summary refs log tree commit diff
path: root/nixos
diff options
context:
space:
mode:
authorGregor Kleen <pngwjpgh@users.noreply.github.com>2018-04-21 22:34:01 +0200
committerGregor Kleen <pngwjpgh@users.noreply.github.com>2018-04-21 22:34:01 +0200
commite11cb1d2a9846d9bd71773ed113be37c9ffa7311 (patch)
treed69f7102ad7890c3df91044ec8027be01cbafa6e /nixos
parent1eea73eaa8185bd6f4fe2a0facc90652277ea399 (diff)
parent595efb966d38eb9480cf332adc0ffcb92855e685 (diff)
downloadnixpkgs-e11cb1d2a9846d9bd71773ed113be37c9ffa7311.tar
nixpkgs-e11cb1d2a9846d9bd71773ed113be37c9ffa7311.tar.gz
nixpkgs-e11cb1d2a9846d9bd71773ed113be37c9ffa7311.tar.bz2
nixpkgs-e11cb1d2a9846d9bd71773ed113be37c9ffa7311.tar.lz
nixpkgs-e11cb1d2a9846d9bd71773ed113be37c9ffa7311.tar.xz
nixpkgs-e11cb1d2a9846d9bd71773ed113be37c9ffa7311.tar.zst
nixpkgs-e11cb1d2a9846d9bd71773ed113be37c9ffa7311.zip
Merge branch 'master' of github.com:NixOS/nixpkgs into feat/acme/delay
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/computing/boinc/client.nix46


-rw-r--r--nixos/modules/services/networking/nsd.nix135


2 files changed, 175 insertions, 6 deletions
diff --git a/nixos/modules/services/computing/boinc/client.nix b/nixos/modules/services/computing/boinc/client.nix
index e43b6bbb253..8abe3c5b8c9 100644
--- a/nixos/modules/services/computing/boinc/client.nix
+++ b/nixos/modules/services/computing/boinc/client.nix
@@ -6,6 +6,13 @@ let
   cfg = config.services.boinc;
   allowRemoteGuiRpcFlag = optionalString cfg.allowRemoteGuiRpc "--allow_remote_gui_rpc";
 
+  fhsEnv = pkgs.buildFHSUserEnv {
+    name = "boinc-fhs-env";
+    targetPkgs = pkgs': [ cfg.package ] ++ cfg.extraEnvPackages;
+    runScript = "/bin/boinc_client";
+  };
+  fhsEnvExecutable = "${fhsEnv}/bin/${fhsEnv.name}";
+
 in
   {
     options.services.boinc = {
@@ -49,6 +56,43 @@ in
           See also: <link xlink:href="http://boinc.berkeley.edu/wiki/Controlling_BOINC_remotely#Remote_access"/>
         '';
       };
+
+      extraEnvPackages = mkOption {
+        type = types.listOf types.package;
+        default = [];
+        example = "[ pkgs.virtualbox ]";
+        description = ''
+          Additional packages to make available in the environment in which
+          BOINC will run. Common choices are:
+          <variablelist>
+            <varlistentry>
+              <term><varname>pkgs.virtualbox</varname></term>
+              <listitem><para>
+                The VirtualBox virtual machine framework. Required by some BOINC
+                projects, such as ATLAS@home.
+              </para></listitem>
+            </varlistentry>
+            <varlistentry>
+              <term><varname>pkgs.ocl-icd</varname></term>
+              <listitem><para>
+                OpenCL infrastructure library. Required by BOINC projects that
+                use OpenCL, in addition to a device-specific OpenCL driver.
+              </para></listitem>
+            </varlistentry>
+            <varlistentry>
+              <term><varname>pkgs.linuxPackages.nvidia_x11</varname></term>
+              <listitem><para>
+                Provides CUDA libraries. Required by BOINC projects that use
+                CUDA. Note that this requires an NVIDIA graphics device to be
+                present on the system.
+              </para><para>
+                Also provides OpenCL drivers for NVIDIA GPUs;
+                <varname>pkgs.ocl-icd</varname> is also needed in this case.
+              </para></listitem>
+            </varlistentry>
+          </variablelist>
+        '';
+      };
     };
 
     config = mkIf cfg.enable {
@@ -70,7 +114,7 @@ in
           chown boinc ${cfg.dataDir}
         '';
         script = ''
-          ${cfg.package}/bin/boinc_client --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag}
+          ${fhsEnvExecutable} --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag}
         '';
         serviceConfig = {
           PermissionsStartOnly = true; # preStart must be run as root
diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix
index 4241e6fccea..0b52b1d3e30 100644
--- a/nixos/modules/services/networking/nsd.nix
+++ b/nixos/modules/services/networking/nsd.nix
@@ -250,6 +250,46 @@ let
           Use imports or pkgs.lib.readFile if you don't want this data in your config file.
         '';
       };
+      
+      dnssec = mkEnableOption "DNSSEC";
+
+      dnssecPolicy = {
+        algorithm = mkOption {
+          type = types.str;
+          default = "RSASHA256";
+          description = "Which algorithm to use for DNSSEC";
+        };
+        keyttl = mkOption {
+          type = types.str;
+          default = "1h";
+          description = "TTL for dnssec records";
+        };
+        coverage = mkOption {
+          type = types.str;
+          default = "1y";
+          description = ''
+            The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time.
+          '';
+        };
+        zsk = mkOption {
+          type = keyPolicy;
+          default = { keySize = 2048;
+                      prePublish = "1w";
+                      postPublish = "1w";
+                      rollPeriod = "1mo";
+                    };
+          description = "Key policy for zone signing keys";
+        };
+        ksk = mkOption {
+          type = keyPolicy;
+          default = { keySize = 4096;
+                      prePublish = "1mo";
+                      postPublish = "1mo";
+                      rollPeriod = "0";
+                    };
+          description = "Key policy for key signing keys";
+        };
+      };
 
