diff options
Diffstat (limited to 'nixos/modules/services/networking')
138 files changed, 6110 insertions, 1491 deletions
diff --git a/nixos/modules/services/networking/adguardhome.nix b/nixos/modules/services/networking/adguardhome.nix new file mode 100644 index 00000000000..4388ef2b7e5 --- /dev/null +++ b/nixos/modules/services/networking/adguardhome.nix @@ -0,0 +1,78 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.adguardhome; + + args = concatStringsSep " " ([ + "--no-check-update" + "--pidfile /run/AdGuardHome/AdGuardHome.pid" + "--work-dir /var/lib/AdGuardHome/" + "--config /var/lib/AdGuardHome/AdGuardHome.yaml" + "--host ${cfg.host}" + "--port ${toString cfg.port}" + ] ++ cfg.extraArgs); + +in +{ + options.services.adguardhome = with types; { + enable = mkEnableOption "AdGuard Home network-wide ad blocker"; + + host = mkOption { + default = "0.0.0.0"; + type = str; + description = '' + Host address to bind HTTP server to. + ''; + }; + + port = mkOption { + default = 3000; + type = port; + description = '' + Port to serve HTTP pages on. + ''; + }; + + openFirewall = mkOption { + default = false; + type = bool; + description = '' + Open ports in the firewall for the AdGuard Home web interface. Does not + open the port needed to access the DNS resolver. + ''; + }; + + extraArgs = mkOption { + default = [ ]; + type = listOf str; + description = '' + Extra command line parameters to be passed to the adguardhome binary. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.adguardhome = { + description = "AdGuard Home: Network-level blocker"; + after = [ "syslog.target" "network.target" ]; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + StartLimitIntervalSec = 5; + StartLimitBurst = 10; + }; + serviceConfig = { + DynamicUser = true; + ExecStart = "${pkgs.adguardhome}/bin/adguardhome ${args}"; + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + Restart = "always"; + RestartSec = 10; + RuntimeDirectory = "AdGuardHome"; + StateDirectory = "AdGuardHome"; + }; + }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + }; +} diff --git a/nixos/modules/services/networking/amuled.nix b/nixos/modules/services/networking/amuled.nix index 1128ee2c3e6..39320643dd5 100644 --- a/nixos/modules/services/networking/amuled.nix +++ b/nixos/modules/services/networking/amuled.nix @@ -24,13 +24,15 @@ in }; dataDir = mkOption { - default = ''/home/${user}/''; + type = types.str; + default = "/home/${user}/"; description = '' The directory holding configuration, incoming and temporary files. ''; }; user = mkOption { + type = types.nullOr types.str; default = null; description = '' The user the AMule daemon should run as. diff --git a/nixos/modules/services/networking/autossh.nix b/nixos/modules/services/networking/autossh.nix index a8d9a027e9f..245f2bfc2cf 100644 --- a/nixos/modules/services/networking/autossh.nix +++ b/nixos/modules/services/networking/autossh.nix @@ -79,7 +79,7 @@ in systemd.services = - lib.fold ( s : acc : acc // + lib.foldr ( s : acc : acc // { "autossh-${s.name}" = let diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix index c876b252e8c..020a817f259 100644 --- a/nixos/modules/services/networking/avahi-daemon.nix +++ b/nixos/modules/services/networking/avahi-daemon.nix @@ -86,7 +86,8 @@ in ipv6 = mkOption { type = types.bool; - default = false; + default = config.networking.enableIPv6; + defaultText = "config.networking.enableIPv6"; description = "Whether to use IPv6."; }; @@ -239,8 +240,8 @@ in system.nssModules = optional cfg.nssmdns pkgs.nssmdns; system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [ - [ "mdns_minimal [NOTFOUND=return]" ] - (mkOrder 1501 [ "mdns" ]) # 1501 to ensure it's after dns + (mkBefore [ "mdns_minimal [NOTFOUND=return]" ]) # before resolve + (mkAfter [ "mdns" ]) # after dns ]); environment.systemPackages = [ pkgs.avahi ]; diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix index e62c74d0069..aae6f1498a4 100644 --- a/nixos/modules/services/networking/babeld.nix +++ b/nixos/modules/services/networking/babeld.nix @@ -19,7 +19,10 @@ let "interface ${name} ${paramsString interface}\n"; configFile = with cfg; pkgs.writeText "babeld.conf" ( - (optionalString (cfg.interfaceDefaults != null) '' + '' + skip-kernel-setup true + '' + + (optionalString (cfg.interfaceDefaults != null) '' default ${paramsString cfg.interfaceDefaults} '') + (concatMapStrings interfaceConfig (attrNames cfg.interfaces)) @@ -29,6 +32,8 @@ in { + meta.maintainers = with maintainers; [ hexa ]; + ###### interface options = { @@ -69,6 +74,7 @@ in extraConfig = mkOption { default = ""; + type = types.lines; description = '' Options that will be copied to babeld.conf. See <citerefentry><refentrytitle>babeld</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details. @@ -83,13 +89,56 @@ in config = mkIf config.services.babeld.enable { + boot.kernel.sysctl = { + "net.ipv6.conf.all.forwarding" = 1; + "net.ipv6.conf.all.accept_redirects" = 0; + "net.ipv4.conf.all.forwarding" = 1; + "net.ipv4.conf.all.rp_filter" = 0; + } // lib.mapAttrs' (ifname: _: lib.nameValuePair "net.ipv4.conf.${ifname}.rp_filter" (lib.mkDefault 0)) config.services.babeld.interfaces; + systemd.services.babeld = { description = "Babel routing daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile}"; + serviceConfig = { + ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state"; + AmbientCapabilities = [ "CAP_NET_ADMIN" ]; + CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]; + DevicePolicy = "closed"; + DynamicUser = true; + IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ]; + IPAddressDeny = "any"; + LockPersonality = true; + NoNewPrivileges = true; + MemoryDenyWriteExecute = true; + ProtectSystem = "strict"; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET6" "AF_INET" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + ProtectHome = true; + ProtectHostname = true; + ProtectProc = "invisible"; + PrivateMounts = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = false; # kernel_route(ADD): Operation not permitted + ProcSubset = "pid"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged @resources" + ]; + UMask = "0177"; + RuntimeDirectory = "babeld"; + StateDirectory = "babeld"; + }; }; - }; - } diff --git a/nixos/modules/services/networking/bee-clef.nix b/nixos/modules/services/networking/bee-clef.nix new file mode 100644 index 00000000000..719714b2898 --- /dev/null +++ b/nixos/modules/services/networking/bee-clef.nix @@ -0,0 +1,107 @@ +{ config, lib, pkgs, ... }: + +# NOTE for now nothing is installed into /etc/bee-clef/. the config files are used as read-only from the nix store. + +with lib; +let + cfg = config.services.bee-clef; +in { + meta = { + maintainers = with maintainers; [ attila-lendvai ]; + }; + + ### interface + + options = { + services.bee-clef = { + enable = mkEnableOption "clef external signer instance for Ethereum Swarm Bee"; + + dataDir = mkOption { + type = types.nullOr types.str; + default = "/var/lib/bee-clef"; + description = '' + Data dir for bee-clef. Beware that some helper scripts may not work when changed! + The service itself should work fine, though. + ''; + }; + + passwordFile = mkOption { + type = types.nullOr types.str; + default = "/var/lib/bee-clef/password"; + description = "Password file for bee-clef."; + }; + + user = mkOption { + type = types.str; + default = "bee-clef"; + description = '' + User the bee-clef daemon should execute under. + ''; + }; + + group = mkOption { + type = types.str; + default = "bee-clef"; + description = '' + Group the bee-clef daemon should execute under. + ''; + }; + }; + }; + + ### implementation + + config = mkIf cfg.enable { + # if we ever want to have rules.js under /etc/bee-clef/ + # environment.etc."bee-clef/rules.js".source = ${pkgs.bee-clef}/rules.js + + systemd.packages = [ pkgs.bee-clef ]; # include the upstream bee-clef.service file + + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}/' 0750 ${cfg.user} ${cfg.group}" + "d '${cfg.dataDir}/keystore' 0700 ${cfg.user} ${cfg.group}" + ]; + + systemd.services.bee-clef = { + path = [ + # these are needed for the ensure-clef-account script + pkgs.coreutils + pkgs.gnused + pkgs.gawk + ]; + + wantedBy = [ "bee.service" "multi-user.target" ]; + + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStartPre = ''${pkgs.bee-clef}/share/bee-clef/ensure-clef-account "${cfg.dataDir}" "${pkgs.bee-clef}/share/bee-clef/"''; + ExecStart = [ + "" # this hides/overrides what's in the original entry + "${pkgs.bee-clef}/share/bee-clef/bee-clef-service start" + ]; + ExecStop = [ + "" # this hides/overrides what's in the original entry + "${pkgs.bee-clef}/share/bee-clef/bee-clef-service stop" + ]; + Environment = [ + "CONFIGDIR=${cfg.dataDir}" + "PASSWORD_FILE=${cfg.passwordFile}" + ]; + }; + }; + + users.users = optionalAttrs (cfg.user == "bee-clef") { + bee-clef = { + group = cfg.group; + home = cfg.dataDir; + isSystemUser = true; + description = "Daemon user for the bee-clef service"; + }; + }; + + users.groups = optionalAttrs (cfg.group == "bee-clef") { + bee-clef = {}; + }; + }; +} diff --git a/nixos/modules/services/networking/bee.nix b/nixos/modules/services/networking/bee.nix new file mode 100644 index 00000000000..8a77ce23ab4 --- /dev/null +++ b/nixos/modules/services/networking/bee.nix @@ -0,0 +1,149 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.bee; + format = pkgs.formats.yaml {}; + configFile = format.generate "bee.yaml" cfg.settings; +in { + meta = { + # doc = ./bee.xml; + maintainers = with maintainers; [ attila-lendvai ]; + }; + + ### interface + + options = { + services.bee = { + enable = mkEnableOption "Ethereum Swarm Bee"; + + package = mkOption { + type = types.package; + default = pkgs.bee; + defaultText = "pkgs.bee"; + example = "pkgs.bee-unstable"; + description = "The package providing the bee binary for the service."; + }; + + settings = mkOption { + type = format.type; + description = '' + Ethereum Swarm Bee configuration. Refer to + <link xlink:href="https://gateway.ethswarm.org/bzz/docs.swarm.eth/docs/installation/configuration/"/> + for details on supported values. + ''; + }; + + daemonNiceLevel = mkOption { + type = types.int; + default = 0; + description = '' + Daemon process priority for bee. + 0 is the default Unix process priority, 19 is the lowest. + ''; + }; + + user = mkOption { + type = types.str; + default = "bee"; + description = '' + User the bee binary should execute under. + ''; + }; + + group = mkOption { + type = types.str; + default = "bee"; + description = '' + Group the bee binary should execute under. + ''; + }; + }; + }; + + ### implementation + + config = mkIf cfg.enable { + assertions = [ + { assertion = (hasAttr "password" cfg.settings) != true; + message = '' + `services.bee.settings.password` is insecure. Use `services.bee.settings.password-file` or `systemd.services.bee.serviceConfig.EnvironmentFile` instead. + ''; + } + { assertion = (hasAttr "swap-endpoint" cfg.settings) || (cfg.settings.swap-enable or true == false); + message = '' + In a swap-enabled network a working Ethereum blockchain node is required. You must specify one using `services.bee.settings.swap-endpoint`, or disable `services.bee.settings.swap-enable` = false. + ''; + } + ]; + + warnings = optional (! config.services.bee-clef.enable) "The bee service requires an external signer. Consider setting `config.services.bee-clef.enable` = true"; + + services.bee.settings = { + data-dir = lib.mkDefault "/var/lib/bee"; + password-file = lib.mkDefault "/var/lib/bee/password"; + clef-signer-enable = lib.mkDefault true; + clef-signer-endpoint = lib.mkDefault "/var/lib/bee-clef/clef.ipc"; + swap-endpoint = lib.mkDefault "https://rpc.slock.it/goerli"; + }; + + systemd.packages = [ cfg.package ]; # include the upstream bee.service file + + systemd.tmpfiles.rules = [ + "d '${cfg.settings.data-dir}' 0750 ${cfg.user} ${cfg.group}" + ]; + + systemd.services.bee = { + requires = optional config.services.bee-clef.enable + "bee-clef.service"; + + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Nice = cfg.daemonNiceLevel; + User = cfg.user; + Group = cfg.group; + ExecStart = [ + "" # this hides/overrides what's in the original entry + "${cfg.package}/bin/bee --config=${configFile} start" + ]; + }; + + preStart = with cfg.settings; '' + if ! test -f ${password-file}; then + < /dev/urandom tr -dc _A-Z-a-z-0-9 2> /dev/null | head -c32 > ${password-file} + chmod 0600 ${password-file} + echo "Initialized ${password-file} from /dev/urandom" + fi + if [ ! -f ${data-dir}/keys/libp2p.key ]; then + ${cfg.package}/bin/bee init --config=${configFile} >/dev/null + echo " +Logs: journalctl -f -u bee.service + +Bee has SWAP enabled by default and it needs ethereum endpoint to operate. +It is recommended to use external signer with bee. +Check documentation for more info: +- SWAP https://docs.ethswarm.org/docs/installation/manual#swap-bandwidth-incentives +- External signer https://docs.ethswarm.org/docs/installation/bee-clef + +After you finish configuration run 'sudo bee-get-addr'." + fi + ''; + }; + + users.users = optionalAttrs (cfg.user == "bee") { + bee = { + group = cfg.group; + home = cfg.settings.data-dir; + isSystemUser = true; + description = "Daemon user for Ethereum Swarm Bee"; + extraGroups = optional config.services.bee-clef.enable + config.services.bee-clef.group; + }; + }; + + users.groups = optionalAttrs (cfg.group == "bee") { + bee = {}; + }; + }; +} diff --git a/nixos/modules/services/networking/biboumi.nix b/nixos/modules/services/networking/biboumi.nix new file mode 100644 index 00000000000..66ddca93d81 --- /dev/null +++ b/nixos/modules/services/networking/biboumi.nix @@ -0,0 +1,269 @@ +{ config, lib, pkgs, options, ... }: +with lib; +let + cfg = config.services.biboumi; + inherit (config.environment) etc; + rootDir = "/run/biboumi/mnt-root"; + stateDir = "/var/lib/biboumi"; + settingsFile = pkgs.writeText "biboumi.cfg" ( + generators.toKeyValue { + mkKeyValue = k: v: + if v == null then "" + else generators.mkKeyValueDefault {} "=" k v; + } cfg.settings); + need_CAP_NET_BIND_SERVICE = cfg.settings.identd_port != 0 && cfg.settings.identd_port < 1024; +in +{ + options = { + services.biboumi = { + enable = mkEnableOption "the Biboumi XMPP gateway to IRC"; + + settings = mkOption { + description = '' + See <link xlink:href="https://lab.louiz.org/louiz/biboumi/blob/8.5/doc/biboumi.1.rst">biboumi 8.5</link> + for documentation. + ''; + default = {}; + type = types.submodule { + freeformType = with types; + (attrsOf (nullOr (oneOf [str int bool]))) // { + description = "settings option"; + }; + options.admin = mkOption { + type = with types; listOf str; + default = []; + example = ["admin@example.org"]; + apply = concatStringsSep ":"; + description = '' + The bare JID of the gateway administrator. This JID will have more + privileges than other standard users, for example some administration + ad-hoc commands will only be available to that JID. + ''; + }; + options.ca_file = mkOption { + type = types.path; + default = "/etc/ssl/certs/ca-certificates.crt"; + description = '' + Specifies which file should be used as the list of trusted CA + when negociating a TLS session. + ''; + }; + options.db_name = mkOption { + type = with types; either path str; + default = "${stateDir}/biboumi.sqlite"; + description = '' + The name of the database to use. + ''; + example = "postgresql://user:secret@localhost"; + }; + options.hostname = mkOption { + type = types.str; + example = "biboumi.example.org"; + description = '' + The hostname served by the XMPP gateway. + This domain must be configured in the XMPP server + as an external component. + ''; + }; + options.identd_port = mkOption { + type = types.port; + default = 113; + example = 0; + description = '' + The TCP port on which to listen for identd queries. + ''; + }; + options.log_level = mkOption { + type = types.ints.between 0 3; + default = 1; + description = '' + Indicate what type of log messages to write in the logs. + 0 is debug, 1 is info, 2 is warning, 3 is error. + ''; + }; + options.password = mkOption { + type = with types; nullOr str; + description = '' + The password used to authenticate the XMPP component to your XMPP server. + This password must be configured in the XMPP server, + associated with the external component on + <link linkend="opt-services.biboumi.settings.hostname">hostname</link>. + + Set it to null and use <link linkend="opt-services.biboumi.credentialsFile">credentialsFile</link> + if you do not want this password to go into the Nix store. + ''; + }; + options.persistent_by_default = mkOption { + type = types.bool; + default = false; + description = '' + Whether all rooms will be persistent by default: + the value of the “persistent” option in the global configuration of each + user will be “true”, but the value of each individual room will still + default to false. This means that a user just needs to change the global + “persistent” configuration option to false in order to override this. + ''; + }; + options.policy_directory = mkOption { + type = types.path; + default = "${pkgs.biboumi}/etc/biboumi"; + description = '' + A directory that should contain the policy files, + used to customize Botan’s behaviour + when negociating the TLS connections with the IRC servers. + ''; + }; + options.port = mkOption { + type = types.port; + default = 5347; + description = '' + The TCP port to use to connect to the local XMPP component. + ''; + }; + options.realname_customization = mkOption { + type = types.bool; + default = true; + description = '' + Whether the users will be able to use + the ad-hoc commands that lets them configure + their realname and username. + ''; + }; + options.realname_from_jid = mkOption { + type = types.bool; + default = false; + description = '' + Whether the realname and username of each biboumi + user will be extracted from their JID. + Otherwise they will be set to the nick + they used to connect to the IRC server. + ''; + }; + options.xmpp_server_ip = mkOption { + type = types.str; + default = "127.0.0.1"; + description = '' + The IP address to connect to the XMPP server on. + The connection to the XMPP server is unencrypted, + so the biboumi instance and the server should + normally be on the same host. + ''; + }; + }; + }; + + credentialsFile = mkOption { + type = types.path; + description = '' + Path to a configuration file to be merged with the settings. + Beware not to surround "=" with spaces when setting biboumi's options in this file. + Useful to merge a file which is better kept out of the Nix store + because it contains sensible data like + <link linkend="opt-services.biboumi.settings.password">password</link>. + ''; + default = "/dev/null"; + example = "/run/keys/biboumi.cfg"; + }; + + openFirewall = mkEnableOption "opening of the identd port in the firewall"; + }; + }; + + config = mkIf cfg.enable { + networking.firewall = mkIf (cfg.openFirewall && cfg.settings.identd_port != 0) + { allowedTCPPorts = [ cfg.settings.identd_port ]; }; + + systemd.services.biboumi = { + description = "Biboumi, XMPP to IRC gateway"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "notify"; + # Biboumi supports systemd's watchdog. + WatchdogSec = 20; + Restart = "always"; + # Use "+" because credentialsFile may not be accessible to User= or Group=. + ExecStartPre = [("+" + pkgs.writeShellScript "biboumi-prestart" '' + set -eux + cat ${settingsFile} '${cfg.credentialsFile}' | + install -m 644 /dev/stdin /run/biboumi/biboumi.cfg + '')]; + ExecStart = "${pkgs.biboumi}/bin/biboumi /run/biboumi/biboumi.cfg"; + ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID"; + # Firewalls needing opening for output connections can still do that + # selectively for biboumi with: + # users.users.biboumi.isSystemUser = true; + # and, for example: + # networking.nftables.ruleset = '' + # add rule inet filter output meta skuid biboumi tcp accept + # ''; + DynamicUser = true; + RootDirectory = rootDir; + RootDirectoryStartOnly = true; + InaccessiblePaths = [ "-+${rootDir}" ]; + RuntimeDirectory = [ "biboumi" (removePrefix "/run/" rootDir) ]; + RuntimeDirectoryMode = "700"; + StateDirectory = "biboumi"; + StateDirectoryMode = "700"; + MountAPIVFS = true; + UMask = "0066"; + BindPaths = [ + stateDir + # This is for Type="notify" + # See https://github.com/systemd/systemd/issues/3544 + "/run/systemd/notify" + "/run/systemd/journal/socket" + ]; + BindReadOnlyPaths = [ + builtins.storeDir + "/etc" + ]; + # The following options are only for optimizing: + # systemd-analyze security biboumi + AmbientCapabilities = [ (optionalString need_CAP_NET_BIND_SERVICE "CAP_NET_BIND_SERVICE") ]; + CapabilityBoundingSet = [ (optionalString need_CAP_NET_BIND_SERVICE "CAP_NET_BIND_SERVICE") ]; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateNetwork = mkDefault false; + PrivateTmp = true; + # PrivateUsers=true breaks AmbientCapabilities=CAP_NET_BIND_SERVICE + # See https://bugs.archlinux.org/task/65921 + PrivateUsers = !need_CAP_NET_BIND_SERVICE; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + RemoveIPC = true; + # AF_UNIX is for /run/systemd/notify + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallFilter = [ + "@system-service" + # Groups in @system-service which do not contain a syscall + # listed by perf stat -e 'syscalls:sys_enter_*' biboumi biboumi.cfg + # in tests, and seem likely not necessary for biboumi. + # To run such a perf in ExecStart=, you have to: + # - AmbientCapabilities="CAP_SYS_ADMIN" + # - mount -o remount,mode=755 /sys/kernel/debug/{,tracing} + "~@aio" "~@chown" "~@ipc" "~@keyring" "~@resources" "~@setuid" "~@timer" + ]; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + }; + }; + }; + + meta.maintainers = with maintainers; [ julm ]; +} diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix index faad8863575..480d5a184f2 100644 --- a/nixos/modules/services/networking/bind.nix +++ b/nixos/modules/services/networking/bind.nix @@ -6,8 +6,44 @@ let cfg = config.services.bind; + bindPkg = config.services.bind.package; + bindUser = "named"; + bindZoneCoerce = list: builtins.listToAttrs (lib.forEach list (zone: { name = zone.name; value = zone; })); + + bindZoneOptions = { name, config, ... }: { + options = { + name = mkOption { + type = types.str; + default = name; + description = "Name of the zone."; + }; + master = mkOption { + description = "Master=false means slave server"; + type = types.bool; + }; + file = mkOption { + type = types.either types.str types.path; + description = "Zone file resource records contain columns of data, separated by whitespace, that define the record."; + }; + masters = mkOption { + type = types.listOf types.str; + description = "List of servers for inclusion in stub and secondary zones."; + }; + slaves = mkOption { + type = types.listOf types.str; + description = "Addresses who may request zone transfers."; + default = [ ]; + }; + extraConfig = mkOption { + type = types.str; + description = "Extra zone config to be appended at the end of the zone section."; + default = ""; + }; + }; + }; + confFile = pkgs.writeText "named.conf" '' include "/etc/bind/rndc.key"; @@ -25,7 +61,7 @@ let blackhole { badnetworks; }; forward first; forwarders { ${concatMapStrings (entry: " ${entry}; ") cfg.forwarders} }; - directory "/run/named"; + directory "${cfg.directory}"; pid-file "/run/named/named.pid"; ${cfg.extraOptions} }; @@ -55,7 +91,7 @@ let ${extraConfig} }; '') - cfg.zones } + (attrValues cfg.zones) } ''; in @@ -70,8 +106,17 @@ in enable = mkEnableOption "BIND domain name server"; + + package = mkOption { + type = types.package; + default = pkgs.bind; + defaultText = "pkgs.bind"; + description = "The BIND package to use."; + }; + cacheNetworks = mkOption { - default = ["127.0.0.0/24"]; + default = [ "127.0.0.0/24" ]; + type = types.listOf types.str; description = " What networks are allowed to use us as a resolver. Note that this is for recursive queries -- all networks are @@ -82,7 +127,8 @@ in }; blockedNetworks = mkOption { - default = []; + default = [ ]; + type = types.listOf types.str; description = " What networks are just blocked. "; @@ -90,6 +136,7 @@ in ipv4Only = mkOption { default = false; + type = types.bool; description = " Only use ipv4, even if the host supports ipv6. "; @@ -97,13 +144,14 @@ in forwarders = mkOption { default = config.networking.nameservers; + type = types.listOf types.str; description = " List of servers we should forward requests to. "; }; listenOn = mkOption { - default = ["any"]; + default = [ "any" ]; type = types.listOf types.str; description = " Interfaces to listen on. @@ -111,28 +159,34 @@ in }; listenOnIpv6 = mkOption { - default = ["any"]; + default = [ "any" ]; type = types.listOf types.str; description = " Ipv6 interfaces to listen on. "; }; + directory = mkOption { + type = types.str; + default = "/run/named"; + description = "Working directory of BIND."; + }; + zones = mkOption { - default = []; + default = [ ]; + type = with types; coercedTo (listOf attrs) bindZoneCoerce (attrsOf (types.submodule bindZoneOptions)); description = " List of zones we claim authority over. - master=false means slave server; slaves means addresses - who may request zone transfer. "; - example = [{ - name = "example.com"; - master = false; - file = "/var/dns/example.com"; - masters = ["192.168.0.1"]; - slaves = []; - extraConfig = ""; - }]; + example = { + "example.com" = { + master = false; + file = "/var/dns/example.com"; + masters = [ "192.168.0.1" ]; + slaves = [ ]; + extraConfig = ""; + }; + }; }; extraConfig = mkOption { @@ -174,7 +228,8 @@ in networking.resolvconf.useLocalResolver = mkDefault true; users.users.${bindUser} = - { uid = config.ids.uids.bind; + { + uid = config.ids.uids.bind; description = "BIND daemon user"; }; @@ -186,17 +241,20 @@ in preStart = '' mkdir -m 0755 -p /etc/bind if ! [ -f "/etc/bind/rndc.key" ]; then - ${pkgs.bind.out}/sbin/rndc-confgen -c /etc/bind/rndc.key -u ${bindUser} -a -A hmac-sha256 2>/dev/null + ${bindPkg.out}/sbin/rndc-confgen -c /etc/bind/rndc.key -u ${bindUser} -a -A hmac-sha256 2>/dev/null fi ${pkgs.coreutils}/bin/mkdir -p /run/named chown ${bindUser} /run/named + + ${pkgs.coreutils}/bin/mkdir -p ${cfg.directory} + chown ${bindUser} ${cfg.directory} ''; serviceConfig = { - ExecStart = "${pkgs.bind.out}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; - ExecReload = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' reload"; - ExecStop = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' stop"; + ExecStart = "${bindPkg.out}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; + ExecReload = "${bindPkg.out}/sbin/rndc -k '/etc/bind/rndc.key' reload"; + ExecStop = "${bindPkg.out}/sbin/rndc -k '/etc/bind/rndc.key' stop"; }; unitConfig.Documentation = "man:named(8)"; diff --git a/nixos/modules/services/networking/bird.nix b/nixos/modules/services/networking/bird.nix index 4ae35875c0f..1923afdf83f 100644 --- a/nixos/modules/services/networking/bird.nix +++ b/nixos/modules/services/networking/bird.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: let - inherit (lib) mkEnableOption mkIf mkOption types; + inherit (lib) mkEnableOption mkIf mkOption optionalString types; generic = variant: let @@ -26,6 +26,14 @@ let <link xlink:href='http://bird.network.cz/'/> ''; }; + checkConfig = mkOption { + type = types.bool; + default = true; + description = '' + Whether the config should be checked at build time. + Disabling this might become necessary if the config includes files not present during build time. + ''; + }; }; }; @@ -36,7 +44,7 @@ let environment.etc."bird/${variant}.conf".source = pkgs.writeTextFile { name = "${variant}.conf"; text = cfg.config; - checkPhase = '' + checkPhase = optionalString cfg.checkConfig '' ${pkg}/bin/${birdBin} -d -p -c $out ''; }; @@ -50,7 +58,7 @@ let Type = "forking"; Restart = "on-failure"; ExecStart = "${pkg}/bin/${birdBin} -c /etc/bird/${variant}.conf -u ${variant} -g ${variant}"; - ExecReload = "${pkg}/bin/${birdc} configure"; + ExecReload = "/bin/sh -c '${pkg}/bin/${birdBin} -c /etc/bird/${variant}.conf -p && ${pkg}/bin/${birdc} configure'"; ExecStop = "${pkg}/bin/${birdc} down"; CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" "CAP_SETUID" "CAP_SETGID" # see bird/sysdep/linux/syspriv.h @@ -65,6 +73,7 @@ let users.${variant} = { description = "BIRD Internet Routing Daemon user"; group = variant; + isSystemUser = true; }; groups.