author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2021-04-09 00:16:01 +0000 |
committer | GitHub <noreply@github.com> | 2021-04-09 00:16:01 +0000 |
commit | c99b6f5343030d7e5e3feef8b6c596f7644310a0 (patch) | |
tree | b8cb5d2d912ff978f8f79e39c159f6c3e0adc459 /nixos | |
parent | 85b57e4446562377e8a81d1818a8fa13d99e4f42 (diff) | |
parent | 77de1a7f9cf6138c51eb491d0684feca7c571b4c (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/doh-proxy-rust.nix | 60 | ||||
-rw-r--r-- | nixos/modules/virtualisation/containers.nix | 58 | ||||
-rw-r--r-- | nixos/modules/virtualisation/libvirtd.nix | 25 | ||||
-rw-r--r-- | nixos/modules/virtualisation/podman.nix | 13 | ||||
-rw-r--r-- | nixos/tests/doh-proxy-rust.nix | 43 |
6 files changed, 147 insertions, 53 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 6f600a608dc..509bccb1ec7 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -658,6 +658,7 @@
 ./services/networking/dnscrypt-wrapper.nix
 ./services/networking/dnsdist.nix
 ./services/networking/dnsmasq.nix
+ ./services/networking/doh-proxy-rust.nix
 ./services/networking/ncdns.nix
 ./services/networking/nomad.nix
 ./services/networking/ejabberd.nix
diff --git a/nixos/modules/services/networking/doh-proxy-rust.nix b/nixos/modules/services/networking/doh-proxy-rust.nix
new file mode 100644
index 00000000000..0e55bc38665
--- /dev/null
+++ b/nixos/modules/services/networking/doh-proxy-rust.nix
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.doh-proxy-rust;
+
+in {
+
+ options.services.doh-proxy-rust = {
+
+ enable = mkEnableOption "doh-proxy-rust";
+
+ flags = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = literalExample [ "--server-address=9.9.9.9:53" ];
+ description = ''
+ A list of command-line flags to pass to doh-proxy. For details on the
+ available options, see <link xlink:href="https://github.com/jedisct1/doh-server#usage"/>.
+ '';
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.doh-proxy-rust = {
+ description = "doh-proxy-rust";
+ after = [ "network.target" "nss-lookup.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.doh-proxy-rust}/bin/doh-proxy ${escapeShellArgs cfg.flags}";
+ Restart = "always";
+ RestartSec = 10;
+ DynamicUser = true;
+
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ ProtectClock = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ RemoveIPC = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallErrorNumber = "EPERM";
+ SystemCallFilter = [ "@system-service" "~@privileged @resources" ];
+ };
+ };
+ };
+
+ meta.maintainers = with maintainers; [ stephank ];
+
+}
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index 148d0221998..3974caf2233 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
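Review bot: The hardening set in `serviceConfig` of `systemd.services.doh-proxy-rust` stops short of the kernel-interface protections that `DynamicUser` does not already imply — `ProtectKernelTunables`, `ProtectKernelModules`, `ProtectControlGroups` and `PrivateDevices` — so the proxy still sees /proc/sys, /sys and the host's /dev even though a DNS forwarder needs none of them. With `CapabilityBoundingSet = ""` the service also cannot bind a privileged port, so a user who points the listen address below 1024 via `flags` will get a bind failure; a sentence in the `flags` description saying that only unprivileged ports are usable under this unit would save that surprise. `@system-service` plus `~@privileged @resources` and the AF_INET/AF_INET6 restriction look right for this workload.
```nix
      serviceConfig = {
        # … unchanged: ExecStart, Restart, RestartSec, DynamicUser and the existing hardening keys …
        PrivateDevices = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
      };
```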
@@ -4,15 +4,7 @@ let inherit (lib) mkOption types; - # Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator - toTOML = name: value: pkgs.runCommandNoCC name { - nativeBuildInputs = [ pkgs.remarshal ]; - value = builtins.toJSON value; - passAsFile = [ "value" ]; - } '' - json2toml "$valuePath" "$out" - ''; - + toml = pkgs.formats.toml { }; in { meta = { @@ -26,6 +18,11 @@ in [ "virtualisation" "containers" "users" ] "All users with `isNormalUser = true` set now get appropriate subuid/subgid mappings." ) + ( + lib.mkRemovedOptionModule + [ "virtualisation" "containers" "containersConf" "extraConfig" ] + "Use virtualisation.containers.containersConf.settings instead." + ) ]; options.virtualisation.containers = { @@ -45,23 +42,10 @@ in description = "Enable the OCI seccomp BPF hook"; }; - containersConf = mkOption { - default = {}; + containersConf.settings = mkOption { + type = toml.type; + default = { }; description = "containers.conf configuration"; - type = types.submodule { - options = { - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Extra configuration that should be put in the containers.conf - configuration file - ''; - - }; - }; - }; }; registries = { 
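Review bot: The new `containersConf.settings` option in the third hunk (`@@ -45,23 +42,10 @@`) keeps the one-line description `containers.conf configuration` and gains no `example`, so a reader has no pointer to which tables and keys are valid or that the value is rendered to TOML. Since this option now also replaces the removed free-form `extraConfig`, the description should carry that context, e.g. `Settings written to /etc/containers/containers.conf (rendered as TOML; see containers.conf(5) for the available tables and keys). Values set here are merged with the defaults this module provides.` The `mkRemovedOptionModule` message in the second hunk is clear and does not need changes.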
@@ -113,21 +97,19 @@ in }; config = lib.mkIf cfg.enable { + virtualisation.containers.containersConf.settings = { + network.cni_plugin_dirs = [ "${pkgs.cni-plugins}/bin/" ]; + engine = { + init_path = "${pkgs.catatonit}/bin/catatonit"; + } // lib.optionalAttrs cfg.ociSeccompBpfHook.enable { + hooks_dir = [ config.boot.kernelPackages.oci-seccomp-bpf-hook ]; + }; + }; - environment.etc."containers/containers.conf".text = '' - [network] - cni_plugin_dirs = ["${pkgs.cni-plugins}/bin/"] - - [engine] - init_path = "${pkgs.catatonit}/bin/catatonit" - ${lib.optionalString (cfg.ociSeccompBpfHook.enable) '' - hooks_dir = [ - "${config.boot.kernelPackages.oci-seccomp-bpf-hook}", - ] - ''} - '' + cfg.containersConf.extraConfig; + environment.etc."containers/containers.conf".source = + toml.generate "containers.conf" cfg.containersConf.settings; - environment.etc."containers/registries.conf".source = toTOML "registries.conf" { + environment.etc."containers/registries.conf".source = toml.generate "registries.conf" { registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries; }; diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index 6357baf29e0..f43c44f5dca 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -46,6 +46,15 @@ in { ''; }; + package = mkOption { + type = types.package; + default = pkgs.libvirt; + defaultText = "pkgs.libvirt"; + description = '' + libvirt package to use. + ''; + }; + qemuPackage = mkOption { type = types.package; default = pkgs.qemu; 
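Review bot: The module's own defaults under `virtualisation.containers.containersConf.settings` in the first hunk on this line are set at normal priority, so a user who sets `engine.init_path` to a different init will, unless I am misreading the merge semantics of the TOML value type, hit a "conflicting definition values" error rather than override it (the list-valued `cni_plugin_dirs` and `hooks_dir` concatenate instead, which is the desirable behaviour for plugin and hook search paths). Wrapping the scalar leaf in `lib.mkDefault`, i.e. `init_path = lib.mkDefault "${pkgs.catatonit}/bin/catatonit";`, keeps the module default while letting the user win without `mkForce`. Since these paths control which executables podman loads as plugins and hooks, a short comment above the block stating that they are security-relevant defaults and that user entries are appended would help the next maintainer.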
@@ -149,7 +158,7 @@ in { # this file is expected in /etc/qemu and not sysconfdir (/var/lib) etc."qemu/bridge.conf".text = lib.concatMapStringsSep "\n" (e: "allow ${e}") cfg.allowedBridges; - systemPackages = with pkgs; [ libvirt libressl.nc iptables cfg.qemuPackage ]; + systemPackages = with pkgs; [ libressl.nc iptables cfg.package cfg.qemuPackage ]; etc.ethertypes.source = "${pkgs.iptables}/etc/ethertypes"; }; @@ -169,26 +178,26 @@ in { source = "/run/${dirName}/nix-helpers/qemu-bridge-helper"; }; - systemd.packages = [ pkgs.libvirt ]; + systemd.packages = [ cfg.package ]; systemd.services.libvirtd-config = { description = "Libvirt Virtual Machine Management Daemon - configuration"; script = '' # Copy default libvirt network config .xml files to /var/lib # Files modified by the user will not be overwritten - for i in $(cd ${pkgs.libvirt}/var/lib && echo \ + for i in $(cd ${cfg.package}/var/lib && echo \ libvirt/qemu/networks/*.xml libvirt/qemu/networks/autostart/*.xml \ libvirt/nwfilter/*.xml ); do mkdir -p /var/lib/$(dirname $i) -m 755 - cp -npd ${pkgs.libvirt}/var/lib/$i /var/lib/$i + cp -npd ${cfg.package}/var/lib/$i /var/lib/$i done # Copy generated qemu config to libvirt directory cp -f ${qemuConfigFile} /var/lib/${dirName}/qemu.conf # stable (not GC'able as in /nix/store) paths for using in <emulator> section of xml configs - for emulator in ${pkgs.libvirt}/libexec/libvirt_lxc ${cfg.qemuPackage}/bin/qemu-kvm ${cfg.qemuPackage}/bin/qemu-system-*; do + for emulator in ${cfg.package}/libexec/libvirt_lxc ${cfg.qemuPackage}/bin/qemu-kvm ${cfg.qemuPackage}/bin/qemu-system-*; do ln -s --force "$emulator" /run/${dirName}/nix-emulators/ done @@ -234,7 +243,7 @@ in { systemd.services.libvirt-guests = { wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ coreutils libvirt gawk ]; + path = with pkgs; [ coreutils gawk cfg.package ]; restartIfChanged = false; environment.ON_BOOT = "${cfg.onBoot}"; 
@@ -249,7 +258,7 @@ in { systemd.services.virtlogd = { description = "Virtual machine log manager"; - serviceConfig.ExecStart = "@${pkgs.libvirt}/sbin/virtlogd virtlogd"; + serviceConfig.ExecStart = "@${cfg.package}/sbin/virtlogd virtlogd"; restartIfChanged = false; }; @@ -261,7 +270,7 @@ in { systemd.services.virtlockd = { description = "Virtual machine lock manager"; - serviceConfig.ExecStart = "@${pkgs.libvirt}/sbin/virtlockd virtlockd"; + serviceConfig.ExecStart = "@${cfg.package}/sbin/virtlockd virtlockd"; restartIfChanged = false; }; diff --git a/nixos/modules/virtualisation/podman.nix b/nixos/modules/virtualisation/podman.nix index 0223c0df1f2..d6421d488b8 100644 --- a/nixos/modules/virtualisation/podman.nix +++ b/nixos/modules/virtualisation/podman.nix @@ -96,13 +96,12 @@ in virtualisation.containers = { enable = true; # Enable common /etc/containers configuration - containersConf.extraConfig = lib.optionalString cfg.enableNvidia - (builtins.readFile (toml.generate "podman.nvidia.containers.conf" { - engine = { - conmon_env_vars = [ "PATH=${lib.makeBinPath [ pkgs.nvidia-podman ]}" ]; - runtimes.nvidia = [ "${pkgs.nvidia-podman}/bin/nvidia-container-runtime" ]; - }; - })); + containersConf.settings = lib.optionalAttrs cfg.enableNvidia { + engine = { + conmon_env_vars = [ "PATH=${lib.makeBinPath [ pkgs.nvidia-podman ]}" ]; + runtimes.nvidia = [ "${pkgs.nvidia-podman}/bin/nvidia-container-runtime" ]; + }; + }; }; systemd.packages = [ cfg.package ]; diff --git a/nixos/tests/doh-proxy-rust.nix b/nixos/tests/doh-proxy-rust.nix new file mode 100644 index 00000000000..ca150cafab5 --- /dev/null +++ b/nixos/tests/doh-proxy-rust.nix 
@@ -0,0 +1,43 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+ name = "doh-proxy-rust";
+ meta = with lib.maintainers; {
+ maintainers = [ stephank ];
+ };
+
+ nodes = {
+ machine = { pkgs, lib, ... }: {
+ services.bind = {
+ enable = true;
+ extraOptions = "empty-zones-enable no;";
+ zones = lib.singleton {
+ name = ".";
+ master = true;
+ file = pkgs.writeText "root.zone" ''
+ $TTL 3600
+ . IN SOA ns.example.org. admin.example.org. ( 1 3h 1h 1w 1d )
+ . IN NS ns.example.org.
+ ns.example.org. IN A 192.168.0.1
+ '';
+ };
+ };
+ services.doh-proxy-rust = {
+ enable = true;
+ flags = [
+ "--server-address=127.0.0.1:53"
+ ];
+ };
+ };
+ };
+
+ testScript = { nodes, ... }: ''
+ url = "http://localhost:3000/dns-query"
+ query = "AAABAAABAAAAAAAAAm5zB2V4YW1wbGUDb3JnAAABAAE=" # IN A ns.example.org.
+ bin_ip = r"$'\xC0\xA8\x00\x01'" # 192.168.0.1, as shell binary string
+
+ machine.wait_for_unit("bind.service")
+ machine.wait_for_unit("doh-proxy-rust.service")
+ machine.wait_for_open_port(53)
+ machine.wait_for_open_port(3000)
+ machine.succeed(f"curl --fail '{url}?dns={query}' | grep -qF {bin_ip}")
+ '';
+}) |
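Review bot: The test relies on doh-proxy's implicit default listen address for both `url` and `wait_for_open_port(3000)` while only the upstream resolver is pinned in `flags`, so a change of the upstream default port would make the test fail in a way that looks like a service problem rather than a test assumption. Passing the listen address explicitly in `flags` alongside `--server-address` (the upstream README documents a listen-address flag) would make the test self-describing, and a comment on the `url` line such as `# doh-proxy's default listen address; keep in sync with flags` would do if the flag is deliberately left at its default. The assertion itself, a DoH query for ns.example.org matched against the binary answer bytes, is a sound end-to-end check.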