       maxRefreshSecs = mkOption {
         type = types.nullOr types.int;
@@ -367,10 +407,61 @@ let
           and stats_noreset.
         '';
       };
+    };
+  };
 
+  keyPolicy = types.submodule {
+    options = {
+      keySize = mkOption {
+        type = types.int;
+        description = "Key size in bits";
+      };
+      prePublish = mkOption {
+        type = types.str;
+        description = "How long in advance to publish new keys";
+      };
+      postPublish = mkOption {
+        type = types.str;
+        description = "How long after deactivation to keep a key in the zone";
+      };
+      rollPeriod = mkOption {
+        type = types.str;
+        description = "How frequently to change keys";
+      };
     };
   };
 
+  dnssecZones = (filterAttrs (n: v: if v ? dnssec then v.dnssec else false) zoneConfigs);
+
+  dnssec = length (attrNames dnssecZones) != 0; 
+
+  signZones = optionalString dnssec ''
+    mkdir -p ${stateDir}/dnssec
+    chown ${username}:${username} ${stateDir}/dnssec
+    chmod 0600 ${stateDir}/dnssec
+
+    ${concatStrings (mapAttrsToList signZone dnssecZones)}
+  '';
+  signZone = name: zone: ''
+    ${pkgs.bind}/bin/dnssec-keymgr -g ${pkgs.bind}/bin/dnssec-keygen -s ${pkgs.bind}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name}
+    ${pkgs.bind}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name}
+    ${nsdPkg}/sbin/nsd-checkzone ${name} ${stateDir}/zones/${name}.signed && mv -v ${stateDir}/zones/${name}.signed ${stateDir}/zones/${name}
+  '';
+  policyFile = name: policy: pkgs.writeText "${name}.policy" ''
+    zone ${name} {
+      algorithm ${policy.algorithm};
+      key-size zsk ${toString policy.zsk.keySize};
+      key-size ksk ${toString policy.ksk.keySize};
+      keyttl ${policy.keyttl};
+      pre-publish zsk ${policy.zsk.prePublish};
+      pre-publish ksk ${policy.ksk.prePublish};
+      post-publish zsk ${policy.zsk.postPublish};
+      post-publish ksk ${policy.ksk.postPublish};
+      roll-period zsk ${policy.zsk.rollPeriod};
+      roll-period ksk ${policy.ksk.rollPeriod};
+      coverage ${policy.coverage};
+    };
+  '';
 in
 {
   # options are ordered alphanumerically
@@ -380,6 +471,14 @@ in
 
     bind8Stats = mkEnableOption "BIND8 like statistics";
 
+    dnssecInterval = mkOption {
+      type = types.str;
+      default = "1h";
+      description = ''
+        How often to check whether dnssec key rollover is required
+      '';
+    };
+
     extraConfig = mkOption {
       type = types.str;
       default = "";
@@ -741,7 +840,6 @@ in
 
     };
 
-
     zones = mkOption {
       type = types.attrsOf zoneOptions;
       default = {};
@@ -785,7 +883,6 @@ in
         serverGroup1.
       '';
     };
-
   };
 
   config = mkIf cfg.enable {
@@ -832,9 +929,9 @@ in
         mkdir -m 0700 -p "${stateDir}/var"
 
         cat > "${stateDir}/don't touch anything in here" << EOF
-        Everything in this directory except NSD's state in var is
-        automatically generated and will be purged and redeployed
-        by the nsd.service pre-start script.
+        Everything in this directory except NSD's state in var and dnssec
+        is automatically generated and will be purged and redeployed by
+        the nsd.service pre-start script.
         EOF
 
         chown ${username}:${username} -R "${stateDir}/private"
@@ -848,6 +945,34 @@ in
       '';
     };
 
+    nixpkgs.config = mkIf dnssec {
+      bind.enablePython = true;
+    };
+
+    systemd.timers."nsd-dnssec" = mkIf dnssec {
+      description = "Automatic DNSSEC key rollover";
+
+      wantedBy = [ "nsd.service" ];
+
+      timerConfig = {
+        OnActiveSec = cfg.dnssecInterval;
+        OnUnitActiveSec = cfg.dnssecInterval;
+      };
+    };
+
+    systemd.services."nsd-dnssec" = mkIf dnssec {
+      description = "DNSSEC key rollover";
+
+      wantedBy = [ "nsd.service" ];
+      before = [ "nsd.service" ];
+
+      script = signZones;
+
+      postStop = ''
+        ${pkgs.systemd}/bin/systemctl kill -s SIGHUP nsd.service
+      '';
+    };
+
   };
 
   meta.maintainers = with lib.maintainers; [ hrdinka ];

 

generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-02 02:06:56 +0000