${variant} = {}; }; diff --git a/nixos/modules/services/networking/bitlbee.nix b/nixos/modules/services/networking/bitlbee.nix index 9ebf382fce4..59ad9e54686 100644 --- a/nixos/modules/services/networking/bitlbee.nix +++ b/nixos/modules/services/networking/bitlbee.nix @@ -58,6 +58,7 @@ in }; interface = mkOption { + type = types.str; default = "127.0.0.1"; description = '' The interface the BitlBee deamon will be listening to. If `127.0.0.1', @@ -68,6 +69,7 @@ in portNumber = mkOption { default = 6667; + type = types.int; description = '' Number of the port BitlBee will be listening to. ''; @@ -142,6 +144,7 @@ in extraSettings = mkOption { default = ""; + type = types.lines; description = '' Will be inserted in the Settings section of the config file. ''; @@ -149,6 +152,7 @@ in extraDefaults = mkOption { default = ""; + type = types.lines; description = '' Will be inserted in the Default section of the config file. ''; diff --git a/nixos/modules/services/networking/blockbook-frontend.nix b/nixos/modules/services/networking/blockbook-frontend.nix index dde24522756..ca323e495ec 100644 --- a/nixos/modules/services/networking/blockbook-frontend.nix +++ b/nixos/modules/services/networking/blockbook-frontend.nix @@ -158,15 +158,21 @@ let type = types.attrs; default = {}; example = literalExample '' { - alternative_estimate_fee = "whatthefee-disabled"; - alternative_estimate_fee_params = "{\"url\": \"https://whatthefee.io/data.json\", \"periodSeconds\": 60}"; - fiat_rates = "coingecko"; - fiat_rates_params = "{\"url\": \"https://api.coingecko.com/api/v3\", \"coin\": \"bitcoin\", \"periodSeconds\": 60}"; - coin_shortcut = "BTC"; - coin_label = "Bitcoin"; - xpub_magic = 76067358; - xpub_magic_segwit_p2sh = 77429938; - xpub_magic_segwit_native = 78792518; + "alternative_estimate_fee" = "whatthefee-disabled"; + "alternative_estimate_fee_params" = "{\"url\": \"https://whatthefee.io/data.json\", \"periodSeconds\": 60}"; + "fiat_rates" = "coingecko"; + "fiat_rates_params" = "{\"url\": \"https://api.coingecko.com/api/v3\", \"coin\": \"bitcoin\", \"periodSeconds\": 60}"; + "coin_shortcut" = "BTC"; + "coin_label" = "Bitcoin"; + "parse" = true; + "subversion" = ""; + "address_format" = ""; + "xpub_magic" = 76067358; + "xpub_magic_segwit_p2sh" = 77429938; + "xpub_magic_segwit_native" = 78792518; + "mempool_workers" = 8; + "mempool_sub_workers" = 2; + "block_addresses_to_keep" = 300; }''; description = '' Additional configurations to be appended to <filename>coin.conf</filename>. diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix index 5f8ac96b229..f1a504b3e3f 100644 --- a/nixos/modules/services/networking/cjdns.nix +++ b/nixos/modules/services/networking/cjdns.nix @@ -12,8 +12,18 @@ let { ... }: { options = { password = mkOption { - type = types.str; - description = "Authorized password to the opposite end of the tunnel."; + type = types.str; + description = "Authorized password to the opposite end of the tunnel."; + }; + login = mkOption { + default = ""; + type = types.str; + description = "(optional) name your peer has for you"; + }; + peerName = mkOption { + default = ""; + type = types.str; + description = "(optional) human-readable name for peer"; }; publicKey = mkOption { type = types.str; @@ -245,7 +255,7 @@ in fi if [ -z "$CJDNS_ADMIN_PASSWORD" ]; then - echo "CJDNS_ADMIN_PASSWORD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 96)" \ + echo "CJDNS_ADMIN_PASSWORD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 32)" \ >> /etc/cjdns.keys fi ''; @@ -264,10 +274,10 @@ in '' ); + startLimitIntervalSec = 0; serviceConfig = { Type = "forking"; Restart = "always"; - StartLimitInterval = 0; RestartSec = 1; CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID"; ProtectSystem = true; diff --git a/nixos/modules/services/networking/cntlm.nix b/nixos/modules/services/networking/cntlm.nix index 5b5068e43d7..eea28e12ce0 100644 --- a/nixos/modules/services/networking/cntlm.nix +++ b/nixos/modules/services/networking/cntlm.nix @@ -36,19 +36,21 @@ in enable = mkEnableOption "cntlm, which starts a local proxy"; username = mkOption { + type = types.str; description = '' Proxy account name, without the possibility to include domain name ('at' sign is interpreted literally). ''; }; domain = mkOption { - description = ''Proxy account domain/workgroup name.''; + type = types.str; + description = "Proxy account domain/workgroup name."; }; password = mkOption { default = "/etc/cntlm.password"; type = types.str; - description = ''Proxy account password. Note: use chmod 0600 on /etc/cntlm.password for security.''; + description = "Proxy account password. Note: use chmod 0600 on /etc/cntlm.password for security."; }; netbios_hostname = mkOption { @@ -60,6 +62,7 @@ in }; proxy = mkOption { + type = types.listOf types.str; description = '' A list of NTLM/NTLMv2 authenticating HTTP proxies. @@ -75,11 +78,13 @@ in A list of domains where the proxy is skipped. ''; default = []; + type = types.listOf types.str; example = [ "*.example.com" "example.com" ]; }; port = mkOption { default = [3128]; + type = types.listOf types.port; description = "Specifies on which ports the cntlm daemon listens."; }; diff --git a/nixos/modules/services/networking/connman.nix b/nixos/modules/services/networking/connman.nix index 6ccc2dffb26..11f66b05df1 100644 --- a/nixos/modules/services/networking/connman.nix +++ b/nixos/modules/services/networking/connman.nix @@ -42,8 +42,7 @@ in { extraConfig = mkOption { type = types.lines; - default = '' - ''; + default = ""; description = '' Configuration lines appended to the generated connman configuration file. ''; diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix index f7d2afead06..ae7998913ee 100644 --- a/nixos/modules/services/networking/consul.nix +++ b/nixos/modules/services/networking/consul.nix @@ -99,6 +99,7 @@ in extraConfig = mkOption { default = { }; + type = types.attrsOf types.anything; description = '' Extra configuration options which are serialized to json and added to the config.json file. @@ -190,7 +191,7 @@ in ExecStop = "${cfg.package}/bin/consul leave"; }); - path = with pkgs; [ iproute gnugrep gawk consul ]; + path = with pkgs; [ iproute2 gnugrep gawk consul ]; preStart = '' mkdir -m 0700 -p ${dataDir} chown -R consul ${dataDir} diff --git a/nixos/modules/services/networking/corerad.nix b/nixos/modules/services/networking/corerad.nix index d90a5923bc6..e76ba9a2d00 100644 --- a/nixos/modules/services/networking/corerad.nix +++ b/nixos/modules/services/networking/corerad.nix @@ -4,13 +4,7 @@ with lib; let cfg = config.services.corerad; - - writeTOML = name: x: - pkgs.runCommandNoCCLocal name { - passAsFile = ["config"]; - config = builtins.toJSON x; - buildInputs = [ pkgs.go-toml ]; - } "jsontoml < $configPath > $out"; + settingsFormat = pkgs.formats.toml {}; in { meta.maintainers = with maintainers; [ mdlayher ]; @@ -19,7 +13,7 @@ in { enable = mkEnableOption "CoreRAD IPv6 NDP RA daemon"; settings = mkOption { - type = types.uniq types.attrs; + type = settingsFormat.type; example = literalExample '' { interfaces = [ @@ -43,7 +37,7 @@ in { } ''; description = '' - Configuration for CoreRAD, see <link xlink:href="https://github.com/mdlayher/corerad/blob/master/internal/config/default.toml"/> + Configuration for CoreRAD, see <link xlink:href="https://github.com/mdlayher/corerad/blob/main/internal/config/reference.toml"/> for supported values. Ignored if configFile is set. ''; }; @@ -64,7 +58,7 @@ in { config = mkIf cfg.enable { # Prefer the config file over settings if both are set. - services.corerad.configFile = mkDefault (writeTOML "corerad.toml" cfg.settings); + services.corerad.configFile = mkDefault (settingsFormat.generate "corerad.toml" cfg.settings); systemd.services.corerad = { description = "CoreRAD IPv6 NDP RA daemon"; diff --git a/nixos/modules/services/networking/coturn.nix b/nixos/modules/services/networking/coturn.nix index 1bfbc307c59..5f7d2893ae2 100644 --- a/nixos/modules/services/networking/coturn.nix +++ b/nixos/modules/services/networking/coturn.nix @@ -16,6 +16,7 @@ ${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"} ${lib.optionalString cfg.no-auth "no-auth"} ${lib.optionalString cfg.use-auth-secret "use-auth-secret"} ${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")} +${lib.optionalString (cfg.static-auth-secret-file != null) ("static-auth-secret=#static-auth-secret#")} realm=${cfg.realm} ${lib.optionalString cfg.no-udp "no-udp"} ${lib.optionalString cfg.no-tcp "no-tcp"} @@ -182,6 +183,13 @@ in { by a separate program, so this is why that other mode is 'dynamic'. ''; }; + static-auth-secret-file = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Path to the file containing the static authentication secret. + ''; + }; realm = mkOption { type = types.str; default = config.networking.hostName; @@ -293,42 +301,63 @@ in { }; }; - config = mkIf cfg.enable { - users.users.turnserver = - { uid = config.ids.uids.turnserver; - description = "coturn TURN server user"; - }; - users.groups.turnserver = - { gid = config.ids.gids.turnserver; - members = [ "turnserver" ]; - }; + config = mkIf cfg.enable (mkMerge ([ + { assertions = [ + { assertion = cfg.static-auth-secret != null -> cfg.static-auth-secret-file == null ; + message = "static-auth-secret and static-auth-secret-file cannot be set at the same time"; + } + ];} - systemd.services.coturn = { - description = "coturn TURN server"; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; + { + users.users.turnserver = + { uid = config.ids.uids.turnserver; + description = "coturn TURN server user"; + }; + users.groups.turnserver = + { gid = config.ids.gids.turnserver; + members = [ "turnserver" ]; + }; - unitConfig = { - Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)"; - }; + systemd.services.coturn = let + runConfig = "/run/coturn/turnserver.cfg"; + in { + description = "coturn TURN server"; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.coturn}/bin/turnserver -c ${configFile}"; - RuntimeDirectory = "turnserver"; - User = "turnserver"; - Group = "turnserver"; - AmbientCapabilities = - mkIf ( - cfg.listening-port < 1024 || - cfg.alt-listening-port < 1024 || - cfg.tls-listening-port < 1024 || - cfg.alt-tls-listening-port < 1024 || - cfg.min-port < 1024 - ) "cap_net_bind_service"; - Restart = "on-abort"; - }; - }; - }; + unitConfig = { + Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)"; + }; + + preStart = '' + cat ${configFile} > ${runConfig} + ${optionalString (cfg.static-auth-secret-file != null) '' + STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)" + sed -e "s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \ + -i ${runConfig} + '' } + chmod 640 ${runConfig} + ''; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.coturn}/bin/turnserver -c ${runConfig}"; + RuntimeDirectory = "turnserver"; + User = "turnserver"; + Group = "turnserver"; + AmbientCapabilities = + mkIf ( + cfg.listening-port < 1024 || + cfg.alt-listening-port < 1024 || + cfg.tls-listening-port < 1024 || + cfg.alt-tls-listening-port < 1024 || + cfg.min-port < 1024 + ) "cap_net_bind_service"; + Restart = "on-abort"; + }; + }; + systemd.tmpfiles.rules = [ + "d /run/coturn 0700 turnserver turnserver - -" + ]; + }])); } diff --git a/nixos/modules/services/networking/croc.nix b/nixos/modules/services/networking/croc.nix new file mode 100644 index 00000000000..9466adf71d8 --- /dev/null +++ b/nixos/modules/services/networking/croc.nix @@ -0,0 +1,86 @@ +{ config, lib, pkgs, ... }: +let + inherit (lib) types; + cfg = config.services.croc; + rootDir = "/run/croc"; +in +{ + options.services.croc = { + enable = lib.mkEnableOption "croc relay"; + ports = lib.mkOption { + type = with types; listOf port; + default = [9009 9010 9011 9012 9013]; + description = "Ports of the relay."; + }; + pass = lib.mkOption { + type = with types; either path str; + default = "pass123"; + description = "Password or passwordfile for the relay."; + }; + openFirewall = lib.mkEnableOption "opening of the peer port(s) in the firewall"; + debug = lib.mkEnableOption "debug logs"; + }; + + config = lib.mkIf cfg.enable { + systemd.services.croc = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.croc}/bin/croc --pass '${cfg.pass}' ${lib.optionalString cfg.debug "--debug"} relay --ports ${lib.concatMapStringsSep "," toString cfg.ports}"; + # The following options are only for optimizing: + # systemd-analyze security croc + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + DynamicUser = true; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + LockPersonality = true; + MemoryDenyWriteExecute = true; + MountAPIVFS = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateNetwork = lib.mkDefault false; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "noaccess"; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RootDirectory = rootDir; + # Avoid mounting rootDir in the own rootDir of ExecStart='s mount namespace. + InaccessiblePaths = [ "-+${rootDir}" ]; + BindReadOnlyPaths = [ + builtins.storeDir + ] ++ lib.optional (types.path.check cfg.pass) cfg.pass; + # This is for BindReadOnlyPaths= + # to allow traversal of directories they create in RootDirectory=. + UMask = "0066"; + # Create rootDir in the host's mount namespace. + RuntimeDirectory = [(baseNameOf rootDir)]; + RuntimeDirectoryMode = "700"; + SystemCallFilter = [ + "@system-service" + "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@setuid" "~@sync" "~@timer" + ]; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + }; + }; + + networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall cfg.ports; + }; + + meta.maintainers = with lib.maintainers; [ hax404 julm ]; +} diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix index 053efe71270..7820eedd932 100644 --- a/nixos/modules/services/networking/ddclient.nix +++ b/nixos/modules/services/networking/ddclient.nix @@ -18,6 +18,7 @@ let ${lib.optionalString (cfg.zone != "") "zone=${cfg.zone}"} ssl=${boolToStr cfg.ssl} wildcard=YES + ipv6=${boolToStr cfg.ipv6} quiet=${boolToStr cfg.quiet} verbose=${boolToStr cfg.verbose} ${cfg.extraConfig} @@ -116,7 +117,15 @@ with lib; default = true; type = bool; description = '' - Whether to use to use SSL/TLS to connect to dynamic DNS provider. + Whether to use SSL/TLS to connect to dynamic DNS provider. + ''; + }; + + ipv6 = mkOption { + default = false; + type = bool; + description = '' + Whether to use IPv6. ''; }; diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix index 0507b739d49..31e4b6ad298 100644 --- a/nixos/modules/services/networking/dhcpcd.nix +++ b/nixos/modules/services/networking/dhcpcd.nix @@ -69,6 +69,11 @@ let if-carrier-up = ""; }.${cfg.wait}} + ${optionalString (config.networking.enableIPv6 == false) '' + # Don't solicit or accept IPv6 Router Advertisements and DHCPv6 if disabled IPv6 + noipv6 + ''} + ${cfg.extraConfig} ''; @@ -186,9 +191,8 @@ in { description = "DHCP Client"; wantedBy = [ "multi-user.target" ] ++ optional (!hasDefaultGatewaySet) "network-online.target"; - wants = [ "network.target" "systemd-udev-settle.service" ]; + wants = [ "network.target" ]; before = [ "network-online.target" ]; - after = [ "systemd-udev-settle.service" ]; restartTriggers = [ exitHook ]; diff --git a/nixos/modules/services/networking/dnscrypt-proxy2.nix b/nixos/modules/services/networking/dnscrypt-proxy2.nix index 28691e83827..72965c267a8 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy2.