diff options
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/connman.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/networking/i2pd.nix | 300 | ||||
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 13 | ||||
-rw-r--r-- | nixos/modules/services/networking/tinc.nix | 12 | ||||
-rw-r--r-- | nixos/modules/services/networking/unifi.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/wpa_supplicant.nix | 28 |
6 files changed, 164 insertions, 197 deletions
diff --git a/nixos/modules/services/networking/connman.nix b/nixos/modules/services/networking/connman.nix index deb1cbfc185..3fecfbb13a0 100644 --- a/nixos/modules/services/networking/connman.nix +++ b/nixos/modules/services/networking/connman.nix @@ -53,13 +53,13 @@ in { config = mkIf cfg.enable { assertions = [{ - assertion = config.networking.useDHCP == false; + assertion = !config.networking.useDHCP; message = "You can not use services.networking.connman with services.networking.useDHCP"; }{ - assertion = config.networking.wireless.enable == true; + assertion = config.networking.wireless.enable; message = "You must use services.networking.connman with services.networking.wireless"; }{ - assertion = config.networking.networkmanager.enable == false; + assertion = !config.networking.networkmanager.enable; message = "You can not use services.networking.connman with services.networking.networkmanager"; }]; diff --git a/nixos/modules/services/networking/i2pd.nix b/nixos/modules/services/networking/i2pd.nix index c467402dbcf..c32b935cf94 100644 --- a/nixos/modules/services/networking/i2pd.nix +++ b/nixos/modules/services/networking/i2pd.nix @@ -12,21 +12,69 @@ let toOneZero = b: if b then "1" else "0"; + mkEndpointOpt = name: addr: port: { + name = mkOption { + type = types.str; + default = name; + description = "The endpoint name."; + }; + address = mkOption { + type = types.str; + default = addr; + description = "Bind address for ${name} endpoint. Default: " + addr; + }; + port = mkOption { + type = types.int; + default = port; + description = "Bind port for ${name} endoint. Default: " + toString port; + }; + }; + + commonTunOpts = let + i2cpOpts = { + length = mkOption { + type = types.int; + description = "Guaranteed minimum hops."; + default = 3; + }; + quantity = mkOption { + type = types.int; + description = "Number of simultaneous tunnels."; + default = 5; + }; + }; + in name: { + outbound = i2cpOpts; + inbound = i2cpOpts; + crypto.tagsToSend = mkOption { + type = types.int; + description = "Number of ElGamal/AES tags to send."; + default = 40; + }; + destination = mkOption { + type = types.str; + description = "Remote endpoint, I2P hostname or b32.i2p address."; + }; + keys = mkOption { + type = types.str; + default = name + "-keys.dat"; + description = "Keyset used for tunnel identity."; + }; + } // mkEndpointOpt name "127.0.0.1" 0; + i2pdConf = pkgs.writeText "i2pd.conf" '' - v6 = ${toOneZero cfg.enableIPv6} - unreachable = ${toOneZero cfg.unreachable} + ipv6 = ${toOneZero cfg.enableIPv6} + notransit = ${toOneZero cfg.notransit} floodfill = ${toOneZero cfg.floodfill} ${if isNull cfg.port then "" else "port = ${toString cfg.port}"} - httpproxyport = ${toString cfg.proxy.httpPort} - socksproxyport = ${toString cfg.proxy.socksPort} - ircaddress = ${cfg.irc.host} - ircport = ${toString cfg.irc.port} - ircdest = ${cfg.irc.dest} - irckeys = ${cfg.irc.keyFile} - eepport = ${toString cfg.eep.port} - ${if isNull cfg.sam.port then "" else "--samport=${toString cfg.sam.port}"} - eephost = ${cfg.eep.host} - eepkeys = ${cfg.eep.keyFile} + ${flip concatMapStrings + (collect (proto: proto ? port && proto ? address && proto ? name) cfg.proto) + (proto: let portStr = toString proto.port; in '' + [${proto.name}] + address = ${proto.address} + port = ${toString proto.port} + '') + } ''; i2pdTunnelConf = pkgs.writeText "i2pd-tunnels.conf" '' @@ -39,10 +87,15 @@ let keys = ${tun.keys} address = ${tun.address} port = ${toString tun.port} + inbound.length = ${toString tun.inbound.length} + outbound.length = ${toString tun.outbound.length} + inbound.quantity = ${toString tun.inbound.quantity} + outbound.quantity = ${toString tun.outbound.quantity} + crypto.tagsToSend = ${toString tun.crypto.tagsToSend} '') } ${flip concatMapStrings - (collect (tun: tun ? port && tun ? host) cfg.outTunnels) + (collect (tun: tun ? port && tun ? host) cfg.inTunnels) (tun: let portStr = toString tun.port; in '' [${tun.name}] type = server @@ -59,10 +112,10 @@ let i2pdSh = pkgs.writeScriptBin "i2pd" '' #!