystemUser = true; + }; + + systemd.services.headscale = { + description = "headscale coordination server for Tailscale"; + after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ configFile ]; + + script = '' + ${optionalString (cfg.database.passwordFile != null) '' + export HEADSCALE_DB_PASS="$(head -n1 ${escapeShellArg cfg.database.passwordFile})" + ''} + + export HEADSCALE_OIDC_CLIENT_SECRET="$(head -n1 ${escapeShellArg cfg.openIdConnect.clientSecretFile})" + exec ${cfg.package}/bin/headscale serve + ''; + + serviceConfig = + let + capabilityBoundingSet = [ "CAP_CHOWN" ] ++ optional (cfg.port < 1024) "CAP_NET_BIND_SERVICE"; + in + { + Restart = "always"; + Type = "simple"; + User = cfg.user; + Group = cfg.group; + + # Hardening options + RuntimeDirectory = "headscale"; + # Allow headscale group access so users can be added and use the CLI. + RuntimeDirectoryMode = "0750"; + + StateDirectory = "headscale"; + StateDirectoryMode = "0750"; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectHostname = true; + ProtectClock = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RestrictNamespaces = true; + RemoveIPC = true; + UMask = "0077"; + + CapabilityBoundingSet = capabilityBoundingSet; + AmbientCapabilities = capabilityBoundingSet; + NoNewPrivileges = true; + LockPersonality = true; + RestrictRealtime = true; + SystemCallFilter = [ "@system-service" "~@priviledged" "@chown" ]; + SystemCallArchitectures = "native"; + RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX"; + }; + }; + }; + + meta.maintainers = with maintainers; [ kradalby ]; +} diff --git a/nixos/modules/services/networking/helpers.nix b/nixos/modules/services/networking/helpers.nix new file mode 100644 index 00000000000..d7d42de0e3a --- /dev/null +++ b/nixos/modules/services/networking/helpers.nix @@ -0,0 +1,11 @@ +{ config, lib, ... }: '' + # Helper command to manipulate both the IPv4 and IPv6 tables. + ip46tables() { + iptables -w "$@" + ${ + lib.optionalString config.networking.enableIPv6 '' + ip6tables -w "$@" + '' + } + } +'' diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix new file mode 100644 index 00000000000..f719ff59cc7 --- /dev/null +++ b/nixos/modules/services/networking/hostapd.nix @@ -0,0 +1,219 @@ +{ config, lib, pkgs, utils, ... }: + +# TODO: +# +# asserts +# ensure that the nl80211 module is loaded/compiled in the kernel +# wpa_supplicant and hostapd on the same wireless interface doesn't make any sense + +with lib; + +let + + cfg = config.services.hostapd; + + escapedInterface = utils.escapeSystemdPath cfg.interface; + + configFile = pkgs.writeText "hostapd.conf" '' + interface=${cfg.interface} + driver=${cfg.driver} + ssid=${cfg.ssid} + hw_mode=${cfg.hwMode} + channel=${toString cfg.channel} + ${optionalString (cfg.countryCode != null) "country_code=${cfg.countryCode}"} + ${optionalString (cfg.countryCode != null) "ieee80211d=1"} + + # logging (debug level) + logger_syslog=-1 + logger_syslog_level=${toString cfg.logLevel} + logger_stdout=-1 + logger_stdout_level=${toString cfg.logLevel} + + ctrl_interface=/run/hostapd + ctrl_interface_group=${cfg.group} + + ${optionalString cfg.wpa '' + wpa=2 + wpa_passphrase=${cfg.wpaPassphrase} + ''} + ${optionalString cfg.noScan "noscan=1"} + + ${cfg.extraConfig} + '' ; + +in + +{ + ###### interface + + options = { + + services.hostapd = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable putting a wireless interface into infrastructure mode, + allowing other wireless devices to associate with the wireless + interface and do wireless networking. A simple access point will + <option>enable hostapd.wpa</option>, + <option>hostapd.wpaPassphrase</option>, and + <option>hostapd.ssid</option>, as well as DHCP on the wireless + interface to provide IP addresses to the associated stations, and + NAT (from the wireless interface to an upstream interface). + ''; + }; + + interface = mkOption { + default = ""; + example = "wlp2s0"; + type = types.str; + description = '' + The interfaces <command>hostapd</command> will use. + ''; + }; + + noScan = mkOption { + type = types.bool; + default = false; + description = '' + Do not scan for overlapping BSSs in HT40+/- mode. + Caution: turning this on will violate regulatory requirements! + ''; + }; + + driver = mkOption { + default = "nl80211"; + example = "hostapd"; + type = types.str; + description = '' + Which driver <command>hostapd</command> will use. + Most applications will probably use the default. + ''; + }; + + ssid = mkOption { + default = "nixos"; + example = "mySpecialSSID"; + type = types.str; + description = "SSID to be used in IEEE 802.11 management frames."; + }; + + hwMode = mkOption { + default = "g"; + type = types.enum [ "a" "b" "g" ]; + description = '' + Operation mode. + (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g). + ''; + }; + + channel = mkOption { + default = 7; + example = 11; + type = types.int; + description = '' + Channel number (IEEE 802.11) + Please note that some drivers do not use this value from + <command>hostapd</command> and the channel will need to be configured + separately with <command>iwconfig</command>. + ''; + }; + + group = mkOption { + default = "wheel"; + example = "network"; + type = types.str; + description = '' + Members of this group can control <command>hostapd</command>. + ''; + }; + + wpa = mkOption { + type = types.bool; + default = true; + description = '' + Enable WPA (IEEE 802.11i/D3.0) to authenticate with the access point. + ''; + }; + + wpaPassphrase = mkOption { + default = "my_sekret"; + example = "any_64_char_string"; + type = types.str; + description = '' + WPA-PSK (pre-shared-key) passphrase. Clients will need this + passphrase to associate with this access point. + Warning: This passphrase will get put into a world-readable file in + the Nix store! + ''; + }; + + logLevel = mkOption { + default = 2; + type = types.int; + description = '' + Levels (minimum value for logged events): + 0 = verbose debugging + 1 = debugging + 2 = informational messages + 3 = notification + 4 = warning + ''; + }; + + countryCode = mkOption { + default = null; + example = "US"; + type = with types; nullOr str; + description = '' + Country code (ISO/IEC 3166-1). Used to set regulatory domain. + Set as needed to indicate country in which device is operating. + This can limit available channels and transmit power. + These two octets are used as the first two octets of the Country String + (dot11CountryString). + If set this enables IEEE 802.11d. This advertises the countryCode and + the set of allowed channels and transmit power levels based on the + regulatory limits. + ''; + }; + + extraConfig = mkOption { + default = ""; + example = '' + auth_algo=0 + ieee80211n=1 + ht_capab=[HT40-][SHORT-GI-40][DSSS_CCK-40] + ''; + type = types.lines; + description = "Extra configuration options to put in hostapd.conf."; + }; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.hostapd ]; + + services.udev.packages = optional (cfg.countryCode != null) [ pkgs.crda ]; + + systemd.services.hostapd = + { description = "hostapd wireless AP"; + + path = [ pkgs.hostapd ]; + after = [ "sys-subsystem-net-devices-${escapedInterface}.device" ]; + bindsTo = [ "sys-subsystem-net-devices-${escapedInterface}.device" ]; + requiredBy = [ "network-link-${cfg.interface}.service" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = + { ExecStart = "${pkgs.hostapd}/bin/hostapd ${configFile}"; + Restart = "always"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/htpdate.nix b/nixos/modules/services/networking/htpdate.nix new file mode 100644 index 00000000000..6954e5b060c --- /dev/null +++ b/nixos/modules/services/networking/htpdate.nix @@ -0,0 +1,80 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + inherit (pkgs) htpdate; + + cfg = config.services.htpdate; +in + +{ + + ###### interface + + options = { + + services.htpdate = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable htpdate daemon. + ''; + }; + + extraOptions = mkOption { + type = types.str; + default = ""; + description = '' + Additional command line arguments to pass to htpdate. + ''; + }; + + servers = mkOption { + type = types.listOf types.str; + default = [ "www.google.com" ]; + description = '' + HTTP servers to use for time synchronization. + ''; + }; + + proxy = mkOption { + type = types.str; + default = ""; + example = "127.0.0.1:8118"; + description = '' + HTTP proxy used for requests. + ''; + }; + + }; + + }; + + ###### implementation + + config = mkIf cfg.enable { + + systemd.services.htpdate = { + description = "htpdate daemon"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "forking"; + PIDFile = "/run/htpdate.pid"; + ExecStart = concatStringsSep " " [ + "${htpdate}/bin/htpdate" + "-D -u nobody" + "-a -s" + "-l" + "${optionalString (cfg.proxy != "") "-P ${cfg.proxy}"}" + "${cfg.extraOptions}" + "${concatStringsSep " " cfg.servers}" + ]; + }; + }; + + }; + +} diff --git a/nixos/modules/services/networking/hylafax/default.nix b/nixos/modules/services/networking/hylafax/default.nix new file mode 100644 index 00000000000..d8ffa3fc04d --- /dev/null +++ b/nixos/modules/services/networking/hylafax/default.nix @@ -0,0 +1,31 @@ +{ config, lib, pkgs, ... }: + +{ + + imports = [ + ./options.nix + ./systemd.nix + ]; + + config = lib.modules.mkIf config.services.hylafax.enable { + environment.systemPackages = [ pkgs.hylafaxplus ]; + users.users.uucp = { + uid = config.ids.uids.uucp; + group = "uucp"; + description = "Unix-to-Unix CoPy system"; + isSystemUser = true; + inherit (config.users.users.nobody) home; + }; + assertions = [{ + assertion = config.services.hylafax.modems != {}; + message = '' + HylaFAX cannot be used without modems. + Please define at least one modem with + <option>config.services.hylafax.modems</option>. + ''; + }]; + }; + + meta.maintainers = [ lib.maintainers.yarny ]; + +} diff --git a/nixos/modules/services/networking/hylafax/faxq-default.nix b/nixos/modules/services/networking/hylafax/faxq-default.nix new file mode 100644 index 00000000000..9b634650cf7 --- /dev/null +++ b/nixos/modules/services/networking/hylafax/faxq-default.nix @@ -0,0 +1,12 @@ +{ ... }: + +# see man:hylafax-config(5) + +{ + + ModemGroup = [ ''"any:0:.*"'' ]; + ServerTracing = "0x78701"; + SessionTracing = "0x78701"; + UUCPLockDir = "/var/lock"; + +} diff --git a/nixos/modules/services/networking/hylafax/faxq-wait.sh b/nixos/modules/services/networking/hylafax/faxq-wait.sh new file mode 100755 index 00000000000..1826aa30e62 --- /dev/null +++ b/nixos/modules/services/networking/hylafax/faxq-wait.sh @@ -0,0 +1,29 @@ +#! @runtimeShell@ -e + +# skip this if there are no modems at all +if ! stat -t "@spoolAreaPath@"/etc/config.* >/dev/null 2>&1 +then + exit 0 +fi + +echo "faxq started, waiting for modem(s) to initialize..." + +for i in `seq @timeoutSec@0 -1 0` # gracefully timeout +do + sleep 0.1 + # done if status files exist, but don't mention initialization + if \ + stat -t "@spoolAreaPath@"/status/* >/dev/null 2>&1 \ + && \ + ! grep --silent --ignore-case 'initializing server' \ + "@spoolAreaPath@"/status/* + then + echo "modem(s) apparently ready" + exit 0 + fi + # if i reached 0, modems probably failed to initialize + if test $i -eq 0 + then + echo "warning: modem initialization timed out" + fi +done diff --git a/nixos/modules/services/networking/hylafax/hfaxd-default.nix b/nixos/modules/services/networking/hylafax/hfaxd-default.nix new file mode 100644 index 00000000000..8999dae57f4 --- /dev/null +++ b/nixos/modules/services/networking/hylafax/hfaxd-default.nix @@ -0,0 +1,10 @@ +{ ... }: + +# see man:hfaxd(8) + +{ + + ServerTracing = "0x91"; + XferLogFile = "/clientlog"; + +} diff --git a/nixos/modules/services/networking/hylafax/modem-default.nix b/nixos/modules/services/networking/hylafax/modem-default.nix new file mode 100644 index 00000000000..707b8209282 --- /dev/null +++ b/nixos/modules/services/networking/hylafax/modem-default.nix @@ -0,0 +1,22 @@ +{ pkgs, ... }: + +# see man:hylafax-config(5) + +{ + + TagLineFont = "etc/LiberationSans-25.pcf"; + TagLineLocale = "en_US.UTF-8"; + + AdminGroup = "root"; # groups that can change server config + AnswerRotary = "fax"; # don't accept anything else but faxes + LogFileMode = "0640"; + PriorityScheduling = true; + RecvFileMode = "0640"; + ServerTracing = "0x78701"; + SessionTracing = "0x78701"; + UUCPLockDir = "/var/lock"; + + SendPageCmd = "${pkgs.coreutils}/bin/false"; # prevent pager transmit + SendUUCPCmd = "${pkgs.coreutils}/bin/false"; # prevent UUCP transmit + +} diff --git a/nixos/modules/services/networking/hylafax/options.nix b/nixos/modules/services/networking/hylafax/options.nix new file mode 100644 index 00000000000..8f621b61002 --- /dev/null +++ b/nixos/modules/services/networking/hylafax/options.nix @@ -0,0 +1,372 @@ +{ config, lib, pkgs, ... }: + +let + + inherit (lib.options) literalExpression mkEnableOption mkOption; + inherit (lib.types) bool enum ints lines attrsOf nonEmptyStr nullOr path str submodule; + inherit (lib.modules) mkDefault mkIf mkMerge; + + commonDescr = '' + Values can be either strings or integers + (which will be added to the config file verbatimly) + or lists thereof + (which will be translated to multiple + lines with the same configuration key). + Boolean values are translated to "Yes" or "No". + The default contains some reasonable + configuration to yield an operational system. + ''; + + configAttrType = + # Options in HylaFAX configuration files can be + # booleans, strings, integers, or list thereof + # representing multiple config directives with the same key. + # This type definition resolves all + # those types into a list of strings. + let + inherit (lib.types) attrsOf coercedTo int listOf; + innerType = coercedTo bool (x: if x then "Yes" else "No") + (coercedTo int (toString) str); + in + attrsOf (coercedTo innerType lib.singleton (listOf innerType)); + + cfg = config.services.hylafax; + + modemConfigOptions = { name, config, ... }: { + options = { + name = mkOption { + type = nonEmptyStr; + example = "ttyS1"; + description = '' + Name of modem device, + will be searched for in <filename>/dev</filename>. + ''; + }; + type = mkOption { + type = nonEmptyStr; + example = "cirrus"; + description = '' + Name of modem configuration file, + will be searched for in <filename>config</filename> + in the spooling area directory. + ''; + }; + config = mkOption { + type = configAttrType; + example = { + AreaCode = "49"; + LocalCode = "30"; + FAXNumber = "123456"; + LocalIdentifier = "LostInBerlin"; + }; + description = '' + Attribute set of values for the given modem. + ${commonDescr} + Options defined here override options in + <option>commonModemConfig</option> for this modem. + ''; + }; + }; + config.name = mkDefault name; + config.config.Include = [ "config/${config.type}" ]; + }; + + defaultConfig = + let + inherit (config.security) wrapperDir; + inherit (config.services.mail.sendmailSetuidWrapper) program; + mkIfDefault = cond: value: mkIf cond (mkDefault value); + noWrapper = config.services.mail.sendmailSetuidWrapper==null; + # If a sendmail setuid wrapper exists, + # we add the path to the default configuration file. + # Otherwise, we use `false` to provoke + # an error if hylafax tries to use it. + c.sendmailPath = mkMerge [ + (mkIfDefault noWrapper "${pkgs.coreutils}/bin/false") + (mkIfDefault (!noWrapper) "${wrapperDir}/${program}") + ]; + importDefaultConfig = file: + lib.attrsets.mapAttrs + (lib.trivial.const mkDefault) + (import file { inherit pkgs; }); + c.commonModemConfig = importDefaultConfig ./modem-default.nix; + c.faxqConfig = importDefaultConfig ./faxq-default.nix; + c.hfaxdConfig = importDefaultConfig ./hfaxd-default.nix; + in + c; + + localConfig = + let + c.hfaxdConfig.UserAccessFile = cfg.userAccessFile; + c.faxqConfig = lib.attrsets.mapAttrs + (lib.trivial.const (v: mkIf (v!=null) v)) + { + AreaCode = cfg.areaCode; + CountryCode = cfg.countryCode; + LongDistancePrefix = cfg.longDistancePrefix; + InternationalPrefix = cfg.internationalPrefix; + }; + c.commonModemConfig = c.faxqConfig; + in + c; + +in + + +{ + + + options.services.hylafax = { + + enable = mkEnableOption "HylaFAX server"; + + autostart = mkOption { + type = bool; + default = true; + example = false; + description = '' + Autostart the HylaFAX queue manager at system start. + If this is <literal>false</literal>, the queue manager + will still be started if there are pending + jobs or if a user tries to connect to it. + ''; + }; + + countryCode = mkOption { + type = nullOr nonEmptyStr; + default = null; + example = "49"; + description = "Country code for server and all modems."; + }; + + areaCode = mkOption { + type = nullOr nonEmptyStr; + default = null; + example = "30"; + description = "Area code for server and all modems."; + }; + + longDistancePrefix = mkOption { + type = nullOr str; + default = null; + example = "0"; + description = "Long distance prefix for server and all modems."; + }; + + internationalPrefix = mkOption { + type = nullOr str; + default = null; + example = "00"; + description = "International prefix for server and all modems."; + }; + + spoolAreaPath = mkOption { + type = path; + default = "/var/spool/fax"; + description = '' + The spooling area will be created/maintained + at the location given here. + ''; + }; + + userAccessFile = mkOption { + type = path; + default = "/etc/hosts.hfaxd"; + description = '' + The <filename>hosts.hfaxd</filename> + file entry in the spooling area + will be symlinked to the location given here. + This file must exist and be + readable only by the <literal>uucp</literal> user. + See hosts.hfaxd(5) for details. + This configuration permits access for all users: + <literal> + environment.etc."hosts.hfaxd" = { + mode = "0600"; + user = "uucp"; + text = ".*"; + }; + </literal> + Note that host-based access can be controlled with + <option>config.systemd.sockets.hylafax-hfaxd.listenStreams</option>; + by default, only 127.0.0.1 is permitted to connect. + ''; + }; + + sendmailPath = mkOption { + type = path; + example = literalExpression ''"''${pkgs.postfix}/bin/sendmail"''; + # '' ; # fix vim + description = '' + Path to <filename>sendmail</filename> program. + The default uses the local sendmail wrapper + (see <option>config.services.mail.sendmailSetuidWrapper</option>), + otherwise the <filename>false</filename> + binary to cause an error if used. + ''; + }; + + hfaxdConfig = mkOption { + type = configAttrType; + example.RecvqProtection = "0400"; + description = '' + Attribute set of lines for the global + hfaxd config file <filename>etc/hfaxd.conf</filename>. + ${commonDescr} + ''; + }; + + faxqConfig = mkOption { + type = configAttrType; + example = { + InternationalPrefix = "00"; + LongDistancePrefix = "0"; + }; + description = '' + Attribute set of lines for the global + faxq config file <filename>etc/config</filename>. + ${commonDescr} + ''; + }; + + commonModemConfig = mkOption { + type = configAttrType; + example = { + InternationalPrefix = "00"; + LongDistancePrefix = "0"; + }; + description = '' + Attribute set of default values for + modem config files <filename>etc/config.*</filename>. + ${commonDescr} + Think twice before changing + paths of fax-processing scripts. + ''; + }; + + modems = mkOption { + type = attrsOf (submodule [ modemConfigOptions ]); + default = {}; + example.ttyS1 = { + type = "cirrus"; + config = { + FAXNumber = "123456"; + LocalIdentifier = "Smith"; + }; + }; + description = '' + Description of installed modems. + At least on modem must be defined + to enable the HylaFAX server. + ''; + }; + + spoolExtraInit = mkOption { + type = lines; + default = ""; + example = "chmod 0755 . # everyone may read my faxes"; + description = '' + Additional shell code that is executed within the + spooling area directory right after its setup. + ''; + }; + + faxcron.enable.spoolInit = mkEnableOption '' + Purge old files from the spooling area with + <filename>faxcron</filename> + each time the spooling area is initialized. + ''; + faxcron.enable.frequency = mkOption { + type = nullOr nonEmptyStr; + default = null; + example = "daily"; + description = '' + Purge old files from the spooling area with + <filename>faxcron</filename> with the given frequency + (see systemd.time(7)). + ''; + }; + faxcron.infoDays = mkOption { + type = ints.positive; + default = 30; + description = '' + Set the expiration time for data in the + remote machine information directory in days. + ''; + }; + faxcron.logDays = mkOption { + type = ints.positive; + default = 30; + description = '' + Set the expiration time for + session trace log files in days. + ''; + }; + faxcron.rcvDays = mkOption { + type = ints.positive; + default = 7; + description = '' + Set the expiration time for files in + the received facsimile queue in days. + ''; + }; + + faxqclean.enable.spoolInit = mkEnableOption '' + Purge old files from the spooling area with + <filename>faxqclean</filename> + each time the spooling area is initialized. + ''; + faxqclean.enable.frequency = mkOption { + type = nullOr nonEmptyStr; + default = null; + example = "daily"; + description = '' + Purge old files from the spooling area with + <filename>faxcron</filename> with the given frequency + (see systemd.time(7)). + ''; + }; + faxqclean.archiving = mkOption { + type = enum [ "never" "as-flagged" "always" ]; + default = "as-flagged"; + example = "always"; + description = '' + Enable or suppress job archiving: + <literal>never</literal> disables job archiving, + <literal>as-flagged</literal> archives jobs that + have been flagged for archiving by sendfax, + <literal>always</literal> forces archiving of all jobs. + See also sendfax(1) and faxqclean(8). + ''; + }; + faxqclean.doneqMinutes = mkOption { + type = ints.positive; + default = 15; + example = literalExpression "24*60"; + description = '' + Set the job + age threshold (in minutes) that controls how long + jobs may reside in the doneq directory. + ''; + }; + faxqclean.docqMinutes = mkOption { + type = ints.positive; + default = 60; + example = literalExpression "24*60"; + description = '' + Set the document + age threshold (in minutes) that controls how long + unreferenced files may reside in the docq directory. + ''; + }; + + }; + + + config.services.hylafax = + mkIf + (config.services.hylafax.enable) + (mkMerge [ defaultConfig localConfig ]) + ; + +} diff --git a/nixos/modules/services/networking/hylafax/spool.sh b/nixos/modules/services/networking/hylafax/spool.sh new file mode 100755 index 00000000000..8b723df77df --- /dev/null +++ b/nixos/modules/services/networking/hylafax/spool.sh @@ -0,0 +1,111 @@ +#! @runtimeShell@ -e + +# The following lines create/update the HylaFAX spool directory: +# Subdirectories/files with persistent data are kept, +# other directories/files are removed/recreated, +# mostly from the template spool +# directory in the HylaFAX package. + +# This block explains how the spool area is +# derived from the spool template in the HylaFAX package: +# +# + capital letter: directory; file otherwise +# + P/p: persistent directory +# + F/f: directory with symlinks per entry +# + T/t: temporary data +# + S/s: single symlink into package +# | +# | + u: change ownership to uucp:uucp +# | + U: ..also change access mode to user-only +# | | +# archive P U +# bin S +# client T u (client connection info) +# config S +# COPYRIGHT s +# dev T u (maybe some FIFOs) +# docq P U +# doneq P U +# etc F contains customized config files! +# etc/hosts.hfaxd f +# etc/xferfaxlog f +# info P u (database of called devices) +# log P u (communication logs) +# pollq P U +# recvq P u +# sendq P U +# status T u (modem status info files) +# tmp T U + + +shopt -s dotglob # if bash sees "*", it also includes dot files +lnsym () { ln --symbol "$@" ; } +lnsymfrc () { ln --symbolic --force "$@" ; } +cprd () { cp --remove-destination "$@" ; } +update () { install --owner=@faxuser@ --group=@faxgroup@ "$@" ; } + + +## create/update spooling area + +update --mode=0750 -d "@spoolAreaPath@" +cd "@spoolAreaPath@" + +persist=(archive docq doneq info log pollq recvq sendq) + +# remove entries that don't belong here +touch dummy # ensure "*" resolves to something +for k in * +do + keep=0 + for j in "${persist[@]}" xferfaxlog clientlog faxcron.lastrun + do + if test "$k" == "$j" + then + keep=1 + break + fi + done + if test "$keep" == "0" + then + rm --recursive "$k" + fi +done + +# create persistent data directories (unless they exist already) +update --mode=0700 -d "${persist[@]}" +chmod 0755 info log recvq + +# create ``xferfaxlog``, ``faxcron.lastrun``, ``clientlog`` +touch clientlog faxcron.lastrun xferfaxlog +chown @faxuser@:@faxgroup@ clientlog faxcron.lastrun xferfaxlog + +# create symlinks for frozen directories/files +lnsym --target-directory=. "@hylafaxplus@"/spool/{COPYRIGHT,bin,config} + +# create empty temporary directories +update --mode=0700 -d client dev status +update -d tmp + + +## create and fill etc + +install -d "@spoolAreaPath@/etc" +cd "@spoolAreaPath@/etc" + +# create symlinks to all files in template's etc +lnsym --target-directory=. "@hylafaxplus@/spool/etc"/* + +# set LOCKDIR in setup.cache +sed --regexp-extended 's|^(UUCP_LOCKDIR=).*$|\1'"'@lockPath@'|g" --in-place setup.cache + +# etc/{xferfaxlog,lastrun} are stored in the spool root +lnsymfrc --target-directory=. ../xferfaxlog +lnsymfrc --no-target-directory ../faxcron.lastrun lastrun + +# etc/hosts.hfaxd is provided by the NixOS configuration +lnsymfrc --no-target-directory "@userAccessFile@" hosts.hfaxd + +# etc/config and etc/config.${DEVID} must be copied: +# hfaxd reads these file after locking itself up in a chroot +cprd --no-target-directory "@globalConfigPath@" config +cprd --target-directory=. "@modemConfigPath@"/* diff --git a/nixos/modules/services/networking/hylafax/systemd.nix b/nixos/modules/services/networking/hylafax/systemd.nix new file mode 100644 index 00000000000..4506bbbc5eb --- /dev/null +++ b/nixos/modules/services/networking/hylafax/systemd.nix @@ -0,0 +1,249 @@ +{ config, lib, pkgs, ... }: + + +let + + inherit (lib) mkIf mkMerge; + inherit (lib) concatStringsSep optionalString; + + cfg = config.services.hylafax; + mapModems = lib.forEach (lib.attrValues cfg.modems); + + mkConfigFile = name: conf: + # creates hylafax config file, + # makes sure "Include" is listed *first* + let + mkLines = lib.flip lib.pipe [ + (lib.mapAttrsToList (key: map (val: "${key}: ${val}"))) + lib.concatLists + ]; + include = mkLines { Include = conf.Include or []; }; + other = mkLines ( conf // { Include = []; } ); + in + pkgs.writeText "hylafax-config${name}" + (concatStringsSep "\n" (include ++ other)); + + globalConfigPath = mkConfigFile "" cfg.faxqConfig; + + modemConfigPath = + let + mkModemConfigFile = { config, name, ... }: + mkConfigFile ".${name}" + (cfg.commonModemConfig // config); + mkLine = { name, type, ... }@modem: '' + # check if modem config file exists: + test -f "${pkgs.hylafaxplus}/spool/config/${type}" + ln \ + --symbolic \ + --no-target-directory \ + "${mkModemConfigFile modem}" \ + "$out/config.${name}" + ''; + in + pkgs.runCommand "hylafax-config-modems" { preferLocalBuild = true; } + ''mkdir --parents "$out/" ${concatStringsSep "\n" (mapModems mkLine)}''; + + setupSpoolScript = pkgs.substituteAll { + name = "hylafax-setup-spool.sh"; + src = ./spool.sh; + isExecutable = true; + faxuser = "uucp"; + faxgroup = "uucp"; + lockPath = "/var/lock"; + inherit globalConfigPath modemConfigPath; + inherit (cfg) sendmailPath spoolAreaPath userAccessFile; + inherit (pkgs) hylafaxplus runtimeShell; + }; + + waitFaxqScript = pkgs.substituteAll { + # This script checks the modems status files + # and waits until all modems report readiness. + name = "hylafax-faxq-wait-start.sh"; + src = ./faxq-wait.sh; + isExecutable = true; + timeoutSec = toString 10; + inherit (cfg) spoolAreaPath; + inherit (pkgs) runtimeShell; + }; + + sockets.hylafax-hfaxd = { + description = "HylaFAX server socket"; + documentation = [ "man:hfaxd(8)" ]; + wantedBy = [ "multi-user.target" ]; + listenStreams = [ "127.0.0.1:4559" ]; + socketConfig.FreeBind = true; + socketConfig.Accept = true; + }; + + paths.hylafax-faxq = { + description = "HylaFAX queue manager sendq watch"; + documentation = [ "man:faxq(8)" "man:sendq(5)" ]; + wantedBy = [ "multi-user.target" ]; + pathConfig.PathExistsGlob = [ "${cfg.spoolAreaPath}/sendq/q*" ]; + }; + + timers = mkMerge [ + ( + mkIf (cfg.faxcron.enable.frequency!=null) + { hylafax-faxcron.timerConfig.Persistent = true; } + ) + ( + mkIf (cfg.faxqclean.enable.frequency!=null) + { hylafax-faxqclean.timerConfig.Persistent = true; } + ) + ]; + + hardenService = + # Add some common systemd service hardening settings, + # but allow each service (here) to override + # settings by explicitely setting those to `null`. + # More hardening would be nice but makes + # customizing hylafax setups very difficult. + # If at all, it should only be added along + # with some options to customize it. + let + hardening = { + PrivateDevices = true; # breaks /dev/tty... + PrivateNetwork = true; + PrivateTmp = true; + #ProtectClock = true; # breaks /dev/tty... (why?) + ProtectControlGroups = true; + #ProtectHome = true; # breaks custom spool dirs + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + #ProtectSystem = "strict"; # breaks custom spool dirs + RestrictNamespaces = true; + RestrictRealtime = true; + }; + filter = key: value: (value != null) || ! (lib.hasAttr key hardening); + apply = service: lib.filterAttrs filter (hardening // (service.serviceConfig or {})); + in + service: service // { serviceConfig = apply service; }; + + services.hylafax-spool = { + description = "HylaFAX spool area preparation"; + documentation = [ "man:hylafax-server(4)" ]; + script = '' + ${setupSpoolScript} + cd "${cfg.spoolAreaPath}" + ${cfg.spoolExtraInit} + if ! test -f "${cfg.spoolAreaPath}/etc/hosts.hfaxd" + then + echo hosts.hfaxd is missing + exit 1 + fi + ''; + serviceConfig.ExecStop = "${setupSpoolScript}"; + serviceConfig.RemainAfterExit = true; + serviceConfig.Type = "oneshot"; + unitConfig.RequiresMountsFor = [ cfg.spoolAreaPath ]; + }; + + services.hylafax-faxq = { + description = "HylaFAX queue manager"; + documentation = [ "man:faxq(8)" ]; + requires = [ "hylafax-spool.service" ]; + after = [ "hylafax-spool.service" ]; + wants = mapModems ( { name, ... }: "hylafax-faxgetty@${name}.service" ); + wantedBy = mkIf cfg.autostart [ "multi-user.target" ]; + serviceConfig.Type = "forking"; + serviceConfig.ExecStart = ''${pkgs.hylafaxplus}/spool/bin/faxq -q "${cfg.spoolAreaPath}"''; + # This delays the "readiness" of this service until + # all modems are initialized (or a timeout is reached). + # Otherwise, sending a fax with the fax service + # stopped will always yield a failed send attempt: + # The fax service is started when the job is created with + # `sendfax`, but modems need some time to initialize. + serviceConfig.ExecStartPost = [ "${waitFaxqScript}" ]; + # faxquit fails if the pipe is already gone + # (e.g. the service is already stopping) + serviceConfig.ExecStop = ''-${pkgs.hylafaxplus}/spool/bin/faxquit -q "${cfg.spoolAreaPath}"''; + # disable some systemd hardening settings + serviceConfig.PrivateDevices = null; + serviceConfig.RestrictRealtime = null; + }; + + services."hylafax-hfaxd@" = { + description = "HylaFAX server"; + documentation = [ "man:hfaxd(8)" ]; + after = [ "hylafax-faxq.service" ]; + requires = [ "hylafax-faxq.service" ]; + serviceConfig.StandardInput = "socket"; + serviceConfig.StandardOutput = "socket"; + serviceConfig.ExecStart = ''${pkgs.hylafaxplus}/spool/bin/hfaxd -q "${cfg.spoolAreaPath}" -d -I''; + unitConfig.RequiresMountsFor = [ cfg.userAccessFile ]; + # disable some systemd hardening settings + serviceConfig.PrivateDevices = null; + serviceConfig.PrivateNetwork = null; + }; + + services.hylafax-faxcron = rec { + description = "HylaFAX spool area maintenance"; + documentation = [ "man:faxcron(8)" ]; + after = [ "hylafax-spool.service" ]; + requires = [ "hylafax-spool.service" ]; + wantedBy = mkIf cfg.faxcron.enable.spoolInit requires; + startAt = mkIf (cfg.faxcron.enable.frequency!=null) cfg.faxcron.enable.frequency; + serviceConfig.ExecStart = concatStringsSep " " [ + "${pkgs.hylafaxplus}/spool/bin/faxcron" + ''-q "${cfg.spoolAreaPath}"'' + ''-info ${toString cfg.faxcron.infoDays}'' + ''-log ${toString cfg.faxcron.logDays}'' + ''-rcv ${toString cfg.faxcron.rcvDays}'' + ]; + }; + + services.hylafax-faxqclean = rec { + description = "HylaFAX spool area queue cleaner"; + documentation = [ "man:faxqclean(8)" ]; + after = [ "hylafax-spool.service" ]; + requires = [ "hylafax-spool.service" ]; + wantedBy = mkIf cfg.faxqclean.enable.spoolInit requires; + startAt = mkIf (cfg.faxqclean.enable.frequency!=null) cfg.faxqclean.enable.frequency; + serviceConfig.ExecStart = concatStringsSep " " [ + "${pkgs.hylafaxplus}/spool/bin/faxqclean" + ''-q "${cfg.spoolAreaPath}"'' + "-v" + (optionalString (cfg.faxqclean.archiving!="never") "-a") + (optionalString (cfg.faxqclean.archiving=="always") "-A") + ''-j ${toString (cfg.faxqclean.doneqMinutes*60)}'' + ''-d ${toString (cfg.faxqclean.docqMinutes*60)}'' + ]; + }; + + mkFaxgettyService = { name, ... }: + lib.nameValuePair "hylafax-faxgetty@${name}" rec { + description = "HylaFAX faxgetty for %I"; + documentation = [ "man:faxgetty(8)" ]; + bindsTo = [ "dev-%i.device" ]; + requires = [ "hylafax-spool.service" ]; + after = bindsTo ++ requires; + before = [ "hylafax-faxq.service" "getty.target" ]; + unitConfig.StopWhenUnneeded = true; + unitConfig.AssertFileNotEmpty = "${cfg.spoolAreaPath}/etc/config.%I"; + serviceConfig.UtmpIdentifier = "%I"; + serviceConfig.TTYPath = "/dev/%I"; + serviceConfig.Restart = "always"; + serviceConfig.KillMode = "process"; + serviceConfig.IgnoreSIGPIPE = false; + serviceConfig.ExecStart = ''-${pkgs.hylafaxplus}/spool/bin/faxgetty -q "${cfg.spoolAreaPath}" /dev/%I''; + # faxquit fails if the pipe is already gone + # (e.g. the service is already stopping) + serviceConfig.ExecStop = ''-${pkgs.hylafaxplus}/spool/bin/faxquit -q "${cfg.spoolAreaPath}" %I''; + # disable some systemd hardening settings + serviceConfig.PrivateDevices = null; + serviceConfig.RestrictRealtime = null; + }; + + modemServices = + lib.listToAttrs (mapModems mkFaxgettyService); + +in + +{ + config.systemd = mkIf cfg.enable { + inherit sockets timers paths; + services = lib.mapAttrs (lib.const hardenService) (services // modemServices); + }; +} diff --git a/nixos/modules/services/networking/i2p.nix b/nixos/modules/services/networking/i2p.nix new file mode 100644 index 00000000000..3b6010531f1 --- /dev/null +++ b/nixos/modules/services/networking/i2p.nix @@ -0,0 +1,34 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.i2p; + homeDir = "/var/lib/i2p"; +in { + ###### interface + options.services.i2p.enable = mkEnableOption "I2P router"; + + ###### implementation + config = mkIf cfg.enable { + users.users.i2p = { + group = "i2p"; + description = "i2p User"; + home = homeDir; + createHome = true; + uid = config.ids.uids.i2p; + }; + users.groups.i2p.gid = config.ids.gids.i2p; + systemd.services.i2p = { + description = "I2P router with administration interface for hidden services"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = "i2p"; + WorkingDirectory = homeDir; + Restart = "on-abort"; + ExecStart = "${pkgs.i2p}/bin/i2prouter-plain"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/i2pd.nix b/nixos/modules/services/networking/i2pd.nix new file mode 100644 index 00000000000..34fda57b23d --- /dev/null +++ b/nixos/modules/services/networking/i2pd.nix @@ -0,0 +1,691 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.i2pd; + + homeDir = "/var/lib/i2pd"; + + strOpt = k: v: k + " = " + v; + boolOpt = k: v: k + " = " + boolToString v; + intOpt = k: v: k + " = " + toString v; + lstOpt = k: xs: k + " = " + concatStringsSep "," xs; + optionalNullString = o: s: optional (s != null) (strOpt o s); + optionalNullBool = o: b: optional (b != null) (boolOpt o b); + optionalNullInt = o: i: optional (i != null) (intOpt o i); + optionalEmptyList = o: l: optional ([] != l) (lstOpt o l); + + mkEnableTrueOption = name: mkEnableOption name // { default = true; }; + + mkEndpointOpt = name: addr: port: { + enable = mkEnableOption name; + name = mkOption { + type = types.str; + default = name; + description = "The endpoint name."; + }; + address = mkOption { + type = types.str; + default = addr; + description = "Bind address for ${name} endpoint."; + }; + port = mkOption { + type = types.port; + default = port; + description = "Bind port for ${name} endpoint."; + }; + }; + + i2cpOpts = name: { + length = mkOption { + type = types.int; + description = "Guaranteed minimum hops for ${name} tunnels."; + default = 3; + }; + quantity = mkOption { + type = types.int; + description = "Number of simultaneous ${name} tunnels."; + default = 5; + }; + }; + + mkKeyedEndpointOpt = name: addr: port: keyloc: + (mkEndpointOpt name addr port) // { + keys = mkOption { + type = with types; nullOr str; + default = keyloc; + description = '' + File to persist ${lib.toUpper name} keys. + ''; + }; + inbound = i2cpOpts name; + outbound = i2cpOpts name; + latency.min = mkOption { + type = with types; nullOr int; + description = "Min latency for tunnels."; + default = null; + }; + latency.max = mkOption { + type = with types; nullOr int; + description = "Max latency for tunnels."; + default = null; + }; + }; + + commonTunOpts = name: { + outbound = i2cpOpts name; + inbound = i2cpOpts name; + crypto.tagsToSend = mkOption { + type = types.int; + description = "Number of ElGamal/AES tags to send."; + default = 40; + }; + destination = mkOption { + type = types.str; + description = "Remote endpoint, I2P hostname or b32.i2p address."; + }; + keys = mkOption { + type = types.str; + default = name + "-keys.dat"; + description = "Keyset used for tunnel identity."; + }; + } // mkEndpointOpt name "127.0.0.1" 0; + + sec = name: "\n[" + name + "]"; + notice = "# DO NOT EDIT -- this file has been generated automatically."; + i2pdConf = let + opts = [ + notice + (strOpt "loglevel" cfg.logLevel) + (boolOpt "logclftime" cfg.logCLFTime) + (boolOpt "ipv4" cfg.enableIPv4) + (boolOpt "ipv6" cfg.enableIPv6) + (boolOpt "notransit" cfg.notransit) + (boolOpt "floodfill" cfg.floodfill) + (intOpt "netid" cfg.netid) + ] ++ (optionalNullInt "bandwidth" cfg.bandwidth) + ++ (optionalNullInt "port" cfg.port) + ++ (optionalNullString "family" cfg.family) + ++ (optionalNullString "datadir" cfg.dataDir) + ++ (optionalNullInt "share" cfg.share) + ++ (optionalNullBool "ssu" cfg.ssu) + ++ (optionalNullBool "ntcp" cfg.ntcp) + ++ (optionalNullString "ntcpproxy" cfg.ntcpProxy) + ++ (optionalNullString "ifname" cfg.ifname) + ++ (optionalNullString "ifname4" cfg.ifname4) + ++ (optionalNullString "ifname6" cfg.ifname6) + ++ [ + (sec "limits") + (intOpt "transittunnels" cfg.limits.transittunnels) + (intOpt "coresize" cfg.limits.coreSize) + (intOpt "openfiles" cfg.limits.openFiles) + (intOpt "ntcphard" cfg.limits.ntcpHard) + (intOpt "ntcpsoft" cfg.limits.ntcpSoft) + (intOpt "ntcpthreads" cfg.limits.ntcpThreads) + (sec "upnp") + (boolOpt "enabled" cfg.upnp.enable) + (sec "precomputation") + (boolOpt "elgamal" cfg.precomputation.elgamal) + (sec "reseed") + (boolOpt "verify" cfg.reseed.verify) + ] ++ (optionalNullString "file" cfg.reseed.file) + ++ (optionalEmptyList "urls" cfg.reseed.urls) + ++ (optionalNullString "floodfill" cfg.reseed.floodfill) + ++ (optionalNullString "zipfile" cfg.reseed.zipfile) + ++ (optionalNullString "proxy" cfg.reseed.proxy) + ++ [ + (sec "trust") + (boolOpt "enabled" cfg.trust.enable) + (boolOpt "hidden" cfg.trust.hidden) + ] ++ (optionalEmptyList "routers" cfg.trust.routers) + ++ (optionalNullString "family" cfg.trust.family) + ++ [ + (sec "websockets") + (boolOpt "enabled" cfg.websocket.enable) + (strOpt "address" cfg.websocket.address) + (intOpt "port" cfg.websocket.port) + (sec "exploratory") + (intOpt "inbound.length" cfg.exploratory.inbound.length) + (intOpt "inbound.quantity" cfg.exploratory.inbound.quantity) + (intOpt "outbound.length" cfg.exploratory.outbound.length) + (intOpt "outbound.quantity" cfg.exploratory.outbound.quantity) + (sec "ntcp2") + (boolOpt "enabled" cfg.ntcp2.enable) + (boolOpt "published" cfg.ntcp2.published) + (intOpt "port" cfg.ntcp2.port) + (sec "addressbook") + (strOpt "defaulturl" cfg.addressbook.defaulturl) + ] ++ (optionalEmptyList "subscriptions" cfg.addressbook.subscriptions) + ++ (flip map + (collect (proto: proto ? port && proto ? address) cfg.proto) + (proto: let protoOpts = [ + (sec proto.name) + (boolOpt "enabled" proto.enable) + (strOpt "address" proto.address) + (intOpt "port" proto.port) + ] ++ (if proto ? keys then optionalNullString "keys" proto.keys else []) + ++ (if proto ? auth then optionalNullBool "auth" proto.auth else []) + ++ (if proto ? user then optionalNullString "user" proto.user else []) + ++ (if proto ? pass then optionalNullString "pass" proto.pass else []) + ++ (if proto ? strictHeaders then optionalNullBool "strictheaders" proto.strictHeaders else []) + ++ (if proto ? hostname then optionalNullString "hostname" proto.hostname else []) + ++ (if proto ? outproxy then optionalNullString "outproxy" proto.outproxy else []) + ++ (if proto ? outproxyPort then optionalNullInt "outproxyport" proto.outproxyPort else []) + ++ (if proto ? outproxyEnable then optionalNullBool "outproxy.enabled" proto.outproxyEnable else []); + in (concatStringsSep "\n" protoOpts) + )); + in + pkgs.writeText "i2pd.conf" (concatStringsSep "\n" opts); + + tunnelConf = let opts = [ + notice + (flip map + (collect (tun: tun ? port && tun ? destination) cfg.outTunnels) + (tun: let outTunOpts = [ + (sec tun.name) + "type = client" + (intOpt "port" tun.port) + (strOpt "destination" tun.destination) + ] ++ (if tun ? destinationPort then optionalNullInt "destinationport" tun.destinationPort else []) + ++ (if tun ? keys then + optionalNullString "keys" tun.keys else []) + ++ (if tun ? address then + optionalNullString "address" tun.address else []) + ++ (if tun ? inbound.length then + optionalNullInt "inbound.length" tun.inbound.length else []) + ++ (if tun ? inbound.quantity then + optionalNullInt "inbound.quantity" tun.inbound.quantity else []) + ++ (if tun ? outbound.length then + optionalNullInt "outbound.length" tun.outbound.length else []) + ++ (if tun ? outbound.quantity then + optionalNullInt "outbound.quantity" tun.outbound.quantity else []) + ++ (if tun ? crypto.tagsToSend then + optionalNullInt "crypto.tagstosend" tun.crypto.tagsToSend else []); + in concatStringsSep "\n" outTunOpts)) + (flip map + (collect (tun: tun ? port && tun ? address) cfg.inTunnels) + (tun: let inTunOpts = [ + (sec tun.name) + "type = server" + (intOpt "port" tun.port) + (strOpt "host" tun.address) + ] ++ (if tun ? destination then + optionalNullString "destination" tun.destination else []) + ++ (if tun ? keys then + optionalNullString "keys" tun.keys else []) + ++ (if tun ? inPort then + optionalNullInt "inport" tun.inPort else []) + ++ (if tun ? accessList then + optionalEmptyList "accesslist" tun.accessList else []); + in concatStringsSep "\n" inTunOpts))]; + in pkgs.writeText "i2pd-tunnels.conf" opts; + + i2pdFlags = concatStringsSep " " ( + optional (cfg.address != null) ("--host=" + cfg.address) ++ [ + "--service" + ("--conf=" + i2pdConf) + ("--tunconf=" + tunnelConf) + ]); + +in + +{ + + imports = [ + (mkRenamedOptionModule [ "services" "i2pd" "extIp" ] [ "services" "i2pd" "address" ]) + ]; + + ###### interface + + options = { + + services.i2pd = { + + enable = mkEnableOption "I2Pd daemon" // { + description = '' + Enables I2Pd as a running service upon activation. + Please read http://i2pd.readthedocs.io/en/latest/ for further + configuration help. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.i2pd; + defaultText = literalExpression "pkgs.i2pd"; + description = '' + i2pd package to use. + ''; + }; + + logLevel = mkOption { + type = types.enum ["debug" "info" "warn" "error"]; + default = "error"; + description = '' + The log level. <command>i2pd</command> defaults to "info" + but that generates copious amounts of log messages. + + We default to "error" which is similar to the default log + level of <command>tor</command>. + ''; + }; + + logCLFTime = mkEnableOption "Full CLF-formatted date and time to log"; + + address = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Your external IP or hostname. + ''; + }; + + family = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Specify a family the router belongs to. + ''; + }; + + dataDir = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Alternative path to storage of i2pd data (RI, keys, peer profiles, ...) + ''; + }; + + share = mkOption { + type = types.int; + default = 100; + description = '' + Limit of transit traffic from max bandwidth in percents. + ''; + }; + + ifname = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Network interface to bind to. + ''; + }; + + ifname4 = mkOption { + type = with types; nullOr str; + default = null; + description = '' + IPv4 interface to bind to. + ''; + }; + + ifname6 = mkOption { + type = with types; nullOr str; + default = null; + description = '' + IPv6 interface to bind to. + ''; + }; + + ntcpProxy = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Proxy URL for NTCP transport. + ''; + }; + + ntcp = mkEnableTrueOption "ntcp"; + ssu = mkEnableTrueOption "ssu"; + + notransit = mkEnableOption "notransit" // { + description = '' + Tells the router to not accept transit tunnels during startup. + ''; + }; + + floodfill = mkEnableOption "floodfill" // { + description = '' + If the router is declared to be unreachable and needs introduction nodes. + ''; + }; + + netid = mkOption { + type = types.int; + default = 2; + description = '' + I2P overlay netid. + ''; + }; + + bandwidth = mkOption { + type = with types; nullOr int; + default = null; + description = '' + Set a router bandwidth limit integer in KBps. + If not set, <command>i2pd</command> defaults to 32KBps. + ''; + }; + + port = mkOption { + type = with types; nullOr int; + default = null; + description = '' + I2P listen port. If no one is given the router will pick between 9111 and 30777. + ''; + }; + + enableIPv4 = mkEnableTrueOption "IPv4 connectivity"; + enableIPv6 = mkEnableOption "IPv6 connectivity"; + nat = mkEnableTrueOption "NAT bypass"; + + upnp.enable = mkEnableOption "UPnP service discovery"; + upnp.name = mkOption { + type = types.str; + default = "I2Pd"; + description = '' + Name i2pd appears in UPnP forwardings list. + ''; + }; + + precomputation.elgamal = mkEnableTrueOption "Precomputed ElGamal tables" // { + description = '' + Whenever to use precomputated tables for ElGamal. + <command>i2pd</command> defaults to <literal>false</literal> + to save 64M of memory (and looses some performance). + + We default to <literal>true</literal> as that is what most + users want anyway. + ''; + }; + + reseed.verify = mkEnableOption "SU3 signature verification"; + + reseed.file = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Full path to SU3 file to reseed from. + ''; + }; + + reseed.urls = mkOption { + type = with types; listOf str; + default = []; + description = '' + Reseed URLs. + ''; + }; + + reseed.floodfill = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Path to router info of floodfill to reseed from. + ''; + }; + + reseed.zipfile = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Path to local .zip file to reseed from. + ''; + }; + + reseed.proxy = mkOption { + type = with types; nullOr str; + default = null; + description = '' + URL for reseed proxy, supports http/socks. + ''; + }; + + addressbook.defaulturl = mkOption { + type = types.str; + default = "http://joajgazyztfssty4w2on5oaqksz6tqoxbduy553y34mf4byv6gpq.b32.i2p/export/alive-hosts.txt"; + description = '' + AddressBook subscription URL for initial setup + ''; + }; + addressbook.subscriptions = mkOption { + type = with types; listOf str; + default = [ + "http://inr.i2p/export/alive-hosts.txt" + "http://i2p-projekt.i2p/hosts.txt" + "http://stats.i2p/cgi-bin/newhosts.txt" + ]; + description = '' + AddressBook subscription URLs + ''; + }; + + trust.enable = mkEnableOption "Explicit trust options"; + + trust.family = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Router Familiy to trust for first hops. + ''; + }; + + trust.routers = mkOption { + type = with types; listOf str; + default = []; + description = '' + Only connect to the listed routers. + ''; + }; + + trust.hidden = mkEnableOption "Router concealment"; + + websocket = mkEndpointOpt "websockets" "127.0.0.1" 7666; + + exploratory.inbound = i2cpOpts "exploratory"; + exploratory.outbound = i2cpOpts "exploratory"; + + ntcp2.enable = mkEnableTrueOption "NTCP2"; + ntcp2.published = mkEnableOption "NTCP2 publication"; + ntcp2.port = mkOption { + type = types.int; + default = 0; + description = '' + Port to listen for incoming NTCP2 connections (0=auto). + ''; + }; + + limits.transittunnels = mkOption { + type = types.int; + default = 2500; + description = '' + Maximum number of active transit sessions. + ''; + }; + + limits.coreSize = mkOption { + type = types.int; + default = 0; + description = '' + Maximum size of corefile in Kb (0 - use system limit). + ''; + }; + + limits.openFiles = mkOption { + type = types.int; + default = 0; + description = '' + Maximum number of open files (0 - use system default). + ''; + }; + + limits.ntcpHard = mkOption { + type = types.int; + default = 0; + description = '' + Maximum number of active transit sessions. + ''; + }; + + limits.ntcpSoft = mkOption { + type = types.int; + default = 0; + description = '' + Threshold to start probabalistic backoff with ntcp sessions (default: use system limit). + ''; + }; + + limits.ntcpThreads = mkOption { + type = types.int; + default = 1; + description = '' + Maximum number of threads used by NTCP DH worker. + ''; + }; + + proto.http = (mkEndpointOpt "http" "127.0.0.1" 7070) // { + + auth = mkEnableOption "Webconsole authentication"; + + user = mkOption { + type = types.str; + default = "i2pd"; + description = '' + Username for webconsole access + ''; + }; + + pass = mkOption { + type = types.str; + default = "i2pd"; + description = '' + Password for webconsole access. + ''; + }; + + strictHeaders = mkOption { + type = with types; nullOr bool; + default = null; + description = '' + Enable strict host checking on WebUI. + ''; + }; + + hostname = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Expected hostname for WebUI. + ''; + }; + }; + + proto.httpProxy = (mkKeyedEndpointOpt "httpproxy" "127.0.0.1" 4444 "httpproxy-keys.dat") + // { + outproxy = mkOption { + type = with types; nullOr str; + default = null; + description = "Upstream outproxy bind address."; + }; + }; + proto.socksProxy = (mkKeyedEndpointOpt "socksproxy" "127.0.0.1" 4447 "socksproxy-keys.dat") + // { + outproxyEnable = mkEnableOption "SOCKS outproxy"; + outproxy = mkOption { + type = types.str; + default = "127.0.0.1"; + description = "Upstream outproxy bind address."; + }; + outproxyPort = mkOption { + type = types.int; + default = 4444; + description = "Upstream outproxy bind port."; + }; + }; + + proto.sam = mkEndpointOpt "sam" "127.0.0.1" 7656; + proto.bob = mkEndpointOpt "bob" "127.0.0.1" 2827; + proto.i2cp = mkEndpointOpt "i2cp" "127.0.0.1" 7654; + proto.i2pControl = mkEndpointOpt "i2pcontrol" "127.0.0.1" 7650; + + outTunnels = mkOption { + default = {}; + type = with types; attrsOf (submodule ( + { name, ... }: { + options = { + destinationPort = mkOption { + type = with types; nullOr int; + default = null; + description = "Connect to particular port at destination."; + }; + } // commonTunOpts name; + config = { + name = mkDefault name; + }; + } + )); + description = '' + Connect to someone as a client and establish a local accept endpoint + ''; + }; + + inTunnels = mkOption { + default = {}; + type = with types; attrsOf (submodule ( + { name, ... }: { + options = { + inPort = mkOption { + type = types.int; + default = 0; + description = "Service port. Default to the tunnel's listen port."; + }; + accessList = mkOption { + type = with types; listOf str; + default = []; + description = "I2P nodes that are allowed to connect to this service."; + }; + } // commonTunOpts name; + config = { + name = mkDefault name; + }; + } + )); + description = '' + Serve something on I2P network at port and delegate requests to address inPort. + ''; + }; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + users.users.i2pd = { + group = "i2pd"; + description = "I2Pd User"; + home = homeDir; + createHome = true; + uid = config.ids.uids.i2pd; + }; + + users.groups.i2pd.gid = config.ids.gids.i2pd; + + systemd.services.i2pd = { + description = "Minimal I2P router"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = + { + User = "i2pd"; + WorkingDirectory = homeDir; + Restart = "on-abort"; + ExecStart = "${cfg.package}/bin/i2pd ${i2pdFlags}"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/icecream/daemon.nix b/nixos/modules/services/networking/icecream/daemon.nix new file mode 100644 index 00000000000..8593c94e34d --- /dev/null +++ b/nixos/modules/services/networking/icecream/daemon.nix @@ -0,0 +1,155 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.icecream.daemon; +in { + + ###### interface + + options = { + + services.icecream.daemon = { + + enable = mkEnableOption "Icecream Daemon"; + + openFirewall = mkOption { + type = types.bool; + description = '' + Whether to automatically open receive port in the firewall. + ''; + }; + + openBroadcast = mkOption { + type = types.bool; + description = '' + Whether to automatically open the firewall for scheduler discovery. + ''; + }; + + cacheLimit = mkOption { + type = types.ints.u16; + default = 256; + description = '' + Maximum size in Megabytes of cache used to store compile environments of compile clients. + ''; + }; + + netName = mkOption { + type = types.str; + default = "ICECREAM"; + description = '' + Network name to connect to. A scheduler with the same name needs to be running. + ''; + }; + + noRemote = mkOption { + type = types.bool; + default = false; + description = '' + Prevent jobs from other nodes being scheduled on this daemon. + ''; + }; + + schedulerHost = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Explicit scheduler hostname, useful in firewalled environments. + + Uses scheduler autodiscovery via broadcast if set to null. + ''; + }; + + maxProcesses = mkOption { + type = types.nullOr types.ints.u16; + default = null; + description = '' + Maximum number of compile jobs started in parallel for this daemon. + + Uses the number of CPUs if set to null. + ''; + }; + + nice = mkOption { + type = types.int; + default = 5; + description = '' + The level of niceness to use. + ''; + }; + + hostname = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Hostname of the daemon in the icecream infrastructure. + + Uses the hostname retrieved via uname if set to null. + ''; + }; + + user = mkOption { + type = types.str; + default = "icecc"; + description = '' + User to run the icecream daemon as. Set to root to enable receive of + remote compile environments. + ''; + }; + + package = mkOption { + default = pkgs.icecream; + defaultText = literalExpression "pkgs.icecream"; + type = types.package; + description = "Icecream package to use."; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + description = "Additional command line parameters."; + example = [ "-v" ]; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ 10245 ]; + networking.firewall.allowedUDPPorts = mkIf cfg.openBroadcast [ 8765 ]; + + systemd.services.icecc-daemon = { + description = "Icecream compile daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = escapeShellArgs ([ + "${getBin cfg.package}/bin/iceccd" + "-b" "$STATE_DIRECTORY" + "-u" "icecc" + (toString cfg.nice) + ] + ++ optionals (cfg.schedulerHost != null) ["-s" cfg.schedulerHost] + ++ optionals (cfg.netName != null) [ "-n" cfg.netName ] + ++ optionals (cfg.cacheLimit != null) [ "--cache-limit" (toString cfg.cacheLimit) ] + ++ optionals (cfg.maxProcesses != null) [ "-m" (toString cfg.maxProcesses) ] + ++ optionals (cfg.hostname != null) [ "-N" (cfg.hostname) ] + ++ optional cfg.noRemote "--no-remote" + ++ cfg.extraArgs); + DynamicUser = true; + User = "icecc"; + Group = "icecc"; + StateDirectory = "icecc"; + RuntimeDirectory = "icecc"; + AmbientCapabilities = "CAP_SYS_CHROOT"; + CapabilityBoundingSet = "CAP_SYS_CHROOT"; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ emantor ]; +} diff --git a/nixos/modules/services/networking/icecream/scheduler.nix b/nixos/modules/services/networking/icecream/scheduler.nix new file mode 100644 index 00000000000..14fbc966b98 --- /dev/null +++ b/nixos/modules/services/networking/icecream/scheduler.nix @@ -0,0 +1,101 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.icecream.scheduler; +in { + + ###### interface + + options = { + + services.icecream.scheduler = { + enable = mkEnableOption "Icecream Scheduler"; + + netName = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Network name for the icecream scheduler. + + Uses the default ICECREAM if null. + ''; + }; + + port = mkOption { + type = types.port; + default = 8765; + description = '' + Server port to listen for icecream daemon requests. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + description = '' + Whether to automatically open the daemon port in the firewall. + ''; + }; + + openTelnet = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open the telnet TCP port on 8766. + ''; + }; + + persistentClientConnection = mkOption { + type = types.bool; + default = false; + description = '' + Whether to prevent clients from connecting to a better scheduler. + ''; + }; + + package = mkOption { + default = pkgs.icecream; + defaultText = literalExpression "pkgs.icecream"; + type = types.package; + description = "Icecream package to use."; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + description = "Additional command line parameters"; + example = [ "-v" ]; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = mkMerge [ + (mkIf cfg.openFirewall [ cfg.port ]) + (mkIf cfg.openTelnet [ 8766 ]) + ]; + + systemd.services.icecc-scheduler = { + description = "Icecream scheduling server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = escapeShellArgs ([ + "${getBin cfg.package}/bin/icecc-scheduler" + "-p" (toString cfg.port) + ] + ++ optionals (cfg.netName != null) [ "-n" (toString cfg.netName) ] + ++ optional cfg.persistentClientConnection "-r" + ++ cfg.extraArgs); + + DynamicUser = true; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ emantor ]; +} diff --git a/nixos/modules/services/networking/inspircd.nix b/nixos/modules/services/networking/inspircd.nix new file mode 100644 index 00000000000..81c367ec8f7 --- /dev/null +++ b/nixos/modules/services/networking/inspircd.nix @@ -0,0 +1,62 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.inspircd; + + configFile = pkgs.writeText "inspircd.conf" cfg.config; + +in { + meta = { + maintainers = [ lib.maintainers.sternenseemann ]; + }; + + options = { + services.inspircd = { + enable = lib.mkEnableOption "InspIRCd"; + + package = lib.mkOption { + type = lib.types.package; + default = pkgs.inspircd; + defaultText = lib.literalExpression "pkgs.inspircd"; + example = lib.literalExpression "pkgs.inspircdMinimal"; + description = '' + The InspIRCd package to use. This is mainly useful + to specify an overridden version of the + <literal>pkgs.inspircd</literal> dervivation, for + example if you want to use a more minimal InspIRCd + distribution with less modules enabled or with + modules enabled which can't be distributed in binary + form due to licensing issues. + ''; + }; + + config = lib.mkOption { + type = lib.types.lines; + description = '' + Verbatim <literal>inspircd.conf</literal> file. + For a list of options, consult the + <link xlink:href="https://docs.inspircd.org/3/configuration/">InspIRCd documentation</link>, the + <link xlink:href="https://docs.inspircd.org/3/modules/">Module documentation</link> + and the example configuration files distributed + with <literal>pkgs.inspircd.doc</literal> + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.inspircd = { + description = "InspIRCd - the stable, high-performance and modular Internet Relay Chat Daemon"; + wantedBy = [ "multi-user.target" ]; + requires = [ "network.target" ]; + + serviceConfig = { + Type = "simple"; + ExecStart = '' + ${lib.getBin cfg.package}/bin/inspircd start --config ${configFile} --nofork --nopid + ''; + DynamicUser = true; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/iodine.nix b/nixos/modules/services/networking/iodine.nix new file mode 100644 index 00000000000..e241afe3269 --- /dev/null +++ b/nixos/modules/services/networking/iodine.nix @@ -0,0 +1,198 @@ +# NixOS module for iodine, ip over dns daemon + +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.iodine; + + iodinedUser = "iodined"; + + /* is this path made unreadable by ProtectHome = true ? */ + isProtected = x: hasPrefix "/root" x || hasPrefix "/home" x; +in +{ + imports = [ + (mkRenamedOptionModule [ "services" "iodined" "enable" ] [ "services" "iodine" "server" "enable" ]) + (mkRenamedOptionModule [ "services" "iodined" "domain" ] [ "services" "iodine" "server" "domain" ]) + (mkRenamedOptionModule [ "services" "iodined" "ip" ] [ "services" "iodine" "server" "ip" ]) + (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ]) + (mkRemovedOptionModule [ "services" "iodined" "client" ] "") + ]; + + ### configuration + + options = { + + services.iodine = { + clients = mkOption { + default = {}; + description = '' + Each attribute of this option defines a systemd service that + runs iodine. Many or none may be defined. + The name of each service is + <literal>iodine-<replaceable>name</replaceable></literal> + where <replaceable>name</replaceable> is the name of the + corresponding attribute name. + ''; + example = literalExpression '' + { + foo = { + server = "tunnel.mdomain.com"; + relay = "8.8.8.8"; + extraConfig = "-v"; + } + } + ''; + type = types.attrsOf ( + types.submodule ( + { + options = { + server = mkOption { + type = types.str; + default = ""; + description = "Hostname of server running iodined"; + example = "tunnel.mydomain.com"; + }; + + relay = mkOption { + type = types.str; + default = ""; + description = "DNS server to use as an intermediate relay to the iodined server"; + example = "8.8.8.8"; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + description = "Additional command line parameters"; + example = "-l 192.168.1.10 -p 23"; + }; + + passwordFile = mkOption { + type = types.str; + default = ""; + description = "Path to a file containing the password."; + }; + }; + } + ) + ); + }; + + server = { + enable = mkOption { + type = types.bool; + default = false; + description = "enable iodined server"; + }; + + ip = mkOption { + type = types.str; + default = ""; + description = "The assigned ip address or ip range"; + example = "172.16.10.1/24"; + }; + + domain = mkOption { + type = types.str; + default = ""; + description = "Domain or subdomain of which nameservers point to us"; + example = "tunnel.mydomain.com"; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + description = "Additional command line parameters"; + example = "-l 192.168.1.10 -p 23"; + }; + + passwordFile = mkOption { + type = types.str; + default = ""; + description = "File that contains password"; + }; + }; + + }; + }; + + ### implementation + + config = mkIf (cfg.server.enable || cfg.clients != {}) { + environment.systemPackages = [ pkgs.iodine ]; + boot.kernelModules = [ "tun" ]; + + systemd.services = + let + createIodineClientService = name: cfg: + { + description = "iodine client - ${name}"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + script = "exec ${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${optionalString (cfg.passwordFile != "") "< \"${builtins.toString cfg.passwordFile}\""} ${cfg.relay} ${cfg.server}"; + serviceConfig = { + RestartSec = "30s"; + Restart = "always"; + + # hardening : + # Filesystem access + ProtectSystem = "strict"; + ProtectHome = if isProtected cfg.passwordFile then "read-only" else "true" ; + PrivateTmp = true; + ReadWritePaths = "/dev/net/tun"; + PrivateDevices = false; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + # Caps + NoNewPrivileges = true; + # Misc. + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + MemoryDenyWriteExecute = true; + }; + }; + in + listToAttrs ( + mapAttrsToList + (name: value: nameValuePair "iodine-${name}" (createIodineClientService name value)) + cfg.clients + ) // { + iodined = mkIf (cfg.server.enable) { + description = "iodine, ip over dns server daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + script = "exec ${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "< \"${builtins.toString cfg.server.passwordFile}\""} ${cfg.server.ip} ${cfg.server.domain}"; + serviceConfig = { + # Filesystem access + ProtectSystem = "strict"; + ProtectHome = if isProtected cfg.server.passwordFile then "read-only" else "true" ; + PrivateTmp = true; + ReadWritePaths = "/dev/net/tun"; + PrivateDevices = false; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + # Caps + NoNewPrivileges = true; + # Misc. + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + MemoryDenyWriteExecute = true; + }; + }; + }; + + users.users.${iodinedUser} = { + uid = config.ids.uids.iodined; + group = "iodined"; + description = "Iodine daemon user"; + }; + users.groups.iodined.gid = config.ids.gids.iodined; + }; +} diff --git a/nixos/modules/services/networking/iperf3.nix b/nixos/modules/services/networking/iperf3.nix new file mode 100644 index 00000000000..0fe378b225d --- /dev/null +++ b/nixos/modules/services/networking/iperf3.nix @@ -0,0 +1,97 @@ +{ config, lib, pkgs, ... }: with lib; +let + cfg = config.services.iperf3; + + api = { + enable = mkEnableOption "iperf3 network throughput testing server"; + port = mkOption { + type = types.ints.u16; + default = 5201; + description = "Server port to listen on for iperf3 client requsts."; + }; + affinity = mkOption { + type = types.nullOr types.ints.unsigned; + default = null; + description = "CPU affinity for the process."; + }; + bind = mkOption { + type = types.nullOr types.str; + default = null; + description = "Bind to the specific interface associated with the given address."; + }; + openFirewall = mkOption { + type = types.bool; + default = false; + description = "Open ports in the firewall for iperf3."; + }; + verbose = mkOption { + type = types.bool; + default = false; + description = "Give more detailed output."; + }; + forceFlush = mkOption { + type = types.bool; + default = false; + description = "Force flushing output at every interval."; + }; + debug = mkOption { + type = types.bool; + default = false; + description = "Emit debugging output."; + }; + rsaPrivateKey = mkOption { + type = types.nullOr types.path; + default = null; + description = "Path to the RSA private key (not password-protected) used to decrypt authentication credentials from the client."; + }; + authorizedUsersFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "Path to the configuration file containing authorized users credentials to run iperf tests."; + }; + extraFlags = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "Extra flags to pass to iperf3(1)."; + }; + }; + + imp = { + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + }; + + systemd.services.iperf3 = { + description = "iperf3 daemon"; + unitConfig.Documentation = "man:iperf3(1) https://iperf.fr/iperf-doc.php"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + Restart = "on-failure"; + RestartSec = 2; + DynamicUser = true; + PrivateDevices = true; + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + ExecStart = '' + ${pkgs.iperf3}/bin/iperf \ + --server \ + --port ${toString cfg.port} \ + ${optionalString (cfg.affinity != null) "--affinity ${toString cfg.affinity}"} \ + ${optionalString (cfg.bind != null) "--bind ${cfg.bind}"} \ + ${optionalString (cfg.rsaPrivateKey != null) "--rsa-private-key-path ${cfg.rsaPrivateKey}"} \ + ${optionalString (cfg.authorizedUsersFile != null) "--authorized-users-path ${cfg.authorizedUsersFile}"} \ + ${optionalString cfg.verbose "--verbose"} \ + ${optionalString cfg.debug "--debug"} \ + ${optionalString cfg.forceFlush "--forceflush"} \ + ${escapeShellArgs cfg.extraFlags} + ''; + }; + }; + }; +in { + options.services.iperf3 = api; + config = mkIf cfg.enable imp; +} diff --git a/nixos/modules/services/networking/ircd-hybrid/builder.sh b/nixos/modules/services/networking/ircd-hybrid/builder.sh new file mode 100644 index 00000000000..38312210df2 --- /dev/null +++ b/nixos/modules/services/networking/ircd-hybrid/builder.sh @@ -0,0 +1,31 @@ +source $stdenv/setup + +doSub() { + local src=$1 + local dst=$2 + mkdir -p $(dirname $dst) + substituteAll $src $dst +} + +subDir=/ +for i in $scripts; do + if test "$(echo $i | cut -c1-2)" = "=>"; then + subDir=$(echo $i | cut -c3-) + else + dst=$out/$subDir/$(stripHash $i | sed 's/\.in//') + doSub $i $dst + chmod +x $dst # !!! + fi +done + +subDir=/ +for i in $substFiles; do + if test "$(echo $i | cut -c1-2)" = "=>"; then + subDir=$(echo $i | cut -c3-) + else + dst=$out/$subDir/$(stripHash $i | sed 's/\.in//') + doSub $i $dst + fi +done + +mkdir -p $out/bin diff --git a/nixos/modules/services/networking/ircd-hybrid/control.in b/nixos/modules/services/networking/ircd-hybrid/control.in new file mode 100644 index 00000000000..312dfaada32 --- /dev/null +++ b/nixos/modules/services/networking/ircd-hybrid/control.in @@ -0,0 +1,26 @@ +#! @shell@ -e + +# Make sure that the environment is deterministic. +export PATH=@coreutils@/bin + +if test "$1" = "start"; then + if ! @procps@/bin/pgrep ircd; then + if @ipv6Enabled@; then + while ! @iproute@/sbin/ip addr | + @gnugrep@/bin/grep inet6 | + @gnugrep@/bin/grep global; do + sleep 1; + done; + fi; + rm -rf /home/ircd + mkdir -p /home/ircd + chown ircd: /home/ircd + cd /home/ircd + env - HOME=/homeless-shelter $extraEnv \ + @su@/bin/su ircd --shell=/bin/sh -c ' @ircdHybrid@/bin/ircd -configfile @out@/conf/ircd.conf </dev/null -logfile /home/ircd/ircd.log' 2>&1 >/var/log/ircd-hybrid.out + fi; +fi + +if test "$1" = "stop" ; then + @procps@/bin/pkill ircd; +fi; diff --git a/nixos/modules/services/networking/ircd-hybrid/default.nix b/nixos/modules/services/networking/ircd-hybrid/default.nix new file mode 100644 index 00000000000..f659f3f3e8c --- /dev/null +++ b/nixos/modules/services/networking/ircd-hybrid/default.nix @@ -0,0 +1,133 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.ircdHybrid; + + ircdService = pkgs.stdenv.mkDerivation rec { + name = "ircd-hybrid-service"; + scripts = [ "=>/bin" ./control.in ]; + substFiles = [ "=>/conf" ./ircd.conf ]; + inherit (pkgs) ircdHybrid coreutils su iproute2 gnugrep procps; + + ipv6Enabled = boolToString config.networking.enableIPv6; + + inherit (cfg) serverName sid description adminEmail + extraPort; + + cryptoSettings = + (optionalString (cfg.rsaKey != null) "rsa_private_key_file = \"${cfg.rsaKey}\";\n") + + (optionalString (cfg.certificate != null) "ssl_certificate_file = \"${cfg.certificate}\";\n"); + + extraListen = map (ip: "host = \""+ip+"\";\nport = 6665 .. 6669, "+extraPort+"; ") cfg.extraIPs; + + builder = ./builder.sh; + }; + +in + +{ + + ###### interface + + options = { + + services.ircdHybrid = { + + enable = mkEnableOption "IRCD"; + + serverName = mkOption { + default = "hades.arpa"; + type = types.str; + description = " + IRCD server name. + "; + }; + + sid = mkOption { + default = "0NL"; + type = types.str; + description = " + IRCD server unique ID in a net of servers. + "; + }; + + description = mkOption { + default = "Hybrid-7 IRC server."; + type = types.str; + description = " + IRCD server description. + "; + }; + + rsaKey = mkOption { + default = null; + example = literalExpression "/root/certificates/irc.key"; + type = types.nullOr types.path; + description = " + IRCD server RSA key. + "; + }; + + certificate = mkOption { + default = null; + example = literalExpression "/root/certificates/irc.pem"; + type = types.nullOr types.path; + description = " + IRCD server SSL certificate. There are some limitations - read manual. + "; + }; + + adminEmail = mkOption { + default = "<bit-bucket@example.com>"; + type = types.str; + example = "<name@domain.tld>"; + description = " + IRCD server administrator e-mail. + "; + }; + + extraIPs = mkOption { + default = []; + example = ["127.0.0.1"]; + type = types.listOf types.str; + description = " + Extra IP's to bind. + "; + }; + + extraPort = mkOption { + default = "7117"; + type = types.str; + description = " + Extra port to avoid filtering. + "; + }; + + }; + + }; + + + ###### implementation + + config = mkIf config.services.ircdHybrid.enable { + + users.users.ircd = + { description = "IRCD owner"; + group = "ircd"; + uid = config.ids.uids.ircd; + }; + + users.groups.ircd.gid = config.ids.gids.ircd; + + systemd.services.ircd-hybrid = { + description = "IRCD Hybrid server"; + after = [ "started networking" ]; + wantedBy = [ "multi-user.target" ]; + script = "${ircdService}/bin/control start"; + }; + }; +} diff --git a/nixos/modules/services/networking/ircd-hybrid/ircd.conf b/nixos/modules/services/networking/ircd-hybrid/ircd.conf new file mode 100644 index 00000000000..17ef203840a --- /dev/null +++ b/nixos/modules/services/networking/ircd-hybrid/ircd.conf @@ -0,0 +1,1051 @@ +/* doc/example.conf - ircd-hybrid-7 Example configuration file + * Copyright (C) 2000-2006 Hybrid Development Team + * + * Written by ejb, wcampbel, db, leeh and others + * Other example configurations can be found in the source dir under + * etc/. + * + * $Id: example.conf 639 2006-06-01 14:12:21Z michael $ + */ + +/* IMPORTANT NOTES: + * + * auth {} blocks MUST be specified in order of precedence. The first one + * that matches a user will be used. So place spoofs first, then specials, + * then general access. + * + * Shell style (#), C++ style (//) and C style comments are supported. + * + * Files may be included by either: + * .include "filename" + * .include <filename> + * + * Times/durations are written as: + * 12 hours 30 minutes 1 second + * + * Valid units of time: + * month, week, day, hour, minute, second + * + * Valid units of size: + * megabyte/mbyte/mb, kilobyte/kbyte/kb, byte + * + * Sizes and times may be singular or plural. + */ + +/* EFNET NOTE: + * + * This config file is NOT suitable for EFNet. EFNet admins should use + * example.efnet.conf + */ + +/* + * serverinfo {}: contains information about the server. (OLD M:) + */ +serverinfo { + /* + * name: the name of our server. This cannot be changed at runtime. + */ + name = "@serverName@"; + + /* + * sid: a server's unique ID. This is three characters long and must + * be in the form [0-9][A-Z0-9][A-Z0-9]. The first character must be + * a digit, followed by 2 alpha-numerical letters. + * NOTE: The letters must be capitalized. This cannot be changed at runtime. + */ + sid = "@sid@"; + + /* + * description: the description of the server. '[' and ']' may not + * be used here for compatibility with older servers. + */ + description = "@description@"; + + /* + * network info: the name and description of the network this server + * is on. Shown in the 005 reply and used with serverhiding. + */ + network_name = "JustIRCNetwork"; + network_desc = "This is My Network"; + + /* + * hub: allow this server to act as a hub and have multiple servers + * connected to it. This may not be changed if there are active + * LazyLink servers. + */ + hub = no; + + /* + * vhost: the IP to bind to when we connect outward to ipv4 servers. + * This should be an ipv4 IP only, or "* for INADDR_ANY. + */ + #vhost = "192.169.0.1"; + + /* + * vhost6: the IP to bind to when we connect outward to ipv6 servers. + * This should be an ipv6 IP only, or "* for INADDR_ANY. + */ + #vhost6 = "3ffe:80e8:546::2"; + + /* max_clients: the maximum number of clients allowed to connect */ + max_clients = 512; + + /* + * rsa key: the path to the file containing our rsa key for cryptlink. + * + * Example command to store a 2048 bit RSA keypair in + * rsa.key, and the public key in rsa.pub: + * + * openssl genrsa -out rsa.key 2048 + * openssl rsa -in rsa.key -pubout -out rsa.pub + * chown <ircd-user>.<ircd.group> rsa.key rsa.pub + * chmod 0600 rsa.key + * chmod 0644 rsa.pub + */ + #rsa_private_key_file = "/usr/local/ircd/etc/rsa.key"; + + /* + * ssl certificate: the path to the file containing our ssl certificate + * for encrypted client connection. + * + * This assumes your private RSA key is stored in rsa.key. You + * MUST have an RSA key in order to generate the certificate + * + * openssl req -new -days 365 -x509 -key rsa.key -out cert.pem + * + * See http://www.openssl.org/docs/HOWTO/certificates.txt + * + * Please use the following values when generating the cert + * + * Organization Name: Network Name + * Organization Unit Name: changme.someirc.net + * Common Name: irc.someirc.net + * E-mail: you@domain.com + */ + #ssl_certificate_file = "/usr/local/ircd/etc/cert.pem"; + + @cryptoSettings@ +}; + +/* + * admin {}: contains admin information about the server. (OLD A:) + */ +admin { + name = "Anonymous Hero"; + description = "Main Server Administrator"; + email = "@adminEmail@"; +}; + +/* + * log {}: contains information about logfiles. + */ +log { + /* Do you want to enable logging to ircd.log? */ + use_logging = yes; + + /* + * logfiles: the logfiles to use for user connects, /oper uses, + * and failed /oper. These files must exist for logging to be used. + */ + fname_userlog = "/home/ircd/logs/userlog"; + fname_operlog = "/home/ircd/logs/operlog"; + fname_killlog = "/home/ircd/logs/kill"; + fname_klinelog = "/home/ircd/logs/kline"; + fname_glinelog = "/home/ircd/logs/gline"; + + /* + * log_level: the amount of detail to log in ircd.log. The + * higher, the more information is logged. May be changed + * once the server is running via /quote SET LOG. Either: + * L_CRIT, L_ERROR, L_WARN, L_NOTICE, L_TRACE, L_INFO or L_DEBUG + */ + log_level = L_INFO; +}; + +/* + * class {}: contains information about classes for users (OLD Y:) + */ +class { + /* name: the name of the class. classes are text now */ + name = "users"; + + /* + * ping_time: how often a client must reply to a PING from the + * server before they are dropped. + */ + ping_time = 90 seconds; + + /* + * number_per_ip: how many local users are allowed to connect + * from one IP (optional) + */ + number_per_ip = 10; + + /* + * max_local: how many local users are allowed to connect + * from one ident@host (optional) + */ + max_local = 50; + + /* + * max_global: network-wide limit of users per ident@host (optional) + */ + max_global = 50; + + /* + * max_number: the maximum number of users allowed in this class (optional) + */ + max_number = 10000; + + /* + * the following lines are optional and allow you to define + * how many users can connect from one /NN subnet + */ + /*cidr_bitlen_ipv4 = 24; + *cidr_bitlen_ipv6 = 120; + *number_per_cidr = 16;*/ + + /* + * sendq: the amount of data allowed in a clients queue before + * they are dropped. + */ + sendq = 100 kbytes; +}; + +class { + name = "opers"; + ping_time = 90 seconds; + number_per_ip = 10; + max_number = 100; + sendq = 100kbytes; +}; + +class { + name = "server"; + ping_time = 90 seconds; + + /* + * ping_warning: how fast a server must reply to a PING before + * a warning to opers is generated. + */ + ping_warning = 15 seconds; + + /* + * connectfreq: only used in server classes. Specifies the delay + * between autoconnecting to servers. + */ + connectfreq = 5 minutes; + + /* max number: the amount of servers to autoconnect to */ + max_number = 1; + + /* sendq: servers need a higher sendq as they send more data */ + sendq = 2 megabytes; +}; + +/* + * listen {}: contains information about the ports ircd listens on (OLD P:) + */ +listen { + /* + * port: the specific port to listen on. If no host is specified + * before, it will listen on all available IPs. + * + * Ports are separated via a comma, a range may be specified using ".." + */ + + /* port: listen on all available IPs, ports 6665 to 6669 */ + port = 6665 .. 6669; + + /* + * Listen on 192.168.0.1/6697 with ssl enabled and hidden from STATS P + * unless you are an administrator. + * + * NOTE: The "flags" directive has to come before "port". Always! + */ + #flags = hidden, ssl; + #host = "192.168.0.1"; + #port = 6697; + + /* + * host: set a specific IP/host the ports after the line will listen + * on. This may be ipv4 or ipv6. + */ + #host = "1.2.3.4"; + #port = 7000, 7001; + + #host = "3ffe:1234:a:b:c::d"; + #port = 7002; + + @extraListen@ +}; + +auth { + user = "*@*"; + class = "users"; + #flags = need_ident; +}; + +/* + * operator {}: defines ircd operators. (OLD O:) + * + * ircd-hybrid no longer supports local operators, privileges are + * controlled via flags. + */ +operator { + /* name: the name of the oper */ + /* NOTE: operator "opername"{} is also supported */ + name = "god"; + + /* + * user: the user@host required for this operator. CIDR is not + * supported. Multiple user="" lines are supported. + */ + user = "*god@*"; + user = "*@127.0.0.1"; + + /* + * password: the password required to oper. By default this will + * need to be encrypted using 'mkpasswd'. MD5 is supported. + */ + password = "iamoperator"; + + /* + * encrypted: controls whether the oper password above has been + * encrypted. (OLD CRYPT_OPER_PASSWORD now optional per operator) + */ + encrypted = no; + + /* + * rsa_public_key_file: the public key for this oper when using Challenge. + * A password should not be defined when this is used, see + * doc/challenge.txt for more information. + */ +# rsa_public_key_file = "/usr/local/ircd/etc/oper.pub"; + + /* class: the class the oper joins when they successfully /oper */ + class = "opers"; + + /* + * umodes: default usermodes opers get when they /oper. If defined, + * it will override oper_umodes settings in general {}. + * Available usermodes: + * + * +b - bots - See bot and drone flooding notices + * +c - cconn - Client connection/quit notices + * +D - deaf - Don't receive channel messages + * +d - debug - See debugging notices + * +f - full - See I: line full notices + * +G - softcallerid - Server Side Ignore for users not on your channels + * +g - callerid - Server Side Ignore (for privmsgs etc) + * +i - invisible - Not shown in NAMES or WHO unless you share a + * a channel + * +k - skill - See server generated KILL messages + * +l - locops - See LOCOPS messages + * +n - nchange - See client nick changes + * +r - rej - See rejected client notices + * +s - servnotice - See general server notices + * +u - unauth - See unauthorized client notices + * +w - wallop - See server generated WALLOPS + * +x - external - See remote server connection and split notices + * +y - spy - See LINKS, STATS, TRACE notices etc. + * +z - operwall - See oper generated WALLOPS + */ +# umodes = locops, servnotice, operwall, wallop; + + /* + * privileges: controls the activities and commands an oper is + * allowed to do on the server. All options default to no. + * Available options: + * + * global_kill: allows remote users to be /KILL'd (OLD 'O' flag) + * remote: allows remote SQUIT and CONNECT (OLD 'R' flag) + * remoteban: allows remote KLINE/UNKLINE + * kline: allows KILL, KLINE and DLINE (OLD 'K' flag) + * unkline: allows UNKLINE and UNDLINE (OLD 'U' flag) + * gline: allows GLINE (OLD 'G' flag) + * xline: allows XLINE (OLD 'X' flag) + * operwall: allows OPERWALL + * nick_changes: allows oper to see nickchanges (OLD 'N' flag) + * via usermode +n + * rehash: allows oper to REHASH config (OLD 'H' flag) + * die: allows DIE and RESTART (OLD 'D' flag) + * admin: gives admin privileges. admins + * may (un)load modules and see the + * real IPs of servers. + * hidden_admin: same as 'admin', but noone can recognize you as + * being an admin + * hidden_oper: not shown in /stats p (except for other operators) + */ + /* You can either use + * die = yes; + * rehash = yes; + * + * or in a flags statement i.e. + * flags = die, rehash; + * + * You can also negate a flag with ~ i.e. + * flags = ~remote; + * + */ + flags = global_kill, remote, kline, unkline, xline, + die, rehash, nick_changes, admin, operwall; +}; + +/* + * shared {}: users that are allowed to remote kline (OLD U:) + * + * NOTE: This can be effectively used for remote klines. + * Please note that there is no password authentication + * for users setting remote klines. You must also be + * /oper'd in order to issue a remote kline. + */ +shared { + /* + * name: the server the user must be on to set klines. If this is not + * specified, the user will be allowed to kline from all servers. + */ + name = "irc2.some.server"; + + /* + * user: the user@host mask that is allowed to set klines. If this is + * not specified, all users on the server above will be allowed to set + * a remote kline. + */ + user = "oper@my.host.is.spoofed"; + + /* + * type: list of what to share, options are as follows: + * kline - allow oper/server to kline + * tkline - allow temporary klines + * unkline - allow oper/server to unkline + * xline - allow oper/server to xline + * txline - allow temporary xlines + * unxline - allow oper/server to unxline + * resv - allow oper/server to resv + * tresv - allow temporary resvs + * unresv - allow oper/server to unresv + * locops - allow oper/server to locops - only used for servers that cluster + * all - allow oper/server to do all of the above (default) + */ + type = kline, unkline, resv; +}; + +/* + * kill {}: users that are not allowed to connect (OLD K:) + * Oper issued klines will be added to the specified kline config + */ +kill { + user = "bad@*.hacked.edu"; + reason = "Obviously hacked account"; +}; + +kill { + user = "^O[[:alpha:]]?[[:digit:]]+(x\.o|\.xo)$@^[[:alnum:]]{4}\.evilnet.org$"; + type = regex; +}; + +/* + * deny {}: IPs that are not allowed to connect (before DNS/ident lookup) + * Oper issued dlines will be added to the specified dline config + */ +deny { + ip = "10.0.1.0/24"; + reason = "Reconnecting vhosted bots"; +}; + +/* + * exempt {}: IPs that are exempt from deny {} and Dlines. (OLD d:) + */ +exempt { + ip = "192.168.0.0/16"; +}; + +/* + * resv {}: nicks and channels users may not use/join (OLD Q:) + */ +resv { + /* reason: the reason for the proceeding resv's */ + reason = "There are no services on this network"; + + /* resv: the nicks and channels users may not join/use */ + nick = "nickserv"; + nick = "chanserv"; + channel = "#services"; + + /* resv: wildcard masks are also supported in nicks only */ + reason = "Clone bots"; + nick = "clone*"; +}; + +/* + * gecos {}: The X: replacement, used for banning users based on + * their "realname". + */ +gecos { + name = "*sex*"; + reason = "Possible spambot"; +}; + +gecos { + name = "sub7server"; + reason = "Trojan drone"; +}; + +gecos { + name = "*http*"; + reason = "Spambot"; +}; + +gecos { + name = "^\[J[0o]hn Do[3e]\]-[0-9]{2,5}$"; + type = regex; +}; + +/* + * channel {}: The channel block contains options pertaining to channels + */ +channel { + /* + * disable_fake_channels: this option, if set to 'yes', will + * disallow clients to create or join channels that have one + * of the following ASCII characters in their name: + * + * 2 | bold + * 3 | mirc color + * 15 | plain text + * 22 | reverse + * 31 | underline + * 160 | non-breaking space + */ + disable_fake_channels = yes; + + /* + * restrict_channels: reverse channel RESVs logic, only reserved + * channels are allowed + */ + restrict_channels = no; + + /* + * disable_local_channels: prevent users from joining &channels. + */ + disable_local_channels = no; + + /* + * use_invex: Enable/disable channel mode +I, a n!u@h list of masks + * that can join a +i channel without an invite. + */ + use_invex = yes; + + /* + * use_except: Enable/disable channel mode +e, a n!u@h list of masks + * that can join a channel through a ban (+b). + */ + use_except = yes; + + /* + * use_knock: Allows users to request an invite to a channel that + * is locked somehow (+ikl). If the channel is +p or you are banned + * the knock will not be sent. + */ + use_knock = yes; + + /* + * knock_delay: The amount of time a user must wait between issuing + * the knock command. + */ + knock_delay = 1 minutes; + + /* + * knock_delay_channel: How often a knock to any specific channel + * is permitted, regardless of the user sending the knock. + */ + knock_delay_channel = 1 minute; + + /* + * burst_topicwho: enable sending of who set topic on topicburst + * default is yes + */ + burst_topicwho = yes; + + /* + * max_chans_per_user: The maximum number of channels a user can + * join/be on. + */ + max_chans_per_user = 25; + + /* quiet_on_ban: stop banned people talking in channels. */ + quiet_on_ban = yes; + + /* max_bans: maximum number of +b/e/I modes in a channel */ + max_bans = 1000; + + /* + * how many joins in how many seconds constitute a flood, use 0 to + * disable. +b opers will be notified (changeable via /set) + */ + join_flood_count = 100; + join_flood_time = 10 seconds; + + /* + * splitcode: The ircd will now check splitmode every few seconds. + * + * Either split users or split servers can activate splitmode, but + * both conditions must be met for the ircd to deactivate splitmode. + * + * You may force splitmode to be permanent by /quote set splitmode on + */ + + /* + * default_split_user_count: when the usercount is lower than this level, + * consider ourselves split. This must be set for automatic splitmode. + */ + default_split_user_count = 0; + + /* + * default_split_server_count: when the servercount is lower than this, + * consider ourselves split. This must be set for automatic splitmode. + */ + default_split_server_count = 0; + + /* split no create: disallow users creating channels on split. */ + no_create_on_split = yes; + + /* split: no join: disallow users joining channels at all on a split */ + no_join_on_split = no; +}; + +/* + * serverhide {}: The serverhide block contains the options regarding + * serverhiding + */ +serverhide { + /* + * flatten_links: this option will show all servers in /links appear + * that they are linked to this current server + */ + flatten_links = no; + + /* + * links_delay: how often to update the links file when it is + * flattened. + */ + links_delay = 5 minutes; + + /* + * hidden: hide this server from a /links output on servers that + * support it. This allows hub servers to be hidden etc. + */ + hidden = no; + + /* + * disable_hidden: prevent servers hiding themselves from a + * /links output. + */ + disable_hidden = no; + + /* + * hide_servers: hide remote servernames everywhere and instead use + * hidden_name and network_desc. + */ + hide_servers = no; + + /* + * Use this as the servername users see if hide_servers = yes. + */ + hidden_name = "*.hidden.com"; + + /* + * hide_server_ips: If this is disabled, opers will be unable to see servers + * ips and will be shown a masked ip, admins will be shown the real ip. + * + * If this is enabled, nobody can see a servers ip. *This is a kludge*, it + * has the side effect of hiding the ips everywhere, including logfiles. + * + * We recommend you leave this disabled, and just take care with who you + * give admin=yes; to. + */ + hide_server_ips = no; +}; + +/* + * general {}: The general block contains many of the options that were once + * compiled in options in config.h. The general block is read at start time. + */ +general { + /* + * gline_min_cidr: the minimum required length of a CIDR bitmask + * for IPv4 based glines + */ + gline_min_cidr = 16; + + /* + * gline_min_cidr6: the minimum required length of a CIDR bitmask + * for IPv6 based glines + */ + gline_min_cidr6 = 48; + + /* + * Whether to automatically set mode +i on connecting users. + */ + invisible_on_connect = yes; + + /* + * If you don't explicitly specify burst_away in your connect blocks, then + * they will default to the burst_away value below. + */ + burst_away = no; + + /* + * Show "actually using host <ip>" on /whois when possible. + */ + use_whois_actually = yes; + + /* + * Max time from the nickname change that still causes KILL + * automatically to switch for the current nick of that user. (seconds) + */ + kill_chase_time_limit = 90; + + /* + * If hide_spoof_ips is disabled, opers will be allowed to see the real IP of spoofed + * users in /trace etc. If this is defined they will be shown a masked IP. + */ + hide_spoof_ips = yes; + + /* + * Ignore bogus timestamps from other servers. Yes, this will desync + * the network, but it will allow chanops to resync with a valid non TS 0 + * + * This should be enabled network wide, or not at all. + */ + ignore_bogus_ts = no; + + /* + * disable_auth: completely disable ident lookups; if you enable this, + * be careful of what you set need_ident to in your auth {} blocks + */ + disable_auth = no; + + /* disable_remote_commands: disable users doing commands on remote servers */ + disable_remote_commands = no; + + /* + * tkline_expire_notices: enables or disables temporary kline/xline + * expire notices. + */ + tkline_expire_notices = no; + + /* + * default_floodcount: the default value of floodcount that is configurable + * via /quote set floodcount. This is the amount of lines a user + * may send to any other user/channel in one second. + */ + default_floodcount = 10; + + /* + * failed_oper_notice: send a notice to all opers on the server when + * someone tries to OPER and uses the wrong password, host or ident. + */ + failed_oper_notice = yes; + + /* + * dots_in_ident: the amount of '.' characters permitted in an ident + * reply before the user is rejected. + */ + dots_in_ident = 2; + + /* + * dot_in_ip6_addr: ircd-hybrid-6.0 and earlier will disallow hosts + * without a '.' in them. This will add one to the end. Only needed + * for older servers. + */ + dot_in_ip6_addr = no; + + /* + * min_nonwildcard: the minimum non wildcard characters in k/d/g lines + * placed via the server. klines hand placed are exempt from limits. + * wildcard chars: '.' ':' '*' '?' '@' '!' '#' + */ + min_nonwildcard = 4; + + /* + * min_nonwildcard_simple: the minimum non wildcard characters in + * gecos bans. wildcard chars: '*' '?' '#' + */ + min_nonwildcard_simple = 3; + + /* max_accept: maximum allowed /accept's for +g usermode */ + max_accept = 20; + + /* anti_nick_flood: enable the nickflood control code */ + anti_nick_flood = yes; + + /* nick flood: the nick changes allowed in the specified period */ + max_nick_time = 20 seconds; + max_nick_changes = 5; + + /* + * anti_spam_exit_message_time: the minimum time a user must be connected + * before custom quit messages are allowed. + */ + anti_spam_exit_message_time = 5 minutes; + + /* + * ts delta: the time delta allowed between server clocks before + * a warning is given, or before the link is dropped. all servers + * should run ntpdate/rdate to keep clocks in sync + */ + ts_warn_delta = 30 seconds; + ts_max_delta = 5 minutes; + + /* + * kline_with_reason: show the user the reason why they are k/d/glined + * on exit. May give away who set k/dline when set via tcm. + */ + kline_with_reason = yes; + + /* + * kline_reason: show this message to users on channel + * instead of the oper reason. + */ + kline_reason = "Connection closed"; + + /* + * reject_hold_time: wait this amount of time before disconnecting + * a rejected client. Use 0 to disable. + */ + reject_hold_time = 0; + + /* + * warn_no_nline: warn opers about servers that try to connect but + * we don't have a connect {} block for. Twits with misconfigured + * servers can get really annoying with this enabled. + */ + warn_no_nline = yes; + + /* + * stats_e_disabled: set this to 'yes' to disable "STATS e" for both + * operators and administrators. Doing so is a good idea in case + * there are any exempted (exempt{}) server IPs you don't want to + * see leaked. + */ + stats_e_disabled = no; + + /* stats_o_oper only: make stats o (opers) oper only */ + stats_o_oper_only = yes; + + /* stats_P_oper_only: make stats P (ports) oper only */ + stats_P_oper_only = yes; + + /* + * stats i oper only: make stats i (auth {}) oper only. set to: + * yes: show users no auth blocks, made oper only. + * masked: show users first matching auth block + * no: show users all auth blocks. + */ + stats_i_oper_only = yes; + + /* + * stats_k_oper_only: make stats k/K (klines) oper only. set to: + * yes: show users no auth blocks, made oper only + * masked: show users first matching auth block + * no: show users all auth blocks. + */ + stats_k_oper_only = yes; + + /* + * caller_id_wait: time between notifying a +g user that somebody + * is messaging them. + */ + caller_id_wait = 1 minute; + + /* + * opers_bypass_callerid: allows operators to bypass +g and message + * anyone who has it set (useful if you use services). + */ + opers_bypass_callerid = no; + + /* + * pace_wait_simple: time between use of less intensive commands + * (ADMIN, HELP, (L)USERS, VERSION, remote WHOIS) + */ + pace_wait_simple = 1 second; + + /* + * pace_wait: time between more intensive commands + * (INFO, LINKS, LIST, MAP, MOTD, STATS, WHO, wildcard WHOIS, WHOWAS) + */ + pace_wait = 10 seconds; + + /* + * short_motd: send clients a notice telling them to read the motd + * instead of forcing a motd to clients who may simply ignore it. + */ + short_motd = no; + + /* + * ping_cookie: require clients to respond exactly to a ping command, + * can help block certain types of drones and FTP PASV mode spoofing. + */ + ping_cookie = no; + + /* no_oper_flood: increase flood limits for opers. */ + no_oper_flood = yes; + + /* + * true_no_oper_flood: completely eliminate flood limits for opers + * and for clients with can_flood = yes in their auth {} blocks + */ + true_no_oper_flood = yes; + + /* oper_pass_resv: allow opers to over-ride RESVs on nicks/channels */ + oper_pass_resv = yes; + + /* + * idletime: the maximum amount of time a user may idle before + * they are disconnected + */ + idletime = 0; + + /* REMOVE ME. The following line checks you've been reading. */ + #havent_read_conf = 1; + + /* + * max_targets: the maximum amount of targets in a single + * PRIVMSG/NOTICE. Set to 999 NOT 0 for unlimited. + */ + max_targets = 4; + + /* + * client_flood: maximum amount of data in a clients queue before + * they are dropped for flooding. + */ + client_flood = 2560 bytes; + + /* + * message_locale: the default message locale + * Use "standard" for the compiled in defaults. + * To install the translated messages, go into messages/ in the + * source directory and run `make install'. + */ + message_locale = "standard"; + + /* + * usermodes configurable: a list of usermodes for the options below + * + * +b - bots - See bot and drone flooding notices + * +c - cconn - Client connection/quit notices + * +D - deaf - Don't receive channel messages + * +d - debug - See debugging notices + * +f - full - See I: line full notices + * +G - softcallerid - Server Side Ignore for users not on your channels + * +g - callerid - Server Side Ignore (for privmsgs etc) + * +i - invisible - Not shown in NAMES or WHO unless you share a + * a channel + * +k - skill - See server generated KILL messages + * +l - locops - See LOCOPS messages + * +n - nchange - See client nick changes + * +r - rej - See rejected client notices + * +s - servnotice - See general server notices + * +u - unauth - See unauthorized client notices + * +w - wallop - See server generated WALLOPS + * +x - external - See remote server connection and split notices + * +y - spy - See LINKS, STATS, TRACE notices etc. + * +z - operwall - See oper generated WALLOPS + */ + + /* oper_only_umodes: usermodes only opers may set */ + oper_only_umodes = bots, cconn, debug, full, skill, nchange, + rej, spy, external, operwall, locops, unauth; + + /* oper_umodes: default usermodes opers get when they /oper */ + oper_umodes = bots, locops, servnotice, operwall, wallop; + + /* + * servlink_path: path to 'servlink' program used by ircd to handle + * encrypted/compressed server <-> server links. + * + * only define if servlink is not in same directory as ircd itself. + */ + #servlink_path = "/usr/local/ircd/bin/servlink"; + + /* + * default_cipher_preference: default cipher to use for cryptlink when none is + * specified in connect block. + */ + #default_cipher_preference = "BF/168"; + + /* + * use_egd: if your system does not have *random devices yet you + * want to use OpenSSL and encrypted links, enable this. Beware - + * EGD is *very* CPU intensive when gathering data for its pool + */ +# use_egd = yes; + + /* + * egdpool_path: path to EGD pool. Not necessary for OpenSSL >= 0.9.7 + * which automatically finds the path. + */ +# egdpool_path = "/run/egd-pool"; + + + /* + * compression_level: level of compression for compressed links between + * servers. + * + * values are between: 1 (least compression, fastest) + * and: 9 (most compression, slowest). + */ +# compression_level = 6; + + /* + * throttle_time: the minimum amount of time between connections from + * the same ip. exempt {} blocks are excluded from this throttling. + * Offers protection against flooders who reconnect quickly. + * Set to 0 to disable. + */ + throttle_time = 10; +}; + +glines { + /* enable: enable glines, network wide temp klines */ + enable = yes; + + /* + * duration: the amount of time a gline will remain on your + * server before expiring + */ + duration = 1 day; + + /* + * logging: which types of rules you want to log when triggered + * (choose reject or block) + */ + logging = reject, block; + + /* + * NOTE: gline ACLs can cause a desync of glines throughout the + * network, meaning some servers may have a gline triggered, and + * others may not. Also, you only need insert rules for glines + * that you want to block and/or reject. If you want to accept and + * propagate the gline, do NOT put a rule for it. + */ + + /* user@host for rule to apply to */ + user = "god@I.still.hate.packets"; + /* server for rule to apply to */ + name = "hades.arpa"; + + /* + * action: action to take when a matching gline is found. options are: + * reject - do not apply the gline locally + * block - do not propagate the gline + */ + action = reject, block; + + user = "god@*"; + name = "*"; + action = block; +}; + diff --git a/nixos/modules/services/networking/iscsi/initiator.nix b/nixos/modules/services/networking/iscsi/initiator.nix new file mode 100644 index 00000000000..051c9c7bff3 --- /dev/null +++ b/nixos/modules/services/networking/iscsi/initiator.nix @@ -0,0 +1,84 @@ +{ config, lib, pkgs, ... }: with lib; +let + cfg = config.services.openiscsi; +in +{ + options.services.openiscsi = with types; { + enable = mkEnableOption "the openiscsi iscsi daemon"; + enableAutoLoginOut = mkEnableOption '' + automatic login and logout of all automatic targets. + You probably do not want this. + ''; + discoverPortal = mkOption { + type = nullOr str; + default = null; + description = "Portal to discover targets on"; + }; + name = mkOption { + type = str; + description = "Name of this iscsi initiator"; + example = "iqn.2020-08.org.linux-iscsi.initiatorhost:example"; + }; + package = mkOption { + type = package; + description = "openiscsi package to use"; + default = pkgs.openiscsi; + defaultText = literalExpression "pkgs.openiscsi"; + }; + + extraConfig = mkOption { + type = str; + default = ""; + description = "Lines to append to default iscsid.conf"; + }; + + extraConfigFile = mkOption { + description = '' + Append an additional file's contents to /etc/iscsid.conf. Use a non-store path + and store passwords in this file. + ''; + default = null; + type = nullOr str; + }; + }; + + config = mkIf cfg.enable { + environment.etc."iscsi/iscsid.conf.fragment".source = pkgs.runCommand "iscsid.conf" {} '' + cat "${cfg.package}/etc/iscsi/iscsid.conf" > $out + cat << 'EOF' >> $out + ${cfg.extraConfig} + ${optionalString cfg.enableAutoLoginOut "node.startup = automatic"} + EOF + ''; + environment.etc."iscsi/initiatorname.iscsi".text = "InitiatorName=${cfg.name}"; + + system.activationScripts.iscsid = let + extraCfgDumper = optionalString (cfg.extraConfigFile != null) '' + if [ -f "${cfg.extraConfigFile}" ]; then + printf "\n# The following is from ${cfg.extraConfigFile}:\n" + cat "${cfg.extraConfigFile}" + else + echo "Warning: services.openiscsi.extraConfigFile ${cfg.extraConfigFile} does not exist!" >&2 + fi + ''; + in '' + ( + cat ${config.environment.etc."iscsi/iscsid.conf.fragment".source} + ${extraCfgDumper} + ) > /etc/iscsi/iscsid.conf + ''; + + systemd.packages = [ cfg.package ]; + + systemd.services."iscsid".wantedBy = [ "multi-user.target" ]; + systemd.sockets."iscsid".wantedBy = [ "sockets.target" ]; + + systemd.services."iscsi" = mkIf cfg.enableAutoLoginOut { + wantedBy = [ "remote-fs.target" ]; + serviceConfig.ExecStartPre = mkIf (cfg.discoverPortal != null) "${cfg.package}/bin/iscsiadm --mode discoverydb --type sendtargets --portal ${escapeShellArg cfg.discoverPortal} --discover"; + }; + + environment.systemPackages = [ cfg.package ]; + boot.kernelModules = [ "iscsi_tcp" ]; + }; +} diff --git a/nixos/modules/services/networking/iscsi/root-initiator.nix b/nixos/modules/services/networking/iscsi/root-initiator.nix new file mode 100644 index 00000000000..c12aca1bc24 --- /dev/null +++ b/nixos/modules/services/networking/iscsi/root-initiator.nix @@ -0,0 +1,190 @@ +{ config, lib, pkgs, ... }: with lib; +let + cfg = config.boot.iscsi-initiator; +in +{ + # If you're booting entirely off another machine you may want to add + # this snippet to always boot the latest "system" version. It is not + # enabled by default in case you have an initrd on a local disk: + # + # boot.initrd.postMountCommands = '' + # ln -sfn /nix/var/nix/profiles/system/init /mnt-root/init + # stage2Init=/init + # ''; + # + # Note: Theoretically you might want to connect to multiple portals and + # log in to multiple targets, however the authors of this module so far + # don't have the need or expertise to reasonably implement it. Also, + # consider carefully before making your boot chain depend on multiple + # machines to be up. + options.boot.iscsi-initiator = with types; { + name = mkOption { + description = '' + Name of the iSCSI initiator to boot from. Note, booting from iscsi + requires networkd based networking. + ''; + default = null; + example = "iqn.2020-08.org.linux-iscsi.initiatorhost:example"; + type = nullOr str; + }; + + discoverPortal = mkOption { + description = '' + iSCSI portal to boot from. + ''; + default = null; + example = "192.168.1.1:3260"; + type = nullOr str; + }; + + target = mkOption { + description = '' + Name of the iSCSI target to boot from. + ''; + default = null; + example = "iqn.2020-08.org.linux-iscsi.targethost:example"; + type = nullOr str; + }; + + logLevel = mkOption { + description = '' + Higher numbers elicits more logs. + ''; + default = 1; + example = 8; + type = int; + }; + + loginAll = mkOption { + description = '' + Do not log into a specific target on the portal, but to all that we discover. + This overrides setting target. + ''; + type = bool; + default = false; + }; + + extraIscsiCommands = mkOption { + description = "Extra iscsi commands to run in the initrd."; + default = ""; + type = lines; + }; + + extraConfig = mkOption { + description = "Extra lines to append to /etc/iscsid.conf"; + default = null; + type = nullOr lines; + }; + + extraConfigFile = mkOption { + description = '' + Append an additional file's contents to `/etc/iscsid.conf`. Use a non-store path + and store passwords in this file. Note: the file specified here must be available + in the initrd, see: `boot.initrd.secrets`. + ''; + default = null; + type = nullOr str; + }; + }; + + config = mkIf (cfg.name != null) { + # The "scripted" networking configuration (ie: non-networkd) + # doesn't properly order the start and stop of the interfaces, and the + # network interfaces are torn down before unmounting disks. Since this + # module is specifically for very-early-boot network mounts, we need + # the network to stay on. + # + # We could probably fix the scripted options to properly order, but I'm + # not inclined to invest that time today. Hopefully this gets users far + # enough along and they can just use networkd. + networking.useNetworkd = true; + networking.useDHCP = false; # Required to set useNetworkd = true + + boot.initrd = { + network.enable = true; + + # By default, the stage-1 disables the network and resets the interfaces + # on startup. Since our startup disks are on the network, we can't let + # the network not work. + network.flushBeforeStage2 = false; + + kernelModules = [ "iscsi_tcp" ]; + + extraUtilsCommands = '' + copy_bin_and_libs ${pkgs.openiscsi}/bin/iscsid + copy_bin_and_libs ${pkgs.openiscsi}/bin/iscsiadm + ${optionalString (!config.boot.initrd.network.ssh.enable) "cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib"} + + mkdir -p $out/etc/iscsi + cp ${config.environment.etc.hosts.source} $out/etc/hosts + cp ${pkgs.openiscsi}/etc/iscsi/iscsid.conf $out/etc/iscsi/iscsid.fragment.conf + chmod +w $out/etc/iscsi/iscsid.fragment.conf + cat << 'EOF' >> $out/etc/iscsi/iscsid.fragment.conf + ${optionalString (cfg.extraConfig != null) cfg.extraConfig} + EOF + ''; + + extraUtilsCommandsTest = '' + $out/bin/iscsiadm --version + ''; + + preLVMCommands = let + extraCfgDumper = optionalString (cfg.extraConfigFile != null) '' + if [ -f "${cfg.extraConfigFile}" ]; then + printf "\n# The following is from ${cfg.extraConfigFile}:\n" + cat "${cfg.extraConfigFile}" + else + echo "Warning: boot.iscsi-initiator.extraConfigFile ${cfg.extraConfigFile} does not exist!" >&2 + fi + ''; + in '' + ${optionalString (!config.boot.initrd.network.ssh.enable) '' + # stolen from initrd-ssh.nix + echo 'root:x:0:0:root:/root:/bin/ash' > /etc/passwd + echo 'passwd: files' > /etc/nsswitch.conf + ''} + + cp -f $extraUtils/etc/hosts /etc/hosts + + mkdir -p /etc/iscsi /run/lock/iscsi + echo "InitiatorName=${cfg.name}" > /etc/iscsi/initiatorname.iscsi + + ( + cat "$extraUtils/etc/iscsi/iscsid.fragment.conf" + printf "\n" + ${optionalString cfg.loginAll ''echo "node.startup = automatic"''} + ${extraCfgDumper} + ) > /etc/iscsi/iscsid.conf + + iscsid --foreground --no-pid-file --debug ${toString cfg.logLevel} & + iscsiadm --mode discoverydb \ + --type sendtargets \ + --discover \ + --portal ${escapeShellArg cfg.discoverPortal} \ + --debug ${toString cfg.logLevel} + + ${if cfg.loginAll then '' + iscsiadm --mode node --loginall all + '' else '' + iscsiadm --mode node --targetname ${escapeShellArg cfg.target} --login + ''} + + ${cfg.extraIscsiCommands} + + pkill -9 iscsid + ''; + }; + + services.openiscsi = { + enable = true; + inherit (cfg) name; + }; + + assertions = [ + { + assertion = cfg.loginAll -> cfg.target == null; + message = "iSCSI target name is set while login on all portals is enabled."; + } + ]; + }; +} diff --git a/nixos/modules/services/networking/iscsi/target.nix b/nixos/modules/services/networking/iscsi/target.nix new file mode 100644 index 00000000000..8a10e7d346a --- /dev/null +++ b/nixos/modules/services/networking/iscsi/target.nix @@ -0,0 +1,53 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.target; +in +{ + ###### interface + options = { + services.target = with types; { + enable = mkEnableOption "the kernel's LIO iscsi target"; + + config = mkOption { + type = attrs; + default = {}; + description = '' + Content of /etc/target/saveconfig.json + This file is normally read and written by targetcli + ''; + }; + }; + }; + + ###### implementation + config = mkIf cfg.enable { + environment.etc."target/saveconfig.json" = { + text = builtins.toJSON cfg.config; + mode = "0600"; + }; + + environment.systemPackages = with pkgs; [ targetcli ]; + + boot.kernelModules = [ "configfs" "target_core_mod" "iscsi_target_mod" ]; + + systemd.services.iscsi-target = { + enable = true; + after = [ "network.target" "local-fs.target" ]; + requires = [ "sys-kernel-config.mount" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.python3.pkgs.rtslib}/bin/targetctl restore"; + ExecStop = "${pkgs.python3.pkgs.rtslib}/bin/targetctl clear"; + RemainAfterExit = "yes"; + }; + }; + + systemd.tmpfiles.rules = [ + "d /etc/target 0700 root root - -" + ]; + }; +} diff --git a/nixos/modules/services/networking/iwd.nix b/nixos/modules/services/networking/iwd.nix new file mode 100644 index 00000000000..8835f7f9372 --- /dev/null +++ b/nixos/modules/services/networking/iwd.nix @@ -0,0 +1,62 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.networking.wireless.iwd; + ini = pkgs.formats.ini { }; + configFile = ini.generate "main.conf" cfg.settings; +in { + options.networking.wireless.iwd = { + enable = mkEnableOption "iwd"; + + settings = mkOption { + type = ini.type; + default = { }; + + example = { + Settings.AutoConnect = true; + + Network = { + EnableIPv6 = true; + RoutePriorityOffset = 300; + }; + }; + + description = '' + Options passed to iwd. + See <link xlink:href="https://iwd.wiki.kernel.org/networkconfigurationsettings">here</link> for supported options. + ''; + }; + }; + + config = mkIf cfg.enable { + assertions = [{ + assertion = !config.networking.wireless.enable; + message = '' + Only one wireless daemon is allowed at the time: networking.wireless.enable and networking.wireless.iwd.enable are mutually exclusive. + ''; + }]; + + environment.etc."iwd/main.conf".source = configFile; + + # for iwctl + environment.systemPackages = [ pkgs.iwd ]; + + services.dbus.packages = [ pkgs.iwd ]; + + systemd.packages = [ pkgs.iwd ]; + + systemd.network.links."80-iwd" = { + matchConfig.Type = "wlan"; + linkConfig.NamePolicy = "keep kernel"; + }; + + systemd.services.iwd = { + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ configFile ]; + }; + }; + + meta.maintainers = with lib.maintainers; [ mic92 dtzWill ]; +} diff --git a/nixos/modules/services/networking/jibri/default.nix b/nixos/modules/services/networking/jibri/default.nix new file mode 100644 index 00000000000..113a7aa4384 --- /dev/null +++ b/nixos/modules/services/networking/jibri/default.nix @@ -0,0 +1,417 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.jibri; + + # Copied from the jitsi-videobridge.nix file. + toHOCON = x: + if isAttrs x && x ? __hocon_envvar then ("\${" + x.