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy2.nix @@ -11,7 +11,7 @@ in settings = mkOption { description = '' Attrset that is converted and passed as TOML config file. - For available params, see: <link xlink:href="https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml"/> + For available params, see: <link xlink:href="https://github.com/DNSCrypt/dnscrypt-proxy/blob/${pkgs.dnscrypt-proxy2.version}/dnscrypt-proxy/example-dnscrypt-proxy.toml"/> ''; example = literalExample '' { @@ -27,6 +27,16 @@ in default = {}; }; + upstreamDefaults = mkOption { + description = '' + Whether to base the config declared in <literal>services.dnscrypt-proxy2.settings</literal> on the upstream example config (<link xlink:href="https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml"/>) + + Disable this if you want to declare your dnscrypt config from scratch. + ''; + type = types.bool; + default = true; + }; + configFile = mkOption { description = '' Path to TOML config file. See: <link xlink:href="https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml"/> @@ -38,7 +48,13 @@ in json = builtins.toJSON cfg.settings; passAsFile = [ "json" ]; } '' - ${pkgs.remarshal}/bin/json2toml < $jsonPath > $out + ${if cfg.upstreamDefaults then '' + ${pkgs.remarshal}/bin/toml2json ${pkgs.dnscrypt-proxy2.src}/dnscrypt-proxy/example-dnscrypt-proxy.toml > example.json + ${pkgs.jq}/bin/jq --slurp add example.json $jsonPath > config.json # merges the two + '' else '' + cp $jsonPath config.json + ''} + ${pkgs.remarshal}/bin/json2toml < config.json > $out ''; defaultText = literalExample "TOML file generated from services.dnscrypt-proxy2.settings"; }; @@ -49,13 +65,56 @@ in networking.nameservers = lib.mkDefault [ "127.0.0.1" ]; systemd.services.dnscrypt-proxy2 = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; + description = "DNSCrypt-proxy client"; + wants = [ + "network-online.target" + "nss-lookup.target" + ]; + before = [ + "nss-lookup.target" + ]; + wantedBy = [ + "multi-user.target" + ]; serviceConfig = { AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + CacheDirectory = "dnscrypt-proxy"; DynamicUser = true; ExecStart = "${pkgs.dnscrypt-proxy2}/bin/dnscrypt-proxy -config ${cfg.configFile}"; + LockPersonality = true; + LogsDirectory = "dnscrypt-proxy"; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + NonBlocking = true; + PrivateDevices = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; Restart = "always"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RuntimeDirectory = "dnscrypt-proxy"; + StateDirectory = "dnscrypt-proxy"; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "@chown" + "~@aio" + "~@keyring" + "~@memlock" + "~@resources" + "~@setuid" + "~@timer" + ]; }; }; }; diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix index b9333cd19a2..89360f4bf37 100644 --- a/nixos/modules/services/networking/dnscrypt-wrapper.nix +++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix @@ -55,7 +55,10 @@ let rotateKeys = '' # check if keys are not expired keyValid() { - fingerprint=$(dnscrypt-wrapper --show-provider-publickey | awk '{print $(NF)}') + fingerprint=$(dnscrypt-wrapper \ + --show-provider-publickey \ + --provider-publickey-file=${publicKey} \ + | awk '{print $(NF)}') dnscrypt-proxy --test=${toString (cfg.keys.checkInterval + 1)} \ --resolver-address=127.0.0.1:${toString cfg.port} \ --provider-name=${cfg.providerName} \ @@ -80,7 +83,7 @@ let # correctly implement key rotation of dnscrypt-wrapper ephemeral keys. dnscrypt-proxy1 = pkgs.callPackage ({ stdenv, fetchFromGitHub, autoreconfHook - , pkgconfig, libsodium, ldns, openssl, systemd }: + , pkg-config, libsodium, ldns, openssl, systemd }: stdenv.mkDerivation rec { pname = "dnscrypt-proxy"; @@ -95,7 +98,7 @@ let configureFlags = optional stdenv.isLinux "--with-systemd"; - nativeBuildInputs = [ autoreconfHook pkgconfig ]; + nativeBuildInputs = [ autoreconfHook pkg-config ]; # <ldns/ldns.h> depends on <openssl/ssl.h> buildInputs = [ libsodium openssl.dev ldns ] ++ optional stdenv.isLinux systemd; diff --git a/nixos/modules/services/networking/dnsdist.nix b/nixos/modules/services/networking/dnsdist.nix index 8249da69bc1..c7c6a79864c 100644 --- a/nixos/modules/services/networking/dnsdist.nix +++ b/nixos/modules/services/networking/dnsdist.nix @@ -4,10 +4,10 @@ with lib; let cfg = config.services.dnsdist; - configFile = pkgs.writeText "dndist.conf" '' + configFile = pkgs.writeText "dnsdist.conf" '' setLocal('${cfg.listenAddress}:${toString cfg.listenPort}') ${cfg.extraConfig} - ''; + ''; in { options = { services.dnsdist = { @@ -26,8 +26,7 @@ in { extraConfig = mkOption { type = types.lines; - default = '' - ''; + default = ""; description = '' Extra lines to be added verbatim to dnsdist.conf. ''; @@ -35,25 +34,19 @@ in { }; }; - config = mkIf config.services.dnsdist.enable { + config = mkIf cfg.enable { + systemd.packages = [ pkgs.dnsdist ]; + systemd.services.dnsdist = { - description = "dnsdist load balancer"; wantedBy = [ "multi-user.target" ]; - after = ["network.target"]; + startLimitIntervalSec = 0; serviceConfig = { - Restart="on-failure"; - RestartSec="1"; DynamicUser = true; - StartLimitInterval="0"; - PrivateDevices=true; - AmbientCapabilities="CAP_NET_BIND_SERVICE"; - CapabilityBoundingSet="CAP_NET_BIND_SERVICE"; - ExecStart = "${pkgs.dnsdist}/bin/dnsdist --supervised --disable-syslog --config ${configFile}"; - ProtectHome=true; - RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6"; - LimitNOFILE="16384"; - TasksMax="8192"; + + # upstream overrides for better nixos compatibility + ExecStartPre = [ "" "${pkgs.dnsdist}/bin/dnsdist --check-config --config ${configFile}" ]; + ExecStart = [ "" "${pkgs.dnsdist}/bin/dnsdist --supervised --disable-syslog --config ${configFile}" ]; }; }; }; diff --git a/nixos/modules/services/networking/doh-proxy-rust.nix b/nixos/modules/services/networking/doh-proxy-rust.nix new file mode 100644 index 00000000000..0e55bc38665 --- /dev/null +++ b/nixos/modules/services/networking/doh-proxy-rust.nix @@ -0,0 +1,60 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.doh-proxy-rust; + +in { + + options.services.doh-proxy-rust = { + + enable = mkEnableOption "doh-proxy-rust"; + + flags = mkOption { + type = types.listOf types.str; + default = []; + example = literalExample [ "--server-address=9.9.9.9:53" ]; + description = '' + A list of command-line flags to pass to doh-proxy. For details on the + available options, see <link xlink:href="https://github.com/jedisct1/doh-server#usage"/>. + ''; + }; + + }; + + config = mkIf cfg.enable { + systemd.services.doh-proxy-rust = { + description = "doh-proxy-rust"; + after = [ "network.target" "nss-lookup.