/bin/sh ${if isNull cfg.extIp then extip else ""} - ${pkgs.i2pd}/bin/i2pd --log=1 --daemon=0 --service=0 \ + ${pkgs.i2pd}/bin/i2pd --log=1 \ --host=${if isNull cfg.extIp then "$EXTIP" else cfg.extIp} \ --conf=${i2pdConf} \ - --tunnelscfg=${i2pdTunnelConf} + --tunconf=${i2pdTunnelConf} ''; in @@ -91,11 +144,11 @@ in ''; }; - unreachable = mkOption { + notransit = mkOption { type = types.bool; default = false; description = '' - If the router is declared to be unreachable and needs introduction nodes. + Tells the router to not accept transit tunnels during startup. ''; }; @@ -111,7 +164,7 @@ in type = with types; nullOr int; default = null; description = '' - I2P listen port. If no one is given the router will pick between 9111 and 30777. + I2P listen port. If no one is given the router will pick between 9111 and 30777. ''; }; @@ -123,184 +176,53 @@ in ''; }; - http = { - port = mkOption { - type = types.int; - default = 7070; - description = '' - HTTP listen port. - ''; - }; - }; - - proxy = { - httpPort = mkOption { - type = types.int; - default = 4446; - description = '' - HTTP proxy listen port. - ''; - }; - socksPort = mkOption { - type = types.int; - default = 4447; - description = '' - SOCKS proxy listen port. - ''; - }; - }; - - irc = { - host = mkOption { - type = types.str; - default = "127.0.0.1"; - description = '' - Address to forward incoming traffic to. 127.0.0.1 by default. - ''; - }; - dest = mkOption { - type = types.str; - default = "irc.postman.i2p"; - description = '' - Destination I2P tunnel endpoint address of IRC server. irc.postman.i2p by default. - ''; - }; - port = mkOption { - type = types.int; - default = 6668; - description = '' - Local IRC tunnel endoint port to listen on. 6668 by default. - ''; - }; - keyFile = mkOption { - type = types.str; - default = "privKeys.dat"; - description = '' - File name containing destination keys. privKeys.dat by default. - ''; - }; - }; - - eep = { - host = mkOption { - type = types.str; - default = "127.0.0.1"; - description = '' - Address to forward incoming traffic to. 127.0.0.1 by default. - ''; - }; - port = mkOption { - type = types.int; - default = 80; - description = '' - Port to forward incoming traffic to. 80 by default. - ''; - }; - keyFile = mkOption { - type = types.str; - default = "privKeys.dat"; - description = '' - File name containing destination keys. privKeys.dat by default. - ''; - }; - }; - - sam = { - port = mkOption { - type = with types; nullOr int; - default = null; - description = '' - Local SAM tunnel endpoint. Usually 7656. SAM is disabled if not specified. - ''; - }; - }; + proto.http = mkEndpointOpt "http" "127.0.0.1" 7070; + proto.sam = mkEndpointOpt "sam" "127.0.0.1" 7656; + proto.bob = mkEndpointOpt "bob" "127.0.0.1" 2827; + proto.i2pControl = mkEndpointOpt "i2pcontrol" "127.0.0.1" 7650; + proto.httpProxy = mkEndpointOpt "httpproxy" "127.0.0.1" 4446; + proto.socksProxy = mkEndpointOpt "socksproxy" "127.0.0.1" 4447; outTunnels = mkOption { default = {}; - type = with types; loaOf optionSet; - description = '' - ''; - options = [ ({ name, config, ... }: { - - options = { - name = mkOption { - type = types.str; - description = "The name of the tunnel."; - }; - destination = mkOption { - type = types.str; - description = "Remote endpoint, I2P hostname or b32.i2p address."; - }; - keys = mkOption { - type = types.str; - default = name + "-keys.dat"; - description = "Keyset used for tunnel identity."; - }; - address = mkOption { - type = types.str; - default = "127.0.0.1"; - description = "Local bind address for tunnel."; - }; - port = mkOption { - type = types.int; - default = 0; - description = "Local tunnel listen port."; - }; - }; - - config = { - name = mkDefault name; - }; - - }) ]; + type = with types; loaOf optionSet; + description = '' + Connect to someone as a client and establish a local accept endpoint + ''; + options = [ ({ name, config, ... }: { + options = commonTunOpts name; + config = { + name = mkDefault name; + }; + }) ]; }; inTunnels = mkOption { default = {}; - type = with types; loaOf optionSet; - description = '' - ''; - options = [ ({ name, config, ... }: { - - options = { - - name = mkOption { - type = types.str; - description = "The name of the tunnel."; - }; - keys = mkOption { - type = types.path; - default = name + "-keys.dat"; - description = "Keyset used for tunnel identity."; - }; - address = mkOption { - type = types.str; - default = "127.0.0.1"; - description = "Local service IP address."; - }; - port = mkOption { - type = types.int; - default = 0; - description = "Local tunnel listen port."; - }; - inPort = mkOption { - type = types.int; - default = 0; - description = "I2P service port. Default to the tunnel's listen port."; - }; - accessList = mkOption { - type = with types; listOf str; - default = []; - description = "I2P nodes that are allowed to connect to this