__hocon_envvar + "}") + else if isAttrs x then "{${ concatStringsSep "," (mapAttrsToList (k: v: ''"${k}":${toHOCON v}'') x) }}" + else if isList x then "[${ concatMapStringsSep "," toHOCON x }]" + else builtins.toJSON x; + + # We're passing passwords in environment variables that have names generated + # from an attribute name, which may not be a valid bash identifier. + toVarName = s: "XMPP_PASSWORD_" + stringAsChars (c: if builtins.match "[A-Za-z0-9]" c != null then c else "_") s; + + defaultJibriConfig = { + id = ""; + single-use-mode = false; + + api = { + http.external-api-port = 2222; + http.internal-api-port = 3333; + + xmpp.environments = flip mapAttrsToList cfg.xmppEnvironments (name: env: { + inherit name; + + xmpp-server-hosts = env.xmppServerHosts; + xmpp-domain = env.xmppDomain; + control-muc = { + domain = env.control.muc.domain; + room-name = env.control.muc.roomName; + nickname = env.control.muc.nickname; + }; + + control-login = { + domain = env.control.login.domain; + username = env.control.login.username; + password.__hocon_envvar = toVarName "${name}_control"; + }; + + call-login = { + domain = env.call.login.domain; + username = env.call.login.username; + password.__hocon_envvar = toVarName "${name}_call"; + }; + + strip-from-room-domain = env.stripFromRoomDomain; + usage-timeout = env.usageTimeout; + trust-all-xmpp-certs = env.disableCertificateVerification; + }); + }; + + recording = { + recordings-directory = "/tmp/recordings"; + finalize-script = "${cfg.finalizeScript}"; + }; + + streaming.rtmp-allow-list = [ ".*" ]; + + chrome.flags = [ + "--use-fake-ui-for-media-stream" + "--start-maximized" + "--kiosk" + "--enabled" + "--disable-infobars" + "--autoplay-policy=no-user-gesture-required" + ] + ++ lists.optional cfg.ignoreCert + "--ignore-certificate-errors"; + + + stats.enable-stats-d = true; + webhook.subscribers = [ ]; + + jwt-info = { }; + + call-status-checks = { + no-media-timout = "30 seconds"; + all-muted-timeout = "10 minutes"; + default-call-empty-timout = "30 seconds"; + }; + }; + # Allow overriding leaves of the default config despite types.attrs not doing any merging. + jibriConfig = recursiveUpdate defaultJibriConfig cfg.config; + configFile = pkgs.writeText "jibri.conf" (toHOCON { jibri = jibriConfig; }); +in +{ + options.services.jibri = with types; { + enable = mkEnableOption "Jitsi BRoadcasting Infrastructure. Currently Jibri must be run on a host that is also running <option>services.jitsi-meet.enable</option>, so for most use cases it will be simpler to run <option>services.jitsi-meet.jibri.enable</option>"; + config = mkOption { + type = attrs; + default = { }; + description = '' + Jibri configuration. + See <link xlink:href="https://github.com/jitsi/jibri/blob/master/src/main/resources/reference.conf" /> + for default configuration with comments. + ''; + }; + + finalizeScript = mkOption { + type = types.path; + default = pkgs.writeScript "finalize_recording.sh" '' + #!/bin/sh + + RECORDINGS_DIR=$1 + + echo "This is a dummy finalize script" > /tmp/finalize.out + echo "The script was invoked with recordings directory $RECORDINGS_DIR." >> /tmp/finalize.out + echo "You should put any finalize logic (renaming, uploading to a service" >> /tmp/finalize.out + echo "or storage provider, etc.) in this script" >> /tmp/finalize.out + + exit 0 + ''; + defaultText = literalExpression '' + pkgs.writeScript "finalize_recording.sh" '''''' + #!/bin/sh + + RECORDINGS_DIR=$1 + + echo "This is a dummy finalize script" > /tmp/finalize.out + echo "The script was invoked with recordings directory $RECORDINGS_DIR." >> /tmp/finalize.out + echo "You should put any finalize logic (renaming, uploading to a service" >> /tmp/finalize.out + echo "or storage provider, etc.) in this script" >> /tmp/finalize.out + + exit 0 + ''''''; + ''; + example = literalExpression '' + pkgs.writeScript "finalize_recording.sh" '''''' + #!/bin/sh + RECORDINGS_DIR=$1 + ''${pkgs.rclone}/bin/rclone copy $RECORDINGS_DIR RCLONE_REMOTE:jibri-recordings/ -v --log-file=/var/log/jitsi/jibri/recording-upload.txt + exit 0 + ''''''; + ''; + description = '' + This script runs when jibri finishes recording a video of a conference. + ''; + }; + + ignoreCert = mkOption { + type = bool; + default = false; + example = true; + description = '' + Whether to enable the flag "--ignore-certificate-errors" for the Chromium browser opened by Jibri. + Intended for use in automated tests or anywhere else where using a verified cert for Jitsi-Meet is not possible. + ''; + }; + + xmppEnvironments = mkOption { + description = '' + XMPP servers to connect to. + ''; + example = literalExpression '' + "jitsi-meet" = { + xmppServerHosts = [ "localhost" ]; + xmppDomain = config.services.jitsi-meet.hostName; + + control.muc = { + domain = "internal.''${config.services.jitsi-meet.hostName}"; + roomName = "JibriBrewery"; + nickname = "jibri"; + }; + + control.login = { + domain = "auth.''${config.services.jitsi-meet.hostName}"; + username = "jibri"; + passwordFile = "/var/lib/jitsi-meet/jibri-auth-secret"; + }; + + call.login = { + domain = "recorder.''${config.services.jitsi-meet.hostName}"; + username = "recorder"; + passwordFile = "/var/lib/jitsi-meet/jibri-recorder-secret"; + }; + + usageTimeout = "0"; + disableCertificateVerification = true; + stripFromRoomDomain = "conference."; + }; + ''; + default = { }; + type = attrsOf (submodule ({ name, ... }: { + options = { + xmppServerHosts = mkOption { + type = listOf str; + example = [ "xmpp.example.org" ]; + description = '' + Hostnames of the XMPP servers to connect to. + ''; + }; + xmppDomain = mkOption { + type = str; + example = "xmpp.example.org"; + description = '' + The base XMPP domain. + ''; + }; + control.muc.domain = mkOption { + type = str; + description = '' + The domain part of the MUC to connect to for control. + ''; + }; + control.muc.roomName = mkOption { + type = str; + default = "JibriBrewery"; + description = '' + The room name of the MUC to connect to for control. + ''; + }; + control.muc.nickname = mkOption { + type = str; + default = "jibri"; + description = '' + The nickname for this Jibri instance in the MUC. + ''; + }; + control.login.domain = mkOption { + type = str; + description = '' + The domain part of the JID for this Jibri instance. + ''; + }; + control.login.username = mkOption { + type = str; + default = "jvb"; + description = '' + User part of the JID. + ''; + }; + control.login.passwordFile = mkOption { + type = str; + example = "/run/keys/jibri-xmpp1"; + description = '' + File containing the password for the user. + ''; + }; + + call.login.domain = mkOption { + type = str; + example = "recorder.xmpp.example.org"; + description = '' + The domain part of the JID for the recorder. + ''; + }; + call.login.username = mkOption { + type = str; + default = "recorder"; + description = '' + User part of the JID for the recorder. + ''; + }; + call.login.passwordFile = mkOption { + type = str; + example = "/run/keys/jibri-recorder-xmpp1"; + description = '' + File containing the password for the user. + ''; + }; + disableCertificateVerification = mkOption { + type = bool; + default = false; + description = '' + Whether to skip validation of the server's certificate. + ''; + }; + + stripFromRoomDomain = mkOption { + type = str; + default = "0"; + example = "conference."; + description = '' + The prefix to strip from the room's JID domain to derive the call URL. + ''; + }; + usageTimeout = mkOption { + type = str; + default = "0"; + example = "1 hour"; + description = '' + The duration that the Jibri session can be. + A value of zero means indefinitely. + ''; + }; + }; + + config = + let + nick = mkDefault (builtins.replaceStrings [ "." ] [ "-" ] ( + config.networking.hostName + optionalString (config.networking.domain != null) ".${config.networking.domain}" + )); + in + { + call.login.username = nick; + control.muc.nickname = nick; + }; + })); + }; + }; + + config = mkIf cfg.enable { + users.groups.jibri = { }; + users.groups.plugdev = { }; + users.users.jibri = { + isSystemUser = true; + group = "jibri"; + home = "/var/lib/jibri"; + extraGroups = [ "jitsi-meet" "adm" "audio" "video" "plugdev" ]; + }; + + systemd.services.jibri-xorg = { + description = "Jitsi Xorg Process"; + + after = [ "network.target" ]; + wantedBy = [ "jibri.service" "jibri-icewm.service" ]; + + preStart = '' + cp --no-preserve=mode,ownership ${pkgs.jibri}/etc/jitsi/jibri/* /var/lib/jibri + mv /var/lib/jibri/{,.}asoundrc + ''; + + environment.DISPLAY = ":0"; + serviceConfig = { + Type = "simple"; + + User = "jibri"; + Group = "jibri"; + KillMode = "process"; + Restart = "on-failure"; + RestartPreventExitStatus = 255; + + StateDirectory = "jibri"; + + ExecStart = "${pkgs.xorg.xorgserver}/bin/Xorg -nocursor -noreset +extension RANDR +extension RENDER -config ${pkgs.jibri}/etc/jitsi/jibri/xorg-video-dummy.conf -logfile /dev/null :0"; + }; + }; + + systemd.services.jibri-icewm = { + description = "Jitsi Window Manager"; + + requires = [ "jibri-xorg.service" ]; + after = [ "jibri-xorg.service" ]; + wantedBy = [ "jibri.service" ]; + + environment.DISPLAY = ":0"; + serviceConfig = { + Type = "simple"; + + User = "jibri"; + Group = "jibri"; + Restart = "on-failure"; + RestartPreventExitStatus = 255; + + StateDirectory = "jibri"; + + ExecStart = "${pkgs.icewm}/bin/icewm-session"; + }; + }; + + systemd.services.jibri = { + description = "Jibri Process"; + + requires = [ "jibri-icewm.service" "jibri-xorg.service" ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + path = with pkgs; [ chromedriver chromium ffmpeg-full ]; + + script = (concatStrings (mapAttrsToList + (name: env: '' + export ${toVarName "${name}_control"}=$(cat ${env.control.login.passwordFile}) + export ${toVarName "${name}_call"}=$(cat ${env.call.login.passwordFile}) + '') + cfg.xmppEnvironments)) + + '' + ${pkgs.jre8_headless}/bin/java -Djava.util.logging.config.file=${./logging.properties-journal} -Dconfig.file=${configFile} -jar ${pkgs.jibri}/opt/jitsi/jibri/jibri.jar --config /var/lib/jibri/jibri.json + ''; + + environment.HOME = "/var/lib/jibri"; + + serviceConfig = { + Type = "simple"; + + User = "jibri"; + Group = "jibri"; + Restart = "always"; + RestartPreventExitStatus = 255; + + StateDirectory = "jibri"; + }; + }; + + systemd.tmpfiles.rules = [ + "d /var/log/jitsi/jibri 755 jibri jibri" + ]; + + + + # Configure Chromium to not show the "Chrome is being controlled by automatic test software" message. + environment.etc."chromium/policies/managed/managed_policies.json".text = builtins.toJSON { CommandLineFlagSecurityWarningsEnabled = false; }; + warnings = [ "All security warnings for Chromium have been disabled. This is necessary for Jibri, but it also impacts all other uses of Chromium on this system." ]; + + boot = { + extraModprobeConfig = '' + options snd-aloop enable=1,1,1,1,1,1,1,1 + ''; + kernelModules = [ "snd-aloop" ]; + }; + }; + + meta.maintainers = lib.teams.jitsi.members; +} diff --git a/nixos/modules/services/networking/jibri/logging.properties-journal b/nixos/modules/services/networking/jibri/logging.properties-journal new file mode 100644 index 00000000000..61eadbfddcb --- /dev/null +++ b/nixos/modules/services/networking/jibri/logging.properties-journal @@ -0,0 +1,32 @@ +handlers = java.util.logging.FileHandler + +java.util.logging.FileHandler.level = FINE +java.util.logging.FileHandler.pattern = /var/log/jitsi/jibri/log.%g.txt +java.util.logging.FileHandler.formatter = net.java.sip.communicator.util.ScLogFormatter +java.util.logging.FileHandler.count = 10 +java.util.logging.FileHandler.limit = 10000000 + +org.jitsi.jibri.capture.ffmpeg.util.FfmpegFileHandler.level = FINE +org.jitsi.jibri.capture.ffmpeg.util.FfmpegFileHandler.pattern = /var/log/jitsi/jibri/ffmpeg.%g.txt +org.jitsi.jibri.capture.ffmpeg.util.FfmpegFileHandler.formatter = net.java.sip.communicator.util.ScLogFormatter +org.jitsi.jibri.capture.ffmpeg.util.FfmpegFileHandler.count = 10 +org.jitsi.jibri.capture.ffmpeg.util.FfmpegFileHandler.limit = 10000000 + +org.jitsi.jibri.sipgateway.pjsua.util.PjsuaFileHandler.level = FINE +org.jitsi.jibri.sipgateway.pjsua.util.PjsuaFileHandler.pattern = /var/log/jitsi/jibri/pjsua.%g.txt +org.jitsi.jibri.sipgateway.pjsua.util.PjsuaFileHandler.formatter = net.java.sip.communicator.util.ScLogFormatter +org.jitsi.jibri.sipgateway.pjsua.util.PjsuaFileHandler.count = 10 +org.jitsi.jibri.sipgateway.pjsua.util.PjsuaFileHandler.limit = 10000000 + +org.jitsi.jibri.selenium.util.BrowserFileHandler.level = FINE +org.jitsi.jibri.selenium.util.BrowserFileHandler.pattern = /var/log/jitsi/jibri/browser.%g.txt +org.jitsi.jibri.selenium.util.BrowserFileHandler.formatter = net.java.sip.communicator.util.ScLogFormatter +org.jitsi.jibri.selenium.util.BrowserFileHandler.count = 10 +org.jitsi.jibri.selenium.util.BrowserFileHandler.limit = 10000000 + +org.jitsi.level = FINE +org.jitsi.jibri.config.level = INFO + +org.glassfish.level = INFO +org.osgi.level = INFO +org.jitsi.xmpp.level = INFO diff --git a/nixos/modules/services/networking/jicofo.nix b/nixos/modules/services/networking/jicofo.nix new file mode 100644 index 00000000000..647119b9039 --- /dev/null +++ b/nixos/modules/services/networking/jicofo.nix @@ -0,0 +1,152 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.jicofo; +in +{ + options.services.jicofo = with types; { + enable = mkEnableOption "Jitsi Conference Focus - component of Jitsi Meet"; + + xmppHost = mkOption { + type = str; + example = "localhost"; + description = '' + Hostname of the XMPP server to connect to. + ''; + }; + + xmppDomain = mkOption { + type = nullOr str; + example = "meet.example.org"; + description = '' + Domain name of the XMMP server to which to connect as a component. + + If null, <option>xmppHost</option> is used. + ''; + }; + + componentPasswordFile = mkOption { + type = str; + example = "/run/keys/jicofo-component"; + description = '' + Path to file containing component secret. + ''; + }; + + userName = mkOption { + type = str; + default = "focus"; + description = '' + User part of the JID for XMPP user connection. + ''; + }; + + userDomain = mkOption { + type = str; + example = "auth.meet.example.org"; + description = '' + Domain part of the JID for XMPP user connection. + ''; + }; + + userPasswordFile = mkOption { + type = str; + example = "/run/keys/jicofo-user"; + description = '' + Path to file containing password for XMPP user connection. + ''; + }; + + bridgeMuc = mkOption { + type = str; + example = "jvbbrewery@internal.meet.example.org"; + description = '' + JID of the internal MUC used to communicate with Videobridges. + ''; + }; + + config = mkOption { + type = attrsOf str; + default = { }; + example = literalExpression '' + { + "org.jitsi.jicofo.auth.URL" = "XMPP:jitsi-meet.example.com"; + } + ''; + description = '' + Contents of the <filename>sip-communicator.properties</filename> configuration file for jicofo. + ''; + }; + }; + + config = mkIf cfg.enable { + services.jicofo.config = mapAttrs (_: v: mkDefault v) { + "org.jitsi.jicofo.BRIDGE_MUC" = cfg.bridgeMuc; + }; + + users.groups.jitsi-meet = {}; + + systemd.services.jicofo = let + jicofoProps = { + "-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION" = "/etc/jitsi"; + "-Dnet.java.sip.communicator.SC_HOME_DIR_NAME" = "jicofo"; + "-Djava.util.logging.config.file" = "/etc/jitsi/jicofo/logging.properties"; + }; + in + { + description = "JItsi COnference FOcus"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + restartTriggers = [ + config.environment.etc."jitsi/jicofo/sip-communicator.properties".source + ]; + environment.JAVA_SYS_PROPS = concatStringsSep " " (mapAttrsToList (k: v: "${k}=${toString v}") jicofoProps); + + script = '' + ${pkgs.jicofo}/bin/jicofo \ + --host=${cfg.xmppHost} \ + --domain=${if cfg.xmppDomain == null then cfg.xmppHost else cfg.xmppDomain} \ + --secret=$(cat ${cfg.componentPasswordFile}) \ + --user_name=${cfg.userName} \ + --user_domain=${cfg.userDomain} \ + --user_password=$(cat ${cfg.userPasswordFile}) + ''; + + serviceConfig = { + Type = "exec"; + + DynamicUser = true; + User = "jicofo"; + Group = "jitsi-meet"; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + RestrictNamespaces = true; + LockPersonality = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + }; + }; + + environment.etc."jitsi/jicofo/sip-communicator.properties".source = + pkgs.writeText "sip-communicator.properties" ( + generators.toKeyValue {} cfg.config + ); + environment.etc."jitsi/jicofo/logging.properties".source = + mkDefault "${pkgs.jicofo}/etc/jitsi/jicofo/logging.properties-journal"; + }; + + meta.maintainers = lib.teams.jitsi.members; +} diff --git a/nixos/modules/services/networking/jitsi-videobridge.nix b/nixos/modules/services/networking/jitsi-videobridge.nix new file mode 100644 index 00000000000..abb0bd0a25e --- /dev/null +++ b/nixos/modules/services/networking/jitsi-videobridge.nix @@ -0,0 +1,288 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.jitsi-videobridge; + attrsToArgs = a: concatStringsSep " " (mapAttrsToList (k: v: "${k}=${toString v}") a); + + # HOCON is a JSON superset that videobridge2 uses for configuration. + # It can substitute environment variables which we use for passwords here. + # https://github.com/lightbend/config/blob/master/README.md + # + # Substitution for environment variable FOO is represented as attribute set + # { __hocon_envvar = "FOO"; } + toHOCON = x: if isAttrs x && x ? __hocon_envvar then ("\${" + x.__hocon_envvar + "}") + else if isAttrs x then "{${ concatStringsSep "," (mapAttrsToList (k: v: ''"${k}":${toHOCON v}'') x) }}" + else if isList x then "[${ concatMapStringsSep "," toHOCON x }]" + else builtins.toJSON x; + + # We're passing passwords in environment variables that have names generated + # from an attribute name, which may not be a valid bash identifier. + toVarName = s: "XMPP_PASSWORD_" + stringAsChars (c: if builtins.match "[A-Za-z0-9]" c != null then c else "_") s; + + defaultJvbConfig = { + videobridge = { + ice = { + tcp = { + enabled = true; + port = 4443; + }; + udp.port = 10000; + }; + stats = { + enabled = true; + transports = [ { type = "muc"; } ]; + }; + apis.xmpp-client.configs = flip mapAttrs cfg.xmppConfigs (name: xmppConfig: { + hostname = xmppConfig.hostName; + domain = xmppConfig.domain; + username = xmppConfig.userName; + password = { __hocon_envvar = toVarName name; }; + muc_jids = xmppConfig.mucJids; + muc_nickname = xmppConfig.mucNickname; + disable_certificate_verification = xmppConfig.disableCertificateVerification; + }); + }; + }; + + # Allow overriding leaves of the default config despite types.attrs not doing any merging. + jvbConfig = recursiveUpdate defaultJvbConfig cfg.config; +in +{ + options.services.jitsi-videobridge = with types; { + enable = mkEnableOption "Jitsi Videobridge, a WebRTC compatible video router"; + + config = mkOption { + type = attrs; + default = { }; + example = literalExpression '' + { + videobridge = { + ice.udp.port = 5000; + websockets = { + enabled = true; + server-id = "jvb1"; + }; + }; + } + ''; + description = '' + Videobridge configuration. + + See <link xlink:href="https://github.com/jitsi/jitsi-videobridge/blob/master/src/main/resources/reference.conf" /> + for default configuration with comments. + ''; + }; + + xmppConfigs = mkOption { + description = '' + XMPP servers to connect to. + + See <link xlink:href="https://github.com/jitsi/jitsi-videobridge/blob/master/doc/muc.md" /> for more information. + ''; + default = { }; + example = literalExpression '' + { + "localhost" = { + hostName = "localhost"; + userName = "jvb"; + domain = "auth.xmpp.example.org"; + passwordFile = "/var/lib/jitsi-meet/videobridge-secret"; + mucJids = "jvbbrewery@internal.xmpp.example.org"; + }; + } + ''; + type = attrsOf (submodule ({ name, ... }: { + options = { + hostName = mkOption { + type = str; + example = "xmpp.example.org"; + description = '' + Hostname of the XMPP server to connect to. Name of the attribute set is used by default. + ''; + }; + domain = mkOption { + type = nullOr str; + default = null; + example = "auth.xmpp.example.org"; + description = '' + Domain part of JID of the XMPP user, if it is different from hostName. + ''; + }; + userName = mkOption { + type = str; + default = "jvb"; + description = '' + User part of the JID. + ''; + }; + passwordFile = mkOption { + type = str; + example = "/run/keys/jitsi-videobridge-xmpp1"; + description = '' + File containing the password for the user. + ''; + }; + mucJids = mkOption { + type = str; + example = "jvbbrewery@internal.xmpp.example.org"; + description = '' + JID of the MUC to join. JiCoFo needs to be configured to join the same MUC. + ''; + }; + mucNickname = mkOption { + # Upstream DEBs use UUID, let's use hostname instead. + type = str; + description = '' + Videobridges use the same XMPP account and need to be distinguished by the + nickname (aka resource part of the JID). By default, system hostname is used. + ''; + }; + disableCertificateVerification = mkOption { + type = bool; + default = false; + description = '' + Whether to skip validation of the server's certificate. + ''; + }; + }; + config = { + hostName = mkDefault name; + mucNickname = mkDefault (builtins.replaceStrings [ "." ] [ "-" ] ( + config.networking.hostName + optionalString (config.networking.domain != null) ".${config.networking.domain}" + )); + }; + })); + }; + + nat = { + localAddress = mkOption { + type = nullOr str; + default = null; + example = "192.168.1.42"; + description = '' + Local address when running behind NAT. + ''; + }; + + publicAddress = mkOption { + type = nullOr str; + default = null; + example = "1.2.3.4"; + description = '' + Public address when running behind NAT. + ''; + }; + }; + + extraProperties = mkOption { + type = attrsOf str; + default = { }; + description = '' + Additional Java properties passed to jitsi-videobridge. + ''; + }; + + openFirewall = mkOption { + type = bool; + default = false; + description = '' + Whether to open ports in the firewall for the videobridge. + ''; + }; + + apis = mkOption { + type = with types; listOf str; + description = '' + What is passed as --apis= parameter. If this is empty, "none" is passed. + Needed for monitoring jitsi. + ''; + default = []; + example = literalExpression "[ \"colibri\" \"rest\" ]"; + }; + }; + + config = mkIf cfg.enable { + users.groups.jitsi-meet = {}; + + services.jitsi-videobridge.extraProperties = optionalAttrs (cfg.nat.localAddress != null) { + "org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS" = cfg.nat.localAddress; + "org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS" = cfg.nat.publicAddress; + }; + + systemd.services.jitsi-videobridge2 = let + jvbProps = { + "-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION" = "/etc/jitsi"; + "-Dnet.java.sip.communicator.SC_HOME_DIR_NAME" = "videobridge"; + "-Djava.util.logging.config.file" = "/etc/jitsi/videobridge/logging.properties"; + "-Dconfig.file" = pkgs.writeText "jvb.conf" (toHOCON jvbConfig); + # Mitigate CVE-2021-44228 + "-Dlog4j2.formatMsgNoLookups" = true; + } // (mapAttrs' (k: v: nameValuePair "-D${k}" v) cfg.extraProperties); + in + { + aliases = [ "jitsi-videobridge.service" ]; + description = "Jitsi Videobridge"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + environment.JAVA_SYS_PROPS = attrsToArgs jvbProps; + + script = (concatStrings (mapAttrsToList (name: xmppConfig: + "export ${toVarName name}=$(cat ${xmppConfig.passwordFile})\n" + ) cfg.xmppConfigs)) + + '' + ${pkgs.jitsi-videobridge}/bin/jitsi-videobridge --apis=${if (cfg.apis == []) then "none" else concatStringsSep "," cfg.apis} + ''; + + serviceConfig = { + Type = "exec"; + + DynamicUser = true; + User = "jitsi-videobridge"; + Group = "jitsi-meet"; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + RestrictNamespaces = true; + LockPersonality = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + + TasksMax = 65000; + LimitNPROC = 65000; + LimitNOFILE = 65000; + }; + }; + + environment.etc."jitsi/videobridge/logging.properties".source = + mkDefault "${pkgs.jitsi-videobridge}/etc/jitsi/videobridge/logging.properties-journal"; + + # (from videobridge2 .deb) + # this sets the max, so that we can bump the JVB UDP single port buffer size. + boot.kernel.sysctl."net.core.rmem_max" = mkDefault 10485760; + boot.kernel.sysctl."net.core.netdev_max_backlog" = mkDefault 100000; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall + [ jvbConfig.videobridge.ice.tcp.port ]; + networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall + [ jvbConfig.videobridge.ice.udp.port ]; + + assertions = [{ + message = "publicAddress must be set if and only if localAddress is set"; + assertion = (cfg.nat.publicAddress == null) == (cfg.nat.localAddress == null); + }]; + }; + + meta.maintainers = lib.teams.jitsi.members; +} diff --git a/nixos/modules/services/networking/kea.nix b/nixos/modules/services/networking/kea.nix new file mode 100644 index 00000000000..17b4eb2e283 --- /dev/null +++ b/nixos/modules/services/networking/kea.nix @@ -0,0 +1,383 @@ +{ config +, lib +, pkgs +, ... +}: + +with lib; + +let + cfg = config.services.kea; + + format = pkgs.formats.json {}; + + ctrlAgentConfig = format.generate "kea-ctrl-agent.conf" { + Control-agent = cfg.ctrl-agent.settings; + }; + dhcp4Config = format.generate "kea-dhcp4.conf" { + Dhcp4 = cfg.dhcp4.settings; + }; + dhcp6Config = format.generate "kea-dhcp6.conf" { + Dhcp6 = cfg.dhcp6.settings; + }; + dhcpDdnsConfig = format.generate "kea-dhcp-ddns.conf" { + DhcpDdns = cfg.dhcp-ddns.settings; + }; + + package = pkgs.kea; +in +{ + options.services.kea = with types; { + ctrl-agent = mkOption { + description = '' + Kea Control Agent configuration + ''; + default = {}; + type = submodule { + options = { + enable = mkEnableOption "Kea Control Agent"; + + extraArgs = mkOption { + type = listOf str; + default = []; + description = '' + List of additonal arguments to pass to the daemon. + ''; + }; + + settings = mkOption { + type = format.type; + default = null; + description = '' + Kea Control Agent configuration as an attribute set, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html"/>. + ''; + }; + }; + }; + }; + + dhcp4 = mkOption { + description = '' + DHCP4 Server configuration + ''; + default = {}; + type = submodule { + options = { + enable = mkEnableOption "Kea DHCP4 server"; + + extraArgs = mkOption { + type = listOf str; + default = []; + description = '' + List of additonal arguments to pass to the daemon. + ''; + }; + + settings = mkOption { + type = format.type; + default = null; + example = { + valid-lifetime = 4000; + renew-timer = 1000; + rebind-timer = 2000; + interfaces-config = { + interfaces = [ + "eth0" + ]; + }; + lease-database = { + type = "memfile"; + persist = true; + name = "/var/lib/kea/dhcp4.leases"; + }; + subnet4 = [ { + subnet = "192.0.2.0/24"; + pools = [ { + pool = "192.0.2.100 - 192.0.2.240"; + } ]; + } ]; + }; + description = '' + Kea DHCP4 configuration as an attribute set, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp4-srv.html"/>. + ''; + }; + }; + }; + }; + + dhcp6 = mkOption { + description = '' + DHCP6 Server configuration + ''; + default = {}; + type = submodule { + options = { + enable = mkEnableOption "Kea DHCP6 server"; + + extraArgs = mkOption { + type = listOf str; + default = []; + description = '' + List of additonal arguments to pass to the daemon. + ''; + }; + + settings = mkOption { + type = format.type; + default = null; + example = { + valid-lifetime = 4000; + renew-timer = 1000; + rebind-timer = 2000; + preferred-lifetime = 3000; + interfaces-config = { + interfaces = [ + "eth0" + ]; + }; + lease-database = { + type = "memfile"; + persist = true; + name = "/var/lib/kea/dhcp6.leases"; + }; + subnet6 = [ { + subnet = "2001:db8:1::/64"; + pools = [ { + pool = "2001:db8:1::1-2001:db8:1::ffff"; + } ]; + } ]; + }; + description = '' + Kea DHCP6 configuration as an attribute set, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp6-srv.html"/>. + ''; + }; + }; + }; + }; + + dhcp-ddns = mkOption { + description = '' + Kea DHCP-DDNS configuration + ''; + default = {}; + type = submodule { + options = { + enable = mkEnableOption "Kea DDNS server"; + + extraArgs = mkOption { + type = listOf str; + default = []; + description = '' + List of additonal arguments to pass to the daemon. + ''; + }; + + settings = mkOption { + type = format.type; + default = null; + example = { + ip-address = "127.0.0.1"; + port = 53001; + dns-server-timeout = 100; + ncr-protocol = "UDP"; + ncr-format = "JSON"; + tsig-keys = [ ]; + forward-ddns = { + ddns-domains = [ ]; + }; + reverse-ddns = { + ddns-domains = [ ]; + }; + }; + description = '' + Kea DHCP-DDNS configuration as an attribute set, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html"/>. + ''; + }; + }; + }; + }; + }; + + config = let + commonServiceConfig = { + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + DynamicUser = true; + User = "kea"; + ConfigurationDirectory = "kea"; + RuntimeDirectory = "kea"; + StateDirectory = "kea"; + UMask = "0077"; + }; + in mkIf (cfg.ctrl-agent.enable || cfg.dhcp4.enable || cfg.dhcp6.enable || cfg.dhcp-ddns.enable) (mkMerge [ + { + environment.systemPackages = [ package ]; + } + + (mkIf cfg.ctrl-agent.enable { + + environment.etc."kea/ctrl-agent.conf".source = ctrlAgentConfig; + + systemd.services.kea-ctrl-agent = { + description = "Kea Control Agent"; + documentation = [ + "man:kea-ctrl-agent(8)" + "https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html" + ]; + + after = [ + "network-online.target" + "time-sync.target" + ]; + wantedBy = [ + "kea-dhcp4-server.service" + "kea-dhcp6-server.service" + "kea-dhcp-ddns-server.service" + ]; + + environment = { + KEA_PIDFILE_DIR = "/run/kea"; + KEA_LOCKFILE_DIR = "/run/kea"; + }; + + restartTriggers = [ + ctrlAgentConfig + ]; + + serviceConfig = { + ExecStart = "${package}/bin/kea-ctrl-agent -c /etc/kea/ctrl-agent.conf ${lib.escapeShellArgs cfg.dhcp4.extraArgs}"; + KillMode = "process"; + Restart = "on-failure"; + } // commonServiceConfig; + }; + }) + + (mkIf cfg.dhcp4.enable { + + environment.etc."kea/dhcp4-server.conf".source = dhcp4Config; + + systemd.services.kea-dhcp4-server = { + description = "Kea DHCP4 Server"; + documentation = [ + "man:kea-dhcp4(8)" + "https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp4-srv.html" + ]; + + after = [ + "network-online.target" + "time-sync.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + + environment = { + KEA_PIDFILE_DIR = "/run/kea"; + KEA_LOCKFILE_DIR = "/run/kea"; + }; + + restartTriggers = [ + dhcp4Config + ]; + + serviceConfig = { + ExecStart = "${package}/bin/kea-dhcp4 -c /etc/kea/dhcp4-server.conf ${lib.escapeShellArgs cfg.dhcp4.extraArgs}"; + # Kea does not request capabilities by itself + AmbientCapabilities = [ + "CAP_NET_BIND_SERVICE" + "CAP_NET_RAW" + ]; + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" + "CAP_NET_RAW" + ]; + } // commonServiceConfig; + }; + }) + + (mkIf cfg.dhcp6.enable { + + environment.etc."kea/dhcp6-server.conf".source = dhcp6Config; + + systemd.services.kea-dhcp6-server = { + description = "Kea DHCP6 Server"; + documentation = [ + "man:kea-dhcp6(8)" + "https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp6-srv.html" + ]; + + after = [ + "network-online.target" + "time-sync.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + + environment = { + KEA_PIDFILE_DIR = "/run/kea"; + KEA_LOCKFILE_DIR = "/run/kea"; + }; + + restartTriggers = [ + dhcp6Config + ]; + + serviceConfig = { + ExecStart = "${package}/bin/kea-dhcp6 -c /etc/kea/dhcp6-server.conf ${lib.escapeShellArgs cfg.dhcp6.extraArgs}"; + # Kea does not request capabilities by itself + AmbientCapabilities = [ + "CAP_NET_BIND_SERVICE" + ]; + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" + ]; + } // commonServiceConfig; + }; + }) + + (mkIf cfg.dhcp-ddns.enable { + + environment.etc."kea/dhcp-ddns.conf".source = dhcpDdnsConfig; + + systemd.services.kea-dhcp-ddns-server = { + description = "Kea DHCP-DDNS Server"; + documentation = [ + "man:kea-dhcp-ddns(8)" + "https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html" + ]; + + after = [ + "network-online.target" + "time-sync.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + + environment = { + KEA_PIDFILE_DIR = "/run/kea"; + KEA_LOCKFILE_DIR = "/run/kea"; + }; + + restartTriggers = [ + dhcpDdnsConfig + ]; + + serviceConfig = { + ExecStart = "${package}/bin/kea-dhcp-ddns -c /etc/kea/dhcp-ddns.conf ${lib.escapeShellArgs cfg.dhcp-ddns.extraArgs}"; + AmbientCapabilities = [ + "CAP_NET_BIND_SERVICE" + ]; + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" + ]; + } // commonServiceConfig; + }; + }) + + ]); + + meta.maintainers = with maintainers; [ hexa ]; + # uses attributes of the linked package + meta.buildDocsInSandbox = false; +} diff --git a/nixos/modules/services/networking/keepalived/default.nix b/nixos/modules/services/networking/keepalived/default.nix new file mode 100644 index 00000000000..c9ac2ee2599 --- /dev/null +++ b/nixos/modules/services/networking/keepalived/default.nix @@ -0,0 +1,303 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.keepalived; + + keepalivedConf = pkgs.writeText "keepalived.conf" '' + global_defs { + ${optionalString cfg.enableScriptSecurity "enable_script_security"} + ${snmpGlobalDefs} + ${cfg.extraGlobalDefs} + } + + ${vrrpScriptStr} + ${vrrpInstancesStr} + ${cfg.extraConfig} + ''; + + snmpGlobalDefs = with cfg.snmp; optionalString enable ( + optionalString (socket != null) "snmp_socket ${socket}\n" + + optionalString enableKeepalived "enable_snmp_keepalived\n" + + optionalString enableChecker "enable_snmp_checker\n" + + optionalString enableRfc "enable_snmp_rfc\n" + + optionalString enableRfcV2 "enable_snmp_rfcv2\n" + + optionalString enableRfcV3 "enable_snmp_rfcv3\n" + + optionalString enableTraps "enable_traps" + ); + + vrrpScriptStr = concatStringsSep "\n" (map (s: + '' + vrrp_script ${s.name} { + script "${s.script}" + interval ${toString s.interval} + fall ${toString s.fall} + rise ${toString s.rise} + timeout ${toString s.timeout} + weight ${toString s.weight} + user ${s.user} ${optionalString (s.group != null) s.group} + + ${s.extraConfig} + } + '' + ) vrrpScripts); + + vrrpInstancesStr = concatStringsSep "\n" (map (i: + '' + vrrp_instance ${i.name} { + interface ${i.interface} + state ${i.state} + virtual_router_id ${toString i.virtualRouterId} + priority ${toString i.priority} + ${optionalString i.noPreempt "nopreempt"} + + ${optionalString i.useVmac ( + "use_vmac" + optionalString (i.vmacInterface != null) " ${i.vmacInterface}" + )} + ${optionalString i.vmacXmitBase "vmac_xmit_base"} + + ${optionalString (i.unicastSrcIp != null) "unicast_src_ip ${i.unicastSrcIp}"} + unicast_peer { + ${concatStringsSep "\n" i.unicastPeers} + } + + virtual_ipaddress { + ${concatMapStringsSep "\n" virtualIpLine i.virtualIps} + } + + ${optionalString (builtins.length i.trackScripts > 0) '' + track_script { + ${concatStringsSep "\n" i.trackScripts} + } + ''} + + ${optionalString (builtins.length i.trackInterfaces > 0) '' + track_interface { + ${concatStringsSep "\n" i.trackInterfaces} + } + ''} + + ${i.extraConfig} + } + '' + ) vrrpInstances); + + virtualIpLine = (ip: + ip.addr + + optionalString (notNullOrEmpty ip.brd) " brd ${ip.brd}" + + optionalString (notNullOrEmpty ip.dev) " dev ${ip.dev}" + + optionalString (notNullOrEmpty ip.scope) " scope ${ip.scope}" + + optionalString (notNullOrEmpty ip.label) " label ${ip.label}" + ); + + notNullOrEmpty = s: !(s == null || s == ""); + + vrrpScripts = mapAttrsToList (name: config: + { + inherit name; + } // config + ) cfg.vrrpScripts; + + vrrpInstances = mapAttrsToList (iName: iConfig: + { + name = iName; + } // iConfig + ) cfg.vrrpInstances; + + vrrpInstanceAssertions = i: [ + { assertion = i.interface != ""; + message = "services.keepalived.vrrpInstances.${i.name}.interface option cannot be empty."; + } + { assertion = i.virtualRouterId >= 0 && i.virtualRouterId <= 255; + message = "services.keepalived.vrrpInstances.${i.name}.virtualRouterId must be an integer between 0..255."; + } + { assertion = i.priority >= 0 && i.priority <= 255; + message = "services.keepalived.vrrpInstances.${i.name}.priority must be an integer between 0..255."; + } + { assertion = i.vmacInterface == null || i.useVmac; + message = "services.keepalived.vrrpInstances.${i.name}.vmacInterface has no effect when services.keepalived.vrrpInstances.${i.name}.useVmac is not set."; + } + { assertion = !i.vmacXmitBase || i.useVmac; + message = "services.keepalived.vrrpInstances.${i.name}.vmacXmitBase has no effect when services.keepalived.vrrpInstances.${i.name}.useVmac is not set."; + } + ] ++ flatten (map (virtualIpAssertions i.name) i.virtualIps) + ++ flatten (map (vrrpScriptAssertion i.name) i.trackScripts); + + virtualIpAssertions = vrrpName: ip: [ + { assertion = ip.addr != ""; + message = "The 'addr' option for an services.keepalived.vrrpInstances.${vrrpName}.virtualIps entry cannot be empty."; + } + ]; + + vrrpScriptAssertion = vrrpName: scriptName: { + assertion = builtins.hasAttr scriptName cfg.vrrpScripts; + message = "services.keepalived.vrrpInstances.${vrrpName} trackscript ${scriptName} is not defined in services.keepalived.vrrpScripts."; + }; + + pidFile = "/run/keepalived.pid"; + +in +{ + + options = { + services.keepalived = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable Keepalived. + ''; + }; + + enableScriptSecurity = mkOption { + type = types.bool; + default = false; + description = '' + Don't run scripts configured to be run as root if any part of the path is writable by a non-root user. + ''; + }; + + snmp = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the builtin AgentX subagent. + ''; + }; + + socket = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Socket to use for connecting to SNMP master agent. If this value is + set to null, keepalived's default will be used, which is + unix:/var/agentx/master, unless using a network namespace, when the + default is udp:localhost:705. + ''; + }; + + enableKeepalived = mkOption { + type = types.bool; + default = false; + description = '' + Enable SNMP handling of vrrp element of KEEPALIVED MIB. + ''; + }; + + enableChecker = mkOption { + type = types.bool; + default = false; + description = '' + Enable SNMP handling of checker element of KEEPALIVED MIB. + ''; + }; + + enableRfc = mkOption { + type = types.bool; + default = false; + description = '' + Enable SNMP handling of RFC2787 and RFC6527 VRRP MIBs. + ''; + }; + + enableRfcV2 = mkOption { + type = types.bool; + default = false; + description = '' + Enable SNMP handling of RFC2787 VRRP MIB. + ''; + }; + + enableRfcV3 = mkOption { + type = types.bool; + default = false; + description = '' + Enable SNMP handling of RFC6527 VRRP MIB. + ''; + }; + + enableTraps = mkOption { + type = types.bool; + default = false; + description = '' + Enable SNMP traps. + ''; + }; + + }; + + vrrpScripts = mkOption { + type = types.attrsOf (types.submodule (import ./vrrp-script-options.nix { + inherit lib; + })); + default = {}; + description = "Declarative vrrp script config"; + }; + + vrrpInstances = mkOption { + type = types.attrsOf (types.submodule (import ./vrrp-instance-options.nix { + inherit lib; + })); + default = {}; + description = "Declarative vhost config"; + }; + + extraGlobalDefs = mkOption { + type = types.lines; + default = ""; + description = '' + Extra lines to be added verbatim to the 'global_defs' block of the + configuration file + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra lines to be added verbatim to the configuration file. + ''; + }; + + }; + }; + + config = mkIf cfg.enable { + + assertions = flatten (map vrrpInstanceAssertions vrrpInstances); + + systemd.timers.keepalived-boot-delay = { + description = "Keepalive Daemon delay to avoid instant transition to MASTER state"; + after = [ "network.target" "network-online.target" "syslog.target" ]; + requires = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + timerConfig = { + OnActiveSec = "5s"; + Unit = "keepalived.service"; + }; + }; + + systemd.services.keepalived = { + description = "Keepalive Daemon (LVS and VRRP)"; + after = [ "network.target" "network-online.target" "syslog.target" ]; + wants = [ "network-online.target" ]; + serviceConfig = { + Type = "forking"; + PIDFile = pidFile; + KillMode = "process"; + ExecStart = "${pkgs.keepalived}/sbin/keepalived" + + " -f ${keepalivedConf}" + + " -p ${pidFile}" + + optionalString cfg.snmp.enable " --snmp"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "always"; + RestartSec = "1s"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/keepalived/virtual-ip-options.nix b/nixos/modules/services/networking/keepalived/virtual-ip-options.nix new file mode 100644 index 00000000000..1b8889b1b47 --- /dev/null +++ b/nixos/modules/services/networking/keepalived/virtual-ip-options.nix @@ -0,0 +1,50 @@ +{ lib } : + +with lib; +{ + options = { + + addr = mkOption { + type = types.str; + description = '' + IP address, optionally with a netmask: IPADDR[/MASK] + ''; + }; + + brd = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The broadcast address on the interface. + ''; + }; + + dev = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The name of the device to add the address to. + ''; + }; + + scope = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The scope of the area where this address is valid. + ''; + }; + + label = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Each address may be tagged with a label string. In order to preserve + compatibility with Linux-2.0 net aliases, this string must coincide with + the name of the device or must be prefixed with the device name followed + by colon. + ''; + }; + + }; +} diff --git a/nixos/modules/services/networking/keepalived/vrrp-instance-options.nix b/nixos/modules/services/networking/keepalived/vrrp-instance-options.nix new file mode 100644 index 00000000000..e96dde5fa89 --- /dev/null +++ b/nixos/modules/services/networking/keepalived/vrrp-instance-options.nix @@ -0,0 +1,133 @@ +{ lib } : + +with lib; +{ + options = { + + interface = mkOption { + type = types.str; + description = '' + Interface for inside_network, bound by vrrp. + ''; + }; + + state = mkOption { + type = types.enum [ "MASTER" "BACKUP" ]; + default = "BACKUP"; + description = '' + Initial state. As soon as the other machine(s) come up, an election will + be held and the machine with the highest "priority" will become MASTER. + So the entry here doesn't matter a whole lot. + ''; + }; + + virtualRouterId = mkOption { + type = types.int; + description = '' + Arbitrary unique number 0..255. Used to differentiate multiple instances + of vrrpd running on the same NIC (and hence same socket). + ''; + }; + + priority = mkOption { + type = types.int; + default = 100; + description = '' + For electing MASTER, highest priority wins. To be MASTER, make 50 more + than other machines. + ''; + }; + + noPreempt = mkOption { + type = types.bool; + default = false; + description = '' + VRRP will normally preempt a lower priority machine when a higher + priority machine comes online. "nopreempt" allows the lower priority + machine to maintain the master role, even when a higher priority machine + comes back online. NOTE: For this to work, the initial state of this + entry must be BACKUP. + ''; + }; + + useVmac = mkOption { + type = types.bool; + default = false; + description = '' + Use VRRP Virtual MAC. + ''; + }; + + vmacInterface = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Name of the vmac interface to use. keepalived will come up with a name + if you don't specify one. + ''; + }; + + vmacXmitBase = mkOption { + type = types.bool; + default = false; + description = '' + Send/Recv VRRP messages from base interface instead of VMAC interface. + ''; + }; + + unicastSrcIp = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Default IP for binding vrrpd is the primary IP on interface. If you + want to hide location of vrrpd, use this IP as src_addr for unicast + vrrp packets. + ''; + }; + + unicastPeers = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Do not send VRRP adverts over VRRP multicast group. Instead it sends + adverts to the following list of ip addresses using unicast design + fashion. It can be cool to use VRRP FSM and features in a networking + environment where multicast is not supported! IP Addresses specified can + IPv4 as well as IPv6. + ''; + }; + + virtualIps = mkOption { + type = types.listOf (types.submodule (import ./virtual-ip-options.nix { + inherit lib; + })); + default = []; + # TODO: example + description = "Declarative vhost config"; + }; + + trackScripts = mkOption { + type = types.listOf types.str; + default = []; + example = [ "chk_cmd1" "chk_cmd2" ]; + description = "List of script names to invoke for health tracking."; + }; + + trackInterfaces = mkOption { + type = types.listOf types.str; + default = []; + example = [ "eth0" "eth1" ]; + description = "List of network interfaces to monitor for health tracking."; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra lines to be added verbatim to the vrrp_instance section. + ''; + }; + + }; + +} diff --git a/nixos/modules/services/networking/keepalived/vrrp-script-options.nix b/nixos/modules/services/networking/keepalived/vrrp-script-options.nix new file mode 100644 index 00000000000..df7a89cff8c --- /dev/null +++ b/nixos/modules/services/networking/keepalived/vrrp-script-options.nix @@ -0,0 +1,64 @@ +{ lib } : + +with lib; +with lib.types; +{ + options = { + + script = mkOption { + type = str; + example = literalExpression ''"''${pkgs.curl} -f http://localhost:80"''; + description = "(Path of) Script command to execute followed by args, i.e. cmd [args]..."; + }; + + interval = mkOption { + type = int; + default = 1; + description = "Seconds between script invocations."; + }; + + timeout = mkOption { + type = int; + default = 5; + description = "Seconds after which script is considered to have failed."; + }; + + weight = mkOption { + type = int; + default = 0; + description = "Following a failure, adjust the priority by this weight."; + }; + + rise = mkOption { + type = int; + default = 5; + description = "Required number of successes for OK transition."; + }; + + fall = mkOption { + type = int; + default = 3; + description = "Required number of failures for KO transition."; + }; + + user = mkOption { + type = str; + default = "keepalived_script"; + description = "Name of user to run the script under."; + }; + + group = mkOption { + type = nullOr str; + default = null; + description = "Name of group to run the script under. Defaults to user group."; + }; + + extraConfig = mkOption { + type = lines; + default = ""; + description = "Extra lines to be added verbatim to the vrrp_script section."; + }; + + }; + +} diff --git a/nixos/modules/services/networking/keybase.nix b/nixos/modules/services/networking/keybase.nix new file mode 100644 index 00000000000..495102cb7ee --- /dev/null +++ b/nixos/modules/services/networking/keybase.nix @@ -0,0 +1,47 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.keybase; + +in { + + ###### interface + + options = { + + services.keybase = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Whether to start the Keybase service."; + }; + + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + # Upstream: https://github.com/keybase/client/blob/master/packaging/linux/systemd/keybase.service + systemd.user.services.keybase = { + description = "Keybase service"; + unitConfig.ConditionUser = "!@system"; + environment.KEYBASE_SERVICE_TYPE = "systemd"; + serviceConfig = { + Type = "notify"; + EnvironmentFile = [ + "-%E/keybase/keybase.autogen.env" + "-%E/keybase/keybase.env" + ]; + ExecStart = "${pkgs.keybase}/bin/keybase service"; + Restart = "on-failure"; + PrivateTmp = true; + }; + wantedBy = [ "default.target" ]; + }; + + environment.systemPackages = [ pkgs.keybase ]; + }; +} diff --git a/nixos/modules/services/networking/knot.nix b/nixos/modules/services/networking/knot.nix new file mode 100644 index 00000000000..a58a03997b3 --- /dev/null +++ b/nixos/modules/services/networking/knot.nix @@ -0,0 +1,152 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.knot; + + configFile = pkgs.writeTextFile { + name = "knot.conf"; + text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" + + cfg.extraConfig; + checkPhase = lib.optionalString (cfg.keyFiles == []) '' + ${cfg.package}/bin/knotc --config=$out conf-check + ''; + }; + + socketFile = "/run/knot/knot.sock"; + + knot-cli-wrappers = pkgs.stdenv.mkDerivation { + name = "knot-cli-wrappers"; + buildInputs = [ pkgs.makeWrapper ]; + buildCommand = '' + mkdir -p $out/bin + makeWrapper ${cfg.package}/bin/knotc "$out/bin/knotc" \ + --add-flags "--config=${configFile}" \ + --add-flags "--socket=${socketFile}" + makeWrapper ${cfg.package}/bin/keymgr "$out/bin/keymgr" \ + --add-flags "--config=${configFile}" + for executable in kdig khost kjournalprint knsec3hash knsupdate kzonecheck + do + ln -s "${cfg.package}/bin/$executable" "$out/bin/$executable" + done + mkdir -p "$out/share" + ln -s '${cfg.package}/share/man' "$out/share/" + ''; + }; +in { + options = { + services.knot = { + enable = mkEnableOption "Knot authoritative-only DNS server"; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + description = '' + List of additional command line paramters for knotd + ''; + }; + + keyFiles = mkOption { + type = types.listOf types.path; + default = []; + description = '' + A list of files containing additional configuration + to be included using the include directive. This option + allows to include configuration like TSIG keys without + exposing them to the nix store readable to any process. + Note that using this option will also disable configuration + checks at build time. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra lines to be added verbatim to knot.conf + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.knot-dns; + defaultText = literalExpression "pkgs.knot-dns"; + description = '' + Which Knot DNS package to use + ''; + }; + }; + }; + + config = mkIf config.services.knot.enable { + users.groups.knot = {}; + users.users.knot = { + isSystemUser = true; + group = "knot"; + description = "Knot daemon user"; + }; + + systemd.services.knot = { + unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/"; + description = cfg.package.meta.description; + wantedBy = [ "multi-user.target" ]; + wants = [ "network.target" ]; + after = ["network.target" ]; + + serviceConfig = { + Type = "notify"; + ExecStart = "${cfg.package}/bin/knotd --config=${configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}"; + ExecReload = "${knot-cli-wrappers}/bin/knotc reload"; + User = "knot"; + Group = "knot"; + + AmbientCapabilities = [ + "CAP_NET_BIND_SERVICE" + ]; + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" + ]; + DeviceAllow = ""; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = false; # breaks capability passing + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RemoveIPC = true; + Restart = "on-abort"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime =true; + RestrictSUIDSGID = true; + RuntimeDirectory = "knot"; + StateDirectory = "knot"; + StateDirectoryMode = "0700"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; + }; + }; + + environment.systemPackages = [ knot-cli-wrappers ]; + }; +} diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix new file mode 100644 index 00000000000..28b8be7a9a0 --- /dev/null +++ b/nixos/modules/services/networking/kresd.nix @@ -0,0 +1,151 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.kresd; + + # Convert systemd-style address specification to kresd config line(s). + # On Nix level we don't attempt to precisely validate the address specifications. + # The optional IPv6 scope spec comes *after* port, perhaps surprisingly. + mkListen = kind: addr: let + al_v4 = builtins.match "([0-9.]+):([0-9]+)($)" addr; + al_v6 = builtins.match "\\[(.+)]:([0-9]+)(%.*|$)" addr; + al_portOnly = builtins.match "([0-9]+)" addr; + al = findFirst (a: a != null) + (throw "services.kresd.*: incorrect address specification '${addr}'") + [ al_v4 al_v6 al_portOnly ]; + port = elemAt al 1; + addrSpec = if al_portOnly == null then "'${head al}${elemAt al 2}'" else "{'::', '0.0.0.0'}"; + in # freebind is set for compatibility with earlier kresd services; + # it could be configurable, for example. + '' + net.listen(${addrSpec}, ${port}, { kind = '${kind}', freebind = true }) + ''; + + configFile = pkgs.writeText "kresd.conf" ( + "" + + concatMapStrings (mkListen "dns") cfg.listenPlain + + concatMapStrings (mkListen "tls") cfg.listenTLS + + concatMapStrings (mkListen "doh2") cfg.listenDoH + + cfg.extraConfig + ); +in { + meta.maintainers = [ maintainers.vcunat /* upstream developer */ ]; + + imports = [ + (mkChangedOptionModule [ "services" "kresd" "interfaces" ] [ "services" "kresd" "listenPlain" ] + (config: + let value = getAttrFromPath [ "services" "kresd" "interfaces" ] config; + in map + (iface: if elem ":" (stringToCharacters iface) then "[${iface}]:53" else "${iface}:53") # Syntax depends on being IPv6 or IPv4. + value + ) + ) + (mkRemovedOptionModule [ "services" "kresd" "cacheDir" ] "Please use (bind-)mounting instead.") + ]; + + ###### interface + options.services.kresd = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable knot-resolver domain name server. + DNSSEC validation is turned on by default. + You can run <literal>sudo nc -U /run/knot-resolver/control/1</literal> + and give commands interactively to kresd@1.service. + ''; + }; + package = mkOption { + type = types.package; + description = " + knot-resolver package to use. + "; + default = pkgs.knot-resolver; + defaultText = literalExpression "pkgs.knot-resolver"; + example = literalExpression "pkgs.knot-resolver.override { extraFeatures = true; }"; + }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra lines to be added verbatim to the generated configuration file. + ''; + }; + listenPlain = mkOption { + type = with types; listOf str; + default = [ "[::1]:53" "127.0.0.1:53" ]; + example = [ "53" ]; + description = '' + What addresses and ports the server should listen on. + For detailed syntax see ListenStream in man systemd.socket. + ''; + }; + listenTLS = mkOption { + type = with types; listOf str; + default = []; + example = [ "198.51.100.1:853" "[2001:db8::1]:853" "853" ]; + description = '' + Addresses and ports on which kresd should provide DNS over TLS (see RFC 7858). + For detailed syntax see ListenStream in man systemd.socket. + ''; + }; + listenDoH = mkOption { + type = with types; listOf str; + default = []; + example = [ "198.51.100.1:443" "[2001:db8::1]:443" "443" ]; + description = '' + Addresses and ports on which kresd should provide DNS over HTTPS/2 (see RFC 8484). + For detailed syntax see ListenStream in man systemd.socket. + ''; + }; + instances = mkOption { + type = types.ints.unsigned; + default = 1; + description = '' + The number of instances to start. They will be called kresd@{1,2,...}.service. + Knot Resolver uses no threads, so this is the way to scale. + You can dynamically start/stop them at will, so this is just system default. + ''; + }; + # TODO: perhaps options for more common stuff like cache size or forwarding + }; + + ###### implementation + config = mkIf cfg.enable { + environment.etc."knot-resolver/kresd.conf".source = configFile; # not required + + networking.resolvconf.useLocalResolver = mkDefault true; + + users.users.knot-resolver = + { isSystemUser = true; + group = "knot-resolver"; + description = "Knot-resolver daemon user"; + }; + users.groups.knot-resolver.gid = null; + + systemd.packages = [ cfg.package ]; # the units are patched inside the package a bit + + systemd.targets.kresd = { # configure units started by default + wantedBy = [ "multi-user.target" ]; + wants = [ "kres-cache-gc.service" ] + ++ map (i: "kresd@${toString i}.service") (range 1 cfg.instances); + }; + systemd.services."kresd@".serviceConfig = { + ExecStart = "${cfg.package}/bin/kresd --noninteractive " + + "-c ${cfg.package}/lib/knot-resolver/distro-preconfig.lua -c ${configFile}"; + # Ensure /run/knot-resolver exists + RuntimeDirectory = "knot-resolver"; + RuntimeDirectoryMode = "0770"; + # Ensure /var/lib/knot-resolver exists + StateDirectory = "knot-resolver"; + StateDirectoryMode = "0770"; + # Ensure /var/cache/knot-resolver exists + CacheDirectory = "knot-resolver"; + CacheDirectoryMode = "0770"; + }; + # We don't mind running stop phase from wrong version. It seems less racy. + systemd.services."kresd@".stopIfChanged = false; + }; +} diff --git a/nixos/modules/services/networking/lambdabot.nix b/nixos/modules/services/networking/lambdabot.nix new file mode 100644 index 00000000000..3005e582455 --- /dev/null +++ b/nixos/modules/services/networking/lambdabot.nix @@ -0,0 +1,82 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.lambdabot; + + rc = builtins.toFile "script.rc" cfg.script; + +in + +{ + + ### configuration + + options = { + + services.lambdabot = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Enable the Lambdabot IRC bot"; + }; + + package = mkOption { + type = types.package; + default = pkgs.lambdabot; + defaultText = literalExpression "pkgs.lambdabot"; + description = "Used lambdabot package"; + }; + + script = mkOption { + type = types.str; + default = ""; + description = "Lambdabot script"; + }; + + }; + + }; + + ### implementation + + config = mkIf cfg.enable { + + systemd.services.lambdabot = { + description = "Lambdabot daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + # Workaround for https://github.com/lambdabot/lambdabot/issues/117 + script = '' + mkdir -p ~/.lambdabot + cd ~/.lambdabot + mkfifo /run/lambdabot/offline + ( + echo 'rc ${rc}' + while true; do + cat /run/lambdabot/offline + done + ) | ${cfg.package}/bin/lambdabot + ''; + serviceConfig = { + User = "lambdabot"; + RuntimeDirectory = [ "lambdabot" ]; + }; + }; + + users.users.lambdabot = { + group = "lambdabot"; + description = "Lambdabot daemon user"; + home = "/var/lib/lambdabot"; + createHome = true; + uid = config.ids.uids.lambdabot; + }; + + users.groups.lambdabot.gid = config.ids.gids.lambdabot; + + }; + +} diff --git a/nixos/modules/services/networking/libreswan.nix b/nixos/modules/services/networking/libreswan.nix new file mode 100644 index 00000000000..429167aed9d --- /dev/null +++ b/nixos/modules/services/networking/libreswan.nix @@ -0,0 +1,160 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.libreswan; + + libexec = "${pkgs.libreswan}/libexec/ipsec"; + ipsec = "${pkgs.libreswan}/sbin/ipsec"; + + trim = chars: str: + let + nonchars = filter (x : !(elem x.value chars)) + (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str)); + in + if length nonchars == 0 then "" + else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str; + indent = str: concatStrings (concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (splitString "\n" str)); + configText = indent (toString cfg.configSetup); + connectionText = concatStrings (mapAttrsToList (n: v: + '' + conn ${n} + ${indent v} + '') cfg.connections); + + configFile = pkgs.writeText "ipsec-nixos.conf" + '' + config setup + ${configText} + + ${connectionText} + ''; + + policyFiles = mapAttrs' (name: text: + { name = "ipsec.d/policies/${name}"; + value.source = pkgs.writeText "ipsec-policy-${name}" text; + }) cfg.policies; + +in + +{ + + ###### interface + + options = { + + services.libreswan = { + + enable = mkEnableOption "Libreswan IPsec service"; + + configSetup = mkOption { + type = types.lines; + default = '' + protostack=netkey + virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 + ''; + example = '' + secretsfile=/root/ipsec.secrets + protostack=netkey + virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 + ''; + description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration"; + }; + + connections = mkOption { + type = types.attrsOf types.lines; + default = {}; + example = literalExpression '' + { myconnection = ''' + auto=add + left=%defaultroute + leftid=@user + + right=my.vpn.com + + ikev2=no + ikelifetime=8h + '''; + } + ''; + description = "A set of connections to define for the Libreswan IPsec service"; + }; + + policies = mkOption { + type = types.attrsOf types.lines; + default = {}; + example = literalExpression '' + { private-or-clear = ''' + # Attempt opportunistic IPsec for the entire Internet + 0.0.0.0/0 + ::/0 + '''; + } + ''; + description = '' + A set of policies to apply to the IPsec connections. + + <note><para> + The policy name must match the one of connection it needs to apply to. + </para></note> + ''; + }; + + disableRedirects = mkOption { + type = types.bool; + default = true; + description = '' + Whether to disable send and accept redirects for all nework interfaces. + See the Libreswan <link xlink:href="https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F"> + FAQ</link> page for why this is recommended. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + # Install package, systemd units, etc. + environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ]; + systemd.packages = [ pkgs.libreswan ]; + systemd.tmpfiles.packages = [ pkgs.libreswan ]; + + # Install configuration files + environment.etc = { + "ipsec.secrets".source = "${pkgs.libreswan}/etc/ipsec.secrets"; + "ipsec.conf".source = "${pkgs.libreswan}/etc/ipsec.conf"; + "ipsec.d/01-nixos.conf".source = configFile; + } // policyFiles; + + # Create NSS database directory + systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ]; + + systemd.services.ipsec = { + description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec"; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ configFile ] ++ mapAttrsToList (n: v: v.source) policyFiles; + path = with pkgs; [ + libreswan + iproute2 + procps + nssTools + iptables + nettools + ]; + preStart = optionalString cfg.disableRedirects '' + # Disable send/receive redirects + echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects + echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects + ''; + }; + + }; + +} diff --git a/nixos/modules/services/networking/lldpd.nix b/nixos/modules/services/networking/lldpd.nix new file mode 100644 index 00000000000..d5de9c45d84 --- /dev/null +++ b/nixos/modules/services/networking/lldpd.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.lldpd; + +in + +{ + options.services.lldpd = { + enable = mkEnableOption "Link Layer Discovery Protocol Daemon"; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + example = [ "-c" "-k" "-I eth0" ]; + description = "List of command line parameters for lldpd"; + }; + }; + + config = mkIf cfg.enable { + users.users._lldpd = { + description = "lldpd user"; + group = "_lldpd"; + home = "/run/lldpd"; + isSystemUser = true; + }; + users.groups._lldpd = {}; + + environment.systemPackages = [ pkgs.lldpd ]; + systemd.packages = [ pkgs.lldpd ]; + + systemd.services.lldpd = { + wantedBy = [ "multi-user.target" ]; + environment.LLDPD_OPTIONS = concatStringsSep " " cfg.extraArgs; + }; + }; +} diff --git a/nixos/modules/services/networking/logmein-hamachi.nix b/nixos/modules/services/networking/logmein-hamachi.nix new file mode 100644 index 00000000000..11cbdda2f84 --- /dev/null +++ b/nixos/modules/services/networking/logmein-hamachi.nix @@ -0,0 +1,50 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.logmein-hamachi; + +in + +{ + + ###### interface + + options = { + + services.logmein-hamachi.enable = mkOption { + type = types.bool; + default = false; + description = + '' + Whether to enable LogMeIn Hamachi, a proprietary + (closed source) commercial VPN software. + ''; + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + systemd.services.logmein-hamachi = { + description = "LogMeIn Hamachi Daemon"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.logmein-hamachi}/bin/hamachid"; + }; + }; + + environment.systemPackages = [ pkgs.logmein-hamachi ]; + + }; + +} diff --git a/nixos/modules/services/networking/lxd-image-server.nix b/nixos/modules/services/networking/lxd-image-server.nix new file mode 100644 index 00000000000..b119ba8acf6 --- /dev/null +++ b/nixos/modules/services/networking/lxd-image-server.nix @@ -0,0 +1,137 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.lxd-image-server; + format = pkgs.formats.toml {}; + + location = "/var/www/simplestreams"; +in +{ + options = { + services.lxd-image-server = { + enable = mkEnableOption "lxd-image-server"; + + group = mkOption { + type = types.str; + description = "Group assigned to the user and the webroot directory."; + default = "nginx"; + example = "www-data"; + }; + + settings = mkOption { + type = format.type; + description = '' + Configuration for lxd-image-server. + + Example see <link xlink:href="https://github.com/Avature/lxd-image-server/blob/master/config.toml"/>. + ''; + default = {}; + }; + + nginx = { + enable = mkEnableOption "nginx"; + domain = mkOption { + type = types.str; + description = "Domain to use for nginx virtual host."; + example = "images.example.org"; + }; + }; + }; + }; + + config = mkMerge [ + (mkIf (cfg.enable) { + users.users.lxd-image-server = { + isSystemUser = true; + group = cfg.group; + }; + users.groups.${cfg.group} = {}; + + environment.etc."lxd-image-server/config.toml".source = format.generate "config.toml" cfg.settings; + + services.logrotate.paths.lxd-image-server = { + path = "/var/log/lxd-image-server/lxd-image-server.log"; + frequency = "daily"; + keep = 21; + extraConfig = '' + create 755 lxd-image-server ${cfg.group} + missingok + compress + delaycompress + copytruncate + notifempty + ''; + }; + + systemd.tmpfiles.rules = [ + "d /var/www/simplestreams 0755 lxd-image-server ${cfg.group}" + ]; + + systemd.services.lxd-image-server = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + description = "LXD Image Server"; + + script = '' + ${pkgs.lxd-image-server}/bin/lxd-image-server init + ${pkgs.lxd-image-server}/bin/lxd-image-server watch + ''; + + serviceConfig = { + User = "lxd-image-server"; + Group = cfg.group; + DynamicUser = true; + LogsDirectory = "lxd-image-server"; + RuntimeDirectory = "lxd-image-server"; + ExecReload = "${pkgs.lxd-image-server}/bin/lxd-image-server reload"; + ReadWritePaths = [ location ]; + }; + }; + }) + # this is seperate so it can be enabled on mirrored hosts + (mkIf (cfg.nginx.enable) { + # https://github.com/Avature/lxd-image-server/blob/master/resources/nginx/includes/lxd-image-server.pkg.conf + services.nginx.virtualHosts = { + "${cfg.nginx.domain}" = { + forceSSL = true; + enableACME = mkDefault true; + + root = location; + + locations = { + "/streams/v1/" = { + index = "index.json"; + }; + + # Serve json files with content type header application/json + "~ \.json$" = { + extraConfig = '' + add_header Content-Type application/json; + ''; + }; + + "~ \.tar.xz$" = { + extraConfig = '' + add_header Content-Type application/octet-stream; + ''; + }; + + "~ \.tar.gz$" = { + extraConfig = '' + add_header Content-Type application/octet-stream; + ''; + }; + + # Deny access to document root and the images folder + "~ ^/(images/)?$" = { + return = "403"; + }; + }; + }; + }; + }) + ]; +} diff --git a/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix b/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix new file mode 100644 index 00000000000..09d357cd2b6 --- /dev/null +++ b/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.magic-wormhole-mailbox-server; + dataDir = "/var/lib/magic-wormhole-mailbox-server;"; + python = pkgs.python3.withPackages (py: [ py.magic-wormhole-mailbox-server py.twisted ]); +in +{ + options.services.magic-wormhole-mailbox-server = { + enable = mkEnableOption "Enable Magic Wormhole Mailbox Server"; + }; + + config = mkIf cfg.enable { + systemd.services.magic-wormhole-mailbox-server = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + ExecStart = "${python}/bin/twistd --nodaemon wormhole-mailbox"; + WorkingDirectory = dataDir; + StateDirectory = baseNameOf dataDir; + }; + }; + + }; +} diff --git a/nixos/modules/services/networking/matterbridge.nix b/nixos/modules/services/networking/matterbridge.nix new file mode 100644 index 00000000000..9186eee26ab --- /dev/null +++ b/nixos/modules/services/networking/matterbridge.nix @@ -0,0 +1,120 @@ +{ options, config, pkgs, lib, ... }: + +with lib; + +let + + cfg = config.services.matterbridge; + + matterbridgeConfToml = + if cfg.configPath == null then + pkgs.writeText "matterbridge.toml" (cfg.configFile) + else + cfg.configPath; + +in + +{ + options = { + services.matterbridge = { + enable = mkEnableOption "Matterbridge chat platform bridge"; + + configPath = mkOption { + type = with types; nullOr str; + default = null; + example = "/etc/nixos/matterbridge.toml"; + description = '' + The path to the matterbridge configuration file. + ''; + }; + + configFile = mkOption { + type = types.str; + example = '' + # WARNING: as this file contains credentials, do not use this option! + # It is kept only for backwards compatibility, and would cause your + # credentials to be in the nix-store, thus with the world-readable + # permission bits. + # Use services.matterbridge.configPath instead. + + [irc] + [irc.libera] + Server="irc.libera.chat:6667" + Nick="matterbot" + + [mattermost] + [mattermost.work] + # Do not prefix it with http:// or https:// + Server="yourmattermostserver.domain" + Team="yourteam" + Login="yourlogin" + Password="yourpass" + PrefixMessagesWithNick=true + + [[gateway]] + name="gateway1" + enable=true + [[gateway.inout]] + account="irc.libera" + channel="#testing" + + [[gateway.inout]] + account="mattermost.work" + channel="off-topic" + ''; + description = '' + WARNING: THIS IS INSECURE, as your password will end up in + <filename>/nix/store</filename>, thus publicly readable. Use + <literal>services.matterbridge.configPath</literal> instead. + + The matterbridge configuration file in the TOML file format. + ''; + }; + user = mkOption { + type = types.str; + default = "matterbridge"; + description = '' + User which runs the matterbridge service. + ''; + }; + + group = mkOption { + type = types.str; + default = "matterbridge"; + description = '' + Group which runs the matterbridge service. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + warnings = optional options.services.matterbridge.configFile.isDefined + "The option services.matterbridge.configFile is insecure and should be replaced with services.matterbridge.configPath"; + + users.users = optionalAttrs (cfg.user == "matterbridge") + { matterbridge = { + group = "matterbridge"; + isSystemUser = true; + }; + }; + + users.groups = optionalAttrs (cfg.group == "matterbridge") + { matterbridge = { }; + }; + + systemd.services.matterbridge = { + description = "Matterbridge chat platform bridge"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = "${pkgs.matterbridge}/bin/matterbridge -conf ${matterbridgeConfToml}"; + Restart = "always"; + RestartSec = "10"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/minidlna.nix b/nixos/modules/services/networking/minidlna.nix new file mode 100644 index 00000000000..c860f63efa6 --- /dev/null +++ b/nixos/modules/services/networking/minidlna.nix @@ -0,0 +1,193 @@ +# Module for MiniDLNA, a simple DLNA server. +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.minidlna; + port = 8200; +in + +{ + ###### interface + options = { + services.minidlna.enable = mkOption { + type = types.bool; + default = false; + description = + '' + Whether to enable MiniDLNA, a simple DLNA server. It serves + media files such as video and music to DLNA client devices + such as televisions and media players. + ''; + }; + + services.minidlna.mediaDirs = mkOption { + type = types.listOf types.str; + default = []; + example = [ "/data/media" "V,/home/alice/video" ]; + description = + '' + Directories to be scanned for media files. The prefixes + <literal>A,</literal>, <literal>V,</literal> and + <literal>P,</literal> restrict a directory to audio, video + or image files. The directories must be accessible to the + <literal>minidlna</literal> user account. + ''; + }; + + services.minidlna.friendlyName = mkOption { + type = types.str; + default = "${config.networking.hostName} MiniDLNA"; + defaultText = literalExpression ''"''${config.networking.hostName} MiniDLNA"''; + example = "rpi3"; + description = + '' + Name that the DLNA server presents to clients. + ''; + }; + + services.minidlna.rootContainer = mkOption { + type = types.str; + default = "."; + example = "B"; + description = + '' + Use a different container as the root of the directory tree presented + to clients. The possible values are: + - "." - standard container + - "B" - "Browse Directory" + - "M" - "Music" + - "P" - "Pictures" + - "V" - "Video" + - Or, you can specify the ObjectID of your desired root container + (eg. 1$F for Music/Playlists) + If you specify "B" and the client device is audio-only then + "Music/Folders" will be used as root. + ''; + }; + + services.minidlna.loglevel = mkOption { + type = types.str; + default = "warn"; + example = "general,artwork,database,inotify,scanner,metadata,http,ssdp,tivo=warn"; + description = + '' + Defines the type of messages that should be logged, and down to + which level of importance they should be considered. + + The possible types are “artwork”, “database”, “general”, “http”, + “inotify”, “metadata”, “scanner”, “ssdp” and “tivo”. + + The levels are “off”, “fatal”, “error”, “warn”, “info” and + “debug”, listed here in order of decreasing importance. “off” + turns off logging messages entirely, “fatal” logs the most + critical messages only, and so on down to “debug” that logs every + single messages. + + The types are comma-separated, followed by an equal sign (‘=’), + followed by a level that applies to the preceding types. This can + be repeated, separating each of these constructs with a comma. + + Defaults to “general,artwork,database,inotify,scanner,metadata, + http,ssdp,tivo=warn” which logs every type of message at the + “warn” level. + ''; + }; + + services.minidlna.announceInterval = mkOption { + type = types.int; + default = 895; + description = + '' + The interval between announces (in seconds). + + By default miniDLNA will announce its presence on the network + approximately every 15 minutes. + + Many people prefer shorter announce intervals (e.g. 60 seconds) + on their home networks, especially when DLNA clients are + started on demand. + ''; + }; + + services.minidlna.config = mkOption { + type = types.lines; + description = + '' + The contents of MiniDLNA's configuration file. + When the service is activated, a basic template is generated + from the current options opened here. + ''; + }; + + services.minidlna.extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + # Not exhaustive example + # Support for streaming .jpg and .mp3 files to a TiVo supporting HMO. + enable_tivo=no + # SSDP notify interval, in seconds. + notify_interval=10 + # maximum number of simultaneous connections + # note: many clients open several simultaneous connections while + # streaming + max_connections=50 + # set this to yes to allow symlinks that point outside user-defined + # media_dirs. + wide_links=yes + ''; + description = + '' + Extra minidlna options not yet opened for configuration here + (strict_dlna, model_number, model_name, etc...). This is appended + to the current service already provided. + ''; + }; + }; + + ###### implementation + config = mkIf cfg.enable { + services.minidlna.config = + '' + port=${toString port} + friendly_name=${cfg.friendlyName} + db_dir=/var/cache/minidlna + log_level=${cfg.loglevel} + inotify=yes + root_container=${cfg.rootContainer} + ${concatMapStrings (dir: '' + media_dir=${dir} + '') cfg.mediaDirs} + notify_interval=${toString cfg.announceInterval} + ${cfg.extraConfig} + ''; + + users.users.minidlna = { + description = "MiniDLNA daemon user"; + group = "minidlna"; + uid = config.ids.uids.minidlna; + }; + + users.groups.minidlna.gid = config.ids.gids.minidlna; + + systemd.services.minidlna = + { description = "MiniDLNA Server"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = + { User = "minidlna"; + Group = "minidlna"; + CacheDirectory = "minidlna"; + RuntimeDirectory = "minidlna"; + PIDFile = "/run/minidlna/pid"; + ExecStart = + "${pkgs.minidlna}/sbin/minidlnad -S -P /run/minidlna/pid" + + " -f ${pkgs.writeText "minidlna.conf" cfg.config}"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/miniupnpd.nix b/nixos/modules/services/networking/miniupnpd.nix new file mode 100644 index 00000000000..c095d994854 --- /dev/null +++ b/nixos/modules/services/networking/miniupnpd.nix @@ -0,0 +1,79 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.miniupnpd; + configFile = pkgs.writeText "miniupnpd.conf" '' + ext_ifname=${cfg.externalInterface} + enable_natpmp=${if cfg.natpmp then "yes" else "no"} + enable_upnp=${if cfg.upnp then "yes" else "no"} + + ${concatMapStrings (range: '' + listening_ip=${range} + '') cfg.internalIPs} + + ${cfg.appendConfig} + ''; +in +{ + options = { + services.miniupnpd = { + enable = mkEnableOption "MiniUPnP daemon"; + + externalInterface = mkOption { + type = types.str; + description = '' + Name of the external interface. + ''; + }; + + internalIPs = mkOption { + type = types.listOf types.str; + example = [ "192.168.1.1/24" "enp1s0" ]; + description = '' + The IP address ranges to listen on. + ''; + }; + + natpmp = mkEnableOption "NAT-PMP support"; + + upnp = mkOption { + default = true; + type = types.bool; + description = '' + Whether to enable UPNP support. + ''; + }; + + appendConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Configuration lines appended to the MiniUPnP config. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + networking.firewall.extraCommands = '' + ${pkgs.bash}/bin/bash -x ${pkgs.miniupnpd}/etc/miniupnpd/iptables_init.sh -i ${cfg.externalInterface} + ''; + + networking.firewall.extraStopCommands = '' + ${pkgs.bash}/bin/bash -x ${pkgs.miniupnpd}/etc/miniupnpd/iptables_removeall.sh -i ${cfg.externalInterface} + ''; + + systemd.services.miniupnpd = { + description = "MiniUPnP daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.miniupnpd}/bin/miniupnpd -f ${configFile}"; + PIDFile = "/run/miniupnpd.pid"; + Type = "forking"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/miredo.nix b/nixos/modules/services/networking/miredo.nix new file mode 100644 index 00000000000..b7f657efb71 --- /dev/null +++ b/nixos/modules/services/networking/miredo.nix @@ -0,0 +1,92 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.miredo; + pidFile = "/run/miredo.pid"; + miredoConf = pkgs.writeText "miredo.conf" '' + InterfaceName ${cfg.interfaceName} + ServerAddress ${cfg.serverAddress} + ${optionalString (cfg.bindAddress != null) "BindAddress ${cfg.bindAddress}"} + ${optionalString (cfg.bindPort != null) "BindPort ${cfg.bindPort}"} + ''; +in +{ + + ###### interface + + options = { + + services.miredo = { + + enable = mkEnableOption "the Miredo IPv6 tunneling service"; + + package = mkOption { + type = types.package; + default = pkgs.miredo; + defaultText = literalExpression "pkgs.miredo"; + description = '' + The package to use for the miredo daemon's binary. + ''; + }; + + serverAddress = mkOption { + default = "teredo.remlab.net"; + type = types.str; + description = '' + The hostname or primary IPv4 address of the Teredo server. + This setting is required if Miredo runs as a Teredo client. + "teredo.remlab.net" is an experimental service for testing only. + Please use another server for production and/or large scale deployments. + ''; + }; + + interfaceName = mkOption { + default = "teredo"; + type = types.str; + description = '' + Name of the network tunneling interface. + ''; + }; + + bindAddress = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + Depending on the local firewall/NAT rules, you might need to force + Miredo to use a fixed UDP port and or IPv4 address. + ''; + }; + + bindPort = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + Depending on the local firewall/NAT rules, you might need to force + Miredo to use a fixed UDP port and or IPv4 address. + ''; + }; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + systemd.services.miredo = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "Teredo IPv6 Tunneling Daemon"; + serviceConfig = { + Restart = "always"; + RestartSec = "5s"; + ExecStart = "${cfg.package}/bin/miredo -c ${miredoConf} -p ${pidFile} -f"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + }; + }; + + }; + +} diff --git a/nixos/modules/services/networking/mjpg-streamer.nix b/nixos/modules/services/networking/mjpg-streamer.nix new file mode 100644 index 00000000000..dbc35e2e71c --- /dev/null +++ b/nixos/modules/services/networking/mjpg-streamer.nix @@ -0,0 +1,80 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.mjpg-streamer; + +in { + + options = { + + services.mjpg-streamer = { + + enable = mkEnableOption "mjpg-streamer webcam streamer"; + + inputPlugin = mkOption { + type = types.str; + default = "input_uvc.so"; + description = '' + Input plugin. See plugins documentation for more information. + ''; + }; + + outputPlugin = mkOption { + type = types.str; + default = "output_http.so -w @www@ -n -p 5050"; + description = '' + Output plugin. <literal>@www@</literal> is substituted for default mjpg-streamer www directory. + See plugins documentation for more information. + ''; + }; + + user = mkOption { + type = types.str; + default = "mjpg-streamer"; + description = "mjpg-streamer user name."; + }; + + group = mkOption { + type = types.str; + default = "video"; + description = "mjpg-streamer group name."; + }; + + }; + + }; + + config = mkIf cfg.enable { + + users.users = optionalAttrs (cfg.user == "mjpg-streamer") { + mjpg-streamer = { + uid = config.ids.uids.mjpg-streamer; + group = cfg.group; + }; + }; + + systemd.services.mjpg-streamer = { + description = "mjpg-streamer webcam streamer"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Restart = "on-failure"; + RestartSec = 1; + }; + + script = '' + IPLUGIN="${cfg.inputPlugin}" + OPLUGIN="${cfg.outputPlugin}" + OPLUGIN="''${OPLUGIN//@www@/${pkgs.mjpg-streamer}/share/mjpg-streamer/www}" + exec ${pkgs.mjpg-streamer}/bin/mjpg_streamer -i "$IPLUGIN" -o "$OPLUGIN" + ''; + }; + + }; + +} diff --git a/nixos/modules/services/networking/monero.nix b/nixos/modules/services/networking/monero.nix new file mode 100644 index 00000000000..8bed89917c8 --- /dev/null +++ b/nixos/modules/services/networking/monero.nix @@ -0,0 +1,244 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.monero; + + listToConf = option: list: + concatMapStrings (value: "${option}=${value}\n") list; + + login = (cfg.rpc.user != null && cfg.rpc.password != null); + + configFile = with cfg; pkgs.writeText "monero.conf" '' + log-file=/dev/stdout + data-dir=${dataDir} + + ${optionalString mining.enable '' + start-mining=${mining.address} + mining-threads=${toString mining.threads} + ''} + + rpc-bind-ip=${rpc.address} + rpc-bind-port=${toString rpc.port} + ${optionalString login '' + rpc-login=${rpc.user}:${rpc.password} + ''} + ${optionalString rpc.restricted '' + restricted-rpc=1 + ''} + + limit-rate-up=${toString limits.upload} + limit-rate-down=${toString limits.download} + max-concurrency=${toString limits.threads} + block-sync-size=${toString limits.syncSize} + + ${listToConf "add-peer" extraNodes} + ${listToConf "add-priority-node" priorityNodes} + ${listToConf "add-exclusive-node" exclusiveNodes} + + ${extraConfig} + ''; + +in + +{ + + ###### interface + + options = { + + services.monero = { + + enable = mkEnableOption "Monero node daemon"; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/monero"; + description = '' + The directory where Monero stores its data files. + ''; + }; + + mining.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to mine monero. + ''; + }; + + mining.address = mkOption { + type = types.str; + default = ""; + description = '' + Monero address where to send mining rewards. + ''; + }; + + mining.threads = mkOption { + type = types.addCheck types.int (x: x>=0); + default = 0; + description = '' + Number of threads used for mining. + Set to <literal>0</literal> to use all available. + ''; + }; + + rpc.user = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + User name for RPC connections. + ''; + }; + + rpc.password = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Password for RPC connections. + ''; + }; + + rpc.address = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + IP address the RPC server will bind to. + ''; + }; + + rpc.port = mkOption { + type = types.port; + default = 18081; + description = '' + Port the RPC server will bind to. + ''; + }; + + rpc.restricted = mkOption { + type = types.bool; + default = false; + description = '' + Whether to restrict RPC to view only commands. + ''; + }; + + limits.upload = mkOption { + type = types.addCheck types.int (x: x>=-1); + default = -1; + description = '' + Limit of the upload rate in kB/s. + Set to <literal>-1</literal> to leave unlimited. + ''; + }; + + limits.download = mkOption { + type = types.addCheck types.int (x: x>=-1); + default = -1; + description = '' + Limit of the download rate in kB/s. + Set to <literal>-1</literal> to leave unlimited. + ''; + }; + + limits.threads = mkOption { + type = types.addCheck types.int (x: x>=0); + default = 0; + description = '' + Maximum number of threads used for a parallel job. + Set to <literal>0</literal> to leave unlimited. + ''; + }; + + limits.syncSize = mkOption { + type = types.addCheck types.int (x: x>=0); + default = 0; + description = '' + Maximum number of blocks to sync at once. + Set to <literal>0</literal> for adaptive. + ''; + }; + + extraNodes = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + List of additional peer IP addresses to add to the local list. + ''; + }; + + priorityNodes = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + List of peer IP addresses to connect to and + attempt to keep the connection open. + ''; + }; + + exclusiveNodes = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + List of peer IP addresses to connect to *only*. + If given the other peer options will be ignored. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra lines to be added verbatim to monerod configuration. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + users.users.monero = { + isSystemUser = true; + group = "monero"; + description = "Monero daemon user"; + home = cfg.dataDir; + createHome = true; + }; + + users.groups.monero = { }; + + systemd.services.monero = { + description = "monero daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = "monero"; + Group = "monero"; + ExecStart = "${pkgs.monero-cli}/bin/monerod --config-file=${configFile} --non-interactive"; + Restart = "always"; + SuccessExitStatus = [ 0 1 ]; + }; + }; + + assertions = singleton { + assertion = cfg.mining.enable -> cfg.mining.address != ""; + message = '' + You need a Monero address to receive mining rewards: + specify one using option monero.mining.address. + ''; + }; + + }; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + +} + diff --git a/nixos/modules/services/networking/morty.nix b/nixos/modules/services/networking/morty.nix new file mode 100644 index 00000000000..dff2f482ca6 --- /dev/null +++ b/nixos/modules/services/networking/morty.nix @@ -0,0 +1,98 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.morty; + +in + +{ + + ###### interface + + options = { + + services.morty = { + + enable = mkEnableOption + "Morty proxy server. See https://github.com/asciimoo/morty"; + + ipv6 = mkOption { + type = types.bool; + default = true; + description = "Allow IPv6 HTTP requests?"; + }; + + key = mkOption { + type = types.str; + default = ""; + description = '' + HMAC url validation key (hexadecimal encoded). + Leave blank to disable. Without validation key, anyone can + submit proxy requests. Leave blank to disable. + Generate with <literal>printf %s somevalue | openssl dgst -sha1 -hmac somekey</literal> + ''; + }; + + timeout = mkOption { + type = types.int; + default = 2; + description = "Request timeout in seconds."; + }; + + package = mkOption { + type = types.package; + default = pkgs.morty; + defaultText = literalExpression "pkgs.morty"; + description = "morty package to use."; + }; + + port = mkOption { + type = types.int; + default = 3000; + description = "Listing port"; + }; + + listenAddress = mkOption { + type = types.str; + default = "127.0.0.1"; + description = "The address on which the service listens"; + }; + + }; + + }; + + ###### Service definition + + config = mkIf config.services.morty.enable { + + users.users.morty = + { description = "Morty user"; + createHome = true; + home = "/var/lib/morty"; + isSystemUser = true; + group = "morty"; + }; + users.groups.morty = {}; + + systemd.services.morty = + { + description = "Morty sanitizing proxy server."; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = "morty"; + ExecStart = ''${cfg.package}/bin/morty \ + -listen ${cfg.listenAddress}:${toString cfg.port} \ + ${optionalString cfg.ipv6 "-ipv6"} \ + ${optionalString (cfg.key != "") "-key " + cfg.key} \ + ''; + }; + }; + environment.systemPackages = [ cfg.package ]; + + }; +} diff --git a/nixos/modules/services/networking/mosquitto.md b/nixos/modules/services/networking/mosquitto.md new file mode 100644 index 00000000000..5cdb598151e --- /dev/null +++ b/nixos/modules/services/networking/mosquitto.md @@ -0,0 +1,102 @@ +# Mosquitto {#module-services-mosquitto} + +Mosquitto is a MQTT broker often used for IoT or home automation data transport. + +## Quickstart {#module-services-mosquitto-quickstart} + +A minimal configuration for Mosquitto is + +```nix +services.mosquitto = { + enable = true; + listeners = [ { + acl = [ "pattern readwrite #" ]; + omitPasswordAuth = true; + settings.allow_anonymous = true; + } ]; +}; +``` + +This will start a broker on port 1883, listening on all interfaces of the machine, allowing +read/write access to all topics to any user without password requirements. + +User authentication can be configured with the `users` key of listeners. A config that gives +full read access to a user `monitor` and restricted write access to a user `service` could look +like + +```nix +services.mosquitto = { + enable = true; + listeners = [ { + users = { + monitor = { + acl = [ "read #" ]; + password = "monitor"; + }; + service = { + acl = [ "write service/#" ]; + password = "service"; + }; + }; + } ]; +}; +``` + +TLS authentication is configured by setting TLS-related options of the listener: + +```nix +services.mosquitto = { + enable = true; + listeners = [ { + port = 8883; # port change is not required, but helpful to avoid mistakes + # ... + settings = { + cafile = "/path/to/mqtt.ca.pem"; + certfile = "/path/to/mqtt.pem"; + keyfile = "/path/to/mqtt.key"; + }; + } ]; +``` + +## Configuration {#module-services-mosquitto-config} + +The Mosquitto configuration has four distinct types of settings: +the global settings of the daemon, listeners, plugins, and bridges. +Bridges and listeners are part of the global configuration, plugins are part of listeners. +Users of the broker are configured as parts of listeners rather than globally, allowing +configurations in which a given user is only allowed to log in to the broker using specific +listeners (eg to configure an admin user with full access to all topics, but restricted to +localhost). + +Almost all options of Mosquitto are available for configuration at their appropriate levels, some +as NixOS options written in camel case, the remainders under `settings` with their exact names in +the Mosquitto config file. The exceptions are `acl_file` (which is always set according to the +`acl` attributes of a listener and its users) and `per_listener_settings` (which is always set to +`true`). + +### Password authentication {#module-services-mosquitto-config-passwords} + +Mosquitto can be run in two modes, with a password file or without. Each listener has its own +password file, and different listeners may use different password files. Password file generation +can be disabled by setting `omitPasswordAuth = true` for a listener; in this case it is necessary +to either set `settings.allow_anonymous = true` to allow all logins, or to configure other +authentication methods like TLS client certificates with `settings.use_identity_as_username = true`. + +The default is to generate a password file for each listener from the users configured to that +listener. Users with no configured password will not be added to the password file and thus +will not be able to use the broker. + +### ACL format {#module-services-mosquitto-config-acl} + +Every listener has a Mosquitto `acl_file` attached to it. This ACL is configured via two +attributes of the config: + + * the `acl` attribute of the listener configures pattern ACL entries and topic ACL entries + for anonymous users. Each entry must be prefixed with `pattern` or `topic` to distinguish + between these two cases. + * the `acl` attribute of every user configures in the listener configured the ACL for that + given user. Only topic ACLs are supported by Mosquitto in this setting, so no prefix is + required or allowed. + +The default ACL for a listener is empty, disallowing all accesses from all clients. To configure +a completely open ACL, set `acl = [ "pattern readwrite #" ]` in the listener. diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix new file mode 100644 index 00000000000..b41a2fd27be --- /dev/null +++ b/nixos/modules/services/networking/mosquitto.nix @@ -0,0 +1,673 @@ +{ config, lib, pkgs, ...}: + +with lib; + +let + cfg = config.services.mosquitto; + + # note that mosquitto config parsing is very simplistic as of may 2021. + # often times they'll e.g. strtok() a line, check the first two tokens, and ignore the rest. + # there's no escaping available either, so we have to prevent any being necessary. + str = types.strMatching "[^\r\n]*" // { + description = "single-line string"; + }; + path = types.addCheck types.path (p: str.check "${p}"); + configKey = types.strMatching "[^\r\n\t ]+"; + optionType = with types; oneOf [ str path bool int ] // { + description = "string, path, bool, or integer"; + }; + optionToString = v: + if isBool v then boolToString v + else if path.check v then "${v}" + else toString v; + + assertKeysValid = prefix: valid: config: + mapAttrsToList + (n: _: { + assertion = valid ? ${n}; + message = "Invalid config key ${prefix}.${n}."; + }) + config; + + formatFreeform = { prefix ? "" }: mapAttrsToList (n: v: "${prefix}${n} ${optionToString v}"); + + userOptions = with types; submodule { + options = { + password = mkOption { + type = uniq (nullOr str); + default = null; + description = '' + Specifies the (clear text) password for the MQTT User. + ''; + }; + + passwordFile = mkOption { + type = uniq (nullOr types.path); + example = "/path/to/file"; + default = null; + description = '' + Specifies the path to a file containing the + clear text password for the MQTT user. + ''; + }; + + hashedPassword = mkOption { + type = uniq (nullOr str); + default = null; + description = '' + Specifies the hashed password for the MQTT User. + To generate hashed password install <literal>mosquitto</literal> + package and use <literal>mosquitto_passwd</literal>. + ''; + }; + + hashedPasswordFile = mkOption { + type = uniq (nullOr types.path); + example = "/path/to/file"; + default = null; + description = '' + Specifies the path to a file containing the + hashed password for the MQTT user. + To generate hashed password install <literal>mosquitto</literal> + package and use <literal>mosquitto_passwd</literal>. + ''; + }; + + acl = mkOption { + type = listOf str; + example = [ "read A/B" "readwrite A/#" ]; + default = []; + description = '' + Control client access to topics on the broker. + ''; + }; + }; + }; + + userAsserts = prefix: users: + mapAttrsToList + (n: _: { + assertion = builtins.match "[^:\r\n]+" n != null; + message = "Invalid user name ${n} in ${prefix}"; + }) + users + ++ mapAttrsToList + (n: u: { + assertion = count (s: s != null) [ + u.password u.passwordFile u.hashedPassword u.hashedPasswordFile + ] <= 1; + message = "Cannot set more than one password option for user ${n} in ${prefix}"; + }) users; + + makePasswordFile = users: path: + let + makeLines = store: file: + mapAttrsToList + (n: u: "addLine ${escapeShellArg n} ${escapeShellArg u.${store}}") + (filterAttrs (_: u: u.${store} != null) users) + ++ mapAttrsToList + (n: u: "addFile ${escapeShellArg n} ${escapeShellArg "${u.${file}}"}") + (filterAttrs (_: u: u.${file} != null) users); + plainLines = makeLines "password" "passwordFile"; + hashedLines = makeLines "hashedPassword" "hashedPasswordFile"; + in + pkgs.writeScript "make-mosquitto-passwd" + ('' + #! ${pkgs.runtimeShell} + + set -eu + + file=${escapeShellArg path} + + rm -f "$file" + touch "$file" + + addLine() { + echo "$1:$2" >> "$file" + } + addFile() { + if [ $(wc -l <"$2") -gt 1 ]; then + echo "invalid mosquitto password file $2" >&2 + return 1 + fi + echo "$1:$(cat "$2")" >> "$file" + } + '' + + concatStringsSep "\n" + (plainLines + ++ optional (plainLines != []) '' + ${cfg.package}/bin/mosquitto_passwd -U "$file" + '' + ++ hashedLines)); + + makeACLFile = idx: users: supplement: + pkgs.writeText "mosquitto-acl-${toString idx}.conf" + (concatStringsSep + "\n" + (flatten [ + supplement + (mapAttrsToList + (n: u: [ "user ${n}" ] ++ map (t: "topic ${t}") u.acl) + users) + ])); + + authPluginOptions = with types; submodule { + options = { + plugin = mkOption { + type = path; + description = '' + Plugin path to load, should be a <literal>.so</literal> file. + ''; + }; + + denySpecialChars = mkOption { + type = bool; + description = '' + Automatically disallow all clients using <literal>#</literal> + or <literal>+</literal> in their name/id. + ''; + default = true; + }; + + options = mkOption { + type = attrsOf optionType; + description = '' + Options for the auth plugin. Each key turns into a <literal>auth_opt_*</literal> + line in the config. + ''; + default = {}; + }; + }; + }; + + authAsserts = prefix: auth: + mapAttrsToList + (n: _: { + assertion = configKey.check n; + message = "Invalid auth plugin key ${prefix}.${n}"; + }) + auth; + + formatAuthPlugin = plugin: + [ + "auth_plugin ${plugin.plugin}" + "auth_plugin_deny_special_chars ${optionToString plugin.denySpecialChars}" + ] + ++ formatFreeform { prefix = "auth_opt_"; } plugin.options; + + freeformListenerKeys = { + allow_anonymous = 1; + allow_zero_length_clientid = 1; + auto_id_prefix = 1; + cafile = 1; + capath = 1; + certfile = 1; + ciphers = 1; + "ciphers_tls1.3" = 1; + crlfile = 1; + dhparamfile = 1; + http_dir = 1; + keyfile = 1; + max_connections = 1; + max_qos = 1; + max_topic_alias = 1; + mount_point = 1; + protocol = 1; + psk_file = 1; + psk_hint = 1; + require_certificate = 1; + socket_domain = 1; + tls_engine = 1; + tls_engine_kpass_sha1 = 1; + tls_keyform = 1; + tls_version = 1; + use_identity_as_username = 1; + use_subject_as_username = 1; + use_username_as_clientid = 1; + }; + + listenerOptions = with types; submodule { + options = { + port = mkOption { + type = port; + description = '' + Port to listen on. Must be set to 0 to listen on a unix domain socket. + ''; + default = 1883; + }; + + address = mkOption { + type = nullOr str; + description = '' + Address to listen on. Listen on <literal>0.0.0.0</literal>/<literal>::</literal> + when unset. + ''; + default = null; + }; + + authPlugins = mkOption { + type = listOf authPluginOptions; + description = '' + Authentication plugin to attach to this listener. + Refer to the <link xlink:href="https://mosquitto.org/man/mosquitto-conf-5.html"> + mosquitto.conf documentation</link> for details on authentication plugins. + ''; + default = []; + }; + + users = mkOption { + type = attrsOf userOptions; + example = { john = { password = "123456"; acl = [ "readwrite john/#" ]; }; }; + description = '' + A set of users and their passwords and ACLs. + ''; + default = {}; + }; + + omitPasswordAuth = mkOption { + type = bool; + description = '' + Omits password checking, allowing anyone to log in with any user name unless + other mandatory authentication methods (eg TLS client certificates) are configured. + ''; + default = false; + }; + + acl = mkOption { + type = listOf str; + description = '' + Additional ACL items to prepend to the generated ACL file. + ''; + example = [ "pattern read #" "topic readwrite anon/report/#" ]; + default = []; + }; + + settings = mkOption { + type = submodule { + freeformType = attrsOf optionType; + }; + description = '' + Additional settings for this listener. + ''; + default = {}; + }; + }; + }; + + listenerAsserts = prefix: listener: + assertKeysValid prefix freeformListenerKeys listener.settings + ++ userAsserts prefix listener.users + ++ imap0 + (i: v: authAsserts "${prefix}.authPlugins.${toString i}" v) + listener.authPlugins; + + formatListener = idx: listener: + [ + "listener ${toString listener.port} ${toString listener.address}" + "acl_file ${makeACLFile idx listener.users listener.acl}" + ] + ++ optional (! listener.omitPasswordAuth) "password_file ${cfg.dataDir}/passwd-${toString idx}" + ++ formatFreeform {} listener.settings + ++ concatMap formatAuthPlugin listener.authPlugins; + + freeformBridgeKeys = { + bridge_alpn = 1; + bridge_attempt_unsubscribe = 1; + bridge_bind_address = 1; + bridge_cafile = 1; + bridge_capath = 1; + bridge_certfile = 1; + bridge_identity = 1; + bridge_insecure = 1; + bridge_keyfile = 1; + bridge_max_packet_size = 1; + bridge_outgoing_retain = 1; + bridge_protocol_version = 1; + bridge_psk = 1; + bridge_require_ocsp = 1; + bridge_tls_version = 1; + cleansession = 1; + idle_timeout = 1; + keepalive_interval = 1; + local_cleansession = 1; + local_clientid = 1; + local_password = 1; + local_username = 1; + notification_topic = 1; + notifications = 1; + notifications_local_only = 1; + remote_clientid = 1; + remote_password = 1; + remote_username = 1; + restart_timeout = 1; + round_robin = 1; + start_type = 1; + threshold = 1; + try_private = 1; + }; + + bridgeOptions = with types; submodule { + options = { + addresses = mkOption { + type = listOf (submodule { + options = { + address = mkOption { + type = str; + description = '' + Address of the remote MQTT broker. + ''; + }; + + port = mkOption { + type = port; + description = '' + Port of the remote MQTT broker. + ''; + default = 1883; + }; + }; + }); + default = []; + description = '' + Remote endpoints for the bridge. + ''; + }; + + topics = mkOption { + type = listOf str; + description = '' + Topic patterns to be shared between the two brokers. + Refer to the <link xlink:href="https://mosquitto.org/man/mosquitto-conf-5.html"> + mosquitto.conf documentation</link> for details on the format. + ''; + default = []; + example = [ "# both 2 local/topic/ remote/topic/" ]; + }; + + settings = mkOption { + type = submodule { + freeformType = attrsOf optionType; + }; + description = '' + Additional settings for this bridge. + ''; + default = {}; + }; + }; + }; + + bridgeAsserts = prefix: bridge: + assertKeysValid prefix freeformBridgeKeys bridge.settings + ++ [ { + assertion = length bridge.addresses > 0; + message = "Bridge ${prefix} needs remote broker addresses"; + } ]; + + formatBridge = name: bridge: + [ + "connection ${name}" + "addresses ${concatMapStringsSep " " (a: "${a.address}:${toString a.port}") bridge.addresses}" + ] + ++ map (t: "topic ${t}") bridge.topics + ++ formatFreeform {} bridge.settings; + + freeformGlobalKeys = { + allow_duplicate_messages = 1; + autosave_interval = 1; + autosave_on_changes = 1; + check_retain_source = 1; + connection_messages = 1; + log_facility = 1; + log_timestamp = 1; + log_timestamp_format = 1; + max_inflight_bytes = 1; + max_inflight_messages = 1; + max_keepalive = 1; + max_packet_size = 1; + max_queued_bytes = 1; + max_queued_messages = 1; + memory_limit = 1; + message_size_limit = 1; + persistence_file = 1; + persistence_location = 1; + persistent_client_expiration = 1; + pid_file = 1; + queue_qos0_messages = 1; + retain_available = 1; + set_tcp_nodelay = 1; + sys_interval = 1; + upgrade_outgoing_qos = 1; + websockets_headers_size = 1; + websockets_log_level = 1; + }; + + globalOptions = with types; { + enable = mkEnableOption "the MQTT Mosquitto broker"; + + package = mkOption { + type = package; + default = pkgs.mosquitto; + defaultText = literalExpression "pkgs.mosquitto"; + description = '' + Mosquitto package to use. + ''; + }; + + bridges = mkOption { + type = attrsOf bridgeOptions; + default = {}; + description = '' + Bridges to build to other MQTT brokers. + ''; + }; + + listeners = mkOption { + type = listOf listenerOptions; + default = {}; + description = '' + Listeners to configure on this broker. + ''; + }; + + includeDirs = mkOption { + type = listOf path; + description = '' + Directories to be scanned for further config files to include. + Directories will processed in the order given, + <literal>*.conf</literal> files in the directory will be + read in case-sensistive alphabetical order. + ''; + default = []; + }; + + logDest = mkOption { + type = listOf (either path (enum [ "stdout" "stderr" "syslog" "topic" "dlt" ])); + description = '' + Destinations to send log messages to. + ''; + default = [ "stderr" ]; + }; + + logType = mkOption { + type = listOf (enum [ "debug" "error" "warning" "notice" "information" + "subscribe" "unsubscribe" "websockets" "none" "all" ]); + description = '' + Types of messages to log. + ''; + default = []; + }; + + persistence = mkOption { + type = bool; + description = '' + Enable persistent storage of subscriptions and messages. + ''; + default = true; + }; + + dataDir = mkOption { + default = "/var/lib/mosquitto"; + type = types.path; + description = '' + The data directory. + ''; + }; + + settings = mkOption { + type = submodule { + freeformType = attrsOf optionType; + }; + description = '' + Global configuration options for the mosquitto broker. + ''; + default = {}; + }; + }; + + globalAsserts = prefix: cfg: + flatten [ + (assertKeysValid prefix freeformGlobalKeys cfg.settings) + (imap0 (n: l: listenerAsserts "${prefix}.listener.${toString n}" l) cfg.listeners) + (mapAttrsToList (n: b: bridgeAsserts "${prefix}.bridge.${n}" b) cfg.bridges) + ]; + + formatGlobal = cfg: + [ + "per_listener_settings true" + "persistence ${optionToString cfg.persistence}" + ] + ++ map + (d: if path.check d then "log_dest file ${d}" else "log_dest ${d}") + cfg.logDest + ++ map (t: "log_type ${t}") cfg.logType + ++ formatFreeform {} cfg.settings + ++ concatLists (imap0 formatListener cfg.listeners) + ++ concatLists (mapAttrsToList formatBridge cfg.bridges) + ++ map (d: "include_dir ${d}") cfg.includeDirs; + + configFile = pkgs.writeText "mosquitto.conf" + (concatStringsSep "\n" (formatGlobal cfg)); + +in + +{ + + ###### Interface + + options.services.mosquitto = globalOptions; + + ###### Implementation + + config = mkIf cfg.enable { + + assertions = globalAsserts "services.mosquitto" cfg; + + systemd.services.mosquitto = { + description = "Mosquitto MQTT Broker Daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + serviceConfig = { + Type = "notify"; + NotifyAccess = "main"; + User = "mosquitto"; + Group = "mosquitto"; + RuntimeDirectory = "mosquitto"; + WorkingDirectory = cfg.dataDir; + Restart = "on-failure"; + ExecStart = "${cfg.package}/bin/mosquitto -c ${configFile}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + # Hardening + CapabilityBoundingSet = ""; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "strict"; + ReadWritePaths = [ + cfg.dataDir + "/tmp" # mosquitto_passwd creates files in /tmp before moving them + ] ++ filter path.check cfg.logDest; + ReadOnlyPaths = + map (p: "${p}") + (cfg.includeDirs + ++ filter + (v: v != null) + (flatten [ + (map + (l: [ + (l.settings.psk_file or null) + (l.settings.http_dir or null) + (l.settings.cafile or null) + (l.settings.capath or null) + (l.settings.certfile or null) + (l.settings.crlfile or null) + (l.settings.dhparamfile or null) + (l.settings.keyfile or null) + ]) + cfg.listeners) + (mapAttrsToList + (_: b: [ + (b.settings.bridge_cafile or null) + (b.settings.bridge_capath or null) + (b.settings.bridge_certfile or null) + (b.settings.bridge_keyfile or null) + ]) + cfg.bridges) + ])); + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_UNIX" # for sd_notify() call + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; + }; + preStart = + concatStringsSep + "\n" + (imap0 + (idx: listener: makePasswordFile listener.users "${cfg.dataDir}/passwd-${toString idx}") + cfg.listeners); + }; + + users.users.mosquitto = { + description = "Mosquitto MQTT Broker Daemon owner"; + group = "mosquitto"; + uid = config.ids.uids.mosquitto; + home = cfg.dataDir; + createHome = true; + }; + + users.groups.mosquitto.gid = config.ids.gids.mosquitto; + + }; + + meta = { + maintainers = with lib.maintainers; [ pennae ]; + # Don't edit the docbook xml directly, edit the md and generate it: + # `pandoc mosquitto.md -t docbook --top-level-division=chapter --extract-media=media -f markdown+smart > mosquitto.xml` + doc = ./mosquitto.xml; + }; +} diff --git a/nixos/modules/services/networking/mosquitto.xml b/nixos/modules/services/networking/mosquitto.xml new file mode 100644 index 00000000000..d16ab28c026 --- /dev/null +++ b/nixos/modules/services/networking/mosquitto.xml @@ -0,0 +1,147 @@ +<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="module-services-mosquitto"> + <title>Mosquitto</title> + <para> + Mosquitto is a MQTT broker often used for IoT or home automation + data transport. + </para> + <section xml:id="module-services-mosquitto-quickstart"> + <title>Quickstart</title> + <para> + A minimal configuration for Mosquitto is + </para> + <programlisting language="bash"> +services.mosquitto = { + enable = true; + listeners = [ { + acl = [ "pattern readwrite #" ]; + omitPasswordAuth = true; + settings.allow_anonymous = true; + } ]; +}; +</programlisting> + <para> + This will start a broker on port 1883, listening on all interfaces + of the machine, allowing read/write access to all topics to any + user without password requirements. + </para> + <para> + User authentication can be configured with the + <literal>users</literal> key of listeners. A config that gives + full read access to a user <literal>monitor</literal> and + restricted write access to a user <literal>service</literal> could + look like + </para> + <programlisting language="bash"> +services.mosquitto = { + enable = true; + listeners = [ { + users = { + monitor = { + acl = [ "read #" ]; + password = "monitor"; + }; + service = { + acl = [ "write service/#" ]; + password = "service"; + }; + }; + } ]; +}; +</programlisting> + <para> + TLS authentication is configured by setting TLS-related options of + the listener: + </para> + <programlisting language="bash"> +services.mosquitto = { + enable = true; + listeners = [ { + port = 8883; # port change is not required, but helpful to avoid mistakes + # ... + settings = { + cafile = "/path/to/mqtt.ca.pem"; + certfile = "/path/to/mqtt.pem"; + keyfile = "/path/to/mqtt.key"; + }; + } ]; +</programlisting> + </section> + <section xml:id="module-services-mosquitto-config"> + <title>Configuration</title> + <para> + The Mosquitto configuration has four distinct types of settings: + the global settings of the daemon, listeners, plugins, and + bridges. Bridges and listeners are part of the global + configuration, plugins are part of listeners. Users of the broker + are configured as parts of listeners rather than globally, + allowing configurations in which a given user is only allowed to + log in to the broker using specific listeners (eg to configure an + admin user with full access to all topics, but restricted to + localhost). + </para> + <para> + Almost all options of Mosquitto are available for configuration at + their appropriate levels, some as NixOS options written in camel + case, the remainders under <literal>settings</literal> with their + exact names in the Mosquitto config file. The exceptions are + <literal>acl_file</literal> (which is always set according to the + <literal>acl</literal> attributes of a listener and its users) and + <literal>per_listener_settings</literal> (which is always set to + <literal>true</literal>). + </para> + <section xml:id="module-services-mosquitto-config-passwords"> + <title>Password authentication</title> + <para> + Mosquitto can be run in two modes, with a password file or + without. Each listener has its own password file, and different + listeners may use different password files. Password file + generation can be disabled by setting + <literal>omitPasswordAuth = true</literal> for a listener; in + this case it is necessary to either set + <literal>settings.allow_anonymous = true</literal> to allow all + logins, or to configure other authentication methods like TLS + client certificates with + <literal>settings.use_identity_as_username = true</literal>. + </para> + <para> + The default is to generate a password file for each listener + from the users configured to that listener. Users with no + configured password will not be added to the password file and + thus will not be able to use the broker. + </para> + </section> + <section xml:id="module-services-mosquitto-config-acl"> + <title>ACL format</title> + <para> + Every listener has a Mosquitto <literal>acl_file</literal> + attached to it. This ACL is configured via two attributes of the + config: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + the <literal>acl</literal> attribute of the listener + configures pattern ACL entries and topic ACL entries for + anonymous users. Each entry must be prefixed with + <literal>pattern</literal> or <literal>topic</literal> to + distinguish between these two cases. + </para> + </listitem> + <listitem> + <para> + the <literal>acl</literal> attribute of every user + configures in the listener configured the ACL for that given + user. Only topic ACLs are supported by Mosquitto in this + setting, so no prefix is required or allowed. + </para> + </listitem> + </itemizedlist> + <para> + The default ACL for a listener is empty, disallowing all + accesses from all clients. To configure a completely open ACL, + set <literal>acl = [ "pattern readwrite #" ]</literal> + in the listener. + </para> + </section> + </section> +</chapter> diff --git a/nixos/modules/services/networking/mstpd.nix b/nixos/modules/services/networking/mstpd.nix new file mode 100644 index 00000000000..bd71010ce54 --- /dev/null +++ b/nixos/modules/services/networking/mstpd.