author | Alexandru Scvortov <code@scvalex.net> | 2022-03-06 13:49:57 +0000 |
---|---|---|
committer | Alexandru Scvortov <code@scvalex.net> | 2022-03-09 12:00:47 +0000 |
commit | 252f20aaa2744d9fe6e3b4ade2d2f44c0448ca06 (patch) | |
tree | 89dc3169e21b3c347009b4a56ac5303e8b3d5516 /nixos/modules | |
parent | 7a622c17fd08a16feff2c022146429c99a3e1639 (diff) | |
nbd: add programs.nbd, services.nbd, and test
Changes: nbd: Update nixos/modules/services/networking/nbd.nix Co-authored-by: pennae <82953136+pennae@users.noreply.github.com> nbd: Update nixos/modules/services/networking/nbd.nix Co-authored-by: pennae <82953136+pennae@users.noreply.github.com> nbd: Update nixos/tests/nbd.nix Co-authored-by: pennae <82953136+pennae@users.noreply.github.com> nbd: generalize options in nbd service nbd: harden service nbd: Update nixos/modules/services/networking/nbd.nix Co-authored-by: pennae <82953136+pennae@users.noreply.github.com> nbd: Update nixos/modules/services/networking/nbd.nix Co-authored-by: pennae <82953136+pennae@users.noreply.github.com> nbd: refactor code a bit and BindPaths automatically
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/module-list.nix | 2 | ||||
-rw-r--r-- | nixos/modules/programs/nbd.nix | 19 | ||||
-rw-r--r-- | nixos/modules/services/networking/nbd.nix | 146 |
3 files changed, 167 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index f3570c3f123..442bcc39d59 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -179,6 +179,7 @@
   ./programs/msmtp.nix
   ./programs/mtr.nix
   ./programs/nano.nix
+  ./programs/nbd.nix
   ./programs/neovim.nix
   ./programs/nm-applet.nix
   ./programs/npm.nix
@@ -818,6 +819,7 @@
   ./services/networking/nar-serve.nix
   ./services/networking/nat.nix
   ./services/networking/nats.nix
+  ./services/networking/nbd.nix
   ./services/networking/ndppd.nix
   ./services/networking/nebula.nix
   ./services/networking/networkmanager.nix
diff --git a/nixos/modules/programs/nbd.nix b/nixos/modules/programs/nbd.nix
new file mode 100644
index 00000000000..fea9bc1ff71
--- /dev/null
+++ b/nixos/modules/programs/nbd.nix
@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.nbd;
+in
+{
+  options = {
+    programs.nbd = {
+      enable = mkEnableOption "Network Block Device (nbd) support";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [ nbd ];
+    boot.kernelModules = [ "nbd" ];
+  };
+}
diff --git a/nixos/modules/services/networking/nbd.nix b/nixos/modules/services/networking/nbd.nix
new file mode 100644
index 00000000000..87f8c41a8e5
--- /dev/null
+++ b/nixos/modules/services/networking/nbd.nix
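Review bot: The `enable` option of `programs.nbd` is described only as "Network Block Device (nbd) support", but the config block also loads the `nbd` kernel module at boot via `boot.kernelModules`, which is a system-wide side effect a user enabling the client tools may not expect. I would state it in the option text: `enable = mkEnableOption "Network Block Device (nbd) client tools; also loads the nbd kernel module at boot";`. The module-list.nix hunks are pure registration and need no change.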
@@ -0,0 +1,146 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.nbd;
+  configFormat = pkgs.formats.ini { };
+  iniFields = with types; attrsOf (oneOf [ bool int float str ]);
+  serverConfig = configFormat.generate "nbd-server-config"
+    ({
+      generic =
+        (cfg.server.extraOptions // {
+          user = "root";
+          group = "root";
+          port = cfg.server.listenPort;
+        } // (optionalAttrs (cfg.server.listenAddress != null) {
+          listenaddr = cfg.server.listenAddress;
+        }));
+    }
+    // (mapAttrs
+      (_: { path, allowAddresses, extraOptions }:
+        extraOptions // {
+          exportname = path;
+        } // (optionalAttrs (allowAddresses != null) {
+          authfile = pkgs.writeText "authfile" (concatStringsSep "\n" allowAddresses);
+        }))
+      cfg.server.exports)
+    );
+  splitLists =
+    partition
+      (path: hasPrefix "/dev/" path)
+      (mapAttrsToList (_: { path, ... }: path) cfg.server.exports);
+  allowedDevices = splitLists.right;
+  boundPaths = splitLists.wrong;
+in
+{
+  options = {
+    services.nbd = {
+      server = {
+        enable = mkEnableOption "the Network Block Device (nbd) server";
+
+        listenPort = mkOption {
+          type = types.port;
+          default = 10809;
+          description = "Port to listen on. The port is NOT automatically opened in the firewall.";
+        };
+
+        extraOptions = mkOption {
+          type = iniFields;
+          default = {
+            allowlist = false;
+          };
+          description = ''
+            Extra options for the server. See
+            <citerefentry><refentrytitle>nbd-server</refentrytitle>
+            <manvolnum>5</manvolnum></citerefentry>.
+          '';
+        };
+
+        exports = mkOption {
+          description = "Files or block devices to make available over the network.";
+          default = { };
+          type = with types; attrsOf
+            (submodule {
+              options = {
+                path = mkOption {
+                  type = str;
+                  description = "File or block device to export.";
+                  example = "/dev/sdb1";
+                };
+
+                allowAddresses = mkOption {
+                  type = nullOr (listOf str);
+                  default = null;
+                  example = [ "10.10.0.0/24" "127.0.0.1" ];
+                  description = "IPs and subnets that are authorized to connect for this device. If not specified, the server will allow all connections.";
+                };
+
+                extraOptions = mkOption {
+                  type = iniFields;
+                  default = {
+                    flush = true;
+                    fua = true;
+                  };
+                  description = ''
+                    Extra options for this export. See
+                    <citerefentry><refentrytitle>nbd-server</refentrytitle>
+                    <manvolnum>5</manvolnum></citerefentry>.
+                  '';
+                };
+              };
+            });
+        };
+
+        listenAddress = mkOption {
+          type = with types; nullOr str;
+          description = "Address to listen on. If not specified, the server will listen on all interfaces.";
+          default = null;
+          example = "10.10.0.1";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.server.enable {
+    boot.kernelModules = [ "nbd" ];
+
+    systemd.services.nbd-server = {
+      after = [ "network-online.target" ];
+      before = [ "multi-user.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.nbd}/bin/nbd-server -C ${serverConfig}";
+        Type = "forking";
+
+        DeviceAllow = map (path: "${path} rw") allowedDevices;
+        BindPaths = boundPaths;
+
+        CapabilityBoundingSet = "";
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = false;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "noaccess";
+        ProtectSystem = "strict";
+        RestrictAddressFamilies = "AF_INET AF_INET6";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        UMask = "0077";
+      };
+    };
+  };
+}
|
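Review bot: With `allowAddresses` left at its default `null` and `allowlist = false` in the server defaults, every export is reachable by any host that can reach the port, and the NBD protocol itself has no client authentication, so the `authfile` written from `allowAddresses` and the `listenAddress` option are the only access control this module offers; the `allowAddresses` description understates that. I would extend it to: `description = "IPs and subnets that are authorized to connect for this device. If not specified, the server will allow all connections. NBD has no authentication: any host that can reach the port gets full access to the export (read-write unless the export is marked readonly in extraOptions), so set this or listenAddress on anything but a loopback-only deployment.";`. Separately, `DeviceAllow = map (path: "${path} rw") allowedDevices` grants write access to every `/dev` export regardless of whether the export's `extraOptions` mark it read-only; if nbd-server opens read-only exports without write access (I believe it does, but have not verified it here), the policy could be narrowed to `r` for those exports by carrying each export's options alongside its path through `splitLists`. The `authfile` is a Nix-store file, so the address list is world-readable, which is fine for IPs but worth a comment so nobody later puts anything secret through the same path.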