service."; - }; - - }; - - config = { - name = mkDefault name; - }; - - }) ]; + type = with types; loaOf optionSet; + description = '' + Serve something on I2P network at port and delegate requests to address inPort. + ''; + options = [ ({ name, config, ... }: { + + options = { + inPort = mkOption { + type = types.int; + default = 0; + description = "Service port. Default to the tunnel's listen port."; + }; + accessList = mkOption { + type = with types; listOf str; + default = []; + description = "I2P nodes that are allowed to connect to this service."; + }; + } // commonTunOpts name; + + config = { + name = mkDefault name; + }; + + }) ]; }; }; }; diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 5baea4bc6ae..ba3efc8c0c2 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -52,6 +52,8 @@ let )); in listToAttrs (map mkAuthKeyFile usersWithKeys); + supportOldHostKeys = !versionAtLeast config.system.stateVersion "15.07"; + in { @@ -177,7 +179,7 @@ in default = [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; } { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ] ++ optionals (!versionAtLeast config.system.stateVersion "15.07") + ] ++ optionals supportOldHostKeys [ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; } { type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; } ]; @@ -347,6 +349,15 @@ in ${flip concatMapStrings cfg.hostKeys (k: '' HostKey ${k.path} '')} + + # Allow DSA client keys for now. (These were deprecated + # in OpenSSH 7.0.) + PubkeyAcceptedKeyTypes +ssh-dss + + # Re-enable DSA host keys for now. + ${optionalString supportOldHostKeys '' + HostKeyAlgorithms +ssh-dss + ''} ''; assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix index 34f4f6b37b6..9330e6c92ba 100644 --- a/nixos/modules/services/networking/tinc.nix +++ b/nixos/modules/services/networking/tinc.nix @@ -95,6 +95,16 @@ in ''; }; + chroot = mkOption { + default = true; + type = types.bool; + description = '' + Change process root directory to the directory where the config file is located (/etc/tinc/netname/), for added security. + The chroot is performed after all the initialization is done, after writing pid files and opening network sockets. + + Note that tinc can't run scripts anymore (such as tinc-down or host-up), unless it is setup to be runnable inside chroot environment. + ''; + }; }; }; }; @@ -166,7 +176,7 @@ in fi ''; script = '' - tincd -D -U tinc.${network} -n ${network} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel} + tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel} ''; }) ); diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix index be8f12ecd32..4dc0cd96904 100644 --- a/nixos/modules/services/networking/unifi.nix +++ b/nixos/modules/services/networking/unifi.nix @@ -61,6 +61,8 @@ in partOf = systemdMountPoints; bindsTo = systemdMountPoints; unitConfig.RequiresMountsFor = stateDir; + # This a HACK to fix missing dependencies of dynamic libs extracted from jars + environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc}/lib"; preStart = '' # Ensure privacy of state diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 1b655af6c82..1558c583289 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -8,11 +8,15 @@ let ${optionalString cfg.userControlled.enable '' ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=${cfg.userControlled.group} update_config=1''} - ${concatStringsSep "\n" (mapAttrsToList (ssid: networkConfig: '' + ${concatStringsSep "\n" (mapAttrsToList (ssid: networkConfig: let + psk = if networkConfig.psk != null + then ''"${networkConfig.psk}"'' + else networkConfig.pskRaw; + in '' network={ ssid="${ssid}" - ${optionalString (networkConfig.psk != null) ''psk="${networkConfig.psk}"''} - ${optionalString (networkConfig.psk == null) ''key_mgmt=NONE''} + ${optionalString (psk != null) ''psk=${psk}''} + ${optionalString (psk == null) ''key_mgmt=NONE''} } '') cfg.networks)} '' else "/etc/wpa_supplicant.conf"; @@ -49,6 +53,19 @@ in { Be aware that these will be written to the nix store in plaintext! + + Mutually exclusive with <varname>pskRaw</varname>. + ''; + }; + + pskRaw = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The network's pre-shared key in hex defaulting + to being a network without any authentication. + + Mutually exclusive with <varname>psk</varname>. ''; }; }; @@ -95,6 +112,11 @@ in { config = mkMerge [ (mkIf cfg.enable { + assertions = flip mapAttrsToList cfg.networks (name: cfg: { + assertion = cfg.psk == null || cfg.pskRaw == null; + message = ''networking.wireless."${name}".psk and networking.wireless."${name}".pskRaw are mutually exclusive''; + }); + environment.systemPackages = [ pkgs.wpa_supplicant ]; services.dbus.packages = [ pkgs.wpa_supplicant ]; |