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.mstpd; +in +with lib; +{ + options.services.mstpd = { + + enable = mkOption { + default = false; + type = types.bool; + description = '' + Whether to enable the multiple spanning tree protocol daemon. + ''; + }; + + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.mstpd ]; + + systemd.services.mstpd = { + description = "Multiple Spanning Tree Protocol Daemon"; + wantedBy = [ "network.target" ]; + unitConfig.ConditionCapability = "CAP_NET_ADMIN"; + serviceConfig = { + Type = "forking"; + ExecStart = "@${pkgs.mstpd}/bin/mstpd mstpd"; + PIDFile = "/run/mstpd.pid"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/mtprotoproxy.nix b/nixos/modules/services/networking/mtprotoproxy.nix new file mode 100644 index 00000000000..d896f227b82 --- /dev/null +++ b/nixos/modules/services/networking/mtprotoproxy.nix @@ -0,0 +1,110 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.mtprotoproxy; + + configOpts = { + PORT = cfg.port; + USERS = cfg.users; + SECURE_ONLY = cfg.secureOnly; + } // lib.optionalAttrs (cfg.adTag != null) { AD_TAG = cfg.adTag; } + // cfg.extraConfig; + + convertOption = opt: + if isString opt || isInt opt then + builtins.toJSON opt + else if isBool opt then + if opt then "True" else "False" + else if isList opt then + "[" + concatMapStringsSep "," convertOption opt + "]" + else if isAttrs opt then + "{" + concatStringsSep "," (mapAttrsToList (name: opt: "${builtins.toJSON name}: ${convertOption opt}") opt) + "}" + else + throw "Invalid option type"; + + configFile = pkgs.writeText "config.py" (concatStringsSep "\n" (mapAttrsToList (name: opt: "${name} = ${convertOption opt}") configOpts)); + +in + +{ + + ###### interface + + options = { + + services.mtprotoproxy = { + + enable = mkEnableOption "mtprotoproxy"; + + port = mkOption { + type = types.int; + default = 3256; + description = '' + TCP port to accept mtproto connections on. + ''; + }; + + users = mkOption { + type = types.attrsOf types.str; + example = { + tg = "00000000000000000000000000000000"; + tg2 = "0123456789abcdef0123456789abcdef"; + }; + description = '' + Allowed users and their secrets. A secret is a 32 characters long hex string. + ''; + }; + + secureOnly = mkOption { + type = types.bool; + default = true; + description = '' + Don't allow users to connect in non-secure mode (without random padding). + ''; + }; + + adTag = mkOption { + type = types.nullOr types.str; + default = null; + # Taken from mtproxyproto's repo. + example = "3c09c680b76ee91a4c25ad51f742267d"; + description = '' + Tag for advertising that can be obtained from @MTProxybot. + ''; + }; + + extraConfig = mkOption { + type = types.attrs; + default = {}; + example = { + STATS_PRINT_PERIOD = 600; + }; + description = '' + Extra configuration options for mtprotoproxy. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + systemd.services.mtprotoproxy = { + description = "MTProto Proxy Daemon"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.mtprotoproxy}/bin/mtprotoproxy ${configFile}"; + DynamicUser = true; + }; + }; + + }; + +} diff --git a/nixos/modules/services/networking/mtr-exporter.nix b/nixos/modules/services/networking/mtr-exporter.nix new file mode 100644 index 00000000000..ca261074ebd --- /dev/null +++ b/nixos/modules/services/networking/mtr-exporter.nix @@ -0,0 +1,87 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) + maintainers types mkEnableOption mkOption mkIf + literalExpression escapeShellArg escapeShellArgs; + cfg = config.services.mtr-exporter; +in { + options = { + services = { + mtr-exporter = { + enable = mkEnableOption "a Prometheus exporter for MTR"; + + target = mkOption { + type = types.str; + example = "example.org"; + description = "Target to check using MTR."; + }; + + interval = mkOption { + type = types.int; + default = 60; + description = "Interval between MTR checks in seconds."; + }; + + port = mkOption { + type = types.port; + default = 8080; + description = "Listen port for MTR exporter."; + }; + + address = mkOption { + type = types.str; + default = "127.0.0.1"; + description = "Listen address for MTR exporter."; + }; + + mtrFlags = mkOption { + type = with types; listOf str; + default = []; + example = ["-G1"]; + description = "Additional flags to pass to MTR."; + }; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.mtr-exporter = { + script = '' + exec ${pkgs.mtr-exporter}/bin/mtr-exporter \ + -mtr ${pkgs.mtr}/bin/mtr \ + -schedule '@every ${toString cfg.interval}s' \ + -bind ${escapeShellArg cfg.address}:${toString cfg.port} \ + -- \ + ${escapeShellArgs (cfg.mtrFlags ++ [ cfg.target ])} + ''; + wantedBy = [ "multi-user.target" ]; + requires = [ "network.target" ]; + after = [ "network.target" ]; + serviceConfig = { + Restart = "on-failure"; + # Hardening + CapabilityBoundingSet = [ "" ]; + DynamicUser = true; + LockPersonality = true; + ProcSubset = "pid"; + PrivateDevices = true; + PrivateUsers = true; + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RestrictNamespaces = true; + RestrictRealtime = true; + }; + }; + }; + + meta.maintainers = with maintainers; [ jakubgs ]; +} diff --git a/nixos/modules/services/networking/mullvad-vpn.nix b/nixos/modules/services/networking/mullvad-vpn.nix new file mode 100644 index 00000000000..9ec1ddc929e --- /dev/null +++ b/nixos/modules/services/networking/mullvad-vpn.nix @@ -0,0 +1,50 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.mullvad-vpn; +in +with lib; +{ + options.services.mullvad-vpn.enable = mkOption { + type = types.bool; + default = false; + description = '' + This option enables Mullvad VPN daemon. + This sets <option>networking.firewall.checkReversePath</option> to "loose", which might be undesirable for security. + ''; + }; + + config = mkIf cfg.enable { + boot.kernelModules = [ "tun" ]; + + # mullvad-daemon writes to /etc/iproute2/rt_tables + networking.iproute2.enable = true; + + # See https://github.com/NixOS/nixpkgs/issues/113589 + networking.firewall.checkReversePath = "loose"; + + systemd.services.mullvad-daemon = { + description = "Mullvad VPN daemon"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network.target" ]; + after = [ + "network-online.target" + "NetworkManager.service" + "systemd-resolved.service" + ]; + path = [ + pkgs.iproute2 + # Needed for ping + "/run/wrappers" + ]; + startLimitBurst = 5; + startLimitIntervalSec = 20; + serviceConfig = { + ExecStart = "${pkgs.mullvad-vpn}/bin/mullvad-daemon -v --disable-stdout-timestamps"; + Restart = "always"; + RestartSec = 1; + }; + }; + }; + + meta.maintainers = with maintainers; [ ymarkus ]; +} diff --git a/nixos/modules/services/networking/multipath.nix b/nixos/modules/services/networking/multipath.nix new file mode 100644 index 00000000000..1a44184ff6d --- /dev/null +++ b/nixos/modules/services/networking/multipath.nix @@ -0,0 +1,557 @@ +{ config, lib, pkgs, ... }: with lib; + +# See http://christophe.varoqui.free.fr/usage.html and +# https://github.com/opensvc/multipath-tools/blob/master/multipath/multipath.conf.5 + +let + cfg = config.services.multipath; + + indentLines = n: str: concatStringsSep "\n" ( + map (line: "${fixedWidthString n " " " "}${line}") ( + filter ( x: x != "" ) ( splitString "\n" str ) + ) + ); + + addCheckDesc = desc: elemType: check: types.addCheck elemType check + // { description = "${elemType.description} (with check: ${desc})"; }; + hexChars = stringToCharacters "0123456789abcdef"; + isHexString = s: all (c: elem c hexChars) (stringToCharacters (toLower s)); + hexStr = addCheckDesc "hexadecimal string" types.str isHexString; + +in { + + options.services.multipath = with types; { + + enable = mkEnableOption "the device mapper multipath (DM-MP) daemon"; + + package = mkOption { + type = package; + description = "multipath-tools package to use"; + default = pkgs.multipath-tools; + defaultText = "pkgs.multipath-tools"; + }; + + devices = mkOption { + default = [ ]; + example = literalExpression '' + [ + { + vendor = "\"COMPELNT\""; + product = "\"Compellent Vol\""; + path_checker = "tur"; + no_path_retry = "queue"; + max_sectors_kb = 256; + }, ... + ] + ''; + description = '' + This option allows you to define arrays for use in multipath + groups. + ''; + type = listOf (submodule { + options = { + + vendor = mkOption { + type = str; + example = "COMPELNT"; + description = "Regular expression to match the vendor name"; + }; + + product = mkOption { + type = str; + example = "Compellent Vol"; + description = "Regular expression to match the product name"; + }; + + revision = mkOption { + type = nullOr str; + default = null; + description = "Regular expression to match the product revision"; + }; + + product_blacklist = mkOption { + type = nullOr str; + default = null; + description = "Products with the given vendor matching this string are blacklisted"; + }; + + alias_prefix = mkOption { + type = nullOr str; + default = null; + description = "The user_friendly_names prefix to use for this device type, instead of the default mpath"; + }; + + vpd_vendor = mkOption { + type = nullOr str; + default = null; + description = "The vendor specific vpd page information, using the vpd page abbreviation"; + }; + + hardware_handler = mkOption { + type = nullOr (enum [ "emc" "rdac" "hp_sw" "alua" "ana" ]); + default = null; + description = "The hardware handler to use for this device type"; + }; + + # Optional arguments + path_grouping_policy = mkOption { + type = nullOr (enum [ "failover" "multibus" "group_by_serial" "group_by_prio" "group_by_node_name" ]); + default = null; # real default: "failover" + description = "The default path grouping policy to apply to unspecified multipaths"; + }; + + uid_attribute = mkOption { + type = nullOr str; + default = null; + description = "The udev attribute providing a unique path identifier (WWID)"; + }; + + getuid_callout = mkOption { + type = nullOr str; + default = null; + description = '' + (Superseded by uid_attribute) The default program and args to callout + to obtain a unique path identifier. Should be specified with an absolute path. + ''; + }; + + path_selector = mkOption { + type = nullOr (enum [ + ''"round-robin 0"'' + ''"queue-length 0"'' + ''"service-time 0"'' + ''"historical-service-time 0"'' + ]); + default = null; # real default: "service-time 0" + description = "The default path selector algorithm to use; they are offered by the kernel multipath target"; + }; + + path_checker = mkOption { + type = enum [ "readsector0" "tur" "emc_clariion" "hp_sw" "rdac" "directio" "cciss_tur" "none" ]; + default = "tur"; + description = "The default method used to determine the paths state"; + }; + + prio = mkOption { + type = nullOr (enum [ + "none" "const" "sysfs" "emc" "alua" "ontap" "rdac" "hp_sw" "hds" + "random" "weightedpath" "path_latency" "ana" "datacore" "iet" + ]); + default = null; # real default: "const" + description = "The name of the path priority routine"; + }; + + prio_args = mkOption { + type = nullOr str; + default = null; + description = "Arguments to pass to to the prio function"; + }; + + features = mkOption { + type = nullOr str; + default = null; + description = "Specify any device-mapper features to be used"; + }; + + failback = mkOption { + type = nullOr str; + default = null; # real default: "manual" + description = "Tell multipathd how to manage path group failback. Quote integers as strings"; + }; + + rr_weight = mkOption { + type = nullOr (enum [ "priorities" "uniform" ]); + default = null; # real default: "uniform" + description = '' + If set to priorities the multipath configurator will assign path weights + as "path prio * rr_min_io". + ''; + }; + + no_path_retry = mkOption { + type = nullOr str; + default = null; # real default: "fail" + description = "Specify what to do when all paths are down. Quote integers as strings"; + }; + + rr_min_io = mkOption { + type = nullOr int; + default = null; # real default: 1000 + description = '' + Number of I/O requests to route to a path before switching to the next in the + same path group. This is only for Block I/O (BIO) based multipath and + only apply to round-robin path_selector. + ''; + }; + + rr_min_io_rq = mkOption { + type = nullOr int; + default = null; # real default: 1 + description = '' + Number of I/O requests to route to a path before switching to the next in the + same path group. This is only for Request based multipath and + only apply to round-robin path_selector. + ''; + }; + + fast_io_fail_tmo = mkOption { + type = nullOr str; + default = null; # real default: 5 + description = '' + Specify the number of seconds the SCSI layer will wait after a problem has been + detected on a FC remote port before failing I/O to devices on that remote port. + This should be smaller than dev_loss_tmo. Setting this to "off" will disable + the timeout. Quote integers as strings. + ''; + }; + + dev_loss_tmo = mkOption { + type = nullOr str; + default = null; # real default: 600 + description = '' + Specify the number of seconds the SCSI layer will wait after a problem has + been detected on a FC remote port before removing it from the system. This + can be set to "infinity" which sets it to the max value of 2147483647 + seconds, or 68 years. It will be automatically adjusted to the overall + retry interval no_path_retry * polling_interval + if a number of retries is given with no_path_retry and the + overall retry interval is longer than the specified dev_loss_tmo value. + The Linux kernel will cap this value to 600 if fast_io_fail_tmo + is not set. + ''; + }; + + flush_on_last_del = mkOption { + type = nullOr (enum [ "yes" "no" ]); + default = null; # real default: "no" + description = '' + If set to "yes" multipathd will disable queueing when the last path to a + device has been deleted. + ''; + }; + + user_friendly_names = mkOption { + type = nullOr (enum [ "yes" "no" ]); + default = null; # real default: "no" + description = '' + If set to "yes", using the bindings file /etc/multipath/bindings + to assign a persistent and unique alias to the multipath, in the + form of mpath. If set to "no" use the WWID as the alias. In either + case this be will be overridden by any specific aliases in the + multipaths section. + ''; + }; + + detect_prio = mkOption { + type = nullOr (enum [ "yes" "no" ]); + default = null; # real default: "yes" + description = '' + If set to "yes", multipath will try to detect if the device supports + SCSI-3 ALUA. If so, the device will automatically use the sysfs + prioritizer if the required sysf attributes access_state and + preferred_path are supported, or the alua prioritizer if not. If set + to "no", the prioritizer will be selected as usual. + ''; + }; + + detect_checker = mkOption { + type = nullOr (enum [ "yes" "no" ]); + default = null; # real default: "yes" + description = '' + If set to "yes", multipath will try to detect if the device supports + SCSI-3 ALUA. If so, the device will automatically use the tur checker. + If set to "no", the checker will be selected as usual. + ''; + }; + + deferred_remove = mkOption { + type = nullOr (enum [ "yes" "no" ]); + default = null; # real default: "no" + description = '' + If set to "yes", multipathd will do a deferred remove instead of a + regular remove when the last path device has been deleted. This means + that if the multipath device is still in use, it will be freed when + the last user closes it. If path is added to the multipath device + before the last user closes it, the deferred remove will be canceled. + ''; + }; + + san_path_err_threshold = mkOption { + type = nullOr str; + default = null; + description = '' + If set to a value greater than 0, multipathd will watch paths and check + how many times a path has been failed due to errors.If the number of + failures on a particular path is greater then the san_path_err_threshold, + then the path will not reinstate till san_path_err_recovery_time. These + path failures should occur within a san_path_err_forget_rate checks, if + not we will consider the path is good enough to reinstantate. + ''; + }; + + san_path_err_forget_rate = mkOption { + type = nullOr str; + default = null; + description = '' + If set to a value greater than 0, multipathd will check whether the path + failures has exceeded the san_path_err_threshold within this many checks + i.e san_path_err_forget_rate. If so we will not reinstante the path till + san_path_err_recovery_time. + ''; + }; + + san_path_err_recovery_time = mkOption { + type = nullOr str; + default = null; + description = '' + If set to a value greater than 0, multipathd will make sure that when + path failures has exceeded the san_path_err_threshold within + san_path_err_forget_rate then the path will be placed in failed state + for san_path_err_recovery_time duration. Once san_path_err_recovery_time + has timeout we will reinstante the failed path. san_path_err_recovery_time + value should be in secs. + ''; + }; + + marginal_path_err_sample_time = mkOption { + type = nullOr int; + default = null; + description = "One of the four parameters of supporting path check based on accounting IO error such as intermittent error"; + }; + + marginal_path_err_rate_threshold = mkOption { + type = nullOr int; + default = null; + description = "The error rate threshold as a permillage (1/1000)"; + }; + + marginal_path_err_recheck_gap_time = mkOption { + type = nullOr str; + default = null; + description = "One of the four parameters of supporting path check based on accounting IO error such as intermittent error"; + }; + + marginal_path_double_failed_time = mkOption { + type = nullOr str; + default = null; + description = "One of the four parameters of supporting path check based on accounting IO error such as intermittent error"; + }; + + delay_watch_checks = mkOption { + type = nullOr str; + default = null; + description = "This option is deprecated, and mapped to san_path_err_forget_rate"; + }; + + delay_wait_checks = mkOption { + type = nullOr str; + default = null; + description = "This option is deprecated, and mapped to san_path_err_recovery_time"; + }; + + skip_kpartx = mkOption { + type = nullOr (enum [ "yes" "no" ]); + default = null; # real default: "no" + description = "If set to yes, kpartx will not automatically create partitions on the device"; + }; + + max_sectors_kb = mkOption { + type = nullOr int; + default = null; + description = "Sets the max_sectors_kb device parameter on all path devices and the multipath device to the specified value"; + }; + + ghost_delay = mkOption { + type = nullOr int; + default = null; + description = "Sets the number of seconds that multipath will wait after creating a device with only ghost paths before marking it ready for use in systemd"; + }; + + all_tg_pt = mkOption { + type = nullOr str; + default = null; + description = "Set the 'all targets ports' flag when registering keys with mpathpersist"; + }; + + }; + }); + }; + + defaults = mkOption { + type = nullOr str; + default = null; + description = '' + This section defines default values for attributes which are used + whenever no values are given in the appropriate device or multipath + sections. + ''; + }; + + blacklist = mkOption { + type = nullOr str; + default = null; + description = '' + This section defines which devices should be excluded from the + multipath topology discovery. + ''; + }; + + blacklist_exceptions = mkOption { + type = nullOr str; + default = null; + description = '' + This section defines which devices should be included in the + multipath topology discovery, despite being listed in the + blacklist section. + ''; + }; + + overrides = mkOption { + type = nullOr str; + default = null; + description = '' + This section defines values for attributes that should override the + device-specific settings for all devices. + ''; + }; + + extraConfig = mkOption { + type = nullOr str; + default = null; + description = "Lines to append to default multipath.conf"; + }; + + extraConfigFile = mkOption { + type = nullOr str; + default = null; + description = "Append an additional file's contents to /etc/multipath.conf"; + }; + + pathGroups = mkOption { + example = literalExpression '' + [ + { + wwid = "360080e500043b35c0123456789abcdef"; + alias = 10001234; + array = "bigarray.example.com"; + fsType = "zfs"; # optional + options = "ro"; # optional + }, ... + ] + ''; + description = '' + This option allows you to define multipath groups as described + in http://christophe.varoqui.free.fr/usage.html. + ''; + type = listOf (submodule { + options = { + + alias = mkOption { + type = int; + example = 1001234; + description = "The name of the multipath device"; + }; + + wwid = mkOption { + type = hexStr; + example = "360080e500043b35c0123456789abcdef"; + description = "The identifier for the multipath device"; + }; + + array = mkOption { + type = str; + default = null; + example = "bigarray.example.com"; + description = "The DNS name of the storage array"; + }; + + fsType = mkOption { + type = nullOr str; + default = null; + example = "zfs"; + description = "Type of the filesystem"; + }; + + options = mkOption { + type = nullOr str; + default = null; + example = "ro"; + description = "Options used to mount the file system"; + }; + + }; + }); + }; + + }; + + config = mkIf cfg.enable { + environment.etc."multipath.conf".text = + let + inherit (cfg) defaults blacklist blacklist_exceptions overrides; + + mkDeviceBlock = cfg: let + nonNullCfg = lib.filterAttrs (k: v: v != null) cfg; + attrs = lib.mapAttrsToList (name: value: " ${name} ${toString value}") nonNullCfg; + in '' + device { + ${lib.concatStringsSep "\n" attrs} + } + ''; + devices = lib.concatMapStringsSep "\n" mkDeviceBlock cfg.devices; + + mkMultipathBlock = m: '' + multipath { + wwid ${m.wwid} + alias ${toString m.alias} + } + ''; + multipaths = lib.concatMapStringsSep "\n" mkMultipathBlock cfg.pathGroups; + + in '' + devices { + ${indentLines 2 devices} + } + + ${optionalString (!isNull defaults) '' + defaults { + ${indentLines 2 defaults} + multipath_dir ${cfg.package}/lib/multipath + } + ''} + ${optionalString (!isNull blacklist) '' + blacklist { + ${indentLines 2 blacklist} + } + ''} + ${optionalString (!isNull blacklist_exceptions) '' + blacklist_exceptions { + ${indentLines 2 blacklist_exceptions} + } + ''} + ${optionalString (!isNull overrides) '' + overrides { + ${indentLines 2 overrides} + } + ''} + multipaths { + ${indentLines 2 multipaths} + } + ''; + + systemd.packages = [ cfg.package ]; + + environment.systemPackages = [ cfg.package ]; + boot.kernelModules = [ "dm-multipath" "dm-service-time" ]; + + # We do not have systemd in stage-1 boot so must invoke `multipathd` + # with the `-1` argument which disables systemd calls. Invoke `multipath` + # to display the multipath mappings in the output of `journalctl -b`. + boot.initrd.kernelModules = [ "dm-multipath" "dm-service-time" ]; + boot.initrd.postDeviceCommands = '' + modprobe -a dm-multipath dm-service-time + multipathd -s + (set -x && sleep 1 && multipath -ll) + ''; + }; +} diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix new file mode 100644 index 00000000000..06ec04dbbf1 --- /dev/null +++ b/nixos/modules/services/networking/murmur.nix @@ -0,0 +1,318 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.murmur; + forking = cfg.logFile != null; + configFile = pkgs.writeText "murmurd.ini" '' + database=/var/lib/murmur/murmur.sqlite + dbDriver=QSQLITE + + autobanAttempts=${toString cfg.autobanAttempts} + autobanTimeframe=${toString cfg.autobanTimeframe} + autobanTime=${toString cfg.autobanTime} + + logfile=${optionalString (cfg.logFile != null) cfg.logFile} + ${optionalString forking "pidfile=/run/murmur/murmurd.pid"} + + welcometext="${cfg.welcometext}" + port=${toString cfg.port} + + ${if cfg.hostName == "" then "" else "host="+cfg.hostName} + ${if cfg.password == "" then "" else "serverpassword="+cfg.password} + + bandwidth=${toString cfg.bandwidth} + users=${toString cfg.users} + + textmessagelength=${toString cfg.textMsgLength} + imagemessagelength=${toString cfg.imgMsgLength} + allowhtml=${boolToString cfg.allowHtml} + logdays=${toString cfg.logDays} + bonjour=${boolToString cfg.bonjour} + sendversion=${boolToString cfg.sendVersion} + + ${if cfg.registerName == "" then "" else "registerName="+cfg.registerName} + ${if cfg.registerPassword == "" then "" else "registerPassword="+cfg.registerPassword} + ${if cfg.registerUrl == "" then "" else "registerUrl="+cfg.registerUrl} + ${if cfg.registerHostname == "" then "" else "registerHostname="+cfg.registerHostname} + + certrequired=${boolToString cfg.clientCertRequired} + ${if cfg.sslCert == "" then "" else "sslCert="+cfg.sslCert} + ${if cfg.sslKey == "" then "" else "sslKey="+cfg.sslKey} + ${if cfg.sslCa == "" then "" else "sslCA="+cfg.sslCa} + + ${cfg.extraConfig} + ''; +in +{ + imports = [ + (mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ]) + (mkRemovedOptionModule [ "services" "murmur" "pidfile" ] "Hardcoded to /run/murmur/murmurd.pid now") + ]; + + options = { + services.murmur = { + enable = mkOption { + type = types.bool; + default = false; + description = "If enabled, start the Murmur Mumble server."; + }; + + autobanAttempts = mkOption { + type = types.int; + default = 10; + description = '' + Number of attempts a client is allowed to make in + <literal>autobanTimeframe</literal> seconds, before being + banned for <literal>autobanTime</literal>. + ''; + }; + + autobanTimeframe = mkOption { + type = types.int; + default = 120; + description = '' + Timeframe in which a client can connect without being banned + for repeated attempts (in seconds). + ''; + }; + + autobanTime = mkOption { + type = types.int; + default = 300; + description = "The amount of time an IP ban lasts (in seconds)."; + }; + + logFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/log/murmur/murmurd.log"; + description = "Path to the log file for Murmur daemon. Empty means log to journald."; + }; + + welcometext = mkOption { + type = types.str; + default = ""; + description = "Welcome message for connected clients."; + }; + + port = mkOption { + type = types.port; + default = 64738; + description = "Ports to bind to (UDP and TCP)."; + }; + + hostName = mkOption { + type = types.str; + default = ""; + description = "Host to bind to. Defaults binding on all addresses."; + }; + + package = mkOption { + type = types.package; + default = pkgs.murmur; + defaultText = literalExpression "pkgs.murmur"; + description = "Overridable attribute of the murmur package to use."; + }; + + password = mkOption { + type = types.str; + default = ""; + description = "Required password to join server, if specified."; + }; + + bandwidth = mkOption { + type = types.int; + default = 72000; + description = '' + Maximum bandwidth (in bits per second) that clients may send + speech at. + ''; + }; + + users = mkOption { + type = types.int; + default = 100; + description = "Maximum number of concurrent clients allowed."; + }; + + textMsgLength = mkOption { + type = types.int; + default = 5000; + description = "Max length of text messages. Set 0 for no limit."; + }; + + imgMsgLength = mkOption { + type = types.int; + default = 131072; + description = "Max length of image messages. Set 0 for no limit."; + }; + + allowHtml = mkOption { + type = types.bool; + default = true; + description = '' + Allow HTML in client messages, comments, and channel + descriptions. + ''; + }; + + logDays = mkOption { + type = types.int; + default = 31; + description = '' + How long to store RPC logs for in the database. Set 0 to + keep logs forever, or -1 to disable DB logging. + ''; + }; + + bonjour = mkOption { + type = types.bool; + default = false; + description = '' + Enable Bonjour auto-discovery, which allows clients over + your LAN to automatically discover Murmur servers. + ''; + }; + + sendVersion = mkOption { + type = types.bool; + default = true; + description = "Send Murmur version in UDP response."; + }; + + registerName = mkOption { + type = types.str; + default = ""; + description = '' + Public server registration name, and also the name of the + Root channel. Even if you don't publicly register your + server, you probably still want to set this. + ''; + }; + + registerPassword = mkOption { + type = types.str; + default = ""; + description = '' + Public server registry password, used authenticate your + server to the registry to prevent impersonation; required for + subsequent registry updates. + ''; + }; + + registerUrl = mkOption { + type = types.str; + default = ""; + description = "URL website for your server."; + }; + + registerHostname = mkOption { + type = types.str; + default = ""; + description = '' + DNS hostname where your server can be reached. This is only + needed if you want your server to be accessed by its + hostname and not IP - but the name *must* resolve on the + internet properly. + ''; + }; + + clientCertRequired = mkOption { + type = types.bool; + default = false; + description = "Require clients to authenticate via certificates."; + }; + + sslCert = mkOption { + type = types.str; + default = ""; + description = "Path to your SSL certificate."; + }; + + sslKey = mkOption { + type = types.str; + default = ""; + description = "Path to your SSL key."; + }; + + sslCa = mkOption { + type = types.str; + default = ""; + description = "Path to your SSL CA certificate."; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Extra configuration to put into murmur.ini."; + }; + + environmentFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/lib/murmur/murmurd.env"; + description = '' + Environment file as defined in <citerefentry> + <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>. + + Secrets may be passed to the service without adding them to the world-readable + Nix store, by specifying placeholder variables as the option value in Nix and + setting these variables accordingly in the environment file. + + <programlisting> + # snippet of murmur-related config + services.murmur.password = "$MURMURD_PASSWORD"; + </programlisting> + + <programlisting> + # content of the environment file + MURMURD_PASSWORD=verysecretpassword + </programlisting> + + Note that this file needs to be available on the host on which + <literal>murmur</literal> is running. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + users.users.murmur = { + description = "Murmur Service user"; + home = "/var/lib/murmur"; + createHome = true; + uid = config.ids.uids.murmur; + group = "murmur"; + }; + users.groups.murmur = { + gid = config.ids.gids.murmur; + }; + + systemd.services.murmur = { + description = "Murmur Chat Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + preStart = '' + ${pkgs.envsubst}/bin/envsubst \ + -o /run/murmur/murmurd.ini \ + -i ${configFile} + ''; + + serviceConfig = { + # murmurd doesn't fork when logging to the console. + Type = if forking then "forking" else "simple"; + PIDFile = mkIf forking "/run/murmur/murmurd.pid"; + EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile; + ExecStart = "${cfg.package}/bin/mumble-server -ini /run/murmur/murmurd.ini"; + Restart = "always"; + RuntimeDirectory = "murmur"; + RuntimeDirectoryMode = "0700"; + User = "murmur"; + Group = "murmur"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/mxisd.nix b/nixos/modules/services/networking/mxisd.nix new file mode 100644 index 00000000000..803f0689d1f --- /dev/null +++ b/nixos/modules/services/networking/mxisd.nix @@ -0,0 +1,127 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + isMa1sd = + package: + lib.hasPrefix "ma1sd" package.name; + + isMxisd = + package: + lib.hasPrefix "mxisd" package.name; + + cfg = config.services.mxisd; + + server = optionalAttrs (cfg.server.name != null) { inherit (cfg.server) name; } + // optionalAttrs (cfg.server.port != null) { inherit (cfg.server) port; }; + + baseConfig = { + matrix.domain = cfg.matrix.domain; + key.path = "${cfg.dataDir}/signing.key"; + storage = { + provider.sqlite.database = if isMa1sd cfg.package + then "${cfg.dataDir}/ma1sd.db" + else "${cfg.dataDir}/mxisd.db"; + }; + } // optionalAttrs (server != {}) { inherit server; }; + + # merges baseConfig and extraConfig into a single file + fullConfig = recursiveUpdate baseConfig cfg.extraConfig; + + configFile = if isMa1sd cfg.package + then pkgs.writeText "ma1sd-config.yaml" (builtins.toJSON fullConfig) + else pkgs.writeText "mxisd-config.yaml" (builtins.toJSON fullConfig); + +in { + options = { + services.mxisd = { + enable = mkEnableOption "matrix federated identity server"; + + package = mkOption { + type = types.package; + default = pkgs.ma1sd; + defaultText = literalExpression "pkgs.ma1sd"; + description = "The mxisd/ma1sd package to use"; + }; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/mxisd"; + description = "Where data mxisd/ma1sd uses resides"; + }; + + extraConfig = mkOption { + type = types.attrs; + default = {}; + description = "Extra options merged into the mxisd/ma1sd configuration"; + }; + + matrix = { + + domain = mkOption { + type = types.str; + description = '' + the domain of the matrix homeserver + ''; + }; + + }; + + server = { + + name = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Public hostname of mxisd/ma1sd, if different from the Matrix domain. + ''; + }; + + port = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + HTTP port to listen on (unencrypted) + ''; + }; + + }; + + }; + }; + + config = mkIf cfg.enable { + users.users.mxisd = + { + group = "mxisd"; + home = cfg.dataDir; + createHome = true; + shell = "${pkgs.bash}/bin/bash"; + uid = config.ids.uids.mxisd; + }; + + users.groups.mxisd = + { + gid = config.ids.gids.mxisd; + }; + + systemd.services.mxisd = { + description = "a federated identity server for the matrix ecosystem"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = let + executable = if isMa1sd cfg.package then "ma1sd" else "mxisd"; + in { + Type = "simple"; + User = "mxisd"; + Group = "mxisd"; + ExecStart = "${cfg.package}/bin/${executable} -c ${configFile}"; + WorkingDirectory = cfg.dataDir; + Restart = "on-failure"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/namecoind.nix b/nixos/modules/services/networking/namecoind.nix new file mode 100644 index 00000000000..8f7a5123f7e --- /dev/null +++ b/nixos/modules/services/networking/namecoind.nix @@ -0,0 +1,199 @@ + +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.namecoind; + dataDir = "/var/lib/namecoind"; + useSSL = (cfg.rpc.certificate != null) && (cfg.rpc.key != null); + useRPC = (cfg.rpc.user != null) && (cfg.rpc.password != null); + + listToConf = option: list: + concatMapStrings (value :"${option}=${value}\n") list; + + configFile = pkgs.writeText "namecoin.conf" ('' + server=1 + daemon=0 + txindex=1 + txprevcache=1 + walletpath=${cfg.wallet} + gen=${if cfg.generate then "1" else "0"} + ${listToConf "addnode" cfg.extraNodes} + ${listToConf "connect" cfg.trustedNodes} + '' + optionalString useRPC '' + rpcbind=${cfg.rpc.address} + rpcport=${toString cfg.rpc.port} + rpcuser=${cfg.rpc.user} + rpcpassword=${cfg.rpc.password} + ${listToConf "rpcallowip" cfg.rpc.allowFrom} + '' + optionalString useSSL '' + rpcssl=1 + rpcsslcertificatechainfile=${cfg.rpc.certificate} + rpcsslprivatekeyfile=${cfg.rpc.key} + rpcsslciphers=TLSv1.2+HIGH:TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH + ''); + +in + +{ + + ###### interface + + options = { + + services.namecoind = { + + enable = mkEnableOption "namecoind, Namecoin client"; + + wallet = mkOption { + type = types.path; + default = "${dataDir}/wallet.dat"; + description = '' + Wallet file. The ownership of the file has to be + namecoin:namecoin, and the permissions must be 0640. + ''; + }; + + generate = mkOption { + type = types.bool; + default = false; + description = '' + Whether to generate (mine) Namecoins. + ''; + }; + + extraNodes = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + List of additional peer IP addresses to connect to. + ''; + }; + + trustedNodes = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + List of the only peer IP addresses to connect to. If specified + no other connection will be made. + ''; + }; + + rpc.user = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + User name for RPC connections. + ''; + }; + + rpc.password = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Password for RPC connections. + ''; + }; + + rpc.address = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + IP address the RPC server will bind to. + ''; + }; + + rpc.port = mkOption { + type = types.port; + default = 8332; + description = '' + Port the RPC server will bind to. + ''; + }; + + rpc.certificate = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/lib/namecoind/server.cert"; + description = '' + Certificate file for securing RPC connections. + ''; + }; + + rpc.key = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/lib/namecoind/server.pem"; + description = '' + Key file for securing RPC connections. + ''; + }; + + + rpc.allowFrom = mkOption { + type = types.listOf types.str; + default = [ "127.0.0.1" ]; + description = '' + List of IP address ranges allowed to use the RPC API. + Wiledcards (*) can be user to specify a range. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + users.users.namecoin = { + uid = config.ids.uids.namecoin; + description = "Namecoin daemon user"; + home = dataDir; + createHome = true; + }; + + users.groups.namecoin = { + gid = config.ids.gids.namecoin; + }; + + systemd.services.namecoind = { + description = "Namecoind daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + startLimitIntervalSec = 120; + startLimitBurst = 5; + serviceConfig = { + User = "namecoin"; + Group = "namecoin"; + ExecStart = "${pkgs.namecoind}/bin/namecoind -conf=${configFile} -datadir=${dataDir} -printtoconsole"; + ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Nice = "10"; + PrivateTmp = true; + TimeoutStopSec = "60s"; + TimeoutStartSec = "2s"; + Restart = "always"; + }; + + preStart = optionalString (cfg.wallet != "${dataDir}/wallet.dat") '' + # check wallet file permissions + if [ "$(stat --printf '%u' ${cfg.wallet})" != "${toString config.ids.uids.namecoin}" \ + -o "$(stat --printf '%g' ${cfg.wallet})" != "${toString config.ids.gids.namecoin}" \ + -o "$(stat --printf '%a' ${cfg.wallet})" != "640" ]; then + echo "ERROR: bad ownership or rights on ${cfg.wallet}" >&2 + exit 1 + fi + ''; + + }; + + }; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + +} diff --git a/nixos/modules/services/networking/nar-serve.nix b/nixos/modules/services/networking/nar-serve.nix new file mode 100644 index 00000000000..745138186a2 --- /dev/null +++ b/nixos/modules/services/networking/nar-serve.nix @@ -0,0 +1,55 @@ +{ config, pkgs, lib, ... }: + +with lib; +let + cfg = config.services.nar-serve; +in +{ + meta = { + maintainers = [ maintainers.rizary ]; + }; + options = { + services.nar-serve = { + enable = mkEnableOption "Serve NAR file contents via HTTP"; + + port = mkOption { + type = types.port; + default = 8383; + description = '' + Port number where nar-serve will listen on. + ''; + }; + + cacheURL = mkOption { + type = types.str; + default = "https://cache.nixos.org/"; + description = '' + Binary cache URL to connect to. + + The URL format is compatible with the nix remote url style, such as: + - http://, https:// for binary caches via HTTP or HTTPS + - s3:// for binary caches stored in Amazon S3 + - gs:// for binary caches stored in Google Cloud Storage + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.nar-serve = { + description = "NAR server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + environment.PORT = toString cfg.port; + environment.NAR_CACHE_URL = cfg.cacheURL; + + serviceConfig = { + Restart = "always"; + RestartSec = "5s"; + ExecStart = "${pkgs.nar-serve}/bin/nar-serve"; + DynamicUser = true; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix new file mode 100644 index 00000000000..2e58cd699b2 --- /dev/null +++ b/nixos/modules/services/networking/nat.nix @@ -0,0 +1,364 @@ +# This module enables Network Address Translation (NAT). +# XXX: todo: support multiple upstream links +# see http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html + +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.networking.nat; + + mkDest = externalIP: if externalIP == null + then "-j MASQUERADE" + else "-j SNAT --to-source ${externalIP}"; + dest = mkDest cfg.externalIP; + destIPv6 = mkDest cfg.externalIPv6; + + # Whether given IP (plus optional port) is an IPv6. + isIPv6 = ip: builtins.length (lib.splitString ":" ip) > 2; + + helpers = import ./helpers.nix { inherit config lib; }; + + flushNat = '' + ${helpers} + ip46tables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true + ip46tables -w -t nat -F nixos-nat-pre 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-pre 2>/dev/null || true + ip46tables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -F nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-post 2>/dev/null || true + ip46tables -w -t nat -D OUTPUT -j nixos-nat-out 2>/dev/null || true + ip46tables -w -t nat -F nixos-nat-out 2>/dev/null || true + ip46tables -w -t nat -X nixos-nat-out 2>/dev/null || true + + ${cfg.extraStopCommands} + ''; + + mkSetupNat = { iptables, dest, internalIPs, forwardPorts }: '' + # We can't match on incoming interface in POSTROUTING, so + # mark packets coming from the internal interfaces. + ${concatMapStrings (iface: '' + ${iptables} -w -t nat -A nixos-nat-pre \ + -i '${iface}' -j MARK --set-mark 1 + '') cfg.internalInterfaces} + + # NAT the marked packets. + ${optionalString (cfg.internalInterfaces != []) '' + ${iptables} -w -t nat -A nixos-nat-post -m mark --mark 1 \ + ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest} + ''} + + # NAT packets coming from the internal IPs. + ${concatMapStrings (range: '' + ${iptables} -w -t nat -A nixos-nat-post \ + -s '${range}' ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest} + '') internalIPs} + + # NAT from external ports to internal ports. + ${concatMapStrings (fwd: '' + ${iptables} -w -t nat -A nixos-nat-pre \ + -i ${toString cfg.externalInterface} -p ${fwd.proto} \ + --dport ${builtins.toString fwd.sourcePort} \ + -j DNAT --to-destination ${fwd.destination} + + ${concatMapStrings (loopbackip: + let + matchIP = if isIPv6 fwd.destination then "[[]([0-9a-fA-F:]+)[]]" else "([0-9.]+)"; + m = builtins.match "${matchIP}:([0-9-]+)" fwd.destination; + destinationIP = if m == null then throw "bad ip:ports `${fwd.destination}'" else elemAt m 0; + destinationPorts = if m == null then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (elemAt m 1); + in '' + # Allow connections to ${loopbackip}:${toString fwd.sourcePort} from the host itself + ${iptables} -w -t nat -A nixos-nat-out \ + -d ${loopbackip} -p ${fwd.proto} \ + --dport ${builtins.toString fwd.sourcePort} \ + -j DNAT --to-destination ${fwd.destination} + + # Allow connections to ${loopbackip}:${toString fwd.sourcePort} from other hosts behind NAT + ${iptables} -w -t nat -A nixos-nat-pre \ + -d ${loopbackip} -p ${fwd.proto} \ + --dport ${builtins.toString fwd.sourcePort} \ + -j DNAT --to-destination ${fwd.destination} + + ${iptables} -w -t nat -A nixos-nat-post \ + -d ${destinationIP} -p ${fwd.proto} \ + --dport ${destinationPorts} \ + -j SNAT --to-source ${loopbackip} + '') fwd.loopbackIPs} + '') forwardPorts} + ''; + + setupNat = '' + ${helpers} + # Create subchains where we store rules + ip46tables -w -t nat -N nixos-nat-pre + ip46tables -w -t nat -N nixos-nat-post + ip46tables -w -t nat -N nixos-nat-out + + ${mkSetupNat { + iptables = "iptables"; + inherit dest; + inherit (cfg) internalIPs; + forwardPorts = filter (x: !(isIPv6 x.destination)) cfg.forwardPorts; + }} + + ${optionalString cfg.enableIPv6 (mkSetupNat { + iptables = "ip6tables"; + dest = destIPv6; + internalIPs = cfg.internalIPv6s; + forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts; + })} + + ${optionalString (cfg.dmzHost != null) '' + iptables -w -t nat -A nixos-nat-pre \ + -i ${toString cfg.externalInterface} -j DNAT \ + --to-destination ${cfg.dmzHost} + ''} + + ${cfg.extraCommands} + + # Append our chains to the nat tables + ip46tables -w -t nat -A PREROUTING -j nixos-nat-pre + ip46tables -w -t nat -A POSTROUTING -j nixos-nat-post + ip46tables -w -t nat -A OUTPUT -j nixos-nat-out + ''; + +in + +{ + + ###### interface + + options = { + + networking.nat.enable = mkOption { + type = types.bool; + default = false; + description = + '' + Whether to enable Network Address Translation (NAT). + ''; + }; + + networking.nat.enableIPv6 = mkOption { + type = types.bool; + default = false; + description = + '' + Whether to enable IPv6 NAT. + ''; + }; + + networking.nat.internalInterfaces = mkOption { + type = types.listOf types.str; + default = []; + example = [ "eth0" ]; + description = + '' + The interfaces for which to perform NAT. Packets coming from + these interface and destined for the external interface will + be rewritten. + ''; + }; + + networking.nat.internalIPs = mkOption { + type = types.listOf types.str; + default = []; + example = [ "192.168.1.0/24" ]; + description = + '' + The IP address ranges for which to perform NAT. Packets + coming from these addresses (on any interface) and destined + for the external interface will be rewritten. + ''; + }; + + networking.nat.internalIPv6s = mkOption { + type = types.listOf types.str; + default = []; + example = [ "fc00::/64" ]; + description = + '' + The IPv6 address ranges for which to perform NAT. Packets + coming from these addresses (on any interface) and destined + for the external interface will be rewritten. + ''; + }; + + networking.nat.externalInterface = mkOption { + type = types.nullOr types.str; + default = null; + example = "eth1"; + description = + '' + The name of the external network interface. + ''; + }; + + networking.nat.externalIP = mkOption { + type = types.nullOr types.str; + default = null; + example = "203.0.113.123"; + description = + '' + The public IP address to which packets from the local + network are to be rewritten. If this is left empty, the + IP address associated with the external interface will be + used. + ''; + }; + + networking.nat.externalIPv6 = mkOption { + type = types.nullOr types.str; + default = null; + example = "2001:dc0:2001:11::175"; + description = + '' + The public IPv6 address to which packets from the local + network are to be rewritten. If this is left empty, the + IP address associated with the external interface will be + used. + ''; + }; + + networking.nat.forwardPorts = mkOption { + type = with types; listOf (submodule { + options = { + sourcePort = mkOption { + type = types.either types.int (types.strMatching "[[:digit:]]+:[[:digit:]]+"); + example = 8080; + description = "Source port of the external interface; to specify a port range, use a string with a colon (e.g. \"60000:61000\")"; + }; + + destination = mkOption { + type = types.str; + example = "10.0.0.1:80"; + description = "Forward connection to destination ip:port (or [ipv6]:port); to specify a port range, use ip:start-end"; + }; + + proto = mkOption { + type = types.str; + default = "tcp"; + example = "udp"; + description = "Protocol of forwarded connection"; + }; + + loopbackIPs = mkOption { + type = types.listOf types.str; + default = []; + example = literalExpression ''[ "55.1.2.3" ]''; + description = "Public IPs for NAT reflection; for connections to `loopbackip:sourcePort' from the host itself and from other hosts behind NAT"; + }; + }; + }); + default = []; + example = [ + { sourcePort = 8080; destination = "10.0.0.1:80"; proto = "tcp"; } + { sourcePort = 8080; destination = "[fc00::2]:80"; proto = "tcp"; } + ]; + description = + '' + List of forwarded ports from the external interface to + internal destinations by using DNAT. Destination can be + IPv6 if IPv6 NAT is enabled. + ''; + }; + + networking.nat.dmzHost = mkOption { + type = types.nullOr types.str; + default = null; + example = "10.0.0.1"; + description = + '' + The local IP address to which all traffic that does not match any + forwarding rule is forwarded. + ''; + }; + + networking.nat.extraCommands = mkOption { + type = types.lines; + default = ""; + example = "iptables -A INPUT -p icmp -j ACCEPT"; + description = + '' + Additional shell commands executed as part of the nat + initialisation script. + ''; + }; + + networking.nat.extraStopCommands = mkOption { + type = types.lines; + default = ""; + example = "iptables -D INPUT -p icmp -j ACCEPT || true"; + description = + '' + Additional shell commands executed as part of the nat + teardown script. + ''; + }; + + }; + + + ###### implementation + + config = mkMerge [ + { networking.firewall.extraCommands = mkBefore flushNat; } + (mkIf config.networking.nat.enable { + + assertions = [ + { assertion = cfg.enableIPv6 -> config.networking.enableIPv6; + message = "networking.nat.enableIPv6 requires networking.enableIPv6"; + } + { assertion = (cfg.dmzHost != null) -> (cfg.externalInterface != null); + message = "networking.nat.dmzHost requires networking.nat.externalInterface"; + } + { assertion = (cfg.forwardPorts != []) -> (cfg.externalInterface != null); + message = "networking.nat.forwardPorts requires networking.nat.externalInterface"; + } + ]; + + environment.systemPackages = [ pkgs.iptables ]; + + boot = { + kernelModules = [ "nf_nat_ftp" ]; + kernel.sysctl = { + "net.ipv4.conf.all.forwarding" = mkOverride 99 true; + "net.ipv4.conf.default.forwarding" = mkOverride 99 true; + } // optionalAttrs cfg.enableIPv6 { + # Do not prevent IPv6 autoconfiguration. + # See <http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/>. + "net.ipv6.conf.all.accept_ra" = mkOverride 99 2; + "net.ipv6.conf.default.accept_ra" = mkOverride 99 2; + + # Forward IPv6 packets. + "net.ipv6.conf.all.forwarding" = mkOverride 99 true; + "net.ipv6.conf.default.forwarding" = mkOverride 99 true; + }; + }; + + networking.firewall = mkIf config.networking.firewall.enable { + extraCommands = setupNat; + extraStopCommands = flushNat; + }; + + systemd.services = mkIf (!config.networking.firewall.enable) { nat = { + description = "Network Address Translation"; + wantedBy = [ "network.target" ]; + after = [ "network-pre.target" "systemd-modules-load.service" ]; + path = [ pkgs.iptables ]; + unitConfig.ConditionCapability = "CAP_NET_ADMIN"; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + + script = flushNat + setupNat; + + postStop = flushNat; + }; }; + }) + ]; +} diff --git a/nixos/modules/services/networking/nats.nix b/nixos/modules/services/networking/nats.nix new file mode 100644 index 00000000000..3e86a4f07bc --- /dev/null +++ b/nixos/modules/services/networking/nats.nix @@ -0,0 +1,158 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.nats; + + format = pkgs.formats.json { }; + + configFile = format.generate "nats.conf" cfg.settings; + +in { + + ### Interface + + options = { + services.nats = { + enable = mkEnableOption "NATS messaging system"; + + user = mkOption { + type = types.str; + default = "nats"; + description = "User account under which NATS runs."; + }; + + group = mkOption { + type = types.str; + default = "nats"; + description = "Group under which NATS runs."; + }; + + serverName = mkOption { + default = "nats"; + example = "n1-c3"; + type = types.str; + description = '' + Name of the NATS server, must be unique if clustered. + ''; + }; + + jetstream = mkEnableOption "JetStream"; + + port = mkOption { + default = 4222; + type = types.port; + description = '' + Port on which to listen. + ''; + }; + + dataDir = mkOption { + default = "/var/lib/nats"; + type = types.path; + description = '' + The NATS data directory. Only used if JetStream is enabled, for + storing stream metadata and messages. + + If left as the default value this directory will automatically be + created before the NATS server starts, otherwise the sysadmin is + responsible for ensuring the directory exists with appropriate + ownership and permissions. + ''; + }; + + settings = mkOption { + default = { }; + type = format.type; + example = literalExpression '' + { + jetstream = { + max_mem = "1G"; + max_file = "10G"; + }; + }; + ''; + description = '' + Declarative NATS configuration. See the + <link xlink:href="https://docs.nats.io/nats-server/configuration"> + NATS documentation</link> for a list of options. + ''; + }; + }; + }; + + ### Implementation + + config = mkIf cfg.enable { + services.nats.settings = { + server_name = cfg.serverName; + port = cfg.port; + jetstream = optionalAttrs cfg.jetstream { store_dir = cfg.dataDir; }; + }; + + systemd.services.nats = { + description = "NATS messaging system"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = mkMerge [ + (mkIf (cfg.dataDir == "/var/lib/nats") { + StateDirectory = "nats"; + StateDirectoryMode = "0750"; + }) + { + Type = "simple"; + ExecStart = "${pkgs.nats-server}/bin/nats-server -c ${configFile}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + ExecStop = "${pkgs.coreutils}/bin/kill -SIGINT $MAINPID"; + Restart = "on-failure"; + + User = cfg.user; + Group = cfg.group; + + # Hardening + CapabilityBoundingSet = ""; + LimitNOFILE = 800000; # JetStream requires 2 FDs open per stream. + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadOnlyPaths = [ ]; + ReadWritePaths = [ cfg.dataDir ]; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0077"; + } + ]; + }; + + users.users = mkIf (cfg.user == "nats") { + nats = { + description = "NATS daemon user"; + isSystemUser = true; + group = cfg.group; + home = cfg.dataDir; + }; + }; + + users.groups = mkIf (cfg.group == "nats") { nats = { }; }; + }; + +} diff --git a/nixos/modules/services/networking/nbd.nix b/nixos/modules/services/networking/nbd.nix new file mode 100644 index 00000000000..87f8c41a8e5 --- /dev/null +++ b/nixos/modules/services/networking/nbd.nix @@ -0,0 +1,146 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.nbd; + configFormat = pkgs.formats.ini { }; + iniFields = with types; attrsOf (oneOf [ bool int float str ]); + serverConfig = configFormat.generate "nbd-server-config" + ({ + generic = + (cfg.server.extraOptions // { + user = "root"; + group = "root"; + port = cfg.server.listenPort; + } // (optionalAttrs (cfg.server.listenAddress != null) { + listenaddr = cfg.server.listenAddress; + })); + } + // (mapAttrs + (_: { path, allowAddresses, extraOptions }: + extraOptions // { + exportname = path; + } // (optionalAttrs (allowAddresses != null) { + authfile = pkgs.writeText "authfile" (concatStringsSep "\n" allowAddresses); + })) + cfg.server.exports) + ); + splitLists = + partition + (path: hasPrefix "/dev/" path) + (mapAttrsToList (_: { path, ... }: path) cfg.server.exports); + allowedDevices = splitLists.right; + boundPaths = splitLists.wrong; +in +{ + options = { + services.nbd = { + server = { + enable = mkEnableOption "the Network Block Device (nbd) server"; + + listenPort = mkOption { + type = types.port; + default = 10809; + description = "Port to listen on. The port is NOT automatically opened in the firewall."; + }; + + extraOptions = mkOption { + type = iniFields; + default = { + allowlist = false; + }; + description = '' + Extra options for the server. See + <citerefentry><refentrytitle>nbd-server</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>. + ''; + }; + + exports = mkOption { + description = "Files or block devices to make available over the network."; + default = { }; + type = with types; attrsOf + (submodule { + options = { + path = mkOption { + type = str; + description = "File or block device to export."; + example = "/dev/sdb1"; + }; + + allowAddresses = mkOption { + type = nullOr (listOf str); + default = null; + example = [ "10.10.0.0/24" "127.0.0.1" ]; + description = "IPs and subnets that are authorized to connect for this device. If not specified, the server will allow all connections."; + }; + + extraOptions = mkOption { + type = iniFields; + default = { + flush = true; + fua = true; + }; + description = '' + Extra options for this export. See + <citerefentry><refentrytitle>nbd-server</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>. + ''; + }; + }; + }); + }; + + listenAddress = mkOption { + type = with types; nullOr str; + description = "Address to listen on. If not specified, the server will listen on all interfaces."; + default = null; + example = "10.10.0.1"; + }; + }; + }; + }; + + config = mkIf cfg.server.enable { + boot.kernelModules = [ "nbd" ]; + + systemd.services.nbd-server = { + after = [ "network-online.target" ]; + before = [ "multi-user.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.nbd}/bin/nbd-server -C ${serverConfig}"; + Type = "forking"; + + DeviceAllow = map (path: "${path} rw") allowedDevices; + BindPaths = boundPaths; + + CapabilityBoundingSet = ""; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = false; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "noaccess"; + ProtectSystem = "strict"; + RestrictAddressFamilies = "AF_INET AF_INET6"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + UMask = "0077"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/ncdns.nix b/nixos/modules/services/networking/ncdns.nix new file mode 100644 index 00000000000..82c285d0516 --- /dev/null +++ b/nixos/modules/services/networking/ncdns.nix @@ -0,0 +1,283 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfgs = config.services; + cfg = cfgs.ncdns; + + dataDir = "/var/lib/ncdns"; + username = "ncdns"; + + valueType = with types; oneOf [ int str bool path ] + // { description = "setting type (integer, string, bool or path)"; }; + + configType = with types; attrsOf (nullOr (either valueType configType)) + // { description = '' + ncdns.conf configuration type. The format consists of an + attribute set of settings. Each setting can be either `null`, + a value or an attribute set. The allowed values are integers, + strings, booleans or paths. + ''; + }; + + configFile = pkgs.runCommand "ncdns.conf" + { json = builtins.toJSON cfg.settings; + passAsFile = [ "json" ]; + } + "${pkgs.remarshal}/bin/json2toml < $jsonPath > $out"; + + defaultFiles = { + public = "${dataDir}/bit.key"; + private = "${dataDir}/bit.private"; + zonePublic = "${dataDir}/bit-zone.key"; + zonePrivate = "${dataDir}/bit-zone.private"; + }; + + # if all keys are the default value + needsKeygen = all id (flip mapAttrsToList cfg.dnssec.keys + (n: v: v == getAttr n defaultFiles)); + + mkDefaultAttrs = mapAttrs (n: v: mkDefault v); + +in + +{ + + ###### interface + + options = { + + services.ncdns = { + + enable = mkEnableOption '' + ncdns, a Go daemon to bridge Namecoin to DNS. + To resolve .bit domains set <literal>services.namecoind.enable = true;</literal> + and an RPC username/password + ''; + + address = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + The IP address the ncdns resolver will bind to. Leave this unchanged + if you do not wish to directly expose the resolver. + ''; + }; + + port = mkOption { + type = types.port; + default = 5333; + description = '' + The port the ncdns resolver will bind to. + ''; + }; + + identity.hostname = mkOption { + type = types.str; + default = config.networking.hostName; + defaultText = literalExpression "config.networking.hostName"; + example = "example.com"; + description = '' + The hostname of this ncdns instance, which defaults to the machine + hostname. If specified, ncdns lists the hostname as an NS record at + the zone apex: + <programlisting> + bit. IN NS ns1.example.com. + </programlisting> + If unset ncdns will generate an internal psuedo-hostname under the + zone, which will resolve to the value of + <option>services.ncdns.identity.address</option>. + If you are only using ncdns locally you can ignore this. + ''; + }; + + identity.hostmaster = mkOption { + type = types.str; + default = ""; + example = "root@example.com"; + description = '' + An email address for the SOA record at the bit zone. + If you are only using ncdns locally you can ignore this. + ''; + }; + + identity.address = mkOption { + type = types.str; + default = "127.127.127.127"; + description = '' + The IP address the hostname specified in + <option>services.ncdns.identity.hostname</option> should resolve to. + If you are only using ncdns locally you can ignore this. + ''; + }; + + dnssec.enable = mkEnableOption '' + DNSSEC support in ncdns. This will generate KSK and ZSK keypairs + (unless provided via the options + <option>services.ncdns.dnssec.publicKey</option>, + <option>services.ncdns.dnssec.privateKey</option> etc.) and add a trust + anchor to recursive resolvers + ''; + + dnssec.keys.public = mkOption { + type = types.path; + default = defaultFiles.public; + description = '' + Path to the file containing the KSK public key. + The key can be generated using the <literal>dnssec-keygen</literal> + command, provided by the package <package>bind</package> as follows: + <programlisting> + $ dnssec-keygen -a RSASHA256 -3 -b 2048 -f KSK bit + </programlisting> + ''; + }; + + dnssec.keys.private = mkOption { + type = types.path; + default = defaultFiles.private; + description = '' + Path to the file containing the KSK private key. + ''; + }; + + dnssec.keys.zonePublic = mkOption { + type = types.path; + default = defaultFiles.zonePublic; + description = '' + Path to the file containing the ZSK public key. + The key can be generated using the <literal>dnssec-keygen</literal> + command, provided by the package <package>bind</package> as follows: + <programlisting> + $ dnssec-keygen -a RSASHA256 -3 -b 2048 bit + </programlisting> + ''; + }; + + dnssec.keys.zonePrivate = mkOption { + type = types.path; + default = defaultFiles.zonePrivate; + description = '' + Path to the file containing the ZSK private key. + ''; + }; + + settings = mkOption { + type = configType; + default = { }; + example = literalExpression '' + { # enable webserver + ncdns.httplistenaddr = ":8202"; + + # synchronize TLS certs + certstore.nss = true; + # note: all paths are relative to the config file + certstore.nsscertdir = "../../var/lib/ncdns"; + certstore.nssdbdir = "../../home/alice/.pki/nssdb"; + } + ''; + description = '' + ncdns settings. Use this option to configure ncds + settings not exposed in a NixOS option or to bypass one. + See the example ncdns.conf file at <link xlink:href=" + https://git.io/JfX7g"/> for the available options. + ''; + }; + + }; + + services.pdns-recursor.resolveNamecoin = mkOption { + type = types.bool; + default = false; + description = '' + Resolve <literal>.bit</literal> top-level domains using ncdns and namecoin. + ''; + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + services.pdns-recursor = mkIf cfgs.pdns-recursor.resolveNamecoin { + forwardZonesRecurse.bit = "127.0.0.1:${toString cfg.port}"; + luaConfig = + if cfg.dnssec.enable + then ''readTrustAnchorsFromFile("${cfg.dnssec.keys.public}")'' + else ''addNTA("bit", "namecoin DNSSEC disabled")''; + }; + + # Avoid pdns-recursor not finding the DNSSEC keys + systemd.services.pdns-recursor = mkIf cfgs.pdns-recursor.resolveNamecoin { + after = [ "ncdns.service" ]; + wants = [ "ncdns.service" ]; + }; + + services.ncdns.settings = mkDefaultAttrs { + ncdns = + { # Namecoin RPC + namecoinrpcaddress = + "${cfgs.namecoind.rpc.address}:${toString cfgs.namecoind.rpc.port}"; + namecoinrpcusername = cfgs.namecoind.rpc.user; + namecoinrpcpassword = cfgs.namecoind.rpc.password; + + # Identity + selfname = cfg.identity.hostname; + hostmaster = cfg.identity.hostmaster; + selfip = cfg.identity.address; + + # Other + bind = "${cfg.address}:${toString cfg.port}"; + } + // optionalAttrs cfg.dnssec.enable + { # DNSSEC + publickey = "../.." + cfg.dnssec.keys.public; + privatekey = "../.." + cfg.dnssec.keys.private; + zonepublickey = "../.." + cfg.dnssec.keys.zonePublic; + zoneprivatekey = "../.." + cfg.dnssec.keys.zonePrivate; + }; + + # Daemon + service.daemon = true; + xlog.journal = true; + }; + + users.users.ncdns = { + isSystemUser = true; + group = "ncdns"; + description = "ncdns daemon user"; + }; + users.groups.ncdns = {}; + + systemd.services.ncdns = { + description = "ncdns daemon"; + after = [ "namecoind.service" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = "ncdns"; + StateDirectory = "ncdns"; + Restart = "on-failure"; + ExecStart = "${pkgs.ncdns}/bin/ncdns -conf=${configFile}"; + }; + + preStart = optionalString (cfg.dnssec.enable && needsKeygen) '' + cd ${dataDir} + if [ ! -e bit.key ]; then + ${pkgs.bind}/bin/dnssec-keygen -a RSASHA256 -3 -b 2048 bit + mv Kbit.*.key bit-zone.key + mv Kbit.*.private bit-zone.private + ${pkgs.bind}/bin/dnssec-keygen -a RSASHA256 -3 -b 2048 -f KSK bit + mv Kbit.*.key bit.key + mv Kbit.*.private bit.private + fi + ''; + }; + + }; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + +} diff --git a/nixos/modules/services/networking/ndppd.nix b/nixos/modules/services/networking/ndppd.nix new file mode 100644 index 00000000000..6046ac860cf --- /dev/null +++ b/nixos/modules/services/networking/ndppd.nix @@ -0,0 +1,189 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.ndppd; + + render = s: f: concatStringsSep "\n" (mapAttrsToList f s); + prefer = a: b: if a != null then a else b; + + ndppdConf = prefer cfg.configFile (pkgs.writeText "ndppd.conf" '' + route-ttl ${toString cfg.routeTTL} + ${render cfg.proxies (proxyInterfaceName: proxy: '' + proxy ${prefer proxy.interface proxyInterfaceName} { + router ${boolToString proxy.router} + timeout ${toString proxy.timeout} + ttl ${toString proxy.ttl} + ${render proxy.rules (ruleNetworkName: rule: '' + rule ${prefer rule.network ruleNetworkName} { + ${rule.method}${if rule.method == "iface" then " ${rule.interface}" else ""} + }'')} + }'')} + ''); + + proxy = types.submodule { + options = { + interface = mkOption { + type = types.nullOr types.str; + description = '' + Listen for any Neighbor Solicitation messages on this interface, + and respond to them according to a set of rules. + Defaults to the name of the attrset. + ''; + default = null; + }; + router = mkOption { + type = types.bool; + description = '' + Turns on or off the router flag for Neighbor Advertisement Messages. + ''; + default = true; + }; + timeout = mkOption { + type = types.int; + description = '' + Controls how long to wait for a Neighbor Advertisment Message before + invalidating the entry, in milliseconds. + ''; + default = 500; + }; + ttl = mkOption { + type = types.int; + description = '' + Controls how long a valid or invalid entry remains in the cache, in + milliseconds. + ''; + default = 30000; + }; + rules = mkOption { + type = types.attrsOf rule; + description = '' + This is a rule that the target address is to match against. If no netmask + is provided, /128 is assumed. You may have several rule sections, and the + addresses may or may not overlap. + ''; + default = {}; + }; + }; + }; + + rule = types.submodule { + options = { + network = mkOption { + type = types.nullOr types.str; + description = '' + This is the target address is to match against. If no netmask + is provided, /128 is assumed. The addresses of serveral rules + may or may not overlap. + Defaults to the name of the attrset. + ''; + default = null; + }; + method = mkOption { + type = types.enum [ "static" "iface" "auto" ]; + description = '' + static: Immediately answer any Neighbor Solicitation Messages + (if they match the IP rule). + iface: Forward the Neighbor Solicitation Message through the specified + interface and only respond if a matching Neighbor Advertisement + Message is received. + auto: Same as iface, but instead of manually specifying the outgoing + interface, check for a matching route in /proc/net/ipv6_route. + ''; + default = "auto"; + }; + interface = mkOption { + type = types.nullOr types.str; + description = "Interface to use when method is iface."; + default = null; + }; + }; + }; + +in { + options.services.ndppd = { + enable = mkEnableOption "daemon that proxies NDP (Neighbor Discovery Protocol) messages between interfaces"; + interface = mkOption { + type = types.nullOr types.str; + description = '' + Interface which is on link-level with router. + (Legacy option, use services.ndppd.proxies.<interface>.rules.<network> instead) + ''; + default = null; + example = "eth0"; + }; + network = mkOption { + type = types.nullOr types.str; + description = '' + Network that we proxy. + (Legacy option, use services.ndppd.proxies.<interface>.rules.<network> instead) + ''; + default = null; + example = "1111::/64"; + }; + configFile = mkOption { + type = types.nullOr types.path; + description = "Path to configuration file."; + default = null; + }; + routeTTL = mkOption { + type = types.int; + description = '' + This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route, + in milliseconds. + ''; + default = 30000; + }; + proxies = mkOption { + type = types.attrsOf proxy; + description = '' + This sets up a listener, that will listen for any Neighbor Solicitation + messages, and respond to them according to a set of rules. + ''; + default = {}; + example = literalExpression '' + { + eth0.rules."1111::/64" = {}; + } + ''; + }; + }; + + config = mkIf cfg.enable { + warnings = mkIf (cfg.interface != null && cfg.network != null) [ '' + The options services.ndppd.interface and services.ndppd.network will probably be removed soon, + please use services.ndppd.proxies.<interface>.rules.<network> instead. + '' ]; + + services.ndppd.proxies = mkIf (cfg.interface != null && cfg.network != null) { + ${cfg.interface}.rules.${cfg.network} = {}; + }; + + systemd.services.ndppd = { + description = "NDP Proxy Daemon"; + documentation = [ "man:ndppd(1)" "man:ndppd.conf(5)" ]; + after = [ "network-pre.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.ndppd}/bin/ndppd -c ${ndppdConf}"; + + # Sandboxing + CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN"; + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = "AF_INET6 AF_PACKET AF_NETLINK"; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix new file mode 100644 index 00000000000..de4439415cf --- /dev/null +++ b/nixos/modules/services/networking/nebula.nix @@ -0,0 +1,217 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.nebula; + enabledNetworks = filterAttrs (n: v: v.enable) cfg.networks; + + format = pkgs.formats.yaml {}; + + nameToId = netName: "nebula-${netName}"; +in +{ + # Interface + + options = { + services.nebula = { + networks = mkOption { + description = "Nebula network definitions."; + default = {}; + type = types.attrsOf (types.submodule { + options = { + enable = mkOption { + type = types.bool; + default = true; + description = "Enable or disable this network."; + }; + + package = mkOption { + type = types.package; + default = pkgs.nebula; + defaultText = literalExpression "pkgs.nebula"; + description = "Nebula derivation to use."; + }; + + ca = mkOption { + type = types.path; + description = "Path to the certificate authority certificate."; + example = "/etc/nebula/ca.crt"; + }; + + cert = mkOption { + type = types.path; + description = "Path to the host certificate."; + example = "/etc/nebula/host.crt"; + }; + + key = mkOption { + type = types.path; + description = "Path to the host key."; + example = "/etc/nebula/host.key"; + }; + + staticHostMap = mkOption { + type = types.attrsOf (types.listOf (types.str)); + default = {}; + description = '' + The static host map defines a set of hosts with fixed IP addresses on the internet (or any network). + A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel. + ''; + example = { "192.168.100.1" = [ "100.64.22.11:4242" ]; }; + }; + + isLighthouse = mkOption { + type = types.bool; + default = false; + description = "Whether this node is a lighthouse."; + }; + + lighthouses = mkOption { + type = types.listOf types.str; + default = []; + description = '' + List of IPs of lighthouse hosts this node should report to and query from. This should be empty on lighthouse + nodes. The IPs should be the lighthouse's Nebula IPs, not their external IPs. + ''; + example = [ "192.168.100.1" ]; + }; + + listen.host = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "IP address to listen on."; + }; + + listen.port = mkOption { + type = types.port; + default = 4242; + description = "Port number to listen on."; + }; + + tun.disable = mkOption { + type = types.bool; + default = false; + description = '' + When tun is disabled, a lighthouse can be started without a local tun interface (and therefore without root). + ''; + }; + + tun.device = mkOption { + type = types.nullOr types.str; + default = null; + description = "Name of the tun device. Defaults to nebula.\${networkName}."; + }; + + firewall.outbound = mkOption { + type = types.listOf types.attrs; + default = []; + description = "Firewall rules for outbound traffic."; + example = [ { port = "any"; proto = "any"; host = "any"; } ]; + }; + + firewall.inbound = mkOption { + type = types.listOf types.attrs; + default = []; + description = "Firewall rules for inbound traffic."; + example = [ { port = "any"; proto = "any"; host = "any"; } ]; + }; + + settings = mkOption { + type = format.type; + default = {}; + description = '' + Nebula configuration. Refer to + <link xlink:href="https://github.com/slackhq/nebula/blob/master/examples/config.yml"/> + for details on supported values. + ''; + example = literalExpression '' + { + lighthouse.dns = { + host = "0.0.0.0"; + port = 53; + }; + } + ''; + }; + }; + }); + }; + }; + }; + + # Implementation + config = mkIf (enabledNetworks != {}) { + systemd.services = mkMerge (mapAttrsToList (netName: netCfg: + let + networkId = nameToId netName; + settings = recursiveUpdate { + pki = { + ca = netCfg.ca; + cert = netCfg.cert; + key = netCfg.key; + }; + static_host_map = netCfg.staticHostMap; + lighthouse = { + am_lighthouse = netCfg.isLighthouse; + hosts = netCfg.lighthouses; + }; + listen = { + host = netCfg.listen.host; + port = netCfg.listen.port; + }; + tun = { + disabled = netCfg.tun.disable; + dev = if (netCfg.tun.device != null) then netCfg.tun.device else "nebula.${netName}"; + }; + firewall = { + inbound = netCfg.firewall.inbound; + outbound = netCfg.firewall.outbound; + }; + } netCfg.settings; + configFile = format.generate "nebula-config-${netName}.yml" settings; + in + { + # Create systemd service for Nebula. + "nebula@${netName}" = { + description = "Nebula VPN service for ${netName}"; + wants = [ "basic.target" ]; + after = [ "basic.target" "network.target" ]; + before = [ "sshd.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = mkMerge [ + { + Type = "simple"; + Restart = "always"; + ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}"; + } + # The service needs to launch as root to access the tun device, if it's enabled. + (mkIf netCfg.tun.disable { + User = networkId; + Group = networkId; + }) + ]; + }; + }) enabledNetworks); + + # Open the chosen ports for UDP. + networking.firewall.allowedUDPPorts = + unique (mapAttrsToList (netName: netCfg: netCfg.listen.port) enabledNetworks); + + # Create the service users and groups. + users.users = mkMerge (mapAttrsToList (netName: netCfg: + mkIf netCfg.tun.disable { + ${nameToId netName} = { + group = nameToId netName; + description = "Nebula service user for network ${netName}"; + isSystemUser = true; + }; + }) enabledNetworks); + + users.groups = mkMerge (mapAttrsToList (netName: netCfg: + mkIf netCfg.tun.disable { + ${nameToId netName} = {}; + }) enabledNetworks); + }; +} diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix new file mode 100644 index 00000000000..7a9d9e5428a --- /dev/null +++ b/nixos/modules/services/networking/networkmanager.nix @@ -0,0 +1,568 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.networking.networkmanager; + + basePackages = with pkgs; [ + modemmanager + networkmanager + networkmanager-fortisslvpn + networkmanager-iodine + networkmanager-l2tp + networkmanager-openconnect + networkmanager-openvpn + networkmanager-vpnc + networkmanager-sstp + ] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant; + + delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != []; + + enableIwd = cfg.wifi.backend == "iwd"; + + mkValue = v: + if v == true then "yes" + else if v == false then "no" + else if lib.isInt v then toString v + else v; + + mkSection = name: attrs: '' + [${name}] + ${ + lib.concatStringsSep "\n" + (lib.mapAttrsToList + (k: v: "${k}=${mkValue v}") + (lib.filterAttrs + (k: v: v != null) + attrs)) + } + ''; + + configFile = pkgs.writeText "NetworkManager.conf" (lib.concatStringsSep "\n" [ + (mkSection "main" { + plugins = "keyfile"; + dhcp = cfg.dhcp; + dns = cfg.dns; + # If resolvconf is disabled that means that resolv.conf is managed by some other module. + rc-manager = + if config.networking.resolvconf.enable then "resolvconf" + else "unmanaged"; + firewall-backend = cfg.firewallBackend; + }) + (mkSection "keyfile" { + unmanaged-devices = + if cfg.unmanaged == [] then null + else lib.concatStringsSep ";" cfg.unmanaged; + }) + (mkSection "logging" { + audit = config.security.audit.enable; + level = cfg.logLevel; + }) + (mkSection "connection" cfg.connectionConfig) + (mkSection "device" { + "wifi.scan-rand-mac-address" = cfg.wifi.scanRandMacAddress; + "wifi.backend" = cfg.wifi.backend; + }) + cfg.extraConfig + ]); + + /* + [network-manager] + Identity=unix-group:networkmanager + Action=org.freedesktop.NetworkManager.* + ResultAny=yes + ResultInactive=no + ResultActive=yes + + [modem-manager] + Identity=unix-group:networkmanager + Action=org.freedesktop.ModemManager* + ResultAny=yes + ResultInactive=no + ResultActive=yes + */ + polkitConf = '' + polkit.addRule(function(action, subject) { + if ( + subject.isInGroup("networkmanager") + && (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 + || action.id.indexOf("org.freedesktop.ModemManager") == 0 + )) + { return polkit.Result.YES; } + }); + ''; + + ns = xs: pkgs.writeText "nameservers" ( + concatStrings (map (s: "nameserver ${s}\n") xs) + ); + + overrideNameserversScript = pkgs.writeScript "02overridedns" '' + #!/bin/sh + PATH=${with pkgs; makeBinPath [ gnused gnugrep coreutils ]} + tmp=$(mktemp) + sed '/nameserver /d' /etc/resolv.conf > $tmp + grep 'nameserver ' /etc/resolv.conf | \ + grep -vf ${ns (cfg.appendNameservers ++ cfg.insertNameservers)} > $tmp.ns + cat $tmp ${ns cfg.insertNameservers} $tmp.ns ${ns cfg.appendNameservers} > /etc/resolv.conf + rm -f $tmp $tmp.ns + ''; + + dispatcherTypesSubdirMap = { + basic = ""; + pre-up = "pre-up.d/"; + pre-down = "pre-down.d/"; + }; + + macAddressOpt = mkOption { + type = types.either types.str (types.enum ["permanent" "preserve" "random" "stable"]); + default = "preserve"; + example = "00:11:22:33:44:55"; + description = '' + Set the MAC address of the interface. + <variablelist> + <varlistentry> + <term>"XX:XX:XX:XX:XX:XX"</term> + <listitem><para>MAC address of the interface</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"permanent"</literal></term> + <listitem><para>Use the permanent MAC address of the device</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"preserve"</literal></term> + <listitem><para>Don’t change the MAC address of the device upon activation</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"random"</literal></term> + <listitem><para>Generate a randomized value upon each connect</para></listitem> + </varlistentry> + <varlistentry> + <term><literal>"stable"</literal></term> + <listitem><para>Generate a stable, hashed MAC address</para></listitem> + </varlistentry> + </variablelist> + ''; + }; + +in { + + meta = { + maintainers = teams.freedesktop.members; + }; + + ###### interface + + options = { + + networking.networkmanager = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to use NetworkManager to obtain an IP address and other + configuration for all network interfaces that are not manually + configured. If enabled, a group <literal>networkmanager</literal> + will be created. Add all users that should have permission + to change network settings to this group. + ''; + }; + + connectionConfig = mkOption { + type = with types; attrsOf (nullOr (oneOf [ + bool + int + str + ])); + default = {}; + description = '' + Configuration for the [connection] section of NetworkManager.conf. + Refer to + <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html"> + https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html#id-1.2.3.11 + </link> + or + <citerefentry> + <refentrytitle>NetworkManager.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + for more information. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Configuration appended to the generated NetworkManager.conf. + Refer to + <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html"> + https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html + </link> + or + <citerefentry> + <refentrytitle>NetworkManager.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + for more information. + ''; + }; + + unmanaged = mkOption { + type = types.listOf types.str; + default = []; + description = '' + List of interfaces that will not be managed by NetworkManager. + Interface name can be specified here, but if you need more fidelity, + refer to + <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html#device-spec"> + https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html#device-spec + </link> + or the "Device List Format" Appendix of + <citerefentry> + <refentrytitle>NetworkManager.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry>. + ''; + }; + + packages = mkOption { + type = types.listOf types.package; + default = [ ]; + description = '' + Extra packages that provide NetworkManager plugins. + ''; + apply = list: basePackages ++ list; + }; + + dhcp = mkOption { + type = types.enum [ "dhclient" "dhcpcd" "internal" ]; + default = "internal"; + description = '' + Which program (or internal library) should be used for DHCP. + ''; + }; + + firewallBackend = mkOption { + type = types.enum [ "iptables" "nftables" "none" ]; + default = "iptables"; + description = '' + Which firewall backend should be used for configuring masquerading with shared mode. + If set to none, NetworkManager doesn't manage the configuration at all. + ''; + }; + + logLevel = mkOption { + type = types.enum [ "OFF" "ERR" "WARN" "INFO" "DEBUG" "TRACE" ]; + default = "WARN"; + description = '' + Set the default logging verbosity level. + ''; + }; + + appendNameservers = mkOption { + type = types.listOf types.str; + default = []; + description = '' + A list of name servers that should be appended + to the ones configured in NetworkManager or received by DHCP. + ''; + }; + + insertNameservers = mkOption { + type = types.listOf types.str; + default = []; + description = '' + A list of name servers that should be inserted before + the ones configured in NetworkManager or received by DHCP. + ''; + }; + + ethernet.macAddress = macAddressOpt; + + wifi = { + macAddress = macAddressOpt; + + backend = mkOption { + type = types.enum [ "wpa_supplicant" "iwd" ]; + default = "wpa_supplicant"; + description = '' + Specify the Wi-Fi backend used for the device. + Currently supported are <option>wpa_supplicant</option> or <option>iwd</option> (experimental). + ''; + }; + + powersave = mkOption { + type = types.nullOr types.bool; + default = null; + description = '' + Whether to enable Wi-Fi power saving. + ''; + }; + + scanRandMacAddress = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable MAC address randomization of a Wi-Fi device + during scanning. + ''; + }; + }; + + dns = mkOption { + type = types.enum [ "default" "dnsmasq" "unbound" "systemd-resolved" "none" ]; + default = "default"; + description = '' + Set the DNS (<literal>resolv.conf</literal>) processing mode. + </para> + <para> + A description of these modes can be found in the main section of + <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html"> + https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html + </link> + or in + <citerefentry> + <refentrytitle>NetworkManager.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry>. + ''; + }; + + dispatcherScripts = mkOption { + type = types.listOf (types.submodule { + options = { + source = mkOption { + type = types.path; + description = '' + Path to the hook script. + ''; + }; + + type = mkOption { + type = types.enum (attrNames dispatcherTypesSubdirMap); + default = "basic"; + description = '' + Dispatcher hook type. Look up the hooks described at + <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.html">https://developer.gnome.org/NetworkManager/stable/NetworkManager.html</link> + and choose the type depending on the output folder. + You should then filter the event type (e.g., "up"/"down") from within your script. + ''; + }; + }; + }); + default = []; + example = literalExpression '' + [ { + source = pkgs.writeText "upHook" ''' + + if [ "$2" != "up" ]; then + logger "exit: event $2 != up" + exit + fi + + # coreutils and iproute are in PATH too + logger "Device $DEVICE_IFACE coming up" + '''; + type = "basic"; + } ]''; + description = '' + A list of scripts which will be executed in response to network events. + ''; + }; + + enableStrongSwan = mkOption { + type = types.bool; + default = false; + description = '' + Enable the StrongSwan plugin. + </para><para> + If you enable this option the + <literal>networkmanager_strongswan</literal> plugin will be added to + the <option>networking.networkmanager.packages</option> option + so you don't need to to that yourself. + ''; + }; + + enableFccUnlock = mkOption { + type = types.bool; + default = false; + description = '' + Enable FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer + automatically performs the FCC unlock procedure by default. See + <link xlink:href="https://modemmanager.org/docs/modemmanager/fcc-unlock/">the docs</link> + for more details. + ''; + }; + }; + }; + + imports = [ + (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ]) + (mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] '' + This option was removed because allowing (multiple) regular users to + override host entries affecting the whole system opens up a huge attack + vector. There seem to be very rare cases where this might be useful. + Consider setting system-wide host entries using networking.hosts, provide + them via the DNS server in your network, or use environment.etc + to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir. + '') + ]; + + + ###### implementation + + config = mkIf cfg.enable { + + assertions = [ + { assertion = config.networking.wireless.enable == true -> cfg.unmanaged != []; + message = '' + You can not use networking.networkmanager with networking.wireless. + Except if you mark some interfaces as <literal>unmanaged</literal> by NetworkManager. + ''; + } + ]; + + hardware.wirelessRegulatoryDatabase = true; + + environment.etc = with pkgs; { + "NetworkManager/NetworkManager.conf".source = configFile; + + "NetworkManager/VPN/nm-openvpn-service.name".source = + "${networkmanager-openvpn}/lib/NetworkManager/VPN/nm-openvpn-service.name"; + + "NetworkManager/VPN/nm-vpnc-service.name".source = + "${networkmanager-vpnc}/lib/NetworkManager/VPN/nm-vpnc-service.name"; + + "NetworkManager/VPN/nm-openconnect-service.name".source = + "${networkmanager-openconnect}/lib/NetworkManager/VPN/nm-openconnect-service.name"; + + "NetworkManager/VPN/nm-fortisslvpn-service.name".source = + "${networkmanager-fortisslvpn}/lib/NetworkManager/VPN/nm-fortisslvpn-service.name"; + + "NetworkManager/VPN/nm-l2tp-service.name".source = + "${networkmanager-l2tp}/lib/NetworkManager/VPN/nm-l2tp-service.name"; + + "NetworkManager/VPN/nm-iodine-service.name".source = + "${networkmanager-iodine}/lib/NetworkManager/VPN/nm-iodine-service.name"; + + "NetworkManager/VPN/nm-sstp-service.name".source = + "${networkmanager-sstp}/lib/NetworkManager/VPN/nm-sstp-service.name"; + + } + // optionalAttrs cfg.enableFccUnlock + { + "ModemManager/fcc-unlock.d".source = + "${pkgs.modemmanager}/share/ModemManager/fcc-unlock.available.d/*"; + } + // optionalAttrs (cfg.appendNameservers != [] || cfg.insertNameservers != []) + { + "NetworkManager/dispatcher.d/02overridedns".source = overrideNameserversScript; + } + // optionalAttrs cfg.enableStrongSwan + { + "NetworkManager/VPN/nm-strongswan-service.name".source = + "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name"; + } + // listToAttrs (lib.imap1 (i: s: + { + name = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}"; + value = { mode = "0544"; inherit (s) source; }; + }) cfg.dispatcherScripts); + + environment.systemPackages = cfg.packages; + + users.groups = { + networkmanager.gid = config.ids.gids.networkmanager; + nm-openvpn.gid = config.ids.gids.nm-openvpn; + }; + + users.users = { + nm-openvpn = { + uid = config.ids.uids.nm-openvpn; + group = "nm-openvpn"; + extraGroups = [ "networkmanager" ]; + }; + nm-iodine = { + isSystemUser = true; + group = "networkmanager"; + }; + }; + + systemd.packages = cfg.packages; + + systemd.tmpfiles.rules = [ + "d /etc/NetworkManager/system-connections 0700 root root -" + "d /etc/ipsec.d 0700 root root -" + "d /var/lib/NetworkManager-fortisslvpn 0700 root root -" + + "d /var/lib/dhclient 0755 root root -" + "d /var/lib/misc 0755 root root -" # for dnsmasq.leases + ]; + + systemd.services.NetworkManager = { + wantedBy = [ "network.target" ]; + restartTriggers = [ configFile ]; + + aliases = [ "dbus-org.freedesktop.NetworkManager.service" ]; + + serviceConfig = { + StateDirectory = "NetworkManager"; + StateDirectoryMode = 755; # not sure if this really needs to be 755 + }; + }; + + systemd.services.NetworkManager-wait-online = { + wantedBy = [ "network-online.target" ]; + }; + + systemd.services.ModemManager.aliases = [ "dbus-org.freedesktop.ModemManager1.service" ]; + + systemd.services.NetworkManager-dispatcher = { + wantedBy = [ "network.target" ]; + restartTriggers = [ configFile overrideNameserversScript ]; + + # useful binaries for user-specified hooks + path = [ pkgs.iproute2 pkgs.util-linux pkgs.coreutils ]; + aliases = [ "dbus-org.freedesktop.nm-dispatcher.service" ]; + }; + + # Turn off NixOS' network management when networking is managed entirely by NetworkManager + networking = mkMerge [ + (mkIf (!delegateWireless) { + useDHCP = false; + }) + + (mkIf cfg.enableStrongSwan { + networkmanager.packages = [ pkgs.networkmanager_strongswan ]; + }) + + (mkIf enableIwd { + wireless.iwd.enable = true; + }) + + { + networkmanager.connectionConfig = { + "ethernet.cloned-mac-address" = cfg.ethernet.macAddress; + "wifi.cloned-mac-address" = cfg.wifi.macAddress; + "wifi.powersave" = + if cfg.wifi.powersave == null then null + else if cfg.wifi.powersave then 3 + else 2; + }; + } + ]; + + boot.kernelModules = [ "ctr" ]; + + security.polkit.enable = true; + security.polkit.extraConfig = polkitConf; + + services.dbus.packages = cfg.packages + ++ optional cfg.enableStrongSwan pkgs.strongswanNM + ++ optional (cfg.dns == "dnsmasq") pkgs.dnsmasq; + + services.udev.packages = cfg.packages; + }; +} diff --git a/nixos/modules/services/networking/nextdns.nix b/nixos/modules/services/networking/nextdns.nix new file mode 100644 index 00000000000..b070eeec894 --- /dev/null +++ b/nixos/modules/services/networking/nextdns.nix @@ -0,0 +1,44 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.nextdns; +in { + options = { + services.nextdns = { + enable = mkOption { + type = types.bool; + default = false; + description = "Whether to enable the NextDNS DNS/53 to DoH Proxy service."; + }; + arguments = mkOption { + type = types.listOf types.str; + default = []; + example = [ "-config" "10.0.3.0/24=abcdef" ]; + description = "Additional arguments to be passed to nextdns run."; + }; + }; + }; + + # https://github.com/nextdns/nextdns/blob/628ea509eaaccd27adb66337db03e5b56f6f38a8/host/service/systemd/service.go + config = mkIf cfg.enable { + systemd.services.nextdns = { + description = "NextDNS DNS/53 to DoH Proxy"; + environment = { + SERVICE_RUN_MODE = "1"; + }; + startLimitIntervalSec = 5; + startLimitBurst = 10; + serviceConfig = { + ExecStart = "${pkgs.nextdns}/bin/nextdns run ${escapeShellArgs config.services.nextdns.arguments}"; + RestartSec = 120; + LimitMEMLOCK = "infinity"; + }; + after = [ "network.target" ]; + before = [ "nss-lookup.target" ]; + wants = [ "nss-lookup.target" ]; + wantedBy = [ "multi-user.target" ]; + }; + }; +} diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix new file mode 100644 index 00000000000..b911f97491e --- /dev/null +++ b/nixos/modules/services/networking/nftables.nix @@ -0,0 +1,131 @@ +{ config, pkgs, lib, ... }: +with lib; +let + cfg = config.networking.nftables; +in +{ + ###### interface + + options = { + networking.nftables.enable = mkOption { + type = types.bool; + default = false; + description = + '' + Whether to enable nftables. nftables is a Linux-based packet + filtering framework intended to replace frameworks like iptables. + + This conflicts with the standard networking firewall, so make sure to + disable it before using nftables. + + Note that if you have Docker enabled you will not be able to use + nftables without intervention. Docker uses iptables internally to + setup NAT for containers. This module disables the ip_tables kernel + module, however Docker automatically loads the module. Please see [1] + for more information. + + There are other programs that use iptables internally too, such as + libvirt. For information on how the two firewalls interact, see [2]. + + [1]: https://github.com/NixOS/nixpkgs/issues/24318#issuecomment-289216273 + [2]: https://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting#Question_4._How_do_nftables_and_iptables_interact_when_used_on_the_same_system.3F + ''; + }; + networking.nftables.ruleset = mkOption { + type = types.lines; + default = ""; + example = '' + # Check out https://wiki.nftables.org/ for better documentation. + # Table for both IPv4 and IPv6. + table inet filter { + # Block all incomming connections traffic except SSH and "ping". + chain input { + type filter hook input priority 0; + + # accept any localhost traffic + iifname lo accept + + # accept traffic originated from us + ct state {established, related} accept + + # ICMP + # routers may also want: mld-listener-query, nd-router-solicit + ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept + ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept + + # allow "ping" + ip6 nexthdr icmpv6 icmpv6 type echo-request accept + ip protocol icmp icmp type echo-request accept + + # accept SSH connections (required for a server) + tcp dport 22 accept + + # count and drop any other traffic + counter drop + } + + # Allow all outgoing connections. + chain output { + type filter hook output priority 0; + accept + } + + chain forward { + type filter hook forward priority 0; + accept + } + } + ''; + description = + '' + The ruleset to be used with nftables. Should be in a format that + can be loaded using "/bin/nft -f". The ruleset is updated atomically. + ''; + }; + networking.nftables.rulesetFile = mkOption { + type = types.path; + default = pkgs.writeTextFile { + name = "nftables-rules"; + text = cfg.ruleset; + }; + defaultText = literalDocBook ''a file with the contents of <option>networking.nftables.ruleset</option>''; + description = + '' + The ruleset file to be used with nftables. Should be in a format that + can be loaded using "nft -f". The ruleset is updated atomically. + ''; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + assertions = [{ + assertion = config.networking.firewall.enable == false; + message = "You can not use nftables and iptables at the same time. networking.firewall.enable must be set to false."; + }]; + boot.blacklistedKernelModules = [ "ip_tables" ]; + environment.systemPackages = [ pkgs.nftables ]; + networking.networkmanager.firewallBackend = mkDefault "nftables"; + systemd.services.nftables = { + description = "nftables firewall"; + before = [ "network-pre.target" ]; + wants = [ "network-pre.target" ]; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + serviceConfig = let + rulesScript = pkgs.writeScript "nftables-rules" '' + #! ${pkgs.nftables}/bin/nft -f + flush ruleset + include "${cfg.rulesetFile}" + ''; + in { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = rulesScript; + ExecReload = rulesScript; + ExecStop = "${pkgs.nftables}/bin/nft flush ruleset"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/nghttpx/backend-params-submodule.nix b/nixos/modules/services/networking/nghttpx/backend-params-submodule.nix new file mode 100644 index 00000000000..6523f4b8b9e --- /dev/null +++ b/nixos/modules/services/networking/nghttpx/backend-params-submodule.nix @@ -0,0 +1,131 @@ +{ lib, ...}: +{ options = { + proto = lib.mkOption { + type = lib.types.enum [ "h2" "http/1.1" ]; + default = "http/1.1"; + description = '' + This option configures the protocol the backend server expects + to use. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b + for more detail. + ''; + }; + + tls = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + This option determines whether nghttpx will negotiate its + connection with a backend server using TLS or not. The burden + is on the backend server to provide the TLS certificate! + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b + for more detail. + ''; + }; + + sni = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = '' + Override the TLS SNI field value. This value (in nghttpx) + defaults to the host value of the backend configuration. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b + for more detail. + ''; + }; + + fall = lib.mkOption { + type = lib.types.int; + default = 0; + description = '' + If nghttpx cannot connect to the backend N times in a row, the + backend is assumed to be offline and is excluded from load + balancing. If N is 0 the backend is never excluded from load + balancing. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b + for more detail. + ''; + }; + + rise = lib.mkOption { + type = lib.types.int; + default = 0; + description = '' + If the backend is excluded from load balancing, nghttpx will + periodically attempt to make a connection to the backend. If + the connection is successful N times in a row the backend is + re-included in load balancing. If N is 0 a backend is never + reconsidered for load balancing once it falls. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b + for more detail. + ''; + }; + + affinity = lib.mkOption { + type = lib.types.enum [ "ip" "none" ]; + default = "none"; + description = '' + If "ip" is given, client IP based session affinity is + enabled. If "none" is given, session affinity is disabled. + + Session affinity is enabled (by nghttpx) per-backend + pattern. If at least one backend has a non-"none" affinity, + then session affinity is enabled for all backend servers + sharing the same pattern. + + It is advised to set affinity on all backends explicitly if + session affinity is desired. The session affinity may break if + one of the backend gets unreachable, or backend settings are + reloaded or replaced by API. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b + for more detail. + ''; + }; + + dns = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Name resolution of a backends host name is done at start up, + or configuration reload. If "dns" is true, name resolution + takes place dynamically. + + This is useful if a backends address changes frequently. If + "dns" is true, name resolution of a backend's host name at + start up, or configuration reload is skipped. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b + for more detail. + ''; + }; + + redirect-if-not-tls = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + If true, a backend match requires the frontend connection be + TLS encrypted. If it is not, nghttpx responds to the request + with a 308 status code and https URI the client should use + instead in the Location header. + + The port number in the redirect URI is 443 by default and can + be changed using 'services.nghttpx.redirect-https-port' + option. + + If at least one backend has "redirect-if-not-tls" set to true, + this feature is enabled for all backend servers with the same + pattern. It is advised to set "redirect-if-no-tls" parameter + to all backends explicitly if this feature is desired. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b + for more detail. + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/nghttpx/backend-submodule.nix b/nixos/modules/services/networking/nghttpx/backend-submodule.nix new file mode 100644 index 00000000000..eb559e926e7 --- /dev/null +++ b/nixos/modules/services/networking/nghttpx/backend-submodule.nix @@ -0,0 +1,50 @@ +{ lib, ... }: +{ options = { + server = lib.mkOption { + type = + lib.types.either + (lib.types.submodule (import ./server-options.nix)) + (lib.types.path); + example = { + host = "127.0.0.1"; + port = 8888; + }; + default = { + host = "127.0.0.1"; + port = 80; + }; + description = '' + Backend server location specified as either a host:port pair + or a unix domain docket. + ''; + }; + + patterns = lib.mkOption { + type = lib.types.listOf lib.types.str; + example = [ + "*.host.net/v1/" + "host.org/v2/mypath" + "/somepath" + ]; + default = []; + description = '' + List of nghttpx backend patterns. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b + for more information on the pattern syntax and nghttpxs behavior. + ''; + }; + + params = lib.mkOption { + type = lib.types.nullOr (lib.types.submodule (import ./backend-params-submodule.nix)); + example = { + proto = "h2"; + tls = true; + }; + default = null; + description = '' + Parameters to configure a backend. + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/nghttpx/default.nix b/nixos/modules/services/networking/nghttpx/default.nix new file mode 100644 index 00000000000..b8a0a24e3aa --- /dev/null +++ b/nixos/modules/services/networking/nghttpx/default.nix @@ -0,0 +1,118 @@ +{config, pkgs, lib, ...}: +let + cfg = config.services.nghttpx; + + # renderHost :: Either ServerOptions Path -> String + renderHost = server: + if builtins.isString server + then "unix://${server}" + else "${server.host},${builtins.toString server.port}"; + + # Filter out submodule parameters whose value is null or false or is + # the key _module. + # + # filterParams :: ParamsSubmodule -> ParamsSubmodule + filterParams = p: + lib.filterAttrs + (n: v: ("_module" != n) && (null != v) && (false != v)) + (lib.optionalAttrs (null != p) p); + + # renderBackend :: BackendSubmodule -> String + renderBackend = backend: + let + host = renderHost backend.server; + patterns = lib.concatStringsSep ":" backend.patterns; + + # Render a set of backend parameters, this is somewhat + # complicated because nghttpx backend patterns can be entirely + # omitted and the params may be given as a mixed collection of + # 'key=val' pairs or atoms (e.g: 'proto=h2;tls') + params = + lib.mapAttrsToList + (n: v: + if builtins.isBool v + then n + else if builtins.isString v + then "${n}=${v}" + else "${n}=${builtins.toString v}") + (filterParams backend.params); + + # NB: params are delimited by a ";" which is the same delimiter + # to separate the host;[pattern];[params] sections of a backend + sections = + builtins.filter (e: "" != e) ([ + host + patterns + ]++params); + formattedSections = lib.concatStringsSep ";" sections; + in + "backend=${formattedSections}"; + + # renderFrontend :: FrontendSubmodule -> String + renderFrontend = frontend: + let + host = renderHost frontend.server; + params0 = + lib.mapAttrsToList + (n: v: if builtins.isBool v then n else v) + (filterParams frontend.params); + + # NB: nghttpx doesn't accept "tls", you must omit "no-tls" for + # the default behavior of turning on TLS. + params1 = lib.remove "tls" params0; + + sections = [ host] ++ params1; + formattedSections = lib.concatStringsSep ";" sections; + in + "frontend=${formattedSections}"; + + configurationFile = pkgs.writeText "nghttpx.conf" '' + ${lib.optionalString (null != cfg.tls) ("private-key-file="+cfg.tls.key)} + ${lib.optionalString (null != cfg.tls) ("certificate-file="+cfg.tls.crt)} + + user=nghttpx + + ${lib.concatMapStringsSep "\n" renderFrontend cfg.frontends} + ${lib.concatMapStringsSep "\n" renderBackend cfg.backends} + + backlog=${builtins.toString cfg.backlog} + backend-address-family=${cfg.backend-address-family} + + workers=${builtins.toString cfg.workers} + rlimit-nofile=${builtins.toString cfg.rlimit-nofile} + + ${lib.optionalString cfg.single-thread "single-thread=yes"} + ${lib.optionalString cfg.single-process "single-process=yes"} + + ${cfg.extraConfig} + ''; +in +{ imports = [ + ./nghttpx-options.nix + ]; + + config = lib.mkIf cfg.enable { + + users.groups.nghttpx = { }; + users.users.nghttpx = { + group = config.users.groups.nghttpx.name; + isSystemUser = true; + }; + + + systemd.services = { + nghttpx = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + script = '' + ${pkgs.nghttp2}/bin/nghttpx --conf=${configurationFile} + ''; + + serviceConfig = { + Restart = "on-failure"; + RestartSec = 60; + }; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/nghttpx/frontend-params-submodule.nix b/nixos/modules/services/networking/nghttpx/frontend-params-submodule.nix new file mode 100644 index 00000000000..33c8572bd14 --- /dev/null +++ b/nixos/modules/services/networking/nghttpx/frontend-params-submodule.nix @@ -0,0 +1,64 @@ +{ lib, ...}: +{ options = { + tls = lib.mkOption { + type = lib.types.enum [ "tls" "no-tls" ]; + default = "tls"; + description = '' + Enable or disable TLS. If true (enabled) the key and + certificate must be configured for nghttpx. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f + for more detail. + ''; + }; + + sni-fwd = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + When performing a match to select a backend server, SNI host + name received from the client is used instead of the request + host. See --backend option about the pattern match. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f + for more detail. + ''; + }; + + api = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable API access for this frontend. This enables you to + dynamically modify nghttpx at run-time therefore this feature + is disabled by default and should be turned on with care. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f + for more detail. + ''; + }; + + healthmon = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Make this frontend a health monitor endpoint. Any request + received on this frontend is responded to with a 200 OK. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f + for more detail. + ''; + }; + + proxyproto = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Accept PROXY protocol version 1 on frontend connection. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f + for more detail. + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/nghttpx/frontend-submodule.nix b/nixos/modules/services/networking/nghttpx/frontend-submodule.nix new file mode 100644 index 00000000000..887ef450213 --- /dev/null +++ b/nixos/modules/services/networking/nghttpx/frontend-submodule.nix @@ -0,0 +1,36 @@ +{ lib, ... }: +{ options = { + server = lib.mkOption { + type = + lib.types.either + (lib.types.submodule (import ./server-options.nix)) + (lib.types.path); + example = { + host = "127.0.0.1"; + port = 8888; + }; + default = { + host = "127.0.0.1"; + port = 80; + }; + description = '' + Frontend server interface binding specification as either a + host:port pair or a unix domain docket. + + NB: a host of "*" listens on all interfaces and includes IPv6 + addresses. + ''; + }; + + params = lib.mkOption { + type = lib.types.nullOr (lib.types.submodule (import ./frontend-params-submodule.nix)); + example = { + tls = "tls"; + }; + default = null; + description = '' + Parameters to configure a backend. + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/nghttpx/nghttpx-options.nix b/nixos/modules/services/networking/nghttpx/nghttpx-options.nix new file mode 100644 index 00000000000..51f1d081b97 --- /dev/null +++ b/nixos/modules/services/networking/nghttpx/nghttpx-options.nix @@ -0,0 +1,142 @@ +{ lib, ... }: +{ options.services.nghttpx = { + enable = lib.mkEnableOption "nghttpx"; + + frontends = lib.mkOption { + type = lib.types.listOf (lib.types.submodule (import ./frontend-submodule.nix)); + description = '' + A list of frontend listener specifications. + ''; + example = [ + { server = { + host = "*"; + port = 80; + }; + + params = { + tls = "no-tls"; + }; + } + ]; + }; + + backends = lib.mkOption { + type = lib.types.listOf (lib.types.submodule (import ./backend-submodule.nix)); + description = '' + A list of backend specifications. + ''; + example = [ + { server = { + host = "172.16.0.22"; + port = 8443; + }; + patterns = [ "/" ]; + params = { + proto = "http/1.1"; + redirect-if-not-tls = true; + }; + } + ]; + }; + + tls = lib.mkOption { + type = lib.types.nullOr (lib.types.submodule (import ./tls-submodule.nix)); + default = null; + description = '' + TLS certificate and key paths. Note that this does not enable + TLS for a frontend listener, to do so, a frontend + specification must set <literal>params.tls</literal> to true. + ''; + example = { + key = "/etc/ssl/keys/server.key"; + crt = "/etc/ssl/certs/server.crt"; + }; + }; + + extraConfig = lib.mkOption { + type = lib.types.lines; + default = ""; + description = '' + Extra configuration options to be appended to the generated + configuration file. + ''; + }; + + single-process = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Run this program in a single process mode for debugging + purpose. Without this option, nghttpx creates at least 2 + processes: master and worker processes. If this option is + used, master and worker are unified into a single + process. nghttpx still spawns additional process if neverbleed + is used. In the single process mode, the signal handling + feature is disabled. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx--single-process + ''; + }; + + backlog = lib.mkOption { + type = lib.types.int; + default = 65536; + description = '' + Listen backlog size. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx--backlog + ''; + }; + + backend-address-family = lib.mkOption { + type = lib.types.enum [ + "auto" + "IPv4" + "IPv6" + ]; + default = "auto"; + description = '' + Specify address family of backend connections. If "auto" is + given, both IPv4 and IPv6 are considered. If "IPv4" is given, + only IPv4 address is considered. If "IPv6" is given, only IPv6 + address is considered. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx--backend-address-family + ''; + }; + + workers = lib.mkOption { + type = lib.types.int; + default = 1; + description = '' + Set the number of worker threads. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-n + ''; + }; + + single-thread = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Run everything in one thread inside the worker process. This + feature is provided for better debugging experience, or for + the platforms which lack thread support. If threading is + disabled, this option is always enabled. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx--single-thread + ''; + }; + + rlimit-nofile = lib.mkOption { + type = lib.types.int; + default = 0; + description = '' + Set maximum number of open files (RLIMIT_NOFILE) to <N>. If 0 + is given, nghttpx does not set the limit. + + Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx--rlimit-nofile + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/nghttpx/server-options.nix b/nixos/modules/services/networking/nghttpx/server-options.nix new file mode 100644 index 00000000000..ef23bfd793c --- /dev/null +++ b/nixos/modules/services/networking/nghttpx/server-options.nix @@ -0,0 +1,18 @@ +{ lib, ... }: +{ options = { + host = lib.mkOption { + type = lib.types.str; + example = "127.0.0.1"; + description = '' + Server host address. + ''; + }; + port = lib.mkOption { + type = lib.types.int; + example = 5088; + description = '' + Server host port. + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/nghttpx/tls-submodule.nix b/nixos/modules/services/networking/nghttpx/tls-submodule.nix new file mode 100644 index 00000000000..8f3cdaae2c8 --- /dev/null +++ b/nixos/modules/services/networking/nghttpx/tls-submodule.nix @@ -0,0 +1,21 @@ +{lib, ...}: +{ options = { + key = lib.mkOption { + type = lib.types.str; + example = "/etc/ssl/keys/mykeyfile.key"; + default = "/etc/ssl/keys/server.key"; + description = '' + Path to the TLS key file. + ''; + }; + + crt = lib.mkOption { + type = lib.types.str; + example = "/etc/ssl/certs/mycert.crt"; + default = "/etc/ssl/certs/server.crt"; + description = '' + Path to the TLS certificate file. + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/ngircd.nix b/nixos/modules/services/networking/ngircd.nix new file mode 100644 index 00000000000..c0b9c98fb4b --- /dev/null +++ b/nixos/modules/services/networking/ngircd.nix @@ -0,0 +1,62 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.ngircd; + + configFile = pkgs.stdenv.mkDerivation { + name = "ngircd.conf"; + + text = cfg.config; + + preferLocalBuild = true; + + buildCommand = '' + echo -n "$text" > $out + ${cfg.package}/sbin/ngircd --config $out --configtest + ''; + }; +in { + options = { + services.ngircd = { + enable = mkEnableOption "the ngircd IRC server"; + + config = mkOption { + description = "The ngircd configuration (see ngircd.conf(5))."; + + type = types.lines; + }; + + package = mkOption { + description = "The ngircd package."; + + type = types.package; + + default = pkgs.ngircd; + defaultText = literalExpression "pkgs.ngircd"; + }; + }; + }; + + config = mkIf cfg.enable { + #!!! TODO: Use ExecReload (see https://github.com/NixOS/nixpkgs/issues/1988) + systemd.services.ngircd = { + description = "The ngircd IRC server"; + + wantedBy = [ "multi-user.target" ]; + + serviceConfig.ExecStart = "${cfg.package}/sbin/ngircd --config ${configFile} --nodaemon"; + + serviceConfig.User = "ngircd"; + }; + + users.users.ngircd = { + isSystemUser = true; + group = "ngircd"; + description = "ngircd user."; + }; + users.groups.ngircd = {}; + + }; +} diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix new file mode 100644 index 00000000000..432938d59d9 --- /dev/null +++ b/nixos/modules/services/networking/nix-serve.nix @@ -0,0 +1,91 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.nix-serve; +in +{ + options = { + services.nix-serve = { + enable = mkEnableOption "nix-serve, the standalone Nix binary cache server"; + + port = mkOption { + type = types.port; + default = 5000; + description = '' + Port number where nix-serve will listen on. + ''; + }; + + bindAddress = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + IP address where nix-serve will bind its listening socket. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = "Open ports in the firewall for nix-serve."; + }; + + secretKeyFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The path to the file used for signing derivation data. + Generate with: + + ``` + nix-store --generate-binary-cache-key key-name secret-key-file public-key-file + ``` + + For more details see <citerefentry><refentrytitle>nix-store</refentrytitle><manvolnum>1</manvolnum></citerefentry>. + ''; + }; + + extraParams = mkOption { + type = types.separatedString " "; + default = ""; + description = '' + Extra command line parameters for nix-serve. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.nix-serve = { + description = "nix-serve binary cache server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + path = [ config.nix.package.out pkgs.bzip2.bin ]; + environment.NIX_REMOTE = "daemon"; + + script = '' + ${lib.optionalString (cfg.secretKeyFile != null) '' + export NIX_SECRET_KEY_FILE="$CREDENTIALS_DIRECTORY/NIX_SECRET_KEY_FILE" + ''} + exec ${pkgs.nix-serve}/bin/nix-serve --listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams} + ''; + + serviceConfig = { + Restart = "always"; + RestartSec = "5s"; + User = "nix-serve"; + Group = "nix-serve"; + DynamicUser = true; + LoadCredential = lib.optionalString (cfg.secretKeyFile != null) + "NIX_SECRET_KEY_FILE:${cfg.secretKeyFile}"; + }; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + }; + }; +} diff --git a/nixos/modules/services/networking/nix-store-gcs-proxy.nix b/nixos/modules/services/networking/nix-store-gcs-proxy.nix new file mode 100644 index 00000000000..0012302db2e --- /dev/null +++ b/nixos/modules/services/networking/nix-store-gcs-proxy.nix @@ -0,0 +1,75 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + opts = { name, config, ... }: { + options = { + enable = mkOption { + default = true; + type = types.bool; + example = true; + description = "Whether to enable proxy for this bucket"; + }; + bucketName = mkOption { + type = types.str; + default = name; + example = "my-bucket-name"; + description = "Name of Google storage bucket"; + }; + address = mkOption { + type = types.str; + example = "localhost:3000"; + description = "The address of the proxy."; + }; + }; + }; + enabledProxies = lib.filterAttrs (n: v: v.enable) config.services.nix-store-gcs-proxy; + mapProxies = function: lib.mkMerge (lib.mapAttrsToList function enabledProxies); +in +{ + options.services.nix-store-gcs-proxy = mkOption { + type = types.attrsOf (types.submodule opts); + default = {}; + description = '' + An attribute set describing an HTTP to GCS proxy that allows us to use GCS + bucket via HTTP protocol. + ''; + }; + + config.systemd.services = mapProxies (name: cfg: { + "nix-store-gcs-proxy-${name}" = { + description = "A HTTP nix store that proxies requests to Google Storage"; + wantedBy = ["multi-user.target"]; + + startLimitIntervalSec = 10; + serviceConfig = { + RestartSec = 5; + ExecStart = '' + ${pkgs.nix-store-gcs-proxy}/bin/nix-store-gcs-proxy \ + --bucket-name ${cfg.bucketName} \ + --addr ${cfg.address} + ''; + + DynamicUser = true; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateUsers = true; + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + + NoNewPrivileges = true; + LockPersonality = true; + RestrictRealtime = true; + }; + }; + }); + + meta.maintainers = [ maintainers.mrkkrp ]; +} diff --git a/nixos/modules/services/networking/nixops-dns.nix b/nixos/modules/services/networking/nixops-dns.nix new file mode 100644 index 00000000000..5e33d872ea4 --- /dev/null +++ b/nixos/modules/services/networking/nixops-dns.nix @@ -0,0 +1,78 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + pkg = pkgs.nixops-dns; + cfg = config.services.nixops-dns; +in + +{ + options = { + services.nixops-dns = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the nixops-dns resolution + of NixOps virtual machines via dnsmasq and fake domain name. + ''; + }; + + user = mkOption { + type = types.str; + description = '' + The user the nixops-dns daemon should run as. + This should be the user, which is also used for nixops and + have the .nixops directory in its home. + ''; + }; + + domain = mkOption { + type = types.str; + description = '' + Fake domain name to resolve to NixOps virtual machines. + + For example "ops" will resolve "vm.ops". + ''; + default = "ops"; + }; + + dnsmasq = mkOption { + type = types.bool; + default = true; + description = '' + Enable dnsmasq forwarding to nixops-dns. This allows to use + nixops-dns for `services.nixops-dns.domain` resolution + while forwarding the rest of the queries to original resolvers. + ''; + }; + + }; + }; + + config = mkIf cfg.enable { + systemd.services.nixops-dns = { + description = "nixops-dns: DNS server for resolving NixOps machines"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "simple"; + User = cfg.user; + ExecStart="${pkg}/bin/nixops-dns --domain=.${cfg.domain}"; + }; + }; + + services.dnsmasq = mkIf cfg.dnsmasq { + enable = true; + resolveLocalQueries = true; + servers = [ + "/${cfg.domain}/127.0.0.1#5300" + ]; + extraConfig = '' + bind-interfaces + listen-address=127.0.0.1 + ''; + }; + + }; +} diff --git a/nixos/modules/services/networking/nntp-proxy.nix b/nixos/modules/services/networking/nntp-proxy.nix new file mode 100644 index 00000000000..a5973cd5933 --- /dev/null +++ b/nixos/modules/services/networking/nntp-proxy.nix @@ -0,0 +1,234 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + inherit (pkgs) nntp-proxy; + + cfg = config.services.nntp-proxy; + + configBool = b: if b then "TRUE" else "FALSE"; + + confFile = pkgs.writeText "nntp-proxy.conf" '' + nntp_server: + { + # NNTP Server host and port address + server = "${cfg.upstreamServer}"; + port = ${toString cfg.upstreamPort}; + # NNTP username + username = "${cfg.upstreamUser}"; + # NNTP password in clear text + password = "${cfg.upstreamPassword}"; + # Maximum number of connections allowed by the NNTP + max_connections = ${toString cfg.upstreamMaxConnections}; + }; + + proxy: + { + # Local address and port to bind to + bind_ip = "${cfg.listenAddress}"; + bind_port = ${toString cfg.port}; + + # SSL key and cert file + ssl_key = "${cfg.sslKey}"; + ssl_cert = "${cfg.sslCert}"; + + # prohibit users from posting + prohibit_posting = ${configBool cfg.prohibitPosting}; + # Verbose levels: ERROR, WARNING, NOTICE, INFO, DEBUG + verbose = "${toUpper cfg.verbosity}"; + # Password is made with: 'mkpasswd -m sha-512 <password>' + users = (${concatStringsSep ",\n" (mapAttrsToList (username: userConfig: + '' + { + username = "${username}"; + password = "${userConfig.passwordHash}"; + max_connections = ${toString userConfig.maxConnections}; + } + '') cfg.users)}); + }; + ''; + +in + +{ + + ###### interface + + options = { + + services.nntp-proxy = { + enable = mkEnableOption "NNTP-Proxy"; + + upstreamServer = mkOption { + type = types.str; + default = ""; + example = "ssl-eu.astraweb.com"; + description = '' + Upstream server address + ''; + }; + + upstreamPort = mkOption { + type = types.int; + default = 563; + description = '' + Upstream server port + ''; + }; + + upstreamMaxConnections = mkOption { + type = types.int; + default = 20; + description = '' + Upstream server maximum allowed concurrent connections + ''; + }; + + upstreamUser = mkOption { + type = types.str; + default = ""; + description = '' + Upstream server username + ''; + }; + + upstreamPassword = mkOption { + type = types.str; + default = ""; + description = '' + Upstream server password + ''; + }; + + listenAddress = mkOption { + type = types.str; + default = "127.0.0.1"; + example = "[::]"; + description = '' + Proxy listen address (IPv6 literal addresses need to be enclosed in "[" and "]" characters) + ''; + }; + + port = mkOption { + type = types.int; + default = 5555; + description = '' + Proxy listen port + ''; + }; + + sslKey = mkOption { + type = types.str; + default = "key.pem"; + example = "/path/to/your/key.file"; + description = '' + Proxy ssl key path + ''; + }; + + sslCert = mkOption { + type = types.str; + default = "cert.pem"; + example = "/path/to/your/cert.file"; + description = '' + Proxy ssl certificate path + ''; + }; + + prohibitPosting = mkOption { + type = types.bool; + default = true; + description = '' + Whether to prohibit posting to the upstream server + ''; + }; + + verbosity = mkOption { + type = types.enum [ "error" "warning" "notice" "info" "debug" ]; + default = "info"; + example = "error"; + description = '' + Verbosity level + ''; + }; + + users = mkOption { + type = types.attrsOf (types.submodule { + options = { + username = mkOption { + type = types.str; + description = '' + Username + ''; + }; + + passwordHash = mkOption { + type = types.str; + example = "$6$GtzE7FrpE$wwuVgFYU.TZH4Rz.Snjxk9XGua89IeVwPQ/fEUD8eujr40q5Y021yhn0aNcsQ2Ifw.BLclyzvzgegopgKcneL0"; + description = '' + SHA-512 password hash (can be generated by + <code>mkpasswd -m sha-512 <password></code>) + ''; + }; + + maxConnections = mkOption { + type = types.int; + default = 1; + description = '' + Maximum number of concurrent connections to the proxy for this user + ''; + }; + }; + }); + description = '' + NNTP-Proxy user configuration + ''; + + default = {}; + example = literalExpression '' + { + "user1" = { + passwordHash = "$6$1l0t5Kn2Dk$appzivc./9l/kjq57eg5UCsBKlcfyCr0zNWYNerKoPsI1d7eAwiT0SVsOVx/CTgaBNT/u4fi2vN.iGlPfv1ek0"; + maxConnections = 5; + }; + "anotheruser" = { + passwordHash = "$6$6lwEsWB.TmsS$W7m1riUx4QrA8pKJz8hvff0dnF1NwtZXgdjmGqA1Dx2MDPj07tI9GNcb0SWlMglE.2/hBgynDdAd/XqqtRqVQ0"; + maxConnections = 7; + }; + } + ''; + }; + }; + + }; + + ###### implementation + + config = mkIf cfg.enable { + + users.users.nntp-proxy = { + isSystemUser = true; + group = "nntp-proxy"; + description = "NNTP-Proxy daemon user"; + }; + users.groups.nntp-proxy = {}; + + systemd.services.nntp-proxy = { + description = "NNTP proxy"; + after = [ "network.target" "nss-lookup.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { User="nntp-proxy"; }; + serviceConfig.ExecStart = "${nntp-proxy}/bin/nntp-proxy ${confFile}"; + preStart = '' + if [ ! \( -f ${cfg.sslCert} -a -f ${cfg.sslKey} \) ]; then + ${pkgs.openssl.bin}/bin/openssl req -subj '/CN=AutoGeneratedCert/O=NixOS Service/C=US' \ + -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout ${cfg.sslKey} -out ${cfg.sslCert}; + fi + ''; + }; + + }; + +} diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix new file mode 100644 index 00000000000..43333af5e2f --- /dev/null +++ b/nixos/modules/services/networking/nomad.nix @@ -0,0 +1,178 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.nomad; + format = pkgs.formats.json { }; +in +{ + ##### interface + options = { + services.nomad = { + enable = mkEnableOption "Nomad, a distributed, highly available, datacenter-aware scheduler"; + + package = mkOption { + type = types.package; + default = pkgs.nomad; + defaultText = literalExpression "pkgs.nomad"; + description = '' + The package used for the Nomad agent and CLI. + ''; + }; + + extraPackages = mkOption { + type = types.listOf types.package; + default = [ ]; + description = '' + Extra packages to add to <envar>PATH</envar> for the Nomad agent process. + ''; + example = literalExpression '' + with pkgs; [ cni-plugins ] + ''; + }; + + dropPrivileges = mkOption { + type = types.bool; + default = true; + description = '' + Whether the nomad agent should be run as a non-root nomad user. + ''; + }; + + enableDocker = mkOption { + type = types.bool; + default = true; + description = '' + Enable Docker support. Needed for Nomad's docker driver. + + Note that the docker group membership is effectively equivalent + to being root, see https://github.com/moby/moby/issues/9976. + ''; + }; + + extraSettingsPaths = mkOption { + type = types.listOf types.path; + default = [ ]; + description = '' + Additional settings paths used to configure nomad. These can be files or directories. + ''; + example = literalExpression '' + [ "/etc/nomad-mutable.json" "/run/keys/nomad-with-secrets.json" "/etc/nomad/config.d" ] + ''; + }; + + extraSettingsPlugins = mkOption { + type = types.listOf (types.either types.package types.path); + default = [ ]; + description = '' + Additional plugins dir used to configure nomad. + ''; + example = literalExpression '' + [ "<pluginDir>" "pkgs.<plugins-name>"] + ''; + }; + + + settings = mkOption { + type = format.type; + default = { }; + description = '' + Configuration for Nomad. See the <link xlink:href="https://www.nomadproject.io/docs/configuration">documentation</link> + for supported values. + + Notes about <literal>data_dir</literal>: + + If <literal>data_dir</literal> is set to a value other than the + default value of <literal>"/var/lib/nomad"</literal> it is the Nomad + cluster manager's responsibility to make sure that this directory + exists and has the appropriate permissions. + + Additionally, if <literal>dropPrivileges</literal> is + <literal>true</literal> then <literal>data_dir</literal> + <emphasis>cannot</emphasis> be customized. Setting + <literal>dropPrivileges</literal> to <literal>true</literal> enables + the <literal>DynamicUser</literal> feature of systemd which directly + manages and operates on <literal>StateDirectory</literal>. + ''; + example = literalExpression '' + { + # A minimal config example: + server = { + enabled = true; + bootstrap_expect = 1; # for demo; no fault tolerance + }; + client = { + enabled = true; + }; + } + ''; + }; + }; + }; + + ##### implementation + config = mkIf cfg.enable { + services.nomad.settings = { + # Agrees with `StateDirectory = "nomad"` set below. + data_dir = mkDefault "/var/lib/nomad"; + }; + + environment = { + etc."nomad.json".source = format.generate "nomad.json" cfg.settings; + systemPackages = [ cfg.package ]; + }; + + systemd.services.nomad = { + description = "Nomad"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + restartTriggers = [ config.environment.etc."nomad.json".source ]; + + path = cfg.extraPackages ++ (with pkgs; [ + # Client mode requires at least the following: + coreutils + iproute2 + iptables + ]); + + serviceConfig = mkMerge [ + { + DynamicUser = cfg.dropPrivileges; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + ExecStart = "${cfg.package}/bin/nomad agent -config=/etc/nomad.json" + + concatMapStrings (path: " -config=${path}") cfg.extraSettingsPaths + + concatMapStrings (path: " -plugin-dir=${path}/bin") cfg.extraSettingsPlugins; + KillMode = "process"; + KillSignal = "SIGINT"; + LimitNOFILE = 65536; + LimitNPROC = "infinity"; + OOMScoreAdjust = -1000; + Restart = "on-failure"; + RestartSec = 2; + TasksMax = "infinity"; + } + (mkIf cfg.enableDocker { + SupplementaryGroups = "docker"; # space-separated string + }) + (mkIf (cfg.settings.data_dir == "/var/lib/nomad") { + StateDirectory = "nomad"; + }) + ]; + + unitConfig = { + StartLimitIntervalSec = 10; + StartLimitBurst = 3; + }; + }; + + assertions = [ + { + assertion = cfg.dropPrivileges -> cfg.settings.data_dir == "/var/lib/nomad"; + message = "settings.data_dir must be equal to \"/var/lib/nomad\" if dropPrivileges is true"; + } + ]; + + # Docker support requires the Docker daemon to be running. + virtualisation.docker.enable = mkIf cfg.enableDocker true; + }; +} diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix new file mode 100644 index 00000000000..a51fc534534 --- /dev/null +++ b/nixos/modules/services/networking/nsd.nix @@ -0,0 +1,992 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.nsd; + + username = "nsd"; + stateDir = "/var/lib/nsd"; + pidFile = stateDir + "/var/nsd.pid"; + + # build nsd with the options needed for the given config + nsdPkg = pkgs.nsd.override { + bind8Stats = cfg.bind8Stats; + ipv6 = cfg.ipv6; + ratelimit = cfg.ratelimit.enable; + rootServer = cfg.rootServer; + zoneStats = length (collect (x: (x.zoneStats or null) != null) cfg.zones) > 0; + }; + + mkZoneFileName = name: if name == "." then "root" else name; + + # replaces include: directives for keys with fake keys for nsd-checkconf + injectFakeKeys = keys: concatStrings + (mapAttrsToList + (keyName: keyOptions: '' + fakeKey="$(${pkgs.bind}/bin/tsig-keygen -a ${escapeShellArgs [ keyOptions.algorithm keyName ]} | grep -oP "\s*secret \"\K.*(?=\";)")" + sed "s@^\s*include:\s*\"${stateDir}/private/${keyName}\"\$@secret: $fakeKey@" -i $out/nsd.conf + '') + keys); + + nsdEnv = pkgs.buildEnv { + name = "nsd-env"; + + paths = [ configFile ] + ++ mapAttrsToList (name: zone: writeZoneData name zone.data) zoneConfigs; + + postBuild = '' + echo "checking zone files" + cd $out/zones + + for zoneFile in *; do + echo "|- checking zone '$out/zones/$zoneFile'" + ${nsdPkg}/sbin/nsd-checkzone "$zoneFile" "$zoneFile" || { + if grep -q \\\\\\$ "$zoneFile"; then + echo zone "$zoneFile" contains escaped dollar signs \\\$ + echo Escaping them is not needed any more. Please make sure \ + to unescape them where they prefix a variable name. + fi + + exit 1 + } + done + + echo "checking configuration file" + # Save original config file including key references... + cp $out/nsd.conf{,.orig} + # ...inject mock keys into config + ${injectFakeKeys cfg.keys} + # ...do the checkconf + ${nsdPkg}/sbin/nsd-checkconf $out/nsd.conf + # ... and restore original config file. + mv $out/nsd.conf{.orig,} + ''; + }; + + writeZoneData = name: text: pkgs.writeTextFile { + name = "nsd-zone-${mkZoneFileName name}"; + inherit text; + destination = "/zones/${mkZoneFileName name}"; + }; + + + # options are ordered alphanumerically by the nixos option name + configFile = pkgs.writeTextDir "nsd.conf" '' + server: + chroot: "${stateDir}" + username: ${username} + + # The directory for zonefile: files. The daemon chdirs here. + zonesdir: "${stateDir}" + + # the list of dynamically added zones. + database: "${stateDir}/var/nsd.db" + pidfile: "${pidFile}" + xfrdfile: "${stateDir}/var/xfrd.state" + xfrdir: "${stateDir}/tmp" + zonelistfile: "${stateDir}/var/zone.list" + + # interfaces + ${forEach " ip-address: " cfg.interfaces} + + ip-freebind: ${yesOrNo cfg.ipFreebind} + hide-version: ${yesOrNo cfg.hideVersion} + identity: "${cfg.identity}" + ip-transparent: ${yesOrNo cfg.ipTransparent} + do-ip4: ${yesOrNo cfg.ipv4} + ipv4-edns-size: ${toString cfg.ipv4EDNSSize} + do-ip6: ${yesOrNo cfg.ipv6} + ipv6-edns-size: ${toString cfg.ipv6EDNSSize} + log-time-ascii: ${yesOrNo cfg.logTimeAscii} + ${maybeString "nsid: " cfg.nsid} + port: ${toString cfg.port} + reuseport: ${yesOrNo cfg.reuseport} + round-robin: ${yesOrNo cfg.roundRobin} + server-count: ${toString cfg.serverCount} + ${maybeToString "statistics: " cfg.statistics} + tcp-count: ${toString cfg.tcpCount} + tcp-query-count: ${toString cfg.tcpQueryCount} + tcp-timeout: ${toString cfg.tcpTimeout} + verbosity: ${toString cfg.verbosity} + ${maybeString "version: " cfg.version} + xfrd-reload-timeout: ${toString cfg.xfrdReloadTimeout} + zonefiles-check: ${yesOrNo cfg.zonefilesCheck} + + ${maybeString "rrl-ipv4-prefix-length: " cfg.ratelimit.ipv4PrefixLength} + ${maybeString "rrl-ipv6-prefix-length: " cfg.ratelimit.ipv6PrefixLength} + rrl-ratelimit: ${toString cfg.ratelimit.ratelimit} + ${maybeString "rrl-slip: " cfg.ratelimit.slip} + rrl-size: ${toString cfg.ratelimit.size} + rrl-whitelist-ratelimit: ${toString cfg.ratelimit.whitelistRatelimit} + + ${keyConfigFile} + + remote-control: + control-enable: ${yesOrNo cfg.remoteControl.enable} + control-key-file: "${cfg.remoteControl.controlKeyFile}" + control-cert-file: "${cfg.remoteControl.controlCertFile}" + ${forEach " control-interface: " cfg.remoteControl.interfaces} + control-port: ${toString cfg.remoteControl.port} + server-key-file: "${cfg.remoteControl.serverKeyFile}" + server-cert-file: "${cfg.remoteControl.serverCertFile}" + + ${concatStrings (mapAttrsToList zoneConfigFile zoneConfigs)} + + ${cfg.extraConfig} + ''; + + yesOrNo = b: if b then "yes" else "no"; + maybeString = prefix: x: if x == null then "" else ''${prefix} "${x}"''; + maybeToString = prefix: x: if x == null then "" else ''${prefix} ${toString x}''; + forEach = pre: l: concatMapStrings (x: pre + x + "\n") l; + + + keyConfigFile = concatStrings (mapAttrsToList (keyName: keyOptions: '' + key: + name: "${keyName}" + algorithm: "${keyOptions.algorithm}" + include: "${stateDir}/private/${keyName}" + '') cfg.keys); + + copyKeys = concatStrings (mapAttrsToList (keyName: keyOptions: '' + secret=$(cat "${keyOptions.keyFile}") + dest="${stateDir}/private/${keyName}" + echo " secret: \"$secret\"" > "$dest" + chown ${username}:${username} "$dest" + chmod 0400 "$dest" + '') cfg.keys); + + + # options are ordered alphanumerically by the nixos option name + zoneConfigFile = name: zone: '' + zone: + name: "${name}" + zonefile: "${stateDir}/zones/${mkZoneFileName name}" + ${maybeString "outgoing-interface: " zone.outgoingInterface} + ${forEach " rrl-whitelist: " zone.rrlWhitelist} + ${maybeString "zonestats: " zone.zoneStats} + + ${maybeToString "max-refresh-time: " zone.maxRefreshSecs} + ${maybeToString "min-refresh-time: " zone.minRefreshSecs} + ${maybeToString "max-retry-time: " zone.maxRetrySecs} + ${maybeToString "min-retry-time: " zone.minRetrySecs} + + allow-axfr-fallback: ${yesOrNo zone.allowAXFRFallback} + ${forEach " allow-notify: " zone.allowNotify} + ${forEach " request-xfr: " zone.requestXFR} + + ${forEach " notify: " zone.notify} + notify-retry: ${toString zone.notifyRetry} + ${forEach " provide-xfr: " zone.provideXFR} + ''; + + zoneConfigs = zoneConfigs' {} "" { children = cfg.zones; }; + + zoneConfigs' = parent: name: zone: + if !(zone ? children) || zone.children == null || zone.children == { } + # leaf -> actual zone + then listToAttrs [ (nameValuePair name (parent // zone)) ] + + # fork -> pattern + else zipAttrsWith (name: head) ( + mapAttrsToList (name: child: zoneConfigs' (parent // zone // { children = {}; }) name child) + zone.children + ); + + # options are ordered alphanumerically + zoneOptions = types.submodule { + options = { + + allowAXFRFallback = mkOption { + type = types.bool; + default = true; + description = '' + If NSD as secondary server should be allowed to AXFR if the primary + server does not allow IXFR. + ''; + }; + + allowNotify = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "192.0.2.0/24 NOKEY" "10.0.0.1-10.0.0.5 my_tsig_key_name" + "10.0.3.4&255.255.0.0 BLOCKED" + ]; + description = '' + Listed primary servers are allowed to notify this secondary server. + <screen><![CDATA[ + Format: <ip> <key-name | NOKEY | BLOCKED> + + <ip> either a plain IPv4/IPv6 address or range. Valid patters for ranges: + * 10.0.0.0/24 # via subnet size + * 10.0.0.0&255.255.255.0 # via subnet mask + * 10.0.0.1-10.0.0.254 # via range + + A optional port number could be added with a '@': + * 2001:1234::1@1234 + + <key-name | NOKEY | BLOCKED> + * <key-name> will use the specified TSIG key + * NOKEY no TSIG signature is required + * BLOCKED notifies from non-listed or blocked IPs will be ignored + * ]]></screen> + ''; + }; + + children = mkOption { + # TODO: This relies on the fact that `types.anything` doesn't set any + # values of its own to any defaults, because in the above zoneConfigs', + # values from children override ones from parents, but only if the + # attributes are defined. Because of this, we can't replace the element + # type here with `zoneConfigs`, since that would set all the attributes + # to default values, breaking the parent inheriting function. + type = types.attrsOf types.anything; + default = {}; + description = '' + Children zones inherit all options of their parents. Attributes + defined in a child will overwrite the ones of its parent. Only + leaf zones will be actually served. This way it's possible to + define maybe zones which share most attributes without + duplicating everything. This mechanism replaces nsd's patterns + in a save and functional way. + ''; + }; + + data = mkOption { + type = types.lines; + default = ""; + description = '' + The actual zone data. This is the content of your zone file. + Use imports or pkgs.lib.readFile if you don't want this data in your config file. + ''; + }; + + dnssec = mkEnableOption "DNSSEC"; + + dnssecPolicy = { + algorithm = mkOption { + type = types.str; + default = "RSASHA256"; + description = "Which algorithm to use for DNSSEC"; + }; + keyttl = mkOption { + type = types.str; + default = "1h"; + description = "TTL for dnssec records"; + }; + coverage = mkOption { + type = types.str; + default = "1y"; + description = '' + The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time. + ''; + }; + zsk = mkOption { + type = keyPolicy; + default = { keySize = 2048; + prePublish = "1w"; + postPublish = "1w"; + rollPeriod = "1mo"; + }; + description = "Key policy for zone signing keys"; + }; + ksk = mkOption { + type = keyPolicy; + default = { keySize = 4096; + prePublish = "1mo"; + postPublish = "1mo"; + rollPeriod = "0"; + }; + description = "Key policy for key signing keys"; + }; + }; + + maxRefreshSecs = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Limit refresh time for secondary zones. This is the timer which + checks to see if the zone has to be refetched when it expires. + Normally the value from the SOA record is used, but this option + restricts that value. + ''; + }; + + minRefreshSecs = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Limit refresh time for secondary zones. + ''; + }; + + maxRetrySecs = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Limit retry time for secondary zones. This is the timeout after + a failed fetch attempt for the zone. Normally the value from + the SOA record is used, but this option restricts that value. + ''; + }; + + minRetrySecs = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Limit retry time for secondary zones. + ''; + }; + + + notify = mkOption { + type = types.listOf types.str; + default = []; + example = [ "10.0.0.1@3721 my_key" "::5 NOKEY" ]; + description = '' + This primary server will notify all given secondary servers about + zone changes. + <screen><![CDATA[ + Format: <ip> <key-name | NOKEY> + + <ip> a plain IPv4/IPv6 address with on optional port number (ip@port) + + <key-name | NOKEY> + * <key-name> sign notifies with the specified key + * NOKEY don't sign notifies + ]]></screen> + ''; + }; + + notifyRetry = mkOption { + type = types.int; + default = 5; + description = '' + Specifies the number of retries for failed notifies. Set this along with notify. + ''; + }; + + outgoingInterface = mkOption { + type = types.nullOr types.str; + default = null; + example = "2000::1@1234"; + description = '' + This address will be used for zone-transfere requests if configured + as a secondary server or notifications in case of a primary server. + Supply either a plain IPv4 or IPv6 address with an optional port + number (ip@port). + ''; + }; + + provideXFR = mkOption { + type = types.listOf types.str; + default = []; + example = [ "192.0.2.0/24 NOKEY" "192.0.2.0/24 my_tsig_key_name" ]; + description = '' + Allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED + address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40 + ''; + }; + + requestXFR = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Format: <code>[AXFR|UDP] <ip-address> <key-name | NOKEY></code> + ''; + }; + + rrlWhitelist = mkOption { + type = with types; listOf (enum [ "nxdomain" "error" "referral" "any" "rrsig" "wildcard" "nodata" "dnskey" "positive" "all" ]); + default = []; + description = '' + Whitelists the given rrl-types. + ''; + }; + + zoneStats = mkOption { + type = types.nullOr types.str; + default = null; + example = "%s"; + description = '' + When set to something distinct to null NSD is able to collect + statistics per zone. All statistics of this zone(s) will be added + to the group specified by this given name. Use "%s" to use the zones + name as the group. The groups are output from nsd-control stats + and stats_noreset. + ''; + }; + }; + }; + + keyPolicy = types.submodule { + options = { + keySize = mkOption { + type = types.int; + description = "Key size in bits"; + }; + prePublish = mkOption { + type = types.str; + description = "How long in advance to publish new keys"; + }; + postPublish = mkOption { + type = types.str; + description = "How long after deactivation to keep a key in the zone"; + }; + rollPeriod = mkOption { + type = types.str; + description = "How frequently to change keys"; + }; + }; + }; + + dnssecZones = (filterAttrs (n: v: if v ? dnssec then v.dnssec else false) zoneConfigs); + + dnssec = dnssecZones != {}; + + dnssecTools = pkgs.bind.override { enablePython = true; }; + + signZones = optionalString dnssec '' + mkdir -p ${stateDir}/dnssec + chown ${username}:${username} ${stateDir}/dnssec + chmod 0600 ${stateDir}/dnssec + + ${concatStrings (mapAttrsToList signZone dnssecZones)} + ''; + signZone = name: zone: '' + ${dnssecTools}/bin/dnssec-keymgr -g ${dnssecTools}/bin/dnssec-keygen -s ${dnssecTools}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name} + ${dnssecTools}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name} + ${nsdPkg}/sbin/nsd-checkzone ${name} ${stateDir}/zones/${name}.signed && mv -v ${stateDir}/zones/${name}.signed ${stateDir}/zones/${name} + ''; + policyFile = name: policy: pkgs.writeText "${name}.policy" '' + zone ${name} { + algorithm ${policy.algorithm}; + key-size zsk ${toString policy.zsk.keySize}; + key-size ksk ${toString policy.ksk.keySize}; + keyttl ${policy.keyttl}; + pre-publish zsk ${policy.zsk.prePublish}; + pre-publish ksk ${policy.ksk.prePublish}; + post-publish zsk ${policy.zsk.postPublish}; + post-publish ksk ${policy.ksk.postPublish}; + roll-period zsk ${policy.zsk.rollPeriod}; + roll-period ksk ${policy.ksk.rollPeriod}; + coverage ${policy.coverage}; + }; + ''; +in +{ + # options are ordered alphanumerically + options.services.nsd = { + + enable = mkEnableOption "NSD authoritative DNS server"; + + bind8Stats = mkEnableOption "BIND8 like statistics"; + + dnssecInterval = mkOption { + type = types.str; + default = "1h"; + description = '' + How often to check whether dnssec key rollover is required + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra nsd config. + ''; + }; + + hideVersion = mkOption { + type = types.bool; + default = true; + description = '' + Whether NSD should answer VERSION.BIND and VERSION.SERVER CHAOS class queries. + ''; + }; + + identity = mkOption { + type = types.str; + default = "unidentified server"; + description = '' + Identify the server (CH TXT ID.SERVER entry). + ''; + }; + + interfaces = mkOption { + type = types.listOf types.str; + default = [ "127.0.0.0" "::1" ]; + description = '' + What addresses the server should listen to. + ''; + }; + + ipFreebind = mkOption { + type = types.bool; + default = false; + description = '' + Whether to bind to nonlocal addresses and interfaces that are down. + Similar to ip-transparent. + ''; + }; + + ipTransparent = mkOption { + type = types.bool; + default = false; + description = '' + Allow binding to non local addresses. + ''; + }; + + ipv4 = mkOption { + type = types.bool; + default = true; + description = '' + Whether to listen on IPv4 connections. + ''; + }; + + ipv4EDNSSize = mkOption { + type = types.int; + default = 4096; + description = '' + Preferred EDNS buffer size for IPv4. + ''; + }; + + ipv6 = mkOption { + type = types.bool; + default = true; + description = '' + Whether to listen on IPv6 connections. + ''; + }; + + ipv6EDNSSize = mkOption { + type = types.int; + default = 4096; + description = '' + Preferred EDNS buffer size for IPv6. + ''; + }; + + logTimeAscii = mkOption { + type = types.bool; + default = true; + description = '' + Log time in ascii, if false then in unix epoch seconds. + ''; + }; + + nsid = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + NSID identity (hex string, or "ascii_somestring"). + ''; + }; + + port = mkOption { + type = types.int; + default = 53; + description = '' + Port the service should bind do. + ''; + }; + + reuseport = mkOption { + type = types.bool; + default = pkgs.stdenv.isLinux; + defaultText = literalExpression "pkgs.stdenv.isLinux"; + description = '' + Whether to enable SO_REUSEPORT on all used sockets. This lets multiple + processes bind to the same port. This speeds up operation especially + if the server count is greater than one and makes fast restarts less + prone to fail + ''; + }; + + rootServer = mkOption { + type = types.bool; + default = false; + description = '' + Whether this server will be a root server (a DNS root server, you + usually don't want that). + ''; + }; + + roundRobin = mkEnableOption "round robin rotation of records"; + + serverCount = mkOption { + type = types.int; + default = 1; + description = '' + Number of NSD servers to fork. Put the number of CPUs to use here. + ''; + }; + + statistics = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Statistics are produced every number of seconds. Prints to log. + If null no statistics are logged. + ''; + }; + + tcpCount = mkOption { + type = types.int; + default = 100; + description = '' + Maximum number of concurrent TCP connections per server. + ''; + }; + + tcpQueryCount = mkOption { + type = types.int; + default = 0; + description = '' + Maximum number of queries served on a single TCP connection. + 0 means no maximum. + ''; + }; + + tcpTimeout = mkOption { + type = types.int; + default = 120; + description = '' + TCP timeout in seconds. + ''; + }; + + verbosity = mkOption { + type = types.int; + default = 0; + description = '' + Verbosity level. + ''; + }; + + version = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The version string replied for CH TXT version.server and version.bind + queries. Will use the compiled package version on null. + See hideVersion for enabling/disabling this responses. + ''; + }; + + xfrdReloadTimeout = mkOption { + type = types.int; + default = 1; + description = '' + Number of seconds between reloads triggered by xfrd. + ''; + }; + + zonefilesCheck = mkOption { + type = types.bool; + default = true; + description = '' + Whether to check mtime of all zone files on start and sighup. + ''; + }; + + + keys = mkOption { + type = types.attrsOf (types.submodule { + options = { + + algorithm = mkOption { + type = types.str; + default = "hmac-sha256"; + description = '' + Authentication algorithm for this key. + ''; + }; + + keyFile = mkOption { + type = types.path; + description = '' + Path to the file which contains the actual base64 encoded + key. The key will be copied into "${stateDir}/private" before + NSD starts. The copied file is only accessibly by the NSD + user. + ''; + }; + + }; + }); + default = {}; + example = literalExpression '' + { "tsig.example.org" = { + algorithm = "hmac-md5"; + keyFile = "/path/to/my/key"; + }; + } + ''; + description = '' + Define your TSIG keys here. + ''; + }; + + + ratelimit = { + + enable = mkEnableOption "ratelimit capabilities"; + + ipv4PrefixLength = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + IPv4 prefix length. Addresses are grouped by netblock. + ''; + }; + + ipv6PrefixLength = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + IPv6 prefix length. Addresses are grouped by netblock. + ''; + }; + + ratelimit = mkOption { + type = types.int; + default = 200; + description = '' + Max qps allowed from any query source. + 0 means unlimited. With an verbosity of 2 blocked and + unblocked subnets will be logged. + ''; + }; + + slip = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Number of packets that get discarded before replying a SLIP response. + 0 disables SLIP responses. 1 will make every response a SLIP response. + ''; + }; + + size = mkOption { + type = types.int; + default = 1000000; + description = '' + Size of the hashtable. More buckets use more memory but lower + the chance of hash hash collisions. + ''; + }; + + whitelistRatelimit = mkOption { + type = types.int; + default = 2000; + description = '' + Max qps allowed from whitelisted sources. + 0 means unlimited. Set the rrl-whitelist option for specific + queries to apply this limit instead of the default to them. + ''; + }; + + }; + + + remoteControl = { + + enable = mkEnableOption "remote control via nsd-control"; + + controlCertFile = mkOption { + type = types.path; + default = "/etc/nsd/nsd_control.pem"; + description = '' + Path to the client certificate signed with the server certificate. + This file is used by nsd-control and generated by nsd-control-setup. + ''; + }; + + controlKeyFile = mkOption { + type = types.path; + default = "/etc/nsd/nsd_control.key"; + description = '' + Path to the client private key, which is used by nsd-control + but not by the server. This file is generated by nsd-control-setup. + ''; + }; + + interfaces = mkOption { + type = types.listOf types.str; + default = [ "127.0.0.1" "::1" ]; + description = '' + Which interfaces NSD should bind to for remote control. + ''; + }; + + port = mkOption { + type = types.int; + default = 8952; + description = '' + Port number for remote control operations (uses TLS over TCP). + ''; + }; + + serverCertFile = mkOption { + type = types.path; + default = "/etc/nsd/nsd_server.pem"; + description = '' + Path to the server self signed certificate, which is used by the server + but and by nsd-control. This file is generated by nsd-control-setup. + ''; + }; + + serverKeyFile = mkOption { + type = types.path; + default = "/etc/nsd/nsd_server.key"; + description = '' + Path to the server private key, which is used by the server + but not by nsd-control. This file is generated by nsd-control-setup. + ''; + }; + + }; + + zones = mkOption { + type = types.attrsOf zoneOptions; + default = {}; + example = literalExpression '' + { "serverGroup1" = { + provideXFR = [ "10.1.2.3 NOKEY" ]; + children = { + "example.com." = { + data = ''' + $ORIGIN example.com. + $TTL 86400 + @ IN SOA a.ns.example.com. admin.example.com. ( + ... + '''; + }; + "example.org." = { + data = ''' + $ORIGIN example.org. + $TTL 86400 + @ IN SOA a.ns.example.com. admin.example.com. ( + ... + '''; + }; + }; + }; + + "example.net." = { + provideXFR = [ "10.3.2.1 NOKEY" ]; + data = ''' + ... + '''; + }; + } + ''; + description = '' + Define your zones here. Zones can cascade other zones and therefore + inherit settings from parent zones. Look at the definition of + children to learn about inheritance and child zones. + The given example will define 3 zones (example.(com|org|net).). Both + example.com. and example.org. inherit their configuration from + serverGroup1. + ''; + }; + }; + + config = mkIf cfg.enable { + + assertions = singleton { + assertion = zoneConfigs ? "." -> cfg.rootServer; + message = "You have a root zone configured. If this is really what you " + + "want, please enable 'services.nsd.rootServer'."; + }; + + environment = { + systemPackages = [ nsdPkg ]; + etc."nsd/nsd.conf".source = "${configFile}/nsd.conf"; + }; + + users.groups.${username}.gid = config.ids.gids.nsd; + + users.users.${username} = { + description = "NSD service user"; + home = stateDir; + createHome = true; + uid = config.ids.uids.nsd; + group = username; + }; + + systemd.services.nsd = { + description = "NSD authoritative only domain name service"; + + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + startLimitBurst = 4; + startLimitIntervalSec = 5 * 60; # 5 mins + serviceConfig = { + ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf"; + StandardError = "null"; + PIDFile = pidFile; + Restart = "always"; + RestartSec = "4s"; + }; + + preStart = '' + rm -Rf "${stateDir}/private/" + rm -Rf "${stateDir}/tmp/" + + mkdir -m 0700 -p "${stateDir}/private" + mkdir -m 0700 -p "${stateDir}/tmp" + mkdir -m 0700 -p "${stateDir}/var" + + cat > "${stateDir}/don't touch anything in here" << EOF + Everything in this directory except NSD's state in var and dnssec + is automatically generated and will be purged and redeployed by + the nsd.service pre-start script. + EOF + + chown ${username}:${username} -R "${stateDir}/private" + chown ${username}:${username} -R "${stateDir}/tmp" + chown ${username}:${username} -R "${stateDir}/var" + + rm -rf "${stateDir}/zones" + cp -rL "${nsdEnv}/zones" "${stateDir}/zones" + + ${copyKeys} + ''; + }; + + systemd.timers.nsd-dnssec = mkIf dnssec { + description = "Automatic DNSSEC key rollover"; + + wantedBy = [ "nsd.service" ]; + + timerConfig = { + OnActiveSec = cfg.dnssecInterval; + OnUnitActiveSec = cfg.dnssecInterval; + }; + }; + + systemd.services.nsd-dnssec = mkIf dnssec { + description = "DNSSEC key rollover"; + + wantedBy = [ "nsd.service" ]; + before = [ "nsd.service" ]; + + script = signZones; + + postStop = '' + /run/current-system/systemd/bin/systemctl kill -s SIGHUP nsd.service + ''; + }; + + }; + + meta.maintainers = with lib.maintainers; [ hrdinka ]; +} diff --git a/nixos/modules/services/networking/ntopng.nix b/nixos/modules/services/networking/ntopng.nix new file mode 100644 index 00000000000..022fc923eda --- /dev/null +++ b/nixos/modules/services/networking/ntopng.nix @@ -0,0 +1,160 @@ +{ config, lib, options, pkgs, ... }: + +with lib; + +let + + cfg = config.services.ntopng; + opt = options.services.ntopng; + + createRedis = cfg.redis.createInstance != null; + redisService = + if cfg.redis.createInstance == "" then + "redis.service" + else + "redis-${cfg.redis.createInstance}.service"; + + configFile = if cfg.configText != "" then + pkgs.writeText "ntopng.conf" '' + ${cfg.configText} + '' + else + pkgs.writeText "ntopng.conf" '' + ${concatStringsSep " " (map (e: "--interface=" + e) cfg.interfaces)} + --http-port=${toString cfg.httpPort} + --redis=${cfg.redis.address} + --data-dir=/var/lib/ntopng + --user=ntopng + ${cfg.extraConfig} + ''; + +in + +{ + + imports = [ + (mkRenamedOptionModule [ "services" "ntopng" "http-port" ] [ "services" "ntopng" "httpPort" ]) + ]; + + options = { + + services.ntopng = { + + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enable ntopng, a high-speed web-based traffic analysis and flow + collection tool. + + With the default configuration, ntopng monitors all network + interfaces and displays its findings at http://localhost:''${toString + config.${opt.http-port}}. Default username and password is admin/admin. + + See the ntopng(8) manual page and http://www.ntop.org/products/ntop/ + for more info. + + Note that enabling ntopng will also enable redis (key-value + database server) for persistent data storage. + ''; + }; + + interfaces = mkOption { + default = [ "any" ]; + example = [ "eth0" "wlan0" ]; + type = types.listOf types.str; + description = '' + List of interfaces to monitor. Use "any" to monitor all interfaces. + ''; + }; + + httpPort = mkOption { + default = 3000; + type = types.int; + description = '' + Sets the HTTP port of the embedded web server. + ''; + }; + + redis.address = mkOption { + type = types.str; + example = literalExpression "config.services.redis.ntopng.unixSocket"; + description = '' + Redis address - may be a Unix socket or a network host and port. + ''; + }; + + redis.createInstance = mkOption { + type = types.nullOr types.str; + default = if versionAtLeast config.system.stateVersion "22.05" then "ntopng" else ""; + description = '' + Local Redis instance name. Set to <literal>null</literal> to disable + local Redis instance. Defaults to <literal>""</literal> for + <literal>system.stateVersion</literal> older than 22.05. + ''; + }; + + configText = mkOption { + default = ""; + example = '' + --interface=any + --http-port=3000 + --disable-login + ''; + type = types.lines; + description = '' + Overridable configuration file contents to use for ntopng. By + default, use the contents automatically generated by NixOS. + ''; + }; + + extraConfig = mkOption { + default = ""; + type = types.lines; + description = '' + Configuration lines that will be appended to the generated ntopng + configuration file. Note that this mechanism does not work when the + manual <option>configText</option> option is used. + ''; + }; + + }; + + }; + + config = mkIf cfg.enable { + + # ntopng uses redis for data storage + services.ntopng.redis.address = + mkIf createRedis config.services.redis.servers.${cfg.redis.createInstance}.unixSocket; + + services.redis.servers = mkIf createRedis { + ${cfg.redis.createInstance} = { + enable = true; + user = mkIf (cfg.redis.createInstance == "ntopng") "ntopng"; + }; + }; + + # nice to have manual page and ntopng command in PATH + environment.systemPackages = [ pkgs.ntopng ]; + + systemd.tmpfiles.rules = [ "d /var/lib/ntopng 0700 ntopng ntopng -" ]; + + systemd.services.ntopng = { + description = "Ntopng Network Monitor"; + requires = optional createRedis redisService; + after = [ "network.target" ] ++ optional createRedis redisService; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = "${pkgs.ntopng}/bin/ntopng ${configFile}"; + unitConfig.Documentation = "man:ntopng(8)"; + }; + + users.extraUsers.ntopng = { + group = "ntopng"; + isSystemUser = true; + }; + + users.extraGroups.ntopng = { }; + }; + +} diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix new file mode 100644 index 00000000000..34728455a21 --- /dev/null +++ b/nixos/modules/services/networking/ntp/chrony.nix @@ -0,0 +1,178 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.chrony; + chronyPkg = cfg.package; + + stateDir = cfg.directory; + driftFile = "${stateDir}/chrony.drift"; + keyFile = "${stateDir}/chrony.keys"; + + configFile = pkgs.writeText "chrony.conf" '' + ${concatMapStringsSep "\n" (server: "server " + server + " " + cfg.serverOption + optionalString (cfg.enableNTS) " nts") cfg.servers} + + ${optionalString + (cfg.initstepslew.enabled && (cfg.servers != [])) + "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.servers}" + } + + driftfile ${driftFile} + keyfile ${keyFile} + ${optionalString (cfg.enableNTS) "ntsdumpdir ${stateDir}"} + + ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"} + + ${cfg.extraConfig} + ''; + + chronyFlags = "-n -m -u chrony -f ${configFile} ${toString cfg.extraFlags}"; +in +{ + options = { + services.chrony = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to synchronise your machine's time using chrony. + Make sure you disable NTP if you enable this service. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.chrony; + defaultText = literalExpression "pkgs.chrony"; + description = '' + Which chrony package to use. + ''; + }; + + servers = mkOption { + default = config.networking.timeServers; + defaultText = literalExpression "config.networking.timeServers"; + type = types.listOf types.str; + description = '' + The set of NTP servers from which to synchronise. + ''; + }; + + serverOption = mkOption { + default = "iburst"; + type = types.enum [ "iburst" "offline" ]; + description = '' + Set option for server directives. + + Use "iburst" to rapidly poll on startup. Recommended if your machine + is consistently online. + + Use "offline" to prevent polling on startup. Recommended if your + machine boots offline or is otherwise frequently offline. + ''; + }; + + enableNTS = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable Network Time Security authentication. + Make sure it is supported by your selected NTP server(s). + ''; + }; + + initstepslew = { + enabled = mkOption { + type = types.bool; + default = true; + description = '' + Allow chronyd to make a rapid measurement of the system clock error + at boot time, and to correct the system clock by stepping before + normal operation begins. + ''; + }; + + threshold = mkOption { + type = types.either types.float types.int; + default = 1000; # by default, same threshold as 'ntpd -g' (1000s) + description = '' + The threshold of system clock error (in seconds) above which the + clock will be stepped. If the correction required is less than the + threshold, a slew is used instead. + ''; + }; + }; + + directory = mkOption { + type = types.str; + default = "/var/lib/chrony"; + description = "Directory where chrony state is stored."; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra configuration directives that should be added to + <literal>chrony.conf</literal> + ''; + }; + + extraFlags = mkOption { + default = []; + example = [ "-s" ]; + type = types.listOf types.str; + description = "Extra flags passed to the chronyd command."; + }; + }; + }; + + config = mkIf cfg.enable { + meta.maintainers = with lib.maintainers; [ thoughtpolice ]; + + environment.systemPackages = [ chronyPkg ]; + + users.groups.chrony.gid = config.ids.gids.chrony; + + users.users.chrony = + { uid = config.ids.uids.chrony; + group = "chrony"; + description = "chrony daemon user"; + home = stateDir; + }; + + services.timesyncd.enable = mkForce false; + + systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "chronyd.service"; }; + + systemd.tmpfiles.rules = [ + "d ${stateDir} 0755 chrony chrony - -" + "f ${driftFile} 0640 chrony chrony -" + "f ${keyFile} 0640 chrony chrony -" + ]; + + systemd.services.chronyd = + { description = "chrony NTP daemon"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "time-sync.target" ]; + before = [ "time-sync.target" ]; + after = [ "network.target" "nss-lookup.target" ]; + conflicts = [ "ntpd.service" "systemd-timesyncd.service" ]; + + path = [ chronyPkg ]; + + unitConfig.ConditionCapability = "CAP_SYS_TIME"; + serviceConfig = + { Type = "simple"; + ExecStart = "${chronyPkg}/bin/chronyd ${chronyFlags}"; + + ProtectHome = "yes"; + ProtectSystem = "full"; + PrivateTmp = "yes"; + }; + + }; + }; +} diff --git a/nixos/modules/services/networking/ntp/ntpd.nix b/nixos/modules/services/networking/ntp/ntpd.nix new file mode 100644 index 00000000000..12be0d045a8 --- /dev/null +++ b/nixos/modules/services/networking/ntp/ntpd.nix @@ -0,0 +1,150 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + inherit (pkgs) ntp; + + cfg = config.services.ntp; + + stateDir = "/var/lib/ntp"; + + configFile = pkgs.writeText "ntp.conf" '' + driftfile ${stateDir}/ntp.drift + + restrict default ${toString cfg.restrictDefault} + restrict -6 default ${toString cfg.restrictDefault} + restrict source ${toString cfg.restrictSource} + + restrict 127.0.0.1 + restrict -6 ::1 + + ${toString (map (server: "server " + server + " iburst\n") cfg.servers)} + + ${cfg.extraConfig} + ''; + + ntpFlags = "-c ${configFile} -u ntp:ntp ${toString cfg.extraFlags}"; + +in + +{ + + ###### interface + + options = { + + services.ntp = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to synchronise your machine's time using ntpd, as a peer in + the NTP network. + </para> + <para> + Disables <literal>systemd.timesyncd</literal> if enabled. + ''; + }; + + restrictDefault = mkOption { + type = types.listOf types.str; + description = '' + The restriction flags to be set by default. + </para> + <para> + The default flags prevent external hosts from using ntpd as a DDoS + reflector, setting system time, and querying OS/ntpd version. As + recommended in section 6.5.1.1.3, answer "No" of + http://support.ntp.org/bin/view/Support/AccessRestrictions + ''; + default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ]; + }; + + restrictSource = mkOption { + type = types.listOf types.str; + description = '' + The restriction flags to be set on source. + </para> + <para> + The default flags allow peers to be added by ntpd from configured + pool(s), but not by other means. + ''; + default = [ "limited" "kod" "nomodify" "notrap" "noquery" ]; + }; + + servers = mkOption { + default = config.networking.timeServers; + defaultText = literalExpression "config.networking.timeServers"; + type = types.listOf types.str; + description = '' + The set of NTP servers from which to synchronise. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + fudge 127.127.1.0 stratum 10 + ''; + description = '' + Additional text appended to <filename>ntp.conf</filename>. + ''; + }; + + extraFlags = mkOption { + type = types.listOf types.str; + description = "Extra flags passed to the ntpd command."; + example = literalExpression ''[ "--interface=eth0" ]''; + default = []; + }; + + }; + + }; + + + ###### implementation + + config = mkIf config.services.ntp.enable { + meta.maintainers = with lib.maintainers; [ thoughtpolice ]; + + # Make tools such as ntpq available in the system path. + environment.systemPackages = [ pkgs.ntp ]; + services.timesyncd.enable = mkForce false; + + systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "ntpd.service"; }; + + users.users.ntp = + { isSystemUser = true; + group = "ntp"; + description = "NTP daemon user"; + home = stateDir; + }; + users.groups.ntp = {}; + + systemd.services.ntpd = + { description = "NTP Daemon"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "time-sync.target" ]; + before = [ "time-sync.target" ]; + + preStart = + '' + mkdir -m 0755 -p ${stateDir} + chown ntp ${stateDir} + ''; + + serviceConfig = { + ExecStart = "@${ntp}/bin/ntpd ntpd -g ${ntpFlags}"; + Type = "forking"; + }; + }; + + }; + +} diff --git a/nixos/modules/services/networking/ntp/openntpd.nix b/nixos/modules/services/networking/ntp/openntpd.nix new file mode 100644 index 00000000000..e86b71291f9 --- /dev/null +++ b/nixos/modules/services/networking/ntp/openntpd.nix @@ -0,0 +1,85 @@ +{ pkgs, lib, config, options, ... }: + +with lib; + +let + cfg = config.services.openntpd; + + package = pkgs.openntpd_nixos; + + configFile = '' + ${concatStringsSep "\n" (map (s: "server ${s}") cfg.servers)} + ${cfg.extraConfig} + ''; + + pidFile = "/run/openntpd.pid"; + +in +{ + ###### interface + + options.services.openntpd = { + enable = mkEnableOption "OpenNTP time synchronization server"; + + servers = mkOption { + default = config.services.ntp.servers; + defaultText = literalExpression "config.services.ntp.servers"; + type = types.listOf types.str; + inherit (options.services.ntp.servers) description; + }; + + extraConfig = mkOption { + type = with types; lines; + default = ""; + example = '' + listen on 127.0.0.1 + listen on ::1 + ''; + description = '' + Additional text appended to <filename>openntpd.conf</filename>. + ''; + }; + + extraOptions = mkOption { + type = with types; separatedString " "; + default = ""; + example = "-s"; + description = '' + Extra options used when launching openntpd. + ''; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + meta.maintainers = with lib.maintainers; [ thoughtpolice ]; + services.timesyncd.enable = mkForce false; + + # Add ntpctl to the environment for status checking + environment.systemPackages = [ package ]; + + environment.etc."ntpd.conf".text = configFile; + + users.users.ntp = { + isSystemUser = true; + group = "ntp"; + description = "OpenNTP daemon user"; + home = "/var/empty"; + }; + users.groups.ntp = {}; + + systemd.services.openntpd = { + description = "OpenNTP Server"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" "time-sync.target" ]; + before = [ "time-sync.target" ]; + after = [ "dnsmasq.service" "bind.service" "network-online.target" ]; + serviceConfig = { + ExecStart = "${package}/sbin/ntpd -p ${pidFile} ${cfg.extraOptions}"; + Type = "forking"; + PIDFile = pidFile; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/nullidentdmod.nix b/nixos/modules/services/networking/nullidentdmod.nix new file mode 100644 index 00000000000..b0d338a2794 --- /dev/null +++ b/nixos/modules/services/networking/nullidentdmod.nix @@ -0,0 +1,34 @@ +{ config, lib, pkgs, ... }: with lib; let + cfg = config.services.nullidentdmod; + +in { + options.services.nullidentdmod = with types; { + enable = mkEnableOption "the nullidentdmod identd daemon"; + + userid = mkOption { + type = nullOr str; + description = "User ID to return. Set to null to return a random string each time."; + default = null; + example = "alice"; + }; + }; + + config = mkIf cfg.enable { + systemd.sockets.nullidentdmod = { + description = "Socket for identd (NullidentdMod)"; + listenStreams = [ "113" ]; + socketConfig.Accept = true; + wantedBy = [ "sockets.target" ]; + }; + + systemd.services."nullidentdmod@" = { + description = "NullidentdMod service"; + serviceConfig = { + DynamicUser = true; + ExecStart = "${pkgs.nullidentdmod}/bin/nullidentdmod${optionalString (cfg.userid != null) " ${cfg.userid}"}"; + StandardInput = "socket"; + StandardOutput = "socket"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/nylon.nix b/nixos/modules/services/networking/nylon.nix new file mode 100644 index 00000000000..a20fa615af8 --- /dev/null +++ b/nixos/modules/services/networking/nylon.nix @@ -0,0 +1,166 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.nylon; + + homeDir = "/var/lib/nylon"; + + configFile = cfg: pkgs.writeText "nylon-${cfg.name}.conf" '' + [General] + No-Simultaneous-Conn=${toString cfg.nrConnections} + Log=${if cfg.logging then "1" else "0"} + Verbose=${if cfg.verbosity then "1" else "0"} + + [Server] + Binding-Interface=${cfg.acceptInterface} + Connecting-Interface=${cfg.bindInterface} + Port=${toString cfg.port} + Allow-IP=${concatStringsSep " " cfg.allowedIPRanges} + Deny-IP=${concatStringsSep " " cfg.deniedIPRanges} + ''; + + nylonOpts = { name, ... }: { + + options = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enables nylon as a running service upon activation. + ''; + }; + + name = mkOption { + type = types.str; + default = ""; + description = "The name of this nylon instance."; + }; + + nrConnections = mkOption { + type = types.int; + default = 10; + description = '' + The number of allowed simultaneous connections to the daemon, default 10. + ''; + }; + + logging = mkOption { + type = types.bool; + default = false; + description = '' + Enable logging, default is no logging. + ''; + }; + + verbosity = mkOption { + type = types.bool; + default = false; + description = '' + Enable verbose output, default is to not be verbose. + ''; + }; + + acceptInterface = mkOption { + type = types.str; + default = "lo"; + description = '' + Tell nylon which interface to listen for client requests on, default is "lo". + ''; + }; + + bindInterface = mkOption { + type = types.str; + default = "enp3s0f0"; + description = '' + Tell nylon which interface to use as an uplink, default is "enp3s0f0". + ''; + }; + + port = mkOption { + type = types.int; + default = 1080; + description = '' + What port to listen for client requests, default is 1080. + ''; + }; + + allowedIPRanges = mkOption { + type = with types; listOf str; + default = [ "192.168.0.0/16" "127.0.0.1/8" "172.16.0.1/12" "10.0.0.0/8" ]; + description = '' + Allowed client IP ranges are evaluated first, defaults to ARIN IPv4 private ranges: + [ "192.168.0.0/16" "127.0.0.0/8" "172.16.0.0/12" "10.0.0.0/8" ] + ''; + }; + + deniedIPRanges = mkOption { + type = with types; listOf str; + default = [ "0.0.0.0/0" ]; + description = '' + Denied client IP ranges, these gets evaluated after the allowed IP ranges, defaults to all IPv4 addresses: + [ "0.0.0.0/0" ] + To block all other access than the allowed. + ''; + }; + }; + config = { name = mkDefault name; }; + }; + + mkNamedNylon = cfg: { + "nylon-${cfg.name}" = { + description = "Nylon, a lightweight SOCKS proxy server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = + { + User = "nylon"; + Group = "nylon"; + WorkingDirectory = homeDir; + ExecStart = "${pkgs.nylon}/bin/nylon -f -c ${configFile cfg}"; + }; + }; + }; + + anyNylons = collect (p: p ? enable) cfg; + enabledNylons = filter (p: p.enable == true) anyNylons; + nylonUnits = map (nylon: mkNamedNylon nylon) enabledNylons; + +in + +{ + + ###### interface + + options = { + + services.nylon = mkOption { + default = {}; + description = "Collection of named nylon instances"; + type = with types; attrsOf (submodule nylonOpts); + internal = true; + }; + + }; + + ###### implementation + + config = mkIf (length(enabledNylons) > 0) { + + users.users.nylon = { + group = "nylon"; + description = "Nylon SOCKS Proxy"; + home = homeDir; + createHome = true; + uid = config.ids.uids.nylon; + }; + + users.groups.nylon.gid = config.ids.gids.nylon; + + systemd.services = foldr (a: b: a // b) {} nylonUnits; + + }; +} diff --git a/nixos/modules/services/networking/ocserv.nix b/nixos/modules/services/networking/ocserv.nix new file mode 100644 index 00000000000..dc26ffeafee --- /dev/null +++ b/nixos/modules/services/networking/ocserv.nix @@ -0,0 +1,99 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + + cfg = config.services.ocserv; + +in + +{ + options.services.ocserv = { + enable = mkEnableOption "ocserv"; + + config = mkOption { + type = types.lines; + + description = '' + Configuration content to start an OCServ server. + + For a full configuration reference,please refer to the online documentation + (https://ocserv.gitlab.io/www/manual.html), the openconnect + recipes (https://github.com/openconnect/recipes) or `man ocserv`. + ''; + + example = '' + # configuration examples from $out/doc without explanatory comments. + # for a full reference please look at the installed man pages. + auth = "plain[passwd=./sample.passwd]" + tcp-port = 443 + udp-port = 443 + run-as-user = nobody + run-as-group = nogroup + socket-file = /run/ocserv-socket + server-cert = certs/server-cert.pem + server-key = certs/server-key.pem + keepalive = 32400 + dpd = 90 + mobile-dpd = 1800 + switch-to-tcp-timeout = 25 + try-mtu-discovery = false + cert-user-oid = 0.9.2342.19200300.100.1.1 + tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" + auth-timeout = 240 + min-reauth-time = 300 + max-ban-score = 80 + ban-reset-time = 1200 + cookie-timeout = 300 + deny-roaming = false + rekey-time = 172800 + rekey-method = ssl + use-occtl = true + pid-file = /run/ocserv.pid + device = vpns + predictable-ips = true + default-domain = example.com + ipv4-network = 192.168.1.0 + ipv4-netmask = 255.255.255.0 + dns = 192.168.1.2 + ping-leases = false + route = 10.10.10.0/255.255.255.0 + route = 192.168.0.0/255.255.0.0 + no-route = 192.168.5.0/255.255.255.0 + cisco-client-compat = true + dtls-legacy = true + + [vhost:www.example.com] + auth = "certificate" + ca-cert = certs/ca.pem + server-cert = certs/server-cert-secp521r1.pem + server-key = cersts/certs/server-key-secp521r1.pem + ipv4-network = 192.168.2.0 + ipv4-netmask = 255.255.255.0 + cert-user-oid = 0.9.2342.19200300.100.1.1 + ''; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.ocserv ]; + environment.etc."ocserv/ocserv.conf".text = cfg.config; + + security.pam.services.ocserv = {}; + + systemd.services.ocserv = { + description = "OpenConnect SSL VPN server"; + documentation = [ "man:ocserv(8)" ]; + after = [ "dbus.service" "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + PrivateTmp = true; + PIDFile = "/run/ocserv.pid"; + ExecStart = "${pkgs.ocserv}/bin/ocserv --foreground --pid-file /run/ocesrv.pid --config /etc/ocserv/ocserv.conf"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/ofono.nix b/nixos/modules/services/networking/ofono.nix new file mode 100644 index 00000000000..460b06443c4 --- /dev/null +++ b/nixos/modules/services/networking/ofono.nix @@ -0,0 +1,44 @@ +# Ofono daemon. +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.ofono; + + plugin_path = + lib.concatMapStringsSep ":" + (plugin: "${plugin}/lib/ofono/plugins") + cfg.plugins + ; + +in + +{ + ###### interface + options = { + services.ofono = { + enable = mkEnableOption "Ofono"; + + plugins = mkOption { + type = types.listOf types.package; + default = []; + example = literalExpression "[ pkgs.modem-manager-gui ]"; + description = '' + The list of plugins to install. + ''; + }; + }; + }; + + ###### implementation + config = mkIf cfg.enable { + services.dbus.packages = [ pkgs.ofono ]; + + systemd.packages = [ pkgs.ofono ]; + + systemd.services.ofono.environment.OFONO_PLUGIN_PATH = mkIf (cfg.plugins != []) plugin_path; + + }; +} diff --git a/nixos/modules/services/networking/oidentd.nix b/nixos/modules/services/networking/oidentd.nix new file mode 100644 index 00000000000..feb84806ba9 --- /dev/null +++ b/nixos/modules/services/networking/oidentd.nix @@ -0,0 +1,44 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + + ###### interface + + options = { + + services.oidentd.enable = mkOption { + default = false; + type = types.bool; + description = '' + Whether to enable ‘oidentd’, an implementation of the Ident + protocol (RFC 1413). It allows remote systems to identify the + name of the user associated with a TCP connection. + ''; + }; + + }; + + + ###### implementation + + config = mkIf config.services.oidentd.enable { + systemd.services.oidentd = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "forking"; + script = "${pkgs.oidentd}/sbin/oidentd -u oidentd -g nogroup"; + }; + + users.users.oidentd = { + description = "Ident Protocol daemon user"; + group = "oidentd"; + uid = config.ids.uids.oidentd; + }; + + users.groups.oidentd.gid = config.ids.gids.oidentd; + + }; + +} diff --git a/nixos/modules/services/networking/onedrive.nix b/nixos/modules/services/networking/onedrive.nix new file mode 100644 index 00000000000..0256a6a4111 --- /dev/null +++ b/nixos/modules/services/networking/onedrive.nix @@ -0,0 +1,71 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.onedrive; + + onedriveLauncher = pkgs.writeShellScriptBin + "onedrive-launcher" + '' + # XDG_CONFIG_HOME is not recognized in the environment here. + if [ -f $HOME/.config/onedrive-launcher ] + then + # Hopefully using underscore boundary helps locate variables + for _onedrive_config_dirname_ in $(cat $HOME/.config/onedrive-launcher | grep -v '[ \t]*#' ) + do + systemctl --user start onedrive@$_onedrive_config_dirname_ + done + else + systemctl --user start onedrive@onedrive + fi + '' + ; + +in { + ### Documentation + # meta.doc = ./onedrive.xml; + + ### Interface + + options.services.onedrive = { + enable = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Enable OneDrive service"; + }; + + package = lib.mkOption { + type = lib.types.package; + default = pkgs.onedrive; + defaultText = lib.literalExpression "pkgs.onedrive"; + description = '' + OneDrive package to use. + ''; + }; + }; +### Implementation + + config = lib.mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + + systemd.user.services."onedrive@" = { + description = "Onedrive sync service"; + + serviceConfig = { + Type = "simple"; + ExecStart = '' + ${cfg.package}/bin/onedrive --monitor --confdir=%h/.config/%i + ''; + Restart="on-failure"; + RestartSec=3; + RestartPreventExitStatus=3; + }; + }; + + systemd.user.services.onedrive-launcher = { + wantedBy = [ "default.target" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${onedriveLauncher}/bin/onedrive-launcher"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/onedrive.xml b/nixos/modules/services/networking/onedrive.xml new file mode 100644 index 00000000000..5a9dcf01aee --- /dev/null +++ b/nixos/modules/services/networking/onedrive.xml @@ -0,0 +1,34 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="onedrive"> + <title>Microsoft OneDrive</title> + <para> + Microsoft Onedrive is a popular cloud file-hosting service, used by 85% of Fortune 500 companies. NixOS uses a popular OneDrive client for Linux maintained by github user abraunegg. The Linux client is excellent and allows customization of which files or paths to download, not much unlike the default Windows OneDrive client by Microsoft itself. The client allows syncing with multiple onedrive accounts at the same time, of any type- OneDrive personal, OneDrive business, Office365 and Sharepoint libraries, without any additional charge. + </para> + <para> + For more information, guides and documentation, see <link xlink:href="https://abraunegg.github.io/"/>. + </para> + <para> + To enable OneDrive support, add the following to your <filename>configuration.nix</filename>: +<programlisting> +<xref linkend="opt-services.onedrive.enable"/> = true; +</programlisting> + This installs the <literal>onedrive</literal> package and a service <literal>onedriveLauncher</literal> which will instantiate a <literal>onedrive</literal> service for all your OneDrive accounts. Follow the steps in documentation of the onedrive client to setup your accounts. To use the service with multiple accounts, create a file named <filename>onedrive-launcher</filename> in <filename>~/.config</filename> and add the filename of the config directory, relative to <filename>~/.config</filename>. For example, if you have two OneDrive accounts with configs in <filename>~/.config/onedrive_bob_work</filename> and <filename>~/.config/onedrive_bob_personal</filename>, add the following lines: +<programlisting> +onedrive_bob_work +# Not in use: +# onedrive_bob_office365 +onedrive_bob_personal +</programlisting> + No such file needs to be created if you are using only a single OneDrive account with config in the default location <filename>~/.config/onedrive</filename>, in the absence of <filename>~/.config/onedrive-launcher</filename>, only a single service is instantiated, with default config path. +</para> + + <para> + If you wish to use a custom OneDrive package, say from another channel, add the following line: +<programlisting> +<xref linkend="opt-services.onedrive.package"/> = pkgs.unstable.onedrive; +</programlisting> + </para> +</chapter> diff --git a/nixos/modules/services/networking/openfire.nix b/nixos/modules/services/networking/openfire.nix new file mode 100644 index 00000000000..fe0499d5232 --- /dev/null +++ b/nixos/modules/services/networking/openfire.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + ###### interface + + options = { + + services.openfire = { + + enable = mkEnableOption "OpenFire XMPP server"; + + usePostgreSQL = mkOption { + type = types.bool; + default = true; + description = " + Whether you use PostgreSQL service for your storage back-end. + "; + }; + + }; + + }; + + + ###### implementation + + config = mkIf config.services.openfire.enable { + + assertions = singleton + { assertion = !(config.services.openfire.usePostgreSQL -> config.services.postgresql.enable); + message = "OpenFire configured to use PostgreSQL but services.postgresql.enable is not enabled."; + }; + + systemd.services.openfire = { + description = "OpenFire XMPP server"; + wantedBy = [ "multi-user.target" ]; + after = [ "networking.target" ] ++ + optional config.services.openfire.usePostgreSQL "postgresql.service"; + path = with pkgs; [ jre openfire coreutils which gnugrep gawk gnused ]; + script = '' + export HOME=/tmp + mkdir /var/log/openfire || true + mkdir /etc/openfire || true + for i in ${pkgs.openfire}/conf.inst/*; do + if ! test -f /etc/openfire/$(basename $i); then + cp $i /etc/openfire/ + fi + done + openfire start + ''; # */ + }; + }; + +} diff --git a/nixos/modules/services/networking/openvpn.nix b/nixos/modules/services/networking/openvpn.nix new file mode 100644 index 00000000000..cf3f79fc578 --- /dev/null +++ b/nixos/modules/services/networking/openvpn.nix @@ -0,0 +1,219 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.openvpn; + + inherit (pkgs) openvpn; + + makeOpenVPNJob = cfg: name: + let + + path = makeBinPath (getAttr "openvpn-${name}" config.systemd.services).path; + + upScript = '' + #! /bin/sh + export PATH=${path} + + # For convenience in client scripts, extract the remote domain + # name and name server. + for var in ''${!foreign_option_*}; do + x=(''${!var}) + if [ "''${x[0]}" = dhcp-option ]; then + if [ "''${x[1]}" = DOMAIN ]; then domain="''${x[2]}" + elif [ "''${x[1]}" = DNS ]; then nameserver="''${x[2]}" + fi + fi + done + + ${cfg.up} + ${optionalString cfg.updateResolvConf + "${pkgs.update-resolv-conf}/libexec/openvpn/update-resolv-conf"} + ''; + + downScript = '' + #! /bin/sh + export PATH=${path} + ${optionalString cfg.updateResolvConf + "${pkgs.update-resolv-conf}/libexec/openvpn/update-resolv-conf"} + ${cfg.down} + ''; + + configFile = pkgs.writeText "openvpn-config-${name}" + '' + errors-to-stderr + ${optionalString (cfg.up != "" || cfg.down != "" || cfg.updateResolvConf) "script-security 2"} + ${cfg.config} + ${optionalString (cfg.up != "" || cfg.updateResolvConf) + "up ${pkgs.writeScript "openvpn-${name}-up" upScript}"} + ${optionalString (cfg.down != "" || cfg.updateResolvConf) + "down ${pkgs.writeScript "openvpn-${name}-down" downScript}"} + ${optionalString (cfg.authUserPass != null) + "auth-user-pass ${pkgs.writeText "openvpn-credentials-${name}" '' + ${cfg.authUserPass.username} + ${cfg.authUserPass.password} + ''}"} + ''; + + in { + description = "OpenVPN instance ‘${name}’"; + + wantedBy = optional cfg.autoStart "multi-user.target"; + after = [ "network.target" ]; + + path = [ pkgs.iptables pkgs.iproute2 pkgs.nettools ]; + + serviceConfig.ExecStart = "@${openvpn}/sbin/openvpn openvpn --suppress-timestamps --config ${configFile}"; + serviceConfig.Restart = "always"; + serviceConfig.Type = "notify"; + }; + +in + +{ + imports = [ + (mkRemovedOptionModule [ "services" "openvpn" "enable" ] "") + ]; + + ###### interface + + options = { + + services.openvpn.servers = mkOption { + default = {}; + + example = literalExpression '' + { + server = { + config = ''' + # Simplest server configuration: https://community.openvpn.net/openvpn/wiki/StaticKeyMiniHowto + # server : + dev tun + ifconfig 10.8.0.1 10.8.0.2 + secret /root/static.key + '''; + up = "ip route add ..."; + down = "ip route del ..."; + }; + + client = { + config = ''' + client + remote vpn.example.org + dev tun + proto tcp-client + port 8080 + ca /root/.vpn/ca.crt + cert /root/.vpn/alice.crt + key /root/.vpn/alice.key + '''; + up = "echo nameserver $nameserver | ''${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev"; + down = "''${pkgs.openresolv}/sbin/resolvconf -d $dev"; + }; + } + ''; + + description = '' + Each attribute of this option defines a systemd service that + runs an OpenVPN instance. These can be OpenVPN servers or + clients. The name of each systemd service is + <literal>openvpn-<replaceable>name</replaceable>.service</literal>, + where <replaceable>name</replaceable> is the corresponding + attribute name. + ''; + + type = with types; attrsOf (submodule { + + options = { + + config = mkOption { + type = types.lines; + description = '' + Configuration of this OpenVPN instance. See + <citerefentry><refentrytitle>openvpn</refentrytitle><manvolnum>8</manvolnum></citerefentry> + for details. + + To import an external config file, use the following definition: + <literal>config = "config /path/to/config.ovpn"</literal> + ''; + }; + + up = mkOption { + default = ""; + type = types.lines; + description = '' + Shell commands executed when the instance is starting. + ''; + }; + + down = mkOption { + default = ""; + type = types.lines; + description = '' + Shell commands executed when the instance is shutting down. + ''; + }; + + autoStart = mkOption { + default = true; + type = types.bool; + description = "Whether this OpenVPN instance should be started automatically."; + }; + + updateResolvConf = mkOption { + default = false; + type = types.bool; + description = '' + Use the script from the update-resolv-conf package to automatically + update resolv.conf with the DNS information provided by openvpn. The + script will be run after the "up" commands and before the "down" commands. + ''; + }; + + authUserPass = mkOption { + default = null; + description = '' + This option can be used to store the username / password credentials + with the "auth-user-pass" authentication method. + + WARNING: Using this option will put the credentials WORLD-READABLE in the Nix store! + ''; + type = types.nullOr (types.submodule { + + options = { + username = mkOption { + description = "The username to store inside the credentials file."; + type = types.str; + }; + + password = mkOption { + description = "The password to store inside the credentials file."; + type = types.str; + }; + }; + }); + }; + }; + + }); + + }; + + }; + + + ###### implementation + + config = mkIf (cfg.servers != {}) { + + systemd.services = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers); + + environment.systemPackages = [ openvpn ]; + + boot.kernelModules = [ "tun" ]; + + }; + +} diff --git a/nixos/modules/services/networking/ostinato.nix b/nixos/modules/services/networking/ostinato.nix new file mode 100644 index 00000000000..4da11984b9f --- /dev/null +++ b/nixos/modules/services/networking/ostinato.nix @@ -0,0 +1,104 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + pkg = pkgs.ostinato; + cfg = config.services.ostinato; + configFile = pkgs.writeText "drone.ini" '' + [General] + RateAccuracy=${cfg.rateAccuracy} + + [RpcServer] + Address=${cfg.rpcServer.address} + + [PortList] + Include=${concatStringsSep "," cfg.portList.include} + Exclude=${concatStringsSep "," cfg.portList.exclude} + ''; + +in +{ + + ###### interface + + options = { + + services.ostinato = { + + enable = mkEnableOption "Ostinato agent-controller (Drone)"; + + port = mkOption { + type = types.int; + default = 7878; + description = '' + Port to listen on. + ''; + }; + + rateAccuracy = mkOption { + type = types.enum [ "High" "Low" ]; + default = "High"; + description = '' + To ensure that the actual transmit rate is as close as possible to + the configured transmit rate, Drone runs a busy-wait loop. + While this provides the maximum accuracy possible, the CPU + utilization is 100% while the transmit is on. You can however, + sacrifice the accuracy to reduce the CPU load. + ''; + }; + + rpcServer = { + address = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + By default, the Drone RPC server will listen on all interfaces and + local IPv4 adresses for incoming connections from clients. Specify + a single IPv4 or IPv6 address if you want to restrict that. + To listen on any IPv6 address, use :: + ''; + }; + }; + + portList = { + include = mkOption { + type = types.listOf types.str; + default = []; + example = [ "eth*" "lo*" ]; + description = '' + For a port to pass the filter and appear on the port list managed + by drone, it be allowed by this include list. + ''; + }; + exclude = mkOption { + type = types.listOf types.str; + default = []; + example = [ "usbmon*" "eth0" ]; + description = '' + A list of ports does not appear on the port list managed by drone. + ''; + }; + }; + + }; + + }; + + ###### implementation + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkg ]; + + systemd.services.drone = { + description = "Ostinato agent-controller"; + wantedBy = [ "multi-user.target" ]; + script = '' + ${pkg}/bin/drone ${toString cfg.port} ${configFile} + ''; + }; + + }; + +} diff --git a/nixos/modules/services/networking/owamp.nix b/nixos/modules/services/networking/owamp.nix new file mode 100644 index 00000000000..baf64347b09 --- /dev/null +++ b/nixos/modules/services/networking/owamp.nix @@ -0,0 +1,45 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.owamp; +in +{ + + ###### interface + + options = { + services.owamp.enable = mkEnableOption "Enable OWAMP server"; + }; + + + ###### implementation + + config = mkIf cfg.enable { + users.users.owamp = { + group = "owamp"; + description = "Owamp daemon"; + isSystemUser = true; + }; + + users.groups.owamp = { }; + + systemd.services.owamp = { + description = "Owamp server"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart="${pkgs.owamp}/bin/owampd -R /run/owamp -d /run/owamp -v -Z "; + PrivateTmp = true; + Restart = "always"; + Type="simple"; + User = "owamp"; + Group = "owamp"; + RuntimeDirectory = "owamp"; + StateDirectory = "owamp"; + AmbientCapabilities = "cap_net_bind_service"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/pdns-recursor.nix b/nixos/modules/services/networking/pdns-recursor.nix new file mode 100644 index 00000000000..0579d314a9b --- /dev/null +++ b/nixos/modules/services/networking/pdns-recursor.nix @@ -0,0 +1,206 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.pdns-recursor; + + oneOrMore = type: with types; either type (listOf type); + valueType = with types; oneOf [ int str bool path ]; + configType = with types; attrsOf (nullOr (oneOrMore valueType)); + + toBool = val: if val then "yes" else "no"; + serialize = val: with types; + if str.check val then val + else if int.check val then toString val + else if path.check val then toString val + else if bool.check val then toBool val + else if builtins.isList val then (concatMapStringsSep "," serialize val) + else ""; + + configDir = pkgs.writeTextDir "recursor.conf" + (concatStringsSep "\n" + (flip mapAttrsToList cfg.settings + (name: val: "${name}=${serialize val}"))); + + mkDefaultAttrs = mapAttrs (n: v: mkDefault v); + +in { + options.services.pdns-recursor = { + enable = mkEnableOption "PowerDNS Recursor, a recursive DNS server"; + + dns.address = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + IP address Recursor DNS server will bind to. + ''; + }; + + dns.port = mkOption { + type = types.int; + default = 53; + description = '' + Port number Recursor DNS server will bind to. + ''; + }; + + dns.allowFrom = mkOption { + type = types.listOf types.str; + default = [ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ]; + example = [ "0.0.0.0/0" ]; + description = '' + IP address ranges of clients allowed to make DNS queries. + ''; + }; + + api.address = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + IP address Recursor REST API server will bind to. + ''; + }; + + api.port = mkOption { + type = types.int; + default = 8082; + description = '' + Port number Recursor REST API server will bind to. + ''; + }; + + api.allowFrom = mkOption { + type = types.listOf types.str; + default = [ "0.0.0.0/0" ]; + description = '' + IP address ranges of clients allowed to make API requests. + ''; + }; + + exportHosts = mkOption { + type = types.bool; + default = false; + description = '' + Whether to export names and IP addresses defined in /etc/hosts. + ''; + }; + + forwardZones = mkOption { + type = types.attrs; + default = {}; + description = '' + DNS zones to be forwarded to other authoritative servers. + ''; + }; + + forwardZonesRecurse = mkOption { + type = types.attrs; + example = { eth = "127.0.0.1:5353"; }; + default = {}; + description = '' + DNS zones to be forwarded to other recursive servers. + ''; + }; + + dnssecValidation = mkOption { + type = types.enum ["off" "process-no-validate" "process" "log-fail" "validate"]; + default = "validate"; + description = '' + Controls the level of DNSSEC processing done by the PowerDNS Recursor. + See https://doc.powerdns.com/md/recursor/dnssec/ for a detailed explanation. + ''; + }; + + serveRFC1918 = mkOption { + type = types.bool; + default = true; + description = '' + Whether to directly resolve the RFC1918 reverse-mapping domains: + <literal>10.in-addr.arpa</literal>, + <literal>168.192.in-addr.arpa</literal>, + <literal>16-31.172.in-addr.arpa</literal> + This saves load on the AS112 servers. + ''; + }; + + settings = mkOption { + type = configType; + default = { }; + example = literalExpression '' + { + loglevel = 8; + log-common-errors = true; + } + ''; + description = '' + PowerDNS Recursor settings. Use this option to configure Recursor + settings not exposed in a NixOS option or to bypass one. + See the full documentation at + <link xlink:href="https://doc.powerdns.com/recursor/settings.html"/> + for the available options. + ''; + }; + + luaConfig = mkOption { + type = types.lines; + default = ""; + description = '' + The content Lua configuration file for PowerDNS Recursor. See + <link xlink:href="https://doc.powerdns.com/recursor/lua-config/index.html"/>. + ''; + }; + }; + + config = mkIf cfg.enable { + + services.pdns-recursor.settings = mkDefaultAttrs { + local-address = cfg.dns.address; + local-port = cfg.dns.port; + allow-from = cfg.dns.allowFrom; + + webserver-address = cfg.api.address; + webserver-port = cfg.api.port; + webserver-allow-from = cfg.api.allowFrom; + + forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones; + forward-zones-recurse = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZonesRecurse; + export-etc-hosts = cfg.exportHosts; + dnssec = cfg.dnssecValidation; + serve-rfc1918 = cfg.serveRFC1918; + lua-config-file = pkgs.writeText "recursor.lua" cfg.luaConfig; + + daemon = false; + write-pid = false; + log-timestamp = false; + disable-syslog = true; + }; + + systemd.packages = [ pkgs.pdns-recursor ]; + + systemd.services.pdns-recursor = { + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = [ "" "${pkgs.pdns-recursor}/bin/pdns_recursor --config-dir=${configDir}" ]; + }; + }; + + users.users.pdns-recursor = { + isSystemUser = true; + group = "pdns-recursor"; + description = "PowerDNS Recursor daemon user"; + }; + + users.groups.pdns-recursor = {}; + + }; + + imports = [ + (mkRemovedOptionModule [ "services" "pdns-recursor" "extraConfig" ] + "To change extra Recursor settings use services.pdns-recursor.settings instead.") + ]; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + +} diff --git a/nixos/modules/services/networking/pdnsd.nix b/nixos/modules/services/networking/pdnsd.nix new file mode 100644 index 00000000000..24b5bbc5104 --- /dev/null +++ b/nixos/modules/services/networking/pdnsd.nix @@ -0,0 +1,91 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.pdnsd; + pdnsd = pkgs.pdnsd; + pdnsdUser = "pdnsd"; + pdnsdGroup = "pdnsd"; + pdnsdConf = pkgs.writeText "pdnsd.conf" + '' + global { + run_as=${pdnsdUser}; + cache_dir="${cfg.cacheDir}"; + ${cfg.globalConfig} + } + + server { + ${cfg.serverConfig} + } + ${cfg.extraConfig} + ''; +in + +{ options = + { services.pdnsd = + { enable = mkEnableOption "pdnsd"; + + cacheDir = mkOption { + type = types.str; + default = "/var/cache/pdnsd"; + description = "Directory holding the pdnsd cache"; + }; + + globalConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Global configuration that should be added to the global directory + of <literal>pdnsd.conf</literal>. + ''; + }; + + serverConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Server configuration that should be added to the server directory + of <literal>pdnsd.conf</literal>. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra configuration directives that should be added to + <literal>pdnsd.conf</literal>. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + users.users.${pdnsdUser} = { + uid = config.ids.uids.pdnsd; + group = pdnsdGroup; + description = "pdnsd user"; + }; + + users.groups.${pdnsdGroup} = { + gid = config.ids.gids.pdnsd; + }; + + systemd.services.pdnsd = + { wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + preStart = + '' + mkdir -p "${cfg.cacheDir}" + touch "${cfg.cacheDir}/pdnsd.cache" + chown -R ${pdnsdUser}:${pdnsdGroup} "${cfg.cacheDir}" + ''; + description = "pdnsd"; + serviceConfig = + { + ExecStart = "${pdnsd}/bin/pdnsd -c ${pdnsdConf}"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/pixiecore.nix b/nixos/modules/services/networking/pixiecore.nix new file mode 100644 index 00000000000..d2642c82c2d --- /dev/null +++ b/nixos/modules/services/networking/pixiecore.nix @@ -0,0 +1,135 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.pixiecore; +in +{ + meta.maintainers = with maintainers; [ bbigras danderson ]; + + options = { + services.pixiecore = { + enable = mkEnableOption "Pixiecore"; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open ports (67, 69 UDP and 4011, 'port', 'statusPort' TCP) in the firewall for Pixiecore. + ''; + }; + + mode = mkOption { + description = "Which mode to use"; + default = "boot"; + type = types.enum [ "api" "boot" ]; + }; + + debug = mkOption { + type = types.bool; + default = false; + description = "Log more things that aren't directly related to booting a recognized client"; + }; + + dhcpNoBind = mkOption { + type = types.bool; + default = false; + description = "Handle DHCP traffic without binding to the DHCP server port"; + }; + + kernel = mkOption { + type = types.str or types.path; + default = ""; + description = "Kernel path. Ignored unless mode is set to 'boot'"; + }; + + initrd = mkOption { + type = types.str or types.path; + default = ""; + description = "Initrd path. Ignored unless mode is set to 'boot'"; + }; + + cmdLine = mkOption { + type = types.str; + default = ""; + description = "Kernel commandline arguments. Ignored unless mode is set to 'boot'"; + }; + + listen = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "IPv4 address to listen on"; + }; + + port = mkOption { + type = types.port; + default = 80; + description = "Port to listen on for HTTP"; + }; + + statusPort = mkOption { + type = types.port; + default = 80; + description = "HTTP port for status information (can be the same as --port)"; + }; + + apiServer = mkOption { + type = types.str; + example = "localhost:8080"; + description = "host:port to connect to the API. Ignored unless mode is set to 'api'"; + }; + + extraArguments = mkOption { + type = types.listOf types.str; + default = []; + description = "Additional command line arguments to pass to Pixiecore"; + }; + }; + }; + + config = mkIf cfg.enable { + users.groups.pixiecore = {}; + users.users.pixiecore = { + description = "Pixiecore daemon user"; + group = "pixiecore"; + isSystemUser = true; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ 4011 cfg.port cfg.statusPort ]; + allowedUDPPorts = [ 67 69 ]; + }; + + systemd.services.pixiecore = { + description = "Pixiecore server"; + after = [ "network.target"]; + wants = [ "network.target"]; + wantedBy = [ "multi-user.target"]; + serviceConfig = { + User = "pixiecore"; + Restart = "always"; + AmbientCapabilities = [ "cap_net_bind_service" ] ++ optional cfg.dhcpNoBind "cap_net_raw"; + ExecStart = + let + argString = + if cfg.mode == "boot" + then [ "boot" cfg.kernel ] + ++ optional (cfg.initrd != "") cfg.initrd + ++ optionals (cfg.cmdLine != "") [ "--cmdline" cfg.cmdLine ] + else [ "api" cfg.apiServer ]; + in + '' + ${pkgs.pixiecore}/bin/pixiecore \ + ${lib.escapeShellArgs argString} \ + ${optionalString cfg.debug "--debug"} \ + ${optionalString cfg.dhcpNoBind "--dhcp-no-bind"} \ + --listen-addr ${lib.escapeShellArg cfg.listen} \ + --port ${toString cfg.port} \ + --status-port ${toString cfg.statusPort} \ + ${escapeShellArgs cfg.extraArguments} + ''; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/pleroma.nix b/nixos/modules/services/networking/pleroma.nix new file mode 100644 index 00000000000..c6d4c14dcb7 --- /dev/null +++ b/nixos/modules/services/networking/pleroma.nix @@ -0,0 +1,149 @@ +{ config, options, lib, pkgs, stdenv, ... }: +let + cfg = config.services.pleroma; + cookieFile = "/var/lib/pleroma/.cookie"; +in { + options = { + services.pleroma = with lib; { + enable = mkEnableOption "pleroma"; + + package = mkOption { + type = types.package; + default = pkgs.pleroma.override { inherit cookieFile; }; + defaultText = literalExpression "pkgs.pleroma"; + description = "Pleroma package to use."; + }; + + user = mkOption { + type = types.str; + default = "pleroma"; + description = "User account under which pleroma runs."; + }; + + group = mkOption { + type = types.str; + default = "pleroma"; + description = "Group account under which pleroma runs."; + }; + + stateDir = mkOption { + type = types.str; + default = "/var/lib/pleroma"; + readOnly = true; + description = "Directory where the pleroma service will save the uploads and static files."; + }; + + configs = mkOption { + type = with types; listOf str; + description = '' + Pleroma public configuration. + + This list gets appended from left to + right into /etc/pleroma/config.exs. Elixir evaluates its + configuration imperatively, meaning you can override a + setting by appending a new str to this NixOS option list. + + <emphasis>DO NOT STORE ANY PLEROMA SECRET + HERE</emphasis>, use + <link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link> + instead. + + This setting is going to be stored in a file part of + the Nix store. The Nix store being world-readable, it's not + the right place to store any secret + + Have a look to Pleroma section in the NixOS manual for more + informations. + ''; + }; + + secretConfigFile = mkOption { + type = types.str; + default = "/var/lib/pleroma/secrets.exs"; + description = '' + Path to the file containing your secret pleroma configuration. + + <emphasis>DO NOT POINT THIS OPTION TO THE NIX + STORE</emphasis>, the store being world-readable, it'll + compromise all your secrets. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + users = { + users."${cfg.user}" = { + description = "Pleroma user"; + home = cfg.stateDir; + group = cfg.group; + isSystemUser = true; + }; + groups."${cfg.group}" = {}; + }; + + environment.systemPackages = [ cfg.package ]; + + environment.etc."/pleroma/config.exs".text = '' + ${lib.concatMapStrings (x: "${x}") cfg.configs} + + # The lau/tzdata library is trying to download the latest + # timezone database in the OTP priv directory by default. + # This directory being in the store, it's read-only. + # Setting that up to a more appropriate location. + config :tzdata, :data_dir, "/var/lib/pleroma/elixir_tzdata_data" + + import_config "${cfg.secretConfigFile}" + ''; + + systemd.services.pleroma = { + description = "Pleroma social network"; + after = [ "network-online.target" "postgresql.service" ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Type = "exec"; + WorkingDirectory = "~"; + StateDirectory = "pleroma pleroma/static pleroma/uploads"; + StateDirectoryMode = "700"; + + # Checking the conf file is there then running the database + # migration before each service start, just in case there are + # some pending ones. + # + # It's sub-optimal as we'll always run this, even if pleroma + # has not been updated. But the no-op process is pretty fast. + # Better be safe than sorry migration-wise. + ExecStartPre = + let preScript = pkgs.writers.writeBashBin "pleromaStartPre" '' + if [ ! -f "${cookieFile}" ] || [ ! -s "${cookieFile}" ] + then + echo "Creating cookie file" + dd if=/dev/urandom bs=1 count=16 | ${pkgs.hexdump}/bin/hexdump -e '16/1 "%02x"' > "${cookieFile}" + fi + ${cfg.package}/bin/pleroma_ctl migrate + ''; + in "${preScript}/bin/pleromaStartPre"; + + ExecStart = "${cfg.package}/bin/pleroma start"; + ExecStop = "${cfg.package}/bin/pleroma stop"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + # Systemd sandboxing directives. + # Taken from the upstream contrib systemd service at + # pleroma/installation/pleroma.service + PrivateTmp = true; + ProtectHome = true; + ProtectSystem = "full"; + PrivateDevices = false; + NoNewPrivileges = true; + CapabilityBoundingSet = "~CAP_SYS_ADMIN"; + }; + }; + + }; + meta.maintainers = with lib.maintainers; [ ninjatrappeur ]; + meta.doc = ./pleroma.xml; +} diff --git a/nixos/modules/services/networking/pleroma.xml b/nixos/modules/services/networking/pleroma.xml new file mode 100644 index 00000000000..ad0a481af28 --- /dev/null +++ b/nixos/modules/services/networking/pleroma.xml @@ -0,0 +1,188 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="module-services-pleroma"> + <title>Pleroma</title> + <para> + <link xlink:href="https://pleroma.social/">Pleroma</link> is a lightweight activity pub server.</para> + <section xml:id="module-services-pleroma-generate-config"> + <title>Generating the Pleroma config</title> + <para>The <literal>pleroma_ctl</literal> CLI utility will prompt you some questions and it will generate an initial config file. This is an example of usage +<programlisting> +<prompt>$ </prompt>mkdir tmp-pleroma +<prompt>$ </prompt>cd tmp-pleroma +<prompt>$ </prompt>nix-shell -p pleroma-otp +<prompt>$ </prompt>pleroma_ctl instance gen --output config.exs --output-psql setup.psql +</programlisting> + </para> + <para>The <literal>config.exs</literal> file can be further customized following the instructions on the <link xlink:href="https://docs-develop.pleroma.social/backend/configuration/cheatsheet/">upstream documentation</link>. Many refinements can be applied also after the service is running.</para> + </section> + <section xml:id="module-services-pleroma-initialize-db"> + <title>Initializing the database</title> + <para>First, the Postgresql service must be enabled in the NixOS configuration +<programlisting> +services.postgresql = { + enable = true; + package = pkgs.postgresql_13; +}; +</programlisting> +and activated with the usual +<programlisting> +<prompt>$ </prompt>nixos-rebuild switch +</programlisting> + </para> + <para>Then you can create and seed the database, using the <literal>setup.psql</literal> file that you generated in the previous section, by running +<programlisting> +<prompt>$ </prompt>sudo -u postgres psql -f setup.psql +</programlisting> + </para> + </section> + <section xml:id="module-services-pleroma-enable"> + <title>Enabling the Pleroma service locally</title> + <para>In this section we will enable the Pleroma service only locally, so its configurations can be improved incrementally.</para> + <para>This is an example of configuration, where <link linkend="opt-services.pleroma.configs">services.pleroma.configs</link> option contains the content of the file <literal>config.exs</literal>, generated <link linkend="module-services-pleroma-generate-config">in the first section</link>, but with the secrets (database password, endpoint secret key, salts, etc.) removed. Removing secrets is important, because otherwise they will be stored publicly in the Nix store. +<programlisting> +services.pleroma = { + enable = true; + secretConfigFile = "/var/lib/pleroma/secrets.exs"; + configs = [ + '' + import Config + + config :pleroma, Pleroma.Web.Endpoint, + url: [host: "pleroma.example.net", scheme: "https", port: 443], + http: [ip: {127, 0, 0, 1}, port: 4000] + + config :pleroma, :instance, + name: "Test", + email: "admin@example.net", + notify_email: "admin@example.net", + limit: 5000, + registrations_open: true + + config :pleroma, :media_proxy, + enabled: false, + redirect_on_failure: true + + config :pleroma, Pleroma.Repo, + adapter: Ecto.Adapters.Postgres, + username: "pleroma", + database: "pleroma", + hostname: "localhost" + + # Configure web push notifications + config :web_push_encryption, :vapid_details, + subject: "mailto:admin@example.net" + + # ... TO CONTINUE ... + '' + ]; +}; +</programlisting> + </para> + <para>Secrets must be moved into a file pointed by <link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link>, in our case <literal>/var/lib/pleroma/secrets.exs</literal>. This file can be created copying the previously generated <literal>config.exs</literal> file and then removing all the settings, except the secrets. This is an example +<programlisting> +# Pleroma instance passwords + +import Config + +config :pleroma, Pleroma.Web.Endpoint, + secret_key_base: "<the secret generated by pleroma_ctl>", + signing_salt: "<the secret generated by pleroma_ctl>" + +config :pleroma, Pleroma.Repo, + password: "<the secret generated by pleroma_ctl>" + +# Configure web push notifications +config :web_push_encryption, :vapid_details, + public_key: "<the secret generated by pleroma_ctl>", + private_key: "<the secret generated by pleroma_ctl>" + +# ... TO CONTINUE ... +</programlisting> + Note that the lines of the same configuration group are comma separated (i.e. all the lines end with a comma, except the last one), so when the lines with passwords are added or removed, commas must be adjusted accordingly.</para> + + <para>The service can be enabled with the usual +<programlisting> +<prompt>$ </prompt>nixos-rebuild switch +</programlisting> + </para> + <para>The service is accessible only from the local <literal>127.0.0.1:4000</literal> port. It can be tested using a port forwarding like this +<programlisting> +<prompt>$ </prompt>ssh -L 4000:localhost:4000 myuser@example.net +</programlisting> +and then accessing <link xlink:href="http://localhost:4000">http://localhost:4000</link> from a web browser.</para> + </section> + <section xml:id="module-services-pleroma-admin-user"> + <title>Creating the admin user</title> + <para>After Pleroma service is running, all <link xlink:href="https://docs-develop.pleroma.social/">Pleroma administration utilities</link> can be used. In particular an admin user can be created with +<programlisting> +<prompt>$ </prompt>pleroma_ctl user new <nickname> <email> --admin --moderator --password <password> +</programlisting> + </para> + </section> + <section xml:id="module-services-pleroma-nginx"> + <title>Configuring Nginx</title> + <para>In this configuration, Pleroma is listening only on the local port 4000. Nginx can be configured as a Reverse Proxy, for forwarding requests from public ports to the Pleroma service. This is an example of configuration, using +<link xlink:href="https://letsencrypt.org/">Let's Encrypt</link> for the TLS certificates +<programlisting> +security.acme = { + email = "root@example.net"; + acceptTerms = true; +}; + +services.nginx = { + enable = true; + addSSL = true; + + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + + recommendedProxySettings = false; + # NOTE: if enabled, the NixOS proxy optimizations will override the Pleroma + # specific settings, and they will enter in conflict. + + virtualHosts = { + "pleroma.example.net" = { + http2 = true; + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://127.0.0.1:4000"; + + extraConfig = '' + etag on; + gzip on; + + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; + add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; + if ($request_method = OPTIONS) { + return 204; + } + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + + client_max_body_size 16m; + # NOTE: increase if users need to upload very big files + ''; + }; + }; + }; +}; +</programlisting> + </para> + </section> +</chapter> diff --git a/nixos/modules/services/networking/polipo.nix b/nixos/modules/services/networking/polipo.nix new file mode 100644 index 00000000000..1ff9388346b --- /dev/null +++ b/nixos/modules/services/networking/polipo.nix @@ -0,0 +1,112 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.polipo; + + polipoConfig = pkgs.writeText "polipo.conf" '' + proxyAddress = ${cfg.proxyAddress} + proxyPort = ${toString cfg.proxyPort} + allowedClients = ${concatStringsSep ", " cfg.allowedClients} + ${optionalString (cfg.parentProxy != "") "parentProxy = ${cfg.parentProxy}" } + ${optionalString (cfg.socksParentProxy != "") "socksParentProxy = ${cfg.socksParentProxy}" } + ${config.services.polipo.extraConfig} + ''; + +in + +{ + + options = { + + services.polipo = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Whether to run the polipo caching web proxy."; + }; + + proxyAddress = mkOption { + type = types.str; + default = "127.0.0.1"; + description = "IP address on which Polipo will listen."; + }; + + proxyPort = mkOption { + type = types.int; + default = 8123; + description = "TCP port on which Polipo will listen."; + }; + + allowedClients = mkOption { + type = types.listOf types.str; + default = [ "127.0.0.1" "::1" ]; + example = [ "127.0.0.1" "::1" "134.157.168.0/24" "2001:660:116::/48" ]; + description = '' + List of IP addresses or network addresses that may connect to Polipo. + ''; + }; + + parentProxy = mkOption { + type = types.str; + default = ""; + example = "localhost:8124"; + description = '' + Hostname and port number of an HTTP parent proxy; + it should have the form ‘host:port’. + ''; + }; + + socksParentProxy = mkOption { + type = types.str; + default = ""; + example = "localhost:9050"; + description = '' + Hostname and port number of an SOCKS parent proxy; + it should have the form ‘host:port’. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Polio configuration. Contents will be added + verbatim to the configuration file. + ''; + }; + + }; + + }; + + config = mkIf cfg.enable { + + users.users.polipo = + { uid = config.ids.uids.polipo; + description = "Polipo caching proxy user"; + home = "/var/cache/polipo"; + createHome = true; + }; + + users.groups.polipo = + { gid = config.ids.gids.polipo; + members = [ "polipo" ]; + }; + + systemd.services.polipo = { + description = "caching web proxy"; + after = [ "network.target" "nss-lookup.target" ]; + wantedBy = [ "multi-user.target"]; + serviceConfig = { + ExecStart = "${pkgs.polipo}/bin/polipo -c ${polipoConfig}"; + User = "polipo"; + }; + }; + + }; + +} diff --git a/nixos/modules/services/networking/powerdns.nix b/nixos/modules/services/networking/powerdns.nix new file mode 100644 index 00000000000..8cae61b8354 --- /dev/null +++ b/nixos/modules/services/networking/powerdns.nix @@ -0,0 +1,47 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.powerdns; + configDir = pkgs.writeTextDir "pdns.conf" "${cfg.extraConfig}"; +in { + options = { + services.powerdns = { + enable = mkEnableOption "PowerDNS domain name server"; + + extraConfig = mkOption { + type = types.lines; + default = "launch=bind"; + description = '' + PowerDNS configuration. Refer to + <link xlink:href="https://doc.powerdns.com/authoritative/settings.html"/> + for details on supported values. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + + systemd.packages = [ pkgs.powerdns ]; + + systemd.services.pdns = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "mysql.service" "postgresql.service" "openldap.service" ]; + + serviceConfig = { + ExecStart = [ "" "${pkgs.powerdns}/bin/pdns_server --config-dir=${configDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ]; + }; + }; + + users.users.pdns = { + isSystemUser = true; + group = "pdns"; + description = "PowerDNS"; + }; + + users.groups.pdns = {}; + + }; +} diff --git a/nixos/modules/services/networking/pppd.nix b/nixos/modules/services/networking/pppd.nix new file mode 100644 index 00000000000..d1ed25b0238 --- /dev/null +++ b/nixos/modules/services/networking/pppd.nix @@ -0,0 +1,154 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.pppd; +in +{ + meta = { + maintainers = with maintainers; [ danderson ]; + }; + + options = { + services.pppd = { + enable = mkEnableOption "pppd"; + + package = mkOption { + default = pkgs.ppp; + defaultText = literalExpression "pkgs.ppp"; + type = types.package; + description = "pppd package to use."; + }; + + peers = mkOption { + default = {}; + description = "pppd peers."; + type = types.attrsOf (types.submodule ( + { name, ... }: + { + options = { + name = mkOption { + type = types.str; + default = name; + example = "dialup"; + description = "Name of the PPP peer."; + }; + + enable = mkOption { + type = types.bool; + default = true; + example = false; + description = "Whether to enable this PPP peer."; + }; + + autostart = mkOption { + type = types.bool; + default = true; + example = false; + description = "Whether the PPP session is automatically started at boot time."; + }; + + config = mkOption { + type = types.lines; + default = ""; + description = "pppd configuration for this peer, see the pppd(8) man page."; + }; + }; + })); + }; + }; + }; + + config = let + enabledConfigs = filter (f: f.enable) (attrValues cfg.peers); + + mkEtc = peerCfg: { + name = "ppp/peers/${peerCfg.name}"; + value.text = peerCfg.config; + }; + + mkSystemd = peerCfg: { + name = "pppd-${peerCfg.name}"; + value = { + restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ]; + before = [ "network.target" ]; + wants = [ "network.target" ]; + after = [ "network-pre.target" ]; + environment = { + # pppd likes to write directly into /var/run. This is rude + # on a modern system, so we use libredirect to transparently + # move those files into /run/pppd. + LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so"; + NIX_REDIRECTS = "/var/run=/run/pppd"; + }; + serviceConfig = let + capabilities = [ + "CAP_BPF" + "CAP_SYS_TTY_CONFIG" + "CAP_NET_ADMIN" + "CAP_NET_RAW" + ]; + in + { + ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog"; + Restart = "always"; + RestartSec = 5; + + AmbientCapabilities = capabilities; + CapabilityBoundingSet = capabilities; + KeyringMode = "private"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateMounts = true; + PrivateTmp = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelModules = true; + # pppd can be configured to tweak kernel settings. + ProtectKernelTunables = false; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_ATMPVC" + "AF_ATMSVC" + "AF_INET" + "AF_INET6" + "AF_IPX" + "AF_NETLINK" + "AF_PACKET" + "AF_PPPOX" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SecureBits = "no-setuid-fixup-locked noroot-locked"; + SystemCallFilter = "@system-service"; + SystemCallArchitectures = "native"; + + # All pppd instances on a system must share a runtime + # directory in order for PPP multilink to work correctly. So + # we give all instances the same /run/pppd directory to store + # things in. + # + # For the same reason, we can't set PrivateUsers=true, because + # all instances need to run as the same user to access the + # multilink database. + RuntimeDirectory = "pppd"; + RuntimeDirectoryPreserve = true; + }; + wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ]; + }; + }; + + etcFiles = listToAttrs (map mkEtc enabledConfigs); + systemdConfigs = listToAttrs (map mkSystemd enabledConfigs); + + in mkIf cfg.enable { + environment.etc = etcFiles; + systemd.services = systemdConfigs; + }; +} diff --git a/nixos/modules/services/networking/pptpd.nix b/nixos/modules/services/networking/pptpd.nix new file mode 100644 index 00000000000..3e7753b9dd3 --- /dev/null +++ b/nixos/modules/services/networking/pptpd.nix @@ -0,0 +1,124 @@ +{ config, pkgs, lib, ... }: + +with lib; + +{ + options = { + services.pptpd = { + enable = mkEnableOption "pptpd, the Point-to-Point Tunneling Protocol daemon"; + + serverIp = mkOption { + type = types.str; + description = "The server-side IP address."; + default = "10.124.124.1"; + }; + + clientIpRange = mkOption { + type = types.str; + description = "The range from which client IPs are drawn."; + default = "10.124.124.2-11"; + }; + + maxClients = mkOption { + type = types.int; + description = "The maximum number of simultaneous connections."; + default = 10; + }; + + extraPptpdOptions = mkOption { + type = types.lines; + description = "Adds extra lines to the pptpd configuration file."; + default = ""; + }; + + extraPppdOptions = mkOption { + type = types.lines; + description = "Adds extra lines to the pppd options file."; + default = ""; + example = '' + ms-dns 8.8.8.8 + ms-dns 8.8.4.4 + ''; + }; + }; + }; + + config = mkIf config.services.pptpd.enable { + systemd.services.pptpd = let + cfg = config.services.pptpd; + + pptpd-conf = pkgs.writeText "pptpd.conf" '' + # Inspired from pptpd-1.4.0/samples/pptpd.conf + ppp ${ppp-pptpd-wrapped}/bin/pppd + option ${pppd-options} + pidfile /run/pptpd.pid + localip ${cfg.serverIp} + remoteip ${cfg.clientIpRange} + connections ${toString cfg.maxClients} # (Will get harmless warning if inconsistent with IP range) + + # Extra + ${cfg.extraPptpdOptions} + ''; + + pppd-options = pkgs.writeText "ppp-options-pptpd.conf" '' + # From: cat pptpd-1.4.0/samples/options.pptpd | grep -v ^# | grep -v ^$ + name pptpd + refuse-pap + refuse-chap + refuse-mschap + require-mschap-v2 + require-mppe-128 + proxyarp + lock + nobsdcomp + novj + novjccomp + nologfd + + # Extra: + ${cfg.extraPppdOptions} + ''; + + ppp-pptpd-wrapped = pkgs.stdenv.mkDerivation { + name = "ppp-pptpd-wrapped"; + phases = [ "installPhase" ]; + buildInputs = with pkgs; [ makeWrapper ]; + installPhase = '' + mkdir -p $out/bin + makeWrapper ${pkgs.ppp}/bin/pppd $out/bin/pppd \ + --set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \ + --set NIX_REDIRECTS "/etc/ppp=/etc/ppp-pptpd" + ''; + }; + in { + description = "pptpd server"; + + requires = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + + preStart = '' + mkdir -p -m 700 /etc/ppp-pptpd + + secrets="/etc/ppp-pptpd/chap-secrets" + + [ -f "$secrets" ] || cat > "$secrets" << EOF + # From: pptpd-1.4.0/samples/chap-secrets + # Secrets for authentication using CHAP + # client server secret IP addresses + #username pptpd password * + EOF + + chown root.root "$secrets" + chmod 600 "$secrets" + ''; + + serviceConfig = { + ExecStart = "${pkgs.pptpd}/bin/pptpd --conf ${pptpd-conf}"; + KillMode = "process"; + Restart = "on-success"; + Type = "forking"; + PIDFile = "/run/pptpd.pid"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix new file mode 100644 index 00000000000..ae9258b2712 --- /dev/null +++ b/nixos/modules/services/networking/prayer.nix @@ -0,0 +1,90 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + inherit (pkgs) prayer; + + cfg = config.services.prayer; + + stateDir = "/var/lib/prayer"; + + prayerUser = "prayer"; + prayerGroup = "prayer"; + + prayerExtraCfg = pkgs.writeText "extraprayer.cf" '' + prefix = "${prayer}" + var_prefix = "${stateDir}" + prayer_user = "${prayerUser}" + prayer_group = "${prayerGroup}" + sendmail_path = "/run/wrappers/bin/sendmail" + + use_http_port ${cfg.port} + + ${cfg.extraConfig} + ''; + + prayerCfg = pkgs.runCommand "prayer.cf" { preferLocalBuild = true; } '' + # We have to remove the http_port 80, or it will start a server there + cat ${prayer}/etc/prayer.cf | grep -v http_port > $out + cat ${prayerExtraCfg} >> $out + ''; + +in + +{ + + ###### interface + + options = { + + services.prayer = { + + enable = mkEnableOption "the prayer webmail http server"; + + port = mkOption { + default = 2080; + type = types.port; + description = '' + Port the prayer http server is listening to. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = "" ; + description = '' + Extra configuration. Contents will be added verbatim to the configuration file. + ''; + }; + }; + + }; + + + ###### implementation + + config = mkIf config.services.prayer.enable { + environment.systemPackages = [ prayer ]; + + users.users.${prayerUser} = + { uid = config.ids.uids.prayer; + description = "Prayer daemon user"; + home = stateDir; + }; + + users.groups.${prayerGroup} = + { gid = config.ids.gids.prayer; }; + + systemd.services.prayer = { + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "forking"; + preStart = '' + mkdir -m 0755 -p ${stateDir} + chown ${prayerUser}.${prayerGroup} ${stateDir} + ''; + script = "${prayer}/sbin/prayer --config-file=${prayerCfg}"; + }; + }; +} diff --git a/nixos/modules/services/networking/privoxy.nix b/nixos/modules/services/networking/privoxy.nix new file mode 100644 index 00000000000..7bc964d5f34 --- /dev/null +++ b/nixos/modules/services/networking/privoxy.nix @@ -0,0 +1,279 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.privoxy; + + serialise = name: val: + if isList val then concatMapStrings (serialise name) val + else if isBool val then serialise name (if val then "1" else "0") + else "${name} ${toString val}\n"; + + configType = with types; + let atom = oneOf [ int bool string path ]; + in attrsOf (either atom (listOf atom)) + // { description = '' + privoxy configuration type. The format consists of an attribute + set of settings. Each setting can be either a value (integer, string, + boolean or path) or a list of such values. + ''; + }; + + ageType = types.str // { + check = x: + isString x && + (builtins.match "([0-9]+([smhdw]|min|ms|us)*)+" x != null); + description = "tmpfiles.d(5) age format"; + }; + + configFile = pkgs.writeText "privoxy.conf" + (concatStrings ( + # Relative paths in some options are relative to confdir. Privoxy seems + # to parse the options in order of appearance, so this must come first. + # Nix however doesn't preserve the order in attrsets, so we have to + # hardcode confdir here. + [ "confdir ${pkgs.privoxy}/etc\n" ] + ++ mapAttrsToList serialise cfg.settings + )); + + inspectAction = pkgs.writeText "inspect-all-https.action" + '' + # Enable HTTPS inspection for all requests + {+https-inspection} + / + ''; + +in + +{ + + ###### interface + + options.services.privoxy = { + + enable = mkEnableOption "Privoxy, non-caching filtering proxy"; + + enableTor = mkOption { + type = types.bool; + default = false; + description = '' + Whether to configure Privoxy to use Tor's faster SOCKS port, + suitable for HTTP. + ''; + }; + + inspectHttps = mkOption { + type = types.bool; + default = false; + description = '' + Whether to configure Privoxy to inspect HTTPS requests, meaning all + encrypted traffic will be filtered as well. This works by decrypting + and re-encrypting the requests using a per-domain generated certificate. + + To issue per-domain certificates, Privoxy must be provided with a CA + certificate, using the <literal>ca-cert-file</literal>, + <literal>ca-key-file</literal> settings. + + <warning><para> + The CA certificate must also be added to the system trust roots, + otherwise browsers will reject all Privoxy certificates as invalid. + You can do so by using the option + <option>security.pki.certificateFiles</option>. + </para></warning> + ''; + }; + + certsLifetime = mkOption { + type = ageType; + default = "10d"; + example = "12h"; + description = '' + If <literal>inspectHttps</literal> is enabled, the time generated HTTPS + certificates will be stored in a temporary directory for reuse. Once + the lifetime has expired the directory will cleared and the certificate + will have to be generated again, on-demand. + + Depending on the traffic, you may want to reduce the lifetime to limit + the disk usage, since Privoxy itself never deletes the certificates. + + <note><para>The format is that of the <literal>tmpfiles.d(5)</literal> + Age parameter.</para></note> + ''; + }; + + userActions = mkOption { + type = types.lines; + default = ""; + description = '' + Actions to be included in a <literal>user.action</literal> file. This + will have a higher priority and can be used to override all other + actions. + ''; + }; + + userFilters = mkOption { + type = types.lines; + default = ""; + description = '' + Filters to be included in a <literal>user.filter</literal> file. This + will have a higher priority and can be used to override all other + filters definitions. + ''; + }; + + settings = mkOption { + type = types.submodule { + freeformType = configType; + + options.listen-address = mkOption { + type = types.str; + default = "127.0.0.1:8118"; + description = "Pair of address:port the proxy server is listening to."; + }; + + options.enable-edit-actions = mkOption { + type = types.bool; + default = false; + description = "Whether the web-based actions file editor may be used."; + }; + + options.actionsfile = mkOption { + type = types.listOf types.str; + # This must come after all other entries, in order to override the + # other actions/filters installed by Privoxy or the user. + apply = x: x ++ optional (cfg.userActions != "") + (toString (pkgs.writeText "user.actions" cfg.userActions)); + default = [ "match-all.action" "default.action" ]; + description = '' + List of paths to Privoxy action files. These paths may either be + absolute or relative to the privoxy configuration directory. + ''; + }; + + options.filterfile = mkOption { + type = types.listOf types.str; + default = [ "default.filter" ]; + apply = x: x ++ optional (cfg.userFilters != "") + (toString (pkgs.writeText "user.filter" cfg.userFilters)); + description = '' + List of paths to Privoxy filter files. These paths may either be + absolute or relative to the privoxy configuration directory. + ''; + }; + }; + default = {}; + example = literalExpression '' + { # Listen on IPv6 only + listen-address = "[::]:8118"; + + # Forward .onion requests to Tor + forward-socks5 = ".onion localhost:9050 ."; + + # Log redirects and filters + debug = [ 128 64 ]; + # This is equivalent to writing these lines + # in the Privoxy configuration file: + # debug 128 + # debug 64 + } + ''; + description = '' + This option is mapped to the main Privoxy configuration file. + Check out the Privoxy user manual at + <link xlink:href="https://www.privoxy.org/user-manual/config.html"/> + for available settings and documentation. + + <note><para> + Repeated settings can be represented by using a list. + </para></note> + ''; + }; + + }; + + ###### implementation + + config = mkIf cfg.enable { + + users.users.privoxy = { + description = "Privoxy daemon user"; + isSystemUser = true; + group = "privoxy"; + }; + + users.groups.privoxy = {}; + + systemd.tmpfiles.rules = optional cfg.inspectHttps + "d ${cfg.settings.certificate-directory} 0770 privoxy privoxy ${cfg.certsLifetime}"; + + systemd.services.privoxy = { + description = "Filtering web proxy"; + after = [ "network.target" "nss-lookup.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = "privoxy"; + Group = "privoxy"; + ExecStart = "${pkgs.privoxy}/bin/privoxy --no-daemon ${configFile}"; + PrivateDevices = true; + PrivateTmp = true; + ProtectHome = true; + ProtectSystem = "full"; + }; + unitConfig = mkIf cfg.inspectHttps { + ConditionPathExists = with cfg.settings; + [ ca-cert-file ca-key-file ]; + }; + }; + + services.tor.settings.SOCKSPort = mkIf cfg.enableTor [ + # Route HTTP traffic over a faster port (without IsolateDestAddr). + { addr = "127.0.0.1"; port = 9063; IsolateDestAddr = false; } + ]; + + services.privoxy.settings = { + user-manual = "${pkgs.privoxy}/share/doc/privoxy/user-manual"; + # This is needed for external filters + temporary-directory = "/tmp"; + filterfile = [ "default.filter" ]; + actionsfile = + [ "match-all.action" + "default.action" + ] ++ optional cfg.inspectHttps (toString inspectAction); + } // (optionalAttrs cfg.enableTor { + forward-socks5 = "/ 127.0.0.1:9063 ."; + toggle = true; + enable-remote-toggle = false; + enable-edit-actions = false; + enable-remote-http-toggle = false; + }) // (optionalAttrs cfg.inspectHttps { + # This allows setting absolute key/crt paths + ca-directory = "/var/empty"; + certificate-directory = "/run/privoxy/certs"; + trusted-cas-file = "/etc/ssl/certs/ca-certificates.crt"; + }); + + }; + + imports = + let + top = x: [ "services" "privoxy" x ]; + setting = x: [ "services" "privoxy" "settings" x ]; + in + [ (mkRenamedOptionModule (top "enableEditActions") (setting "enable-edit-actions")) + (mkRenamedOptionModule (top "listenAddress") (setting "listen-address")) + (mkRenamedOptionModule (top "actionsFiles") (setting "actionsfile")) + (mkRenamedOptionModule (top "filterFiles") (setting "filterfile")) + (mkRemovedOptionModule (top "extraConfig") + '' + Use services.privoxy.settings instead. + This is part of the general move to use structured settings instead of raw + text for config as introduced by RFC0042: + https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md + '') + ]; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + +} diff --git a/nixos/modules/services/networking/prosody.nix b/nixos/modules/services/networking/prosody.nix new file mode 100644 index 00000000000..42596ccfefd --- /dev/null +++ b/nixos/modules/services/networking/prosody.nix @@ -0,0 +1,882 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.prosody; + + sslOpts = { ... }: { + + options = { + + key = mkOption { + type = types.path; + description = "Path to the key file."; + }; + + # TODO: rename to certificate to match the prosody config + cert = mkOption { + type = types.path; + description = "Path to the certificate file."; + }; + + extraOptions = mkOption { + type = types.attrs; + default = {}; + description = "Extra SSL configuration options."; + }; + + }; + }; + + discoOpts = { + options = { + url = mkOption { + type = types.str; + description = "URL of the endpoint you want to make discoverable"; + }; + description = mkOption { + type = types.str; + description = "A short description of the endpoint you want to advertise"; + }; + }; + }; + + moduleOpts = { + # Required for compliance with https://compliance.conversations.im/about/ + roster = mkOption { + type = types.bool; + default = true; + description = "Allow users to have a roster"; + }; + + saslauth = mkOption { + type = types.bool; + default = true; + description = "Authentication for clients and servers. Recommended if you want to log in."; + }; + + tls = mkOption { + type = types.bool; + default = true; + description = "Add support for secure TLS on c2s/s2s connections"; + }; + + dialback = mkOption { + type = types.bool; + default = true; + description = "s2s dialback support"; + }; + + disco = mkOption { + type = types.bool; + default = true; + description = "Service discovery"; + }; + + # Not essential, but recommended + carbons = mkOption { + type = types.bool; + default = true; + description = "Keep multiple clients in sync"; + }; + + csi = mkOption { + type = types.bool; + default = true; + description = "Implements the CSI protocol that allows clients to report their active/inactive state to the server"; + }; + + cloud_notify = mkOption { + type = types.bool; + default = true; + description = "Push notifications to inform users of new messages or other pertinent information even when they have no XMPP clients online"; + }; + + pep = mkOption { + type = types.bool; + default = true; + description = "Enables users to publish their mood, activity, playing music and more"; + }; + + private = mkOption { + type = types.bool; + default = true; + description = "Private XML storage (for room bookmarks, etc.)"; + }; + + blocklist = mkOption { + type = types.bool; + default = true; + description = "Allow users to block communications with other users"; + }; + + vcard = mkOption { + type = types.bool; + default = false; + description = "Allow users to set vCards"; + }; + + vcard_legacy = mkOption { + type = types.bool; + default = true; + description = "Converts users profiles and Avatars between old and new formats"; + }; + + bookmarks = mkOption { + type = types.bool; + default = true; + description = "Allows interop between older clients that use XEP-0048: Bookmarks in its 1.0 version and recent clients which use it in PEP"; + }; + + # Nice to have + version = mkOption { + type = types.bool; + default = true; + description = "Replies to server version requests"; + }; + + uptime = mkOption { + type = types.bool; + default = true; + description = "Report how long server has been running"; + }; + + time = mkOption { + type = types.bool; + default = true; + description = "Let others know the time here on this server"; + }; + + ping = mkOption { + type = types.bool; + default = true; + description = "Replies to XMPP pings with pongs"; + }; + + register = mkOption { + type = types.bool; + default = true; + description = "Allow users to register on this server using a client and change passwords"; + }; + + mam = mkOption { + type = types.bool; + default = true; + description = "Store messages in an archive and allow users to access it"; + }; + + smacks = mkOption { + type = types.bool; + default = true; + description = "Allow a client to resume a disconnected session, and prevent message loss"; + }; + + # Admin interfaces + admin_adhoc = mkOption { + type = types.bool; + default = true; + description = "Allows administration via an XMPP client that supports ad-hoc commands"; + }; + + http_files = mkOption { + type = types.bool; + default = true; + description = "Serve static files from a directory over HTTP"; + }; + + proxy65 = mkOption { + type = types.bool; + default = true; + description = "Enables a file transfer proxy service which clients behind NAT can use"; + }; + + admin_telnet = mkOption { + type = types.bool; + default = false; + description = "Opens telnet console interface on localhost port 5582"; + }; + + # HTTP modules + bosh = mkOption { + type = types.bool; + default = false; + description = "Enable BOSH clients, aka 'Jabber over HTTP'"; + }; + + websocket = mkOption { + type = types.bool; + default = false; + description = "Enable WebSocket support"; + }; + + # Other specific functionality + limits = mkOption { + type = types.bool; + default = false; + description = "Enable bandwidth limiting for XMPP connections"; + }; + + groups = mkOption { + type = types.bool; + default = false; + description = "Shared roster support"; + }; + + server_contact_info = mkOption { + type = types.bool; + default = false; + description = "Publish contact information for this service"; + }; + + announce = mkOption { + type = types.bool; + default = false; + description = "Send announcement to all online users"; + }; + + welcome = mkOption { + type = types.bool; + default = false; + description = "Welcome users who register accounts"; + }; + + watchregistrations = mkOption { + type = types.bool; + default = false; + description = "Alert admins of registrations"; + }; + + motd = mkOption { + type = types.bool; + default = false; + description = "Send a message to users when they log in"; + }; + + legacyauth = mkOption { + type = types.bool; + default = false; + description = "Legacy authentication. Only used by some old clients and bots"; + }; + }; + + toLua = x: + if builtins.isString x then ''"${x}"'' + else if builtins.isBool x then boolToString x + else if builtins.isInt x then toString x + else if builtins.isList x then ''{ ${lib.concatStringsSep ", " (map (n: toLua n) x) } }'' + else throw "Invalid Lua value"; + + createSSLOptsStr = o: '' + ssl = { + cafile = "/etc/ssl/certs/ca-bundle.crt"; + key = "${o.key}"; + certificate = "${o.cert}"; + ${concatStringsSep "\n" (mapAttrsToList (name: value: "${name} = ${toLua value};") o.extraOptions)} + }; + ''; + + mucOpts = { ... }: { + options = { + domain = mkOption { + type = types.str; + description = "Domain name of the MUC"; + }; + name = mkOption { + type = types.str; + description = "The name to return in service discovery responses for the MUC service itself"; + default = "Prosody Chatrooms"; + }; + restrictRoomCreation = mkOption { + type = types.enum [ true false "admin" "local" ]; + default = false; + description = "Restrict room creation to server admins"; + }; + maxHistoryMessages = mkOption { + type = types.int; + default = 20; + description = "Specifies a limit on what each room can be configured to keep"; + }; + roomLocking = mkOption { + type = types.bool; + default = true; + description = '' + Enables room locking, which means that a room must be + configured before it can be used. Locked rooms are invisible + and cannot be entered by anyone but the creator + ''; + }; + roomLockTimeout = mkOption { + type = types.int; + default = 300; + description = '' + Timout after which the room is destroyed or unlocked if not + configured, in seconds + ''; + }; + tombstones = mkOption { + type = types.bool; + default = true; + description = '' + When a room is destroyed, it leaves behind a tombstone which + prevents the room being entered or recreated. It also allows + anyone who was not in the room at the time it was destroyed + to learn about it, and to update their bookmarks. Tombstones + prevents the case where someone could recreate a previously + semi-anonymous room in order to learn the real JIDs of those + who often join there. + ''; + }; + tombstoneExpiry = mkOption { + type = types.int; + default = 2678400; + description = '' + This settings controls how long a tombstone is considered + valid. It defaults to 31 days. After this time, the room in + question can be created again. + ''; + }; + + vcard_muc = mkOption { + type = types.bool; + default = true; + description = "Adds the ability to set vCard for Multi User Chat rooms"; + }; + + # Extra parameters. Defaulting to prosody default values. + # Adding them explicitly to make them visible from the options + # documentation. + # + # See https://prosody.im/doc/modules/mod_muc for more details. + roomDefaultPublic = mkOption { + type = types.bool; + default = true; + description = "If set, the MUC rooms will be public by default."; + }; + roomDefaultMembersOnly = mkOption { + type = types.bool; + default = false; + description = "If set, the MUC rooms will only be accessible to the members by default."; + }; + roomDefaultModerated = mkOption { + type = types.bool; + default = false; + description = "If set, the MUC rooms will be moderated by default."; + }; + roomDefaultPublicJids = mkOption { + type = types.bool; + default = false; + description = "If set, the MUC rooms will display the public JIDs by default."; + }; + roomDefaultChangeSubject = mkOption { + type = types.bool; + default = false; + description = "If set, the rooms will display the public JIDs by default."; + }; + roomDefaultHistoryLength = mkOption { + type = types.int; + default = 20; + description = "Number of history message sent to participants by default."; + }; + roomDefaultLanguage = mkOption { + type = types.str; + default = "en"; + description = "Default room language."; + }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Additional MUC specific configuration"; + }; + }; + }; + + uploadHttpOpts = { ... }: { + options = { + domain = mkOption { + type = types.nullOr types.str; + description = "Domain name for the http-upload service"; + }; + uploadFileSizeLimit = mkOption { + type = types.str; + default = "50 * 1024 * 1024"; + description = "Maximum file size, in bytes. Defaults to 50MB."; + }; + uploadExpireAfter = mkOption { + type = types.str; + default = "60 * 60 * 24 * 7"; + description = "Max age of a file before it gets deleted, in seconds."; + }; + userQuota = mkOption { + type = types.nullOr types.int; + default = null; + example = 1234; + description = '' + Maximum size of all uploaded files per user, in bytes. There + will be no quota if this option is set to null. + ''; + }; + httpUploadPath = mkOption { + type = types.str; + description = '' + Directory where the uploaded files will be stored. By + default, uploaded files are put in a sub-directory of the + default Prosody storage path (usually /var/lib/prosody). + ''; + default = "/var/lib/prosody"; + }; + }; + }; + + vHostOpts = { ... }: { + + options = { + + # TODO: require attribute + domain = mkOption { + type = types.str; + description = "Domain name"; + }; + + enabled = mkOption { + type = types.bool; + default = false; + description = "Whether to enable the virtual host"; + }; + + ssl = mkOption { + type = types.nullOr (types.submodule sslOpts); + default = null; + description = "Paths to SSL files"; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Additional virtual host specific configuration"; + }; + + }; + + }; + +in + +{ + + ###### interface + + options = { + + services.prosody = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Whether to enable the prosody server"; + }; + + xmppComplianceSuite = mkOption { + type = types.bool; + default = true; + description = '' + The XEP-0423 defines a set of recommended XEPs to implement + for a server. It's generally a good idea to implement this + set of extensions if you want to provide your users with a + good XMPP experience. + + This NixOS module aims to provide a "advanced server" + experience as per defined in the XEP-0423[1] specification. + + Setting this option to true will prevent you from building a + NixOS configuration which won't comply with this standard. + You can explicitely decide to ignore this standard if you + know what you are doing by setting this option to false. + + [1] https://xmpp.org/extensions/xep-0423.html + ''; + }; + + package = mkOption { + type = types.package; + description = "Prosody package to use"; + default = pkgs.prosody; + defaultText = literalExpression "pkgs.prosody"; + example = literalExpression '' + pkgs.prosody.override { + withExtraLibs = [ pkgs.luaPackages.lpty ]; + withCommunityModules = [ "auth_external" ]; + }; + ''; + }; + + dataDir = mkOption { + type = types.path; + description = "Directory where Prosody stores its data"; + default = "/var/lib/prosody"; + }; + + disco_items = mkOption { + type = types.listOf (types.submodule discoOpts); + default = []; + description = "List of discoverable items you want to advertise."; + }; + + user = mkOption { + type = types.str; + default = "prosody"; + description = "User account under which prosody runs."; + }; + + group = mkOption { + type = types.str; + default = "prosody"; + description = "Group account under which prosody runs."; + }; + + allowRegistration = mkOption { + type = types.bool; + default = false; + description = "Allow account creation"; + }; + + # HTTP server-related options + httpPorts = mkOption { + type = types.listOf types.int; + description = "Listening HTTP ports list for this service."; + default = [ 5280 ]; + }; + + httpInterfaces = mkOption { + type = types.listOf types.str; + default = [ "*" "::" ]; + description = "Interfaces on which the HTTP server will listen on."; + }; + + httpsPorts = mkOption { + type = types.listOf types.int; + description = "Listening HTTPS ports list for this service."; + default = [ 5281 ]; + }; + + httpsInterfaces = mkOption { + type = types.listOf types.str; + default = [ "*" "::" ]; + description = "Interfaces on which the HTTPS server will listen on."; + }; + + c2sRequireEncryption = mkOption { + type = types.bool; + default = true; + description = '' + Force clients to use encrypted connections? This option will + prevent clients from authenticating unless they are using encryption. + ''; + }; + + s2sRequireEncryption = mkOption { + type = types.bool; + default = true; + description = '' + Force servers to use encrypted connections? This option will + prevent servers from authenticating unless they are using encryption. + Note that this is different from authentication. + ''; + }; + + s2sSecureAuth = mkOption { + type = types.bool; + default = false; + description = '' + Force certificate authentication for server-to-server connections? + This provides ideal security, but requires servers you communicate + with to support encryption AND present valid, trusted certificates. + For more information see https://prosody.im/doc/s2s#security + ''; + }; + + s2sInsecureDomains = mkOption { + type = types.listOf types.str; + default = []; + example = [ "insecure.example.com" ]; + description = '' + Some servers have invalid or self-signed certificates. You can list + remote domains here that will not be required to authenticate using + certificates. They will be authenticated using DNS instead, even + when s2s_secure_auth is enabled. + ''; + }; + + s2sSecureDomains = mkOption { + type = types.listOf types.str; + default = []; + example = [ "jabber.org" ]; + description = '' + Even if you leave s2s_secure_auth disabled, you can still require valid + certificates for some domains by specifying a list here. + ''; + }; + + + modules = moduleOpts; + + extraModules = mkOption { + type = types.listOf types.str; + default = []; + description = "Enable custom modules"; + }; + + extraPluginPaths = mkOption { + type = types.listOf types.path; + default = []; + description = "Addtional path in which to look find plugins/modules"; + }; + + uploadHttp = mkOption { + description = '' + Configures the Prosody builtin HTTP server to handle user uploads. + ''; + type = types.nullOr (types.submodule uploadHttpOpts); + default = null; + example = { + domain = "uploads.my-xmpp-example-host.org"; + }; + }; + + muc = mkOption { + type = types.listOf (types.submodule mucOpts); + default = [ ]; + example = [ { + domain = "conference.my-xmpp-example-host.org"; + } ]; + description = "Multi User Chat (MUC) configuration"; + }; + + virtualHosts = mkOption { + + description = "Define the virtual hosts"; + + type = with types; attrsOf (submodule vHostOpts); + + example = { + myhost = { + domain = "my-xmpp-example-host.org"; + enabled = true; + }; + }; + + default = { + localhost = { + domain = "localhost"; + enabled = true; + }; + }; + + }; + + ssl = mkOption { + type = types.nullOr (types.submodule sslOpts); + default = null; + description = "Paths to SSL files"; + }; + + admins = mkOption { + type = types.listOf types.str; + default = []; + example = [ "admin1@example.com" "admin2@example.com" ]; + description = "List of administrators of the current host"; + }; + + authentication = mkOption { + type = types.enum [ "internal_plain" "internal_hashed" "cyrus" "anonymous" ]; + default = "internal_hashed"; + example = "internal_plain"; + description = "Authentication mechanism used for logins."; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Additional prosody configuration"; + }; + + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + assertions = let + genericErrMsg = '' + + Having a server not XEP-0423-compliant might make your XMPP + experience terrible. See the NixOS manual for further + informations. + + If you know what you're doing, you can disable this warning by + setting config.services.prosody.xmppComplianceSuite to false. + ''; + errors = [ + { assertion = (builtins.length cfg.muc > 0) || !cfg.xmppComplianceSuite; + message = '' + You need to setup at least a MUC domain to comply with + XEP-0423. + '' + genericErrMsg;} + { assertion = cfg.uploadHttp != null || !cfg.xmppComplianceSuite; + message = '' + You need to setup the uploadHttp module through + config.services.prosody.uploadHttp to comply with + XEP-0423. + '' + genericErrMsg;} + ]; + in errors; + + environment.systemPackages = [ cfg.package ]; + + environment.etc."prosody/prosody.cfg.lua".text = + let + httpDiscoItems = if (cfg.uploadHttp != null) + then [{ url = cfg.uploadHttp.domain; description = "HTTP upload endpoint";}] + else []; + mucDiscoItems = builtins.foldl' + (acc: muc: [{ url = muc.domain; description = "${muc.domain} MUC endpoint";}] ++ acc) + [] + cfg.muc; + discoItems = cfg.disco_items ++ httpDiscoItems ++ mucDiscoItems; + in '' + + pidfile = "/run/prosody/prosody.pid" + + log = "*syslog" + + data_path = "${cfg.dataDir}" + plugin_paths = { + ${lib.concatStringsSep ", " (map (n: "\"${n}\"") cfg.extraPluginPaths) } + } + + ${ optionalString (cfg.ssl != null) (createSSLOptsStr cfg.ssl) } + + admins = ${toLua cfg.admins} + + -- we already build with libevent, so we can just enable it for a more performant server + use_libevent = true + + modules_enabled = { + + ${ lib.concatStringsSep "\n " (lib.mapAttrsToList + (name: val: optionalString val "${toLua name};") + cfg.modules) } + ${ lib.concatStringsSep "\n" (map (x: "${toLua x};") cfg.package.communityModules)} + ${ lib.concatStringsSep "\n" (map (x: "${toLua x};") cfg.extraModules)} + }; + + disco_items = { + ${ lib.concatStringsSep "\n" (builtins.map (x: ''{ "${x.url}", "${x.description}"};'') discoItems)} + }; + + allow_registration = ${toLua cfg.allowRegistration} + + c2s_require_encryption = ${toLua cfg.c2sRequireEncryption} + + s2s_require_encryption = ${toLua cfg.s2sRequireEncryption} + + s2s_secure_auth = ${toLua cfg.s2sSecureAuth} + + s2s_insecure_domains = ${toLua cfg.s2sInsecureDomains} + + s2s_secure_domains = ${toLua cfg.s2sSecureDomains} + + authentication = ${toLua cfg.authentication} + + http_interfaces = ${toLua cfg.httpInterfaces} + + https_interfaces = ${toLua cfg.httpsInterfaces} + + http_ports = ${toLua cfg.httpPorts} + + https_ports = ${toLua cfg.httpsPorts} + + ${ cfg.extraConfig } + + ${lib.concatMapStrings (muc: '' + Component ${toLua muc.domain} "muc" + modules_enabled = { "muc_mam"; ${optionalString muc.vcard_muc ''"vcard_muc";'' } } + name = ${toLua muc.name} + restrict_room_creation = ${toLua muc.restrictRoomCreation} + max_history_messages = ${toLua muc.maxHistoryMessages} + muc_room_locking = ${toLua muc.roomLocking} + muc_room_lock_timeout = ${toLua muc.roomLockTimeout} + muc_tombstones = ${toLua muc.tombstones} + muc_tombstone_expiry = ${toLua muc.tombstoneExpiry} + muc_room_default_public = ${toLua muc.roomDefaultPublic} + muc_room_default_members_only = ${toLua muc.roomDefaultMembersOnly} + muc_room_default_moderated = ${toLua muc.roomDefaultModerated} + muc_room_default_public_jids = ${toLua muc.roomDefaultPublicJids} + muc_room_default_change_subject = ${toLua muc.roomDefaultChangeSubject} + muc_room_default_history_length = ${toLua muc.roomDefaultHistoryLength} + muc_room_default_language = ${toLua muc.roomDefaultLanguage} + ${ muc.extraConfig } + '') cfg.muc} + + ${ lib.optionalString (cfg.uploadHttp != null) '' + Component ${toLua cfg.uploadHttp.domain} "http_upload" + http_upload_file_size_limit = ${cfg.uploadHttp.uploadFileSizeLimit} + http_upload_expire_after = ${cfg.uploadHttp.uploadExpireAfter} + ${lib.optionalString (cfg.uploadHttp.userQuota != null) "http_upload_quota = ${toLua cfg.uploadHttp.userQuota}"} + http_upload_path = ${toLua cfg.uploadHttp.httpUploadPath} + ''} + + ${ lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: '' + VirtualHost "${v.domain}" + enabled = ${boolToString v.enabled}; + ${ optionalString (v.ssl != null) (createSSLOptsStr v.ssl) } + ${ v.extraConfig } + '') cfg.virtualHosts) } + ''; + + users.users.prosody = mkIf (cfg.user == "prosody") { + uid = config.ids.uids.prosody; + description = "Prosody user"; + createHome = true; + inherit (cfg) group; + home = "${cfg.dataDir}"; + }; + + users.groups.prosody = mkIf (cfg.group == "prosody") { + gid = config.ids.gids.prosody; + }; + + systemd.services.prosody = { + description = "Prosody XMPP server"; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ config.environment.etc."prosody/prosody.cfg.lua".source ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Type = "forking"; + RuntimeDirectory = [ "prosody" ]; + PIDFile = "/run/prosody/prosody.pid"; + ExecStart = "${cfg.package}/bin/prosodyctl start"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + }; + }; + + }; + meta.doc = ./prosody.xml; +} diff --git a/nixos/modules/services/networking/prosody.xml b/nixos/modules/services/networking/prosody.xml new file mode 100644 index 00000000000..6358d744ff7 --- /dev/null +++ b/nixos/modules/services/networking/prosody.xml @@ -0,0 +1,87 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="module-services-prosody"> + <title>Prosody</title> + <para> + <link xlink:href="https://prosody.im/">Prosody</link> is an open-source, modern XMPP server. + </para> + <section xml:id="module-services-prosody-basic-usage"> + <title>Basic usage</title> + + <para> + A common struggle for most XMPP newcomers is to find the right set + of XMPP Extensions (XEPs) to setup. Forget to activate a few of + those and your XMPP experience might turn into a nightmare! + </para> + + <para> + The XMPP community tackles this problem by creating a meta-XEP + listing a decent set of XEPs you should implement. This meta-XEP + is issued every year, the 2020 edition being + <link xlink:href="https://xmpp.org/extensions/xep-0423.html">XEP-0423</link>. + </para> + <para> + The NixOS Prosody module will implement most of these recommendend XEPs out of + the box. That being said, two components still require some + manual configuration: the + <link xlink:href="https://xmpp.org/extensions/xep-0045.html">Multi User Chat (MUC)</link> + and the <link xlink:href="https://xmpp.org/extensions/xep-0363.html">HTTP File Upload</link> ones. + You'll need to create a DNS subdomain for each of those. The current convention is to name your + MUC endpoint <literal>conference.example.org</literal> and your HTTP upload domain <literal>upload.example.org</literal>. + </para> + <para> + A good configuration to start with, including a + <link xlink:href="https://xmpp.org/extensions/xep-0045.html">Multi User Chat (MUC)</link> + endpoint as well as a <link xlink:href="https://xmpp.org/extensions/xep-0363.html">HTTP File Upload</link> + endpoint will look like this: + <programlisting> +services.prosody = { + <link linkend="opt-services.prosody.enable">enable</link> = true; + <link linkend="opt-services.prosody.admins">admins</link> = [ "root@example.org" ]; + <link linkend="opt-services.prosody.ssl.cert">ssl.cert</link> = "/var/lib/acme/example.org/fullchain.pem"; + <link linkend="opt-services.prosody.ssl.key">ssl.key</link> = "/var/lib/acme/example.org/key.pem"; + <link linkend="opt-services.prosody.virtualHosts">virtualHosts</link>."example.org" = { + <link linkend="opt-services.prosody.virtualHosts._name_.enabled">enabled</link> = true; + <link linkend="opt-services.prosody.virtualHosts._name_.domain">domain</link> = "example.org"; + <link linkend="opt-services.prosody.virtualHosts._name_.ssl.cert">ssl.cert</link> = "/var/lib/acme/example.org/fullchain.pem"; + <link linkend="opt-services.prosody.virtualHosts._name_.ssl.key">ssl.key</link> = "/var/lib/acme/example.org/key.pem"; + }; + <link linkend="opt-services.prosody.muc">muc</link> = [ { + <link linkend="opt-services.prosody.muc">domain</link> = "conference.example.org"; + } ]; + <link linkend="opt-services.prosody.uploadHttp">uploadHttp</link> = { + <link linkend="opt-services.prosody.uploadHttp.domain">domain</link> = "upload.example.org"; + }; +};</programlisting> + </para> + </section> + <section xml:id="module-services-prosody-letsencrypt"> + <title>Let's Encrypt Configuration</title> + <para> + As you can see in the code snippet from the + <link linkend="module-services-prosody-basic-usage">previous section</link>, + you'll need a single TLS certificate covering your main endpoint, + the MUC one as well as the HTTP Upload one. We can generate such a + certificate by leveraging the ACME + <link linkend="opt-security.acme.certs._name_.extraDomainNames">extraDomainNames</link> module option. + </para> + <para> + Provided the setup detailed in the previous section, you'll need the following acme configuration to generate + a TLS certificate for the three endponits: + <programlisting> +security.acme = { + <link linkend="opt-security.acme.defaults.email">email</link> = "root@example.org"; + <link linkend="opt-security.acme.acceptTerms">acceptTerms</link> = true; + <link linkend="opt-security.acme.certs">certs</link> = { + "example.org" = { + <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/www/example.org"; + <link linkend="opt-security.acme.certs._name_.email">email</link> = "root@example.org"; + <link linkend="opt-security.acme.certs._name_.extraDomainNames">extraDomainNames</link> = [ "conference.example.org" "upload.example.org" ]; + }; + }; +};</programlisting> + </para> +</section> +</chapter> diff --git a/nixos/modules/services/networking/quassel.nix b/nixos/modules/services/networking/quassel.nix new file mode 100644 index 00000000000..844c9a6b8b3 --- /dev/null +++ b/nixos/modules/services/networking/quassel.nix @@ -0,0 +1,139 @@ +{ config, lib, options, pkgs, ... }: + +with lib; + +let + cfg = config.services.quassel; + opt = options.services.quassel; + quassel = cfg.package; + user = if cfg.user != null then cfg.user else "quassel"; +in + +{ + + ###### interface + + options = { + + services.quassel = { + + enable = mkEnableOption "the Quassel IRC client daemon"; + + certificateFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Path to the certificate used for SSL connections with clients. + ''; + }; + + requireSSL = mkOption { + type = types.bool; + default = false; + description = '' + Require SSL for connections from clients. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.quasselDaemon; + defaultText = literalExpression "pkgs.quasselDaemon"; + description = '' + The package of the quassel daemon. + ''; + }; + + interfaces = mkOption { + type = types.listOf types.str; + default = [ "127.0.0.1" ]; + description = '' + The interfaces the Quassel daemon will be listening to. If `[ 127.0.0.1 ]', + only clients on the local host can connect to it; if `[ 0.0.0.0 ]', clients + can access it from any network interface. + ''; + }; + + portNumber = mkOption { + type = types.port; + default = 4242; + description = '' + The port number the Quassel daemon will be listening to. + ''; + }; + + dataDir = mkOption { + default = "/home/${user}/.config/quassel-irc.org"; + defaultText = literalExpression '' + "/home/''${config.${opt.user}}/.config/quassel-irc.org" + ''; + type = types.str; + description = '' + The directory holding configuration files, the SQlite database and the SSL Cert. + ''; + }; + + user = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + The existing user the Quassel daemon should run as. If left empty, a default "quassel" user will be created. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + assertions = [ + { assertion = cfg.requireSSL -> cfg.certificateFile != null; + message = "Quassel needs a certificate file in order to require SSL"; + }]; + + users.users = optionalAttrs (cfg.user == null) { + quassel = { + name = "quassel"; + description = "Quassel IRC client daemon"; + group = "quassel"; + uid = config.ids.uids.quassel; + }; + }; + + users.groups = optionalAttrs (cfg.user == null) { + quassel = { + name = "quassel"; + gid = config.ids.gids.quassel; + }; + }; + + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - ${user} - - -" + ]; + + systemd.services.quassel = + { description = "Quassel IRC client daemon"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ] ++ optional config.services.postgresql.enable "postgresql.service" + ++ optional config.services.mysql.enable "mysql.service"; + + serviceConfig = + { + ExecStart = concatStringsSep " " ([ + "${quassel}/bin/quasselcore" + "--listen=${concatStringsSep "," cfg.interfaces}" + "--port=${toString cfg.portNumber}" + "--configdir=${cfg.dataDir}" + ] ++ optional cfg.requireSSL "--require-ssl" + ++ optional (cfg.certificateFile != null) "--ssl-cert=${cfg.certificateFile}"); + User = user; + }; + }; + + }; + +} diff --git a/nixos/modules/services/networking/quicktun.nix b/nixos/modules/services/networking/quicktun.nix new file mode 100644 index 00000000000..438e67d5ebb --- /dev/null +++ b/nixos/modules/services/networking/quicktun.nix @@ -0,0 +1,118 @@ +{ config, pkgs, lib, ... }: + +let + + cfg = config.services.quicktun; + +in + +with lib; + +{ + options = { + + services.quicktun = mkOption { + default = { }; + description = "QuickTun tunnels"; + type = types.attrsOf (types.submodule { + options = { + tunMode = mkOption { + type = types.int; + default = 0; + example = 1; + description = ""; + }; + + remoteAddress = mkOption { + type = types.str; + example = "tunnel.example.com"; + description = ""; + }; + + localAddress = mkOption { + type = types.str; + example = "0.0.0.0"; + description = ""; + }; + + localPort = mkOption { + type = types.int; + default = 2998; + description = ""; + }; + + remotePort = mkOption { + type = types.int; + default = 2998; + description = ""; + }; + + remoteFloat = mkOption { + type = types.int; + default = 0; + description = ""; + }; + + protocol = mkOption { + type = types.str; + default = "nacltai"; + description = ""; + }; + + privateKey = mkOption { + type = types.str; + description = ""; + }; + + publicKey = mkOption { + type = types.str; + description = ""; + }; + + timeWindow = mkOption { + type = types.int; + default = 5; + description = ""; + }; + + upScript = mkOption { + type = types.lines; + default = ""; + description = ""; + }; + }; + }); + }; + + }; + + config = mkIf (cfg != []) { + systemd.services = foldr (a: b: a // b) {} ( + mapAttrsToList (name: qtcfg: { + "quicktun-${name}" = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + environment = { + INTERFACE = name; + TUN_MODE = toString qtcfg.tunMode; + REMOTE_ADDRESS = qtcfg.remoteAddress; + LOCAL_ADDRESS = qtcfg.localAddress; + LOCAL_PORT = toString qtcfg.localPort; + REMOTE_PORT = toString qtcfg.remotePort; + REMOTE_FLOAT = toString qtcfg.remoteFloat; + PRIVATE_KEY = qtcfg.privateKey; + PUBLIC_KEY = qtcfg.publicKey; + TIME_WINDOW = toString qtcfg.timeWindow; + TUN_UP_SCRIPT = pkgs.writeScript "quicktun-${name}-up.sh" qtcfg.upScript; + SUID = "nobody"; + }; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.quicktun}/bin/quicktun.${qtcfg.protocol}"; + }; + }; + }) cfg + ); + }; + +} diff --git a/nixos/modules/services/networking/quorum.nix b/nixos/modules/services/networking/quorum.nix new file mode 100644 index 00000000000..bddcd18c7fb --- /dev/null +++ b/nixos/modules/services/networking/quorum.nix @@ -0,0 +1,231 @@ +{ config, options, pkgs, lib, ... }: +let + + inherit (lib) mkEnableOption mkIf mkOption literalExpression types optionalString; + + cfg = config.services.quorum; + opt = options.services.quorum; + dataDir = "/var/lib/quorum"; + genesisFile = pkgs.writeText "genesis.json" (builtins.toJSON cfg.genesis); + staticNodesFile = pkgs.writeText "static-nodes.json" (builtins.toJSON cfg.staticNodes); + +in { + options = { + + services.quorum = { + enable = mkEnableOption "Quorum blockchain daemon"; + + user = mkOption { + type = types.str; + default = "quorum"; + description = "The user as which to run quorum."; + }; + + group = mkOption { + type = types.str; + default = cfg.user; + defaultText = literalExpression "config.${opt.user}"; + description = "The group as which to run quorum."; + }; + + port = mkOption { + type = types.port; + default = 21000; + description = "Override the default port on which to listen for connections."; + }; + + nodekeyFile = mkOption { + type = types.path; + default = "${dataDir}/nodekey"; + description = "Path to the nodekey."; + }; + + staticNodes = mkOption { + type = types.listOf types.str; + default = []; + example = [ "enode://dd333ec28f0a8910c92eb4d336461eea1c20803eed9cf2c056557f986e720f8e693605bba2f4e8f289b1162e5ac7c80c914c7178130711e393ca76abc1d92f57@0.0.0.0:30303?discport=0" ]; + description = "List of validator nodes."; + }; + + privateconfig = mkOption { + type = types.str; + default = "ignore"; + description = "Configuration of privacy transaction manager."; + }; + + syncmode = mkOption { + type = types.enum [ "fast" "full" "light" ]; + default = "full"; + description = "Blockchain sync mode."; + }; + + blockperiod = mkOption { + type = types.int; + default = 5; + description = "Default minimum difference between two consecutive block's timestamps in seconds."; + }; + + permissioned = mkOption { + type = types.bool; + default = true; + description = "Allow only a defined list of nodes to connect."; + }; + + rpc = { + enable = mkOption { + type = types.bool; + default = true; + description = "Enable RPC interface."; + }; + + address = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "Listening address for RPC connections."; + }; + + port = mkOption { + type = types.port; + default = 22004; + description = "Override the default port on which to listen for RPC connections."; + }; + + api = mkOption { + type = types.str; + default = "admin,db,eth,debug,miner,net,shh,txpool,personal,web3,quorum,istanbul"; + description = "API's offered over the HTTP-RPC interface."; + }; + }; + + ws = { + enable = mkOption { + type = types.bool; + default = true; + description = "Enable WS-RPC interface."; + }; + + address = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "Listening address for WS-RPC connections."; + }; + + port = mkOption { + type = types.port; + default = 8546; + description = "Override the default port on which to listen for WS-RPC connections."; + }; + + api = mkOption { + type = types.str; + default = "admin,db,eth,debug,miner,net,shh,txpool,personal,web3,quorum,istanbul"; + description = "API's offered over the WS-RPC interface."; + }; + + origins = mkOption { + type = types.str; + default = "*"; + description = "Origins from which to accept websockets requests"; + }; + }; + + genesis = mkOption { + type = types.nullOr types.attrs; + default = null; + example = literalExpression '' { + alloc = { + a47385db68718bdcbddc2d2bb7c54018066ec111 = { + balance = "1000000000000000000000000000"; + }; + }; + coinbase = "0x0000000000000000000000000000000000000000"; + config = { + byzantiumBlock = 4; + chainId = 494702925; + eip150Block = 2; + eip155Block = 3; + eip158Block = 3; + homesteadBlock = 1; + isQuorum = true; + istanbul = { + epoch = 30000; + policy = 0; + }; + }; + difficulty = "0x1"; + extraData = "0x0000000000000000000000000000000000000000000000000000000000000000f85ad59438f0508111273d8e482f49410ca4078afc86a961b8410000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0"; + gasLimit = "0x2FEFD800"; + mixHash = "0x63746963616c2062797a616e74696e65201111756c7420746f6c6572616e6365"; + nonce = "0x0"; + parentHash = "0x0000000000000000000000000000000000000000000000000000000000000000"; + timestamp = "0x00"; + }''; + description = "Blockchain genesis settings."; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.quorum ]; + systemd.tmpfiles.rules = [ + "d '${dataDir}' 0770 '${cfg.user}' '${cfg.group}' - -" + ]; + systemd.services.quorum = { + description = "Quorum daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = { + PRIVATE_CONFIG = "${cfg.privateconfig}"; + }; + preStart = '' + if [ ! -d ${dataDir}/geth ]; then + if [ ! -d ${dataDir}/keystore ]; then + echo ERROR: You need to create a wallet before initializing your genesis file, run: + echo # su -s /bin/sh - quorum + echo $ geth --datadir ${dataDir} account new + echo and configure your genesis file accordingly. + exit 1; + fi + ln -s ${staticNodesFile} ${dataDir}/static-nodes.json + ${pkgs.quorum}/bin/geth --datadir ${dataDir} init ${genesisFile} + fi + ''; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = ''${pkgs.quorum}/bin/geth \ + --nodiscover \ + --verbosity 5 \ + --nodekey ${cfg.nodekeyFile} \ + --istanbul.blockperiod ${toString cfg.blockperiod} \ + --syncmode ${cfg.syncmode} \ + ${optionalString (cfg.permissioned) + "--permissioned"} \ + --mine --minerthreads 1 \ + ${optionalString (cfg.rpc.enable) + "--rpc --rpcaddr ${cfg.rpc.address} --rpcport ${toString cfg.rpc.port} --rpcapi ${cfg.rpc.api}"} \ + ${optionalString (cfg.ws.enable) + "--ws --wsaddr ${cfg.ws.address} --wsport ${toString cfg.ws.port} --wsapi ${cfg.ws.api} --wsorigins ${cfg.ws.origins}"} \ + --emitcheckpoints \ + --datadir ${dataDir} \ + --port ${toString cfg.port}''; + Restart = "on-failure"; + + # Hardening measures + PrivateTmp = "true"; + ProtectSystem = "full"; + NoNewPrivileges = "true"; + PrivateDevices = "true"; + MemoryDenyWriteExecute = "true"; + }; + }; + users.users.${cfg.user} = { + name = cfg.user; + group = cfg.group; + description = "Quorum daemon user"; + home = dataDir; + isSystemUser = true; + }; + users.groups.${cfg.group} = {}; + }; +} diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix new file mode 100644 index 00000000000..c6c40777ed7 --- /dev/null +++ b/nixos/modules/services/networking/radicale.nix @@ -0,0 +1,204 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.radicale; + + format = pkgs.formats.ini { + listToValue = concatMapStringsSep ", " (generators.mkValueStringDefault { }); + }; + + pkg = if isNull cfg.package then + pkgs.radicale + else + cfg.package; + + confFile = if cfg.settings == { } then + pkgs.writeText "radicale.conf" cfg.config + else + format.generate "radicale.conf" cfg.settings; + + rightsFile = format.generate "radicale.rights" cfg.rights; + + bindLocalhost = cfg.settings != { } && !hasAttrByPath [ "server" "hosts" ] cfg.settings; + +in { + options.services.radicale = { + enable = mkEnableOption "Radicale CalDAV and CardDAV server"; + + package = mkOption { + description = "Radicale package to use."; + # Default cannot be pkgs.radicale because non-null values suppress + # warnings about incompatible configuration and storage formats. + type = with types; nullOr package // { inherit (package) description; }; + default = null; + defaultText = literalExpression "pkgs.radicale"; + }; + + config = mkOption { + type = types.str; + default = ""; + description = '' + Radicale configuration, this will set the service + configuration file. + This option is mutually exclusive with <option>settings</option>. + This option is deprecated. Use <option>settings</option> instead. + ''; + }; + + settings = mkOption { + type = format.type; + default = { }; + description = '' + Configuration for Radicale. See + <link xlink:href="https://radicale.org/3.0.html#documentation/configuration" />. + This option is mutually exclusive with <option>config</option>. + ''; + example = literalExpression '' + server = { + hosts = [ "0.0.0.0:5232" "[::]:5232" ]; + }; + auth = { + type = "htpasswd"; + htpasswd_filename = "/etc/radicale/users"; + htpasswd_encryption = "bcrypt"; + }; + storage = { + filesystem_folder = "/var/lib/radicale/collections"; + }; + ''; + }; + + rights = mkOption { + type = format.type; + description = '' + Configuration for Radicale's rights file. See + <link xlink:href="https://radicale.org/3.0.html#documentation/authentication-and-rights" />. + This option only works in conjunction with <option>settings</option>. + Setting this will also set <option>settings.rights.type</option> and + <option>settings.rights.file</option> to approriate values. + ''; + default = { }; + example = literalExpression '' + root = { + user = ".+"; + collection = ""; + permissions = "R"; + }; + principal = { + user = ".+"; + collection = "{user}"; + permissions = "RW"; + }; + calendars = { + user = ".+"; + collection = "{user}/[^/]+"; + permissions = "rw"; + }; + ''; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + description = "Extra arguments passed to the Radicale daemon."; + }; + }; + + config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.settings == { } || cfg.config == ""; + message = '' + The options services.radicale.config and services.radicale.settings + are mutually exclusive. + ''; + } + ]; + + warnings = optional (isNull cfg.package && versionOlder config.system.stateVersion "17.09") '' + The configuration and storage formats of your existing Radicale + installation might be incompatible with the newest version. + For upgrade instructions see + https://radicale.org/2.1.html#documentation/migration-from-1xx-to-2xx. + Set services.radicale.package to suppress this warning. + '' ++ optional (isNull cfg.package && versionOlder config.system.stateVersion "20.09") '' + The configuration format of your existing Radicale installation might be + incompatible with the newest version. For upgrade instructions see + https://github.com/Kozea/Radicale/blob/3.0.6/NEWS.md#upgrade-checklist. + Set services.radicale.package to suppress this warning. + '' ++ optional (cfg.config != "") '' + The option services.radicale.config is deprecated. + Use services.radicale.settings instead. + ''; + + services.radicale.settings.rights = mkIf (cfg.rights != { }) { + type = "from_file"; + file = toString rightsFile; + }; + + environment.systemPackages = [ pkg ]; + + users.users.radicale = { + isSystemUser = true; + group = "radicale"; + }; + + users.groups.radicale = {}; + + systemd.services.radicale = { + description = "A Simple Calendar and Contact Server"; + after = [ "network.target" ]; + requires = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = concatStringsSep " " ([ + "${pkg}/bin/radicale" "-C" confFile + ] ++ ( + map escapeShellArg cfg.extraArgs + )); + User = "radicale"; + Group = "radicale"; + StateDirectory = "radicale/collections"; + StateDirectoryMode = "0750"; + # Hardening + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "/dev/stdin" ]; + DevicePolicy = "strict"; + IPAddressAllow = mkIf bindLocalhost "localhost"; + IPAddressDeny = mkIf bindLocalhost "any"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = lib.optional + (hasAttrByPath [ "storage" "filesystem_folder" ] cfg.settings) + cfg.settings.storage.filesystem_folder; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0027"; + WorkingDirectory = "/var/lib/radicale"; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ aneeshusa infinisil dotlambda ]; +} diff --git a/nixos/modules/services/networking/radvd.nix b/nixos/modules/services/networking/radvd.nix new file mode 100644 index 00000000000..6e8db55bbf0 --- /dev/null +++ b/nixos/modules/services/networking/radvd.nix @@ -0,0 +1,77 @@ +# Module for the IPv6 Router Advertisement Daemon. + +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.radvd; + + confFile = pkgs.writeText "radvd.conf" cfg.config; + +in + +{ + + ###### interface + + options = { + + services.radvd.enable = mkOption { + type = types.bool; + default = false; + description = + '' + Whether to enable the Router Advertisement Daemon + (<command>radvd</command>), which provides link-local + advertisements of IPv6 router addresses and prefixes using + the Neighbor Discovery Protocol (NDP). This enables + stateless address autoconfiguration in IPv6 clients on the + network. + ''; + }; + + services.radvd.config = mkOption { + type = types.lines; + example = + '' + interface eth0 { + AdvSendAdvert on; + prefix 2001:db8:1234:5678::/64 { }; + }; + ''; + description = + '' + The contents of the radvd configuration file. + ''; + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + users.users.radvd = + { + isSystemUser = true; + group = "radvd"; + description = "Router Advertisement Daemon User"; + }; + users.groups.radvd = {}; + + systemd.services.radvd = + { description = "IPv6 Router Advertisement Daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = + { ExecStart = "@${pkgs.radvd}/bin/radvd radvd -n -u radvd -C ${confFile}"; + Restart = "always"; + }; + }; + + }; + +} diff --git a/nixos/modules/services/networking/rdnssd.nix b/nixos/modules/services/networking/rdnssd.nix new file mode 100644 index 00000000000..fd04bb8108f --- /dev/null +++ b/nixos/modules/services/networking/rdnssd.nix @@ -0,0 +1,82 @@ +# Module for rdnssd, a daemon that configures DNS servers in +# /etc/resolv/conf from IPv6 RDNSS advertisements. + +{ config, lib, pkgs, ... }: + +with lib; +let + mergeHook = pkgs.writeScript "rdnssd-merge-hook" '' + #! ${pkgs.runtimeShell} -e + ${pkgs.openresolv}/bin/resolvconf -u + ''; +in +{ + + ###### interface + + options = { + + services.rdnssd.enable = mkOption { + type = types.bool; + default = false; + #default = config.networking.enableIPv6; + description = + '' + Whether to enable the RDNSS daemon + (<command>rdnssd</command>), which configures DNS servers in + <filename>/etc/resolv.conf</filename> from RDNSS + advertisements sent by IPv6 routers. + ''; + }; + + }; + + + ###### implementation + + config = mkIf config.services.rdnssd.enable { + + assertions = [{ + assertion = config.networking.resolvconf.enable; + message = "rdnssd needs resolvconf to work (probably something sets up a static resolv.conf)"; + }]; + + systemd.services.rdnssd = { + description = "RDNSS daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + preStart = '' + # Create the proper run directory + mkdir -p /run/rdnssd + touch /run/rdnssd/resolv.conf + chown -R rdnssd /run/rdnssd + + # Link the resolvconf interfaces to rdnssd + rm -f /run/resolvconf/interfaces/rdnssd + ln -s /run/rdnssd/resolv.conf /run/resolvconf/interfaces/rdnssd + ${mergeHook} + ''; + + postStop = '' + rm -f /run/resolvconf/interfaces/rdnssd + ${mergeHook} + ''; + + serviceConfig = { + ExecStart = "@${pkgs.ndisc6}/bin/rdnssd rdnssd -p /run/rdnssd/rdnssd.pid -r /run/rdnssd/resolv.conf -u rdnssd -H ${mergeHook}"; + Type = "forking"; + PIDFile = "/run/rdnssd/rdnssd.pid"; + }; + }; + + users.users.rdnssd = { + description = "RDNSSD Daemon User"; + isSystemUser = true; + group = "rdnssd"; + }; + users.groups.rdnssd = {}; + + }; + +} diff --git a/nixos/modules/services/networking/redsocks.nix b/nixos/modules/services/networking/redsocks.nix new file mode 100644 index 00000000000..8481f9debf3 --- /dev/null +++ b/nixos/modules/services/networking/redsocks.nix @@ -0,0 +1,272 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.redsocks; +in +{ + ##### interface + options = { + services.redsocks = { + enable = mkOption { + type = types.bool; + default = false; + description = "Whether to enable redsocks."; + }; + + log_debug = mkOption { + type = types.bool; + default = false; + description = "Log connection progress."; + }; + + log_info = mkOption { + type = types.bool; + default = false; + description = "Log start and end of client sessions."; + }; + + log = mkOption { + type = types.str; + default = "stderr"; + description = + '' + Where to send logs. + + Possible values are: + - stderr + - file:/path/to/file + - syslog:FACILITY where FACILITY is any of "daemon", "local0", + etc. + ''; + }; + + chroot = mkOption { + type = with types; nullOr str; + default = null; + description = + '' + Chroot under which to run redsocks. Log file is opened before + chroot, but if logging to syslog /etc/localtime may be required. + ''; + }; + + redsocks = mkOption { + description = + '' + Local port to proxy associations to be performed. + + The example shows how to configure a proxy to handle port 80 as HTTP + relay, and all other ports as HTTP connect. + ''; + example = [ + { port = 23456; proxy = "1.2.3.4:8080"; type = "http-relay"; + redirectCondition = "--dport 80"; + doNotRedirect = [ "-d 1.2.0.0/16" ]; + } + { port = 23457; proxy = "1.2.3.4:8080"; type = "http-connect"; + redirectCondition = true; + doNotRedirect = [ "-d 1.2.0.0/16" ]; + } + ]; + type = types.listOf (types.submodule { options = { + ip = mkOption { + type = types.str; + default = "127.0.0.1"; + description = + '' + IP on which redsocks should listen. Defaults to 127.0.0.1 for + security reasons. + ''; + }; + + port = mkOption { + type = types.int; + default = 12345; + description = "Port on which redsocks should listen."; + }; + + proxy = mkOption { + type = types.str; + description = + '' + Proxy through which redsocks should forward incoming traffic. + Example: "example.org:8080" + ''; + }; + + type = mkOption { + type = types.enum [ "socks4" "socks5" "http-connect" "http-relay" ]; + description = "Type of proxy."; + }; + + login = mkOption { + type = with types; nullOr str; + default = null; + description = "Login to send to proxy."; + }; + + password = mkOption { + type = with types; nullOr str; + default = null; + description = + '' + Password to send to proxy. WARNING, this will end up + world-readable in the store! Awaiting + https://github.com/NixOS/nix/issues/8 to be able to fix. + ''; + }; + + disclose_src = mkOption { + type = types.enum [ "false" "X-Forwarded-For" "Forwarded_ip" + "Forwarded_ipport" ]; + default = "false"; + description = + '' + Way to disclose client IP to the proxy. + - "false": do not disclose + http-connect supports the following ways: + - "X-Forwarded-For": add header "X-Forwarded-For: IP" + - "Forwarded_ip": add header "Forwarded: for=IP" (see RFC7239) + - "Forwarded_ipport": add header 'Forwarded: for="IP:port"' + ''; + }; + + redirectInternetOnly = mkOption { + type = types.bool; + default = true; + description = "Exclude all non-globally-routable IPs from redsocks"; + }; + + doNotRedirect = mkOption { + type = with types; listOf str; + default = []; + description = + '' + Iptables filters that if matched will get the packet off of + redsocks. + ''; + example = [ "-d 1.2.3.4" ]; + }; + + redirectCondition = mkOption { + type = with types; either bool str; + default = false; + description = + '' + Conditions to make outbound packets go through this redsocks + instance. + + If set to false, no packet will be forwarded. If set to true, + all packets will be forwarded (except packets excluded by + redirectInternetOnly). + + If set to a string, this is an iptables filter that will be + matched against packets before getting them into redsocks. For + example, setting it to "--dport 80" will only send + packets to port 80 to redsocks. Note "-p tcp" is always + implicitly added, as udp can only be proxied through redudp or + the like. + ''; + }; + };}); + }; + + # TODO: Add support for redudp and dnstc + }; + }; + + ##### implementation + config = let + redsocks_blocks = concatMapStrings (block: + let proxy = splitString ":" block.proxy; in + '' + redsocks { + local_ip = ${block.ip}; + local_port = ${toString block.port}; + + ip = ${elemAt proxy 0}; + port = ${elemAt proxy 1}; + type = ${block.type}; + + ${optionalString (block.login != null) "login = \"${block.login}\";"} + ${optionalString (block.password != null) "password = \"${block.password}\";"} + + disclose_src = ${block.disclose_src}; + } + '') cfg.redsocks; + configfile = pkgs.writeText "redsocks.conf" + '' + base { + log_debug = ${if cfg.log_debug then "on" else "off" }; + log_info = ${if cfg.log_info then "on" else "off" }; + log = ${cfg.log}; + + daemon = off; + redirector = iptables; + + user = redsocks; + group = redsocks; + ${optionalString (cfg.chroot != null) "chroot = ${cfg.chroot};"} + } + + ${redsocks_blocks} + ''; + internetOnly = [ # TODO: add ipv6-equivalent + "-d 0.0.0.0/8" + "-d 10.0.0.0/8" + "-d 127.0.0.0/8" + "-d 169.254.0.0/16" + "-d 172.16.0.0/12" + "-d 192.168.0.0/16" + "-d 224.168.0.0/4" + "-d 240.168.0.0/4" + ]; + redCond = block: + optionalString (isString block.redirectCondition) block.redirectCondition; + iptables = concatImapStrings (idx: block: + let chain = "REDSOCKS${toString idx}"; doNotRedirect = + concatMapStringsSep "\n" + (f: "ip46tables -t nat -A ${chain} ${f} -j RETURN 2>/dev/null || true") + (block.doNotRedirect ++ (optionals block.redirectInternetOnly internetOnly)); + in + optionalString (block.redirectCondition != false) + '' + ip46tables -t nat -F ${chain} 2>/dev/null || true + ip46tables -t nat -N ${chain} 2>/dev/null || true + ${doNotRedirect} + ip46tables -t nat -A ${chain} -p tcp -j REDIRECT --to-ports ${toString block.port} + + # TODO: show errors, when it will be easily possible by a switch to + # iptables-restore + ip46tables -t nat -A OUTPUT -p tcp ${redCond block} -j ${chain} 2>/dev/null || true + '' + ) cfg.redsocks; + in + mkIf cfg.enable { + users.groups.redsocks = {}; + users.users.redsocks = { + description = "Redsocks daemon"; + group = "redsocks"; + isSystemUser = true; + }; + + systemd.services.redsocks = { + description = "Redsocks"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + script = "${pkgs.redsocks}/bin/redsocks -c ${configfile}"; + }; + + networking.firewall.extraCommands = iptables; + + networking.firewall.extraStopCommands = + concatImapStringsSep "\n" (idx: block: + let chain = "REDSOCKS${toString idx}"; in + optionalString (block.redirectCondition != false) + "ip46tables -t nat -D OUTPUT -p tcp ${redCond block} -j ${chain} 2>/dev/null || true" + ) cfg.redsocks; + }; + + meta.maintainers = with lib.maintainers; [ ekleog ]; +} diff --git a/nixos/modules/services/networking/resilio.nix b/nixos/modules/services/networking/resilio.nix new file mode 100644 index 00000000000..89127850641 --- /dev/null +++ b/nixos/modules/services/networking/resilio.nix @@ -0,0 +1,265 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.resilio; + + resilioSync = pkgs.resilio-sync; + + sharedFoldersRecord = map (entry: { + secret = entry.secret; + dir = entry.directory; + + use_relay_server = entry.useRelayServer; + use_tracker = entry.useTracker; + use_dht = entry.useDHT; + + search_lan = entry.searchLAN; + use_sync_trash = entry.useSyncTrash; + known_hosts = entry.knownHosts; + }) cfg.sharedFolders; + + configFile = pkgs.writeText "config.json" (builtins.toJSON ({ + device_name = cfg.deviceName; + storage_path = cfg.storagePath; + listening_port = cfg.listeningPort; + use_gui = false; + check_for_updates = cfg.checkForUpdates; + use_upnp = cfg.useUpnp; + download_limit = cfg.downloadLimit; + upload_limit = cfg.uploadLimit; + lan_encrypt_data = cfg.encryptLAN; + } // optionalAttrs (cfg.directoryRoot != "") { directory_root = cfg.directoryRoot; } + // optionalAttrs cfg.enableWebUI { + webui = { listen = "${cfg.httpListenAddr}:${toString cfg.httpListenPort}"; } // + (optionalAttrs (cfg.httpLogin != "") { login = cfg.httpLogin; }) // + (optionalAttrs (cfg.httpPass != "") { password = cfg.httpPass; }) // + (optionalAttrs (cfg.apiKey != "") { api_key = cfg.apiKey; }); + } // optionalAttrs (sharedFoldersRecord != []) { + shared_folders = sharedFoldersRecord; + })); + +in +{ + options = { + services.resilio = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, start the Resilio Sync daemon. Once enabled, you can + interact with the service through the Web UI, or configure it in your + NixOS configuration. + ''; + }; + + deviceName = mkOption { + type = types.str; + example = "Voltron"; + default = config.networking.hostName; + defaultText = literalExpression "config.networking.hostName"; + description = '' + Name of the Resilio Sync device. + ''; + }; + + listeningPort = mkOption { + type = types.int; + default = 0; + example = 44444; + description = '' + Listening port. Defaults to 0 which randomizes the port. + ''; + }; + + checkForUpdates = mkOption { + type = types.bool; + default = true; + description = '' + Determines whether to check for updates and alert the user + about them in the UI. + ''; + }; + + useUpnp = mkOption { + type = types.bool; + default = true; + description = '' + Use Universal Plug-n-Play (UPnP) + ''; + }; + + downloadLimit = mkOption { + type = types.int; + default = 0; + example = 1024; + description = '' + Download speed limit. 0 is unlimited (default). + ''; + }; + + uploadLimit = mkOption { + type = types.int; + default = 0; + example = 1024; + description = '' + Upload speed limit. 0 is unlimited (default). + ''; + }; + + httpListenAddr = mkOption { + type = types.str; + default = "[::1]"; + example = "0.0.0.0"; + description = '' + HTTP address to bind to. + ''; + }; + + httpListenPort = mkOption { + type = types.int; + default = 9000; + description = '' + HTTP port to bind on. + ''; + }; + + httpLogin = mkOption { + type = types.str; + example = "allyourbase"; + default = ""; + description = '' + HTTP web login username. + ''; + }; + + httpPass = mkOption { + type = types.str; + example = "arebelongtous"; + default = ""; + description = '' + HTTP web login password. + ''; + }; + + encryptLAN = mkOption { + type = types.bool; + default = true; + description = "Encrypt LAN data."; + }; + + enableWebUI = mkOption { + type = types.bool; + default = false; + description = '' + Enable Web UI for administration. Bound to the specified + <literal>httpListenAddress</literal> and + <literal>httpListenPort</literal>. + ''; + }; + + storagePath = mkOption { + type = types.path; + default = "/var/lib/resilio-sync/"; + description = '' + Where BitTorrent Sync will store it's database files (containing + things like username info and licenses). Generally, you should not + need to ever change this. + ''; + }; + + apiKey = mkOption { + type = types.str; + default = ""; + description = "API key, which enables the developer API."; + }; + + directoryRoot = mkOption { + type = types.str; + default = ""; + example = "/media"; + description = "Default directory to add folders in the web UI."; + }; + + sharedFolders = mkOption { + default = []; + type = types.listOf (types.attrsOf types.anything); + example = + [ { secret = "AHMYFPCQAHBM7LQPFXQ7WV6Y42IGUXJ5Y"; + directory = "/home/user/sync_test"; + useRelayServer = true; + useTracker = true; + useDHT = false; + searchLAN = true; + useSyncTrash = true; + knownHosts = [ + "192.168.1.2:4444" + "192.168.1.3:4444" + ]; + } + ]; + description = '' + Shared folder list. If enabled, web UI must be + disabled. Secrets can be generated using <literal>rslsync + --generate-secret</literal>. Note that this secret will be + put inside the Nix store, so it is realistically not very + secret. + + If you would like to be able to modify the contents of this + directories, it is recommended that you make your user a + member of the <literal>rslsync</literal> group. + + Directories in this list should be in the + <literal>rslsync</literal> group, and that group must have + write access to the directory. It is also recommended that + <literal>chmod g+s</literal> is applied to the directory + so that any sub directories created will also belong to + the <literal>rslsync</literal> group. Also, + <literal>setfacl -d -m group:rslsync:rwx</literal> and + <literal>setfacl -m group:rslsync:rwx</literal> should also + be applied so that the sub directories are writable by + the group. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + assertions = + [ { assertion = cfg.deviceName != ""; + message = "Device name cannot be empty."; + } + { assertion = cfg.enableWebUI -> cfg.sharedFolders == []; + message = "If using shared folders, the web UI cannot be enabled."; + } + { assertion = cfg.apiKey != "" -> cfg.enableWebUI; + message = "If you're using an API key, you must enable the web server."; + } + ]; + + users.users.rslsync = { + description = "Resilio Sync Service user"; + home = cfg.storagePath; + createHome = true; + uid = config.ids.uids.rslsync; + group = "rslsync"; + }; + + users.groups.rslsync = {}; + + systemd.services.resilio = with pkgs; { + description = "Resilio Sync Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + Restart = "on-abort"; + UMask = "0002"; + User = "rslsync"; + ExecStart = '' + ${resilioSync}/bin/rslsync --nodaemon --config ${configFile} + ''; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/robustirc-bridge.nix b/nixos/modules/services/networking/robustirc-bridge.nix new file mode 100644 index 00000000000..255af79ec04 --- /dev/null +++ b/nixos/modules/services/networking/robustirc-bridge.nix @@ -0,0 +1,47 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.robustirc-bridge; +in +{ + options = { + services.robustirc-bridge = { + enable = mkEnableOption "RobustIRC bridge"; + + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + description = ''Extra flags passed to the <command>robustirc-bridge</command> command. See <link xlink:href="https://robustirc.net/docs/adminguide.html#_bridge">RobustIRC Documentation</link> or robustirc-bridge(1) for details.''; + example = [ + "-network robustirc.net" + ]; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.robustirc-bridge = { + description = "RobustIRC bridge"; + documentation = [ + "man:robustirc-bridge(1)" + "https://robustirc.net/" + ]; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + DynamicUser = true; + ExecStart = "${pkgs.robustirc-bridge}/bin/robustirc-bridge ${concatStringsSep " " cfg.extraFlags}"; + Restart = "on-failure"; + + # Hardening + PrivateDevices = true; + ProtectSystem = true; + ProtectHome = true; + PrivateTmp = true; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/rpcbind.nix b/nixos/modules/services/networking/rpcbind.nix new file mode 100644 index 00000000000..0a5df698709 --- /dev/null +++ b/nixos/modules/services/networking/rpcbind.nix @@ -0,0 +1,46 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + + ###### interface + + options = { + + services.rpcbind = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable `rpcbind', an ONC RPC directory service + notably used by NFS and NIS, and which can be queried + using the rpcinfo(1) command. `rpcbind` is a replacement for + `portmap`. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf config.services.rpcbind.enable { + environment.systemPackages = [ pkgs.rpcbind ]; + + systemd.packages = [ pkgs.rpcbind ]; + + systemd.services.rpcbind = { + wantedBy = [ "multi-user.target" ]; + }; + + users.users.rpc = { + group = "nogroup"; + uid = config.ids.uids.rpc; + }; + }; + +} diff --git a/nixos/modules/services/networking/rxe.nix b/nixos/modules/services/networking/rxe.nix new file mode 100644 index 00000000000..868e2c81ccb --- /dev/null +++ b/nixos/modules/services/networking/rxe.nix @@ -0,0 +1,52 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.networking.rxe; + +in { + ###### interface + + options = { + networking.rxe = { + enable = mkEnableOption "RDMA over converged ethernet"; + interfaces = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "eth0" ]; + description = '' + Enable RDMA on the listed interfaces. The corresponding virtual + RDMA interfaces will be named rxe_<interface>. + UDP port 4791 must be open on the respective ethernet interfaces. + ''; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + systemd.services.rxe = { + description = "RoCE interfaces"; + + wantedBy = [ "multi-user.target" ]; + after = [ "systemd-modules-load.service" "network-online.target" ]; + wants = [ "network-pre.target" ]; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = map ( x: + "${pkgs.iproute2}/bin/rdma link add rxe_${x} type rxe netdev ${x}" + ) cfg.interfaces; + + ExecStop = map ( x: + "${pkgs.iproute2}/bin/rdma link delete rxe_${x}" + ) cfg.interfaces; + }; + }; + }; +} + diff --git a/nixos/modules/services/networking/sabnzbd.nix b/nixos/modules/services/networking/sabnzbd.nix new file mode 100644 index 00000000000..54eeba1a9ec --- /dev/null +++ b/nixos/modules/services/networking/sabnzbd.nix @@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.sabnzbd; + inherit (pkgs) sabnzbd; + +in + +{ + + ###### interface + + options = { + services.sabnzbd = { + enable = mkEnableOption "the sabnzbd server"; + + package = mkOption { + type = types.package; + default = pkgs.sabnzbd; + defaultText = "pkgs.sabnzbd"; + description = "The sabnzbd executable package run by the service."; + }; + + configFile = mkOption { + type = types.path; + default = "/var/lib/sabnzbd/sabnzbd.ini"; + description = "Path to config file."; + }; + + user = mkOption { + default = "sabnzbd"; + type = types.str; + description = "User to run the service as"; + }; + + group = mkOption { + type = types.str; + default = "sabnzbd"; + description = "Group to run the service as"; + }; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + users.users.sabnzbd = { + uid = config.ids.uids.sabnzbd; + group = "sabnzbd"; + description = "sabnzbd user"; + home = "/var/lib/sabnzbd/"; + createHome = true; + }; + + users.groups.sabnzbd = { + gid = config.ids.gids.sabnzbd; + }; + + systemd.services.sabnzbd = { + description = "sabnzbd server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + Type = "forking"; + GuessMainPID = "no"; + User = "${cfg.user}"; + Group = "${cfg.group}"; + ExecStart = "${lib.getBin cfg.package}/bin/sabnzbd -d -f ${cfg.configFile}"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/seafile.nix b/nixos/modules/services/networking/seafile.nix new file mode 100644 index 00000000000..2839ffb60a1 --- /dev/null +++ b/nixos/modules/services/networking/seafile.nix @@ -0,0 +1,287 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.seafile; + settingsFormat = pkgs.formats.ini { }; + + ccnetConf = settingsFormat.generate "ccnet.conf" cfg.ccnetSettings; + + seafileConf = settingsFormat.generate "seafile.conf" cfg.seafileSettings; + + seahubSettings = pkgs.writeText "seahub_settings.py" '' + FILE_SERVER_ROOT = '${cfg.ccnetSettings.General.SERVICE_URL}/seafhttp' + DATABASES = { + 'default': { + 'ENGINE': 'django.db.backends.sqlite3', + 'NAME': '${seahubDir}/seahub.db', + } + } + MEDIA_ROOT = '${seahubDir}/media/' + THUMBNAIL_ROOT = '${seahubDir}/thumbnail/' + + with open('${seafRoot}/.seahubSecret') as f: + SECRET_KEY = f.readline().rstrip() + + ${cfg.seahubExtraConf} + ''; + + seafRoot = "/var/lib/seafile"; # hardcode it due to dynamicuser + ccnetDir = "${seafRoot}/ccnet"; + dataDir = "${seafRoot}/data"; + seahubDir = "${seafRoot}/seahub"; + +in { + + ###### Interface + + options.services.seafile = { + enable = mkEnableOption "Seafile server"; + + ccnetSettings = mkOption { + type = types.submodule { + freeformType = settingsFormat.type; + + options = { + General = { + SERVICE_URL = mkOption { + type = types.str; + example = "https://www.example.com"; + description = '' + Seahub public URL. + ''; + }; + }; + }; + }; + default = { }; + description = '' + Configuration for ccnet, see + <link xlink:href="https://manual.seafile.com/config/ccnet-conf/"/> + for supported values. + ''; + }; + + seafileSettings = mkOption { + type = types.submodule { + freeformType = settingsFormat.type; + + options = { + fileserver = { + port = mkOption { + type = types.port; + default = 8082; + description = '' + The tcp port used by seafile fileserver. + ''; + }; + host = mkOption { + type = types.str; + default = "127.0.0.1"; + example = "0.0.0.0"; + description = '' + The binding address used by seafile fileserver. + ''; + }; + }; + }; + }; + default = { }; + description = '' + Configuration for seafile-server, see + <link xlink:href="https://manual.seafile.com/config/seafile-conf/"/> + for supported values. + ''; + }; + + workers = mkOption { + type = types.int; + default = 4; + example = 10; + description = '' + The number of gunicorn worker processes for handling requests. + ''; + }; + + adminEmail = mkOption { + example = "john@example.com"; + type = types.str; + description = '' + Seafile Seahub Admin Account Email. + ''; + }; + + initialAdminPassword = mkOption { + example = "someStrongPass"; + type = types.str; + description = '' + Seafile Seahub Admin Account initial password. + Should be change via Seahub web front-end. + ''; + }; + + seafilePackage = mkOption { + type = types.package; + description = "Which package to use for the seafile server."; + default = pkgs.seafile-server; + defaultText = literalExpression "pkgs.seafile-server"; + }; + + seahubExtraConf = mkOption { + default = ""; + type = types.lines; + description = '' + Extra config to append to `seahub_settings.py` file. + Refer to <link xlink:href="https://manual.seafile.com/config/seahub_settings_py/" /> + for all available options. + ''; + }; + }; + + ###### Implementation + + config = mkIf cfg.enable { + + environment.etc."seafile/ccnet.conf".source = ccnetConf; + environment.etc."seafile/seafile.conf".source = seafileConf; + environment.etc."seafile/seahub_settings.py".source = seahubSettings; + + systemd.targets.seafile = { + wantedBy = [ "multi-user.target" ]; + description = "Seafile components"; + }; + + systemd.services = let + securityOptions = { + ProtectHome = true; + PrivateUsers = true; + PrivateDevices = true; + ProtectClock = true; + ProtectHostname = true; + ProtectProc = "invisible"; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictNamespaces = true; + LockPersonality = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + MemoryDenyWriteExecute = true; + SystemCallArchitectures = "native"; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" ]; + }; + in { + seaf-server = { + description = "Seafile server"; + partOf = [ "seafile.target" ]; + after = [ "network.target" ]; + wantedBy = [ "seafile.target" ]; + restartTriggers = [ ccnetConf seafileConf ]; + serviceConfig = securityOptions // { + User = "seafile"; + Group = "seafile"; + DynamicUser = true; + StateDirectory = "seafile"; + RuntimeDirectory = "seafile"; + LogsDirectory = "seafile"; + ConfigurationDirectory = "seafile"; + ExecStart = '' + ${cfg.seafilePackage}/bin/seaf-server \ + --foreground \ + -F /etc/seafile \ + -c ${ccnetDir} \ + -d ${dataDir} \ + -l /var/log/seafile/server.log \ + -P /run/seafile/server.pid \ + -p /run/seafile + ''; + }; + preStart = '' + if [ ! -f "${seafRoot}/server-setup" ]; then + mkdir -p ${dataDir}/library-template + mkdir -p ${ccnetDir}/{GroupMgr,misc,OrgMgr,PeerMgr} + ${pkgs.sqlite}/bin/sqlite3 ${ccnetDir}/GroupMgr/groupmgr.db ".read ${cfg.seafilePackage}/share/seafile/sql/sqlite/groupmgr.sql" + ${pkgs.sqlite}/bin/sqlite3 ${ccnetDir}/misc/config.db ".read ${cfg.seafilePackage}/share/seafile/sql/sqlite/config.sql" + ${pkgs.sqlite}/bin/sqlite3 ${ccnetDir}/OrgMgr/orgmgr.db ".read ${cfg.seafilePackage}/share/seafile/sql/sqlite/org.sql" + ${pkgs.sqlite}/bin/sqlite3 ${ccnetDir}/PeerMgr/usermgr.db ".read ${cfg.seafilePackage}/share/seafile/sql/sqlite/user.sql" + ${pkgs.sqlite}/bin/sqlite3 ${dataDir}/seafile.db ".read ${cfg.seafilePackage}/share/seafile/sql/sqlite/seafile.sql" + echo "${cfg.seafilePackage.version}-sqlite" > "${seafRoot}"/server-setup + fi + # checking for upgrades and handling them + # WARNING: needs to be extended to actually handle major version migrations + installedMajor=$(cat "${seafRoot}/server-setup" | cut -d"-" -f1 | cut -d"." -f1) + installedMinor=$(cat "${seafRoot}/server-setup" | cut -d"-" -f1 | cut -d"." -f2) + pkgMajor=$(echo "${cfg.seafilePackage.version}" | cut -d"." -f1) + pkgMinor=$(echo "${cfg.seafilePackage.version}" | cut -d"." -f2) + if [ $installedMajor != $pkgMajor ] || [ $installedMinor != $pkgMinor ]; then + echo "Unsupported upgrade" >&2 + exit 1 + fi + ''; + }; + + seahub = { + description = "Seafile Server Web Frontend"; + wantedBy = [ "seafile.target" ]; + partOf = [ "seafile.target" ]; + after = [ "network.target" "seaf-server.service" ]; + requires = [ "seaf-server.service" ]; + restartTriggers = [ seahubSettings ]; + environment = { + PYTHONPATH = "${pkgs.seahub.pythonPath}:${pkgs.seahub}/thirdpart:${pkgs.seahub}"; + DJANGO_SETTINGS_MODULE = "seahub.settings"; + CCNET_CONF_DIR = ccnetDir; + SEAFILE_CONF_DIR = dataDir; + SEAFILE_CENTRAL_CONF_DIR = "/etc/seafile"; + SEAFILE_RPC_PIPE_PATH = "/run/seafile"; + SEAHUB_LOG_DIR = "/var/log/seafile"; + }; + serviceConfig = securityOptions // { + User = "seafile"; + Group = "seafile"; + DynamicUser = true; + RuntimeDirectory = "seahub"; + StateDirectory = "seafile"; + LogsDirectory = "seafile"; + ConfigurationDirectory = "seafile"; + ExecStart = '' + ${pkgs.seahub.python.pkgs.gunicorn}/bin/gunicorn seahub.wsgi:application \ + --name seahub \ + --workers ${toString cfg.workers} \ + --log-level=info \ + --preload \ + --timeout=1200 \ + --limit-request-line=8190 \ + --bind unix:/run/seahub/gunicorn.sock + ''; + }; + preStart = '' + mkdir -p ${seahubDir}/media + # Link all media except avatars + for m in `find ${pkgs.seahub}/media/ -maxdepth 1 -not -name "avatars"`; do + ln -sf $m ${seahubDir}/media/ + done + if [ ! -e "${seafRoot}/.seahubSecret" ]; then + ${pkgs.seahub.python}/bin/python ${pkgs.seahub}/tools/secret_key_generator.py > ${seafRoot}/.seahubSecret + chmod 400 ${seafRoot}/.seahubSecret + fi + if [ ! -f "${seafRoot}/seahub-setup" ]; then + # avatars directory should be writable + install -D -t ${seahubDir}/media/avatars/ ${pkgs.seahub}/media/avatars/default.png + install -D -t ${seahubDir}/media/avatars/groups ${pkgs.seahub}/media/avatars/groups/default.png + # init database + ${pkgs.seahub}/manage.py migrate + # create admin account + ${pkgs.expect}/bin/expect -c 'spawn ${pkgs.seahub}/manage.py createsuperuser --email=${cfg.adminEmail}; expect "Password: "; send "${cfg.initialAdminPassword}\r"; expect "Password (again): "; send "${cfg.initialAdminPassword}\r"; expect "Superuser created successfully."' + echo "${pkgs.seahub.version}-sqlite" > "${seafRoot}/seahub-setup" + fi + if [ $(cat "${seafRoot}/seahub-setup" | cut -d"-" -f1) != "${pkgs.seahub.version}" ]; then + # update database + ${pkgs.seahub}/manage.py migrate + echo "${pkgs.seahub.version}-sqlite" > "${seafRoot}/seahub-setup" + fi + ''; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/searx.nix b/nixos/modules/services/networking/searx.nix new file mode 100644 index 00000000000..b73f255eb9d --- /dev/null +++ b/nixos/modules/services/networking/searx.nix @@ -0,0 +1,231 @@ +{ options, config, lib, pkgs, ... }: + +with lib; + +let + runDir = "/run/searx"; + + cfg = config.services.searx; + + settingsFile = pkgs.writeText "settings.yml" + (builtins.toJSON cfg.settings); + + generateConfig = '' + cd ${runDir} + + # write NixOS settings as JSON + ( + umask 077 + cp --no-preserve=mode ${settingsFile} settings.yml + ) + + # substitute environment variables + env -0 | while IFS='=' read -r -d ''' n v; do + sed "s#@$n@#$v#g" -i settings.yml + done + ''; + + settingType = with types; (oneOf + [ bool int float str + (listOf settingType) + (attrsOf settingType) + ]) // { description = "JSON value"; }; + +in + +{ + + imports = [ + (mkRenamedOptionModule + [ "services" "searx" "configFile" ] + [ "services" "searx" "settingsFile" ]) + ]; + + ###### interface + + options = { + + services.searx = { + + enable = mkOption { + type = types.bool; + default = false; + relatedPackages = [ "searx" ]; + description = "Whether to enable Searx, the meta search engine."; + }; + + environmentFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Environment file (see <literal>systemd.exec(5)</literal> + "EnvironmentFile=" section for the syntax) to define variables for + Searx. This option can be used to safely include secret keys into the + Searx configuration. + ''; + }; + + settings = mkOption { + type = types.attrsOf settingType; + default = { }; + example = literalExpression '' + { server.port = 8080; + server.bind_address = "0.0.0.0"; + server.secret_key = "@SEARX_SECRET_KEY@"; + + engines = lib.singleton + { name = "wolframalpha"; + shortcut = "wa"; + api_key = "@WOLFRAM_API_KEY@"; + engine = "wolframalpha_api"; + }; + } + ''; + description = '' + Searx settings. These will be merged with (taking precedence over) + the default configuration. It's also possible to refer to + environment variables + (defined in <xref linkend="opt-services.searx.environmentFile"/>) + using the syntax <literal>@VARIABLE_NAME@</literal>. + <note> + <para> + For available settings, see the Searx + <link xlink:href="https://searx.github.io/searx/admin/settings.html">docs</link>. + </para> + </note> + ''; + }; + + settingsFile = mkOption { + type = types.path; + default = "${runDir}/settings.yml"; + description = '' + The path of the Searx server settings.yml file. If no file is + specified, a default file is used (default config file has debug mode + enabled). Note: setting this options overrides + <xref linkend="opt-services.searx.settings"/>. + <warning> + <para> + This file, along with any secret key it contains, will be copied + into the world-readable Nix store. + </para> + </warning> + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.searx; + defaultText = literalExpression "pkgs.searx"; + description = "searx package to use."; + }; + + runInUwsgi = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run searx in uWSGI as a "vassal", instead of using its + built-in HTTP server. This is the recommended mode for public or + large instances, but is unecessary for LAN or local-only use. + <warning> + <para> + The built-in HTTP server logs all queries by default. + </para> + </warning> + ''; + }; + + uwsgiConfig = mkOption { + type = options.services.uwsgi.instance.type; + default = { http = ":8080"; }; + example = literalExpression '' + { + disable-logging = true; + http = ":8080"; # serve via HTTP... + socket = "/run/searx/searx.sock"; # ...or UNIX socket + } + ''; + description = '' + Additional configuration of the uWSGI vassal running searx. It + should notably specify on which interfaces and ports the vassal + should listen. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + + users.users.searx = + { description = "Searx daemon user"; + group = "searx"; + isSystemUser = true; + }; + + users.groups.searx = { }; + + systemd.services.searx-init = { + description = "Initialise Searx settings"; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + User = "searx"; + RuntimeDirectory = "searx"; + RuntimeDirectoryMode = "750"; + } // optionalAttrs (cfg.environmentFile != null) + { EnvironmentFile = builtins.toPath cfg.environmentFile; }; + script = generateConfig; + }; + + systemd.services.searx = mkIf (!cfg.runInUwsgi) { + description = "Searx server, the meta search engine."; + wantedBy = [ "network.target" "multi-user.target" ]; + requires = [ "searx-init.service" ]; + after = [ "searx-init.service" ]; + serviceConfig = { + User = "searx"; + Group = "searx"; + ExecStart = "${cfg.package}/bin/searx-run"; + } // optionalAttrs (cfg.environmentFile != null) + { EnvironmentFile = builtins.toPath cfg.environmentFile; }; + environment.SEARX_SETTINGS_PATH = cfg.settingsFile; + }; + + systemd.services.uwsgi = mkIf (cfg.runInUwsgi) + { requires = [ "searx-init.service" ]; + after = [ "searx-init.service" ]; + }; + + services.searx.settings = { + # merge NixOS settings with defaults settings.yml + use_default_settings = mkDefault true; + }; + + services.uwsgi = mkIf (cfg.runInUwsgi) { + enable = true; + plugins = [ "python3" ]; + + instance.type = "emperor"; + instance.vassals.searx = { + type = "normal"; + strict = true; + immediate-uid = "searx"; + immediate-gid = "searx"; + lazy-apps = true; + enable-threads = true; + module = "searx.webapp"; + env = [ "SEARX_SETTINGS_PATH=${cfg.settingsFile}" ]; + pythonPackages = self: [ cfg.package ]; + } // cfg.uwsgiConfig; + }; + + }; + + meta.maintainers = with maintainers; [ rnhmjoj ]; +} diff --git a/nixos/modules/services/networking/shadowsocks.nix b/nixos/modules/services/networking/shadowsocks.nix new file mode 100644 index 00000000000..7bea269a9ed --- /dev/null +++ b/nixos/modules/services/networking/shadowsocks.nix @@ -0,0 +1,158 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.shadowsocks; + + opts = { + server = cfg.localAddress; + server_port = cfg.port; + method = cfg.encryptionMethod; + mode = cfg.mode; + user = "nobody"; + fast_open = cfg.fastOpen; + } // optionalAttrs (cfg.plugin != null) { + plugin = cfg.plugin; + plugin_opts = cfg.pluginOpts; + } // optionalAttrs (cfg.password != null) { + password = cfg.password; + } // cfg.extraConfig; + + configFile = pkgs.writeText "shadowsocks.json" (builtins.toJSON opts); + +in + +{ + + ###### interface + + options = { + + services.shadowsocks = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run shadowsocks-libev shadowsocks server. + ''; + }; + + localAddress = mkOption { + type = types.coercedTo types.str singleton (types.listOf types.str); + default = [ "[::0]" "0.0.0.0" ]; + description = '' + Local addresses to which the server binds. + ''; + }; + + port = mkOption { + type = types.int; + default = 8388; + description = '' + Port which the server uses. + ''; + }; + + password = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Password for connecting clients. + ''; + }; + + passwordFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Password file with a password for connecting clients. + ''; + }; + + mode = mkOption { + type = types.enum [ "tcp_only" "tcp_and_udp" "udp_only" ]; + default = "tcp_and_udp"; + description = '' + Relay protocols. + ''; + }; + + fastOpen = mkOption { + type = types.bool; + default = true; + description = '' + use TCP fast-open + ''; + }; + + encryptionMethod = mkOption { + type = types.str; + default = "chacha20-ietf-poly1305"; + description = '' + Encryption method. See <link xlink:href="https://github.com/shadowsocks/shadowsocks-org/wiki/AEAD-Ciphers"/>. + ''; + }; + + plugin = mkOption { + type = types.nullOr types.str; + default = null; + example = literalExpression ''"''${pkgs.shadowsocks-v2ray-plugin}/bin/v2ray-plugin"''; + description = '' + SIP003 plugin for shadowsocks + ''; + }; + + pluginOpts = mkOption { + type = types.str; + default = ""; + example = "server;host=example.com"; + description = '' + Options to pass to the plugin if one was specified + ''; + }; + + extraConfig = mkOption { + type = types.attrs; + default = {}; + example = { + nameserver = "8.8.8.8"; + }; + description = '' + Additional configuration for shadowsocks that is not covered by the + provided options. The provided attrset will be serialized to JSON and + has to contain valid shadowsocks options. Unfortunately most + additional options are undocumented but it's easy to find out what is + available by looking into the source code of + <link xlink:href="https://github.com/shadowsocks/shadowsocks-libev/blob/master/src/jconf.c"/> + ''; + }; + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + assertions = singleton + { assertion = cfg.password == null || cfg.passwordFile == null; + message = "Cannot use both password and passwordFile for shadowsocks-libev"; + }; + + systemd.services.shadowsocks-libev = { + description = "shadowsocks-libev Daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.shadowsocks-libev ] ++ optional (cfg.plugin != null) cfg.plugin ++ optional (cfg.passwordFile != null) pkgs.jq; + serviceConfig.PrivateTmp = true; + script = '' + ${optionalString (cfg.passwordFile != null) '' + cat ${configFile} | jq --arg password "$(cat "${cfg.passwordFile}")" '. + { password: $password }' > /tmp/shadowsocks.json + ''} + exec ss-server -c ${if cfg.passwordFile != null then "/tmp/shadowsocks.json" else configFile} + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/shairport-sync.nix b/nixos/modules/services/networking/shairport-sync.nix new file mode 100644 index 00000000000..eb61663e4d9 --- /dev/null +++ b/nixos/modules/services/networking/shairport-sync.nix @@ -0,0 +1,112 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.shairport-sync; + +in + +{ + + ###### interface + + options = { + + services.shairport-sync = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable the shairport-sync daemon. + + Running with a local system-wide or remote pulseaudio server + is recommended. + ''; + }; + + arguments = mkOption { + type = types.str; + default = "-v -o pa"; + description = '' + Arguments to pass to the daemon. Defaults to a local pulseaudio + server. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to automatically open ports in the firewall. + ''; + }; + + user = mkOption { + type = types.str; + default = "shairport"; + description = '' + User account name under which to run shairport-sync. The account + will be created. + ''; + }; + + group = mkOption { + type = types.str; + default = "shairport"; + description = '' + Group account name under which to run shairport-sync. The account + will be created. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf config.services.shairport-sync.enable { + + services.avahi.enable = true; + services.avahi.publish.enable = true; + services.avahi.publish.userServices = true; + + users = { + users.${cfg.user} = { + description = "Shairport user"; + isSystemUser = true; + createHome = true; + home = "/var/lib/shairport-sync"; + group = cfg.group; + extraGroups = [ "audio" ] ++ optional config.hardware.pulseaudio.enable "pulse"; + }; + groups.${cfg.group} = {}; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ 5000 ]; + allowedUDPPortRanges = [ { from = 6001; to = 6011; } ]; + }; + + systemd.services.shairport-sync = + { + description = "shairport-sync"; + after = [ "network.target" "avahi-daemon.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = "${pkgs.shairport-sync}/bin/shairport-sync ${cfg.arguments}"; + RuntimeDirectory = "shairport-sync"; + }; + }; + + environment.systemPackages = [ pkgs.shairport-sync ]; + + }; + +} diff --git a/nixos/modules/services/networking/shellhub-agent.nix b/nixos/modules/services/networking/shellhub-agent.nix new file mode 100644 index 00000000000..a45ef148544 --- /dev/null +++ b/nixos/modules/services/networking/shellhub-agent.nix @@ -0,0 +1,91 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.shellhub-agent; +in { + + ###### interface + + options = { + + services.shellhub-agent = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the ShellHub Agent daemon, which allows + secure remote logins. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.shellhub-agent; + defaultText = literalExpression "pkgs.shellhub-agent"; + description = '' + Which ShellHub Agent package to use. + ''; + }; + + tenantId = mkOption { + type = types.str; + example = "ba0a880c-2ada-11eb-a35e-17266ef329d6"; + description = '' + The tenant ID to use when connecting to the ShellHub + Gateway. + ''; + }; + + server = mkOption { + type = types.str; + default = "https://cloud.shellhub.io"; + description = '' + Server address of ShellHub Gateway to connect. + ''; + }; + + privateKey = mkOption { + type = types.path; + default = "/var/lib/shellhub-agent/private.key"; + description = '' + Location where to store the ShellHub Agent private + key. + ''; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + systemd.services.shellhub-agent = { + description = "ShellHub Agent"; + + wantedBy = [ "multi-user.target" ]; + requires = [ "local-fs.target" ]; + wants = [ "network-online.target" ]; + after = [ + "local-fs.target" + "network.target" + "network-online.target" + "time-sync.target" + ]; + + environment.SERVER_ADDRESS = cfg.server; + environment.PRIVATE_KEY = cfg.privateKey; + environment.TENANT_ID = cfg.tenantId; + + serviceConfig = { + # The service starts sessions for different users. + User = "root"; + Restart = "on-failure"; + ExecStart = "${cfg.package}/bin/agent"; + }; + }; + + environment.systemPackages = [ cfg.package ]; + }; +} diff --git a/nixos/modules/services/networking/shorewall.nix b/nixos/modules/services/networking/shorewall.nix new file mode 100644 index 00000000000..ac732d4b12e --- /dev/null +++ b/nixos/modules/services/networking/shorewall.nix @@ -0,0 +1,70 @@ +{ config, lib, pkgs, ... }: +let + types = lib.types; + cfg = config.services.shorewall; +in { + options = { + services.shorewall = { + enable = lib.mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable Shorewall IPv4 Firewall. + <warning> + <para> + Enabling this service WILL disable the existing NixOS + firewall! Default firewall rules provided by packages are not + considered at the moment. + </para> + </warning> + ''; + }; + package = lib.mkOption { + type = types.package; + default = pkgs.shorewall; + defaultText = lib.literalExpression "pkgs.shorewall"; + description = "The shorewall package to use."; + }; + configs = lib.mkOption { + type = types.attrsOf types.lines; + default = {}; + description = '' + This option defines the Shorewall configs. + The attribute name defines the name of the config, + and the attribute value defines the content of the config. + ''; + apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text); + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.firewall.enable = false; + systemd.services.shorewall = { + description = "Shorewall IPv4 Firewall"; + after = [ "ipset.target" ]; + before = [ "network-pre.target" ]; + wants = [ "network-pre.target" ]; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + restartTriggers = lib.attrValues cfg.configs; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStart = "${cfg.package}/bin/shorewall start"; + ExecReload = "${cfg.package}/bin/shorewall reload"; + ExecStop = "${cfg.package}/bin/shorewall stop"; + }; + preStart = '' + install -D -d -m 750 /var/lib/shorewall + install -D -d -m 755 /var/lock/subsys + touch /var/log/shorewall.log + chown 750 /var/log/shorewall.log + ''; + }; + environment = { + etc = lib.mapAttrs' (name: conf: lib.nameValuePair "shorewall/${name}" {source=conf;}) cfg.configs; + systemPackages = [ cfg.package ]; + }; + }; +} diff --git a/nixos/modules/services/networking/shorewall6.nix b/nixos/modules/services/networking/shorewall6.nix new file mode 100644 index 00000000000..4235c74a3f8 --- /dev/null +++ b/nixos/modules/services/networking/shorewall6.nix @@ -0,0 +1,70 @@ +{ config, lib, pkgs, ... }: +let + types = lib.types; + cfg = config.services.shorewall6; +in { + options = { + services.shorewall6 = { + enable = lib.mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable Shorewall IPv6 Firewall. + <warning> + <para> + Enabling this service WILL disable the existing NixOS + firewall! Default firewall rules provided by packages are not + considered at the moment. + </para> + </warning> + ''; + }; + package = lib.mkOption { + type = types.package; + default = pkgs.shorewall; + defaultText = lib.literalExpression "pkgs.shorewall"; + description = "The shorewall package to use."; + }; + configs = lib.mkOption { + type = types.attrsOf types.lines; + default = {}; + description = '' + This option defines the Shorewall configs. + The attribute name defines the name of the config, + and the attribute value defines the content of the config. + ''; + apply = lib.mapAttrs (name: text: pkgs.writeText "${name}" text); + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.firewall.enable = false; + systemd.services.shorewall6 = { + description = "Shorewall IPv6 Firewall"; + after = [ "ipset.target" ]; + before = [ "network-pre.target" ]; + wants = [ "network-pre.target" ]; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + restartTriggers = lib.attrValues cfg.configs; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStart = "${cfg.package}/bin/shorewall6 start"; + ExecReload = "${cfg.package}/bin/shorewall6 reload"; + ExecStop = "${cfg.package}/bin/shorewall6 stop"; + }; + preStart = '' + install -D -d -m 750 /var/lib/shorewall6 + install -D -d -m 755 /var/lock/subsys + touch /var/log/shorewall6.log + chown 750 /var/log/shorewall6.log + ''; + }; + environment = { + etc = lib.mapAttrs' (name: conf: lib.nameValuePair "shorewall6/${name}" {source=conf;}) cfg.configs; + systemPackages = [ cfg.package ]; + }; + }; +} diff --git a/nixos/modules/services/networking/shout.nix b/nixos/modules/services/networking/shout.nix new file mode 100644 index 00000000000..cca03a8f88a --- /dev/null +++ b/nixos/modules/services/networking/shout.nix @@ -0,0 +1,115 @@ +{ pkgs, lib, config, ... }: + +with lib; + +let + cfg = config.services.shout; + shoutHome = "/var/lib/shout"; + + defaultConfig = pkgs.runCommand "config.js" { preferLocalBuild = true; } '' + EDITOR=true ${pkgs.shout}/bin/shout config --home $PWD + mv config.js $out + ''; + + finalConfigFile = if (cfg.configFile != null) then cfg.configFile else '' + var _ = require('${pkgs.shout}/lib/node_modules/shout/node_modules/lodash') + + module.exports = _.merge( + {}, + require('${defaultConfig}'), + ${builtins.toJSON cfg.config} + ) + ''; + +in { + options.services.shout = { + enable = mkEnableOption "Shout web IRC client"; + + private = mkOption { + type = types.bool; + default = false; + description = '' + Make your shout instance private. You will need to configure user + accounts by adding entries in <filename>${shoutHome}/users</filename>. + ''; + }; + + listenAddress = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "IP interface to listen on for http connections."; + }; + + port = mkOption { + type = types.port; + default = 9000; + description = "TCP port to listen on for http connections."; + }; + + configFile = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Contents of Shout's <filename>config.js</filename> file. + + Used for backward compatibility, recommended way is now to use + the <literal>config</literal> option. + + Documentation: http://shout-irc.com/docs/server/configuration.html + ''; + }; + + config = mkOption { + default = {}; + type = types.attrs; + example = { + displayNetwork = false; + defaults = { + name = "Your Network"; + host = "localhost"; + port = 6697; + }; + }; + description = '' + Shout <filename>config.js</filename> contents as attribute set (will be + converted to JSON to generate the configuration file). + + The options defined here will be merged to the default configuration file. + + Documentation: http://shout-irc.com/docs/server/configuration.html + ''; + }; + }; + + config = mkIf cfg.enable { + users.users.shout = { + isSystemUser = true; + group = "shout"; + description = "Shout daemon user"; + home = shoutHome; + createHome = true; + }; + users.groups.shout = {}; + + systemd.services.shout = { + description = "Shout web IRC client"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + preStart = "ln -sf ${pkgs.writeText "config.js" finalConfigFile} ${shoutHome}/config.js"; + script = concatStringsSep " " [ + "${pkgs.shout}/bin/shout" + (if cfg.private then "--private" else "--public") + "--port" (toString cfg.port) + "--host" (toString cfg.listenAddress) + "--home" shoutHome + ]; + serviceConfig = { + User = "shout"; + ProtectHome = "true"; + ProtectSystem = "full"; + PrivateTmp = "true"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/skydns.nix b/nixos/modules/services/networking/skydns.nix new file mode 100644 index 00000000000..dea60a3862a --- /dev/null +++ b/nixos/modules/services/networking/skydns.nix @@ -0,0 +1,93 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.skydns; + +in { + options.services.skydns = { + enable = mkEnableOption "skydns service"; + + etcd = { + machines = mkOption { + default = [ "http://127.0.0.1:2379" ]; + type = types.listOf types.str; + description = "Skydns list of etcd endpoints to connect to."; + }; + + tlsKey = mkOption { + default = null; + type = types.nullOr types.path; + description = "Skydns path of TLS client certificate - private key."; + }; + + tlsPem = mkOption { + default = null; + type = types.nullOr types.path; + description = "Skydns path of TLS client certificate - public key."; + }; + + caCert = mkOption { + default = null; + type = types.nullOr types.path; + description = "Skydns path of TLS certificate authority public key."; + }; + }; + + address = mkOption { + default = "0.0.0.0:53"; + type = types.str; + description = "Skydns address to bind to."; + }; + + domain = mkOption { + default = "skydns.local."; + type = types.str; + description = "Skydns default domain if not specified by etcd config."; + }; + + nameservers = mkOption { + default = map (n: n + ":53") config.networking.nameservers; + defaultText = literalExpression ''map (n: n + ":53") config.networking.nameservers''; + type = types.listOf types.str; + description = "Skydns list of nameservers to forward DNS requests to when not authoritative for a domain."; + example = ["8.8.8.8:53" "8.8.4.4:53"]; + }; + + package = mkOption { + default = pkgs.skydns; + defaultText = literalExpression "pkgs.skydns"; + type = types.package; + description = "Skydns package to use."; + }; + + extraConfig = mkOption { + default = {}; + type = types.attrsOf types.str; + description = "Skydns attribute set of extra config options passed as environment variables."; + }; + }; + + config = mkIf (cfg.enable) { + systemd.services.skydns = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "etcd.service" ]; + description = "Skydns Service"; + environment = { + ETCD_MACHINES = concatStringsSep "," cfg.etcd.machines; + ETCD_TLSKEY = cfg.etcd.tlsKey; + ETCD_TLSPEM = cfg.etcd.tlsPem; + ETCD_CACERT = cfg.etcd.caCert; + SKYDNS_ADDR = cfg.address; + SKYDNS_DOMAIN = cfg.domain; + SKYDNS_NAMESERVERS = concatStringsSep "," cfg.nameservers; + }; + serviceConfig = { + ExecStart = "${cfg.package}/bin/skydns"; + }; + }; + + environment.systemPackages = [ cfg.package ]; + }; +} diff --git a/nixos/modules/services/networking/smartdns.nix b/nixos/modules/services/networking/smartdns.nix new file mode 100644 index 00000000000..7f9df42ce9c --- /dev/null +++ b/nixos/modules/services/networking/smartdns.nix @@ -0,0 +1,62 @@ +{ lib, pkgs, config, ... }: + +with lib; + +let + inherit (lib.types) attrsOf coercedTo listOf oneOf str int bool; + cfg = config.services.smartdns; + + confFile = pkgs.writeText "smartdns.conf" (with generators; + toKeyValue { + mkKeyValue = mkKeyValueDefault { + mkValueString = v: + if isBool v then + if v then "yes" else "no" + else + mkValueStringDefault { } v; + } " "; + listsAsDuplicateKeys = + true; # Allowing duplications because we need to deal with multiple entries with the same key. + } cfg.settings); +in { + options.services.smartdns = { + enable = mkEnableOption "SmartDNS DNS server"; + + bindPort = mkOption { + type = types.port; + default = 53; + description = "DNS listening port number."; + }; + + settings = mkOption { + type = + let atom = oneOf [ str int bool ]; + in attrsOf (coercedTo atom toList (listOf atom)); + example = literalExpression '' + { + bind = ":5353 -no-rule -group example"; + cache-size = 4096; + server-tls = [ "8.8.8.8:853" "1.1.1.1:853" ]; + server-https = "https://cloudflare-dns.com/dns-query -exclude-default-group"; + prefetch-domain = true; + speed-check-mode = "ping,tcp:80"; + }; + ''; + description = '' + A set that will be generated into configuration file, see the <link xlink:href="https://github.com/pymumu/smartdns/blob/master/ReadMe_en.md#configuration-parameter">SmartDNS README</link> for details of configuration parameters. + You could override the options here like <option>services.smartdns.bindPort</option> by writing <literal>settings.bind = ":5353 -no-rule -group example";</literal>. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + services.smartdns.settings.bind = mkDefault ":${toString cfg.bindPort}"; + + systemd.packages = [ pkgs.smartdns ]; + systemd.services.smartdns.wantedBy = [ "multi-user.target" ]; + systemd.services.smartdns.restartTriggers = [ confFile ]; + environment.etc."smartdns/smartdns.conf".source = confFile; + environment.etc."default/smartdns".source = + "${pkgs.smartdns}/etc/default/smartdns"; + }; +} diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix new file mode 100644 index 00000000000..bd71b158dbe --- /dev/null +++ b/nixos/modules/services/networking/smokeping.nix @@ -0,0 +1,362 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + + cfg = config.services.smokeping; + smokepingHome = "/var/lib/smokeping"; + smokepingPidDir = "/run"; + configFile = + if cfg.config == null + then + '' + *** General *** + cgiurl = ${cfg.cgiUrl} + contact = ${cfg.ownerEmail} + datadir = ${smokepingHome}/data + imgcache = ${smokepingHome}/cache + imgurl = ${cfg.imgUrl} + linkstyle = ${cfg.linkStyle} + ${lib.optionalString (cfg.mailHost != "") "mailhost = ${cfg.mailHost}"} + owner = ${cfg.owner} + pagedir = ${smokepingHome}/cache + piddir = ${smokepingPidDir} + ${lib.optionalString (cfg.sendmail != null) "sendmail = ${cfg.sendmail}"} + smokemail = ${cfg.smokeMailTemplate} + *** Presentation *** + template = ${cfg.presentationTemplate} + ${cfg.presentationConfig} + *** Alerts *** + ${cfg.alertConfig} + *** Database *** + ${cfg.databaseConfig} + *** Probes *** + ${cfg.probeConfig} + *** Targets *** + ${cfg.targetConfig} + ${cfg.extraConfig} + '' + else + cfg.config; + + configPath = pkgs.writeText "smokeping.conf" configFile; + cgiHome = pkgs.writeScript "smokeping.fcgi" '' + #!${pkgs.bash}/bin/bash + ${cfg.package}/bin/smokeping_cgi ${configPath} + ''; +in + +{ + options = { + services.smokeping = { + enable = mkOption { + type = types.bool; + default = false; + description = "Enable the smokeping service"; + }; + alertConfig = mkOption { + type = types.lines; + default = '' + to = root@localhost + from = smokeping@localhost + ''; + example = '' + to = alertee@address.somewhere + from = smokealert@company.xy + + +someloss + type = loss + # in percent + pattern = >0%,*12*,>0%,*12*,>0% + comment = loss 3 times in a row; + ''; + description = "Configuration for alerts."; + }; + cgiUrl = mkOption { + type = types.str; + default = "http://${cfg.hostName}:${toString cfg.port}/smokeping.cgi"; + defaultText = literalExpression ''"http://''${hostName}:''${toString port}/smokeping.cgi"''; + example = "https://somewhere.example.com/smokeping.cgi"; + description = "URL to the smokeping cgi."; + }; + config = mkOption { + type = types.nullOr types.lines; + default = null; + description = "Full smokeping config supplied by the user. Overrides " + + "and replaces any other configuration supplied."; + }; + databaseConfig = mkOption { + type = types.lines; + default = '' + step = 300 + pings = 20 + # consfn mrhb steps total + AVERAGE 0.5 1 1008 + AVERAGE 0.5 12 4320 + MIN 0.5 12 4320 + MAX 0.5 12 4320 + AVERAGE 0.5 144 720 + MAX 0.5 144 720 + MIN 0.5 144 720 + + ''; + example = '' + # near constant pings. + step = 30 + pings = 20 + # consfn mrhb steps total + AVERAGE 0.5 1 10080 + AVERAGE 0.5 12 43200 + MIN 0.5 12 43200 + MAX 0.5 12 43200 + AVERAGE 0.5 144 7200 + MAX 0.5 144 7200 + MIN 0.5 144 7200 + ''; + description = ''Configure the ping frequency and retention of the rrd files. + Once set, changing the interval will require deletion or migration of all + the collected data.''; + }; + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Any additional customization not already included."; + }; + hostName = mkOption { + type = types.str; + default = config.networking.fqdn; + defaultText = literalExpression "config.networking.fqdn"; + example = "somewhere.example.com"; + description = "DNS name for the urls generated in the cgi."; + }; + imgUrl = mkOption { + type = types.str; + default = "cache"; + defaultText = literalExpression ''"cache"''; + example = "https://somewhere.example.com/cache"; + description = '' + Base url for images generated in the cgi. + + The default is a relative URL to ensure it works also when e.g. forwarding + the GUI port via SSH. + ''; + }; + linkStyle = mkOption { + type = types.enum ["original" "absolute" "relative"]; + default = "relative"; + example = "absolute"; + description = "DNS name for the urls generated in the cgi."; + }; + mailHost = mkOption { + type = types.str; + default = ""; + example = "localhost"; + description = "Use this SMTP server to send alerts"; + }; + owner = mkOption { + type = types.str; + default = "nobody"; + example = "Joe Admin"; + description = "Real name of the owner of the instance"; + }; + ownerEmail = mkOption { + type = types.str; + default = "no-reply@${cfg.hostName}"; + defaultText = literalExpression ''"no-reply@''${hostName}"''; + example = "no-reply@yourdomain.com"; + description = "Email contact for owner"; + }; + package = mkOption { + type = types.package; + default = pkgs.smokeping; + defaultText = literalExpression "pkgs.smokeping"; + description = "Specify a custom smokeping package"; + }; + host = mkOption { + type = types.nullOr types.str; + default = "localhost"; + example = "192.0.2.1"; # rfc5737 example IP for documentation + description = '' + Host/IP to bind to for the web server. + + Setting it to <literal>null</literal> skips passing the -h option to thttpd, + which makes it bind to all interfaces. + ''; + }; + port = mkOption { + type = types.int; + default = 8081; + description = "TCP port to use for the web server."; + }; + presentationConfig = mkOption { + type = types.lines; + default = '' + + charts + menu = Charts + title = The most interesting destinations + ++ stddev + sorter = StdDev(entries=>4) + title = Top Standard Deviation + menu = Std Deviation + format = Standard Deviation %f + ++ max + sorter = Max(entries=>5) + title = Top Max Roundtrip Time + menu = by Max + format = Max Roundtrip Time %f seconds + ++ loss + sorter = Loss(entries=>5) + title = Top Packet Loss + menu = Loss + format = Packets Lost %f + ++ median + sorter = Median(entries=>5) + title = Top Median Roundtrip Time + menu = by Median + format = Median RTT %f seconds + + overview + width = 600 + height = 50 + range = 10h + + detail + width = 600 + height = 200 + unison_tolerance = 2 + "Last 3 Hours" 3h + "Last 30 Hours" 30h + "Last 10 Days" 10d + "Last 360 Days" 360d + ''; + description = "presentation graph style"; + }; + presentationTemplate = mkOption { + type = types.str; + default = "${pkgs.smokeping}/etc/basepage.html.dist"; + defaultText = literalExpression ''"''${pkgs.smokeping}/etc/basepage.html.dist"''; + description = "Default page layout for the web UI."; + }; + probeConfig = mkOption { + type = types.lines; + default = '' + + FPing + binary = ${config.security.wrapperDir}/fping + ''; + defaultText = literalExpression '' + ''' + + FPing + binary = ''${config.security.wrapperDir}/fping + ''' + ''; + description = "Probe configuration"; + }; + sendmail = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/wrappers/bin/sendmail"; + description = "Use this sendmail compatible script to deliver alerts"; + }; + smokeMailTemplate = mkOption { + type = types.str; + default = "${cfg.package}/etc/smokemail.dist"; + defaultText = literalExpression ''"''${package}/etc/smokemail.dist"''; + description = "Specify the smokemail template for alerts."; + }; + targetConfig = mkOption { + type = types.lines; + default = '' + probe = FPing + menu = Top + title = Network Latency Grapher + remark = Welcome to the SmokePing website of xxx Company. \ + Here you will learn all about the latency of our network. + + Local + menu = Local + title = Local Network + ++ LocalMachine + menu = Local Machine + title = This host + host = localhost + ''; + description = "Target configuration"; + }; + user = mkOption { + type = types.str; + default = "smokeping"; + description = "User that runs smokeping and (optionally) thttpd. A group of the same name will be created as well."; + }; + webService = mkOption { + type = types.bool; + default = true; + description = "Enable a smokeping web interface"; + }; + }; + + }; + + config = mkIf cfg.enable { + assertions = [ + { + assertion = !(cfg.sendmail != null && cfg.mailHost != ""); + message = "services.smokeping: sendmail and Mailhost cannot both be enabled."; + } + ]; + security.wrappers = { + fping = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.fping}/bin/fping"; + }; + }; + environment.systemPackages = [ pkgs.fping ]; + users.users.${cfg.user} = { + isNormalUser = false; + isSystemUser = true; + group = cfg.user; + description = "smokeping daemon user"; + home = smokepingHome; + createHome = true; + }; + users.groups.${cfg.user} = {}; + systemd.services.smokeping = { + requiredBy = [ "multi-user.target"]; + serviceConfig = { + User = cfg.user; + Restart = "on-failure"; + ExecStart = "${cfg.package}/bin/smokeping --config=${configPath} --nodaemon"; + }; + preStart = '' + mkdir -m 0755 -p ${smokepingHome}/cache ${smokepingHome}/data + rm -f ${smokepingHome}/cropper + ln -s ${cfg.package}/htdocs/cropper ${smokepingHome}/cropper + rm -f ${smokepingHome}/smokeping.fcgi + ln -s ${cgiHome} ${smokepingHome}/smokeping.fcgi + ${cfg.package}/bin/smokeping --check --config=${configPath} + ${cfg.package}/bin/smokeping --static --config=${configPath} + ''; + }; + systemd.services.thttpd = mkIf cfg.webService { + requiredBy = [ "multi-user.target"]; + requires = [ "smokeping.service"]; + path = with pkgs; [ bash rrdtool smokeping thttpd ]; + serviceConfig = { + Restart = "always"; + ExecStart = lib.concatStringsSep " " (lib.concatLists [ + [ "${pkgs.thttpd}/bin/thttpd" ] + [ "-u ${cfg.user}" ] + [ ''-c "**.fcgi"'' ] + [ "-d ${smokepingHome}" ] + (lib.optional (cfg.host != null) "-h ${cfg.host}") + [ "-p ${builtins.toString cfg.port}" ] + [ "-D -nos" ] + ]); + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ + erictapen + nh2 + ]; +} + diff --git a/nixos/modules/services/networking/sniproxy.nix b/nixos/modules/services/networking/sniproxy.nix new file mode 100644 index 00000000000..adca5398e4a --- /dev/null +++ b/nixos/modules/services/networking/sniproxy.nix @@ -0,0 +1,88 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + + cfg = config.services.sniproxy; + + configFile = pkgs.writeText "sniproxy.conf" '' + user ${cfg.user} + pidfile /run/sniproxy.pid + ${cfg.config} + ''; + +in +{ + imports = [ (mkRemovedOptionModule [ "services" "sniproxy" "logDir" ] "Now done by LogsDirectory=. Set to a custom path if you log to a different folder in your config.") ]; + + options = { + services.sniproxy = { + enable = mkEnableOption "sniproxy server"; + + user = mkOption { + type = types.str; + default = "sniproxy"; + description = "User account under which sniproxy runs."; + }; + + group = mkOption { + type = types.str; + default = "sniproxy"; + description = "Group under which sniproxy runs."; + }; + + config = mkOption { + type = types.lines; + default = ""; + description = "sniproxy.conf configuration excluding the daemon username and pid file."; + example = '' + error_log { + filename /var/log/sniproxy/error.log + } + access_log { + filename /var/log/sniproxy/access.log + } + listen 443 { + proto tls + } + table { + example.com 192.0.2.10 + example.net 192.0.2.20 + } + ''; + }; + }; + + }; + + config = mkIf cfg.enable { + systemd.services.sniproxy = { + description = "sniproxy server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.sniproxy}/bin/sniproxy -c ${configFile}"; + LogsDirectory = "sniproxy"; + LogsDirectoryMode = "0640"; + Restart = "always"; + }; + }; + + users.users = mkIf (cfg.user == "sniproxy") { + sniproxy = { + group = cfg.group; + uid = config.ids.uids.sniproxy; + }; + }; + + users.groups = mkIf (cfg.group == "sniproxy") { + sniproxy = { + gid = config.ids.gids.sniproxy; + }; + }; + + }; +} diff --git a/nixos/modules/services/networking/snowflake-proxy.nix b/nixos/modules/services/networking/snowflake-proxy.nix new file mode 100644 index 00000000000..2124644ed9b --- /dev/null +++ b/nixos/modules/services/networking/snowflake-proxy.nix @@ -0,0 +1,81 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.snowflake-proxy; +in +{ + options = { + services.snowflake-proxy = { + enable = mkEnableOption "System to defeat internet censorship"; + + broker = mkOption { + description = "Broker URL (default \"https://snowflake-broker.torproject.net/\")"; + type = with types; nullOr str; + default = null; + }; + + capacity = mkOption { + description = "Limits the amount of maximum concurrent clients allowed."; + type = with types; nullOr int; + default = null; + }; + + relay = mkOption { + description = "websocket relay URL (default \"wss://snowflake.bamsoftware.com/\")"; + type = with types; nullOr str; + default = null; + }; + + stun = mkOption { + description = "STUN broker URL (default \"stun:stun.stunprotocol.org:3478\")"; + type = with types; nullOr str; + default = null; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.snowflake-proxy = { + wantedBy = [ "network-online.target" ]; + serviceConfig = { + ExecStart = + "${pkgs.snowflake}/bin/proxy " + concatStringsSep " " ( + optional (cfg.broker != null) "-broker ${cfg.broker}" + ++ optional (cfg.capacity != null) "-capacity ${builtins.toString cfg.capacity}" + ++ optional (cfg.relay != null) "-relay ${cfg.relay}" + ++ optional (cfg.stun != null) "-stun ${cfg.stun}" + ); + + # Security Hardening + # Refer to systemd.exec(5) for option descriptions. + CapabilityBoundingSet = ""; + + # implies RemoveIPC=, PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=, + # ProtectSystem=strict, ProtectHome=read-only + DynamicUser = true; + LockPersonality = true; + PrivateDevices = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectProc = "invisible"; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources"; + UMask = "0077"; + }; + }; + }; + + meta.maintainers = with maintainers; [ yayayayaka ]; +} diff --git a/nixos/modules/services/networking/softether.nix b/nixos/modules/services/networking/softether.nix new file mode 100644 index 00000000000..5405f56871e --- /dev/null +++ b/nixos/modules/services/networking/softether.nix @@ -0,0 +1,163 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.softether; + + package = cfg.package.override { dataDir = cfg.dataDir; }; + +in +{ + + ###### interface + + options = { + + services.softether = { + + enable = mkEnableOption "SoftEther VPN services"; + + package = mkOption { + type = types.package; + default = pkgs.softether; + defaultText = literalExpression "pkgs.softether"; + description = '' + softether derivation to use. + ''; + }; + + vpnserver.enable = mkEnableOption "SoftEther VPN Server"; + + vpnbridge.enable = mkEnableOption "SoftEther VPN Bridge"; + + vpnclient = { + enable = mkEnableOption "SoftEther VPN Client"; + up = mkOption { + type = types.lines; + default = ""; + description = '' + Shell commands executed when the Virtual Network Adapter(s) is/are starting. + ''; + }; + down = mkOption { + type = types.lines; + default = ""; + description = '' + Shell commands executed when the Virtual Network Adapter(s) is/are shutting down. + ''; + }; + }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/softether"; + description = '' + Data directory for SoftEther VPN. + ''; + }; + + }; + + }; + + ###### implementation + + config = mkIf cfg.enable ( + + mkMerge [{ + environment.systemPackages = [ package ]; + + systemd.services.softether-init = { + description = "SoftEther VPN services initial task"; + wantedBy = [ "network.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = false; + }; + script = '' + for d in vpnserver vpnbridge vpnclient vpncmd; do + if ! test -e ${cfg.dataDir}/$d; then + ${pkgs.coreutils}/bin/mkdir -m0700 -p ${cfg.dataDir}/$d + install -m0600 ${package}${cfg.dataDir}/$d/hamcore.se2 ${cfg.dataDir}/$d/hamcore.se2 + fi + done + rm -rf ${cfg.dataDir}/vpncmd/vpncmd + ln -s ${package}${cfg.dataDir}/vpncmd/vpncmd ${cfg.dataDir}/vpncmd/vpncmd + ''; + }; + } + + (mkIf (cfg.vpnserver.enable) { + systemd.services.vpnserver = { + description = "SoftEther VPN Server"; + after = [ "softether-init.service" ]; + requires = [ "softether-init.service" ]; + wantedBy = [ "network.target" ]; + serviceConfig = { + Type = "forking"; + ExecStart = "${package}/bin/vpnserver start"; + ExecStop = "${package}/bin/vpnserver stop"; + }; + preStart = '' + rm -rf ${cfg.dataDir}/vpnserver/vpnserver + ln -s ${package}${cfg.dataDir}/vpnserver/vpnserver ${cfg.dataDir}/vpnserver/vpnserver + ''; + postStop = '' + rm -rf ${cfg.dataDir}/vpnserver/vpnserver + ''; + }; + }) + + (mkIf (cfg.vpnbridge.enable) { + systemd.services.vpnbridge = { + description = "SoftEther VPN Bridge"; + after = [ "softether-init.service" ]; + requires = [ "softether-init.service" ]; + wantedBy = [ "network.target" ]; + serviceConfig = { + Type = "forking"; + ExecStart = "${package}/bin/vpnbridge start"; + ExecStop = "${package}/bin/vpnbridge stop"; + }; + preStart = '' + rm -rf ${cfg.dataDir}/vpnbridge/vpnbridge + ln -s ${package}${cfg.dataDir}/vpnbridge/vpnbridge ${cfg.dataDir}/vpnbridge/vpnbridge + ''; + postStop = '' + rm -rf ${cfg.dataDir}/vpnbridge/vpnbridge + ''; + }; + }) + + (mkIf (cfg.vpnclient.enable) { + systemd.services.vpnclient = { + description = "SoftEther VPN Client"; + after = [ "softether-init.service" ]; + requires = [ "softether-init.service" ]; + wantedBy = [ "network.target" ]; + serviceConfig = { + Type = "forking"; + ExecStart = "${package}/bin/vpnclient start"; + ExecStop = "${package}/bin/vpnclient stop"; + }; + preStart = '' + rm -rf ${cfg.dataDir}/vpnclient/vpnclient + ln -s ${package}${cfg.dataDir}/vpnclient/vpnclient ${cfg.dataDir}/vpnclient/vpnclient + ''; + postStart = '' + sleep 1 + ${cfg.vpnclient.up} + ''; + postStop = '' + rm -rf ${cfg.dataDir}/vpnclient/vpnclient + sleep 1 + ${cfg.vpnclient.down} + ''; + }; + boot.kernelModules = [ "tun" ]; + }) + + ]); + +} diff --git a/nixos/modules/services/networking/soju.nix b/nixos/modules/services/networking/soju.nix new file mode 100644 index 00000000000..cb0acf4765f --- /dev/null +++ b/nixos/modules/services/networking/soju.nix @@ -0,0 +1,114 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.soju; + stateDir = "/var/lib/soju"; + listenCfg = concatMapStringsSep "\n" (l: "listen ${l}") cfg.listen; + tlsCfg = optionalString (cfg.tlsCertificate != null) + "tls ${cfg.tlsCertificate} ${cfg.tlsCertificateKey}"; + logCfg = optionalString cfg.enableMessageLogging + "log fs ${stateDir}/logs"; + + configFile = pkgs.writeText "soju.conf" '' + ${listenCfg} + hostname ${cfg.hostName} + ${tlsCfg} + db sqlite3 ${stateDir}/soju.db + ${logCfg} + http-origin ${concatStringsSep " " cfg.httpOrigins} + accept-proxy-ip ${concatStringsSep " " cfg.acceptProxyIP} + + ${cfg.extraConfig} + ''; +in +{ + ###### interface + + options.services.soju = { + enable = mkEnableOption "soju"; + + listen = mkOption { + type = types.listOf types.str; + default = [ ":6697" ]; + description = '' + Where soju should listen for incoming connections. See the + <literal>listen</literal> directive in + <citerefentry><refentrytitle>soju</refentrytitle> + <manvolnum>1</manvolnum></citerefentry>. + ''; + }; + + hostName = mkOption { + type = types.str; + default = config.networking.hostName; + defaultText = literalExpression "config.networking.hostName"; + description = "Server hostname."; + }; + + tlsCertificate = mkOption { + type = types.nullOr types.path; + example = "/var/host.cert"; + description = "Path to server TLS certificate."; + }; + + tlsCertificateKey = mkOption { + type = types.nullOr types.path; + example = "/var/host.key"; + description = "Path to server TLS certificate key."; + }; + + enableMessageLogging = mkOption { + type = types.bool; + default = true; + description = "Whether to enable message logging."; + }; + + httpOrigins = mkOption { + type = types.listOf types.str; + default = []; + description = '' + List of allowed HTTP origins for WebSocket listeners. The parameters are + interpreted as shell patterns, see + <citerefentry><refentrytitle>glob</refentrytitle> + <manvolnum>7</manvolnum></citerefentry>. + ''; + }; + + acceptProxyIP = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Allow the specified IPs to act as a proxy. Proxys have the ability to + overwrite the remote and local connection addresses (via the X-Forwarded-\* + HTTP header fields). The special name "localhost" accepts the loopback + addresses 127.0.0.0/8 and ::1/128. By default, all IPs are rejected. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Lines added verbatim to the configuration file."; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + systemd.services.soju = { + description = "soju IRC bouncer"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + serviceConfig = { + DynamicUser = true; + Restart = "always"; + ExecStart = "${pkgs.soju}/bin/soju -config ${configFile}"; + StateDirectory = "soju"; + }; + }; + }; + + meta.maintainers = with maintainers; [ malvo ]; +} diff --git a/nixos/modules/services/networking/solanum.nix b/nixos/modules/services/networking/solanum.nix new file mode 100644 index 00000000000..dc066a24549 --- /dev/null +++ b/nixos/modules/services/networking/solanum.nix @@ -0,0 +1,109 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkEnableOption mkIf mkOption types; + inherit (pkgs) solanum util-linux; + cfg = config.services.solanum; + + configFile = pkgs.writeText "solanum.conf" cfg.config; +in + +{ + + ###### interface + + options = { + + services.solanum = { + + enable = mkEnableOption "Solanum IRC daemon"; + + config = mkOption { + type = types.str; + default = '' + serverinfo { + name = "irc.example.com"; + sid = "1ix"; + description = "irc!"; + + vhost = "0.0.0.0"; + vhost6 = "::"; + }; + + listen { + host = "0.0.0.0"; + port = 6667; + }; + + auth { + user = "*@*"; + class = "users"; + flags = exceed_limit; + }; + channel { + default_split_user_count = 0; + }; + ''; + description = '' + Solanum IRC daemon configuration file. + check <link xlink:href="https://github.com/solanum-ircd/solanum/blob/main/doc/reference.conf"/> for all options. + ''; + }; + + openFilesLimit = mkOption { + type = types.int; + default = 1024; + description = '' + Maximum number of open files. Limits the clients and server connections. + ''; + }; + + motd = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Solanum MOTD text. + + Solanum will read its MOTD from <literal>/etc/solanum/ircd.motd</literal>. + If set, the value of this option will be written to this path. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable (lib.mkMerge [ + { + + environment.etc."solanum/ircd.conf".source = configFile; + + systemd.services.solanum = { + description = "Solanum IRC daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + restartTriggers = [ + configFile + ]; + serviceConfig = { + ExecStart = "${solanum}/bin/solanum -foreground -logfile /dev/stdout -configfile /etc/solanum/ircd.conf -pidfile /run/solanum/ircd.pid"; + ExecReload = "${util-linux}/bin/kill -HUP $MAINPID"; + DynamicUser = true; + User = "solanum"; + StateDirectory = "solanum"; + RuntimeDirectory = "solanum"; + LimitNOFILE = "${toString cfg.openFilesLimit}"; + }; + }; + + } + + (mkIf (cfg.motd != null) { + environment.etc."solanum/ircd.motd".text = cfg.motd; + }) + ]); +} diff --git a/nixos/modules/services/networking/spacecookie.nix b/nixos/modules/services/networking/spacecookie.nix new file mode 100644 index 00000000000..400f3e26cc9 --- /dev/null +++ b/nixos/modules/services/networking/spacecookie.nix @@ -0,0 +1,216 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.spacecookie; + + spacecookieConfig = { + listen = { + inherit (cfg) port; + }; + } // cfg.settings; + + format = pkgs.formats.json {}; + + configFile = format.generate "spacecookie.json" spacecookieConfig; + +in { + imports = [ + (mkRenamedOptionModule [ "services" "spacecookie" "root" ] [ "services" "spacecookie" "settings" "root" ]) + (mkRenamedOptionModule [ "services" "spacecookie" "hostname" ] [ "services" "spacecookie" "settings" "hostname" ]) + ]; + + options = { + + services.spacecookie = { + + enable = mkEnableOption "spacecookie"; + + package = mkOption { + type = types.package; + default = pkgs.spacecookie; + defaultText = literalExpression "pkgs.spacecookie"; + example = literalExpression "pkgs.haskellPackages.spacecookie"; + description = '' + The spacecookie derivation to use. This can be used to + override the used package or to use another version. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open the necessary port in the firewall for spacecookie. + ''; + }; + + port = mkOption { + type = types.port; + default = 70; + description = '' + Port the gopher service should be exposed on. + ''; + }; + + address = mkOption { + type = types.str; + default = "[::]"; + description = '' + Address to listen on. Must be in the + <literal>ListenStream=</literal> syntax of + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.socket.html">systemd.socket(5)</link>. + ''; + }; + + settings = mkOption { + type = types.submodule { + freeformType = format.type; + + options.hostname = mkOption { + type = types.str; + default = "localhost"; + description = '' + The hostname the service is reachable via. Clients + will use this hostname for further requests after + loading the initial gopher menu. + ''; + }; + + options.root = mkOption { + type = types.path; + default = "/srv/gopher"; + description = '' + The directory spacecookie should serve via gopher. + Files in there need to be world-readable since + the spacecookie service file sets + <literal>DynamicUser=true</literal>. + ''; + }; + + options.log = { + enable = mkEnableOption "logging for spacecookie" + // { default = true; example = false; }; + + hide-ips = mkOption { + type = types.bool; + default = true; + description = '' + If enabled, spacecookie will hide personal + information of users like IP addresses from + log output. + ''; + }; + + hide-time = mkOption { + type = types.bool; + # since we are starting with systemd anyways + # we deviate from the default behavior here: + # journald will add timestamps, so no need + # to double up. + default = true; + description = '' + If enabled, spacecookie will not print timestamps + at the beginning of every log line. + ''; + }; + + level = mkOption { + type = types.enum [ + "info" + "warn" + "error" + ]; + default = "info"; + description = '' + Log level for the spacecookie service. + ''; + }; + }; + }; + + description = '' + Settings for spacecookie. The settings set here are + directly translated to the spacecookie JSON config + file. See + <link xlink:href="https://sternenseemann.github.io/spacecookie/spacecookie.json.5.html">spacecookie.json(5)</link> + for explanations of all options. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + assertions = [ + { + assertion = !(cfg.settings ? user); + message = '' + spacecookie is started as a normal user, so the setuid + feature doesn't work. If you want to run spacecookie as + a specific user, set: + systemd.services.spacecookie.serviceConfig = { + DynamicUser = false; + User = "youruser"; + Group = "yourgroup"; + } + ''; + } + { + assertion = !(cfg.settings ? listen || cfg.settings ? port); + message = '' + The NixOS spacecookie module uses socket activation, + so the listen options have no effect. Use the port + and address options in services.spacecookie instead. + ''; + } + ]; + + systemd.sockets.spacecookie = { + description = "Socket for the Spacecookie Gopher Server"; + wantedBy = [ "sockets.target" ]; + listenStreams = [ "${cfg.address}:${toString cfg.port}" ]; + socketConfig = { + BindIPv6Only = "both"; + }; + }; + + systemd.services.spacecookie = { + description = "Spacecookie Gopher Server"; + wantedBy = [ "multi-user.target" ]; + requires = [ "spacecookie.socket" ]; + + serviceConfig = { + Type = "notify"; + ExecStart = "${lib.getBin cfg.package}/bin/spacecookie ${configFile}"; + FileDescriptorStoreMax = 1; + + DynamicUser = true; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateUsers = true; + + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + LockPersonality = true; + RestrictRealtime = true; + + # AF_UNIX for communication with systemd + # AF_INET replaced by BindIPv6Only=both + RestrictAddressFamilies = "AF_UNIX AF_INET6"; + }; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + }; + }; +} diff --git a/nixos/modules/services/networking/spiped.nix b/nixos/modules/services/networking/spiped.nix new file mode 100644 index 00000000000..3c229ecfc72 --- /dev/null +++ b/nixos/modules/services/networking/spiped.nix @@ -0,0 +1,220 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.spiped; +in +{ + options = { + services.spiped = { + enable = mkOption { + type = types.bool; + default = false; + description = "Enable the spiped service module."; + }; + + config = mkOption { + type = types.attrsOf (types.submodule ( + { + options = { + encrypt = mkOption { + type = types.bool; + default = false; + description = '' + Take unencrypted connections from the + <literal>source</literal> socket and send encrypted + connections to the <literal>target</literal> socket. + ''; + }; + + decrypt = mkOption { + type = types.bool; + default = false; + description = '' + Take encrypted connections from the + <literal>source</literal> socket and send unencrypted + connections to the <literal>target</literal> socket. + ''; + }; + + source = mkOption { + type = types.str; + description = '' + Address on which spiped should listen for incoming + connections. Must be in one of the following formats: + <literal>/absolute/path/to/unix/socket</literal>, + <literal>host.name:port</literal>, + <literal>[ip.v4.ad.dr]:port</literal> or + <literal>[ipv6::addr]:port</literal> - note that + hostnames are resolved when spiped is launched and are + not re-resolved later; thus if DNS entries change + spiped will continue to connect to the expired + address. + ''; + }; + + target = mkOption { + type = types.str; + description = "Address to which spiped should connect."; + }; + + keyfile = mkOption { + type = types.path; + description = '' + Name of a file containing the spiped key. As the + daemon runs as the <literal>spiped</literal> user, the + key file must be somewhere owned by that user. By + default, we recommend putting the keys for any spipe + services in <literal>/var/lib/spiped</literal>. + ''; + }; + + timeout = mkOption { + type = types.int; + default = 5; + description = '' + Timeout, in seconds, after which an attempt to connect to + the target or a protocol handshake will be aborted (and the + connection dropped) if not completed + ''; + }; + + maxConns = mkOption { + type = types.int; + default = 100; + description = '' + Limit on the number of simultaneous connections allowed. + ''; + }; + + waitForDNS = mkOption { + type = types.bool; + default = false; + description = '' + Wait for DNS. Normally when <literal>spiped</literal> is + launched it resolves addresses and binds to its source + socket before the parent process returns; with this option + it will daemonize first and retry failed DNS lookups until + they succeed. This allows <literal>spiped</literal> to + launch even if DNS isn't set up yet, but at the expense of + losing the guarantee that once <literal>spiped</literal> has + finished launching it will be ready to create pipes. + ''; + }; + + disableKeepalives = mkOption { + type = types.bool; + default = false; + description = "Disable transport layer keep-alives."; + }; + + weakHandshake = mkOption { + type = types.bool; + default = false; + description = '' + Use fast/weak handshaking: This reduces the CPU time spent + in the initial connection setup, at the expense of losing + perfect forward secrecy. + ''; + }; + + resolveRefresh = mkOption { + type = types.int; + default = 60; + description = '' + Resolution refresh time for the target socket, in seconds. + ''; + }; + + disableReresolution = mkOption { + type = types.bool; + default = false; + description = "Disable target address re-resolution."; + }; + }; + } + )); + + default = {}; + + example = literalExpression '' + { + pipe1 = + { keyfile = "/var/lib/spiped/pipe1.key"; + encrypt = true; + source = "localhost:6000"; + target = "endpoint.example.com:7000"; + }; + pipe2 = + { keyfile = "/var/lib/spiped/pipe2.key"; + decrypt = true; + source = "0.0.0.0:7000"; + target = "localhost:3000"; + }; + } + ''; + + description = '' + Configuration for a secure pipe daemon. The daemon can be + started, stopped, or examined using + <literal>systemctl</literal>, under the name + <literal>spiped@foo</literal>. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + assertions = mapAttrsToList (name: c: { + assertion = (c.encrypt -> !c.decrypt) || (c.decrypt -> c.encrypt); + message = "A pipe must either encrypt or decrypt"; + }) cfg.config; + + users.groups.spiped.gid = config.ids.gids.spiped; + users.users.spiped = { + description = "Secure Pipe Service user"; + group = "spiped"; + uid = config.ids.uids.spiped; + }; + + systemd.services."spiped@" = { + description = "Secure pipe '%i'"; + after = [ "network.target" ]; + + serviceConfig = { + Restart = "always"; + User = "spiped"; + PermissionsStartOnly = true; + }; + + preStart = '' + cd /var/lib/spiped + chmod -R 0660 * + chown -R spiped:spiped * + ''; + scriptArgs = "%i"; + script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`"; + }; + + system.activationScripts.spiped = optionalString (cfg.config != {}) + "mkdir -p /var/lib/spiped"; + + # Setup spiped config files + environment.etc = mapAttrs' (name: cfg: nameValuePair "spiped/${name}.spec" + { text = concatStringsSep " " + [ (if cfg.encrypt then "-e" else "-d") # Mode + "-s ${cfg.source}" # Source + "-t ${cfg.target}" # Target + "-k ${cfg.keyfile}" # Keyfile + "-n ${toString cfg.maxConns}" # Max number of conns + "-o ${toString cfg.timeout}" # Timeout + (optionalString cfg.waitForDNS "-D") # Wait for DNS + (optionalString cfg.weakHandshake "-f") # No PFS + (optionalString cfg.disableKeepalives "-j") # Keepalives + (if cfg.disableReresolution then "-R" + else "-r ${toString cfg.resolveRefresh}") + ]; + }) cfg.config; + }; +} diff --git a/nixos/modules/services/networking/squid.nix b/nixos/modules/services/networking/squid.nix new file mode 100644 index 00000000000..4f3881af8bb --- /dev/null +++ b/nixos/modules/services/networking/squid.nix @@ -0,0 +1,176 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.squid; + + + squidConfig = pkgs.writeText "squid.conf" + (if cfg.configText != null then cfg.configText else + '' + # + # Recommended minimum configuration (3.5): + # + + # Example rule allowing access from your local networks. + # Adapt to list your (internal) IP networks from where browsing + # should be allowed + acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network + acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network + acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network + acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines + acl localnet src fc00::/7 # RFC 4193 local private network range + acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines + + acl SSL_ports port 443 # https + acl Safe_ports port 80 # http + acl Safe_ports port 21 # ftp + acl Safe_ports port 443 # https + acl Safe_ports port 70 # gopher + acl Safe_ports port 210 # wais + acl Safe_ports port 1025-65535 # unregistered ports + acl Safe_ports port 280 # http-mgmt + acl Safe_ports port 488 # gss-http + acl Safe_ports port 591 # filemaker + acl Safe_ports port 777 # multiling http + acl CONNECT method CONNECT + + # + # Recommended minimum Access Permission configuration: + # + # Deny requests to certain unsafe ports + http_access deny !Safe_ports + + # Deny CONNECT to other than secure SSL ports + http_access deny CONNECT !SSL_ports + + # Only allow cachemgr access from localhost + http_access allow localhost manager + http_access deny manager + + # We strongly recommend the following be uncommented to protect innocent + # web applications running on the proxy server who think the only + # one who can access services on "localhost" is a local user + http_access deny to_localhost + + # Application logs to syslog, access and store logs have specific files + cache_log syslog + access_log stdio:/var/log/squid/access.log + cache_store_log stdio:/var/log/squid/store.log + + # Required by systemd service + pid_filename /run/squid.pid + + # Run as user and group squid + cache_effective_user squid squid + + # + # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS + # + ${cfg.extraConfig} + + # Example rule allowing access from your local networks. + # Adapt localnet in the ACL section to list your (internal) IP networks + # from where browsing should be allowed + http_access allow localnet + http_access allow localhost + + # And finally deny all other access to this proxy + http_access deny all + + # Squid normally listens to port 3128 + http_port ${ + optionalString (cfg.proxyAddress != null) "${cfg.proxyAddress}:" + }${toString cfg.proxyPort} + + # Leave coredumps in the first cache dir + coredump_dir /var/cache/squid + + # + # Add any of your own refresh_pattern entries above these. + # + refresh_pattern ^ftp: 1440 20% 10080 + refresh_pattern ^gopher: 1440 0% 1440 + refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 + refresh_pattern . 0 20% 4320 + ''); + +in + +{ + + options = { + + services.squid = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Whether to run squid web proxy."; + }; + + proxyAddress = mkOption { + type = types.nullOr types.str; + default = null; + description = "IP address on which squid will listen."; + }; + + proxyPort = mkOption { + type = types.int; + default = 3128; + description = "TCP port on which squid will listen."; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Squid configuration. Contents will be added + verbatim to the configuration file. + ''; + }; + + configText = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Verbatim contents of squid.conf. If null (default), use the + autogenerated file from NixOS instead. + ''; + }; + + }; + + }; + + config = mkIf cfg.enable { + + users.users.squid = { + isSystemUser = true; + group = "squid"; + home = "/var/cache/squid"; + createHome = true; + }; + + users.groups.squid = {}; + + systemd.services.squid = { + description = "Squid caching web proxy"; + after = [ "network.target" "nss-lookup.target" ]; + wantedBy = [ "multi-user.target"]; + preStart = '' + mkdir -p "/var/log/squid" + chown squid:squid "/var/log/squid" + ''; + serviceConfig = { + Type="forking"; + PIDFile="/run/squid.pid"; + ExecStart = "${pkgs.squid}/bin/squid -YCs -f ${squidConfig}"; + }; + }; + + }; + +} diff --git a/nixos/modules/services/networking/ssh/lshd.nix b/nixos/modules/services/networking/ssh/lshd.nix new file mode 100644 index 00000000000..862ff7df054 --- /dev/null +++ b/nixos/modules/services/networking/ssh/lshd.nix @@ -0,0 +1,189 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + inherit (pkgs) lsh; + + cfg = config.services.lshd; + +in + +{ + + ###### interface + + options = { + + services.lshd = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the GNU lshd SSH2 daemon, which allows + secure remote login. + ''; + }; + + portNumber = mkOption { + default = 22; + type = types.port; + description = '' + The port on which to listen for connections. + ''; + }; + + interfaces = mkOption { + default = []; + type = types.listOf types.str; + description = '' + List of network interfaces where listening for connections. + When providing the empty list, `[]', lshd listens on all + network interfaces. + ''; + example = [ "localhost" "1.2.3.4:443" ]; + }; + + hostKey = mkOption { + default = "/etc/lsh/host-key"; + type = types.str; + description = '' + Path to the server's private key. Note that this key must + have been created, e.g., using "lsh-keygen --server | + lsh-writekey --server", so that you can run lshd. + ''; + }; + + syslog = mkOption { + type = types.bool; + default = true; + description = "Whether to enable syslog output."; + }; + + passwordAuthentication = mkOption { + type = types.bool; + default = true; + description = "Whether to enable password authentication."; + }; + + publicKeyAuthentication = mkOption { + type = types.bool; + default = true; + description = "Whether to enable public key authentication."; + }; + + rootLogin = mkOption { + type = types.bool; + default = false; + description = "Whether to enable remote root login."; + }; + + loginShell = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + If non-null, override the default login shell with the + specified value. + ''; + example = "/nix/store/xyz-bash-10.0/bin/bash10"; + }; + + srpKeyExchange = mkOption { + default = false; + type = types.bool; + description = '' + Whether to enable SRP key exchange and user authentication. + ''; + }; + + tcpForwarding = mkOption { + type = types.bool; + default = true; + description = "Whether to enable TCP/IP forwarding."; + }; + + x11Forwarding = mkOption { + type = types.bool; + default = true; + description = "Whether to enable X11 forwarding."; + }; + + subsystems = mkOption { + type = types.listOf types.path; + description = '' + List of subsystem-path pairs, where the head of the pair + denotes the subsystem name, and the tail denotes the path to + an executable implementing it. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + services.lshd.subsystems = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ]; + + systemd.services.lshd = { + description = "GNU lshd SSH2 daemon"; + + after = [ "network.target" ]; + + wantedBy = [ "multi-user.target" ]; + + environment = { + LD_LIBRARY_PATH = config.system.nssModules.path; + }; + + preStart = '' + test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh + test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh + + if ! test -f /var/spool/lsh/yarrow-seed-file + then + # XXX: It would be nice to provide feedback to the + # user when this fails, so that they can retry it + # manually. + ${lsh}/bin/lsh-make-seed --sloppy \ + -o /var/spool/lsh/yarrow-seed-file + fi + + if ! test -f "${cfg.hostKey}" + then + ${lsh}/bin/lsh-keygen --server | \ + ${lsh}/bin/lsh-writekey --server -o "${cfg.hostKey}" + fi + ''; + + script = with cfg; '' + ${lsh}/sbin/lshd --daemonic \ + --password-helper="${lsh}/sbin/lsh-pam-checkpw" \ + -p ${toString portNumber} \ + ${if interfaces == [] then "" + else (concatStrings (map (i: "--interface=\"${i}\"") + interfaces))} \ + -h "${hostKey}" \ + ${if !syslog then "--no-syslog" else ""} \ + ${if passwordAuthentication then "--password" else "--no-password" } \ + ${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \ + ${if rootLogin then "--root-login" else "--no-root-login" } \ + ${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \ + ${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \ + ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \ + ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \ + --subsystems=${concatStringsSep "," + (map (pair: (head pair) + "=" + + (head (tail pair))) + subsystems)} + ''; + }; + + security.pam.services.lshd = {}; + }; +} diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix new file mode 100644 index 00000000000..230ab673a97 --- /dev/null +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -0,0 +1,571 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + # The splicing information needed for nativeBuildInputs isn't available + # on the derivations likely to be used as `cfgc.package`. + # This middle-ground solution ensures *an* sshd can do their basic validation + # on the configuration. + validationPackage = if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform + then cfgc.package + else pkgs.buildPackages.openssh; + + sshconf = pkgs.runCommand "sshd.conf-validated" { nativeBuildInputs = [ validationPackage ]; } '' + cat >$out <<EOL + ${cfg.extraConfig} + EOL + + ssh-keygen -q -f mock-hostkey -N "" + sshd -t -f $out -h mock-hostkey + ''; + + cfg = config.services.openssh; + cfgc = config.programs.ssh; + + nssModulesPath = config.system.nssModules.path; + + userOptions = { + + options.openssh.authorizedKeys = { + keys = mkOption { + type = types.listOf types.singleLineStr; + default = []; + description = '' + A list of verbatim OpenSSH public keys that should be added to the + user's authorized keys. The keys are added to a file that the SSH + daemon reads in addition to the the user's authorized_keys file. + You can combine the <literal>keys</literal> and + <literal>keyFiles</literal> options. + Warning: If you are using <literal>NixOps</literal> then don't use this + option since it will replace the key required for deployment via ssh. + ''; + example = [ + "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host" + "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar" + ]; + }; + + keyFiles = mkOption { + type = types.listOf types.path; + default = []; + description = '' + A list of files each containing one OpenSSH public key that should be + added to the user's authorized keys. The contents of the files are + read at build time and added to a file that the SSH daemon reads in + addition to the the user's authorized_keys file. You can combine the + <literal>keyFiles</literal> and <literal>keys</literal> options. + ''; + }; + }; + + }; + + authKeysFiles = let + mkAuthKeyFile = u: nameValuePair "ssh/authorized_keys.d/${u.name}" { + mode = "0444"; + source = pkgs.writeText "${u.name}-authorized_keys" '' + ${concatStringsSep "\n" u.openssh.authorizedKeys.keys} + ${concatMapStrings (f: readFile f + "\n") u.openssh.authorizedKeys.keyFiles} + ''; + }; + usersWithKeys = attrValues (flip filterAttrs config.users.users (n: u: + length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0 + )); + in listToAttrs (map mkAuthKeyFile usersWithKeys); + +in + +{ + imports = [ + (mkAliasOptionModule [ "services" "sshd" "enable" ] [ "services" "openssh" "enable" ]) + (mkAliasOptionModule [ "services" "openssh" "knownHosts" ] [ "programs" "ssh" "knownHosts" ]) + (mkRenamedOptionModule [ "services" "openssh" "challengeResponseAuthentication" ] [ "services" "openssh" "kbdInteractiveAuthentication" ]) + ]; + + ###### interface + + options = { + + services.openssh = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the OpenSSH secure shell daemon, which + allows secure remote logins. + ''; + }; + + startWhenNeeded = mkOption { + type = types.bool; + default = false; + description = '' + If set, <command>sshd</command> is socket-activated; that + is, instead of having it permanently running as a daemon, + systemd will start an instance for each incoming connection. + ''; + }; + + forwardX11 = mkOption { + type = types.bool; + default = false; + description = '' + Whether to allow X11 connections to be forwarded. + ''; + }; + + allowSFTP = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable the SFTP subsystem in the SSH daemon. This + enables the use of commands such as <command>sftp</command> and + <command>sshfs</command>. + ''; + }; + + sftpServerExecutable = mkOption { + type = types.str; + example = "internal-sftp"; + description = '' + The sftp server executable. Can be a path or "internal-sftp" to use + the sftp server built into the sshd binary. + ''; + }; + + sftpFlags = mkOption { + type = with types; listOf str; + default = []; + example = [ "-f AUTHPRIV" "-l INFO" ]; + description = '' + Commandline flags to add to sftp-server. + ''; + }; + + permitRootLogin = mkOption { + default = "prohibit-password"; + type = types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"]; + description = '' + Whether the root user can login using ssh. + ''; + }; + + gatewayPorts = mkOption { + type = types.str; + default = "no"; + description = '' + Specifies whether remote hosts are allowed to connect to + ports forwarded for the client. See + <citerefentry><refentrytitle>sshd_config</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>. + ''; + }; + + ports = mkOption { + type = types.listOf types.port; + default = [22]; + description = '' + Specifies on which ports the SSH daemon listens. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = true; + description = '' + Whether to automatically open the specified ports in the firewall. + ''; + }; + + listenAddresses = mkOption { + type = with types; listOf (submodule { + options = { + addr = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Host, IPv4 or IPv6 address to listen to. + ''; + }; + port = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Port to listen to. + ''; + }; + }; + }); + default = []; + example = [ { addr = "192.168.3.1"; port = 22; } { addr = "0.0.0.0"; port = 64022; } ]; + description = '' + List of addresses and ports to listen on (ListenAddress directive + in config). If port is not specified for address sshd will listen + on all ports specified by <literal>ports</literal> option. + NOTE: this will override default listening on all local addresses and port 22. + NOTE: setting this option won't automatically enable given ports + in firewall configuration. + ''; + }; + + passwordAuthentication = mkOption { + type = types.bool; + default = true; + description = '' + Specifies whether password authentication is allowed. + ''; + }; + + kbdInteractiveAuthentication = mkOption { + type = types.bool; + default = true; + description = '' + Specifies whether keyboard-interactive authentication is allowed. + ''; + }; + + hostKeys = mkOption { + type = types.listOf types.attrs; + default = + [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; } + { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + example = + [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; rounds = 100; openSSHFormat = true; } + { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; rounds = 100; comment = "key comment"; } + ]; + description = '' + NixOS can automatically generate SSH host keys. This option + specifies the path, type and size of each key. See + <citerefentry><refentrytitle>ssh-keygen</refentrytitle> + <manvolnum>1</manvolnum></citerefentry> for supported types + and sizes. + ''; + }; + + banner = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Message to display to the remote user before authentication is allowed. + ''; + }; + + authorizedKeysFiles = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Specify the rules for which files to read on the host. + + This is an advanced option. If you're looking to configure user + keys, you can generally use <xref linkend="opt-users.users._name_.openssh.authorizedKeys.keys"/> + or <xref linkend="opt-users.users._name_.openssh.authorizedKeys.keyFiles"/>. + + These are paths relative to the host root file system or home + directories and they are subject to certain token expansion rules. + See AuthorizedKeysFile in man sshd_config for details. + ''; + }; + + authorizedKeysCommand = mkOption { + type = types.str; + default = "none"; + description = '' + Specifies a program to be used to look up the user's public + keys. The program must be owned by root, not writable by group + or others and specified by an absolute path. + ''; + }; + + authorizedKeysCommandUser = mkOption { + type = types.str; + default = "nobody"; + description = '' + Specifies the user under whose account the AuthorizedKeysCommand + is run. It is recommended to use a dedicated user that has no + other role on the host than running authorized keys commands. + ''; + }; + + kexAlgorithms = mkOption { + type = types.listOf types.str; + default = [ + "curve25519-sha256" + "curve25519-sha256@libssh.org" + "diffie-hellman-group-exchange-sha256" + ]; + description = '' + Allowed key exchange algorithms + </para> + <para> + Defaults to recommended settings from both + <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> + and + <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" /> + ''; + }; + + ciphers = mkOption { + type = types.listOf types.str; + default = [ + "chacha20-poly1305@openssh.com" + "aes256-gcm@openssh.com" + "aes128-gcm@openssh.com" + "aes256-ctr" + "aes192-ctr" + "aes128-ctr" + ]; + description = '' + Allowed ciphers + </para> + <para> + Defaults to recommended settings from both + <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> + and + <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" /> + ''; + }; + + macs = mkOption { + type = types.listOf types.str; + default = [ + "hmac-sha2-512-etm@openssh.com" + "hmac-sha2-256-etm@openssh.com" + "umac-128-etm@openssh.com" + "hmac-sha2-512" + "hmac-sha2-256" + "umac-128@openssh.com" + ]; + description = '' + Allowed MACs + </para> + <para> + Defaults to recommended settings from both + <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> + and + <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" /> + ''; + }; + + logLevel = mkOption { + type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ]; + default = "INFO"; # upstream default + description = '' + Gives the verbosity level that is used when logging messages from sshd(8). The possible values are: + QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 + are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level + violates the privacy of users and is not recommended. + ''; + }; + + useDns = mkOption { + type = types.bool; + default = false; + description = '' + Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for + the remote IP address maps back to the very same IP address. + If this option is set to no (the default) then only addresses and not host names may be used in + ~/.ssh/authorized_keys from and sshd_config Match Host directives. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Verbatim contents of <filename>sshd_config</filename>."; + }; + + moduliFile = mkOption { + example = "/etc/my-local-ssh-moduli;"; + type = types.path; + description = '' + Path to <literal>moduli</literal> file to install in + <literal>/etc/ssh/moduli</literal>. If this option is unset, then + the <literal>moduli</literal> file shipped with OpenSSH will be used. + ''; + }; + + }; + + users.users = mkOption { + type = with types; attrsOf (submodule userOptions); + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + users.users.sshd = + { + isSystemUser = true; + group = "sshd"; + description = "SSH privilege separation user"; + }; + users.groups.sshd = {}; + + services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli"; + services.openssh.sftpServerExecutable = mkDefault "${cfgc.package}/libexec/sftp-server"; + + environment.etc = authKeysFiles // + { "ssh/moduli".source = cfg.moduliFile; + "ssh/sshd_config".source = sshconf; + }; + + systemd = + let + service = + { description = "SSH Daemon"; + wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target"; + after = [ "network.target" ]; + stopIfChanged = false; + path = [ cfgc.package pkgs.gawk ]; + environment.LD_LIBRARY_PATH = nssModulesPath; + + restartTriggers = optionals (!cfg.startWhenNeeded) [ + config.environment.etc."ssh/sshd_config".source + ]; + + preStart = + '' + # Make sure we don't write to stdout, since in case of + # socket activation, it goes to the remote side (#19589). + exec >&2 + + mkdir -m 0755 -p /etc/ssh + + ${flip concatMapStrings cfg.hostKeys (k: '' + if ! [ -s "${k.path}" ]; then + ssh-keygen \ + -t "${k.type}" \ + ${if k ? bits then "-b ${toString k.bits}" else ""} \ + ${if k ? rounds then "-a ${toString k.rounds}" else ""} \ + ${if k ? comment then "-C '${k.comment}'" else ""} \ + ${if k ? openSSHFormat && k.openSSHFormat then "-o" else ""} \ + -f "${k.path}" \ + -N "" + fi + '')} + ''; + + serviceConfig = + { ExecStart = + (optionalString cfg.startWhenNeeded "-") + + "${cfgc.package}/bin/sshd " + (optionalString cfg.startWhenNeeded "-i ") + + "-D " + # don't detach into a daemon process + "-f /etc/ssh/sshd_config"; + KillMode = "process"; + } // (if cfg.startWhenNeeded then { + StandardInput = "socket"; + StandardError = "journal"; + } else { + Restart = "always"; + Type = "simple"; + }); + + }; + in + + if cfg.startWhenNeeded then { + + sockets.sshd = + { description = "SSH Socket"; + wantedBy = [ "sockets.target" ]; + socketConfig.ListenStream = if cfg.listenAddresses != [] then + map (l: "${l.addr}:${toString (if l.port != null then l.port else 22)}") cfg.listenAddresses + else + cfg.ports; + socketConfig.Accept = true; + # Prevent brute-force attacks from shutting down socket + socketConfig.TriggerLimitIntervalSec = 0; + }; + + services."sshd@" = service; + + } else { + + services.sshd = service; + + }; + + networking.firewall.allowedTCPPorts = if cfg.openFirewall then cfg.ports else []; + + security.pam.services.sshd = + { startSession = true; + showMotd = true; + unixAuth = cfg.passwordAuthentication; + }; + + # These values are merged with the ones defined externally, see: + # https://github.com/NixOS/nixpkgs/pull/10155 + # https://github.com/NixOS/nixpkgs/pull/41745 + services.openssh.authorizedKeysFiles = + [ "%h/.ssh/authorized_keys" "%h/.ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ]; + + services.openssh.extraConfig = mkOrder 0 + '' + UsePAM yes + + Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner} + + AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} + ${concatMapStrings (port: '' + Port ${toString port} + '') cfg.ports} + + ${concatMapStrings ({ port, addr, ... }: '' + ListenAddress ${addr}${if port != null then ":" + toString port else ""} + '') cfg.listenAddresses} + + ${optionalString cfgc.setXAuthLocation '' + XAuthLocation ${pkgs.xorg.xauth}/bin/xauth + ''} + + X11Forwarding ${if cfg.forwardX11 then "yes" else "no"} + + ${optionalString cfg.allowSFTP '' + Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags} + ''} + + PermitRootLogin ${cfg.permitRootLogin} + GatewayPorts ${cfg.gatewayPorts} + PasswordAuthentication ${if cfg.passwordAuthentication then "yes" else "no"} + KbdInteractiveAuthentication ${if cfg.kbdInteractiveAuthentication then "yes" else "no"} + + PrintMotd no # handled by pam_motd + + AuthorizedKeysFile ${toString cfg.authorizedKeysFiles} + ${optionalString (cfg.authorizedKeysCommand != "none") '' + AuthorizedKeysCommand ${cfg.authorizedKeysCommand} + AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser} + ''} + + ${flip concatMapStrings cfg.hostKeys (k: '' + HostKey ${k.path} + '')} + + KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms} + Ciphers ${concatStringsSep "," cfg.ciphers} + MACs ${concatStringsSep "," cfg.macs} + + LogLevel ${cfg.logLevel} + + UseDNS ${if cfg.useDns then "yes" else "no"} + + ''; + + assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; + message = "cannot enable X11 forwarding without setting xauth location";}] + ++ forEach cfg.listenAddresses ({ addr, ... }: { + assertion = addr != null; + message = "addr must be specified in each listenAddresses entry"; + }); + + }; + +} diff --git a/nixos/modules/services/networking/sslh.nix b/nixos/modules/services/networking/sslh.nix new file mode 100644 index 00000000000..abe96f60f81 --- /dev/null +++ b/nixos/modules/services/networking/sslh.nix @@ -0,0 +1,168 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.sslh; + user = "sslh"; + configFile = pkgs.writeText "sslh.conf" '' + verbose: ${boolToString cfg.verbose}; + foreground: true; + inetd: false; + numeric: false; + transparent: ${boolToString cfg.transparent}; + timeout: "${toString cfg.timeout}"; + + listen: + ( + ${ + concatMapStringsSep ",\n" + (addr: ''{ host: "${addr}"; port: "${toString cfg.port}"; }'') + cfg.listenAddresses + } + ); + + ${cfg.appendConfig} + ''; + defaultAppendConfig = '' + protocols: + ( + { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; probe: "builtin"; }, + { name: "openvpn"; host: "localhost"; port: "1194"; probe: "builtin"; }, + { name: "xmpp"; host: "localhost"; port: "5222"; probe: "builtin"; }, + { name: "http"; host: "localhost"; port: "80"; probe: "builtin"; }, + { name: "tls"; host: "localhost"; port: "443"; probe: "builtin"; }, + { name: "anyprot"; host: "localhost"; port: "443"; probe: "builtin"; } + ); + ''; +in +{ + imports = [ + (mkRenamedOptionModule [ "services" "sslh" "listenAddress" ] [ "services" "sslh" "listenAddresses" ]) + ]; + + options = { + services.sslh = { + enable = mkEnableOption "sslh"; + + verbose = mkOption { + type = types.bool; + default = false; + description = "Verbose logs."; + }; + + timeout = mkOption { + type = types.int; + default = 2; + description = "Timeout in seconds."; + }; + + transparent = mkOption { + type = types.bool; + default = false; + description = "Will the services behind sslh (Apache, sshd and so on) see the external IP and ports as if the external world connected directly to them"; + }; + + listenAddresses = mkOption { + type = types.coercedTo types.str singleton (types.listOf types.str); + default = [ "0.0.0.0" "[::]" ]; + description = "Listening addresses or hostnames."; + }; + + port = mkOption { + type = types.int; + default = 443; + description = "Listening port."; + }; + + appendConfig = mkOption { + type = types.str; + default = defaultAppendConfig; + description = "Verbatim configuration file."; + }; + }; + }; + + config = mkMerge [ + (mkIf cfg.enable { + systemd.services.sslh = { + description = "Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + DynamicUser = true; + User = "sslh"; + PermissionsStartOnly = true; + Restart = "always"; + RestartSec = "1s"; + ExecStart = "${pkgs.sslh}/bin/sslh -F${configFile}"; + KillMode = "process"; + AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SETGID CAP_SETUID"; + PrivateTmp = true; + PrivateDevices = true; + ProtectSystem = "full"; + ProtectHome = true; + }; + }; + }) + + # code from https://github.com/yrutschle/sslh#transparent-proxy-support + # the only difference is using iptables mark 0x2 instead of 0x1 to avoid conflicts with nixos/nat module + (mkIf (cfg.enable && cfg.transparent) { + # Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as destination + boot.kernel.sysctl."net.ipv4.conf.default.route_localnet" = 1; + boot.kernel.sysctl."net.ipv4.conf.all.route_localnet" = 1; + + systemd.services.sslh = let + iptablesCommands = [ + # DROP martian packets as they would have been if route_localnet was zero + # Note: packets not leaving the server aren't affected by this, thus sslh will still work + { table = "raw"; command = "PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP"; } + { table = "mangle"; command = "POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP"; } + # Mark all connections made by ssl for special treatment (here sslh is run as user ${user}) + { table = "nat"; command = "OUTPUT -m owner --uid-owner ${user} -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x02/0x0f"; } + # Outgoing packets that should go to sslh instead have to be rerouted, so mark them accordingly (copying over the connection mark) + { table = "mangle"; command = "OUTPUT ! -o lo -p tcp -m connmark --mark 0x02/0x0f -j CONNMARK --restore-mark --mask 0x0f"; } + ]; + ip6tablesCommands = [ + { table = "raw"; command = "PREROUTING ! -i lo -d ::1/128 -j DROP"; } + { table = "mangle"; command = "POSTROUTING ! -o lo -s ::1/128 -j DROP"; } + { table = "nat"; command = "OUTPUT -m owner --uid-owner ${user} -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x02/0x0f"; } + { table = "mangle"; command = "OUTPUT ! -o lo -p tcp -m connmark --mark 0x02/0x0f -j CONNMARK --restore-mark --mask 0x0f"; } + ]; + in { + path = [ pkgs.iptables pkgs.iproute2 pkgs.procps ]; + + preStart = '' + # Cleanup old iptables entries which might be still there + ${concatMapStringsSep "\n" ({table, command}: "while iptables -w -t ${table} -D ${command} 2>/dev/null; do echo; done") iptablesCommands} + ${concatMapStringsSep "\n" ({table, command}: "iptables -w -t ${table} -A ${command}" ) iptablesCommands} + + # Configure routing for those marked packets + ip rule add fwmark 0x2 lookup 100 + ip route add local 0.0.0.0/0 dev lo table 100 + + '' + optionalString config.networking.enableIPv6 '' + ${concatMapStringsSep "\n" ({table, command}: "while ip6tables -w -t ${table} -D ${command} 2>/dev/null; do echo; done") ip6tablesCommands} + ${concatMapStringsSep "\n" ({table, command}: "ip6tables -w -t ${table} -A ${command}" ) ip6tablesCommands} + + ip -6 rule add fwmark 0x2 lookup 100 + ip -6 route add local ::/0 dev lo table 100 + ''; + + postStop = '' + ${concatMapStringsSep "\n" ({table, command}: "iptables -w -t ${table} -D ${command}") iptablesCommands} + + ip rule del fwmark 0x2 lookup 100 + ip route del local 0.0.0.0/0 dev lo table 100 + '' + optionalString config.networking.enableIPv6 '' + ${concatMapStringsSep "\n" ({table, command}: "ip6tables -w -t ${table} -D ${command}") ip6tablesCommands} + + ip -6 rule del fwmark 0x2 lookup 100 + ip -6 route del local ::/0 dev lo table 100 + ''; + }; + }) + ]; +} diff --git a/nixos/modules/services/networking/strongswan-swanctl/module.nix b/nixos/modules/services/networking/strongswan-swanctl/module.nix new file mode 100644 index 00000000000..9287943fcde --- /dev/null +++ b/nixos/modules/services/networking/strongswan-swanctl/module.nix @@ -0,0 +1,84 @@ +{ config, lib, pkgs, ... }: + +with lib; +with (import ./param-lib.nix lib); + +let + cfg = config.services.strongswan-swanctl; + swanctlParams = import ./swanctl-params.nix lib; +in { + options.services.strongswan-swanctl = { + enable = mkEnableOption "strongswan-swanctl service"; + + package = mkOption { + type = types.package; + default = pkgs.strongswan; + defaultText = literalExpression "pkgs.strongswan"; + description = '' + The strongswan derivation to use. + ''; + }; + + strongswan.extraConfig = mkOption { + type = types.str; + default = ""; + description = '' + Contents of the <literal>strongswan.conf</literal> file. + ''; + }; + + swanctl = paramsToOptions swanctlParams; + }; + + config = mkIf cfg.enable { + + assertions = [ + { assertion = !config.services.strongswan.enable; + message = "cannot enable both services.strongswan and services.strongswan-swanctl. Choose either one."; + } + ]; + + environment.etc."swanctl/swanctl.conf".text = + paramsToConf cfg.swanctl swanctlParams; + + # The swanctl command complains when the following directories don't exist: + # See: https://wiki.strongswan.org/projects/strongswan/wiki/Swanctldirectory + system.activationScripts.strongswan-swanctl-etc = stringAfter ["etc"] '' + mkdir -p '/etc/swanctl/x509' # Trusted X.509 end entity certificates + mkdir -p '/etc/swanctl/x509ca' # Trusted X.509 Certificate Authority certificates + mkdir -p '/etc/swanctl/x509ocsp' + mkdir -p '/etc/swanctl/x509aa' # Trusted X.509 Attribute Authority certificates + mkdir -p '/etc/swanctl/x509ac' # Attribute Certificates + mkdir -p '/etc/swanctl/x509crl' # Certificate Revocation Lists + mkdir -p '/etc/swanctl/pubkey' # Raw public keys + mkdir -p '/etc/swanctl/private' # Private keys in any format + mkdir -p '/etc/swanctl/rsa' # PKCS#1 encoded RSA private keys + mkdir -p '/etc/swanctl/ecdsa' # Plain ECDSA private keys + mkdir -p '/etc/swanctl/bliss' + mkdir -p '/etc/swanctl/pkcs8' # PKCS#8 encoded private keys of any type + mkdir -p '/etc/swanctl/pkcs12' # PKCS#12 containers + ''; + + systemd.services.strongswan-swanctl = { + description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + path = with pkgs; [ kmod iproute2 iptables util-linux ]; + environment = { + STRONGSWAN_CONF = pkgs.writeTextFile { + name = "strongswan.conf"; + text = cfg.strongswan.extraConfig; + }; + SWANCTL_DIR = "/etc/swanctl"; + }; + restartTriggers = [ config.environment.etc."swanctl/swanctl.conf".source ]; + serviceConfig = { + ExecStart = "${cfg.package}/sbin/charon-systemd"; + Type = "notify"; + ExecStartPost = "${cfg.package}/sbin/swanctl --load-all --noprompt"; + ExecReload = "${cfg.package}/sbin/swanctl --reload"; + Restart = "on-abnormal"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix b/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix new file mode 100644 index 00000000000..dfdfc50d8ae --- /dev/null +++ b/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix @@ -0,0 +1,162 @@ +# In the following context a parameter is an attribute set that +# contains a NixOS option and a render function. It also contains the +# attribute: '_type = "param"' so we can distinguish it from other +# sets. +# +# The render function is used to convert the value of the option to a +# snippet of strongswan.conf. Most parameters simply render their +# value to a string. For example, take the following parameter: +# +# threads = mkIntParam 10 "Threads to use for request handling."; +# +# When a users defines the corresponding option as for example: +# +# services.strongswan-swanctl.strongswan.threads = 32; +# +# It will get rendered to the following snippet in strongswan.conf: +# +# threads = 32 +# +# Some parameters however need to be able to change the attribute +# name. For example, take the following parameter: +# +# id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") "..."; +# +# A user can define the corresponding option as for example: +# +# id = { +# "foo" = "bar"; +# "baz" = "qux"; +# }; +# +# This will get rendered to the following snippet: +# +# foo-id = bar +# baz-id = qux +# +# For this reason the render function is not simply a function from +# value -> string but a function from a value to an attribute set: +# { "${name}" = string }. This allows parameters to change the attribute +# name like in the previous example. + +lib : + +with lib; +with (import ./param-lib.nix lib); + +rec { + mkParamOfType = type : strongswanDefault : description : { + _type = "param"; + option = mkOption { + type = types.nullOr type; + default = null; + description = documentDefault description strongswanDefault; + }; + render = single toString; + }; + + documentDefault = description : strongswanDefault : + if strongswanDefault == null + then description + else description + '' + </para><para> + StrongSwan default: <literal><![CDATA[${builtins.toJSON strongswanDefault}]]></literal> + ''; + + single = f: name: value: { ${name} = f value; }; + + mkStrParam = mkParamOfType types.str; + mkOptionalStrParam = mkStrParam null; + + mkEnumParam = values : mkParamOfType (types.enum values); + + mkIntParam = mkParamOfType types.int; + mkOptionalIntParam = mkIntParam null; + + # We should have floats in Nix... + mkFloatParam = mkStrParam; + + # TODO: Check for hex format: + mkHexParam = mkStrParam; + mkOptionalHexParam = mkOptionalStrParam; + + # TODO: Check for duration format: + mkDurationParam = mkStrParam; + mkOptionalDurationParam = mkOptionalStrParam; + + mkYesNoParam = strongswanDefault : description : { + _type = "param"; + option = mkOption { + type = types.nullOr types.bool; + default = null; + description = documentDefault description strongswanDefault; + }; + render = single (b: if b then "yes" else "no"); + }; + yes = true; + no = false; + + mkSpaceSepListParam = mkSepListParam " "; + mkCommaSepListParam = mkSepListParam ","; + + mkSepListParam = sep : strongswanDefault : description : { + _type = "param"; + option = mkOption { + type = types.nullOr (types.listOf types.str); + default = null; + description = documentDefault description strongswanDefault; + }; + render = single (value: concatStringsSep sep value); + }; + + mkAttrsOfParams = params : + mkAttrsOf params (types.submodule {options = paramsToOptions params;}); + + mkAttrsOfParam = param : + mkAttrsOf param param.option.type; + + mkAttrsOf = param : option : description : { + _type = "param"; + option = mkOption { + type = types.attrsOf option; + default = {}; + inherit description; + }; + render = single (attrs: + (paramsToRenderedStrings attrs + (mapAttrs (_n: _v: param) attrs))); + }; + + mkPrefixedAttrsOfParams = params : + mkPrefixedAttrsOf params (types.submodule {options = paramsToOptions params;}); + + mkPrefixedAttrsOfParam = param : + mkPrefixedAttrsOf param param.option.type; + + mkPrefixedAttrsOf = p : option : description : { + _type = "param"; + option = mkOption { + type = types.attrsOf option; + default = {}; + inherit description; + }; + render = prefix: attrs: + let prefixedAttrs = mapAttrs' (name: nameValuePair "${prefix}-${name}") attrs; + in paramsToRenderedStrings prefixedAttrs + (mapAttrs (_n: _v: p) prefixedAttrs); + }; + + mkPostfixedAttrsOfParams = params : description : { + _type = "param"; + option = mkOption { + type = types.attrsOf (types.submodule {options = paramsToOptions params;}); + default = {}; + inherit description; + }; + render = postfix: attrs: + let postfixedAttrs = mapAttrs' (name: nameValuePair "${name}-${postfix}") attrs; + in paramsToRenderedStrings postfixedAttrs + (mapAttrs (_n: _v: params) postfixedAttrs); + }; + +} diff --git a/nixos/modules/services/networking/strongswan-swanctl/param-lib.nix b/nixos/modules/services/networking/strongswan-swanctl/param-lib.nix new file mode 100644 index 00000000000..2bbb39a7604 --- /dev/null +++ b/nixos/modules/services/networking/strongswan-swanctl/param-lib.nix @@ -0,0 +1,82 @@ +lib : + +with lib; + +rec { + paramsToConf = cfg : ps : mkConf 0 (paramsToRenderedStrings cfg ps); + + # mkConf takes an indentation level (which usually starts at 0) and a nested + # attribute set of strings and will render that set to a strongswan.conf style + # configuration format. For example: + # + # mkConf 0 {a = "1"; b = { c = { "foo" = "2"; "bar" = "3"; }; d = "4";};} => '' + # a = 1 + # b { + # c { + # foo = 2 + # bar = 3 + # } + # d = 4 + # }'' + mkConf = indent : ps : + concatMapStringsSep "\n" + (name: + let value = ps.${name}; + indentation = replicate indent " "; + in + indentation + ( + if isAttrs value + then "${name} {\n" + + mkConf (indent + 2) value + "\n" + + indentation + "}" + else "${name} = ${value}" + ) + ) + (attrNames ps); + + replicate = n : c : concatStrings (builtins.genList (_x : c) n); + + # `paramsToRenderedStrings cfg ps` converts the NixOS configuration `cfg` + # (typically the "config" argument of a NixOS module) and the set of + # parameters `ps` (an attribute set where the values are constructed using the + # parameter constructors in ./param-constructors.nix) to a nested attribute + # set of strings (rendered parameters). + paramsToRenderedStrings = cfg : ps : + filterEmptySets ( + (mapParamsRecursive (path: name: param: + let value = attrByPath path null cfg; + in optionalAttrs (value != null) (param.render name value) + ) ps)); + + filterEmptySets = set : filterAttrs (n: v: (v != null)) (mapAttrs (name: value: + if isAttrs value + then let value' = filterEmptySets value; + in if value' == {} + then null + else value' + else value + ) set); + + # Recursively map over every parameter in the given attribute set. + mapParamsRecursive = mapAttrsRecursiveCond' (as: (!(as ? _type && as._type == "param"))); + + mapAttrsRecursiveCond' = cond: f: set: + let + recurse = path: set: + let + g = + name: value: + if isAttrs value && cond value + then { ${name} = recurse (path ++ [name]) value; } + else f (path ++ [name]) name value; + in mapAttrs'' g set; + in recurse [] set; + + mapAttrs'' = f: set: + foldl' (a: b: a // b) {} (map (attr: f attr set.${attr}) (attrNames set)); + + # Extract the options from the given set of parameters. + paramsToOptions = ps : + mapParamsRecursive (_path: name: param: { ${name} = param.option; }) ps; + +} diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix new file mode 100644 index 00000000000..cca61b9ce93 --- /dev/null +++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix @@ -0,0 +1,1310 @@ +# See: https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf +# +# When strongSwan is upgraded please update the parameters in this file. You can +# see which parameters should be deleted, changed or added by diffing +# swanctl.opt: +# +# git clone https://github.com/strongswan/strongswan.git +# cd strongswan +# git diff 5.7.2..5.8.0 src/swanctl/swanctl.opt + +lib: with (import ./param-constructors.nix lib); + +let + certParams = { + file = mkOptionalStrParam '' + Absolute path to the certificate to load. Passed as-is to the daemon, so + it must be readable by it. + </para><para> + Configure either this or <option>handle</option>, but not both, in one section. + ''; + + handle = mkOptionalHexParam '' + Hex-encoded CKA_ID or handle of the certificate on a token or TPM, + respectively. + </para><para> + Configure either this or <option>file</option>, but not both, in one section. + ''; + + slot = mkOptionalIntParam '' + Optional slot number of the token that stores the certificate. + ''; + + module = mkOptionalStrParam '' + Optional PKCS#11 module name. + ''; + }; +in { + authorities = mkAttrsOfParams ({ + + cacert = mkOptionalStrParam '' + The certificates may use a relative path from the swanctl + <literal>x509ca</literal> directory or an absolute path. + </para><para> + Configure one of <option>cacert</option>, + <option>file</option>, or + <option>handle</option> per section. + ''; + + cert_uri_base = mkOptionalStrParam '' + Defines the base URI for the Hash and URL feature supported by + IKEv2. Instead of exchanging complete certificates, IKEv2 allows one to + send an URI that resolves to the DER encoded certificate. The certificate + URIs are built by appending the SHA1 hash of the DER encoded certificates + to this base URI. + ''; + + crl_uris = mkCommaSepListParam [] '' + List of CRL distribution points (ldap, http, or file URI). + ''; + + ocsp_uris = mkCommaSepListParam [] '' + List of OCSP URIs. + ''; + + } // certParams) '' + Section defining complementary attributes of certification authorities, each + in its own subsection with an arbitrary yet unique name + ''; + + connections = mkAttrsOfParams { + + version = mkIntParam 0 '' + IKE major version to use for connection. + <itemizedlist> + <listitem><para>1 uses IKEv1 aka ISAKMP,</para></listitem> + <listitem><para>2 uses IKEv2.</para></listitem> + <listitem><para>A connection using the default of 0 accepts both IKEv1 and IKEv2 as + responder, and initiates the connection actively with IKEv2.</para></listitem> + </itemizedlist> + ''; + + local_addrs = mkCommaSepListParam [] '' + Local address(es) to use for IKE communication. Takes + single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges. + </para><para> + As initiator, the first non-range/non-subnet is used to initiate the + connection from. As responder, the local destination address must match at + least to one of the specified addresses, subnets or ranges. + </para><para> + If FQDNs are assigned they are resolved every time a configuration lookup + is done. If DNS resolution times out, the lookup is delayed for that time. + ''; + + remote_addrs = mkCommaSepListParam [] '' + Remote address(es) to use for IKE communication. Takes + single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges. + </para><para> + As initiator, the first non-range/non-subnet is used to initiate the + connection to. As responder, the initiator source address must match at + least to one of the specified addresses, subnets or ranges. + </para><para> + If FQDNs are assigned they are resolved every time a configuration lookup + is done. If DNS resolution times out, the lookup is delayed for that time. + To initiate a connection, at least one specific address or DNS name must + be specified. + ''; + + local_port = mkIntParam 500 '' + Local UDP port for IKE communication. By default the port of the socket + backend is used, which is usually <literal>500</literal>. If port + <literal>500</literal> is used, automatic IKE port floating to port + <literal>4500</literal> is used to work around NAT issues. + </para><para> + Using a non-default local IKE port requires support from the socket + backend in use (socket-dynamic). + ''; + + remote_port = mkIntParam 500 '' + Remote UDP port for IKE communication. If the default of port + <literal>500</literal> is used, automatic IKE port floating to port + <literal>4500</literal> is used to work around NAT issues. + ''; + + proposals = mkCommaSepListParam ["default"] '' + A proposal is a set of algorithms. For non-AEAD algorithms, this includes + for IKE an encryption algorithm, an integrity algorithm, a pseudo random + function and a Diffie-Hellman group. For AEAD algorithms, instead of + encryption and integrity algorithms, a combined algorithm is used. + </para><para> + In IKEv2, multiple algorithms of the same kind can be specified in a + single proposal, from which one gets selected. In IKEv1, only one + algorithm per kind is allowed per proposal, more algorithms get implicitly + stripped. Use multiple proposals to offer different algorithms + combinations in IKEv1. + </para><para> + Algorithm keywords get separated using dashes. Multiple proposals may be + specified in a list. The special value <literal>default</literal> forms a + default proposal of supported algorithms considered safe, and is usually a + good choice for interoperability. + ''; + + vips = mkCommaSepListParam [] '' + List of virtual IPs to request in IKEv2 configuration payloads or IKEv1 + Mode Config. The wildcard addresses <literal>0.0.0.0</literal> and + <literal>::</literal> request an arbitrary address, specific addresses may + be defined. The responder may return a different address, though, or none + at all. + ''; + + aggressive = mkYesNoParam no '' + Enables Aggressive Mode instead of Main Mode with Identity + Protection. Aggressive Mode is considered less secure, because the ID and + HASH payloads are exchanged unprotected. This allows a passive attacker to + snoop peer identities, and even worse, start dictionary attacks on the + Preshared Key. + ''; + + pull = mkYesNoParam yes '' + If the default of yes is used, Mode Config works in pull mode, where the + initiator actively requests a virtual IP. With no, push mode is used, + where the responder pushes down a virtual IP to the initiating peer. + </para><para> + Push mode is currently supported for IKEv1, but not in IKEv2. It is used + by a few implementations only, pull mode is recommended. + ''; + + dscp = mkStrParam "000000" '' + Differentiated Services Field Codepoint to set on outgoing IKE packets for + this connection. The value is a six digit binary encoded string specifying + the Codepoint to set, as defined in RFC 2474. + ''; + + encap = mkYesNoParam no '' + To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the + NAT detection payloads. This makes the peer believe that NAT takes place + on the path, forcing it to encapsulate ESP packets in UDP. + </para><para> + Usually this is not required, but it can help to work around connectivity + issues with too restrictive intermediary firewalls. + ''; + + mobike = mkYesNoParam yes '' + Enables MOBIKE on IKEv2 connections. MOBIKE is enabled by default on IKEv2 + connections, and allows mobility of clients and multi-homing on servers by + migrating active IPsec tunnels. + </para><para> + Usually keeping MOBIKE enabled is unproblematic, as it is not used if the + peer does not indicate support for it. However, due to the design of + MOBIKE, IKEv2 always floats to port 4500 starting from the second + exchange. Some implementations don't like this behavior, hence it can be + disabled. + ''; + + dpd_delay = mkDurationParam "0s" '' + Interval to check the liveness of a peer actively using IKEv2 + INFORMATIONAL exchanges or IKEv1 R_U_THERE messages. Active DPD checking + is only enforced if no IKE or ESP/AH packet has been received for the + configured DPD delay. + ''; + + dpd_timeout = mkDurationParam "0s" '' + Charon by default uses the normal retransmission mechanism and timeouts to + check the liveness of a peer, as all messages are used for liveness + checking. For compatibility reasons, with IKEv1 a custom interval may be + specified; this option has no effect on connections using IKEv2. + ''; + + fragmentation = mkEnumParam ["yes" "accept" "force" "no"] "yes" '' + Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 + fragmentation). Acceptable values are <literal>yes</literal> (the default + since 5.5.1), <literal>accept</literal> (since versions:5.5.3), + <literal>force</literal> and <literal>no</literal>. + <itemizedlist> + <listitem><para>If set to <literal>yes</literal>, and the peer + supports it, oversized IKE messages will be sent in fragments.</para></listitem> + <listitem><para>If set to + <literal>accept</literal>, support for fragmentation is announced to the peer but the daemon + does not send its own messages in fragments.</para></listitem> + <listitem><para>If set to <literal>force</literal> (only + supported for IKEv1) the initial IKE message will already be fragmented if + required.</para></listitem> + <listitem><para>Finally, setting the option to <literal>no</literal> will disable announcing + support for this feature.</para></listitem> + </itemizedlist> + </para><para> + Note that fragmented IKE messages sent by a peer are always processed + irrespective of the value of this option (even when set to no). + ''; + + childless = mkEnumParam [ "allow" "force" "never" ] "allow" '' + Use childless IKE_SA initiation (RFC 6023) for IKEv2. Acceptable values + are <literal>allow</literal> (the default), <literal>force</literal> and + <literal>never</literal>. If set to <literal>allow</literal>, responders + will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT + response) while initiators continue to create regular IKE_SAs with the + first CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated + explicitly without any children (which will fail if the responder does not + support or has disabled this extension). If set to + <literal>force</literal>, only childless initiation is accepted and the + first CHILD_SA is created with a separate CREATE_CHILD_SA exchange + (e.g. to use an independent DH exchange for all CHILD_SAs). Finally, + setting the option to <literal>never</literal> disables support for + childless IKE_SAs as responder. + ''; + + send_certreq = mkYesNoParam yes '' + Send certificate request payloads to offer trusted root CA certificates to + the peer. Certificate requests help the peer to choose an appropriate + certificate/private key for authentication and are enabled by default. + Disabling certificate requests can be useful if too many trusted root CA + certificates are installed, as each certificate request increases the size + of the initial IKE packets. + ''; + + send_cert = mkEnumParam ["always" "never" "ifasked" ] "ifasked" '' + Send certificate payloads when using certificate authentication. + <itemizedlist> + <listitem><para>With the default of <literal>ifasked</literal> the daemon sends + certificate payloads only if certificate requests have been received.</para></listitem> + <listitem><para><literal>never</literal> disables sending of certificate payloads + altogether,</para></listitem> + <listitem><para><literal>always</literal> causes certificate payloads to be sent + unconditionally whenever certificate authentication is used.</para></listitem> + </itemizedlist> + ''; + + ppk_id = mkOptionalStrParam '' + String identifying the Postquantum Preshared Key (PPK) to be used. + ''; + + ppk_required = mkYesNoParam no '' + Whether a Postquantum Preshared Key (PPK) is required for this connection. + ''; + + keyingtries = mkIntParam 1 '' + Number of retransmission sequences to perform during initial + connect. Instead of giving up initiation after the first retransmission + sequence with the default value of <literal>1</literal>, additional + sequences may be started according to the configured value. A value of + <literal>0</literal> initiates a new sequence until the connection + establishes or fails with a permanent error. + ''; + + unique = mkEnumParam ["no" "never" "keep" "replace"] "no" '' + Connection uniqueness policy to enforce. To avoid multiple connections + from the same user, a uniqueness policy can be enforced. + </para><para> + <itemizedlist> + <listitem><para> + The value <literal>never</literal> does never enforce such a policy, even + if a peer included INITIAL_CONTACT notification messages, + </para></listitem> + <listitem><para> + whereas <literal>no</literal> replaces existing connections for the same + identity if a new one has the INITIAL_CONTACT notify. + </para></listitem> + <listitem><para> + <literal>keep</literal> rejects new connection attempts if the same user + already has an active connection, + </para></listitem> + <listitem><para> + <literal>replace</literal> deletes any existing connection if a new one + for the same user gets established. + </para></listitem> + </itemizedlist> + To compare connections for uniqueness, the remote IKE identity is used. If + EAP or XAuth authentication is involved, the EAP-Identity or XAuth + username is used to enforce the uniqueness policy instead. + </para><para> + On initiators this setting specifies whether an INITIAL_CONTACT notify is + sent during IKE_AUTH if no existing connection is found with the remote + peer (determined by the identities of the first authentication + round). Unless set to <literal>never</literal> the client will send a notify. + ''; + + reauth_time = mkDurationParam "0s" '' + Time to schedule IKE reauthentication. IKE reauthentication recreates the + IKE/ISAKMP SA from scratch and re-evaluates the credentials. In asymmetric + configurations (with EAP or configuration payloads) it might not be + possible to actively reauthenticate as responder. The IKEv2 + reauthentication lifetime negotiation can instruct the client to perform + reauthentication. + </para><para> + Reauthentication is disabled by default. Enabling it usually may lead to + small connection interruptions, as strongSwan uses a break-before-make + policy with IKEv2 to avoid any conflicts with associated tunnel resources. + ''; + + rekey_time = mkDurationParam "4h" '' + IKE rekeying refreshes key material using a Diffie-Hellman exchange, but + does not re-check associated credentials. It is supported in IKEv2 only, + IKEv1 performs a reauthentication procedure instead. + </para><para> + With the default value IKE rekeying is scheduled every 4 hours, minus the + configured rand_time. If a reauth_time is configured, rekey_time defaults + to zero, disabling rekeying; explicitly set both to enforce rekeying and + reauthentication. + ''; + + over_time = mkOptionalDurationParam '' + Hard IKE_SA lifetime if rekey/reauth does not complete, as time. To avoid + having an IKE/ISAKMP kept alive if IKE reauthentication or rekeying fails + perpetually, a maximum hard lifetime may be specified. If the IKE_SA fails + to rekey or reauthenticate within the specified time, the IKE_SA gets + closed. + </para><para> + In contrast to CHILD_SA rekeying, over_time is relative in time to the + rekey_time and reauth_time values, as it applies to both. + </para><para> + The default is 10% of the longer of <option>rekey_time</option> and + <option>reauth_time</option>. + ''; + + rand_time = mkOptionalDurationParam '' + Time range from which to choose a random value to subtract from + rekey/reauth times. To avoid having both peers initiating the rekey/reauth + procedure simultaneously, a random time gets subtracted from the + rekey/reauth times. + </para><para> + The default is equal to the configured <option>over_time</option>. + ''; + + pools = mkCommaSepListParam [] '' + List of named IP pools to allocate virtual IP addresses + and other configuration attributes from. Each name references a pool by + name from either the pools section or an external pool. + ''; + + if_id_in = mkStrParam "0" '' + XFRM interface ID set on inbound policies/SA, can be overridden by child + config, see there for details. + ''; + + if_id_out = mkStrParam "0" '' + XFRM interface ID set on outbound policies/SA, can be overridden by child + config, see there for details. + ''; + + mediation = mkYesNoParam no '' + Whether this connection is a mediation connection, that is, whether this + connection is used to mediate other connections using the IKEv2 Mediation + Extension. Mediation connections create no CHILD_SA. + ''; + + mediated_by = mkOptionalStrParam '' + The name of the connection to mediate this connection through. If given, + the connection will be mediated through the named mediation + connection. The mediation connection must have mediation enabled. + ''; + + mediation_peer = mkOptionalStrParam '' + Identity under which the peer is registered at the mediation server, that + is, the IKE identity the other end of this connection uses as its local + identity on its connection to the mediation server. This is the identity + we request the mediation server to mediate us with. Only relevant on + connections that set mediated_by. If it is not given, the remote IKE + identity of the first authentication round of this connection will be + used. + ''; + + local = mkPrefixedAttrsOfParams { + + round = mkIntParam 0 '' + Optional numeric identifier by which authentication rounds are + sorted. If not specified rounds are ordered by their position in the + config file/vici message. + ''; + + certs = mkCommaSepListParam [] '' + List of certificate candidates to use for + authentication. The certificates may use a relative path from the + swanctl <literal>x509</literal> directory or an absolute path. + </para><para> + The certificate used for authentication is selected based on the + received certificate request payloads. If no appropriate CA can be + located, the first certificate is used. + ''; + + cert = mkPostfixedAttrsOfParams certParams '' + Section for a certificate candidate to use for + authentication. Certificates in certs are transmitted as binary blobs, + these sections offer more flexibility. + ''; + + pubkeys = mkCommaSepListParam [] '' + List of raw public key candidates to use for + authentication. The public keys may use a relative path from the swanctl + <literal>pubkey</literal> directory or an absolute path. + </para><para> + Even though multiple local public keys could be defined in principle, + only the first public key in the list is used for authentication. + ''; + + auth = mkStrParam "pubkey" '' + Authentication to perform locally. + <itemizedlist> + <listitem><para> + The default <literal>pubkey</literal> uses public key authentication + using a private key associated to a usable certificate. + </para></listitem> + <listitem><para> + <literal>psk</literal> uses pre-shared key authentication. + </para></listitem> + <listitem><para> + The IKEv1 specific <literal>xauth</literal> is used for XAuth or Hybrid + authentication, + </para></listitem> + <listitem><para> + while the IKEv2 specific <literal>eap</literal> keyword defines EAP + authentication. + </para></listitem> + <listitem><para> + For <literal>xauth</literal>, a specific backend name may be appended, + separated by a dash. The appropriate <literal>xauth</literal> backend is + selected to perform the XAuth exchange. For traditional XAuth, the + <literal>xauth</literal> method is usually defined in the second + authentication round following an initial <literal>pubkey</literal> (or + <literal>psk</literal>) round. Using <literal>xauth</literal> in the + first round performs Hybrid Mode client authentication. + </para></listitem> + <listitem><para> + For <literal>eap</literal>, a specific EAP method name may be appended, separated by a + dash. An EAP module implementing the appropriate method is selected to + perform the EAP conversation. + </para></listitem> + <listitem><para> + Since 5.4.0, if both peers support RFC 7427 ("Signature Authentication + in IKEv2") specific hash algorithms to be used during IKEv2 + authentication may be configured. To do so use <literal>ike:</literal> + followed by a trust chain signature scheme constraint (see description + of the <option>remote</option> section's <option>auth</option> + keyword). For example, with <literal>ike:pubkey-sha384-sha256</literal> + a public key signature scheme with either SHA-384 or SHA-256 would get + used for authentication, in that order and depending on the hash + algorithms supported by the peer. If no specific hash algorithms are + configured, the default is to prefer an algorithm that matches or + exceeds the strength of the signature key. If no constraints with + <literal>ike:</literal> prefix are configured any signature scheme + constraint (without <literal>ike:</literal> prefix) will also apply to + IKEv2 authentication, unless this is disabled in + <literal>strongswan.conf</literal>. To use RSASSA-PSS signatures use + <literal>rsa/pss</literal> instead of <literal>pubkey</literal> or + <literal>rsa</literal> as in e.g. + <literal>ike:rsa/pss-sha256</literal>. If <literal>pubkey</literal> or + <literal>rsa</literal> constraints are configured RSASSA-PSS signatures + will only be used if enabled in <literal>strongswan.conf</literal>(5). + </para></listitem> + </itemizedlist> + ''; + + id = mkOptionalStrParam '' + IKE identity to use for authentication round. When using certificate + authentication, the IKE identity must be contained in the certificate, + either as subject or as subjectAltName. + ''; + + eap_id = mkOptionalStrParam '' + Client EAP-Identity to use in EAP-Identity exchange and the EAP method. + ''; + + aaa_id = mkOptionalStrParam '' + Server side EAP-Identity to expect in the EAP method. Some EAP methods, + such as EAP-TLS, use an identity for the server to perform mutual + authentication. This identity may differ from the IKE identity, + especially when EAP authentication is delegated from the IKE responder + to an AAA backend. + </para><para> + For EAP-(T)TLS, this defines the identity for which the server must + provide a certificate in the TLS exchange. + ''; + + xauth_id = mkOptionalStrParam '' + Client XAuth username used in the XAuth exchange. + ''; + + } '' + Section for a local authentication round. A local authentication round + defines the rules how authentication is performed for the local + peer. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple + Authentication or IKEv1 XAuth. + </para><para> + Each round is defined in a section having <literal>local</literal> as + prefix, and an optional unique suffix. To define a single authentication + round, the suffix may be omitted. + ''; + + remote = mkPrefixedAttrsOfParams { + + round = mkIntParam 0 '' + Optional numeric identifier by which authentication rounds are + sorted. If not specified rounds are ordered by their position in the + config file/vici message. + ''; + + id = mkStrParam "%any" '' + IKE identity to expect for authentication round. When using certificate + authentication, the IKE identity must be contained in the certificate, + either as subject or as subjectAltName. + ''; + + eap_id = mkOptionalStrParam '' + Identity to use as peer identity during EAP authentication. If set to + <literal>%any</literal> the EAP-Identity method will be used to ask the + client for an EAP identity. + ''; + + groups = mkCommaSepListParam [] '' + Authorization group memberships to require. The peer + must prove membership to at least one of the specified groups. Group + membership can be certified by different means, for example by + appropriate Attribute Certificates or by an AAA backend involved in the + authentication. + ''; + + cert_policy = mkCommaSepListParam [] '' + List of certificate policy OIDs the peer's certificate + must have. OIDs are specified using the numerical dotted representation. + ''; + + certs = mkCommaSepListParam [] '' + List of certificates to accept for authentication. The certificates may + use a relative path from the swanctl <literal>x509</literal> directory + or an absolute path. + ''; + + cert = mkPostfixedAttrsOfParams certParams '' + Section for a certificate candidate to use for + authentication. Certificates in certs are transmitted as binary blobs, + these sections offer more flexibility. + ''; + + ca_id = mkOptionalStrParam '' + Identity in CA certificate to accept for authentication. The specified + identity must be contained in one (intermediate) CA of the remote peer + trustchain, either as subject or as subjectAltName. This has the same + effect as specifying <literal>cacerts</literal> to force clients under + a CA to specific connections; it does not require the CA certificate + to be available locally, and can be received from the peer during the + IKE exchange. + ''; + + cacerts = mkCommaSepListParam [] '' + List of CA certificates to accept for + authentication. The certificates may use a relative path from the + swanctl <literal>x509ca</literal> directory or an absolute path. + ''; + + cacert = mkPostfixedAttrsOfParams certParams '' + Section for a CA certificate to accept for authentication. Certificates + in cacerts are transmitted as binary blobs, these sections offer more + flexibility. + ''; + + pubkeys = mkCommaSepListParam [] '' + List of raw public keys to accept for + authentication. The public keys may use a relative path from the swanctl + <literal>pubkey</literal> directory or an absolute path. + ''; + + revocation = mkEnumParam ["strict" "ifuri" "relaxed"] "relaxed" '' + Certificate revocation policy for CRL or OCSP revocation. + <itemizedlist> + <listitem><para> + A <literal>strict</literal> revocation policy fails if no revocation information is + available, i.e. the certificate is not known to be unrevoked. + </para></listitem> + <listitem><para> + <literal>ifuri</literal> fails only if a CRL/OCSP URI is available, but certificate + revocation checking fails, i.e. there should be revocation information + available, but it could not be obtained. + </para></listitem> + <listitem><para> + The default revocation policy <literal>relaxed</literal> fails only if a certificate is + revoked, i.e. it is explicitly known that it is bad. + </para></listitem> + </itemizedlist> + ''; + + auth = mkStrParam "pubkey" '' + Authentication to expect from remote. See the <option>local</option> + section's <option>auth</option> keyword description about the details of + supported mechanisms. + </para><para> + Since 5.4.0, to require a trustchain public key strength for the remote + side, specify the key type followed by the minimum strength in bits (for + example <literal>ecdsa-384</literal> or + <literal>rsa-2048-ecdsa-256</literal>). To limit the acceptable set of + hashing algorithms for trustchain validation, append hash algorithms to + pubkey or a key strength definition (for example + <literal>pubkey-sha256-sha512</literal>, + <literal>rsa-2048-sha256-sha384-sha512</literal> or + <literal>rsa-2048-sha256-ecdsa-256-sha256-sha384</literal>). + Unless disabled in <literal>strongswan.conf</literal>, or explicit IKEv2 + signature constraints are configured (refer to the description of the + <option>local</option> section's <option>auth</option> keyword for + details), such key types and hash algorithms are also applied as + constraints against IKEv2 signature authentication schemes used by the + remote side. To require RSASSA-PSS signatures use + <literal>rsa/pss</literal> instead of <literal>pubkey</literal> or + <literal>rsa</literal> as in e.g. <literal>rsa/pss-sha256</literal>. If + <literal>pubkey</literal> or <literal>rsa</literal> constraints are + configured RSASSA-PSS signatures will only be accepted if enabled in + <literal>strongswan.conf</literal>(5). + </para><para> + To specify trust chain constraints for EAP-(T)TLS, append a colon to the + EAP method, followed by the key type/size and hash algorithm as + discussed above (e.g. <literal>eap-tls:ecdsa-384-sha384</literal>). + ''; + + } '' + Section for a remote authentication round. A remote authentication round + defines the constraints how the peers must authenticate to use this + connection. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple + Authentication or IKEv1 XAuth. + </para><para> + Each round is defined in a section having <literal>remote</literal> as + prefix, and an optional unique suffix. To define a single authentication + round, the suffix may be omitted. + ''; + + children = mkAttrsOfParams { + ah_proposals = mkCommaSepListParam [] '' + AH proposals to offer for the CHILD_SA. A proposal is a set of + algorithms. For AH, this includes an integrity algorithm and an optional + Diffie-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode + rekeying and initial negotiation uses a separate Diffie-Hellman exchange + using the specified group (refer to esp_proposals for details). + </para><para> + In IKEv2, multiple algorithms of the same kind can be specified in a + single proposal, from which one gets selected. In IKEv1, only one + algorithm per kind is allowed per proposal, more algorithms get + implicitly stripped. Use multiple proposals to offer different algorithms + combinations in IKEv1. + </para><para> + Algorithm keywords get separated using dashes. Multiple proposals may be + specified in a list. The special value <literal>default</literal> forms + a default proposal of supported algorithms considered safe, and is + usually a good choice for interoperability. By default no AH proposals + are included, instead ESP is proposed. + ''; + + esp_proposals = mkCommaSepListParam ["default"] '' + ESP proposals to offer for the CHILD_SA. A proposal is a set of + algorithms. For ESP non-AEAD proposals, this includes an integrity + algorithm, an encryption algorithm, an optional Diffie-Hellman group and + an optional Extended Sequence Number Mode indicator. For AEAD proposals, + a combined mode algorithm is used instead of the separate + encryption/integrity algorithms. + </para><para> + If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial + negotiation use a separate Diffie-Hellman exchange using the specified + group. However, for IKEv2, the keys of the CHILD_SA created implicitly + with the IKE_SA will always be derived from the IKE_SA's key material. So + any DH group specified here will only apply when the CHILD_SA is later + rekeyed or is created with a separate CREATE_CHILD_SA exchange. A + proposal mismatch might, therefore, not immediately be noticed when the + SA is established, but may later cause rekeying to fail. + </para><para> + Extended Sequence Number support may be indicated with the + <literal>esn</literal> and <literal>noesn</literal> values, both may be + included to indicate support for both modes. If omitted, + <literal>noesn</literal> is assumed. + </para><para> + In IKEv2, multiple algorithms of the same kind can be specified in a + single proposal, from which one gets selected. In IKEv1, only one + algorithm per kind is allowed per proposal, more algorithms get + implicitly stripped. Use multiple proposals to offer different algorithms + combinations in IKEv1. + </para><para> + Algorithm keywords get separated using dashes. Multiple proposals may be + specified as a list. The special value <literal>default</literal> forms + a default proposal of supported algorithms considered safe, and is + usually a good choice for interoperability. If no algorithms are + specified for AH nor ESP, the default set of algorithms for ESP is + included. + ''; + + sha256_96 = mkYesNoParam no '' + HMAC-SHA-256 is used with 128-bit truncation with IPsec. For + compatibility with implementations that incorrectly use 96-bit truncation + this option may be enabled to configure the shorter truncation length in + the kernel. This is not negotiated, so this only works with peers that + use the incorrect truncation length (or have this option enabled). + ''; + + local_ts = mkCommaSepListParam ["dynamic"] '' + List of local traffic selectors to include in CHILD_SA. Each selector is + a CIDR subnet definition, followed by an optional proto/port + selector. The special value <literal>dynamic</literal> may be used + instead of a subnet definition, which gets replaced by the tunnel outer + address or the virtual IP, if negotiated. This is the default. + </para><para> + A protocol/port selector is surrounded by opening and closing square + brackets. Between these brackets, a numeric or getservent(3) protocol + name may be specified. After the optional protocol restriction, an + optional port restriction may be specified, separated by a slash. The + port restriction may be numeric, a getservent(3) service name, or the + special value <literal>opaque</literal> for RFC 4301 OPAQUE + selectors. Port ranges may be specified as well, none of the kernel + backends currently support port ranges, though. + </para><para> + When IKEv1 is used only the first selector is interpreted, except if the + Cisco Unity extension plugin is used. This is due to a limitation of the + IKEv1 protocol, which only allows a single pair of selectors per + CHILD_SA. So to tunnel traffic matched by several pairs of selectors when + using IKEv1 several children (CHILD_SAs) have to be defined that cover + the selectors. The IKE daemon uses traffic selector narrowing for IKEv1, + the same way it is standardized and implemented for IKEv2. However, this + may lead to problems with other implementations. To avoid that, configure + identical selectors in such scenarios. + ''; + + remote_ts = mkCommaSepListParam ["dynamic"] '' + List of remote selectors to include in CHILD_SA. See + <option>local_ts</option> for a description of the selector syntax. + ''; + + rekey_time = mkDurationParam "1h" '' + Time to schedule CHILD_SA rekeying. CHILD_SA rekeying refreshes key + material, optionally using a Diffie-Hellman exchange if a group is + specified in the proposal. To avoid rekey collisions initiated by both + ends simultaneously, a value in the range of <option>rand_time</option> + gets subtracted to form the effective soft lifetime. + </para><para> + By default CHILD_SA rekeying is scheduled every hour, minus + <option>rand_time</option>. + ''; + + life_time = mkOptionalDurationParam '' + Maximum lifetime before CHILD_SA gets closed. Usually this hard lifetime + is never reached, because the CHILD_SA gets rekeyed before. If that fails + for whatever reason, this limit closes the CHILD_SA. The default is 10% + more than the <option>rekey_time</option>. + ''; + + rand_time = mkOptionalDurationParam '' + Time range from which to choose a random value to subtract from + <option>rekey_time</option>. The default is the difference between + <option>life_time</option> and <option>rekey_time</option>. + ''; + + rekey_bytes = mkIntParam 0 '' + Number of bytes processed before initiating CHILD_SA rekeying. CHILD_SA + rekeying refreshes key material, optionally using a Diffie-Hellman + exchange if a group is specified in the proposal. + </para><para> + To avoid rekey collisions initiated by both ends simultaneously, a value + in the range of <option>rand_bytes</option> gets subtracted to form the + effective soft volume limit. + </para><para> + Volume based CHILD_SA rekeying is disabled by default. + ''; + + life_bytes = mkOptionalIntParam '' + Maximum bytes processed before CHILD_SA gets closed. Usually this hard + volume limit is never reached, because the CHILD_SA gets rekeyed + before. If that fails for whatever reason, this limit closes the + CHILD_SA. The default is 10% more than <option>rekey_bytes</option>. + ''; + + rand_bytes = mkOptionalIntParam '' + Byte range from which to choose a random value to subtract from + <option>rekey_bytes</option>. The default is the difference between + <option>life_bytes</option> and <option>rekey_bytes</option>. + ''; + + rekey_packets = mkIntParam 0 '' + Number of packets processed before initiating CHILD_SA rekeying. CHILD_SA + rekeying refreshes key material, optionally using a Diffie-Hellman + exchange if a group is specified in the proposal. + </para><para> + To avoid rekey collisions initiated by both ends simultaneously, a value + in the range of <option>rand_packets</option> gets subtracted to form + the effective soft packet count limit. + </para><para> + Packet count based CHILD_SA rekeying is disabled by default. + ''; + + life_packets = mkOptionalIntParam '' + Maximum number of packets processed before CHILD_SA gets closed. Usually + this hard packets limit is never reached, because the CHILD_SA gets + rekeyed before. If that fails for whatever reason, this limit closes the + CHILD_SA. + </para><para> + The default is 10% more than <option>rekey_bytes</option>. + ''; + + rand_packets = mkOptionalIntParam '' + Packet range from which to choose a random value to subtract from + <option>rekey_packets</option>. The default is the difference between + <option>life_packets</option> and <option>rekey_packets</option>. + ''; + + updown = mkOptionalStrParam '' + Updown script to invoke on CHILD_SA up and down events. + ''; + + hostaccess = mkYesNoParam no '' + Hostaccess variable to pass to <literal>updown</literal> script. + ''; + + mode = mkEnumParam [ "tunnel" + "transport" + "transport_proxy" + "beet" + "pass" + "drop" + ] "tunnel" '' + IPsec Mode to establish CHILD_SA with. + <itemizedlist> + <listitem><para> + <literal>tunnel</literal> negotiates the CHILD_SA in IPsec Tunnel Mode, + </para></listitem> + <listitem><para> + whereas <literal>transport</literal> uses IPsec Transport Mode. + </para></listitem> + <listitem><para> + <literal>transport_proxy</literal> signifying the special Mobile IPv6 + Transport Proxy Mode. + </para></listitem> + <listitem><para> + <literal>beet</literal> is the Bound End to End Tunnel mixture mode, + working with fixed inner addresses without the need to include them in + each packet. + </para></listitem> + <listitem><para> + Both <literal>transport</literal> and <literal>beet</literal> modes are + subject to mode negotiation; <literal>tunnel</literal> mode is + negotiated if the preferred mode is not available. + </para></listitem> + <listitem><para> + <literal>pass</literal> and <literal>drop</literal> are used to install + shunt policies which explicitly bypass the defined traffic from IPsec + processing or drop it, respectively. + </para></listitem> + </itemizedlist> + ''; + + policies = mkYesNoParam yes '' + Whether to install IPsec policies or not. Disabling this can be useful in + some scenarios e.g. MIPv6, where policies are not managed by the IKE + daemon. Since 5.3.3. + ''; + + policies_fwd_out = mkYesNoParam no '' + Whether to install outbound FWD IPsec policies or not. Enabling this is + required in case there is a drop policy that would match and block + forwarded traffic for this CHILD_SA. Since 5.5.1. + ''; + + dpd_action = mkEnumParam ["clear" "trap" "restart"] "clear" '' + Action to perform for this CHILD_SA on DPD timeout. The default clear + closes the CHILD_SA and does not take further action. trap installs a + trap policy, which will catch matching traffic and tries to re-negotiate + the tunnel on-demand. restart immediately tries to re-negotiate the + CHILD_SA under a fresh IKE_SA. + ''; + + ipcomp = mkYesNoParam no '' + Enable IPComp compression before encryption. If enabled, IKE tries to + negotiate IPComp compression to compress ESP payload data prior to + encryption. + ''; + + inactivity = mkDurationParam "0s" '' + Timeout before closing CHILD_SA after inactivity. If no traffic has been + processed in either direction for the configured timeout, the CHILD_SA + gets closed due to inactivity. The default value of 0 disables inactivity + checks. + ''; + + reqid = mkIntParam 0 '' + Fixed reqid to use for this CHILD_SA. This might be helpful in some + scenarios, but works only if each CHILD_SA configuration is instantiated + not more than once. The default of 0 uses dynamic reqids, allocated + incrementally. + ''; + + priority = mkIntParam 0 '' + Optional fixed priority for IPsec policies. This could be useful to + install high-priority drop policies. The default of 0 uses dynamically + calculated priorities based on the size of the traffic selectors. + ''; + + interface = mkOptionalStrParam '' + Optional interface name to restrict outbound IPsec policies. + ''; + + mark_in = mkStrParam "0/0x00000000" '' + Netfilter mark and mask for input traffic. On Linux, Netfilter may + require marks on each packet to match an SA/policy having that option + set. This allows installing duplicate policies and enables Netfilter + rules to select specific SAs/policies for incoming traffic. Note that + inbound marks are only set on policies, by default, unless + <option>mark_in_sa</option> is enabled. The special value + <literal>%unique</literal> sets a unique mark on each CHILD_SA instance, + beyond that the value <literal>%unique-dir</literal> assigns a different + unique mark for each + </para><para> + An additional mask may be appended to the mark, separated by + <literal>/</literal>. The default mask if omitted is + <literal>0xffffffff</literal>. + ''; + + mark_in_sa = mkYesNoParam no '' + Whether to set <option>mark_in</option> on the inbound SA. By default, + the inbound mark is only set on the inbound policy. The tuple destination + address, protocol and SPI is unique and the mark is not required to find + the correct SA, allowing to mark traffic after decryption instead (where + more specific selectors may be used) to match different policies. Marking + packets before decryption is still possible, even if no mark is set on + the SA. + ''; + + mark_out = mkStrParam "0/0x00000000" '' + Netfilter mark and mask for output traffic. On Linux, Netfilter may + require marks on each packet to match a policy/SA having that option + set. This allows installing duplicate policies and enables Netfilter + rules to select specific policies/SAs for outgoing traffic. The special + value <literal>%unique</literal> sets a unique mark on each CHILD_SA + instance, beyond that the value <literal>%unique-dir</literal> assigns a + different unique mark for each CHILD_SA direction (in/out). + </para><para> + An additional mask may be appended to the mark, separated by + <literal>/</literal>. The default mask if omitted is + <literal>0xffffffff</literal>. + ''; + + set_mark_in = mkStrParam "0/0x00000000" '' + Netfilter mark applied to packets after the inbound IPsec SA processed + them. This way it's not necessary to mark packets via Netfilter before + decryption or right afterwards to match policies or process them + differently (e.g. via policy routing). + + An additional mask may be appended to the mark, separated by + <literal>/</literal>. The default mask if omitted is 0xffffffff. The + special value <literal>%same</literal> uses the value (but not the mask) + from <option>mark_in</option> as mark value, which can be fixed, + <literal>%unique</literal> or <literal>%unique-dir</literal>. + + Setting marks in XFRM input requires Linux 4.19 or higher. + ''; + + set_mark_out = mkStrParam "0/0x00000000" '' + Netfilter mark applied to packets after the outbound IPsec SA processed + them. This allows processing ESP packets differently than the original + traffic (e.g. via policy routing). + + An additional mask may be appended to the mark, separated by + <literal>/</literal>. The default mask if omitted is 0xffffffff. The + special value <literal>%same</literal> uses the value (but not the mask) + from <option>mark_out</option> as mark value, which can be fixed, + <literal>%unique_</literal> or <literal>%unique-dir</literal>. + + Setting marks in XFRM output is supported since Linux 4.14. Setting a + mask requires at least Linux 4.19. + ''; + + if_id_in = mkStrParam "0" '' + XFRM interface ID set on inbound policies/SA. This allows installing + duplicate policies/SAs and associates them with an interface with the + same ID. The special value <literal>%unique</literal> sets a unique + interface ID on each CHILD_SA instance, beyond that the value + <literal>%unique-dir</literal> assigns a different unique interface ID + for each CHILD_SA direction (in/out). + ''; + + if_id_out = mkStrParam "0" '' + XFRM interface ID set on outbound policies/SA. This allows installing + duplicate policies/SAs and associates them with an interface with the + same ID. The special value <literal>%unique</literal> sets a unique + interface ID on each CHILD_SA instance, beyond that the value + <literal>%unique-dir</literal> assigns a different unique interface ID + for each CHILD_SA direction (in/out). + + The daemon will not install routes for CHILD_SAs that have this option set. + ''; + + tfc_padding = mkParamOfType (with lib.types; either int (enum ["mtu"])) 0 '' + Pads ESP packets with additional data to have a consistent ESP packet + size for improved Traffic Flow Confidentiality. The padding defines the + minimum size of all ESP packets sent. The default value of + <literal>0</literal> disables TFC padding, the special value + <literal>mtu</literal> adds TFC padding to create a packet size equal to + the Path Maximum Transfer Unit. + ''; + + replay_window = mkIntParam 32 '' + IPsec replay window to configure for this CHILD_SA. Larger values than + the default of <literal>32</literal> are supported using the Netlink + backend only, a value of <literal>0</literal> disables IPsec replay + protection. + ''; + + hw_offload = mkEnumParam ["yes" "no" "auto"] "no" '' + Enable hardware offload for this CHILD_SA, if supported by the IPsec + implementation. The value <literal>yes</literal> enforces offloading + and the installation will fail if it's not supported by either kernel or + device. The value <literal>auto</literal> enables offloading, if it's + supported, but the installation does not fail otherwise. + ''; + + copy_df = mkYesNoParam yes '' + Whether to copy the DF bit to the outer IPv4 header in tunnel mode. This + effectively disables Path MTU discovery (PMTUD). Controlling this + behavior is not supported by all kernel interfaces. + ''; + + copy_ecn = mkYesNoParam yes '' + Whether to copy the ECN (Explicit Congestion Notification) header field + to/from the outer IP header in tunnel mode. Controlling this behavior is + not supported by all kernel interfaces. + ''; + + copy_dscp = mkEnumParam [ "out" "in" "yes" "no" ] "out" '' + Whether to copy the DSCP (Differentiated Services Field Codepoint) + header field to/from the outer IP header in tunnel mode. The value + <literal>out</literal> only copies the field from the inner to the outer + header, the value <literal>in</literal> does the opposite and only + copies the field from the outer to the inner header when decapsulating, + the value <literal>yes</literal> copies the field in both directions, + and the value <literal>no</literal> disables copying the field + altogether. Setting this to <literal>yes</literal> or + <literal>in</literal> could allow an attacker to adversely affect other + traffic at the receiver, which is why the default is + <literal>out</literal>. Controlling this behavior is not supported by + all kernel interfaces. + ''; + + start_action = mkEnumParam ["none" "trap" "start"] "none" '' + Action to perform after loading the configuration. + <itemizedlist> + <listitem><para> + The default of <literal>none</literal> loads the connection only, which + then can be manually initiated or used as a responder configuration. + </para></listitem> + <listitem><para> + The value <literal>trap</literal> installs a trap policy, which triggers + the tunnel as soon as matching traffic has been detected. + </para></listitem> + <listitem><para> + The value <literal>start</literal> initiates the connection actively. + </para></listitem> + </itemizedlist> + When unloading or replacing a CHILD_SA configuration having a + <option>start_action</option> different from <literal>none</literal>, + the inverse action is performed. Configurations with + <literal>start</literal> get closed, while such with + <literal>trap</literal> get uninstalled. + ''; + + close_action = mkEnumParam ["none" "trap" "start"] "none" '' + Action to perform after a CHILD_SA gets closed by the peer. + <itemizedlist> + <listitem><para> + The default of <literal>none</literal> does not take any action, + </para></listitem> + <listitem><para> + <literal>trap</literal> installs a trap policy for the CHILD_SA. + </para></listitem> + <listitem><para> + <literal>start</literal> tries to re-create the CHILD_SA. + </para></listitem> + </itemizedlist> + </para><para> + <option>close_action</option> does not provide any guarantee that the + CHILD_SA is kept alive. It acts on explicit close messages only, but not + on negotiation failures. Use trap policies to reliably re-create failed + CHILD_SAs. + ''; + + } '' + CHILD_SA configuration sub-section. Each connection definition may have + one or more sections in its <option>children</option> subsection. The + section name defines the name of the CHILD_SA configuration, which must be + unique within the connection (denoted <child> below). + ''; + } '' + Section defining IKE connection configurations, each in its own subsection + with an arbitrary yet unique name + ''; + + secrets = let + mkEapXauthParams = mkPrefixedAttrsOfParams { + secret = mkOptionalStrParam '' + Value of the EAP/XAuth secret. It may either be an ASCII string, a hex + encoded string if it has a 0x prefix or a Base64 encoded string if it + has a 0s prefix in its value. + ''; + + id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") '' + Identity the EAP/XAuth secret belongs to. Multiple unique identities may + be specified, each having an <literal>id</literal> prefix, if a secret + is shared between multiple users. + ''; + + } '' + EAP secret section for a specific secret. Each EAP secret is defined in a + unique section having the <literal>eap</literal> prefix. EAP secrets are + used for XAuth authentication as well. + ''; + + in { + + eap = mkEapXauthParams; + xauth = mkEapXauthParams; + + ntlm = mkPrefixedAttrsOfParams { + secret = mkOptionalStrParam '' + Value of the NTLM secret, which is the NT Hash of the actual secret, + that is, MD4(UTF-16LE(secret)). The resulting 16-byte value may either + be given as a hex encoded string with a 0x prefix or as a Base64 encoded + string with a 0s prefix. + ''; + + id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") '' + Identity the NTLM secret belongs to. Multiple unique identities may be + specified, each having an id prefix, if a secret is shared between + multiple users. + ''; + } '' + NTLM secret section for a specific secret. Each NTLM secret is defined in + a unique section having the <literal>ntlm</literal> prefix. NTLM secrets + may only be used for EAP-MSCHAPv2 authentication. + ''; + + ike = mkPrefixedAttrsOfParams { + secret = mkOptionalStrParam '' + Value of the IKE preshared secret. It may either be an ASCII string, a + hex encoded string if it has a 0x prefix or a Base64 encoded string if + it has a 0s prefix in its value. + ''; + + id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") '' + IKE identity the IKE preshared secret belongs to. Multiple unique + identities may be specified, each having an <literal>id</literal> + prefix, if a secret is shared between multiple peers. + ''; + } '' + IKE preshared secret section for a specific secret. Each IKE PSK is + defined in a unique section having the <literal>ike</literal> prefix. + ''; + + ppk = mkPrefixedAttrsOfParams { + secret = mkOptionalStrParam '' + Value of the PPK. It may either be an ASCII string, a hex encoded string + if it has a <literal>0x</literal> prefix or a Base64 encoded string if + it has a <literal>0s</literal> prefix in its value. Should have at least + 256 bits of entropy for 128-bit security. + ''; + + id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") '' + PPK identity the PPK belongs to. Multiple unique identities may be + specified, each having an <literal>id</literal> prefix, if a secret is + shared between multiple peers. + ''; + } '' + Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is + defined in a unique section having the <literal>ppk</literal> prefix. + ''; + + private = mkPrefixedAttrsOfParams { + file = mkOptionalStrParam '' + File name in the private folder for which this passphrase should be used. + ''; + + secret = mkOptionalStrParam '' + Value of decryption passphrase for private key. + ''; + } '' + Private key decryption passphrase for a key in the + <literal>private</literal> folder. + ''; + + rsa = mkPrefixedAttrsOfParams { + file = mkOptionalStrParam '' + File name in the <literal>rsa</literal> folder for which this passphrase + should be used. + ''; + secret = mkOptionalStrParam '' + Value of decryption passphrase for RSA key. + ''; + } '' + Private key decryption passphrase for a key in the <literal>rsa</literal> + folder. + ''; + + ecdsa = mkPrefixedAttrsOfParams { + file = mkOptionalStrParam '' + File name in the <literal>ecdsa</literal> folder for which this + passphrase should be used. + ''; + secret = mkOptionalStrParam '' + Value of decryption passphrase for ECDSA key. + ''; + } '' + Private key decryption passphrase for a key in the + <literal>ecdsa</literal> folder. + ''; + + pkcs8 = mkPrefixedAttrsOfParams { + file = mkOptionalStrParam '' + File name in the <literal>pkcs8</literal> folder for which this + passphrase should be used. + ''; + secret = mkOptionalStrParam '' + Value of decryption passphrase for PKCS#8 key. + ''; + } '' + Private key decryption passphrase for a key in the + <literal>pkcs8</literal> folder. + ''; + + pkcs12 = mkPrefixedAttrsOfParams { + file = mkOptionalStrParam '' + File name in the <literal>pkcs12</literal> folder for which this + passphrase should be used. + ''; + secret = mkOptionalStrParam '' + Value of decryption passphrase for PKCS#12 container. + ''; + } '' + PKCS#12 decryption passphrase for a container in the + <literal>pkcs12</literal> folder. + ''; + + token = mkPrefixedAttrsOfParams { + handle = mkOptionalHexParam '' + Hex-encoded CKA_ID or handle of the private key on the token or TPM, + respectively. + ''; + + slot = mkOptionalIntParam '' + Optional slot number to access the token. + ''; + + module = mkOptionalStrParam '' + Optional PKCS#11 module name to access the token. + ''; + + pin = mkOptionalStrParam '' + Optional PIN required to access the key on the token. If none is + provided the user is prompted during an interactive + <literal>--load-creds</literal> call. + ''; + } "Definition for a private key that's stored on a token/smartcard/TPM."; + + }; + + pools = mkAttrsOfParams { + addrs = mkOptionalStrParam '' + Subnet or range defining addresses allocated in pool. Accepts a single + CIDR subnet defining the pool to allocate addresses from or an address + range (<from>-<to>). Pools must be unique and non-overlapping. + ''; + + dns = mkCommaSepListParam [] "Address or CIDR subnets"; + nbns = mkCommaSepListParam [] "Address or CIDR subnets"; + dhcp = mkCommaSepListParam [] "Address or CIDR subnets"; + netmask = mkCommaSepListParam [] "Address or CIDR subnets"; + server = mkCommaSepListParam [] "Address or CIDR subnets"; + subnet = mkCommaSepListParam [] "Address or CIDR subnets"; + split_include = mkCommaSepListParam [] "Address or CIDR subnets"; + split_exclude = mkCommaSepListParam [] "Address or CIDR subnets"; + } '' + Section defining named pools. Named pools may be referenced by connections + with the pools option to assign virtual IPs and other configuration + attributes. Each pool must have a unique name (denoted <name> below). + ''; +} diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix new file mode 100644 index 00000000000..e3a97207be7 --- /dev/null +++ b/nixos/modules/services/networking/strongswan.nix @@ -0,0 +1,170 @@ +{ config, lib, pkgs, ... }: + +let + + inherit (builtins) toFile; + inherit (lib) concatMapStringsSep concatStringsSep mapAttrsToList + mkIf mkEnableOption mkOption types literalExpression; + + cfg = config.services.strongswan; + + ipsecSecrets = secrets: toFile "ipsec.secrets" ( + concatMapStringsSep "\n" (f: "include ${f}") secrets + ); + + ipsecConf = {setup, connections, ca}: + let + # https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf + makeSections = type: sections: concatStringsSep "\n\n" ( + mapAttrsToList (sec: attrs: + "${type} ${sec}\n" + + (concatStringsSep "\n" ( mapAttrsToList (k: v: " ${k}=${v}") attrs )) + ) sections + ); + setupConf = makeSections "config" { inherit setup; }; + connectionsConf = makeSections "conn" connections; + caConf = makeSections "ca" ca; + + in + builtins.toFile "ipsec.conf" '' + ${setupConf} + ${connectionsConf} + ${caConf} + ''; + + strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" '' + charon { + ${if managePlugins then "load_modular = no" else ""} + ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""} + plugins { + stroke { + secrets_file = ${secretsFile} + } + } + } + + starter { + config_file = ${ipsecConf { inherit setup connections ca; }} + } + ''; + +in +{ + options.services.strongswan = { + enable = mkEnableOption "strongSwan"; + + secrets = mkOption { + type = types.listOf types.str; + default = []; + example = [ "/run/keys/ipsec-foo.secret" ]; + description = '' + A list of paths to IPSec secret files. These + files will be included into the main ipsec.secrets file with + the <literal>include</literal> directive. It is safer if these + paths are absolute. + ''; + }; + + setup = mkOption { + type = types.attrsOf types.str; + default = {}; + example = { cachecrls = "yes"; strictcrlpolicy = "yes"; }; + description = '' + A set of options for the ‘config setup’ section of the + <filename>ipsec.conf</filename> file. Defines general + configuration parameters. + ''; + }; + + connections = mkOption { + type = types.attrsOf (types.attrsOf types.str); + default = {}; + example = literalExpression '' + { + "%default" = { + keyexchange = "ikev2"; + keyingtries = "1"; + }; + roadwarrior = { + auto = "add"; + leftcert = "/run/keys/moonCert.pem"; + leftid = "@moon.strongswan.org"; + leftsubnet = "10.1.0.0/16"; + right = "%any"; + }; + } + ''; + description = '' + A set of connections and their options for the ‘conn xxx’ + sections of the <filename>ipsec.conf</filename> file. + ''; + }; + + ca = mkOption { + type = types.attrsOf (types.attrsOf types.str); + default = {}; + example = { + strongswan = { + auto = "add"; + cacert = "/run/keys/strongswanCert.pem"; + crluri = "http://crl2.strongswan.org/strongswan.crl"; + }; + }; + description = '' + A set of CAs (certification authorities) and their options for + the ‘ca xxx’ sections of the <filename>ipsec.conf</filename> + file. + ''; + }; + + managePlugins = mkOption { + type = types.bool; + default = false; + description = '' + If set to true, this option will disable automatic plugin loading and + then tell strongSwan to enable the plugins specified in the + <option>enabledPlugins</option> option. + ''; + }; + + enabledPlugins = mkOption { + type = types.listOf types.str; + default = []; + description = '' + A list of additional plugins to enable if + <option>managePlugins</option> is true. + ''; + }; + }; + + + config = with cfg; + let + secretsFile = ipsecSecrets cfg.secrets; + in + mkIf enable + { + + # here we should use the default strongswan ipsec.secrets and + # append to it (default one is empty so not a pb for now) + environment.etc."ipsec.secrets".source = secretsFile; + + systemd.services.strongswan = { + description = "strongSwan IPSec Service"; + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ kmod iproute2 iptables util-linux ]; # XXX Linux + after = [ "network-online.target" ]; + environment = { + STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; }; + }; + serviceConfig = { + ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork"; + }; + preStart = '' + # with 'nopeerdns' setting, ppp writes into this folder + mkdir -m 700 -p /etc/ppp + ''; + }; + }; +} + diff --git a/nixos/modules/services/networking/stubby.nix b/nixos/modules/services/networking/stubby.nix new file mode 100644 index 00000000000..78c13798dde --- /dev/null +++ b/nixos/modules/services/networking/stubby.nix @@ -0,0 +1,89 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.stubby; + settingsFormat = pkgs.formats.yaml { }; + confFile = settingsFormat.generate "stubby.yml" cfg.settings; +in { + imports = map (x: + (mkRemovedOptionModule [ "services" "stubby" x ] + "Stubby configuration moved to services.stubby.settings.")) [ + "authenticationMode" + "fallbackProtocols" + "idleTimeout" + "listenAddresses" + "queryPaddingBlocksize" + "roundRobinUpstreams" + "subnetPrivate" + "upstreamServers" + ]; + + options = { + services.stubby = { + + enable = mkEnableOption "Stubby DNS resolver"; + + settings = mkOption { + type = types.attrsOf settingsFormat.type; + example = lib.literalExpression '' + pkgs.stubby.passthru.settingsExample // { + upstream_recursive_servers = [{ + address_data = "158.64.1.29"; + tls_auth_name = "kaitain.restena.lu"; + tls_pubkey_pinset = [{ + digest = "sha256"; + value = "7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4="; + }]; + }]; + }; + ''; + description = '' + Content of the Stubby configuration file. All Stubby settings may be set or queried + here. The default settings are available at + <literal>pkgs.stubby.passthru.settingsExample</literal>. See + <link xlink:href="https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby"/>. + A list of the public recursive servers can be found here: + <link xlink:href="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers"/>. + ''; + }; + + debugLogging = mkOption { + default = false; + type = types.bool; + description = "Enable or disable debug level logging."; + }; + + }; + }; + + config = mkIf cfg.enable { + assertions = [{ + assertion = + (cfg.settings.resolution_type or "") == "GETDNS_RESOLUTION_STUB"; + message = '' + services.stubby.settings.resolution_type must be set to "GETDNS_RESOLUTION_STUB". + Is services.stubby.settings unset? + ''; + }]; + + services.stubby.settings.appdata_dir = "/var/cache/stubby"; + + systemd.services.stubby = { + description = "Stubby local DNS resolver"; + after = [ "network.target" ]; + before = [ "nss-lookup.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "notify"; + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; + ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString cfg.debugLogging "-l"}"; + DynamicUser = true; + CacheDirectory = "stubby"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/stunnel.nix b/nixos/modules/services/networking/stunnel.nix new file mode 100644 index 00000000000..df4908a0fff --- /dev/null +++ b/nixos/modules/services/networking/stunnel.nix @@ -0,0 +1,238 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.stunnel; + yesNo = val: if val then "yes" else "no"; + + verifyChainPathAssert = n: c: { + assertion = c.verifyHostname == null || (c.verifyChain || c.verifyPeer); + message = "stunnel: \"${n}\" client configuration - hostname verification " + + "is not possible without either verifyChain or verifyPeer enabled"; + }; + + serverConfig = { + options = { + accept = mkOption { + type = types.either types.str types.int; + description = '' + On which [host:]port stunnel should listen for incoming TLS connections. + Note that unlike other softwares stunnel ipv6 address need no brackets, + so to listen on all IPv6 addresses on port 1234 one would use ':::1234'. + ''; + }; + + connect = mkOption { + type = types.either types.str types.int; + description = "Port or IP:Port to which the decrypted connection should be forwarded."; + }; + + cert = mkOption { + type = types.path; + description = "File containing both the private and public keys."; + }; + }; + }; + + clientConfig = { + options = { + accept = mkOption { + type = types.str; + description = "IP:Port on which connections should be accepted."; + }; + + connect = mkOption { + type = types.str; + description = "IP:Port destination to connect to."; + }; + + verifyChain = mkOption { + type = types.bool; + default = true; + description = "Check if the provided certificate has a valid certificate chain (against CAPath)."; + }; + + verifyPeer = mkOption { + type = types.bool; + default = false; + description = "Check if the provided certificate is contained in CAPath."; + }; + + CAPath = mkOption { + type = types.nullOr types.path; + default = null; + description = "Path to a directory containing certificates to validate against."; + }; + + CAFile = mkOption { + type = types.nullOr types.path; + default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + defaultText = literalExpression ''"''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"''; + description = "Path to a file containing certificates to validate against."; + }; + + verifyHostname = mkOption { + type = with types; nullOr str; + default = null; + description = "If set, stunnel checks if the provided certificate is valid for the given hostname."; + }; + }; + }; + + +in + +{ + + ###### interface + + options = { + + services.stunnel = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Whether to enable the stunnel TLS tunneling service."; + }; + + user = mkOption { + type = with types; nullOr str; + default = "nobody"; + description = "The user under which stunnel runs."; + }; + + group = mkOption { + type = with types; nullOr str; + default = "nogroup"; + description = "The group under which stunnel runs."; + }; + + logLevel = mkOption { + type = types.enum [ "emerg" "alert" "crit" "err" "warning" "notice" "info" "debug" ]; + default = "info"; + description = "Verbosity of stunnel output."; + }; + + fipsMode = mkOption { + type = types.bool; + default = false; + description = "Enable FIPS 140-2 mode required for compliance."; + }; + + enableInsecureSSLv3 = mkOption { + type = types.bool; + default = false; + description = "Enable support for the insecure SSLv3 protocol."; + }; + + + servers = mkOption { + description = "Define the server configuations."; + type = with types; attrsOf (submodule serverConfig); + example = { + fancyWebserver = { + accept = 443; + connect = 8080; + cert = "/path/to/pem/file"; + }; + }; + default = { }; + }; + + clients = mkOption { + description = "Define the client configurations."; + type = with types; attrsOf (submodule clientConfig); + example = { + foobar = { + accept = "0.0.0.0:8080"; + connect = "nixos.org:443"; + verifyChain = false; + }; + }; + default = { }; + }; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + assertions = concatLists [ + (singleton { + assertion = (length (attrValues cfg.servers) != 0) || ((length (attrValues cfg.clients)) != 0); + message = "stunnel: At least one server- or client-configuration has to be present."; + }) + + (mapAttrsToList verifyChainPathAssert cfg.clients) + ]; + + environment.systemPackages = [ pkgs.stunnel ]; + + environment.etc."stunnel.cfg".text = '' + ${ if cfg.user != null then "setuid = ${cfg.user}" else "" } + ${ if cfg.group != null then "setgid = ${cfg.group}" else "" } + + debug = ${cfg.logLevel} + + ${ optionalString cfg.fipsMode "fips = yes" } + ${ optionalString cfg.enableInsecureSSLv3 "options = -NO_SSLv3" } + + ; ----- SERVER CONFIGURATIONS ----- + ${ lib.concatStringsSep "\n" + (lib.mapAttrsToList + (n: v: '' + [${n}] + accept = ${toString v.accept} + connect = ${toString v.connect} + cert = ${v.cert} + + '') + cfg.servers) + } + + ; ----- CLIENT CONFIGURATIONS ----- + ${ lib.concatStringsSep "\n" + (lib.mapAttrsToList + (n: v: '' + [${n}] + client = yes + accept = ${v.accept} + connect = ${v.connect} + verifyChain = ${yesNo v.verifyChain} + verifyPeer = ${yesNo v.verifyPeer} + ${optionalString (v.CAPath != null) "CApath = ${v.CAPath}"} + ${optionalString (v.CAFile != null) "CAFile = ${v.CAFile}"} + ${optionalString (v.verifyHostname != null) "checkHost = ${v.verifyHostname}"} + OCSPaia = yes + + '') + cfg.clients) + } + ''; + + systemd.services.stunnel = { + description = "stunnel TLS tunneling service"; + after = [ "network.target" ]; + wants = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ config.environment.etc."stunnel.cfg".source ]; + serviceConfig = { + ExecStart = "${pkgs.stunnel}/bin/stunnel ${config.environment.etc."stunnel.cfg".source}"; + Type = "forking"; + }; + }; + + meta.maintainers = with maintainers; [ + # Server side + lschuermann + # Client side + das_j + ]; + }; + +} diff --git a/nixos/modules/services/networking/supplicant.nix b/nixos/modules/services/networking/supplicant.nix new file mode 100644 index 00000000000..eb24130e519 --- /dev/null +++ b/nixos/modules/services/networking/supplicant.nix @@ -0,0 +1,240 @@ +{ config, lib, utils, pkgs, ... }: + +with lib; + +let + + cfg = config.networking.supplicant; + + # We must escape interfaces due to the systemd interpretation + subsystemDevice = interface: + "sys-subsystem-net-devices-${utils.escapeSystemdPath interface}.device"; + + serviceName = iface: "supplicant-${if (iface=="WLAN") then "wlan@" else ( + if (iface=="LAN") then "lan@" else ( + if (iface=="DBUS") then "dbus" + else (replaceChars [" "] ["-"] iface)))}"; + + # TODO: Use proper privilege separation for wpa_supplicant + supplicantService = iface: suppl: + let + deps = (if (iface=="WLAN"||iface=="LAN") then ["sys-subsystem-net-devices-%i.device"] else ( + if (iface=="DBUS") then ["dbus.service"] + else (map subsystemDevice (splitString " " iface)))) + ++ optional (suppl.bridge!="") (subsystemDevice suppl.bridge); + + ifaceArg = concatStringsSep " -N " (map (i: "-i${i}") (splitString " " iface)); + driverArg = optionalString (suppl.driver != null) "-D${suppl.driver}"; + bridgeArg = optionalString (suppl.bridge!="") "-b${suppl.bridge}"; + confFileArg = optionalString (suppl.configFile.path!=null) "-c${suppl.configFile.path}"; + extraConfFile = pkgs.writeText "supplicant-extra-conf-${replaceChars [" "] ["-"] iface}" '' + ${optionalString suppl.userControlled.enable "ctrl_interface=DIR=${suppl.userControlled.socketDir} GROUP=${suppl.userControlled.group}"} + ${optionalString suppl.configFile.writable "update_config=1"} + ${suppl.extraConf} + ''; + in + { description = "Supplicant ${iface}${optionalString (iface=="WLAN"||iface=="LAN") " %I"}"; + wantedBy = [ "multi-user.target" ] ++ deps; + wants = [ "network.target" ]; + bindsTo = deps; + after = deps; + before = [ "network.target" ]; + + path = [ pkgs.coreutils ]; + + preStart = '' + ${optionalString (suppl.configFile.path!=null) '' + (umask 077 && touch -a "${suppl.configFile.path}") + ''} + ${optionalString suppl.userControlled.enable '' + install -dm770 -g "${suppl.userControlled.group}" "${suppl.userControlled.socketDir}" + ''} + ''; + + serviceConfig.ExecStart = "${pkgs.wpa_supplicant}/bin/wpa_supplicant -s ${driverArg} ${confFileArg} -I${extraConfFile} ${bridgeArg} ${suppl.extraCmdArgs} ${if (iface=="WLAN"||iface=="LAN") then "-i%I" else (if (iface=="DBUS") then "-u" else ifaceArg)}"; + + }; + + +in + +{ + + ###### interface + + options = { + + networking.supplicant = mkOption { + type = with types; attrsOf (submodule { + options = { + + configFile = { + + path = mkOption { + type = types.nullOr types.path; + default = null; + example = literalExpression "/etc/wpa_supplicant.conf"; + description = '' + External <literal>wpa_supplicant.conf</literal> configuration file. + The configuration options defined declaratively within <literal>networking.supplicant</literal> have + precedence over options defined in <literal>configFile</literal>. + ''; + }; + + writable = mkOption { + type = types.bool; + default = false; + description = '' + Whether the configuration file at <literal>configFile.path</literal> should be written to by + <literal>wpa_supplicant</literal>. + ''; + }; + + }; + + extraConf = mkOption { + type = types.lines; + default = ""; + example = '' + ap_scan=1 + device_name=My-NixOS-Device + device_type=1-0050F204-1 + driver_param=use_p2p_group_interface=1 + disable_scan_offload=1 + p2p_listen_reg_class=81 + p2p_listen_channel=1 + p2p_oper_reg_class=81 + p2p_oper_channel=1 + manufacturer=NixOS + model_name=NixOS_Unstable + model_number=2015 + ''; + description = '' + Configuration options for <literal>wpa_supplicant.conf</literal>. + Options defined here have precedence over options in <literal>configFile</literal>. + NOTE: Do not write sensitive data into <literal>extraConf</literal> as it will + be world-readable in the <literal>nix-store</literal>. For sensitive information + use the <literal>configFile</literal> instead. + ''; + }; + + extraCmdArgs = mkOption { + type = types.str; + default = ""; + example = "-e/run/wpa_supplicant/entropy.bin"; + description = + "Command line arguments to add when executing <literal>wpa_supplicant</literal>."; + }; + + driver = mkOption { + type = types.nullOr types.str; + default = "nl80211,wext"; + description = "Force a specific wpa_supplicant driver."; + }; + + bridge = mkOption { + type = types.str; + default = ""; + description = "Name of the bridge interface that wpa_supplicant should listen at."; + }; + + userControlled = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli. + This is useful for laptop users that switch networks a lot and don't want + to depend on a large package such as NetworkManager just to pick nearby + access points. + ''; + }; + + socketDir = mkOption { + type = types.str; + default = "/run/wpa_supplicant"; + description = "Directory of sockets for controlling wpa_supplicant."; + }; + + group = mkOption { + type = types.str; + default = "wheel"; + example = "network"; + description = "Members of this group can control wpa_supplicant."; + }; + + }; + }; + }); + + default = { }; + + example = literalExpression '' + { "wlan0 wlan1" = { + configFile.path = "/etc/wpa_supplicant.conf"; + userControlled.group = "network"; + extraConf = ''' + ap_scan=1 + p2p_disabled=1 + '''; + extraCmdArgs = "-u -W"; + bridge = "br0"; + }; + } + ''; + + description = '' + Interfaces for which to start <command>wpa_supplicant</command>. + The supplicant is used to scan for and associate with wireless networks, + or to authenticate with 802.1x capable network switches. + + The value of this option is an attribute set. Each attribute configures a + <command>wpa_supplicant</command> service, where the attribute name specifies + the name of the interface that <command>wpa_supplicant</command> operates on. + The attribute name can be a space separated list of interfaces. + The attribute names <literal>WLAN</literal>, <literal>LAN</literal> and <literal>DBUS</literal> + have a special meaning. <literal>WLAN</literal> and <literal>LAN</literal> are + configurations for universal <command>wpa_supplicant</command> service that is + started for each WLAN interface or for each LAN interface, respectively. + <literal>DBUS</literal> defines a device-unrelated <command>wpa_supplicant</command> + service that can be accessed through <literal>D-Bus</literal>. + ''; + + }; + + }; + + + ###### implementation + + config = mkIf (cfg != {}) { + + environment.systemPackages = [ pkgs.wpa_supplicant ]; + + services.dbus.packages = [ pkgs.wpa_supplicant ]; + + systemd.services = mapAttrs' (n: v: nameValuePair (serviceName n) (supplicantService n v)) cfg; + + services.udev.packages = [ + (pkgs.writeTextFile { + name = "99-zzz-60-supplicant.rules"; + destination = "/etc/udev/rules.d/99-zzz-60-supplicant.rules"; + text = '' + ${flip (concatMapStringsSep "\n") (filter (n: n!="WLAN" && n!="LAN" && n!="DBUS") (attrNames cfg)) (iface: + flip (concatMapStringsSep "\n") (splitString " " iface) (i: '' + ACTION=="add", SUBSYSTEM=="net", ENV{INTERFACE}=="${i}", TAG+="systemd", ENV{SYSTEMD_WANTS}+="supplicant-${replaceChars [" "] ["-"] iface}.service", TAG+="SUPPLICANT_ASSIGNED"''))} + + ${optionalString (hasAttr "WLAN" cfg) '' + ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", TAG!="SUPPLICANT_ASSIGNED", TAG+="systemd", PROGRAM="${pkgs.systemd}/bin/systemd-escape -p %E{INTERFACE}", ENV{SYSTEMD_WANTS}+="supplicant-wlan@$result.service" + ''} + ${optionalString (hasAttr "LAN" cfg) '' + ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="lan", TAG!="SUPPLICANT_ASSIGNED", TAG+="systemd", PROGRAM="${pkgs.systemd}/bin/systemd-escape -p %E{INTERFACE}", ENV{SYSTEMD_WANTS}+="supplicant-lan@$result.service" + ''} + ''; + })]; + + }; + +} + diff --git a/nixos/modules/services/networking/supybot.nix b/nixos/modules/services/networking/supybot.nix new file mode 100644 index 00000000000..94b79c7e247 --- /dev/null +++ b/nixos/modules/services/networking/supybot.nix @@ -0,0 +1,163 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.supybot; + isStateDirHome = hasPrefix "/home/" cfg.stateDir; + isStateDirVar = cfg.stateDir == "/var/lib/supybot"; + pyEnv = pkgs.python3.withPackages (p: [ p.limnoria ] ++ (cfg.extraPackages p)); +in +{ + options = { + + services.supybot = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Enable Supybot, an IRC bot (also known as Limnoria)."; + }; + + stateDir = mkOption { + type = types.path; + default = if versionAtLeast config.system.stateVersion "20.09" + then "/var/lib/supybot" + else "/home/supybot"; + defaultText = literalExpression "/var/lib/supybot"; + description = "The root directory, logs and plugins are stored here"; + }; + + configFile = mkOption { + type = types.path; + description = '' + Path to initial supybot config file. This can be generated by + running supybot-wizard. + + Note: all paths should include the full path to the stateDir + directory (backup conf data logs logs/plugins plugins tmp web). + ''; + }; + + plugins = mkOption { + type = types.attrsOf types.path; + default = {}; + description = '' + Attribute set of additional plugins that will be symlinked to the + <filename>plugin</filename> subdirectory. + + Please note that you still need to add the plugins to the config + file (or with <literal>!load</literal>) using their attribute name. + ''; + example = literalExpression '' + let + plugins = pkgs.fetchzip { + url = "https://github.com/ProgVal/Supybot-plugins/archive/57c2450c.zip"; + sha256 = "077snf84ibnva3sbpzdfpfma6hcdw7dflwnhg6pw7mgnf0nd84qd"; + }; + in + { + Wikipedia = "''${plugins}/Wikipedia"; + Decide = ./supy-decide; + } + ''; + }; + + extraPackages = mkOption { + type = types.functionTo (types.listOf types.package); + default = p: []; + defaultText = literalExpression "p: []"; + description = '' + Extra Python packages available to supybot plugins. The + value must be a function which receives the attrset defined + in <varname>python3Packages</varname> as the sole argument. + ''; + example = literalExpression "p: [ p.lxml p.requests ]"; + }; + + }; + + }; + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.python3Packages.limnoria ]; + + users.users.supybot = { + uid = config.ids.uids.supybot; + group = "supybot"; + description = "Supybot IRC bot user"; + home = cfg.stateDir; + isSystemUser = true; + }; + + users.groups.supybot = { + gid = config.ids.gids.supybot; + }; + + systemd.services.supybot = { + description = "Supybot, an IRC bot"; + documentation = [ "https://limnoria.readthedocs.io/" ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + preStart = '' + # This needs to be created afresh every time + rm -f '${cfg.stateDir}/supybot.cfg.bak' + ''; + + startLimitIntervalSec = 5 * 60; # 5 min + startLimitBurst = 1; + serviceConfig = { + ExecStart = "${pyEnv}/bin/supybot ${cfg.stateDir}/supybot.cfg"; + PIDFile = "/run/supybot.pid"; + User = "supybot"; + Group = "supybot"; + UMask = "0007"; + Restart = "on-abort"; + + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + RestrictNamespaces = true; + RestrictRealtime = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RemoveIPC = true; + ProtectHostname = true; + CapabilityBoundingSet = ""; + ProtectSystem = "full"; + } + // optionalAttrs isStateDirVar { + StateDirectory = "supybot"; + ProtectSystem = "strict"; + } + // optionalAttrs (!isStateDirHome) { + ProtectHome = true; + }; + }; + + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' 0700 supybot supybot - -" + "d '${cfg.stateDir}/backup' 0750 supybot supybot - -" + "d '${cfg.stateDir}/conf' 0750 supybot supybot - -" + "d '${cfg.stateDir}/data' 0750 supybot supybot - -" + "d '${cfg.stateDir}/plugins' 0750 supybot supybot - -" + "d '${cfg.stateDir}/logs' 0750 supybot supybot - -" + "d '${cfg.stateDir}/logs/plugins' 0750 supybot supybot - -" + "d '${cfg.stateDir}/tmp' 0750 supybot supybot - -" + "d '${cfg.stateDir}/web' 0750 supybot supybot - -" + "L '${cfg.stateDir}/supybot.cfg' - - - - ${cfg.configFile}" + ] + ++ (flip mapAttrsToList cfg.plugins (name: dest: + "L+ '${cfg.stateDir}/plugins/${name}' - - - - ${dest}" + )); + + }; +} diff --git a/nixos/modules/services/networking/syncplay.nix b/nixos/modules/services/networking/syncplay.nix new file mode 100644 index 00000000000..b6faf2d3f77 --- /dev/null +++ b/nixos/modules/services/networking/syncplay.nix @@ -0,0 +1,80 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.syncplay; + + cmdArgs = + [ "--port" cfg.port ] + ++ optionals (cfg.salt != null) [ "--salt" cfg.salt ] + ++ optionals (cfg.certDir != null) [ "--tls" cfg.certDir ]; + +in +{ + options = { + services.syncplay = { + enable = mkOption { + type = types.bool; + default = false; + description = "If enabled, start the Syncplay server."; + }; + + port = mkOption { + type = types.port; + default = 8999; + description = '' + TCP port to bind to. + ''; + }; + + salt = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Salt to allow room operator passwords generated by this server + instance to still work when the server is restarted. + ''; + }; + + certDir = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + TLS certificates directory to use for encryption. See + <link xlink:href="https://github.com/Syncplay/syncplay/wiki/TLS-support"/>. + ''; + }; + + user = mkOption { + type = types.str; + default = "nobody"; + description = '' + User to use when running Syncplay. + ''; + }; + + group = mkOption { + type = types.str; + default = "nogroup"; + description = '' + Group to use when running Syncplay. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.syncplay = { + description = "Syncplay Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + + serviceConfig = { + ExecStart = "${pkgs.syncplay}/bin/syncplay-server ${escapeShellArgs cmdArgs}"; + User = cfg.user; + Group = cfg.group; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/syncthing-relay.nix b/nixos/modules/services/networking/syncthing-relay.nix new file mode 100644 index 00000000000..f5ca63e7893 --- /dev/null +++ b/nixos/modules/services/networking/syncthing-relay.nix @@ -0,0 +1,121 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.syncthing.relay; + + dataDirectory = "/var/lib/syncthing-relay"; + + relayOptions = + [ + "--keys=${dataDirectory}" + "--listen=${cfg.listenAddress}:${toString cfg.port}" + "--status-srv=${cfg.statusListenAddress}:${toString cfg.statusPort}" + "--provided-by=${escapeShellArg cfg.providedBy}" + ] + ++ optional (cfg.pools != null) "--pools=${escapeShellArg (concatStringsSep "," cfg.pools)}" + ++ optional (cfg.globalRateBps != null) "--global-rate=${toString cfg.globalRateBps}" + ++ optional (cfg.perSessionRateBps != null) "--per-session-rate=${toString cfg.perSessionRateBps}" + ++ cfg.extraOptions; +in { + ###### interface + + options.services.syncthing.relay = { + enable = mkEnableOption "Syncthing relay service"; + + listenAddress = mkOption { + type = types.str; + default = ""; + example = "1.2.3.4"; + description = '' + Address to listen on for relay traffic. + ''; + }; + + port = mkOption { + type = types.port; + default = 22067; + description = '' + Port to listen on for relay traffic. This port should be added to + <literal>networking.firewall.allowedTCPPorts</literal>. + ''; + }; + + statusListenAddress = mkOption { + type = types.str; + default = ""; + example = "1.2.3.4"; + description = '' + Address to listen on for serving the relay status API. + ''; + }; + + statusPort = mkOption { + type = types.port; + default = 22070; + description = '' + Port to listen on for serving the relay status API. This port should be + added to <literal>networking.firewall.allowedTCPPorts</literal>. + ''; + }; + + pools = mkOption { + type = types.nullOr (types.listOf types.str); + default = null; + description = '' + Relay pools to join. If null, uses the default global pool. + ''; + }; + + providedBy = mkOption { + type = types.str; + default = ""; + description = '' + Human-readable description of the provider of the relay (you). + ''; + }; + + globalRateBps = mkOption { + type = types.nullOr types.ints.positive; + default = null; + description = '' + Global bandwidth rate limit in bytes per second. + ''; + }; + + perSessionRateBps = mkOption { + type = types.nullOr types.ints.positive; + default = null; + description = '' + Per session bandwidth rate limit in bytes per second. + ''; + }; + + extraOptions = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra command line arguments to pass to strelaysrv. + ''; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + systemd.services.syncthing-relay = { + description = "Syncthing relay service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + DynamicUser = true; + StateDirectory = baseNameOf dataDirectory; + + Restart = "on-failure"; + ExecStart = "${pkgs.syncthing-relay}/bin/strelaysrv ${concatStringsSep " " relayOptions}"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix new file mode 100644 index 00000000000..3a3d4c80ecf --- /dev/null +++ b/nixos/modules/services/networking/syncthing.nix @@ -0,0 +1,601 @@ +{ config, lib, options, pkgs, ... }: + +with lib; + +let + cfg = config.services.syncthing; + opt = options.services.syncthing; + defaultUser = "syncthing"; + defaultGroup = defaultUser; + + devices = mapAttrsToList (name: device: { + deviceID = device.id; + inherit (device) name addresses introducer autoAcceptFolders; + }) cfg.devices; + + folders = mapAttrsToList ( _: folder: { + inherit (folder) path id label type; + devices = map (device: { deviceId = cfg.devices.${device}.id; }) folder.devices; + rescanIntervalS = folder.rescanInterval; + fsWatcherEnabled = folder.watch; + fsWatcherDelayS = folder.watchDelay; + ignorePerms = folder.ignorePerms; + ignoreDelete = folder.ignoreDelete; + versioning = folder.versioning; + }) (filterAttrs ( + _: folder: + folder.enable + ) cfg.folders); + + updateConfig = pkgs.writers.writeDash "merge-syncthing-config" '' + set -efu + + # get the api key by parsing the config.xml + while + ! api_key=$(${pkgs.libxml2}/bin/xmllint \ + --xpath 'string(configuration/gui/apikey)' \ + ${cfg.configDir}/config.xml) + do sleep 1; done + + curl() { + ${pkgs.curl}/bin/curl -sSLk -H "X-API-Key: $api_key" \ + --retry 1000 --retry-delay 1 --retry-all-errors \ + "$@" + } + + # query the old config + old_cfg=$(curl ${cfg.guiAddress}/rest/config) + + # generate the new config by merging with the NixOS config options + new_cfg=$(printf '%s\n' "$old_cfg" | ${pkgs.jq}/bin/jq -c '. * { + "devices": (${builtins.toJSON devices}${optionalString (! cfg.overrideDevices) " + .devices"}), + "folders": (${builtins.toJSON folders}${optionalString (! cfg.overrideFolders) " + .folders"}) + } * ${builtins.toJSON cfg.extraOptions}') + + # send the new config + curl -X PUT -d "$new_cfg" ${cfg.guiAddress}/rest/config + + # restart Syncthing if required + if curl ${cfg.guiAddress}/rest/config/restart-required | + ${pkgs.jq}/bin/jq -e .requiresRestart > /dev/null; then + curl -X POST ${cfg.guiAddress}/rest/system/restart + fi + ''; +in { + ###### interface + options = { + services.syncthing = { + + enable = mkEnableOption + "Syncthing, a self-hosted open-source alternative to Dropbox and Bittorrent Sync"; + + cert = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Path to the <literal>cert.pem</literal> file, which will be copied into Syncthing's + <link linkend="opt-services.syncthing.configDir">configDir</link>. + ''; + }; + + key = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Path to the <literal>key.pem</literal> file, which will be copied into Syncthing's + <link linkend="opt-services.syncthing.configDir">configDir</link>. + ''; + }; + + overrideDevices = mkOption { + type = types.bool; + default = true; + description = '' + Whether to delete the devices which are not configured via the + <link linkend="opt-services.syncthing.devices">devices</link> option. + If set to <literal>false</literal>, devices added via the web + interface will persist and will have to be deleted manually. + ''; + }; + + devices = mkOption { + default = {}; + description = '' + Peers/devices which Syncthing should communicate with. + + Note that you can still add devices manually, but those changes + will be reverted on restart if <link linkend="opt-services.syncthing.overrideDevices">overrideDevices</link> + is enabled. + ''; + example = { + bigbox = { + id = "7CFNTQM-IMTJBHJ-3UWRDIU-ZGQJFR6-VCXZ3NB-XUH3KZO-N52ITXR-LAIYUAU"; + addresses = [ "tcp://192.168.0.10:51820" ]; + }; + }; + type = types.attrsOf (types.submodule ({ name, ... }: { + options = { + + name = mkOption { + type = types.str; + default = name; + description = '' + The name of the device. + ''; + }; + + addresses = mkOption { + type = types.listOf types.str; + default = []; + description = '' + The addresses used to connect to the device. + If this is left empty, dynamic configuration is attempted. + ''; + }; + + id = mkOption { + type = types.str; + description = '' + The device ID. See <link xlink:href="https://docs.syncthing.net/dev/device-ids.html"/>. + ''; + }; + + introducer = mkOption { + type = types.bool; + default = false; + description = '' + Whether the device should act as an introducer and be allowed + to add folders on this computer. + See <link xlink:href="https://docs.syncthing.net/users/introducer.html"/>. + ''; + }; + + autoAcceptFolders = mkOption { + type = types.bool; + default = false; + description = '' + Automatically create or share folders that this device advertises at the default path. + See <link xlink:href="https://docs.syncthing.net/users/config.html?highlight=autoaccept#config-file-format"/>. + ''; + }; + + }; + })); + }; + + overrideFolders = mkOption { + type = types.bool; + default = true; + description = '' + Whether to delete the folders which are not configured via the + <link linkend="opt-services.syncthing.folders">folders</link> option. + If set to <literal>false</literal>, folders added via the web + interface will persist and will have to be deleted manually. + ''; + }; + + folders = mkOption { + default = {}; + description = '' + Folders which should be shared by Syncthing. + + Note that you can still add devices manually, but those changes + will be reverted on restart if <link linkend="opt-services.syncthing.overrideDevices">overrideDevices</link> + is enabled. + ''; + example = literalExpression '' + { + "/home/user/sync" = { + id = "syncme"; + devices = [ "bigbox" ]; + }; + } + ''; + type = types.attrsOf (types.submodule ({ name, ... }: { + options = { + + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to share this folder. + This option is useful when you want to define all folders + in one place, but not every machine should share all folders. + ''; + }; + + path = mkOption { + type = types.str; + default = name; + description = '' + The path to the folder which should be shared. + ''; + }; + + id = mkOption { + type = types.str; + default = name; + description = '' + The ID of the folder. Must be the same on all devices. + ''; + }; + + label = mkOption { + type = types.str; + default = name; + description = '' + The label of the folder. + ''; + }; + + devices = mkOption { + type = types.listOf types.str; + default = []; + description = '' + The devices this folder should be shared with. Each device must + be defined in the <link linkend="opt-services.syncthing.devices">devices</link> option. + ''; + }; + + versioning = mkOption { + default = null; + description = '' + How to keep changed/deleted files with Syncthing. + There are 4 different types of versioning with different parameters. + See <link xlink:href="https://docs.syncthing.net/users/versioning.html"/>. + ''; + example = literalExpression '' + [ + { + versioning = { + type = "simple"; + params.keep = "10"; + }; + } + { + versioning = { + type = "trashcan"; + params.cleanoutDays = "1000"; + }; + } + { + versioning = { + type = "staggered"; + params = { + cleanInterval = "3600"; + maxAge = "31536000"; + versionsPath = "/syncthing/backup"; + }; + }; + } + { + versioning = { + type = "external"; + params.versionsPath = pkgs.writers.writeBash "backup" ''' + folderpath="$1" + filepath="$2" + rm -rf "$folderpath/$filepath" + '''; + }; + } + ] + ''; + type = with types; nullOr (submodule { + options = { + type = mkOption { + type = enum [ "external" "simple" "staggered" "trashcan" ]; + description = '' + The type of versioning. + See <link xlink:href="https://docs.syncthing.net/users/versioning.html"/>. + ''; + }; + params = mkOption { + type = attrsOf (either str path); + description = '' + The parameters for versioning. Structure depends on + <link linkend="opt-services.syncthing.folders._name_.versioning.type">versioning.type</link>. + See <link xlink:href="https://docs.syncthing.net/users/versioning.html"/>. + ''; + }; + }; + }); + }; + + rescanInterval = mkOption { + type = types.int; + default = 3600; + description = '' + How often the folder should be rescanned for changes. + ''; + }; + + type = mkOption { + type = types.enum [ "sendreceive" "sendonly" "receiveonly" ]; + default = "sendreceive"; + description = '' + Whether to only send changes for this folder, only receive them + or both. + ''; + }; + + watch = mkOption { + type = types.bool; + default = true; + description = '' + Whether the folder should be watched for changes by inotify. + ''; + }; + + watchDelay = mkOption { + type = types.int; + default = 10; + description = '' + The delay after an inotify event is triggered. + ''; + }; + + ignorePerms = mkOption { + type = types.bool; + default = true; + description = '' + Whether to ignore permission changes. + ''; + }; + + ignoreDelete = mkOption { + type = types.bool; + default = false; + description = '' + Whether to skip deleting files that are deleted by peers. + See <link xlink:href="https://docs.syncthing.net/advanced/folder-ignoredelete.html"/>. + ''; + }; + }; + })); + }; + + extraOptions = mkOption { + type = types.addCheck (pkgs.formats.json {}).type isAttrs; + default = {}; + description = '' + Extra configuration options for Syncthing. + See <link xlink:href="https://docs.syncthing.net/users/config.html"/>. + ''; + example = { + options.localAnnounceEnabled = false; + gui.theme = "black"; + }; + }; + + guiAddress = mkOption { + type = types.str; + default = "127.0.0.1:8384"; + description = '' + The address to serve the web interface at. + ''; + }; + + systemService = mkOption { + type = types.bool; + default = true; + description = '' + Whether to auto-launch Syncthing as a system service. + ''; + }; + + user = mkOption { + type = types.str; + default = defaultUser; + example = "yourUser"; + description = '' + The user to run Syncthing as. + By default, a user named <literal>${defaultUser}</literal> will be created. + ''; + }; + + group = mkOption { + type = types.str; + default = defaultGroup; + example = "yourGroup"; + description = '' + The group to run Syncthing under. + By default, a group named <literal>${defaultGroup}</literal> will be created. + ''; + }; + + all_proxy = mkOption { + type = with types; nullOr str; + default = null; + example = "socks5://address.com:1234"; + description = '' + Overwrites the all_proxy environment variable for the Syncthing process to + the given value. This is normally used to let Syncthing connect + through a SOCKS5 proxy server. + See <link xlink:href="https://docs.syncthing.net/users/proxying.html"/>. + ''; + }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/syncthing"; + example = "/home/yourUser"; + description = '' + The path where synchronised directories will exist. + ''; + }; + + configDir = let + cond = versionAtLeast config.system.stateVersion "19.03"; + in mkOption { + type = types.path; + description = '' + The path where the settings and keys will exist. + ''; + default = cfg.dataDir + optionalString cond "/.config/syncthing"; + defaultText = literalDocBook '' + <variablelist> + <varlistentry> + <term><literal>stateVersion >= 19.03</literal></term> + <listitem> + <programlisting> + config.${opt.dataDir} + "/.config/syncthing" + </programlisting> + </listitem> + </varlistentry> + <varlistentry> + <term>otherwise</term> + <listitem> + <programlisting> + config.${opt.dataDir} + </programlisting> + </listitem> + </varlistentry> + </variablelist> + ''; + }; + + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + example = [ "--reset-deltas" ]; + description = '' + Extra flags passed to the syncthing command in the service definition. + ''; + }; + + openDefaultPorts = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + Whether to open the default ports in the firewall: TCP/UDP 22000 for transfers + and UDP 21027 for discovery. + + If multiple users are running Syncthing on this machine, you will need + to manually open a set of ports for each instance and leave this disabled. + Alternatively, if you are running only a single instance on this machine + using the default ports, enable this. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.syncthing; + defaultText = literalExpression "pkgs.syncthing"; + description = '' + The Syncthing package to use. + ''; + }; + }; + }; + + imports = [ + (mkRemovedOptionModule [ "services" "syncthing" "useInotify" ] '' + This option was removed because Syncthing now has the inotify functionality included under the name "fswatcher". + It can be enabled on a per-folder basis through the web interface. + '') + ] ++ map (o: + mkRenamedOptionModule [ "services" "syncthing" "declarative" o ] [ "services" "syncthing" o ] + ) [ "cert" "key" "devices" "folders" "overrideDevices" "overrideFolders" "extraOptions"]; + + ###### implementation + + config = mkIf cfg.enable { + + networking.firewall = mkIf cfg.openDefaultPorts { + allowedTCPPorts = [ 22000 ]; + allowedUDPPorts = [ 21027 22000 ]; + }; + + systemd.packages = [ pkgs.syncthing ]; + + users.users = mkIf (cfg.systemService && cfg.user == defaultUser) { + ${defaultUser} = + { group = cfg.group; + home = cfg.dataDir; + createHome = true; + uid = config.ids.uids.syncthing; + description = "Syncthing daemon user"; + }; + }; + + users.groups = mkIf (cfg.systemService && cfg.group == defaultGroup) { + ${defaultGroup}.gid = + config.ids.gids.syncthing; + }; + + systemd.services = { + syncthing = mkIf cfg.systemService { + description = "Syncthing service"; + after = [ "network.target" ]; + environment = { + STNORESTART = "yes"; + STNOUPGRADE = "yes"; + inherit (cfg) all_proxy; + } // config.networking.proxy.envVars; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Restart = "on-failure"; + SuccessExitStatus = "2 3 4"; + RestartForceExitStatus="3 4"; + User = cfg.user; + Group = cfg.group; + ExecStartPre = mkIf (cfg.cert != null || cfg.key != null) + "+${pkgs.writers.writeBash "syncthing-copy-keys" '' + install -dm700 -o ${cfg.user} -g ${cfg.group} ${cfg.configDir} + ${optionalString (cfg.cert != null) '' + install -Dm400 -o ${cfg.user} -g ${cfg.group} ${toString cfg.cert} ${cfg.configDir}/cert.pem + ''} + ${optionalString (cfg.key != null) '' + install -Dm400 -o ${cfg.user} -g ${cfg.group} ${toString cfg.key} ${cfg.configDir}/key.pem + ''} + ''}" + ; + ExecStart = '' + ${cfg.package}/bin/syncthing \ + -no-browser \ + -gui-address=${cfg.guiAddress} \ + -home=${cfg.configDir} ${escapeShellArgs cfg.extraFlags} + ''; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + CapabilityBoundingSet = [ + "~CAP_SYS_PTRACE" "~CAP_SYS_ADMIN" + "~CAP_SETGID" "~CAP_SETUID" "~CAP_SETPCAP" + "~CAP_SYS_TIME" "~CAP_KILL" + ]; + }; + }; + syncthing-init = mkIf ( + cfg.devices != {} || cfg.folders != {} || cfg.extraOptions != {} + ) { + description = "Syncthing configuration updater"; + requisite = [ "syncthing.service" ]; + after = [ "syncthing.service" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = cfg.user; + RemainAfterExit = true; + Type = "oneshot"; + ExecStart = updateConfig; + }; + }; + + syncthing-resume = { + wantedBy = [ "suspend.target" ]; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix new file mode 100644 index 00000000000..3f41646bf01 --- /dev/null +++ b/nixos/modules/services/networking/tailscale.nix @@ -0,0 +1,44 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.services.tailscale; +in { + meta.maintainers = with maintainers; [ danderson mbaillie ]; + + options.services.tailscale = { + enable = mkEnableOption "Tailscale client daemon"; + + port = mkOption { + type = types.port; + default = 41641; + description = "The port to listen on for tunnel traffic (0=autoselect)."; + }; + + interfaceName = mkOption { + type = types.str; + default = "tailscale0"; + description = ''The interface name for tunnel traffic. Use "userspace-networking" (beta) to not use TUN.''; + }; + + package = mkOption { + type = types.package; + default = pkgs.tailscale; + defaultText = literalExpression "pkgs.tailscale"; + description = "The package to use for tailscale"; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; # for the CLI + systemd.packages = [ cfg.package ]; + systemd.services.tailscaled = { + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.openresolv pkgs.procps ]; + serviceConfig.Environment = [ + "PORT=${toString cfg.port}" + ''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName}"'' + ]; + }; + }; +} diff --git a/nixos/modules/services/networking/tcpcrypt.nix b/nixos/modules/services/networking/tcpcrypt.nix new file mode 100644 index 00000000000..5a91054e166 --- /dev/null +++ b/nixos/modules/services/networking/tcpcrypt.nix @@ -0,0 +1,80 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.networking.tcpcrypt; + +in + +{ + + ###### interface + + options = { + + networking.tcpcrypt.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable opportunistic TCP encryption. If the other end + speaks Tcpcrypt, then your traffic will be encrypted; otherwise + it will be sent in clear text. Thus, Tcpcrypt alone provides no + guarantees -- it is best effort. If, however, a Tcpcrypt + connection is successful and any attackers that exist are + passive, then Tcpcrypt guarantees privacy. + ''; + }; + }; + + config = mkIf cfg.enable { + + users.users.tcpcryptd = { + uid = config.ids.uids.tcpcryptd; + description = "tcpcrypt daemon user"; + }; + + systemd.services.tcpcrypt = { + description = "tcpcrypt"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + path = [ pkgs.iptables pkgs.tcpcrypt pkgs.procps ]; + + preStart = '' + mkdir -p /run/tcpcryptd + chown tcpcryptd /run/tcpcryptd + sysctl -n net.ipv4.tcp_ecn > /run/tcpcryptd/pre-tcpcrypt-ecn-state + sysctl -w net.ipv4.tcp_ecn=0 + + iptables -t raw -N nixos-tcpcrypt + iptables -t raw -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666 + iptables -t raw -I PREROUTING -j nixos-tcpcrypt + + iptables -t mangle -N nixos-tcpcrypt + iptables -t mangle -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666 + iptables -t mangle -I POSTROUTING -j nixos-tcpcrypt + ''; + + script = "tcpcryptd -x 0x10"; + + postStop = '' + if [ -f /run/tcpcryptd/pre-tcpcrypt-ecn-state ]; then + sysctl -w net.ipv4.tcp_ecn=$(cat /run/tcpcryptd/pre-tcpcrypt-ecn-state) + fi + + iptables -t mangle -D POSTROUTING -j nixos-tcpcrypt || true + iptables -t raw -D PREROUTING -j nixos-tcpcrypt || true + + iptables -t raw -F nixos-tcpcrypt || true + iptables -t raw -X nixos-tcpcrypt || true + + iptables -t mangle -F nixos-tcpcrypt || true + iptables -t mangle -X nixos-tcpcrypt || true + ''; + }; + }; + +} diff --git a/nixos/modules/services/networking/teamspeak3.nix b/nixos/modules/services/networking/teamspeak3.nix new file mode 100644 index 00000000000..c0ed08282aa --- /dev/null +++ b/nixos/modules/services/networking/teamspeak3.nix @@ -0,0 +1,160 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + ts3 = pkgs.teamspeak_server; + cfg = config.services.teamspeak3; + user = "teamspeak"; + group = "teamspeak"; +in + +{ + + ###### interface + + options = { + + services.teamspeak3 = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run the Teamspeak3 voice communication server daemon. + ''; + }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/teamspeak3-server"; + description = '' + Directory to store TS3 database and other state/data files. + ''; + }; + + logPath = mkOption { + type = types.path; + default = "/var/log/teamspeak3-server/"; + description = '' + Directory to store log files in. + ''; + }; + + voiceIP = mkOption { + type = types.nullOr types.str; + default = null; + example = "[::]"; + description = '' + IP on which the server instance will listen for incoming voice connections. Defaults to any IP. + ''; + }; + + defaultVoicePort = mkOption { + type = types.int; + default = 9987; + description = '' + Default UDP port for clients to connect to virtual servers - used for first virtual server, subsequent ones will open on incrementing port numbers by default. + ''; + }; + + fileTransferIP = mkOption { + type = types.nullOr types.str; + default = null; + example = "[::]"; + description = '' + IP on which the server instance will listen for incoming file transfer connections. Defaults to any IP. + ''; + }; + + fileTransferPort = mkOption { + type = types.int; + default = 30033; + description = '' + TCP port opened for file transfers. + ''; + }; + + queryIP = mkOption { + type = types.nullOr types.str; + default = null; + example = "0.0.0.0"; + description = '' + IP on which the server instance will listen for incoming ServerQuery connections. Defaults to any IP. + ''; + }; + + queryPort = mkOption { + type = types.int; + default = 10011; + description = '' + TCP port opened for ServerQuery connections. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = "Open ports in the firewall for the TeamSpeak3 server."; + }; + + openFirewallServerQuery = mkOption { + type = types.bool; + default = false; + description = "Open ports in the firewall for the TeamSpeak3 serverquery (administration) system. Requires openFirewall."; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + users.users.teamspeak = { + description = "Teamspeak3 voice communication server daemon"; + group = group; + uid = config.ids.uids.teamspeak; + home = cfg.dataDir; + createHome = true; + }; + + users.groups.teamspeak = { + gid = config.ids.gids.teamspeak; + }; + + systemd.tmpfiles.rules = [ + "d '${cfg.logPath}' - ${user} ${group} - -" + ]; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.fileTransferPort ] ++ optionals (cfg.openFirewallServerQuery) [ cfg.queryPort (cfg.queryPort + 11) ]; + # subsequent vServers will use the incremented voice port, let's just open the next 10 + allowedUDPPortRanges = [ { from = cfg.defaultVoicePort; to = cfg.defaultVoicePort + 10; } ]; + }; + + systemd.services.teamspeak3-server = { + description = "Teamspeak3 voice communication server daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = '' + ${ts3}/bin/ts3server \ + dbsqlpath=${ts3}/lib/teamspeak/sql/ logpath=${cfg.logPath} \ + ${optionalString (cfg.voiceIP != null) "voice_ip=${cfg.voiceIP}"} \ + default_voice_port=${toString cfg.defaultVoicePort} \ + ${optionalString (cfg.fileTransferIP != null) "filetransfer_ip=${cfg.fileTransferIP}"} \ + filetransfer_port=${toString cfg.fileTransferPort} \ + ${optionalString (cfg.queryIP != null) "query_ip=${cfg.queryIP}"} \ + query_port=${toString cfg.queryPort} license_accepted=1 + ''; + WorkingDirectory = cfg.dataDir; + User = user; + Group = group; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ arobyn ]; +} diff --git a/nixos/modules/services/networking/tedicross.nix b/nixos/modules/services/networking/tedicross.nix new file mode 100644 index 00000000000..c7830289dca --- /dev/null +++ b/nixos/modules/services/networking/tedicross.nix @@ -0,0 +1,100 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + dataDir = "/var/lib/tedicross"; + cfg = config.services.tedicross; + configJSON = pkgs.writeText "tedicross-settings.json" (builtins.toJSON cfg.config); + configYAML = pkgs.runCommand "tedicross-settings.yaml" { preferLocalBuild = true; } '' + ${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out + ''; + +in { + options = { + services.tedicross = { + enable = mkEnableOption "the TediCross Telegram-Discord bridge service"; + + config = mkOption { + type = types.attrs; + # from https://github.com/TediCross/TediCross/blob/master/example.settings.yaml + example = literalExpression '' + { + telegram = { + useFirstNameInsteadOfUsername = false; + colonAfterSenderName = false; + skipOldMessages = true; + sendEmojiWithStickers = true; + }; + discord = { + useNickname = false; + skipOldMessages = true; + displayTelegramReplies = "embed"; + replyLength = 100; + }; + bridges = [ + { + name = "Default bridge"; + direction = "both"; + telegram = { + chatId = -123456789; + relayJoinMessages = true; + relayLeaveMessages = true; + sendUsernames = true; + ignoreCommands = true; + }; + discord = { + serverId = "DISCORD_SERVER_ID"; + channelId = "DISCORD_CHANNEL_ID"; + relayJoinMessages = true; + relayLeaveMessages = true; + sendUsernames = true; + crossDeleteOnTelegram = true; + }; + } + ]; + + debug = false; + } + ''; + description = '' + <filename>settings.yaml</filename> configuration as a Nix attribute set. + Secret tokens should be specified using <option>environmentFile</option> + instead of this world-readable file. + ''; + }; + + environmentFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + File containing environment variables to be passed to the TediCross service, + in which secret tokens can be specified securely using the + <literal>TELEGRAM_BOT_TOKEN</literal> and <literal>DISCORD_BOT_TOKEN</literal> + keys. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + # from https://github.com/TediCross/TediCross/blob/master/guides/autostart/Linux.md + systemd.services.tedicross = { + description = "TediCross Telegram-Discord bridge service"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.nodePackages.tedicross}/bin/tedicross --config='${configYAML}' --data-dir='${dataDir}'"; + Restart = "always"; + DynamicUser = true; + StateDirectory = baseNameOf dataDir; + EnvironmentFile = cfg.environmentFile; + }; + }; + }; + + meta.maintainers = with maintainers; [ pacien ]; +} + diff --git a/nixos/modules/services/networking/teleport.nix b/nixos/modules/services/networking/teleport.nix new file mode 100644 index 00000000000..45479162180 --- /dev/null +++ b/nixos/modules/services/networking/teleport.nix @@ -0,0 +1,99 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.teleport; + settingsYaml = pkgs.formats.yaml { }; +in +{ + options = { + services.teleport = with lib.types; { + enable = mkEnableOption "the Teleport service"; + + settings = mkOption { + type = settingsYaml.type; + default = { }; + example = literalExpression '' + { + teleport = { + nodename = "client"; + advertise_ip = "192.168.1.2"; + auth_token = "60bdc117-8ff4-478d-95e4-9914597847eb"; + auth_servers = [ "192.168.1.1:3025" ]; + log.severity = "DEBUG"; + }; + ssh_service = { + enabled = true; + labels = { + role = "client"; + }; + }; + proxy_service.enabled = false; + auth_service.enabled = false; + } + ''; + description = '' + Contents of the <literal>teleport.yaml</literal> config file. + The <literal>--config</literal> arguments will only be passed if this set is not empty. + + See <link xlink:href="https://goteleport.com/docs/setup/reference/config/"/>. + ''; + }; + + insecure.enable = mkEnableOption '' + starting teleport in insecure mode. + + This is dangerous! + Sensitive information will be logged to console and certificates will not be verified. + Proceed with caution! + + Teleport starts with disabled certificate validation on Proxy Service, validation still occurs on Auth Service + ''; + + diag = { + enable = mkEnableOption '' + endpoints for monitoring purposes. + + See <link xlink:href="https://goteleport.com/docs/setup/admin/troubleshooting/#troubleshooting/"/> + ''; + + addr = mkOption { + type = str; + default = "127.0.0.1"; + description = "Metrics and diagnostics address."; + }; + + port = mkOption { + type = int; + default = 3000; + description = "Metrics and diagnostics port."; + }; + }; + }; + }; + + config = mkIf config.services.teleport.enable { + environment.systemPackages = [ pkgs.teleport ]; + + systemd.services.teleport = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + ExecStart = '' + ${pkgs.teleport}/bin/teleport start \ + ${optionalString cfg.insecure.enable "--insecure"} \ + ${optionalString cfg.diag.enable "--diag-addr=${cfg.diag.addr}:${toString cfg.diag.port}"} \ + ${optionalString (cfg.settings != { }) "--config=${settingsYaml.generate "teleport.yaml" cfg.settings}"} + ''; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + LimitNOFILE = 65536; + Restart = "always"; + RestartSec = "5s"; + RuntimeDirectory = "teleport"; + Type = "simple"; + }; + }; + }; +} + diff --git a/nixos/modules/services/networking/tetrd.nix b/nixos/modules/services/networking/tetrd.nix new file mode 100644 index 00000000000..0801ce12924 --- /dev/null +++ b/nixos/modules/services/networking/tetrd.nix @@ -0,0 +1,96 @@ +{ config, lib, pkgs, ... }: + +{ + options.services.tetrd.enable = lib.mkEnableOption "tetrd"; + + config = lib.mkIf config.services.tetrd.enable { + environment = { + systemPackages = [ pkgs.tetrd ]; + etc."resolv.conf".source = "/etc/tetrd/resolv.conf"; + }; + + systemd = { + tmpfiles.rules = [ "f /etc/tetrd/resolv.conf - - -" ]; + + services.tetrd = { + description = pkgs.tetrd.meta.description; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = "${pkgs.tetrd}/opt/Tetrd/bin/tetrd"; + Restart = "always"; + RuntimeDirectory = "tetrd"; + RootDirectory = "/run/tetrd"; + DynamicUser = true; + UMask = "006"; + DeviceAllow = "usb_device"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateMounts = true; + PrivateNetwork = lib.mkDefault false; + PrivateTmp = true; + PrivateUsers = lib.mkDefault false; + ProtectClock = lib.mkDefault false; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + + SystemCallFilter = [ + "@system-service" + "~@aio" + "~@chown" + "~@clock" + "~@cpu-emulation" + "~@debug" + "~@keyring" + "~@memlock" + "~@module" + "~@mount" + "~@obsolete" + "~@pkey" + "~@raw-io" + "~@reboot" + "~@swap" + "~@sync" + ]; + + BindReadOnlyPaths = [ + builtins.storeDir + "/etc/ssl" + "/etc/static/ssl" + "${pkgs.nettools}/bin/route:/usr/bin/route" + "${pkgs.nettools}/bin/ifconfig:/usr/bin/ifconfig" + ]; + + BindPaths = [ + "/etc/tetrd/resolv.conf:/etc/resolv.conf" + "/run" + "/var/log" + ]; + + CapabilityBoundingSet = [ + "CAP_DAC_OVERRIDE" + "CAP_NET_ADMIN" + ]; + + AmbientCapabilities = [ + "CAP_DAC_OVERRIDE" + "CAP_NET_ADMIN" + ]; + }; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/tftpd.nix b/nixos/modules/services/networking/tftpd.nix new file mode 100644 index 00000000000..c9c0a2b321d --- /dev/null +++ b/nixos/modules/services/networking/tftpd.nix @@ -0,0 +1,46 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + + ###### interface + + options = { + + services.tftpd.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable tftpd, a Trivial File Transfer Protocol server. + The server will be run as an xinetd service. + ''; + }; + + services.tftpd.path = mkOption { + type = types.path; + default = "/srv/tftp"; + description = '' + Where the tftp server files are stored. + ''; + }; + + }; + + + ###### implementation + + config = mkIf config.services.tftpd.enable { + + services.xinetd.enable = true; + + services.xinetd.services = singleton + { name = "tftp"; + protocol = "udp"; + server = "${pkgs.netkittftp}/sbin/in.tftpd"; + serverArgs = "${config.services.tftpd.path}"; + }; + + }; + +} diff --git a/nixos/modules/services/networking/thelounge.nix b/nixos/modules/services/networking/thelounge.nix new file mode 100644 index 00000000000..a5118fd8b33 --- /dev/null +++ b/nixos/modules/services/networking/thelounge.nix @@ -0,0 +1,106 @@ +{ pkgs, lib, config, ... }: + +with lib; + +let + cfg = config.services.thelounge; + dataDir = "/var/lib/thelounge"; + configJsData = "module.exports = " + builtins.toJSON ( + { inherit (cfg) public port; } // cfg.extraConfig + ); + pluginManifest = { + dependencies = builtins.listToAttrs (builtins.map (pkg: { name = getName pkg; value = getVersion pkg; }) cfg.plugins); + }; + plugins = pkgs.runCommandLocal "thelounge-plugins" { } '' + mkdir -p $out/node_modules + echo ${escapeShellArg (builtins.toJSON pluginManifest)} >> $out/package.json + ${concatMapStringsSep "\n" (pkg: '' + ln -s ${pkg}/lib/node_modules/${getName pkg} $out/node_modules/${getName pkg} + '') cfg.plugins} + ''; +in +{ + imports = [ (mkRemovedOptionModule [ "services" "thelounge" "private" ] "The option was renamed to `services.thelounge.public` to follow upstream changes.") ]; + + options.services.thelounge = { + enable = mkEnableOption "The Lounge web IRC client"; + + public = mkOption { + type = types.bool; + default = false; + description = '' + Make your The Lounge instance public. + Setting this to <literal>false</literal> will require you to configure user + accounts by using the (<command>thelounge</command>) command or by adding + entries in <filename>${dataDir}/users</filename>. You might need to restart + The Lounge after making changes to the state directory. + ''; + }; + + port = mkOption { + type = types.port; + default = 9000; + description = "TCP port to listen on for http connections."; + }; + + extraConfig = mkOption { + default = { }; + type = types.attrs; + example = literalExpression ''{ + reverseProxy = true; + defaults = { + name = "Your Network"; + host = "localhost"; + port = 6697; + }; + }''; + description = '' + The Lounge's <filename>config.js</filename> contents as attribute set (will be + converted to JSON to generate the configuration file). + + The options defined here will be merged to the default configuration file. + Note: In case of duplicate configuration, options from <option>extraConfig</option> have priority. + + Documentation: <link xlink:href="https://thelounge.chat/docs/server/configuration" /> + ''; + }; + + plugins = mkOption { + default = [ ]; + type = types.listOf types.package; + example = literalExpression "[ pkgs.theLoungePlugins.themes.solarized ]"; + description = '' + The Lounge plugins to install. Plugins can be found in + <literal>pkgs.theLoungePlugins.plugins</literal> and <literal>pkgs.theLoungePlugins.themes</literal>. + ''; + }; + }; + + config = mkIf cfg.enable { + users.users.thelounge = { + description = "The Lounge service user"; + group = "thelounge"; + isSystemUser = true; + }; + + users.groups.thelounge = { }; + + systemd.services.thelounge = { + description = "The Lounge web IRC client"; + wantedBy = [ "multi-user.target" ]; + preStart = "ln -sf ${pkgs.writeText "config.js" configJsData} ${dataDir}/config.js"; + environment.THELOUNGE_PACKAGES = mkIf (cfg.plugins != [ ]) "${plugins}"; + serviceConfig = { + User = "thelounge"; + StateDirectory = baseNameOf dataDir; + ExecStart = "${pkgs.thelounge}/bin/thelounge start"; + }; + }; + + environment.systemPackages = [ pkgs.thelounge ]; + }; + + meta = { + maintainers = with lib.maintainers; [ winter ]; + }; +} diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix new file mode 100644 index 00000000000..31731b60d48 --- /dev/null +++ b/nixos/modules/services/networking/tinc.nix @@ -0,0 +1,439 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.tinc; + + mkValueString = value: + if value == true then "yes" + else if value == false then "no" + else generators.mkValueStringDefault { } value; + + toTincConf = generators.toKeyValue { + listsAsDuplicateKeys = true; + mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } "="; + }; + + tincConfType = with types; + let + valueType = oneOf [ bool str int ]; + in + attrsOf (either valueType (listOf valueType)); + + addressSubmodule = { + options = { + address = mkOption { + type = types.str; + description = "The external IP address or hostname where the host can be reached."; + }; + + port = mkOption { + type = types.nullOr types.port; + default = null; + description = '' + The port where the host can be reached. + + If no port is specified, the default Port is used. + ''; + }; + }; + }; + + subnetSubmodule = { + options = { + address = mkOption { + type = types.str; + description = '' + The subnet of this host. + + Subnets can either be single MAC, IPv4 or IPv6 addresses, in which case + a subnet consisting of only that single address is assumed, or they can + be a IPv4 or IPv6 network address with a prefix length. + + IPv4 subnets are notated like 192.168.1.0/24, IPv6 subnets are notated + like fec0:0:0:1::/64. MAC addresses are notated like 0:1a:2b:3c:4d:5e. + + Note that subnets like 192.168.1.1/24 are invalid. + ''; + }; + + prefixLength = mkOption { + type = with types; nullOr (addCheck int (n: n >= 0 && n <= 128)); + default = null; + description = '' + The prefix length of the subnet. + + If null, a subnet consisting of only that single address is assumed. + + This conforms to standard CIDR notation as described in RFC1519. + ''; + }; + + weight = mkOption { + type = types.ints.unsigned; + default = 10; + description = '' + Indicates the priority over identical Subnets owned by different nodes. + + Lower values indicate higher priority. Packets will be sent to the + node with the highest priority, unless that node is not reachable, in + which case the node with the next highest priority will be tried, and + so on. + ''; + }; + }; + }; + + hostSubmodule = { config, ... }: { + options = { + addresses = mkOption { + type = types.listOf (types.submodule addressSubmodule); + default = [ ]; + description = '' + The external address where the host can be reached. This will set this + host's <option>settings.Address</option> option. + + This variable is only required if you want to connect to this host. + ''; + }; + + subnets = mkOption { + type = types.listOf (types.submodule subnetSubmodule); + default = [ ]; + description = '' + The subnets which this tinc daemon will serve. This will set this + host's <option>settings.Subnet</option> option. + + Tinc tries to look up which other daemon it should send a packet to by + searching the appropriate subnet. If the packet matches a subnet, it + will be sent to the daemon who has this subnet in his host + configuration file. + ''; + }; + + rsaPublicKey = mkOption { + type = types.str; + default = ""; + description = '' + Legacy RSA public key of the host in PEM format, including start and + end markers. + + This will be appended as-is in the host's configuration file. + + The ed25519 public key can be specified using the + <option>settings.Ed25519PublicKey</option> option instead. + ''; + }; + + settings = mkOption { + default = { }; + type = types.submodule { freeformType = tincConfType; }; + description = '' + Configuration for this host. + + See <link xlink:href="https://tinc-vpn.org/documentation-1.1/Host-configuration-variables.html"/> + for supported values. + ''; + }; + }; + + config.settings = { + Address = mkDefault (map + (address: "${address.address} ${toString address.port}") + config.addresses); + + Subnet = mkDefault (map + (subnet: + if subnet.prefixLength == null then "${subnet.address}#${toString subnet.weight}" + else "${subnet.address}/${toString subnet.prefixLength}#${toString subnet.weight}") + config.subnets); + }; + }; + +in +{ + + ###### interface + + options = { + + services.tinc = { + + networks = mkOption { + default = { }; + type = with types; attrsOf (submodule ({ config, ... }: { + options = { + + extraConfig = mkOption { + default = ""; + type = types.lines; + description = '' + Extra lines to add to the tinc service configuration file. + + Note that using the declarative <option>service.tinc.networks.<name>.settings</option> + option is preferred. + ''; + }; + + name = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + The name of the node which is used as an identifier when communicating + with the remote nodes in the mesh. If null then the hostname of the system + is used to derive a name (note that tinc may replace non-alphanumeric characters in + hostnames by underscores). + ''; + }; + + ed25519PrivateKeyFile = mkOption { + default = null; + type = types.nullOr types.path; + description = '' + Path of the private ed25519 keyfile. + ''; + }; + + rsaPrivateKeyFile = mkOption { + default = null; + type = types.nullOr types.path; + description = '' + Path of the private RSA keyfile. + ''; + }; + + debugLevel = mkOption { + default = 0; + type = types.addCheck types.int (l: l >= 0 && l <= 5); + description = '' + The amount of debugging information to add to the log. 0 means little + logging while 5 is the most logging. <command>man tincd</command> for + more details. + ''; + }; + + hosts = mkOption { + default = { }; + type = types.attrsOf types.lines; + description = '' + The name of the host in the network as well as the configuration for that host. + This name should only contain alphanumerics and underscores. + + Note that using the declarative <option>service.tinc.networks.<name>.hostSettings</option> + option is preferred. + ''; + }; + + hostSettings = mkOption { + default = { }; + example = literalExpression '' + { + host1 = { + addresses = [ + { address = "192.168.1.42"; } + { address = "192.168.1.42"; port = 1655; } + ]; + subnets = [ { address = "10.0.0.42"; } ]; + rsaPublicKey = "..."; + settings = { + Ed25519PublicKey = "..."; + }; + }; + host2 = { + subnets = [ { address = "10.0.1.0"; prefixLength = 24; weight = 2; } ]; + rsaPublicKey = "..."; + settings = { + Compression = 10; + }; + }; + } + ''; + type = types.attrsOf (types.submodule hostSubmodule); + description = '' + The name of the host in the network as well as the configuration for that host. + This name should only contain alphanumerics and underscores. + ''; + }; + + interfaceType = mkOption { + default = "tun"; + type = types.enum [ "tun" "tap" ]; + description = '' + The type of virtual interface used for the network connection. + ''; + }; + + listenAddress = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + The ip address to listen on for incoming connections. + ''; + }; + + bindToAddress = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + The ip address to bind to (both listen on and send packets from). + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.tinc_pre; + defaultText = literalExpression "pkgs.tinc_pre"; + description = '' + The package to use for the tinc daemon's binary. + ''; + }; + + chroot = mkOption { + default = false; + type = types.bool; + description = '' + Change process root directory to the directory where the config file is located (/etc/tinc/netname/), for added security. + The chroot is performed after all the initialization is done, after writing pid files and opening network sockets. + + Note that this currently breaks dns resolution and tinc can't run scripts anymore (such as tinc-down or host-up), unless it is setup to be runnable inside chroot environment. + ''; + }; + + settings = mkOption { + default = { }; + type = types.submodule { freeformType = tincConfType; }; + example = literalExpression '' + { + Interface = "custom.interface"; + DirectOnly = true; + Mode = "switch"; + } + ''; + description = '' + Configuration of the Tinc daemon for this network. + + See <link xlink:href="https://tinc-vpn.org/documentation-1.1/Main-configuration-variables.html"/> + for supported values. + ''; + }; + }; + + config = { + hosts = mapAttrs + (hostname: host: '' + ${toTincConf host.settings} + ${host.rsaPublicKey} + '') + config.hostSettings; + + settings = { + DeviceType = mkDefault config.interfaceType; + Name = mkDefault (if config.name == null then "$HOST" else config.name); + Ed25519PrivateKeyFile = mkIf (config.ed25519PrivateKeyFile != null) (mkDefault config.ed25519PrivateKeyFile); + PrivateKeyFile = mkIf (config.rsaPrivateKeyFile != null) (mkDefault config.rsaPrivateKeyFile); + ListenAddress = mkIf (config.listenAddress != null) (mkDefault config.listenAddress); + BindToAddress = mkIf (config.bindToAddress != null) (mkDefault config.bindToAddress); + }; + }; + })); + + description = '' + Defines the tinc networks which will be started. + Each network invokes a different daemon. + ''; + }; + }; + + }; + + + ###### implementation + + config = mkIf (cfg.networks != { }) { + + environment.etc = foldr (a: b: a // b) { } + (flip mapAttrsToList cfg.networks (network: data: + flip mapAttrs' data.hosts (host: text: nameValuePair + ("tinc/${network}/hosts/${host}") + ({ mode = "0644"; user = "tinc.${network}"; inherit text; }) + ) // { + "tinc/${network}/tinc.conf" = { + mode = "0444"; + text = '' + ${toTincConf ({ Interface = "tinc.${network}"; } // data.settings)} + ${data.extraConfig} + ''; + }; + } + )); + + systemd.services = flip mapAttrs' cfg.networks (network: data: nameValuePair + ("tinc.${network}") + ({ + description = "Tinc Daemon - ${network}"; + wantedBy = [ "multi-user.target" ]; + path = [ data.package ]; + restartTriggers = [ config.environment.etc."tinc/${network}/tinc.conf".source ]; + serviceConfig = { + Type = "simple"; + Restart = "always"; + RestartSec = "3"; + ExecReload = mkIf (versionAtLeast (getVersion data.package) "1.1pre") "${data.package}/bin/tinc -n ${network} reload"; + ExecStart = "${data.package}/bin/tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}"; + }; + preStart = '' + mkdir -p /etc/tinc/${network}/hosts + chown tinc.${network} /etc/tinc/${network}/hosts + mkdir -p /etc/tinc/${network}/invitations + chown tinc.${network} /etc/tinc/${network}/invitations + + # Determine how we should generate our keys + if type tinc >/dev/null 2>&1; then + # Tinc 1.1+ uses the tinc helper application for key generation + ${if data.ed25519PrivateKeyFile != null then " # ed25519 Keyfile managed by nix" else '' + # Prefer ED25519 keys (only in 1.1+) + [ -f "/etc/tinc/${network}/ed25519_key.priv" ] || tinc -n ${network} generate-ed25519-keys + ''} + ${if data.rsaPrivateKeyFile != null then " # RSA Keyfile managed by nix" else '' + [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tinc -n ${network} generate-rsa-keys 4096 + ''} + # In case there isn't anything to do + true + else + # Tinc 1.0 uses the tincd application + [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tincd -n ${network} -K 4096 + fi + ''; + }) + ); + + environment.systemPackages = let + cli-wrappers = pkgs.stdenv.mkDerivation { + name = "tinc-cli-wrappers"; + buildInputs = [ pkgs.makeWrapper ]; + buildCommand = '' + mkdir -p $out/bin + ${concatStringsSep "\n" (mapAttrsToList (network: data: + optionalString (versionAtLeast data.package.version "1.1pre") '' + makeWrapper ${data.package}/bin/tinc "$out/bin/tinc.${network}" \ + --add-flags "--pidfile=/run/tinc.${network}.pid" \ + --add-flags "--config=/etc/tinc/${network}" + '') cfg.networks)} + ''; + }; + in [ cli-wrappers ]; + + users.users = flip mapAttrs' cfg.networks (network: _: + nameValuePair ("tinc.${network}") ({ + description = "Tinc daemon user for ${network}"; + isSystemUser = true; + group = "tinc.${network}"; + }) + ); + users.groups = flip mapAttrs' cfg.networks (network: _: + nameValuePair "tinc.${network}" {} + ); + }; + + meta.maintainers = with maintainers; [ minijackson mic92 ]; +} diff --git a/nixos/modules/services/networking/tinydns.nix b/nixos/modules/services/networking/tinydns.nix new file mode 100644 index 00000000000..2c44ad49296 --- /dev/null +++ b/nixos/modules/services/networking/tinydns.nix @@ -0,0 +1,59 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + ###### interface + + options = { + services.tinydns = { + enable = mkOption { + default = false; + type = types.bool; + description = "Whether to run the tinydns dns server"; + }; + + data = mkOption { + type = types.lines; + default = ""; + description = "The DNS data to serve, in the format described by tinydns-data(8)"; + }; + + ip = mkOption { + default = "0.0.0.0"; + type = types.str; + description = "IP address on which to listen for connections"; + }; + }; + }; + + ###### implementation + + config = mkIf config.services.tinydns.enable { + environment.systemPackages = [ pkgs.djbdns ]; + + users.users.tinydns = { + isSystemUser = true; + group = "tinydns"; + }; + users.groups.tinydns = {}; + + systemd.services.tinydns = { + description = "djbdns tinydns server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + path = with pkgs; [ daemontools djbdns ]; + preStart = '' + rm -rf /var/lib/tinydns + tinydns-conf tinydns tinydns /var/lib/tinydns ${config.services.tinydns.ip} + cd /var/lib/tinydns/root/ + ln -sf ${pkgs.writeText "tinydns-data" config.services.tinydns.data} data + tinydns-data + ''; + script = '' + cd /var/lib/tinydns + exec ./run + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/tox-bootstrapd.nix b/nixos/modules/services/networking/tox-bootstrapd.nix new file mode 100644 index 00000000000..7c13724e084 --- /dev/null +++ b/nixos/modules/services/networking/tox-bootstrapd.nix @@ -0,0 +1,74 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + WorkingDirectory = "/var/lib/tox-bootstrapd"; + PIDFile = "${WorkingDirectory}/pid"; + + pkg = pkgs.libtoxcore; + cfg = config.services.toxBootstrapd; + cfgFile = builtins.toFile "tox-bootstrapd.conf" + '' + port = ${toString cfg.port} + keys_file_path = "${WorkingDirectory}/keys" + pid_file_path = "${PIDFile}" + ${cfg.extraConfig} + ''; +in +{ + options = + { services.toxBootstrapd = + { enable = mkOption { + type = types.bool; + default = false; + description = + '' + Whether to enable the Tox DHT bootstrap daemon. + ''; + }; + + port = mkOption { + type = types.int; + default = 33445; + description = "Listening port (UDP)."; + }; + + keysFile = mkOption { + type = types.str; + default = "${WorkingDirectory}/keys"; + description = "Node key file."; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = + '' + Configuration for bootstrap daemon. + See <link xlink:href="https://github.com/irungentoo/toxcore/blob/master/other/bootstrap_daemon/tox-bootstrapd.conf"/> + and <link xlink:href="http://wiki.tox.im/Nodes"/>. + ''; + }; + }; + + }; + + config = mkIf config.services.toxBootstrapd.enable { + + systemd.services.tox-bootstrapd = { + description = "Tox DHT bootstrap daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = + { ExecStart = "${pkg}/bin/tox-bootstrapd --config=${cfgFile}"; + Type = "forking"; + inherit PIDFile WorkingDirectory; + AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]; + DynamicUser = true; + StateDirectory = "tox-bootstrapd"; + }; + }; + + }; +} diff --git a/nixos/modules/services/networking/tox-node.nix b/nixos/modules/services/networking/tox-node.nix new file mode 100644 index 00000000000..c6e5c2d6e81 --- /dev/null +++ b/nixos/modules/services/networking/tox-node.nix @@ -0,0 +1,90 @@ +{ lib, pkgs, config, ... }: + +with lib; + +let + pkg = pkgs.tox-node; + cfg = config.services.tox-node; + homeDir = "/var/lib/tox-node"; + + configFile = let + src = "${pkg.src}/dpkg/config.yml"; + confJSON = pkgs.writeText "config.json" ( + builtins.toJSON { + log-type = cfg.logType; + keys-file = cfg.keysFile; + udp-address = cfg.udpAddress; + tcp-addresses = cfg.tcpAddresses; + tcp-connections-limit = cfg.tcpConnectionLimit; + lan-discovery = cfg.lanDiscovery; + threads = cfg.threads; + motd = cfg.motd; + } + ); + in with pkgs; runCommand "config.yml" {} '' + ${remarshal}/bin/remarshal -if yaml -of json ${src} -o src.json + ${jq}/bin/jq -s '(.[0] | with_entries( select(.key == "bootstrap-nodes"))) * .[1]' src.json ${confJSON} > $out + ''; + +in { + options.services.tox-node = { + enable = mkEnableOption "Tox Node service"; + + logType = mkOption { + type = types.enum [ "Stderr" "Stdout" "Syslog" "None" ]; + default = "Stderr"; + description = "Logging implementation."; + }; + keysFile = mkOption { + type = types.str; + default = "${homeDir}/keys"; + description = "Path to the file where DHT keys are stored."; + }; + udpAddress = mkOption { + type = types.str; + default = "0.0.0.0:33445"; + description = "UDP address to run DHT node."; + }; + tcpAddresses = mkOption { + type = types.listOf types.str; + default = [ "0.0.0.0:33445" ]; + description = "TCP addresses to run TCP relay."; + }; + tcpConnectionLimit = mkOption { + type = types.int; + default = 8192; + description = "Maximum number of active TCP connections relay can hold"; + }; + lanDiscovery = mkOption { + type = types.bool; + default = true; + description = "Enable local network discovery."; + }; + threads = mkOption { + type = types.int; + default = 1; + description = "Number of threads for execution"; + }; + motd = mkOption { + type = types.str; + default = "Hi from tox-rs! I'm up {{uptime}}. TCP: incoming {{tcp_packets_in}}, outgoing {{tcp_packets_out}}, UDP: incoming {{udp_packets_in}}, outgoing {{udp_packets_out}}"; + description = "Message of the day"; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.tox-node = { + description = "Tox Node"; + + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = "${pkg}/bin/tox-node config ${configFile}"; + StateDirectory = "tox-node"; + DynamicUser = true; + Restart = "always"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/toxvpn.nix b/nixos/modules/services/networking/toxvpn.nix new file mode 100644 index 00000000000..18cf7672d5f --- /dev/null +++ b/nixos/modules/services/networking/toxvpn.nix @@ -0,0 +1,70 @@ +{ config, pkgs, lib, ... }: + +with lib; + +{ + options = { + services.toxvpn = { + enable = mkEnableOption "toxvpn running on startup"; + + localip = mkOption { + type = types.str; + default = "10.123.123.1"; + description = "your ip on the vpn"; + }; + + port = mkOption { + type = types.int; + default = 33445; + description = "udp port for toxcore, port-forward to help with connectivity if you run many nodes behind one NAT"; + }; + + auto_add_peers = mkOption { + type = types.listOf types.str; + default = []; + example = [ "toxid1" "toxid2" ]; + description = "peers to automatically connect to on startup"; + }; + }; + }; + + config = mkIf config.services.toxvpn.enable { + systemd.services.toxvpn = { + description = "toxvpn daemon"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + preStart = '' + mkdir -p /run/toxvpn || true + chown toxvpn /run/toxvpn + ''; + + path = [ pkgs.toxvpn ]; + + script = '' + exec toxvpn -i ${config.services.toxvpn.localip} -l /run/toxvpn/control -u toxvpn -p ${toString config.services.toxvpn.port} ${lib.concatMapStringsSep " " (x: "-a ${x}") config.services.toxvpn.auto_add_peers} + ''; + + serviceConfig = { + KillMode = "process"; + Restart = "on-success"; + Type = "notify"; + }; + + restartIfChanged = false; # Likely to be used for remote admin + }; + + environment.systemPackages = [ pkgs.toxvpn ]; + + users.users = { + toxvpn = { + isSystemUser = true; + group = "toxvpn"; + home = "/var/lib/toxvpn"; + createHome = true; + }; + }; + users.groups.toxvpn = {}; + }; +} diff --git a/nixos/modules/services/networking/trickster.nix b/nixos/modules/services/networking/trickster.nix new file mode 100644 index 00000000000..e48bba8fa58 --- /dev/null +++ b/nixos/modules/services/networking/trickster.nix @@ -0,0 +1,113 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.trickster; +in +{ + + options = { + services.trickster = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable Trickster. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.trickster; + defaultText = literalExpression "pkgs.trickster"; + description = '' + Package that should be used for trickster. + ''; + }; + + configFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to configuration file. + ''; + }; + + instance-id = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Instance ID for when running multiple processes (default null). + ''; + }; + + log-level = mkOption { + type = types.str; + default = "info"; + description = '' + Level of Logging to use (debug, info, warn, error) (default "info"). + ''; + }; + + metrics-port = mkOption { + type = types.port; + default = 8082; + description = '' + Port that the /metrics endpoint will listen on. + ''; + }; + + origin = mkOption { + type = types.str; + default = "http://prometheus:9090"; + description = '' + URL to the Prometheus Origin. Enter it like you would in grafana, e.g., http://prometheus:9090 (default http://prometheus:9090). + ''; + }; + + profiler-port = mkOption { + type = types.nullOr types.port; + default = null; + description = '' + Port that the /debug/pprof endpoint will listen on. + ''; + }; + + proxy-port = mkOption { + type = types.port; + default = 9090; + description = '' + Port that the Proxy server will listen on. + ''; + }; + + }; + }; + + config = mkIf cfg.enable { + systemd.services.trickster = { + description = "Dashboard Accelerator for Prometheus"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + ExecStart = '' + ${cfg.package}/bin/trickster \ + -log-level ${cfg.log-level} \ + -metrics-port ${toString cfg.metrics-port} \ + -origin ${cfg.origin} \ + -proxy-port ${toString cfg.proxy-port} \ + ${optionalString (cfg.configFile != null) "-config ${cfg.configFile}"} \ + ${optionalString (cfg.profiler-port != null) "-profiler-port ${cfg.profiler-port}"} \ + ${optionalString (cfg.instance-id != null) "-instance-id ${cfg.instance-id}"} + ''; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "always"; + }; + }; + }; + + meta.maintainers = with maintainers; [ _1000101 ]; + +} diff --git a/nixos/modules/services/networking/tvheadend.nix b/nixos/modules/services/networking/tvheadend.nix new file mode 100644 index 00000000000..19a10a03bd9 --- /dev/null +++ b/nixos/modules/services/networking/tvheadend.nix @@ -0,0 +1,63 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.services.tvheadend; + pidFile = "${config.users.users.tvheadend.home}/tvheadend.pid"; +in + +{ + options = { + services.tvheadend = { + enable = mkEnableOption "Tvheadend"; + httpPort = mkOption { + type = types.int; + default = 9981; + description = "Port to bind HTTP to."; + }; + + htspPort = mkOption { + type = types.int; + default = 9982; + description = "Port to bind HTSP to."; + }; + }; + }; + + config = mkIf cfg.enable { + users.users.tvheadend = { + description = "Tvheadend Service user"; + home = "/var/lib/tvheadend"; + createHome = true; + isSystemUser = true; + group = "tvheadend"; + }; + users.groups.tvheadend = {}; + + systemd.services.tvheadend = { + description = "Tvheadend TV streaming server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + Type = "forking"; + PIDFile = pidFile; + Restart = "always"; + RestartSec = 5; + User = "tvheadend"; + Group = "video"; + ExecStart = '' + ${pkgs.tvheadend}/bin/tvheadend \ + --http_port ${toString cfg.httpPort} \ + --htsp_port ${toString cfg.htspPort} \ + -f \ + -C \ + -p ${pidFile} \ + -u tvheadend \ + -g video + ''; + ExecStop = "${pkgs.coreutils}/bin/rm ${pidFile}"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/ucarp.nix b/nixos/modules/services/networking/ucarp.nix new file mode 100644 index 00000000000..189e4f99cef --- /dev/null +++ b/nixos/modules/services/networking/ucarp.nix @@ -0,0 +1,183 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.networking.ucarp; + + ucarpExec = concatStringsSep " " ( + [ + "${cfg.package}/bin/ucarp" + "--interface=${cfg.interface}" + "--srcip=${cfg.srcIp}" + "--vhid=${toString cfg.vhId}" + "--passfile=${cfg.passwordFile}" + "--addr=${cfg.addr}" + "--advbase=${toString cfg.advBase}" + "--advskew=${toString cfg.advSkew}" + "--upscript=${cfg.upscript}" + "--downscript=${cfg.downscript}" + "--deadratio=${toString cfg.deadratio}" + ] + ++ (optional cfg.preempt "--preempt") + ++ (optional cfg.neutral "--neutral") + ++ (optional cfg.shutdown "--shutdown") + ++ (optional cfg.ignoreIfState "--ignoreifstate") + ++ (optional cfg.noMcast "--nomcast") + ++ (optional (cfg.extraParam != null) "--xparam=${cfg.extraParam}") + ); +in { + options.networking.ucarp = { + enable = mkEnableOption "ucarp, userspace implementation of CARP"; + + interface = mkOption { + type = types.str; + description = "Network interface to bind to."; + example = "eth0"; + }; + + srcIp = mkOption { + type = types.str; + description = "Source (real) IP address of this host."; + }; + + vhId = mkOption { + type = types.ints.between 1 255; + description = "Virtual IP identifier shared between CARP hosts."; + example = 1; + }; + + passwordFile = mkOption { + type = types.str; + description = "File containing shared password between CARP hosts."; + example = "/run/keys/ucarp-password"; + }; + + preempt = mkOption { + type = types.bool; + description = '' + Enable preemptive failover. + Thus, this host becomes the CARP master as soon as possible. + ''; + default = false; + }; + + neutral = mkOption { + type = types.bool; + description = "Do not run downscript at start if the host is the backup."; + default = false; + }; + + addr = mkOption { + type = types.str; + description = "Virtual shared IP address."; + }; + + advBase = mkOption { + type = types.ints.unsigned; + description = "Advertisement frequency in seconds."; + default = 1; + }; + + advSkew = mkOption { + type = types.ints.unsigned; + description = "Advertisement skew in seconds."; + default = 0; + }; + + upscript = mkOption { + type = types.path; + description = '' + Command to run after become master, the interface name, virtual address + and optional extra parameters are passed as arguments. + ''; + example = literalExpression '' + pkgs.writeScript "upscript" ''' + #!/bin/sh + ''${pkgs.iproute2}/bin/ip addr add "$2"/24 dev "$1" + '''; + ''; + }; + + downscript = mkOption { + type = types.path; + description = '' + Command to run after become backup, the interface name, virtual address + and optional extra parameters are passed as arguments. + ''; + example = literalExpression '' + pkgs.writeScript "downscript" ''' + #!/bin/sh + ''${pkgs.iproute2}/bin/ip addr del "$2"/24 dev "$1" + '''; + ''; + }; + + deadratio = mkOption { + type = types.ints.unsigned; + description = "Ratio to consider a host as dead."; + default = 3; + }; + + shutdown = mkOption { + type = types.bool; + description = "Call downscript at exit."; + default = false; + }; + + ignoreIfState = mkOption { + type = types.bool; + description = "Ignore interface state, e.g., down or no carrier."; + default = false; + }; + + noMcast = mkOption { + type = types.bool; + description = "Use broadcast instead of multicast advertisements."; + default = false; + }; + + extraParam = mkOption { + type = types.nullOr types.str; + description = "Extra parameter to pass to the up/down scripts."; + default = null; + }; + + package = mkOption { + type = types.package; + description = '' + Package that should be used for ucarp. + + Please note that the default package, pkgs.ucarp, has not received any + upstream updates for a long time and can be considered as unmaintained. + ''; + default = pkgs.ucarp; + defaultText = literalExpression "pkgs.ucarp"; + }; + }; + + config = mkIf cfg.enable { + systemd.services.ucarp = { + description = "ucarp, userspace implementation of CARP"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + Type = "exec"; + ExecStart = ucarpExec; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + ProtectClock = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ oxzi ]; +} diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix new file mode 100644 index 00000000000..87873c8c1e8 --- /dev/null +++ b/nixos/modules/services/networking/unbound.nix @@ -0,0 +1,314 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.unbound; + + yesOrNo = v: if v then "yes" else "no"; + + toOption = indent: n: v: "${indent}${toString n}: ${v}"; + + toConf = indent: n: v: + if builtins.isFloat v then (toOption indent n (builtins.toJSON v)) + else if isInt v then (toOption indent n (toString v)) + else if isBool v then (toOption indent n (yesOrNo v)) + else if isString v then (toOption indent n v) + else if isList v then (concatMapStringsSep "\n" (toConf indent n) v) + else if isAttrs v then (concatStringsSep "\n" ( + ["${indent}${n}:"] ++ ( + mapAttrsToList (toConf "${indent} ") v + ) + )) + else throw (traceSeq v "services.unbound.settings: unexpected type"); + + confNoServer = concatStringsSep "\n" ((mapAttrsToList (toConf "") (builtins.removeAttrs cfg.settings [ "server" ])) ++ [""]); + confServer = concatStringsSep "\n" (mapAttrsToList (toConf " ") (builtins.removeAttrs cfg.settings.server [ "define-tag" ])); + + confFile = pkgs.writeText "unbound.conf" '' + server: + ${optionalString (cfg.settings.server.define-tag != "") (toOption " " "define-tag" cfg.settings.server.define-tag)} + ${confServer} + ${confNoServer} + ''; + + rootTrustAnchorFile = "${cfg.stateDir}/root.key"; + +in { + + ###### interface + + options = { + services.unbound = { + + enable = mkEnableOption "Unbound domain name server"; + + package = mkOption { + type = types.package; + default = pkgs.unbound-with-systemd; + defaultText = literalExpression "pkgs.unbound-with-systemd"; + description = "The unbound package to use"; + }; + + user = mkOption { + type = types.str; + default = "unbound"; + description = "User account under which unbound runs."; + }; + + group = mkOption { + type = types.str; + default = "unbound"; + description = "Group under which unbound runs."; + }; + + stateDir = mkOption { + type = types.path; + default = "/var/lib/unbound"; + description = "Directory holding all state for unbound to run."; + }; + + resolveLocalQueries = mkOption { + type = types.bool; + default = true; + description = '' + Whether unbound should resolve local queries (i.e. add 127.0.0.1 to + /etc/resolv.conf). + ''; + }; + + enableRootTrustAnchor = mkOption { + default = true; + type = types.bool; + description = "Use and update root trust anchor for DNSSEC validation."; + }; + + localControlSocketPath = mkOption { + default = null; + # FIXME: What is the proper type here so users can specify strings, + # paths and null? + # My guess would be `types.nullOr (types.either types.str types.path)` + # but I haven't verified yet. + type = types.nullOr types.str; + example = "/run/unbound/unbound.ctl"; + description = '' + When not set to <literal>null</literal> this option defines the path + at which the unbound remote control socket should be created at. The + socket will be owned by the unbound user (<literal>unbound</literal>) + and group will be <literal>nogroup</literal>. + + Users that should be permitted to access the socket must be in the + <literal>config.services.unbound.group</literal> group. + + If this option is <literal>null</literal> remote control will not be + enabled. Unbounds default values apply. + ''; + }; + + settings = mkOption { + default = {}; + type = with types; submodule { + + freeformType = let + validSettingsPrimitiveTypes = oneOf [ int str bool float ]; + validSettingsTypes = oneOf [ validSettingsPrimitiveTypes (listOf validSettingsPrimitiveTypes) ]; + settingsType = oneOf [ str (attrsOf validSettingsTypes) ]; + in attrsOf (oneOf [ settingsType (listOf settingsType) ]) + // { description = '' + unbound.conf configuration type. The format consist of an attribute + set of settings. Each settings can be either one value, a list of + values or an attribute set. The allowed values are integers, + strings, booleans or floats. + ''; + }; + + options = { + remote-control.control-enable = mkOption { + type = bool; + default = false; + internal = true; + }; + }; + }; + example = literalExpression '' + { + server = { + interface = [ "127.0.0.1" ]; + }; + forward-zone = [ + { + name = "."; + forward-addr = "1.1.1.1@853#cloudflare-dns.com"; + } + { + name = "example.org."; + forward-addr = [ + "1.1.1.1@853#cloudflare-dns.com" + "1.0.0.1@853#cloudflare-dns.com" + ]; + } + ]; + remote-control.control-enable = true; + }; + ''; + description = '' + Declarative Unbound configuration + See the <citerefentry><refentrytitle>unbound.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> manpage for a list of + available options. + ''; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + services.unbound.settings = { + server = { + directory = mkDefault cfg.stateDir; + username = cfg.user; + chroot = ''""''; + pidfile = ''""''; + # when running under systemd there is no need to daemonize + do-daemonize = false; + interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1")); + access-control = mkDefault ([ "127.0.0.0/8 allow" ] ++ (optional config.networking.enableIPv6 "::1/128 allow")); + auto-trust-anchor-file = mkIf cfg.enableRootTrustAnchor rootTrustAnchorFile; + tls-cert-bundle = mkDefault "/etc/ssl/certs/ca-certificates.crt"; + # prevent race conditions on system startup when interfaces are not yet + # configured + ip-freebind = mkDefault true; + define-tag = mkDefault ""; + }; + remote-control = { + control-enable = mkDefault false; + control-interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1")); + server-key-file = mkDefault "${cfg.stateDir}/unbound_server.key"; + server-cert-file = mkDefault "${cfg.stateDir}/unbound_server.pem"; + control-key-file = mkDefault "${cfg.stateDir}/unbound_control.key"; + control-cert-file = mkDefault "${cfg.stateDir}/unbound_control.pem"; + } // optionalAttrs (cfg.localControlSocketPath != null) { + control-enable = true; + control-interface = cfg.localControlSocketPath; + }; + }; + + environment.systemPackages = [ cfg.package ]; + + users.users = mkIf (cfg.user == "unbound") { + unbound = { + description = "unbound daemon user"; + isSystemUser = true; + group = cfg.group; + }; + }; + + users.groups = mkIf (cfg.group == "unbound") { + unbound = {}; + }; + + networking = mkIf cfg.resolveLocalQueries { + resolvconf = { + useLocalResolver = mkDefault true; + }; + + networkmanager.dns = "unbound"; + }; + + environment.etc."unbound/unbound.conf".source = confFile; + + systemd.services.unbound = { + description = "Unbound recursive Domain Name Server"; + after = [ "network.target" ]; + before = [ "nss-lookup.target" ]; + wantedBy = [ "multi-user.target" "nss-lookup.target" ]; + + path = mkIf cfg.settings.remote-control.control-enable [ pkgs.openssl ]; + + preStart = '' + ${optionalString cfg.enableRootTrustAnchor '' + ${cfg.package}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" + ''} + ${optionalString cfg.settings.remote-control.control-enable '' + ${cfg.package}/bin/unbound-control-setup -d ${cfg.stateDir} + ''} + ''; + + restartTriggers = [ + confFile + ]; + + serviceConfig = { + ExecStart = "${cfg.package}/bin/unbound -p -d -c /etc/unbound/unbound.conf"; + ExecReload = "+/run/current-system/sw/bin/kill -HUP $MAINPID"; + + NotifyAccess = "main"; + Type = "notify"; + + # FIXME: Which of these do we actualy need, can we drop the chroot flag? + AmbientCapabilities = [ + "CAP_NET_BIND_SERVICE" + "CAP_NET_RAW" + "CAP_SETGID" + "CAP_SETUID" + "CAP_SYS_CHROOT" + "CAP_SYS_RESOURCE" + ]; + + User = cfg.user; + Group = cfg.group; + + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + ProtectHome = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectSystem = "strict"; + RuntimeDirectory = "unbound"; + ConfigurationDirectory = "unbound"; + StateDirectory = "unbound"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ]; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "~@clock" + "@cpu-emulation" + "@debug" + "@keyring" + "@module" + "mount" + "@obsolete" + "@resources" + ]; + RestrictNamespaces = true; + LockPersonality = true; + RestrictSUIDSGID = true; + + Restart = "on-failure"; + RestartSec = "5s"; + }; + }; + }; + + imports = [ + (mkRenamedOptionModule [ "services" "unbound" "interfaces" ] [ "services" "unbound" "settings" "server" "interface" ]) + (mkChangedOptionModule [ "services" "unbound" "allowedAccess" ] [ "services" "unbound" "settings" "server" "access-control" ] ( + config: map (value: "${value} allow") (getAttrFromPath [ "services" "unbound" "allowedAccess" ] config) + )) + (mkRemovedOptionModule [ "services" "unbound" "forwardAddresses" ] '' + Add a new setting: + services.unbound.settings.forward-zone = [{ + name = "."; + forward-addr = [ # Your current services.unbound.forwardAddresses ]; + }]; + If any of those addresses are local addresses (127.0.0.1 or ::1), you must + also set services.unbound.settings.server.do-not-query-localhost to false. + '') + (mkRemovedOptionModule [ "services" "unbound" "extraConfig" ] '' + You can use services.unbound.settings to add any configuration you want. + '') + ]; +} diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix new file mode 100644 index 00000000000..a683c537f05 --- /dev/null +++ b/nixos/modules/services/networking/unifi.nix @@ -0,0 +1,202 @@ +{ config, options, lib, pkgs, utils, ... }: +with lib; +let + cfg = config.services.unifi; + stateDir = "/var/lib/unifi"; + cmd = '' + @${cfg.jrePackage}/bin/java java \ + ${optionalString (cfg.initialJavaHeapSize != null) "-Xms${(toString cfg.initialJavaHeapSize)}m"} \ + ${optionalString (cfg.maximumJavaHeapSize != null) "-Xmx${(toString cfg.maximumJavaHeapSize)}m"} \ + -jar ${stateDir}/lib/ace.jar + ''; +in +{ + + options = { + + services.unifi.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether or not to enable the unifi controller service. + ''; + }; + + services.unifi.jrePackage = mkOption { + type = types.package; + default = pkgs.jre8; + defaultText = literalExpression "pkgs.jre8"; + description = '' + The JRE package to use. Check the release notes to ensure it is supported. + ''; + }; + + services.unifi.unifiPackage = mkOption { + type = types.package; + default = pkgs.unifiLTS; + defaultText = literalExpression "pkgs.unifiLTS"; + description = '' + The unifi package to use. + ''; + }; + + services.unifi.mongodbPackage = mkOption { + type = types.package; + default = pkgs.mongodb; + defaultText = literalExpression "pkgs.mongodb"; + description = '' + The mongodb package to use. + ''; + }; + + services.unifi.openFirewall = mkOption { + type = types.bool; + default = true; + description = '' + Whether or not to open the minimum required ports on the firewall. + + This is necessary to allow firmware upgrades and device discovery to + work. For remote login, you should additionally open (or forward) port + 8443. + ''; + }; + + services.unifi.initialJavaHeapSize = mkOption { + type = types.nullOr types.int; + default = null; + example = 1024; + description = '' + Set the initial heap size for the JVM in MB. If this option isn't set, the + JVM will decide this value at runtime. + ''; + }; + + services.unifi.maximumJavaHeapSize = mkOption { + type = types.nullOr types.int; + default = null; + example = 4096; + description = '' + Set the maximimum heap size for the JVM in MB. If this option isn't set, the + JVM will decide this value at runtime. + ''; + }; + + }; + + config = mkIf cfg.enable { + + warnings = optional + (options.services.unifi.openFirewall.highestPrio >= (mkOptionDefault null).priority) + "The current services.unifi.openFirewall = true default is deprecated and will change to false in 22.11. Set it explicitly to silence this warning."; + + users.users.unifi = { + isSystemUser = true; + group = "unifi"; + description = "UniFi controller daemon user"; + home = "${stateDir}"; + }; + users.groups.unifi = {}; + + networking.firewall = mkIf cfg.openFirewall { + # https://help.ubnt.com/hc/en-us/articles/218506997 + allowedTCPPorts = [ + 8080 # Port for UAP to inform controller. + 8880 # Port for HTTP portal redirect, if guest portal is enabled. + 8843 # Port for HTTPS portal redirect, ditto. + 6789 # Port for UniFi mobile speed test. + ]; + allowedUDPPorts = [ + 3478 # UDP port used for STUN. + 10001 # UDP port used for device discovery. + ]; + }; + + systemd.services.unifi = { + description = "UniFi controller daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + # This a HACK to fix missing dependencies of dynamic libs extracted from jars + environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc.lib}/lib"; + # Make sure package upgrades trigger a service restart + restartTriggers = [ cfg.unifiPackage cfg.mongodbPackage ]; + + serviceConfig = { + Type = "simple"; + ExecStart = "${(removeSuffix "\n" cmd)} start"; + ExecStop = "${(removeSuffix "\n" cmd)} stop"; + Restart = "on-failure"; + TimeoutSec = "5min"; + User = "unifi"; + UMask = "0077"; + WorkingDirectory = "${stateDir}"; + # the stop command exits while the main process is still running, and unifi + # wants to manage its own child processes. this means we have to set KillSignal + # to something the main process ignores, otherwise every stop will have unifi.service + # fail with SIGTERM status. + KillSignal = "SIGCONT"; + + # Hardening + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + DevicePolicy = "closed"; + LockPersonality = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ "@system-service" ]; + + StateDirectory = "unifi"; + RuntimeDirectory = "unifi"; + LogsDirectory = "unifi"; + CacheDirectory= "unifi"; + + TemporaryFileSystem = [ + # required as we want to create bind mounts below + "${stateDir}/webapps:rw" + ]; + + # We must create the binary directories as bind mounts instead of symlinks + # This is because the controller resolves all symlinks to absolute paths + # to be used as the working directory. + BindPaths = [ + "/var/log/unifi:${stateDir}/logs" + "/run/unifi:${stateDir}/run" + "${cfg.unifiPackage}/dl:${stateDir}/dl" + "${cfg.unifiPackage}/lib:${stateDir}/lib" + "${cfg.mongodbPackage}/bin:${stateDir}/bin" + "${cfg.unifiPackage}/webapps/ROOT:${stateDir}/webapps/ROOT" + ]; + + # Needs network access + PrivateNetwork = false; + # Cannot be true due to OpenJDK + MemoryDenyWriteExecute = false; + }; + }; + + }; + imports = [ + (mkRemovedOptionModule [ "services" "unifi" "dataDir" ] "You should move contents of dataDir to /var/lib/unifi/data" ) + (mkRenamedOptionModule [ "services" "unifi" "openPorts" ] [ "services" "unifi" "openFirewall" ]) + ]; + + meta.maintainers = with lib.maintainers; [ erictapen pennae ]; +} diff --git a/nixos/modules/services/networking/v2ray.nix b/nixos/modules/services/networking/v2ray.nix new file mode 100644 index 00000000000..95e8761ba5c --- /dev/null +++ b/nixos/modules/services/networking/v2ray.nix @@ -0,0 +1,95 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + options = { + + services.v2ray = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run v2ray server. + + Either <literal>configFile</literal> or <literal>config</literal> must be specified. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.v2ray; + defaultText = literalExpression "pkgs.v2ray"; + description = '' + Which v2ray package to use. + ''; + }; + + configFile = mkOption { + type = types.nullOr types.str; + default = null; + example = "/etc/v2ray/config.json"; + description = '' + The absolute path to the configuration file. + + Either <literal>configFile</literal> or <literal>config</literal> must be specified. + + See <link xlink:href="https://www.v2fly.org/en_US/config/overview.html"/>. + ''; + }; + + config = mkOption { + type = types.nullOr (types.attrsOf types.unspecified); + default = null; + example = { + inbounds = [{ + port = 1080; + listen = "127.0.0.1"; + protocol = "http"; + }]; + outbounds = [{ + protocol = "freedom"; + }]; + }; + description = '' + The configuration object. + + Either `configFile` or `config` must be specified. + + See <link xlink:href="https://www.v2fly.org/en_US/config/overview.html"/>. + ''; + }; + }; + + }; + + config = let + cfg = config.services.v2ray; + configFile = if cfg.configFile != null + then cfg.configFile + else pkgs.writeTextFile { + name = "v2ray.json"; + text = builtins.toJSON cfg.config; + checkPhase = '' + ${cfg.package}/bin/v2ray -test -config $out + ''; + }; + + in mkIf cfg.enable { + assertions = [ + { + assertion = (cfg.configFile == null) != (cfg.config == null); + message = "Either but not both `configFile` and `config` should be specified for v2ray."; + } + ]; + + systemd.services.v2ray = { + description = "v2ray Daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${cfg.package}/bin/v2ray -config ${configFile}"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/vsftpd.nix b/nixos/modules/services/networking/vsftpd.nix new file mode 100644 index 00000000000..d205302051e --- /dev/null +++ b/nixos/modules/services/networking/vsftpd.nix @@ -0,0 +1,329 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + /* minimal secure setup: + + enable = true; + forceLocalLoginsSSL = true; + forceLocalDataSSL = true; + userlistDeny = false; + localUsers = true; + userlist = ["non-root-user" "other-non-root-user"]; + rsaCertFile = "/var/vsftpd/vsftpd.pem"; + + */ + + cfg = config.services.vsftpd; + + inherit (pkgs) vsftpd; + + yesNoOption = nixosName: vsftpdName: default: description: { + cfgText = "${vsftpdName}=${if getAttr nixosName cfg then "YES" else "NO"}"; + + nixosOption = { + type = types.bool; + name = nixosName; + value = mkOption { + inherit description default; + type = types.bool; + }; + }; + }; + + optionDescription = [ + (yesNoOption "allowWriteableChroot" "allow_writeable_chroot" false '' + Allow the use of writeable root inside chroot(). + '') + (yesNoOption "virtualUseLocalPrivs" "virtual_use_local_privs" false '' + If enabled, virtual users will use the same privileges as local + users. By default, virtual users will use the same privileges as + anonymous users, which tends to be more restrictive (especially + in terms of write access). + '') + (yesNoOption "anonymousUser" "anonymous_enable" false '' + Whether to enable the anonymous FTP user. + '') + (yesNoOption "anonymousUserNoPassword" "no_anon_password" false '' + Whether to disable the password for the anonymous FTP user. + '') + (yesNoOption "localUsers" "local_enable" false '' + Whether to enable FTP for local users. + '') + (yesNoOption "writeEnable" "write_enable" false '' + Whether any write activity is permitted to users. + '') + (yesNoOption "anonymousUploadEnable" "anon_upload_enable" false '' + Whether any uploads are permitted to anonymous users. + '') + (yesNoOption "anonymousMkdirEnable" "anon_mkdir_write_enable" false '' + Whether any uploads are permitted to anonymous users. + '') + (yesNoOption "chrootlocalUser" "chroot_local_user" false '' + Whether local users are confined to their home directory. + '') + (yesNoOption "userlistEnable" "userlist_enable" false '' + Whether users are included. + '') + (yesNoOption "userlistDeny" "userlist_deny" false '' + Specifies whether <option>userlistFile</option> is a list of user + names to allow or deny access. + The default <literal>false</literal> means whitelist/allow. + '') + (yesNoOption "forceLocalLoginsSSL" "force_local_logins_ssl" false '' + Only applies if <option>sslEnable</option> is true. Non anonymous (local) users + must use a secure SSL connection to send a password. + '') + (yesNoOption "forceLocalDataSSL" "force_local_data_ssl" false '' + Only applies if <option>sslEnable</option> is true. Non anonymous (local) users + must use a secure SSL connection for sending/receiving data on data connection. + '') + (yesNoOption "portPromiscuous" "port_promiscuous" false '' + Set to YES if you want to disable the PORT security check that ensures that + outgoing data connections can only connect to the client. Only enable if you + know what you are doing! + '') + (yesNoOption "ssl_tlsv1" "ssl_tlsv1" true '' + Only applies if <option>ssl_enable</option> is activated. If + enabled, this option will permit TLS v1 protocol connections. + TLS v1 connections are preferred. + '') + (yesNoOption "ssl_sslv2" "ssl_sslv2" false '' + Only applies if <option>ssl_enable</option> is activated. If + enabled, this option will permit SSL v2 protocol connections. + TLS v1 connections are preferred. + '') + (yesNoOption "ssl_sslv3" "ssl_sslv3" false '' + Only applies if <option>ssl_enable</option> is activated. If + enabled, this option will permit SSL v3 protocol connections. + TLS v1 connections are preferred. + '') + ]; + + configFile = pkgs.writeText "vsftpd.conf" + '' + ${concatMapStrings (x: "${x.cfgText}\n") optionDescription} + ${optionalString (cfg.rsaCertFile != null) '' + ssl_enable=YES + rsa_cert_file=${cfg.rsaCertFile} + ''} + ${optionalString (cfg.rsaKeyFile != null) '' + rsa_private_key_file=${cfg.rsaKeyFile} + ''} + ${optionalString (cfg.userlistFile != null) '' + userlist_file=${cfg.userlistFile} + ''} + background=YES + listen=NO + listen_ipv6=YES + nopriv_user=vsftpd + secure_chroot_dir=/var/empty + ${optionalString (cfg.localRoot != null) '' + local_root=${cfg.localRoot} + ''} + syslog_enable=YES + ${optionalString (pkgs.stdenv.hostPlatform.system == "x86_64-linux") '' + seccomp_sandbox=NO + ''} + anon_umask=${cfg.anonymousUmask} + ${optionalString cfg.anonymousUser '' + anon_root=${cfg.anonymousUserHome} + ''} + ${optionalString cfg.enableVirtualUsers '' + guest_enable=YES + guest_username=vsftpd + ''} + pam_service_name=vsftpd + ${cfg.extraConfig} + ''; + +in + +{ + + ###### interface + + options = { + + services.vsftpd = { + + enable = mkEnableOption "vsftpd"; + + userlist = mkOption { + default = []; + type = types.listOf types.str; + description = "See <option>userlistFile</option>."; + }; + + userlistFile = mkOption { + type = types.path; + default = pkgs.writeText "userlist" (concatMapStrings (x: "${x}\n") cfg.userlist); + defaultText = literalExpression ''pkgs.writeText "userlist" (concatMapStrings (x: "''${x}\n") cfg.userlist)''; + description = '' + Newline separated list of names to be allowed/denied if <option>userlistEnable</option> + is <literal>true</literal>. Meaning see <option>userlistDeny</option>. + + The default is a file containing the users from <option>userlist</option>. + + If explicitely set to null userlist_file will not be set in vsftpd's config file. + ''; + }; + + enableVirtualUsers = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the <literal>pam_userdb</literal>-based + virtual user system + ''; + }; + + userDbPath = mkOption { + type = types.nullOr types.str; + example = "/etc/vsftpd/userDb"; + default = null; + description = '' + Only applies if <option>enableVirtualUsers</option> is true. + Path pointing to the <literal>pam_userdb</literal> user + database used by vsftpd to authenticate the virtual users. + + This user list should be stored in the Berkeley DB database + format. + + To generate a new user database, create a text file, add + your users using the following format: + <programlisting> + user1 + password1 + user2 + password2 + </programlisting> + + You can then install <literal>pkgs.db</literal> to generate + the Berkeley DB using + <programlisting> + db_load -T -t hash -f logins.txt userDb.db + </programlisting> + + Caution: <literal>pam_userdb</literal> will automatically + append a <literal>.db</literal> suffix to the filename you + provide though this option. This option shouldn't include + this filetype suffix. + ''; + }; + + localRoot = mkOption { + type = types.nullOr types.str; + default = null; + example = "/var/www/$USER"; + description = '' + This option represents a directory which vsftpd will try to + change into after a local (i.e. non- anonymous) login. + + Failure is silently ignored. + ''; + }; + + anonymousUserHome = mkOption { + type = types.path; + default = "/home/ftp/"; + description = '' + Directory to consider the HOME of the anonymous user. + ''; + }; + + rsaCertFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "RSA certificate file."; + }; + + rsaKeyFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "RSA private key file."; + }; + + anonymousUmask = mkOption { + type = types.str; + default = "077"; + example = "002"; + description = "Anonymous write umask."; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = "ftpd_banner=Hello"; + description = "Extra configuration to add at the bottom of the generated configuration file."; + }; + + } // (listToAttrs (catAttrs "nixosOption" optionDescription)); + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + assertions = [ + { assertion = + (cfg.forceLocalLoginsSSL -> cfg.rsaCertFile != null) + && (cfg.forceLocalDataSSL -> cfg.rsaCertFile != null); + message = "vsftpd: If forceLocalLoginsSSL or forceLocalDataSSL is true then a rsaCertFile must be provided!"; + } + { + assertion = (cfg.enableVirtualUsers -> cfg.userDbPath != null) + && (cfg.enableVirtualUsers -> cfg.localUsers != null); + message = "vsftpd: If enableVirtualUsers is true, you need to setup both the userDbPath and localUsers options."; + }]; + + users.users = { + "vsftpd" = { + group = "vsftpd"; + isSystemUser = true; + description = "VSFTPD user"; + home = if cfg.localRoot != null + then cfg.localRoot # <= Necessary for virtual users. + else "/homeless-shelter"; + }; + } // optionalAttrs cfg.anonymousUser { + "ftp" = { name = "ftp"; + uid = config.ids.uids.ftp; + group = "ftp"; + description = "Anonymous FTP user"; + home = cfg.anonymousUserHome; + }; + }; + + users.groups.vsftpd = {}; + users.groups.ftp.gid = config.ids.gids.ftp; + + # If you really have to access root via FTP use mkOverride or userlistDeny + # = false and whitelist root + services.vsftpd.userlist = if cfg.userlistDeny then ["root"] else []; + + systemd = { + tmpfiles.rules = optional cfg.anonymousUser + #Type Path Mode User Gr Age Arg + "d '${builtins.toString cfg.anonymousUserHome}' 0555 'ftp' 'ftp' - -"; + services.vsftpd = { + description = "Vsftpd Server"; + + wantedBy = [ "multi-user.target" ]; + + serviceConfig.ExecStart = "@${vsftpd}/sbin/vsftpd vsftpd ${configFile}"; + serviceConfig.Restart = "always"; + serviceConfig.Type = "forking"; + }; + }; + + security.pam.services.vsftpd.text = mkIf (cfg.enableVirtualUsers && cfg.userDbPath != null)'' + auth required pam_userdb.so db=${cfg.userDbPath} + account required pam_userdb.so db=${cfg.userDbPath} + ''; + }; +} diff --git a/nixos/modules/services/networking/wasabibackend.nix b/nixos/modules/services/networking/wasabibackend.nix new file mode 100644 index 00000000000..b6dcd940915 --- /dev/null +++ b/nixos/modules/services/networking/wasabibackend.nix @@ -0,0 +1,160 @@ +{ config, lib, options, pkgs, ... }: + +let + cfg = config.services.wasabibackend; + opt = options.services.wasabibackend; + + inherit (lib) literalExpression mkEnableOption mkIf mkOption optionalAttrs optionalString types; + + confOptions = { + BitcoinRpcConnectionString = "${cfg.rpc.user}:${cfg.rpc.password}"; + } // optionalAttrs (cfg.network == "mainnet") { + Network = "Main"; + MainNetBitcoinP2pEndPoint = "${cfg.endpoint.ip}:${toString cfg.endpoint.port}"; + MainNetBitcoinCoreRpcEndPoint = "${cfg.rpc.ip}:${toString cfg.rpc.port}"; + } // optionalAttrs (cfg.network == "testnet") { + Network = "TestNet"; + TestNetBitcoinP2pEndPoint = "${cfg.endpoint.ip}:${toString cfg.endpoint.port}"; + TestNetBitcoinCoreRpcEndPoint = "${cfg.rpc.ip}:${toString cfg.rpc.port}"; + } // optionalAttrs (cfg.network == "regtest") { + Network = "RegTest"; + RegTestBitcoinP2pEndPoint = "${cfg.endpoint.ip}:${toString cfg.endpoint.port}"; + RegTestBitcoinCoreRpcEndPoint = "${cfg.rpc.ip}:${toString cfg.rpc.port}"; + }; + + configFile = pkgs.writeText "wasabibackend.conf" (builtins.toJSON confOptions); + +in { + + options = { + + services.wasabibackend = { + enable = mkEnableOption "Wasabi backend service"; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/wasabibackend"; + description = "The data directory for the Wasabi backend node."; + }; + + customConfigFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "Defines the path to a custom configuration file that is copied to the user's directory. Overrides any config options."; + }; + + network = mkOption { + type = types.enum [ "mainnet" "testnet" "regtest" ]; + default = "mainnet"; + description = "The network to use for the Wasabi backend service."; + }; + + endpoint = { + ip = mkOption { + type = types.str; + default = "127.0.0.1"; + description = "IP address for P2P connection to bitcoind."; + }; + + port = mkOption { + type = types.port; + default = 8333; + description = "Port for P2P connection to bitcoind."; + }; + }; + + rpc = { + ip = mkOption { + type = types.str; + default = "127.0.0.1"; + description = "IP address for RPC connection to bitcoind."; + }; + + port = mkOption { + type = types.port; + default = 8332; + description = "Port for RPC connection to bitcoind."; + }; + + user = mkOption { + type = types.str; + default = "bitcoin"; + description = "RPC user for the bitcoin endpoint."; + }; + + password = mkOption { + type = types.str; + default = "password"; + description = "RPC password for the bitcoin endpoint. Warning: this is stored in cleartext in the Nix store! Use <literal>configFile</literal> or <literal>passwordFile</literal> if needed."; + }; + + passwordFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "File that contains the password of the RPC user."; + }; + }; + + user = mkOption { + type = types.str; + default = "wasabibackend"; + description = "The user as which to run the wasabibackend node."; + }; + + group = mkOption { + type = types.str; + default = cfg.user; + defaultText = literalExpression "config.${opt.user}"; + description = "The group as which to run the wasabibackend node."; + }; + }; + }; + + config = mkIf cfg.enable { + + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 0770 '${cfg.user}' '${cfg.group}' - -" + ]; + + systemd.services.wasabibackend = { + description = "wasabibackend server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + environment = { + DOTNET_PRINT_TELEMETRY_MESSAGE = "false"; + DOTNET_CLI_TELEMETRY_OPTOUT = "true"; + }; + preStart = '' + mkdir -p ${cfg.dataDir}/.walletwasabi/backend + ${if cfg.customConfigFile != null then '' + cp -v ${cfg.customConfigFile} ${cfg.dataDir}/.walletwasabi/backend/Config.json + '' else '' + cp -v ${configFile} ${cfg.dataDir}/.walletwasabi/backend/Config.json + ${optionalString (cfg.rpc.passwordFile != null) '' + CONFIGTMP=$(mktemp) + cat ${cfg.dataDir}/.walletwasabi/backend/Config.json | ${pkgs.jq}/bin/jq --arg rpconnection "${cfg.rpc.user}:$(cat "${cfg.rpc.passwordFile}")" '. + { BitcoinRpcConnectionString: $rpconnection }' > $CONFIGTMP + mv $CONFIGTMP ${cfg.dataDir}/.walletwasabi/backend/Config.json + ''} + ''} + chmod ug+w ${cfg.dataDir}/.walletwasabi/backend/Config.json + ''; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = "${pkgs.wasabibackend}/bin/WasabiBackend"; + ProtectSystem = "full"; + }; + }; + + users.users.${cfg.user} = { + name = cfg.user; + group = cfg.group; + description = "wasabibackend daemon user"; + home = cfg.dataDir; + isSystemUser = true; + }; + + users.groups.${cfg.group} = {}; + + }; +} diff --git a/nixos/modules/services/networking/websockify.nix b/nixos/modules/services/networking/websockify.nix new file mode 100644 index 00000000000..f7e014e03ef --- /dev/null +++ b/nixos/modules/services/networking/websockify.nix @@ -0,0 +1,54 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.services.networking.websockify; in { + options = { + services.networking.websockify = { + enable = mkOption { + description = "Whether to enable websockify to forward websocket connections to TCP connections."; + + default = false; + + type = types.bool; + }; + + sslCert = mkOption { + description = "Path to the SSL certificate."; + type = types.path; + }; + + sslKey = mkOption { + description = "Path to the SSL key."; + default = cfg.sslCert; + defaultText = literalExpression "config.services.networking.websockify.sslCert"; + type = types.path; + }; + + portMap = mkOption { + description = "Ports to map by default."; + default = {}; + type = types.attrsOf types.int; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services."websockify@" = { + description = "Service to forward websocket connections to TCP connections (from port:to port %I)"; + script = '' + IFS=':' read -a array <<< "$1" + ${pkgs.pythonPackages.websockify}/bin/websockify --ssl-only \ + --cert=${cfg.sslCert} --key=${cfg.sslKey} 0.0.0.0:''${array[0]} 0.0.0.0:''${array[1]} + ''; + scriptArgs = "%i"; + }; + + systemd.targets.default-websockify = { + description = "Target to start all default websockify@ services"; + unitConfig.X-StopOnReconfiguration = true; + wants = mapAttrsToList (name: value: "websockify@${name}:${toString value}.service") cfg.portMap; + wantedBy = [ "multi-user.target" ]; + }; + }; +} diff --git a/nixos/modules/services/networking/wg-netmanager.nix b/nixos/modules/services/networking/wg-netmanager.nix new file mode 100644 index 00000000000..493ff7ceba9 --- /dev/null +++ b/nixos/modules/services/networking/wg-netmanager.nix @@ -0,0 +1,42 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.wg-netmanager; +in +{ + + options = { + services.wg-netmanager = { + enable = mkEnableOption "Wireguard network manager"; + }; + }; + + ###### implementation + config = mkIf cfg.enable { + # NOTE: wg-netmanager runs as root + systemd.services.wg-netmanager = { + description = "Wireguard network manager"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + path = with pkgs; [ wireguard-tools iproute2 wireguard-go ]; + serviceConfig = { + Type = "simple"; + Restart = "on-failure"; + ExecStart = "${pkgs.wg-netmanager}/bin/wg_netmanager"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + ExecStop = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + ReadWritePaths = [ + "/tmp" # wg-netmanager creates files in /tmp before deleting them after use + ]; + }; + unitConfig = { + ConditionPathExists = ["/etc/wg_netmanager/network.yaml" "/etc/wg_netmanager/peer.yaml"]; + }; + }; + }; + + meta.maintainers = with maintainers; [ gin66 ]; +} diff --git a/nixos/modules/services/networking/wg-quick.nix b/nixos/modules/services/networking/wg-quick.nix new file mode 100644 index 00000000000..414775fc357 --- /dev/null +++ b/nixos/modules/services/networking/wg-quick.nix @@ -0,0 +1,304 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.networking.wg-quick; + + kernel = config.boot.kernelPackages; + + # interface options + + interfaceOpts = { ... }: { + options = { + address = mkOption { + example = [ "192.168.2.1/24" ]; + default = []; + type = with types; listOf str; + description = "The IP addresses of the interface."; + }; + + dns = mkOption { + example = [ "192.168.2.2" ]; + default = []; + type = with types; listOf str; + description = "The IP addresses of DNS servers to configure."; + }; + + privateKey = mkOption { + example = "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk="; + type = with types; nullOr str; + default = null; + description = '' + Base64 private key generated by <command>wg genkey</command>. + + Warning: Consider using privateKeyFile instead if you do not + want to store the key in the world-readable Nix store. + ''; + }; + + privateKeyFile = mkOption { + example = "/private/wireguard_key"; + type = with types; nullOr str; + default = null; + description = '' + Private key file as generated by <command>wg genkey</command>. + ''; + }; + + listenPort = mkOption { + default = null; + type = with types; nullOr int; + example = 51820; + description = '' + 16-bit port for listening. Optional; if not specified, + automatically generated based on interface name. + ''; + }; + + preUp = mkOption { + example = literalExpression ''"''${pkgs.iproute2}/bin/ip netns add foo"''; + default = ""; + type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; + description = '' + Commands called at the start of the interface setup. + ''; + }; + + preDown = mkOption { + example = literalExpression ''"''${pkgs.iproute2}/bin/ip netns del foo"''; + default = ""; + type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; + description = '' + Command called before the interface is taken down. + ''; + }; + + postUp = mkOption { + example = literalExpression ''"''${pkgs.iproute2}/bin/ip netns add foo"''; + default = ""; + type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; + description = '' + Commands called after the interface setup. + ''; + }; + + postDown = mkOption { + example = literalExpression ''"''${pkgs.iproute2}/bin/ip netns del foo"''; + default = ""; + type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; + description = '' + Command called after the interface is taken down. + ''; + }; + + table = mkOption { + example = "main"; + default = null; + type = with types; nullOr str; + description = '' + The kernel routing table to add this interface's + associated routes to. Setting this is useful for e.g. policy routing + ("ip rule") or virtual routing and forwarding ("ip vrf"). Both + numeric table IDs and table names (/etc/rt_tables) can be used. + Defaults to "main". + ''; + }; + + mtu = mkOption { + example = 1248; + default = null; + type = with types; nullOr int; + description = '' + If not specified, the MTU is automatically determined + from the endpoint addresses or the system default route, which is usually + a sane choice. However, to manually specify an MTU to override this + automatic discovery, this value may be specified explicitly. + ''; + }; + + peers = mkOption { + default = []; + description = "Peers linked to the interface."; + type = with types; listOf (submodule peerOpts); + }; + }; + }; + + # peer options + + peerOpts = { + options = { + publicKey = mkOption { + example = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="; + type = types.str; + description = "The base64 public key to the peer."; + }; + + presharedKey = mkOption { + default = null; + example = "rVXs/Ni9tu3oDBLS4hOyAUAa1qTWVA3loR8eL20os3I="; + type = with types; nullOr str; + description = '' + Base64 preshared key generated by <command>wg genpsk</command>. + Optional, and may be omitted. This option adds an additional layer of + symmetric-key cryptography to be mixed into the already existing + public-key cryptography, for post-quantum resistance. + + Warning: Consider using presharedKeyFile instead if you do not + want to store the key in the world-readable Nix store. + ''; + }; + + presharedKeyFile = mkOption { + default = null; + example = "/private/wireguard_psk"; + type = with types; nullOr str; + description = '' + File pointing to preshared key as generated by <command>wg genpsk</command>. + Optional, and may be omitted. This option adds an additional layer of + symmetric-key cryptography to be mixed into the already existing + public-key cryptography, for post-quantum resistance. + ''; + }; + + allowedIPs = mkOption { + example = [ "10.192.122.3/32" "10.192.124.1/24" ]; + type = with types; listOf str; + description = ''List of IP (v4 or v6) addresses with CIDR masks from + which this peer is allowed to send incoming traffic and to which + outgoing traffic for this peer is directed. The catch-all 0.0.0.0/0 may + be specified for matching all IPv4 addresses, and ::/0 may be specified + for matching all IPv6 addresses.''; + }; + + endpoint = mkOption { + default = null; + example = "demo.wireguard.io:12913"; + type = with types; nullOr str; + description = ''Endpoint IP or hostname of the peer, followed by a colon, + and then a port number of the peer.''; + }; + + persistentKeepalive = mkOption { + default = null; + type = with types; nullOr int; + example = 25; + description = ''This is optional and is by default off, because most + users will not need it. It represents, in seconds, between 1 and 65535 + inclusive, how often to send an authenticated empty packet to the peer, + for the purpose of keeping a stateful firewall or NAT mapping valid + persistently. For example, if the interface very rarely sends traffic, + but it might at anytime receive traffic from a peer, and it is behind + NAT, the interface might benefit from having a persistent keepalive + interval of 25 seconds; however, most users will not need this.''; + }; + }; + }; + + writeScriptFile = name: text: ((pkgs.writeShellScriptBin name text) + "/bin/${name}"); + + generateUnit = name: values: + assert assertMsg ((values.privateKey != null) != (values.privateKeyFile != null)) "Only one of privateKey or privateKeyFile may be set"; + let + preUpFile = if values.preUp != "" then writeScriptFile "preUp.sh" values.preUp else null; + postUp = + optional (values.privateKeyFile != null) "wg set ${name} private-key <(cat ${values.privateKeyFile})" ++ + (concatMap (peer: optional (peer.presharedKeyFile != null) "wg set ${name} peer ${peer.publicKey} preshared-key <(cat ${peer.presharedKeyFile})") values.peers) ++ + optional (values.postUp != null) values.postUp; + postUpFile = if postUp != [] then writeScriptFile "postUp.sh" (concatMapStringsSep "\n" (line: line) postUp) else null; + preDownFile = if values.preDown != "" then writeScriptFile "preDown.sh" values.preDown else null; + postDownFile = if values.postDown != "" then writeScriptFile "postDown.sh" values.postDown else null; + configDir = pkgs.writeTextFile { + name = "config-${name}"; + executable = false; + destination = "/${name}.conf"; + text = + '' + [interface] + ${concatMapStringsSep "\n" (address: + "Address = ${address}" + ) values.address} + ${concatMapStringsSep "\n" (dns: + "DNS = ${dns}" + ) values.dns} + '' + + optionalString (values.table != null) "Table = ${values.table}\n" + + optionalString (values.mtu != null) "MTU = ${toString values.mtu}\n" + + optionalString (values.privateKey != null) "PrivateKey = ${values.privateKey}\n" + + optionalString (values.listenPort != null) "ListenPort = ${toString values.listenPort}\n" + + optionalString (preUpFile != null) "PreUp = ${preUpFile}\n" + + optionalString (postUpFile != null) "PostUp = ${postUpFile}\n" + + optionalString (preDownFile != null) "PreDown = ${preDownFile}\n" + + optionalString (postDownFile != null) "PostDown = ${postDownFile}\n" + + concatMapStringsSep "\n" (peer: + assert assertMsg (!((peer.presharedKeyFile != null) && (peer.presharedKey != null))) "Only one of presharedKey or presharedKeyFile may be set"; + "[Peer]\n" + + "PublicKey = ${peer.publicKey}\n" + + optionalString (peer.presharedKey != null) "PresharedKey = ${peer.presharedKey}\n" + + optionalString (peer.endpoint != null) "Endpoint = ${peer.endpoint}\n" + + optionalString (peer.persistentKeepalive != null) "PersistentKeepalive = ${toString peer.persistentKeepalive}\n" + + optionalString (peer.allowedIPs != []) "AllowedIPs = ${concatStringsSep "," peer.allowedIPs}\n" + ) values.peers; + }; + configPath = "${configDir}/${name}.conf"; + in + nameValuePair "wg-quick-${name}" + { + description = "wg-quick WireGuard Tunnel - ${name}"; + requires = [ "network-online.target" ]; + after = [ "network.target" "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + environment.DEVICE = name; + path = [ pkgs.kmod pkgs.wireguard-tools ]; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + + script = '' + ${optionalString (!config.boot.isContainer) "modprobe wireguard"} + wg-quick up ${configPath} + ''; + + preStop = '' + wg-quick down ${configPath} + ''; + }; +in { + + ###### interface + + options = { + networking.wg-quick = { + interfaces = mkOption { + description = "Wireguard interfaces."; + default = {}; + example = { + wg0 = { + address = [ "192.168.20.4/24" ]; + privateKey = "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk="; + peers = [ + { allowedIPs = [ "192.168.20.1/32" ]; + publicKey = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="; + endpoint = "demo.wireguard.io:12913"; } + ]; + }; + }; + type = with types; attrsOf (submodule interfaceOpts); + }; + }; + }; + + + ###### implementation + + config = mkIf (cfg.interfaces != {}) { + boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard; + environment.systemPackages = [ pkgs.wireguard-tools ]; + # This is forced to false for now because the default "--validmark" rpfilter we apply on reverse path filtering + # breaks the wg-quick routing because wireguard packets leave with a fwmark from wireguard. + networking.firewall.checkReversePath = false; + systemd.services = mapAttrs' generateUnit cfg.interfaces; + }; +} diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix new file mode 100644 index 00000000000..7cd44b2f8a0 --- /dev/null +++ b/nixos/modules/services/networking/wireguard.nix @@ -0,0 +1,503 @@ +{ config, lib, options, pkgs, ... }: + +with lib; + +let + + cfg = config.networking.wireguard; + opt = options.networking.wireguard; + + kernel = config.boot.kernelPackages; + + # interface options + + interfaceOpts = { ... }: { + + options = { + + ips = mkOption { + example = [ "192.168.2.1/24" ]; + default = []; + type = with types; listOf str; + description = "The IP addresses of the interface."; + }; + + privateKey = mkOption { + example = "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk="; + type = with types; nullOr str; + default = null; + description = '' + Base64 private key generated by <command>wg genkey</command>. + + Warning: Consider using privateKeyFile instead if you do not + want to store the key in the world-readable Nix store. + ''; + }; + + generatePrivateKeyFile = mkOption { + default = false; + type = types.bool; + description = '' + Automatically generate a private key with + <command>wg genkey</command>, at the privateKeyFile location. + ''; + }; + + privateKeyFile = mkOption { + example = "/private/wireguard_key"; + type = with types; nullOr str; + default = null; + description = '' + Private key file as generated by <command>wg genkey</command>. + ''; + }; + + listenPort = mkOption { + default = null; + type = with types; nullOr int; + example = 51820; + description = '' + 16-bit port for listening. Optional; if not specified, + automatically generated based on interface name. + ''; + }; + + preSetup = mkOption { + example = literalExpression ''"''${pkgs.iproute2}/bin/ip netns add foo"''; + default = ""; + type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; + description = '' + Commands called at the start of the interface setup. + ''; + }; + + postSetup = mkOption { + example = literalExpression '' + '''printf "nameserver 10.200.100.1" | ''${pkgs.openresolv}/bin/resolvconf -a wg0 -m 0''' + ''; + default = ""; + type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; + description = "Commands called at the end of the interface setup."; + }; + + postShutdown = mkOption { + example = literalExpression ''"''${pkgs.openresolv}/bin/resolvconf -d wg0"''; + default = ""; + type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; + description = "Commands called after shutting down the interface."; + }; + + table = mkOption { + default = "main"; + type = types.str; + description = '' + The kernel routing table to add this interface's + associated routes to. Setting this is useful for e.g. policy routing + ("ip rule") or virtual routing and forwarding ("ip vrf"). Both + numeric table IDs and table names (/etc/rt_tables) can be used. + Defaults to "main". + ''; + }; + + peers = mkOption { + default = []; + description = "Peers linked to the interface."; + type = with types; listOf (submodule peerOpts); + }; + + allowedIPsAsRoutes = mkOption { + example = false; + default = true; + type = types.bool; + description = '' + Determines whether to add allowed IPs as routes or not. + ''; + }; + + socketNamespace = mkOption { + default = null; + type = with types; nullOr str; + example = "container"; + description = ''The pre-existing network namespace in which the + WireGuard interface is created, and which retains the socket even if the + interface is moved via <option>interfaceNamespace</option>. When + <literal>null</literal>, the interface is created in the init namespace. + See <link + xlink:href="https://www.wireguard.com/netns/">documentation</link>. + ''; + }; + + interfaceNamespace = mkOption { + default = null; + type = with types; nullOr str; + example = "init"; + description = ''The pre-existing network namespace the WireGuard + interface is moved to. The special value <literal>init</literal> means + the init namespace. When <literal>null</literal>, the interface is not + moved. + See <link + xlink:href="https://www.wireguard.com/netns/">documentation</link>. + ''; + }; + }; + + }; + + # peer options + + peerOpts = { + + options = { + + publicKey = mkOption { + example = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="; + type = types.str; + description = "The base64 public key of the peer."; + }; + + presharedKey = mkOption { + default = null; + example = "rVXs/Ni9tu3oDBLS4hOyAUAa1qTWVA3loR8eL20os3I="; + type = with types; nullOr str; + description = '' + Base64 preshared key generated by <command>wg genpsk</command>. + Optional, and may be omitted. This option adds an additional layer of + symmetric-key cryptography to be mixed into the already existing + public-key cryptography, for post-quantum resistance. + + Warning: Consider using presharedKeyFile instead if you do not + want to store the key in the world-readable Nix store. + ''; + }; + + presharedKeyFile = mkOption { + default = null; + example = "/private/wireguard_psk"; + type = with types; nullOr str; + description = '' + File pointing to preshared key as generated by <command>wg genpsk</command>. + Optional, and may be omitted. This option adds an additional layer of + symmetric-key cryptography to be mixed into the already existing + public-key cryptography, for post-quantum resistance. + ''; + }; + + allowedIPs = mkOption { + example = [ "10.192.122.3/32" "10.192.124.1/24" ]; + type = with types; listOf str; + description = ''List of IP (v4 or v6) addresses with CIDR masks from + which this peer is allowed to send incoming traffic and to which + outgoing traffic for this peer is directed. The catch-all 0.0.0.0/0 may + be specified for matching all IPv4 addresses, and ::/0 may be specified + for matching all IPv6 addresses.''; + }; + + endpoint = mkOption { + default = null; + example = "demo.wireguard.io:12913"; + type = with types; nullOr str; + description = ''Endpoint IP or hostname of the peer, followed by a colon, + and then a port number of the peer. + + Warning for endpoints with changing IPs: + The WireGuard kernel side cannot perform DNS resolution. + Thus DNS resolution is done once by the <literal>wg</literal> userspace + utility, when setting up WireGuard. Consequently, if the IP address + behind the name changes, WireGuard will not notice. + This is especially common for dynamic-DNS setups, but also applies to + any other DNS-based setup. + If you do not use IP endpoints, you likely want to set + <option>networking.wireguard.dynamicEndpointRefreshSeconds</option> + to refresh the IPs periodically. + ''; + }; + + dynamicEndpointRefreshSeconds = mkOption { + default = 0; + example = 5; + type = with types; int; + description = '' + Periodically re-execute the <literal>wg</literal> utility every + this many seconds in order to let WireGuard notice DNS / hostname + changes. + + Setting this to <literal>0</literal> disables periodic reexecution. + ''; + }; + + persistentKeepalive = mkOption { + default = null; + type = with types; nullOr int; + example = 25; + description = ''This is optional and is by default off, because most + users will not need it. It represents, in seconds, between 1 and 65535 + inclusive, how often to send an authenticated empty packet to the peer, + for the purpose of keeping a stateful firewall or NAT mapping valid + persistently. For example, if the interface very rarely sends traffic, + but it might at anytime receive traffic from a peer, and it is behind + NAT, the interface might benefit from having a persistent keepalive + interval of 25 seconds; however, most users will not need this.''; + }; + + }; + + }; + + generateKeyServiceUnit = name: values: + assert values.generatePrivateKeyFile; + nameValuePair "wireguard-${name}-key" + { + description = "WireGuard Tunnel - ${name} - Key Generator"; + wantedBy = [ "wireguard-${name}.service" ]; + requiredBy = [ "wireguard-${name}.service" ]; + before = [ "wireguard-${name}.service" ]; + path = with pkgs; [ wireguard-tools ]; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + + script = '' + set -e + + # If the parent dir does not already exist, create it. + # Otherwise, does nothing, keeping existing permisions intact. + mkdir -p --mode 0755 "${dirOf values.privateKeyFile}" + + if [ ! -f "${values.privateKeyFile}" ]; then + # Write private key file with atomically-correct permissions. + (set -e; umask 077; wg genkey > "${values.privateKeyFile}") + fi + ''; + }; + + peerUnitServiceName = interfaceName: publicKey: dynamicRefreshEnabled: + let + keyToUnitName = replaceChars + [ "/" "-" " " "+" "=" ] + [ "-" "\\x2d" "\\x20" "\\x2b" "\\x3d" ]; + unitName = keyToUnitName publicKey; + refreshSuffix = optionalString dynamicRefreshEnabled "-refresh"; + in + "wireguard-${interfaceName}-peer-${unitName}${refreshSuffix}"; + + generatePeerUnit = { interfaceName, interfaceCfg, peer }: + let + psk = + if peer.presharedKey != null + then pkgs.writeText "wg-psk" peer.presharedKey + else peer.presharedKeyFile; + src = interfaceCfg.socketNamespace; + dst = interfaceCfg.interfaceNamespace; + ip = nsWrap "ip" src dst; + wg = nsWrap "wg" src dst; + dynamicRefreshEnabled = peer.dynamicEndpointRefreshSeconds != 0; + # We generate a different name (a `-refresh` suffix) when `dynamicEndpointRefreshSeconds` + # to avoid that the same service switches `Type` (`oneshot` vs `simple`), + # with the intent to make scripting more obvious. + serviceName = peerUnitServiceName interfaceName peer.publicKey dynamicRefreshEnabled; + in nameValuePair serviceName + { + description = "WireGuard Peer - ${interfaceName} - ${peer.publicKey}"; + requires = [ "wireguard-${interfaceName}.service" ]; + after = [ "wireguard-${interfaceName}.service" ]; + wantedBy = [ "multi-user.target" "wireguard-${interfaceName}.service" ]; + environment.DEVICE = interfaceName; + environment.WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"; + path = with pkgs; [ iproute2 wireguard-tools ]; + + serviceConfig = + if !dynamicRefreshEnabled + then + { + Type = "oneshot"; + RemainAfterExit = true; + } + else + { + Type = "simple"; # re-executes 'wg' indefinitely + # Note that `Type = "oneshot"` services with `RemainAfterExit = true` + # cannot be used with systemd timers (see `man systemd.timer`), + # which is why `simple` with a loop is the best choice here. + # It also makes starting and stopping easiest. + }; + + script = let + wg_setup = concatStringsSep " " ( + [ ''${wg} set ${interfaceName} peer "${peer.publicKey}"'' ] + ++ optional (psk != null) ''preshared-key "${psk}"'' + ++ optional (peer.endpoint != null) ''endpoint "${peer.endpoint}"'' + ++ optional (peer.persistentKeepalive != null) ''persistent-keepalive "${toString peer.persistentKeepalive}"'' + ++ optional (peer.allowedIPs != []) ''allowed-ips "${concatStringsSep "," peer.allowedIPs}"'' + ); + route_setup = + optionalString interfaceCfg.allowedIPsAsRoutes + (concatMapStringsSep "\n" + (allowedIP: + ''${ip} route replace "${allowedIP}" dev "${interfaceName}" table "${interfaceCfg.table}"'' + ) peer.allowedIPs); + in '' + ${wg_setup} + ${route_setup} + + ${optionalString (peer.dynamicEndpointRefreshSeconds != 0) '' + # Re-execute 'wg' periodically to notice DNS / hostname changes. + # Note this will not time out on transient DNS failures such as DNS names + # because we have set 'WG_ENDPOINT_RESOLUTION_RETRIES=infinity'. + # Also note that 'wg' limits its maximum retry delay to 20 seconds as of writing. + while ${wg_setup}; do + sleep "${toString peer.dynamicEndpointRefreshSeconds}"; + done + ''} + ''; + + postStop = let + route_destroy = optionalString interfaceCfg.allowedIPsAsRoutes + (concatMapStringsSep "\n" + (allowedIP: + ''${ip} route delete "${allowedIP}" dev "${interfaceName}" table "${interfaceCfg.table}"'' + ) peer.allowedIPs); + in '' + ${wg} set "${interfaceName}" peer "${peer.publicKey}" remove + ${route_destroy} + ''; + }; + + generateInterfaceUnit = name: values: + # exactly one way to specify the private key must be set + #assert (values.privateKey != null) != (values.privateKeyFile != null); + let privKey = if values.privateKeyFile != null then values.privateKeyFile else pkgs.writeText "wg-key" values.privateKey; + src = values.socketNamespace; + dst = values.interfaceNamespace; + ipPreMove = nsWrap "ip" src null; + ipPostMove = nsWrap "ip" src dst; + wg = nsWrap "wg" src dst; + ns = if dst == "init" then "1" else dst; + + in + nameValuePair "wireguard-${name}" + { + description = "WireGuard Tunnel - ${name}"; + requires = [ "network-online.target" ]; + after = [ "network.target" "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + environment.DEVICE = name; + path = with pkgs; [ kmod iproute2 wireguard-tools ]; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + + script = '' + ${optionalString (!config.boot.isContainer) "modprobe wireguard || true"} + + ${values.preSetup} + + ${ipPreMove} link add dev "${name}" type wireguard + ${optionalString (values.interfaceNamespace != null && values.interfaceNamespace != values.socketNamespace) ''${ipPreMove} link set "${name}" netns "${ns}"''} + + ${concatMapStringsSep "\n" (ip: + ''${ipPostMove} address add "${ip}" dev "${name}"'' + ) values.ips} + + ${concatStringsSep " " ( + [ ''${wg} set "${name}" private-key "${privKey}"'' ] + ++ optional (values.listenPort != null) ''listen-port "${toString values.listenPort}"'' + )} + + ${ipPostMove} link set up dev "${name}" + + ${values.postSetup} + ''; + + postStop = '' + ${ipPostMove} link del dev "${name}" + ${values.postShutdown} + ''; + }; + + nsWrap = cmd: src: dst: + let + nsList = filter (ns: ns != null) [ src dst ]; + ns = last nsList; + in + if (length nsList > 0 && ns != "init") then ''ip netns exec "${ns}" "${cmd}"'' else cmd; +in + +{ + + ###### interface + + options = { + + networking.wireguard = { + + enable = mkOption { + description = "Whether to enable WireGuard."; + type = types.bool; + # 2019-05-25: Backwards compatibility. + default = cfg.interfaces != {}; + defaultText = literalExpression "config.${opt.interfaces} != { }"; + example = true; + }; + + interfaces = mkOption { + description = "WireGuard interfaces."; + default = {}; + example = { + wg0 = { + ips = [ "192.168.20.4/24" ]; + privateKey = "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk="; + peers = [ + { allowedIPs = [ "192.168.20.1/32" ]; + publicKey = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="; + endpoint = "demo.wireguard.io:12913"; } + ]; + }; + }; + type = with types; attrsOf (submodule interfaceOpts); + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable (let + all_peers = flatten + (mapAttrsToList (interfaceName: interfaceCfg: + map (peer: { inherit interfaceName interfaceCfg peer;}) interfaceCfg.peers + ) cfg.interfaces); + in { + + assertions = (attrValues ( + mapAttrs (name: value: { + assertion = (value.privateKey != null) != (value.privateKeyFile != null); + message = "Either networking.wireguard.interfaces.${name}.privateKey or networking.wireguard.interfaces.${name}.privateKeyFile must be set."; + }) cfg.interfaces)) + ++ (attrValues ( + mapAttrs (name: value: { + assertion = value.generatePrivateKeyFile -> (value.privateKey == null); + message = "networking.wireguard.interfaces.${name}.generatePrivateKeyFile must not be set if networking.wireguard.interfaces.${name}.privateKey is set."; + }) cfg.interfaces)) + ++ map ({ interfaceName, peer, ... }: { + assertion = (peer.presharedKey == null) || (peer.presharedKeyFile == null); + message = "networking.wireguard.interfaces.${interfaceName} peer «${peer.publicKey}» has both presharedKey and presharedKeyFile set, but only one can be used."; + }) all_peers; + + boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard; + environment.systemPackages = [ pkgs.wireguard-tools ]; + + systemd.services = + (mapAttrs' generateInterfaceUnit cfg.interfaces) + // (listToAttrs (map generatePeerUnit all_peers)) + // (mapAttrs' generateKeyServiceUnit + (filterAttrs (name: value: value.generatePrivateKeyFile) cfg.interfaces)); + + }); + +} diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix new file mode 100644 index 00000000000..c2e1d37e28b --- /dev/null +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -0,0 +1,541 @@ +{ config, lib, options, pkgs, utils, ... }: + +with lib; + +let + package = if cfg.allowAuxiliaryImperativeNetworks + then pkgs.wpa_supplicant_ro_ssids + else pkgs.wpa_supplicant; + + cfg = config.networking.wireless; + opt = options.networking.wireless; + + wpa3Protocols = [ "SAE" "FT-SAE" ]; + hasMixedWPA = opts: + let + hasWPA3 = !mutuallyExclusive opts.authProtocols wpa3Protocols; + others = subtractLists wpa3Protocols opts.authProtocols; + in hasWPA3 && others != []; + + # Gives a WPA3 network higher priority + increaseWPA3Priority = opts: + opts // optionalAttrs (hasMixedWPA opts) + { priority = if opts.priority == null + then 1 + else opts.priority + 1; + }; + + # Creates a WPA2 fallback network + mkWPA2Fallback = opts: + opts // { authProtocols = subtractLists wpa3Protocols opts.authProtocols; }; + + # Networks attrset as a list + networkList = mapAttrsToList (ssid: opts: opts // { inherit ssid; }) + cfg.networks; + + # List of all networks (normal + generated fallbacks) + allNetworks = + if cfg.fallbackToWPA2 + then map increaseWPA3Priority networkList + ++ map mkWPA2Fallback (filter hasMixedWPA networkList) + else networkList; + + # Content of wpa_supplicant.conf + generatedConfig = concatStringsSep "\n" ( + (map mkNetwork allNetworks) + ++ optional cfg.userControlled.enable (concatStringsSep "\n" + [ "ctrl_interface=/run/wpa_supplicant" + "ctrl_interface_group=${cfg.userControlled.group}" + "update_config=1" + ]) + ++ [ "pmf=1" ] + ++ optional cfg.scanOnLowSignal ''bgscan="simple:30:-70:3600"'' + ++ optional (cfg.extraConfig != "") cfg.extraConfig); + + configIsGenerated = with cfg; + networks != {} || extraConfig != "" || userControlled.enable; + + # the original configuration file + configFile = + if configIsGenerated + then pkgs.writeText "wpa_supplicant.conf" generatedConfig + else "/etc/wpa_supplicant.conf"; + # the config file with environment variables replaced + finalConfig = ''"$RUNTIME_DIRECTORY"/wpa_supplicant.conf''; + + # Creates a network block for wpa_supplicant.conf + mkNetwork = opts: + let + quote = x: ''"${x}"''; + indent = x: " " + x; + + pskString = if opts.psk != null + then quote opts.psk + else opts.pskRaw; + + options = [ + "ssid=${quote opts.ssid}" + (if pskString != null || opts.auth != null + then "key_mgmt=${concatStringsSep " " opts.authProtocols}" + else "key_mgmt=NONE") + ] ++ optional opts.hidden "scan_ssid=1" + ++ optional (pskString != null) "psk=${pskString}" + ++ optionals (opts.auth != null) (filter (x: x != "") (splitString "\n" opts.auth)) + ++ optional (opts.priority != null) "priority=${toString opts.priority}" + ++ optional (opts.extraConfig != "") opts.extraConfig; + in '' + network={ + ${concatMapStringsSep "\n" indent options} + } + ''; + + # Creates a systemd unit for wpa_supplicant bound to a given (or any) interface + mkUnit = iface: + let + deviceUnit = optional (iface != null) "sys-subsystem-net-devices-${utils.escapeSystemdPath iface}.device"; + configStr = if cfg.allowAuxiliaryImperativeNetworks + then "-c /etc/wpa_supplicant.conf -I ${finalConfig}" + else "-c ${finalConfig}"; + in { + description = "WPA Supplicant instance" + optionalString (iface != null) " for interface ${iface}"; + + after = deviceUnit; + before = [ "network.target" ]; + wants = [ "network.target" ]; + requires = deviceUnit; + wantedBy = [ "multi-user.target" ]; + stopIfChanged = false; + + path = [ package ]; + serviceConfig.RuntimeDirectory = "wpa_supplicant"; + serviceConfig.RuntimeDirectoryMode = "700"; + serviceConfig.EnvironmentFile = mkIf (cfg.environmentFile != null) + (builtins.toString cfg.environmentFile); + + script = + '' + ${optionalString configIsGenerated '' + if [ -f /etc/wpa_supplicant.conf ]; then + echo >&2 "<3>/etc/wpa_supplicant.conf present but ignored. Generated ${configFile} is used instead." + fi + ''} + + # substitute environment variables + ${pkgs.gawk}/bin/awk '{ + for(varname in ENVIRON) + gsub("@"varname"@", ENVIRON[varname]) + print + }' "${configFile}" > "${finalConfig}" + + iface_args="-s ${optionalString cfg.dbusControlled "-u"} -D${cfg.driver} ${configStr}" + + ${if iface == null then '' + # detect interfaces automatically + + # check if there are no wireless interfaces + if ! find -H /sys/class/net/* -name wireless | grep -q .; then + # if so, wait until one appears + echo "Waiting for wireless interfaces" + grep -q '^ACTION=add' < <(stdbuf -oL -- udevadm monitor -s net/wlan -pu) + # Note: the above line has been carefully written: + # 1. The process substitution avoids udevadm hanging (after grep has quit) + # until it tries to write to the pipe again. Not even pipefail works here. + # 2. stdbuf is needed because udevadm output is buffered by default and grep + # may hang until more udev events enter the pipe. + fi + + # add any interface found to the daemon arguments + for name in $(find -H /sys/class/net/* -name wireless | cut -d/ -f 5); do + echo "Adding interface $name" + args+="''${args:+ -N} -i$name $iface_args" + done + '' else '' + # add known interface to the daemon arguments + args="-i${iface} $iface_args" + ''} + + # finally start daemon + exec wpa_supplicant $args + ''; + }; + + systemctl = "/run/current-system/systemd/bin/systemctl"; + +in { + options = { + networking.wireless = { + enable = mkEnableOption "wpa_supplicant"; + + interfaces = mkOption { + type = types.listOf types.str; + default = []; + example = [ "wlan0" "wlan1" ]; + description = '' + The interfaces <command>wpa_supplicant</command> will use. If empty, it will + automatically use all wireless interfaces. + + <note><para> + A separate wpa_supplicant instance will be started for each interface. + </para></note> + ''; + }; + + driver = mkOption { + type = types.str; + default = "nl80211,wext"; + description = "Force a specific wpa_supplicant driver."; + }; + + allowAuxiliaryImperativeNetworks = mkEnableOption "support for imperative & declarative networks" // { + description = '' + Whether to allow configuring networks "imperatively" (e.g. via + <package>wpa_supplicant_gui</package>) and declaratively via + <xref linkend="opt-networking.wireless.networks" />. + + Please note that this adds a custom patch to <package>wpa_supplicant</package>. + ''; + }; + + scanOnLowSignal = mkOption { + type = types.bool; + default = true; + description = '' + Whether to periodically scan for (better) networks when the signal of + the current one is low. This will make roaming between access points + faster, but will consume more power. + ''; + }; + + fallbackToWPA2 = mkOption { + type = types.bool; + default = true; + description = '' + Whether to fall back to WPA2 authentication protocols if WPA3 failed. + This allows old wireless cards (that lack recent features required by + WPA3) to connect to mixed WPA2/WPA3 access points. + + To avoid possible downgrade attacks, disable this options. + ''; + }; + + environmentFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/secrets/wireless.env"; + description = '' + File consisting of lines of the form <literal>varname=value</literal> + to define variables for the wireless configuration. + + See section "EnvironmentFile=" in <citerefentry> + <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> + </citerefentry> for a syntax reference. + + Secrets (PSKs, passwords, etc.) can be provided without adding them to + the world-readable Nix store by defining them in the environment file and + referring to them in option <option>networking.wireless.networks</option> + with the syntax <literal>@varname@</literal>. Example: + + <programlisting> + # content of /run/secrets/wireless.env + PSK_HOME=mypassword + PASS_WORK=myworkpassword + </programlisting> + + <programlisting> + # wireless-related configuration + networking.wireless.environmentFile = "/run/secrets/wireless.env"; + networking.wireless.networks = { + home.psk = "@PSK_HOME@"; + work.auth = ''' + eap=PEAP + identity="my-user@example.com" + password="@PASS_WORK@" + '''; + }; + </programlisting> + ''; + }; + + networks = mkOption { + type = types.attrsOf (types.submodule { + options = { + psk = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The network's pre-shared key in plaintext defaulting + to being a network without any authentication. + + <warning><para> + Be aware that this will be written to the nix store + in plaintext! Use an environment variable instead. + </para></warning> + + <note><para> + Mutually exclusive with <varname>pskRaw</varname>. + </para></note> + ''; + }; + + pskRaw = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The network's pre-shared key in hex defaulting + to being a network without any authentication. + + <warning><para> + Be aware that this will be written to the nix store + in plaintext! Use an environment variable instead. + </para></warning> + + <note><para> + Mutually exclusive with <varname>psk</varname>. + </para></note> + ''; + }; + + authProtocols = mkOption { + default = [ + # WPA2 and WPA3 + "WPA-PSK" "WPA-EAP" "SAE" + # 802.11r variants of the above + "FT-PSK" "FT-EAP" "FT-SAE" + ]; + # The list can be obtained by running this command + # awk ' + # /^# key_mgmt: /{ run=1 } + # /^#$/{ run=0 } + # /^# [A-Z0-9-]{2,}/{ if(run){printf("\"%s\"\n", $2)} } + # ' /run/current-system/sw/share/doc/wpa_supplicant/wpa_supplicant.conf.example + type = types.listOf (types.enum [ + "WPA-PSK" + "WPA-EAP" + "IEEE8021X" + "NONE" + "WPA-NONE" + "FT-PSK" + "FT-EAP" + "FT-EAP-SHA384" + "WPA-PSK-SHA256" + "WPA-EAP-SHA256" + "SAE" + "FT-SAE" + "WPA-EAP-SUITE-B" + "WPA-EAP-SUITE-B-192" + "OSEN" + "FILS-SHA256" + "FILS-SHA384" + "FT-FILS-SHA256" + "FT-FILS-SHA384" + "OWE" + "DPP" + ]); + description = '' + The list of authentication protocols accepted by this network. + This corresponds to the <literal>key_mgmt</literal> option in wpa_supplicant. + ''; + }; + + auth = mkOption { + type = types.nullOr types.str; + default = null; + example = '' + eap=PEAP + identity="user@example.com" + password="@EXAMPLE_PASSWORD@" + ''; + description = '' + Use this option to configure advanced authentication methods like EAP. + See + <citerefentry> + <refentrytitle>wpa_supplicant.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + for example configurations. + + <warning><para> + Be aware that this will be written to the nix store + in plaintext! Use an environment variable for secrets. + </para></warning> + + <note><para> + Mutually exclusive with <varname>psk</varname> and + <varname>pskRaw</varname>. + </para></note> + ''; + }; + + hidden = mkOption { + type = types.bool; + default = false; + description = '' + Set this to <literal>true</literal> if the SSID of the network is hidden. + ''; + example = literalExpression '' + { echelon = { + hidden = true; + psk = "abcdefgh"; + }; + } + ''; + }; + + priority = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + By default, all networks will get same priority group (0). If some of the + networks are more desirable, this field can be used to change the order in + which wpa_supplicant goes through the networks when selecting a BSS. The + priority groups will be iterated in decreasing priority (i.e., the larger the + priority value, the sooner the network is matched against the scan results). + Within each priority group, networks will be selected based on security + policy, signal strength, etc. + ''; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + example = '' + bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66 + ''; + description = '' + Extra configuration lines appended to the network block. + See + <citerefentry> + <refentrytitle>wpa_supplicant.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + for available options. + ''; + }; + + }; + }); + description = '' + The network definitions to automatically connect to when + <command>wpa_supplicant</command> is running. If this + parameter is left empty wpa_supplicant will use + /etc/wpa_supplicant.conf as the configuration file. + ''; + default = {}; + example = literalExpression '' + { echelon = { # SSID with no spaces or special characters + psk = "abcdefgh"; # (password will be written to /nix/store!) + }; + + echelon = { # safe version of the above: read PSK from the + psk = "@PSK_ECHELON@"; # variable PSK_ECHELON, defined in environmentFile, + }; # this won't leak into /nix/store + + "echelon's AP" = { # SSID with spaces and/or special characters + psk = "ijklmnop"; # (password will be written to /nix/store!) + }; + + "free.wifi" = {}; # Public wireless network + } + ''; + }; + + userControlled = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli. + This is useful for laptop users that switch networks a lot and don't want + to depend on a large package such as NetworkManager just to pick nearby + access points. + + When using a declarative network specification you cannot persist any + settings via wpa_gui or wpa_cli. + ''; + }; + + group = mkOption { + type = types.str; + default = "wheel"; + example = "network"; + description = "Members of this group can control wpa_supplicant."; + }; + }; + + dbusControlled = mkOption { + type = types.bool; + default = lib.length cfg.interfaces < 2; + defaultText = literalExpression "length config.${opt.interfaces} < 2"; + description = '' + Whether to enable the DBus control interface. + This is only needed when using NetworkManager or connman. + ''; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + example = '' + p2p_disabled=1 + ''; + description = '' + Extra lines appended to the configuration file. + See + <citerefentry> + <refentrytitle>wpa_supplicant.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + for available options. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + assertions = flip mapAttrsToList cfg.networks (name: cfg: { + assertion = with cfg; count (x: x != null) [ psk pskRaw auth ] <= 1; + message = ''options networking.wireless."${name}".{psk,pskRaw,auth} are mutually exclusive''; + }) ++ [ + { + assertion = length cfg.interfaces > 1 -> !cfg.dbusControlled; + message = + let daemon = if config.networking.networkmanager.enable then "NetworkManager" else + if config.services.connman.enable then "connman" else null; + n = toString (length cfg.interfaces); + in '' + It's not possible to run multiple wpa_supplicant instances with DBus support. + Note: you're seeing this error because `networking.wireless.interfaces` has + ${n} entries, implying an equal number of wpa_supplicant instances. + '' + optionalString (daemon != null) '' + You don't need to change `networking.wireless.interfaces` when using ${daemon}: + in this case the interfaces will be configured automatically for you. + ''; + } + ]; + + hardware.wirelessRegulatoryDatabase = true; + + environment.systemPackages = [ package ]; + services.dbus.packages = optional cfg.dbusControlled package; + + systemd.services = + if cfg.interfaces == [] + then { wpa_supplicant = mkUnit null; } + else listToAttrs (map (i: nameValuePair "wpa_supplicant-${i}" (mkUnit i)) cfg.interfaces); + + # Restart wpa_supplicant after resuming from sleep + powerManagement.resumeCommands = concatStringsSep "\n" ( + optional (cfg.interfaces == []) "${systemctl} try-restart wpa_supplicant" + ++ map (i: "${systemctl} try-restart wpa_supplicant-${i}") cfg.interfaces + ); + + # Restart wpa_supplicant when a wlan device appears or disappears. This is + # only needed when an interface hasn't been specified by the user. + services.udev.extraRules = optionalString (cfg.interfaces == []) '' + ACTION=="add|remove", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", \ + RUN+="${systemctl} try-restart wpa_supplicant.service" + ''; + }; + + meta.maintainers = with lib.maintainers; [ globin rnhmjoj ]; +} diff --git a/nixos/modules/services/networking/x2goserver.nix b/nixos/modules/services/networking/x2goserver.nix new file mode 100644 index 00000000000..d4adf6c5650 --- /dev/null +++ b/nixos/modules/services/networking/x2goserver.nix @@ -0,0 +1,164 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.x2goserver; + + defaults = { + superenicer = { enable = cfg.superenicer.enable; }; + }; + confText = generators.toINI {} (recursiveUpdate defaults cfg.settings); + x2goServerConf = pkgs.writeText "x2goserver.conf" confText; + + x2goAgentOptions = pkgs.writeText "x2goagent.options" '' + X2GO_NXOPTIONS="" + X2GO_NXAGENT_DEFAULT_OPTIONS="${concatStringsSep " " cfg.nxagentDefaultOptions}" + ''; + +in { + imports = [ + (mkRenamedOptionModule [ "programs" "x2goserver" ] [ "services" "x2goserver" ]) + ]; + + options.services.x2goserver = { + enable = mkEnableOption "x2goserver" // { + description = '' + Enables the x2goserver module. + NOTE: This will create a good amount of symlinks in `/usr/local/bin` + ''; + }; + + superenicer = { + enable = mkEnableOption "superenicer" // { + description = '' + Enables the SupeReNicer code in x2gocleansessions, this will renice + suspended sessions to nice level 19 and renice them to level 0 if the + session becomes marked as running again + ''; + }; + }; + + nxagentDefaultOptions = mkOption { + type = types.listOf types.str; + default = [ "-extension GLX" "-nolisten tcp" ]; + description = '' + List of default nx agent options. + ''; + }; + + settings = mkOption { + type = types.attrsOf types.attrs; + default = {}; + description = '' + x2goserver.conf ini configuration as nix attributes. See + `x2goserver.conf(5)` for details + ''; + example = literalExpression '' + { + superenicer = { + "enable" = "yes"; + "idle-nice-level" = 19; + }; + telekinesis = { "enable" = "no"; }; + } + ''; + }; + }; + + config = mkIf cfg.enable { + + # x2goserver can run X11 program even if "services.xserver.enable = false" + xdg = { + autostart.enable = true; + menus.enable = true; + mime.enable = true; + icons.enable = true; + }; + + environment.systemPackages = [ pkgs.x2goserver ]; + + users.groups.x2go = {}; + users.users.x2go = { + home = "/var/lib/x2go/db"; + group = "x2go"; + isSystemUser = true; + }; + + security.wrappers.x2gosqliteWrapper = { + source = "${pkgs.x2goserver}/lib/x2go/libx2go-server-db-sqlite3-wrapper.pl"; + owner = "x2go"; + group = "x2go"; + setuid = false; + setgid = true; + }; + security.wrappers.x2goprintWrapper = { + source = "${pkgs.x2goserver}/bin/x2goprint"; + owner = "x2go"; + group = "x2go"; + setuid = false; + setgid = true; + }; + + systemd.tmpfiles.rules = with pkgs; [ + "d /var/lib/x2go/ - x2go x2go - -" + "d /var/lib/x2go/db - x2go x2go - -" + "d /var/lib/x2go/conf - x2go x2go - -" + "d /run/x2go 0755 x2go x2go - -" + ] ++ + # x2goclient sends SSH commands with preset PATH set to + # "/usr/local/bin;/usr/bin;/bin". Since we cannot filter arbitrary ssh + # commands, we have to make the following executables available. + map (f: "L+ /usr/local/bin/${f} - - - - ${x2goserver}/bin/${f}") [ + "x2goagent" "x2gobasepath" "x2gocleansessions" "x2gocmdexitmessage" + "x2godbadmin" "x2gofeature" "x2gofeaturelist" "x2gofm" "x2gogetapps" + "x2gogetservers" "x2golistdesktops" "x2golistmounts" "x2golistsessions" + "x2golistsessions_root" "x2golistshadowsessions" "x2gomountdirs" + "x2gopath" "x2goprint" "x2goresume-desktopsharing" "x2goresume-session" + "x2goruncommand" "x2goserver-run-extensions" "x2gosessionlimit" + "x2gosetkeyboard" "x2goshowblocks" "x2gostartagent" + "x2gosuspend-desktopsharing" "x2gosuspend-session" + "x2goterminate-desktopsharing" "x2goterminate-session" + "x2goumount-session" "x2goversion" + ] ++ [ + "L+ /usr/local/bin/awk - - - - ${gawk}/bin/awk" + "L+ /usr/local/bin/chmod - - - - ${coreutils}/bin/chmod" + "L+ /usr/local/bin/cp - - - - ${coreutils}/bin/cp" + "L+ /usr/local/bin/sed - - - - ${gnused}/bin/sed" + "L+ /usr/local/bin/setsid - - - - ${util-linux}/bin/setsid" + "L+ /usr/local/bin/xrandr - - - - ${xorg.xrandr}/bin/xrandr" + "L+ /usr/local/bin/xmodmap - - - - ${xorg.xmodmap}/bin/xmodmap" + ]; + + systemd.services.x2goserver = { + description = "X2Go Server Daemon"; + wantedBy = [ "multi-user.target" ]; + unitConfig.Documentation = "man:x2goserver.conf(5)"; + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.x2goserver}/bin/x2gocleansessions"; + PIDFile = "/run/x2go/x2goserver.pid"; + User = "x2go"; + Group = "x2go"; + RuntimeDirectory = "x2go"; + StateDirectory = "x2go"; + }; + preStart = '' + if [ ! -e /var/lib/x2go/setup_ran ] + then + mkdir -p /var/lib/x2go/conf + cp -r ${pkgs.x2goserver}/etc/x2go/* /var/lib/x2go/conf/ + ln -sf ${x2goServerConf} /var/lib/x2go/conf/x2goserver.conf + ln -sf ${x2goAgentOptions} /var/lib/x2go/conf/x2goagent.options + ${pkgs.x2goserver}/bin/x2godbadmin --createdb + touch /var/lib/x2go/setup_ran + fi + ''; + }; + + # https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=276 + security.sudo.extraConfig = '' + Defaults env_keep+=QT_GRAPHICSSYSTEM + ''; + }; +} diff --git a/nixos/modules/services/networking/xandikos.nix b/nixos/modules/services/networking/xandikos.nix new file mode 100644 index 00000000000..4bd45a76e67 --- /dev/null +++ b/nixos/modules/services/networking/xandikos.nix @@ -0,0 +1,148 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.xandikos; +in +{ + + options = { + services.xandikos = { + enable = mkEnableOption "Xandikos CalDAV and CardDAV server"; + + package = mkOption { + type = types.package; + default = pkgs.xandikos; + defaultText = literalExpression "pkgs.xandikos"; + description = "The Xandikos package to use."; + }; + + address = mkOption { + type = types.str; + default = "localhost"; + description = '' + The IP address on which Xandikos will listen. + By default listens on localhost. + ''; + }; + + port = mkOption { + type = types.port; + default = 8080; + description = "The port of the Xandikos web application"; + }; + + routePrefix = mkOption { + type = types.str; + default = "/"; + description = '' + Path to Xandikos. + Useful when Xandikos is behind a reverse proxy. + ''; + }; + + extraOptions = mkOption { + default = []; + type = types.listOf types.str; + example = literalExpression '' + [ "--autocreate" + "--defaults" + "--current-user-principal user" + "--dump-dav-xml" + ] + ''; + description = '' + Extra command line arguments to pass to xandikos. + ''; + }; + + nginx = mkOption { + default = {}; + description = '' + Configuration for nginx reverse proxy. + ''; + + type = types.submodule { + options = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Configure the nginx reverse proxy settings. + ''; + }; + + hostName = mkOption { + type = types.str; + description = '' + The hostname use to setup the virtualhost configuration + ''; + }; + }; + }; + }; + + }; + + }; + + config = mkIf cfg.enable ( + mkMerge [ + { + meta.maintainers = with lib.maintainers; [ _0x4A6F ]; + + systemd.services.xandikos = { + description = "A Simple Calendar and Contact Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = "xandikos"; + Group = "xandikos"; + DynamicUser = "yes"; + RuntimeDirectory = "xandikos"; + StateDirectory = "xandikos"; + StateDirectoryMode = "0700"; + PrivateDevices = true; + # Sandboxing + CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN"; + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_PACKET AF_NETLINK"; + RestrictNamespaces = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + ExecStart = '' + ${cfg.package}/bin/xandikos \ + --directory /var/lib/xandikos \ + --listen-address ${cfg.address} \ + --port ${toString cfg.port} \ + --route-prefix ${cfg.routePrefix} \ + ${lib.concatStringsSep " " cfg.extraOptions} + ''; + }; + }; + } + + ( + mkIf cfg.nginx.enable { + services.nginx = { + enable = true; + virtualHosts."${cfg.nginx.hostName}" = { + locations."/" = { + proxyPass = "http://${cfg.address}:${toString cfg.port}/"; + }; + }; + }; + } + ) + ] + ); +} diff --git a/nixos/modules/services/networking/xinetd.nix b/nixos/modules/services/networking/xinetd.nix new file mode 100644 index 00000000000..2f527ab156a --- /dev/null +++ b/nixos/modules/services/networking/xinetd.nix @@ -0,0 +1,147 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.xinetd; + + configFile = pkgs.writeText "xinetd.conf" + '' + defaults + { + log_type = SYSLOG daemon info + log_on_failure = HOST + log_on_success = PID HOST DURATION EXIT + ${cfg.extraDefaults} + } + + ${concatMapStrings makeService cfg.services} + ''; + + makeService = srv: + '' + service ${srv.name} + { + protocol = ${srv.protocol} + ${optionalString srv.unlisted "type = UNLISTED"} + ${optionalString (srv.flags != "") "flags = ${srv.flags}"} + socket_type = ${if srv.protocol == "udp" then "dgram" else "stream"} + ${if srv.port != 0 then "port = ${toString srv.port}" else ""} + wait = ${if srv.protocol == "udp" then "yes" else "no"} + user = ${srv.user} + server = ${srv.server} + ${optionalString (srv.serverArgs != "") "server_args = ${srv.serverArgs}"} + ${srv.extraConfig} + } + ''; + +in + +{ + + ###### interface + + options = { + + services.xinetd.enable = mkEnableOption "the xinetd super-server daemon"; + + services.xinetd.extraDefaults = mkOption { + default = ""; + type = types.lines; + description = '' + Additional configuration lines added to the default section of xinetd's configuration. + ''; + }; + + services.xinetd.services = mkOption { + default = []; + description = '' + A list of services provided by xinetd. + ''; + + type = with types; listOf (submodule ({ + + options = { + + name = mkOption { + type = types.str; + example = "login"; + description = "Name of the service."; + }; + + protocol = mkOption { + type = types.str; + default = "tcp"; + description = + "Protocol of the service. Usually <literal>tcp</literal> or <literal>udp</literal>."; + }; + + port = mkOption { + type = types.int; + default = 0; + example = 123; + description = "Port number of the service."; + }; + + user = mkOption { + type = types.str; + default = "nobody"; + description = "User account for the service"; + }; + + server = mkOption { + type = types.str; + example = "/foo/bin/ftpd"; + description = "Path of the program that implements the service."; + }; + + serverArgs = mkOption { + type = types.separatedString " "; + default = ""; + description = "Command-line arguments for the server program."; + }; + + flags = mkOption { + type = types.str; + default = ""; + description = ""; + }; + + unlisted = mkOption { + type = types.bool; + default = false; + description = '' + Whether this server is listed in + <filename>/etc/services</filename>. If so, the port + number can be omitted. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Extra configuration-lines added to the section of the service."; + }; + + }; + + })); + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + systemd.services.xinetd = { + description = "xinetd server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.xinetd ]; + script = "exec xinetd -syslog daemon -dontfork -stayalive -f ${configFile}"; + }; + }; +} diff --git a/nixos/modules/services/networking/xl2tpd.nix b/nixos/modules/services/networking/xl2tpd.nix new file mode 100644 index 00000000000..7dbe51422d9 --- /dev/null +++ b/nixos/modules/services/networking/xl2tpd.nix @@ -0,0 +1,143 @@ +{ config, pkgs, lib, ... }: + +with lib; + +{ + options = { + services.xl2tpd = { + enable = mkEnableOption "xl2tpd, the Layer 2 Tunnelling Protocol Daemon"; + + serverIp = mkOption { + type = types.str; + description = "The server-side IP address."; + default = "10.125.125.1"; + }; + + clientIpRange = mkOption { + type = types.str; + description = "The range from which client IPs are drawn."; + default = "10.125.125.2-11"; + }; + + extraXl2tpOptions = mkOption { + type = types.lines; + description = "Adds extra lines to the xl2tpd configuration file."; + default = ""; + }; + + extraPppdOptions = mkOption { + type = types.lines; + description = "Adds extra lines to the pppd options file."; + default = ""; + example = '' + ms-dns 8.8.8.8 + ms-dns 8.8.4.4 + ''; + }; + }; + }; + + config = mkIf config.services.xl2tpd.enable { + systemd.services.xl2tpd = let + cfg = config.services.xl2tpd; + + # Config files from https://help.ubuntu.com/community/L2TPServer + xl2tpd-conf = pkgs.writeText "xl2tpd.conf" '' + [global] + ipsec saref = no + + [lns default] + local ip = ${cfg.serverIp} + ip range = ${cfg.clientIpRange} + pppoptfile = ${pppd-options} + length bit = yes + + ; Extra + ${cfg.extraXl2tpOptions} + ''; + + pppd-options = pkgs.writeText "ppp-options-xl2tpd.conf" '' + refuse-pap + refuse-chap + refuse-mschap + require-mschap-v2 + # require-mppe-128 + asyncmap 0 + auth + crtscts + idle 1800 + mtu 1200 + mru 1200 + lock + hide-password + local + # debug + name xl2tpd + # proxyarp + lcp-echo-interval 30 + lcp-echo-failure 4 + + # Extra: + ${cfg.extraPppdOptions} + ''; + + xl2tpd-ppp-wrapped = pkgs.stdenv.mkDerivation { + name = "xl2tpd-ppp-wrapped"; + phases = [ "installPhase" ]; + buildInputs = with pkgs; [ makeWrapper ]; + installPhase = '' + mkdir -p $out/bin + + makeWrapper ${pkgs.ppp}/sbin/pppd $out/bin/pppd \ + --set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \ + --set NIX_REDIRECTS "/etc/ppp=/etc/xl2tpd/ppp" + + makeWrapper ${pkgs.xl2tpd}/bin/xl2tpd $out/bin/xl2tpd \ + --set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \ + --set NIX_REDIRECTS "${pkgs.ppp}/sbin/pppd=$out/bin/pppd" + ''; + }; + in { + description = "xl2tpd server"; + + requires = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + + preStart = '' + mkdir -p -m 700 /etc/xl2tpd + + pushd /etc/xl2tpd > /dev/null + + mkdir -p -m 700 ppp + + [ -f ppp/chap-secrets ] || cat > ppp/chap-secrets << EOF + # Secrets for authentication using CHAP + # client server secret IP addresses + #username xl2tpd password * + EOF + + chown root.root ppp/chap-secrets + chmod 600 ppp/chap-secrets + + # The documentation says this file should be present but doesn't explain why and things work even if not there: + [ -f l2tp-secrets ] || (echo -n "* * "; ${pkgs.apg}/bin/apg -n 1 -m 32 -x 32 -a 1 -M LCN) > l2tp-secrets + chown root.root l2tp-secrets + chmod 600 l2tp-secrets + + popd > /dev/null + + mkdir -p /run/xl2tpd + chown root.root /run/xl2tpd + chmod 700 /run/xl2tpd + ''; + + serviceConfig = { + ExecStart = "${xl2tpd-ppp-wrapped}/bin/xl2tpd -D -c ${xl2tpd-conf} -s /etc/xl2tpd/l2tp-secrets -p /run/xl2tpd/pid -C /run/xl2tpd/control"; + KillMode = "process"; + Restart = "on-success"; + Type = "simple"; + PIDFile = "/run/xl2tpd/pid"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/xrdp.nix b/nixos/modules/services/networking/xrdp.nix new file mode 100644 index 00000000000..747fb7a1f9c --- /dev/null +++ b/nixos/modules/services/networking/xrdp.nix @@ -0,0 +1,185 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.xrdp; + confDir = pkgs.runCommand "xrdp.conf" { preferLocalBuild = true; } '' + mkdir $out + + cp ${cfg.package}/etc/xrdp/{km-*,xrdp,sesman,xrdp_keyboard}.ini $out + + cat > $out/startwm.sh <<EOF + #!/bin/sh + . /etc/profile + ${cfg.defaultWindowManager} + EOF + chmod +x $out/startwm.sh + + substituteInPlace $out/xrdp.ini \ + --replace "#rsakeys_ini=" "rsakeys_ini=/run/xrdp/rsakeys.ini" \ + --replace "certificate=" "certificate=${cfg.sslCert}" \ + --replace "key_file=" "key_file=${cfg.sslKey}" \ + --replace LogFile=xrdp.log LogFile=/dev/null \ + --replace EnableSyslog=true EnableSyslog=false + + substituteInPlace $out/sesman.ini \ + --replace LogFile=xrdp-sesman.log LogFile=/dev/null \ + --replace EnableSyslog=1 EnableSyslog=0 + + # Ensure that clipboard works for non-ASCII characters + sed -i -e '/.*SessionVariables.*/ a\ + LANG=${config.i18n.defaultLocale}\ + LOCALE_ARCHIVE=${config.i18n.glibcLocales}/lib/locale/locale-archive + ' $out/sesman.ini + ''; +in +{ + + ###### interface + + options = { + + services.xrdp = { + + enable = mkEnableOption "xrdp, the Remote Desktop Protocol server"; + + package = mkOption { + type = types.package; + default = pkgs.xrdp; + defaultText = literalExpression "pkgs.xrdp"; + description = '' + The package to use for the xrdp daemon's binary. + ''; + }; + + port = mkOption { + type = types.int; + default = 3389; + description = '' + Specifies on which port the xrdp daemon listens. + ''; + }; + + openFirewall = mkOption { + default = false; + type = types.bool; + description = "Whether to open the firewall for the specified RDP port."; + }; + + sslKey = mkOption { + type = types.str; + default = "/etc/xrdp/key.pem"; + example = "/path/to/your/key.pem"; + description = '' + ssl private key path + A self-signed certificate will be generated if file not exists. + ''; + }; + + sslCert = mkOption { + type = types.str; + default = "/etc/xrdp/cert.pem"; + example = "/path/to/your/cert.pem"; + description = '' + ssl certificate path + A self-signed certificate will be generated if file not exists. + ''; + }; + + defaultWindowManager = mkOption { + type = types.str; + default = "xterm"; + example = "xfce4-session"; + description = '' + The script to run when user log in, usually a window manager, e.g. "icewm", "xfce4-session" + This is per-user overridable, if file ~/startwm.sh exists it will be used instead. + ''; + }; + + confDir = mkOption { + type = types.path; + default = confDir; + defaultText = literalDocBook "generated from configuration"; + description = "The location of the config files for xrdp."; + }; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + + # xrdp can run X11 program even if "services.xserver.enable = false" + xdg = { + autostart.enable = true; + menus.enable = true; + mime.enable = true; + icons.enable = true; + }; + + fonts.enableDefaultFonts = mkDefault true; + + systemd = { + services.xrdp = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "xrdp daemon"; + requires = [ "xrdp-sesman.service" ]; + preStart = '' + # prepare directory for unix sockets (the sockets will be owned by loggedinuser:xrdp) + mkdir -p /tmp/.xrdp || true + chown xrdp:xrdp /tmp/.xrdp + chmod 3777 /tmp/.xrdp + + # generate a self-signed certificate + if [ ! -s ${cfg.sslCert} -o ! -s ${cfg.sslKey} ]; then + mkdir -p $(dirname ${cfg.sslCert}) || true + mkdir -p $(dirname ${cfg.sslKey}) || true + ${pkgs.openssl.bin}/bin/openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \ + -subj /C=US/ST=CA/L=Sunnyvale/O=xrdp/CN=www.xrdp.org \ + -config ${cfg.package}/share/xrdp/openssl.conf \ + -keyout ${cfg.sslKey} -out ${cfg.sslCert} + chown root:xrdp ${cfg.sslKey} ${cfg.sslCert} + chmod 440 ${cfg.sslKey} ${cfg.sslCert} + fi + if [ ! -s /run/xrdp/rsakeys.ini ]; then + mkdir -p /run/xrdp + ${cfg.package}/bin/xrdp-keygen xrdp /run/xrdp/rsakeys.ini + fi + ''; + serviceConfig = { + User = "xrdp"; + Group = "xrdp"; + PermissionsStartOnly = true; + ExecStart = "${cfg.package}/bin/xrdp --nodaemon --port ${toString cfg.port} --config ${cfg.confDir}/xrdp.ini"; + }; + }; + + services.xrdp-sesman = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "xrdp session manager"; + restartIfChanged = false; # do not restart on "nixos-rebuild switch". like "display-manager", it can have many interactive programs as children + serviceConfig = { + ExecStart = "${cfg.package}/bin/xrdp-sesman --nodaemon --config ${cfg.confDir}/sesman.ini"; + ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID"; + }; + }; + + }; + + users.users.xrdp = { + description = "xrdp daemon user"; + isSystemUser = true; + group = "xrdp"; + }; + users.groups.xrdp = {}; + + security.pam.services.xrdp-sesman = { allowNullPassword = true; startSession = true; }; + }; + +} diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix new file mode 100644 index 00000000000..99c18ae6919 --- /dev/null +++ b/nixos/modules/services/networking/yggdrasil.nix @@ -0,0 +1,201 @@ +{ config, lib, pkgs, ... }: +with lib; +let + keysPath = "/var/lib/yggdrasil/keys.json"; + + cfg = config.services.yggdrasil; + configProvided = cfg.config != { }; + configFileProvided = cfg.configFile != null; + +in { + options = with types; { + services.yggdrasil = { + enable = mkEnableOption "the yggdrasil system service"; + + config = mkOption { + type = attrs; + default = {}; + example = { + Peers = [ + "tcp://aa.bb.cc.dd:eeeee" + "tcp://[aaaa:bbbb:cccc:dddd::eeee]:fffff" + ]; + Listen = [ + "tcp://0.0.0.0:xxxxx" + ]; + }; + description = '' + Configuration for yggdrasil, as a Nix attribute set. + + Warning: this is stored in the WORLD-READABLE Nix store! + Therefore, it is not appropriate for private keys. If you + wish to specify the keys, use <option>configFile</option>. + + If the <option>persistentKeys</option> is enabled then the + keys that are generated during activation will override + those in <option>config</option> or + <option>configFile</option>. + + If no keys are specified then ephemeral keys are generated + and the Yggdrasil interface will have a random IPv6 address + each time the service is started, this is the default. + + If both <option>configFile</option> and <option>config</option> + are supplied, they will be combined, with values from + <option>configFile</option> taking precedence. + + You can use the command <code>nix-shell -p yggdrasil --run + "yggdrasil -genconf"</code> to generate default + configuration values with documentation. + ''; + }; + + configFile = mkOption { + type = nullOr path; + default = null; + example = "/run/keys/yggdrasil.conf"; + description = '' + A file which contains JSON configuration for yggdrasil. + See the <option>config</option> option for more information. + ''; + }; + + group = mkOption { + type = types.str; + default = "root"; + example = "wheel"; + description = "Group to grant access to the Yggdrasil control socket."; + }; + + openMulticastPort = mkOption { + type = bool; + default = false; + description = '' + Whether to open the UDP port used for multicast peer + discovery. The NixOS firewall blocks link-local + communication, so in order to make local peering work you + will also need to set <code>LinkLocalTCPPort</code> in your + yggdrasil configuration (<option>config</option> or + <option>configFile</option>) to a port number other than 0, + and then add that port to + <option>networking.firewall.allowedTCPPorts</option>. + ''; + }; + + denyDhcpcdInterfaces = mkOption { + type = listOf str; + default = []; + example = [ "tap*" ]; + description = '' + Disable the DHCP client for any interface whose name matches + any of the shell glob patterns in this list. Use this + option to prevent the DHCP client from broadcasting requests + on the yggdrasil network. It is only necessary to do so + when yggdrasil is running in TAP mode, because TUN + interfaces do not support broadcasting. + ''; + }; + + package = mkOption { + type = package; + default = pkgs.yggdrasil; + defaultText = literalExpression "pkgs.yggdrasil"; + description = "Yggdrasil package to use."; + }; + + persistentKeys = mkEnableOption '' + If enabled then keys will be generated once and Yggdrasil + will retain the same IPv6 address when the service is + restarted. Keys are stored at ${keysPath}. + ''; + + }; + }; + + config = mkIf cfg.enable (let binYggdrasil = cfg.package + "/bin/yggdrasil"; + in { + assertions = [{ + assertion = config.networking.enableIPv6; + message = "networking.enableIPv6 must be true for yggdrasil to work"; + }]; + + system.activationScripts.yggdrasil = mkIf cfg.persistentKeys '' + if [ ! -e ${keysPath} ] + then + mkdir --mode=700 -p ${builtins.dirOf keysPath} + ${binYggdrasil} -genconf -json \ + | ${pkgs.jq}/bin/jq \ + 'to_entries|map(select(.key|endswith("Key")))|from_entries' \ + > ${keysPath} + fi + ''; + + systemd.services.yggdrasil = { + description = "Yggdrasil Network Service"; + bindsTo = [ "network-online.target" ]; + after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + + preStart = + (if configProvided || configFileProvided || cfg.persistentKeys then + "echo " + + + (lib.optionalString configProvided + "'${builtins.toJSON cfg.config}'") + + (lib.optionalString configFileProvided "$(cat ${cfg.configFile})") + + (lib.optionalString cfg.persistentKeys "$(cat ${keysPath})") + + " | ${pkgs.jq}/bin/jq -s add | ${binYggdrasil} -normaliseconf -useconf" + else + "${binYggdrasil} -genconf") + " > /run/yggdrasil/yggdrasil.conf"; + + serviceConfig = { + ExecStart = + "${binYggdrasil} -useconffile /run/yggdrasil/yggdrasil.conf"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "always"; + + Group = cfg.group; + RuntimeDirectory = "yggdrasil"; + RuntimeDirectoryMode = "0750"; + BindReadOnlyPaths = lib.optional configFileProvided cfg.configFile + ++ lib.optional cfg.persistentKeys keysPath; + + # TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails + # to set up the network adapter when DynamicUser is set. See + # github.com/yggdrasil-network/yggdrasil-go/issues/557. The + # following options are implied by DynamicUser according to + # the systemd.exec documentation, and can be removed if the + # upstream issue is fixed and DynamicUser is set to true: + PrivateTmp = true; + RemoveIPC = true; + NoNewPrivileges = true; + ProtectSystem = "strict"; + RestrictSUIDSGID = true; + # End of list of options implied by DynamicUser. + + AmbientCapabilities = "CAP_NET_ADMIN"; + CapabilityBoundingSet = "CAP_NET_ADMIN"; + MemoryDenyWriteExecute = true; + ProtectControlGroups = true; + ProtectHome = "tmpfs"; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources"; + }; + }; + + networking.dhcpcd.denyInterfaces = cfg.denyDhcpcdInterfaces; + networking.firewall.allowedUDPPorts = mkIf cfg.openMulticastPort [ 9001 ]; + + # Make yggdrasilctl available on the command line. + environment.systemPackages = [ cfg.package ]; + }); + meta = { + doc = ./yggdrasil.xml; + maintainers = with lib.maintainers; [ gazally ehmry ]; + }; +} diff --git a/nixos/modules/services/networking/yggdrasil.xml b/nixos/modules/services/networking/yggdrasil.xml new file mode 100644 index 00000000000..a341d5d8153 --- /dev/null +++ b/nixos/modules/services/networking/yggdrasil.xml @@ -0,0 +1,156 @@ +<?xml version="1.0"?> +<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="module-services-networking-yggdrasil"> + <title>Yggdrasil</title> + <para> + <emphasis>Source:</emphasis> + <filename>modules/services/networking/yggdrasil/default.nix</filename> + </para> + <para> + <emphasis>Upstream documentation:</emphasis> + <link xlink:href="https://yggdrasil-network.github.io/"/> + </para> + <para> +Yggdrasil is an early-stage implementation of a fully end-to-end encrypted, +self-arranging IPv6 network. +</para> + <section xml:id="module-services-networking-yggdrasil-configuration"> + <title>Configuration</title> + <section xml:id="module-services-networking-yggdrasil-configuration-simple"> + <title>Simple ephemeral node</title> + <para> +An annotated example of a simple configuration: +<programlisting> +{ + services.yggdrasil = { + enable = true; + persistentKeys = false; + # The NixOS module will generate new keys and a new IPv6 address each time + # it is started if persistentKeys is not enabled. + + config = { + Peers = [ + # Yggdrasil will automatically connect and "peer" with other nodes it + # discovers via link-local multicast annoucements. Unless this is the + # case (it probably isn't) a node needs peers within the existing + # network that it can tunnel to. + "tcp://1.2.3.4:1024" + "tcp://1.2.3.5:1024" + # Public peers can be found at + # https://github.com/yggdrasil-network/public-peers + ]; + }; + }; +} +</programlisting> + </para> + </section> + <section xml:id="module-services-networking-yggdrasil-configuration-prefix"> + <title>Persistent node with prefix</title> + <para> +A node with a fixed address that announces a prefix: +<programlisting> +let + address = "210:5217:69c0:9afc:1b95:b9f:8718:c3d2"; + prefix = "310:5217:69c0:9afc"; + # taken from the output of "yggdrasilctl getself". +in { + + services.yggdrasil = { + enable = true; + persistentKeys = true; # Maintain a fixed public key and IPv6 address. + config = { + Peers = [ "tcp://1.2.3.4:1024" "tcp://1.2.3.5:1024" ]; + NodeInfo = { + # This information is visible to the network. + name = config.networking.hostName; + location = "The North Pole"; + }; + }; + }; + + boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; + # Forward traffic under the prefix. + + networking.interfaces.${eth0}.ipv6.addresses = [{ + # Set a 300::/8 address on the local physical device. + address = prefix + "::1"; + prefixLength = 64; + }]; + + services.radvd = { + # Annouce the 300::/8 prefix to eth0. + enable = true; + config = '' + interface eth0 + { + AdvSendAdvert on; + prefix ${prefix}::/64 { + AdvOnLink on; + AdvAutonomous on; + }; + route 200::/8 {}; + }; + ''; + }; +} +</programlisting> + </para> + </section> + <section xml:id="module-services-networking-yggdrasil-configuration-container"> + <title>Yggdrasil attached Container</title> + <para> +A NixOS container attached to the Yggdrasil network via a node running on the +host: + <programlisting> +let + yggPrefix64 = "310:5217:69c0:9afc"; + # Again, taken from the output of "yggdrasilctl getself". +in +{ + boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; + # Enable IPv6 forwarding. + + networking = { + bridges.br0.interfaces = [ ]; + # A bridge only to containers… + + interfaces.br0 = { + # … configured with a prefix address. + ipv6.addresses = [{ + address = "${yggPrefix64}::1"; + prefixLength = 64; + }]; + }; + }; + + containers.foo = { + autoStart = true; + privateNetwork = true; + hostBridge = "br0"; + # Attach the container to the bridge only. + config = { config, pkgs, ... }: { + networking.interfaces.eth0.ipv6 = { + addresses = [{ + # Configure a prefix address. + address = "${yggPrefix64}::2"; + prefixLength = 64; + }]; + routes = [{ + # Configure the prefix route. + address = "200::"; + prefixLength = 7; + via = "${yggPrefix64}::1"; + }]; + }; + + services.httpd.enable = true; + networking.firewall.allowedTCPPorts = [ 80 ]; + }; + }; + +} +</programlisting> + </para> + </section> + </section> +</chapter> diff --git a/nixos/modules/services/networking/zerobin.nix b/nixos/modules/services/networking/zerobin.nix new file mode 100644 index 00000000000..16db25d6230 --- /dev/null +++ b/nixos/modules/services/networking/zerobin.nix @@ -0,0 +1,102 @@ +{ config, pkgs, lib, ... }: +with lib; +let + cfg = config.services.zerobin; + + zerobin_config = pkgs.writeText "zerobin-config.py" '' + PASTE_FILES_ROOT = "${cfg.dataDir}" + ${cfg.extraConfig} + ''; + +in + { + options = { + services.zerobin = { + enable = mkEnableOption "0bin"; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/zerobin"; + description = '' + Path to the 0bin data directory + ''; + }; + + user = mkOption { + type = types.str; + default = "zerobin"; + description = '' + The user 0bin should run as + ''; + }; + + group = mkOption { + type = types.str; + default = "zerobin"; + description = '' + The group 0bin should run as + ''; + }; + + listenPort = mkOption { + type = types.int; + default = 8000; + example = 1357; + description = '' + The port zerobin should listen on + ''; + }; + + listenAddress = mkOption { + type = types.str; + default = "localhost"; + example = "127.0.0.1"; + description = '' + The address zerobin should listen to + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + MENU = ( + ('Home', '/'), + ) + COMPRESSED_STATIC_FILE = True + ''; + description = '' + Extra configuration to be appended to the 0bin config file + (see https://0bin.readthedocs.org/en/latest/en/options.html) + ''; + }; + }; + }; + + config = mkIf (cfg.enable) { + users.users.${cfg.user} = + if cfg.user == "zerobin" then { + isSystemUser = true; + group = cfg.group; + home = cfg.dataDir; + createHome = true; + } + else {}; + users.groups.${cfg.group} = {}; + + systemd.services.zerobin = { + enable = true; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = "${pkgs.zerobin}/bin/zerobin ${cfg.listenAddress} ${toString cfg.listenPort} false ${cfg.user} ${cfg.group} ${zerobin_config}"; + serviceConfig.PrivateTmp="yes"; + serviceConfig.User = cfg.user; + serviceConfig.Group = cfg.group; + preStart = '' + mkdir -p ${cfg.dataDir} + chown ${cfg.user} ${cfg.dataDir} + ''; + }; + }; + } + diff --git a/nixos/modules/services/networking/zeronet.nix b/nixos/modules/services/networking/zeronet.nix new file mode 100644 index 00000000000..3370390a4c6 --- /dev/null +++ b/nixos/modules/services/networking/zeronet.nix @@ -0,0 +1,94 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) generators literalExpression mkEnableOption mkIf mkOption recursiveUpdate types; + cfg = config.services.zeronet; + dataDir = "/var/lib/zeronet"; + configFile = pkgs.writeText "zeronet.conf" (generators.toINI {} (recursiveUpdate defaultSettings cfg.settings)); + + defaultSettings = { + global = { + data_dir = dataDir; + log_dir = dataDir; + ui_port = cfg.port; + fileserver_port = cfg.fileserverPort; + tor = if !cfg.tor then "disable" else if cfg.torAlways then "always" else "enable"; + }; + }; +in with lib; { + options.services.zeronet = { + enable = mkEnableOption "zeronet"; + + settings = mkOption { + type = with types; attrsOf (oneOf [ str int bool (listOf str) ]); + default = {}; + example = literalExpression "{ global.tor = enable; }"; + + description = '' + <filename>zeronet.conf</filename> configuration. Refer to + <link xlink:href="https://zeronet.readthedocs.io/en/latest/faq/#is-it-possible-to-use-a-configuration-file"/> + for details on supported values; + ''; + }; + + port = mkOption { + type = types.port; + default = 43110; + description = "Optional zeronet web UI port."; + }; + + fileserverPort = mkOption { + # Not optional: when absent zeronet tries to write one to the + # read-only config file and crashes + type = types.port; + default = 12261; + description = "Zeronet fileserver port."; + }; + + tor = mkOption { + type = types.bool; + default = false; + description = "Use TOR for zeronet traffic where possible."; + }; + + torAlways = mkOption { + type = types.bool; + default = false; + description = "Use TOR for all zeronet traffic."; + }; + }; + + config = mkIf cfg.enable { + services.tor = mkIf cfg.tor { + enable = true; + controlPort = 9051; + + extraConfig = '' + CacheDirectoryGroupReadable 1 + CookieAuthentication 1 + CookieAuthFileGroupReadable 1 + ''; + }; + + systemd.services.zeronet = { + description = "zeronet"; + after = [ "network.target" (optionalString cfg.tor "tor.service") ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + User = "zeronet"; + DynamicUser = true; + StateDirectory = "zeronet"; + SupplementaryGroups = mkIf cfg.tor [ "tor" ]; + ExecStart = "${pkgs.zeronet}/bin/zeronet --config_file ${configFile}"; + }; + }; + }; + + imports = [ + (mkRemovedOptionModule [ "services" "zeronet" "dataDir" ] "Zeronet will store data by default in /var/lib/zeronet") + (mkRemovedOptionModule [ "services" "zeronet" "logDir" ] "Zeronet will log by default in /var/lib/zeronet") + ]; + + meta.maintainers = with maintainers; [ chiiruno ]; +} diff --git a/nixos/modules/services/networking/zerotierone.nix b/nixos/modules/services/networking/zerotierone.nix new file mode 100644 index 00000000000..3bc7d3ac0db --- /dev/null +++ b/nixos/modules/services/networking/zerotierone.nix @@ -0,0 +1,81 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.zerotierone; +in +{ + options.services.zerotierone.enable = mkEnableOption "ZeroTierOne"; + + options.services.zerotierone.joinNetworks = mkOption { + default = []; + example = [ "a8a2c3c10c1a68de" ]; + type = types.listOf types.str; + description = '' + List of ZeroTier Network IDs to join on startup + ''; + }; + + options.services.zerotierone.port = mkOption { + default = 9993; + type = types.int; + description = '' + Network port used by ZeroTier. + ''; + }; + + options.services.zerotierone.package = mkOption { + default = pkgs.zerotierone; + defaultText = literalExpression "pkgs.zerotierone"; + type = types.package; + description = '' + ZeroTier One package to use. + ''; + }; + + config = mkIf cfg.enable { + systemd.services.zerotierone = { + description = "ZeroTierOne"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + wants = [ "network-online.target" ]; + + path = [ cfg.package ]; + + preStart = '' + mkdir -p /var/lib/zerotier-one/networks.d + chmod 700 /var/lib/zerotier-one + chown -R root:root /var/lib/zerotier-one + '' + (concatMapStrings (netId: '' + touch "/var/lib/zerotier-one/networks.d/${netId}.conf" + '') cfg.joinNetworks); + serviceConfig = { + ExecStart = "${cfg.package}/bin/zerotier-one -p${toString cfg.port}"; + Restart = "always"; + KillMode = "process"; + TimeoutStopSec = 5; + }; + }; + + # ZeroTier does not issue DHCP leases, but some strangers might... + networking.dhcpcd.denyInterfaces = [ "zt*" ]; + + # ZeroTier receives UDP transmissions + networking.firewall.allowedUDPPorts = [ cfg.port ]; + + environment.systemPackages = [ cfg.package ]; + + # Prevent systemd from potentially changing the MAC address + systemd.network.links."50-zerotier" = { + matchConfig = { + OriginalName = "zt*"; + }; + linkConfig = { + AutoNegotiation = false; + MACAddressPolicy = "none"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/znc/default.nix b/nixos/modules/services/networking/znc/default.nix new file mode 100644 index 00000000000..a98f92d2d71 --- /dev/null +++ b/nixos/modules/services/networking/znc/default.nix @@ -0,0 +1,335 @@ +{ config, lib, pkgs, ...}: + +with lib; + +let + + cfg = config.services.znc; + + defaultUser = "znc"; + + modules = pkgs.buildEnv { + name = "znc-modules"; + paths = cfg.modulePackages; + }; + + listenerPorts = concatMap (l: optional (l ? Port) l.Port) + (attrValues (cfg.config.Listener or {})); + + # Converts the config option to a string + semanticString = let + + sortedAttrs = set: sort (l: r: + if l == "extraConfig" then false # Always put extraConfig last + else if isAttrs set.${l} == isAttrs set.${r} then l < r + else isAttrs set.${r} # Attrsets should be last, makes for a nice config + # This last case occurs when any side (but not both) is an attrset + # The order of these is correct when the attrset is on the right + # which we're just returning + ) (attrNames set); + + # Specifies an attrset that encodes the value according to its type + encode = name: value: { + null = []; + bool = [ "${name} = ${boolToString value}" ]; + int = [ "${name} = ${toString value}" ]; + + # extraConfig should be inserted verbatim + string = [ (if name == "extraConfig" then value else "${name} = ${value}") ]; + + # Values like `Foo = [ "bar" "baz" ];` should be transformed into + # Foo=bar + # Foo=baz + list = concatMap (encode name) value; + + # Values like `Foo = { bar = { Baz = "baz"; Qux = "qux"; Florps = null; }; };` should be transmed into + # <Foo bar> + # Baz=baz + # Qux=qux + # </Foo> + set = concatMap (subname: optionals (value.${subname} != null) ([ + "<${name} ${subname}>" + ] ++ map (line: "\t${line}") (toLines value.${subname}) ++ [ + "</${name}>" + ])) (filter (v: v != null) (attrNames value)); + + }.${builtins.typeOf value}; + + # One level "above" encode, acts upon a set and uses encode on each name,value pair + toLines = set: concatMap (name: encode name set.${name}) (sortedAttrs set); + + in + concatStringsSep "\n" (toLines cfg.config); + + semanticTypes = with types; rec { + zncAtom = nullOr (oneOf [ int bool str ]); + zncAttr = attrsOf (nullOr zncConf); + zncAll = oneOf [ zncAtom (listOf zncAtom) zncAttr ]; + zncConf = attrsOf (zncAll // { + # Since this is a recursive type and the description by default contains + # the description of its subtypes, infinite recursion would occur without + # explicitly breaking this cycle + description = "znc values (null, atoms (str, int, bool), list of atoms, or attrsets of znc values)"; + }); + }; + +in + +{ + + imports = [ ./options.nix ]; + + options = { + services.znc = { + enable = mkEnableOption "ZNC"; + + user = mkOption { + default = "znc"; + example = "john"; + type = types.str; + description = '' + The name of an existing user account to use to own the ZNC server + process. If not specified, a default user will be created. + ''; + }; + + group = mkOption { + default = defaultUser; + example = "users"; + type = types.str; + description = '' + Group to own the ZNC process. + ''; + }; + + dataDir = mkOption { + default = "/var/lib/znc"; + example = "/home/john/.znc"; + type = types.path; + description = '' + The state directory for ZNC. The config and the modules will be linked + to from this directory as well. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open ports in the firewall for ZNC. Does work with + ports for listeners specified in + <option>services.znc.config.Listener</option>. + ''; + }; + + config = mkOption { + type = semanticTypes.zncConf; + default = {}; + example = literalExpression '' + { + LoadModule = [ "webadmin" "adminlog" ]; + User.paul = { + Admin = true; + Nick = "paul"; + AltNick = "paul1"; + LoadModule = [ "chansaver" "controlpanel" ]; + Network.libera = { + Server = "irc.libera.chat +6697"; + LoadModule = [ "simple_away" ]; + Chan = { + "#nixos" = { Detached = false; }; + "##linux" = { Disabled = true; }; + }; + }; + Pass.password = { + Method = "sha256"; + Hash = "e2ce303c7ea75c571d80d8540a8699b46535be6a085be3414947d638e48d9e93"; + Salt = "l5Xryew4g*!oa(ECfX2o"; + }; + }; + } + ''; + description = '' + Configuration for ZNC, see + <link xlink:href="https://wiki.znc.in/Configuration"/> for details. The + Nix value declared here will be translated directly to the xml-like + format ZNC expects. This is much more flexible than the legacy options + under <option>services.znc.confOptions.*</option>, but also can't do + any type checking. + </para> + <para> + You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.services.znc.config</command> + to view the current value. By default it contains a listener for port + 5000 with SSL enabled. + </para> + <para> + Nix attributes called <literal>extraConfig</literal> will be inserted + verbatim into the resulting config file. + </para> + <para> + If <option>services.znc.useLegacyConfig</option> is turned on, the + option values in <option>services.znc.confOptions.*</option> will be + gracefully be applied to this option. + </para> + <para> + If you intend to update the configuration through this option, be sure + to enable <option>services.znc.mutable</option>, otherwise none of the + changes here will be applied after the initial deploy. + ''; + }; + + configFile = mkOption { + type = types.path; + example = literalExpression "~/.znc/configs/znc.conf"; + description = '' + Configuration file for ZNC. It is recommended to use the + <option>config</option> option instead. + </para> + <para> + Setting this option will override any auto-generated config file + through the <option>confOptions</option> or <option>config</option> + options. + ''; + }; + + modulePackages = mkOption { + type = types.listOf types.package; + default = [ ]; + example = literalExpression "[ pkgs.zncModules.fish pkgs.zncModules.push ]"; + description = '' + A list of global znc module packages to add to znc. + ''; + }; + + mutable = mkOption { + default = true; # TODO: Default to true when config is set, make sure to not delete the old config if present + type = types.bool; + description = '' + Indicates whether to allow the contents of the + <literal>dataDir</literal> directory to be changed by the user at + run-time. + </para> + <para> + If enabled, modifications to the ZNC configuration after its initial + creation are not overwritten by a NixOS rebuild. If disabled, the + ZNC configuration is rebuilt on every NixOS rebuild. + </para> + <para> + If the user wants to manage the ZNC service using the web admin + interface, this option should be enabled. + ''; + }; + + extraFlags = mkOption { + default = [ ]; + example = [ "--debug" ]; + type = types.listOf types.str; + description = '' + Extra arguments to use for executing znc. + ''; + }; + }; + }; + + + ###### Implementation + + config = mkIf cfg.enable { + + services.znc = { + configFile = mkDefault (pkgs.writeText "znc-generated.conf" semanticString); + config = { + Version = lib.getVersion pkgs.znc; + Listener.l.Port = mkDefault 5000; + Listener.l.SSL = mkDefault true; + }; + }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall listenerPorts; + + systemd.services.znc = { + description = "ZNC Server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Restart = "always"; + ExecStart = "${pkgs.znc}/bin/znc --foreground --datadir ${cfg.dataDir} ${escapeShellArgs cfg.extraFlags}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID"; + # Hardening + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = [ cfg.dataDir ]; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0027"; + }; + preStart = '' + mkdir -p ${cfg.dataDir}/configs + + # If mutable, regenerate conf file every time. + ${optionalString (!cfg.mutable) '' + echo "znc is set to be system-managed. Now deleting old znc.conf file to be regenerated." + rm -f ${cfg.dataDir}/configs/znc.conf + ''} + + # Ensure essential files exist. + if [[ ! -f ${cfg.dataDir}/configs/znc.conf ]]; then + echo "No znc.conf file found in ${cfg.dataDir}. Creating one now." + cp --no-preserve=ownership --no-clobber ${cfg.configFile} ${cfg.dataDir}/configs/znc.conf + chmod u+rw ${cfg.dataDir}/configs/znc.conf + fi + + if [[ ! -f ${cfg.dataDir}/znc.pem ]]; then + echo "No znc.pem file found in ${cfg.dataDir}. Creating one now." + ${pkgs.znc}/bin/znc --makepem --datadir ${cfg.dataDir} + fi + + # Symlink modules + rm ${cfg.dataDir}/modules || true + ln -fs ${modules}/lib/znc ${cfg.dataDir}/modules + ''; + }; + + users.users = optionalAttrs (cfg.user == defaultUser) { + ${defaultUser} = + { description = "ZNC server daemon owner"; + group = defaultUser; + uid = config.ids.uids.znc; + home = cfg.dataDir; + createHome = true; + }; + }; + + users.groups = optionalAttrs (cfg.user == defaultUser) { + ${defaultUser} = + { gid = config.ids.gids.znc; + members = [ defaultUser ]; + }; + }; + + }; +} diff --git a/nixos/modules/services/networking/znc/options.nix b/nixos/modules/services/networking/znc/options.nix new file mode 100644 index 00000000000..0db051126e8 --- /dev/null +++ b/nixos/modules/services/networking/znc/options.nix @@ -0,0 +1,270 @@ +{ lib, config, ... }: + +with lib; + +let + + cfg = config.services.znc; + + networkOpts = { + options = { + + server = mkOption { + type = types.str; + example = "irc.libera.chat"; + description = '' + IRC server address. + ''; + }; + + port = mkOption { + type = types.ints.u16; + default = 6697; + description = '' + IRC server port. + ''; + }; + + password = mkOption { + type = types.str; + default = ""; + description = '' + IRC server password, such as for a Slack gateway. + ''; + }; + + useSSL = mkOption { + type = types.bool; + default = true; + description = '' + Whether to use SSL to connect to the IRC server. + ''; + }; + + modules = mkOption { + type = types.listOf types.str; + default = [ "simple_away" ]; + example = literalExpression ''[ "simple_away" "sasl" ]''; + description = '' + ZNC network modules to load. + ''; + }; + + channels = mkOption { + type = types.listOf types.str; + default = []; + example = [ "nixos" ]; + description = '' + IRC channels to join. + ''; + }; + + hasBitlbeeControlChannel = mkOption { + type = types.bool; + default = false; + description = '' + Whether to add the special Bitlbee operations channel. + ''; + }; + + extraConf = mkOption { + default = ""; + type = types.lines; + example = '' + Encoding = ^UTF-8 + FloodBurst = 4 + FloodRate = 1.00 + IRCConnectEnabled = true + Ident = johntron + JoinDelay = 0 + Nick = johntron + ''; + description = '' + Extra config for the network. Consider using + <option>services.znc.config</option> instead. + ''; + }; + }; + }; + +in + +{ + + options = { + services.znc = { + + useLegacyConfig = mkOption { + default = true; + type = types.bool; + description = '' + Whether to propagate the legacy options under + <option>services.znc.confOptions.*</option> to the znc config. If this + is turned on, the znc config will contain a user with the default name + "znc", global modules "webadmin" and "adminlog" will be enabled by + default, and more, all controlled through the + <option>services.znc.confOptions.*</option> options. + You can use <command>nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.services.znc.config</command> + to view the current value of the config. + </para> + <para> + In any case, if you need more flexibility, + <option>services.znc.config</option> can be used to override/add to + all of the legacy options. + ''; + }; + + confOptions = { + modules = mkOption { + type = types.listOf types.str; + default = [ "webadmin" "adminlog" ]; + example = [ "partyline" "webadmin" "adminlog" "log" ]; + description = '' + A list of modules to include in the `znc.conf` file. + ''; + }; + + userModules = mkOption { + type = types.listOf types.str; + default = [ "chansaver" "controlpanel" ]; + example = [ "chansaver" "controlpanel" "fish" "push" ]; + description = '' + A list of user modules to include in the `znc.conf` file. + ''; + }; + + userName = mkOption { + default = "znc"; + example = "johntron"; + type = types.str; + description = '' + The user name used to log in to the ZNC web admin interface. + ''; + }; + + networks = mkOption { + default = { }; + type = with types; attrsOf (submodule networkOpts); + description = '' + IRC networks to connect the user to. + ''; + example = literalExpression '' + { + "libera" = { + server = "irc.libera.chat"; + port = 6697; + useSSL = true; + modules = [ "simple_away" ]; + }; + }; + ''; + }; + + nick = mkOption { + default = "znc-user"; + example = "john"; + type = types.str; + description = '' + The IRC nick. + ''; + }; + + passBlock = mkOption { + example = '' + <Pass password> + Method = sha256 + Hash = e2ce303c7ea75c571d80d8540a8699b46535be6a085be3414947d638e48d9e93 + Salt = l5Xryew4g*!oa(ECfX2o + </Pass> + ''; + type = types.str; + description = '' + Generate with `nix-shell -p znc --command "znc --makepass"`. + This is the password used to log in to the ZNC web admin interface. + You can also set this through + <option>services.znc.config.User.<username>.Pass.Method</option> + and co. + ''; + }; + + port = mkOption { + default = 5000; + type = types.int; + description = '' + Specifies the port on which to listen. + ''; + }; + + useSSL = mkOption { + default = true; + type = types.bool; + description = '' + Indicates whether the ZNC server should use SSL when listening on + the specified port. A self-signed certificate will be generated. + ''; + }; + + uriPrefix = mkOption { + type = types.nullOr types.str; + default = null; + example = "/znc/"; + description = '' + An optional URI prefix for the ZNC web interface. Can be + used to make ZNC available behind a reverse proxy. + ''; + }; + + extraZncConf = mkOption { + default = ""; + type = types.lines; + description = '' + Extra config to `znc.conf` file. + ''; + }; + }; + + }; + }; + + config = mkIf cfg.useLegacyConfig { + + services.znc.config = let + c = cfg.confOptions; + # defaults here should override defaults set in the non-legacy part + mkDefault = mkOverride 900; + in { + LoadModule = mkDefault c.modules; + Listener.l = { + Port = mkDefault c.port; + IPv4 = mkDefault true; + IPv6 = mkDefault true; + SSL = mkDefault c.useSSL; + URIPrefix = c.uriPrefix; + }; + User.${c.userName} = { + Admin = mkDefault true; + Nick = mkDefault c.nick; + AltNick = mkDefault "${c.nick}_"; + Ident = mkDefault c.nick; + RealName = mkDefault c.nick; + LoadModule = mkDefault c.userModules; + Network = mapAttrs (name: net: { + LoadModule = mkDefault net.modules; + Server = mkDefault "${net.server} ${optionalString net.useSSL "+"}${toString net.port} ${net.password}"; + Chan = optionalAttrs net.hasBitlbeeControlChannel { "&bitlbee" = mkDefault {}; } // + listToAttrs (map (n: nameValuePair "#${n}" (mkDefault {})) net.channels); + extraConfig = if net.extraConf == "" then mkDefault null else net.extraConf; + }) c.networks; + extraConfig = [ c.passBlock ]; + }; + extraConfig = optional (c.extraZncConf != "") c.extraZncConf; + }; + }; + + imports = [ + (mkRemovedOptionModule ["services" "znc" "zncConf"] '' + Instead of `services.znc.zncConf = "... foo ...";`, use + `services.znc.configFile = pkgs.writeText "znc.conf" "... foo ...";`. + '') + ]; +} |