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.doh-proxy-rust}/bin/doh-proxy ${escapeShellArgs cfg.flags}"; + Restart = "always"; + RestartSec = 10; + DynamicUser = true; + + CapabilityBoundingSet = ""; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + ProtectClock = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + RemoveIPC = true; + RestrictAddressFamilies = "AF_INET AF_INET6"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ "@system-service" "~@privileged @resources" ]; + }; + }; + }; + + meta.maintainers = with maintainers; [ stephank ]; + +} diff --git a/nixos/modules/services/networking/epmd.nix b/nixos/modules/services/networking/epmd.nix index 692b75e4f08..f7cdc0fe79c 100644 --- a/nixos/modules/services/networking/epmd.nix +++ b/nixos/modules/services/networking/epmd.nix @@ -53,4 +53,6 @@ in }; }; }; + + meta.maintainers = teams.beam.members; } diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix index 6842aa73561..24f76864953 100644 --- a/nixos/modules/services/networking/firefox/sync-server.nix +++ b/nixos/modules/services/networking/firefox/sync-server.nix @@ -67,7 +67,7 @@ in }; listen.port = mkOption { - type = types.int; + type = types.port; default = 5000; description = '' Port on which the sync server listen to. diff --git a/nixos/modules/services/networking/flannel.nix b/nixos/modules/services/networking/flannel.nix index 4c040112d28..32a7eb3ed69 100644 --- a/nixos/modules/services/networking/flannel.nix +++ b/nixos/modules/services/networking/flannel.nix @@ -162,10 +162,7 @@ in { NODE_NAME = cfg.nodeName; }; path = [ pkgs.iptables ]; - preStart = '' - mkdir -p /run/flannel - touch /run/flannel/docker - '' + optionalString (cfg.storageBackend == "etcd") '' + preStart = optionalString (cfg.storageBackend == "etcd") '' echo "setting network configuration" until ${pkgs.etcdctl}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}' do @@ -177,6 +174,7 @@ in { ExecStart = "${cfg.package}/bin/flannel"; Restart = "always"; RestartSec = "10s"; + RuntimeDirectory = "flannel"; }; }; diff --git a/nixos/modules/services/networking/flashpolicyd.nix b/nixos/modules/services/networking/flashpolicyd.nix deleted file mode 100644 index 7f25083307c..00000000000 --- a/nixos/modules/services/networking/flashpolicyd.nix +++ /dev/null @@ -1,85 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.flashpolicyd; - - flashpolicyd = pkgs.stdenv.mkDerivation { - name = "flashpolicyd-0.6"; - - src = pkgs.fetchurl { - name = "flashpolicyd_v0.6.zip"; - url = "https://download.adobe.com/pub/adobe/devnet/flashplayer/articles/socket_policy_files/flashpolicyd_v0.6.zip"; - sha256 = "16zk237233npwfq1m4ksy4g5lzy1z9fp95w7pz0cdlpmv0fv9sm3"; - }; - - buildInputs = [ pkgs.unzip pkgs.perl ]; - - installPhase = "mkdir $out; cp -pr * $out/; chmod +x $out/*/*.pl"; - }; - - flashpolicydWrapper = pkgs.writeScriptBin "flashpolicyd" - '' - #! ${pkgs.runtimeShell} - exec ${flashpolicyd}/Perl_xinetd/in.flashpolicyd.pl \ - --file=${pkgs.writeText "flashpolixy.xml" cfg.policy} \ - 2> /dev/null - ''; - -in - -{ - - ###### interface - - options = { - - services.flashpolicyd = { - - enable = mkOption { - type = types.bool; - default = false; - description = - '' - Whether to enable the Flash Policy server. This is - necessary if you want Flash applications to make - connections to your server. - ''; - }; - - policy = mkOption { - default = - '' - <?xml version="1.0"?> - <!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd"> - <cross-domain-policy> - <site-control permitted-cross-domain-policies="master-only"/> - <allow-access-from domain="*" to-ports="*" /> - </cross-domain-policy> - ''; - description = "The policy to be served. The default is to allow connections from any domain to any port."; - }; - - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - services.xinetd.enable = true; - - services.xinetd.services = singleton - { name = "flashpolicy"; - port = 843; - unlisted = true; - server = "${flashpolicydWrapper}/bin/flashpolicyd"; - }; - - }; - -} diff --git a/nixos/modules/services/networking/gale.nix b/nixos/modules/services/networking/gale.nix deleted file mode 100644 index cb954fd836b..00000000000 --- a/nixos/modules/services/networking/gale.nix +++ /dev/null @@ -1,181 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.gale; - # we convert the path to a string to avoid it being copied to the nix store, - # otherwise users could read the private key as all files in the store are - # world-readable - keyPath = toString cfg.keyPath; - # ...but we refer to the pubkey file using a path so that we can ensure the - # config gets rebuilt if the public key changes (we can assume the private key - # will never change without the public key having changed) - gpubFile = cfg.keyPath + "/${cfg.domain}.gpub"; - home = "/var/lib/gale"; - keysPrepared = cfg.keyPath != null && lib.pathExists cfg.keyPath; -in -{ - options = { - services.gale = { - enable = mkEnableOption "the Gale messaging daemon"; - - user = mkOption { - default = "gale"; - type = types.str; - description = "Username for the Gale daemon."; - }; - - group = mkOption { - default = "gale"; - type = types.str; - description = "Group name for the Gale daemon."; - }; - - setuidWrapper = mkOption { - default = null; - description = "Configuration for the Gale gksign setuid wrapper."; - }; - - domain = mkOption { - default = ""; - type = types.str; - description = "Domain name for the Gale system."; - }; - - keyPath = mkOption { - default = null; - type = types.nullOr types.path; - description = '' - Directory containing the key pair for this Gale domain. The expected - filename will be taken from the domain option with ".gpri" and ".gpub" - appended. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Additional text to be added to <filename>/etc/gale/conf</filename>. - ''; - }; - }; - }; - - config = mkMerge [ - (mkIf cfg.enable { - assertions = [{ - assertion = cfg.domain != ""; - message = "A domain must be set for Gale."; - }]; - - warnings = mkIf (!keysPrepared) [ - "You must run gale-install in order to generate a domain key." - ]; - - system.activationScripts.gale = mkIf cfg.enable ( - stringAfter [ "users" "groups" ] '' - chmod 755 ${home} - mkdir -m 0777 -p ${home}/auth/cache - mkdir -m 1777 -p ${home}/auth/local # GALE_DOMAIN.gpub - mkdir -m 0700 -p ${home}/auth/private # ROOT.gpub - mkdir -m 0755 -p ${home}/auth/trusted # ROOT - mkdir -m 0700 -p ${home}/.gale - mkdir -m 0700 -p ${home}/.gale/auth - mkdir -m 0700 -p ${home}/.gale/auth/private # GALE_DOMAIN.gpri - - ln -sf ${pkgs.gale}/etc/gale/auth/trusted/ROOT "${home}/auth/trusted/ROOT" - chown ${cfg.user}:${cfg.group} ${home} ${home}/auth ${home}/auth/* - chown ${cfg.user}:${cfg.group} ${home}/.gale ${home}/.gale/auth ${home}/.gale/auth/private - '' - ); - - environment = { - etc = { - "gale/auth".source = home + "/auth"; # symlink /var/lib/gale/auth - "gale/conf".text = '' - GALE_USER ${cfg.user} - GALE_DOMAIN ${cfg.domain} - ${cfg.extraConfig} - ''; - }; - - systemPackages = [ pkgs.gale ]; - }; - - users.users.${cfg.user} = { - description = "Gale daemon"; - uid = config.ids.uids.gale; - group = cfg.group; - home = home; - createHome = true; - }; - - users.groups = [{ - name = cfg.group; - gid = config.ids.gids.gale; - }]; - }) - (mkIf (cfg.enable && keysPrepared) { - assertions = [ - { - assertion = cfg.keyPath != null - && lib.pathExists (cfg.keyPath + "/${cfg.domain}.gpub"); - message = "Couldn't find a Gale public key for ${cfg.domain}."; - } - { - assertion = cfg.keyPath != null - && lib.pathExists (cfg.keyPath + "/${cfg.domain}.gpri"); - message = "Couldn't find a Gale private key for ${cfg.domain}."; - } - ]; - - services.gale.setuidWrapper = { - program = "gksign"; - source = "${pkgs.gale}/bin/gksign"; - owner = cfg.user; - group = cfg.group; - setuid = true; - setgid = false; - }; - - security.wrappers.gksign = cfg.setuidWrapper; - - systemd.services.gale-galed = { - description = "Gale messaging daemon"; - wantedBy = [ "multi-user.target" ]; - wants = [ "gale-gdomain.service" ]; - after = [ "network.target" ]; - - preStart = '' - install -m 0640 -o ${cfg.user} -g ${cfg.group} ${keyPath}/${cfg.domain}.gpri "${home}/.gale/auth/private/" - install -m 0644 -o ${cfg.user} -g ${cfg.group} ${gpubFile} "${home}/.gale/auth/private/${cfg.domain}.gpub" - install -m 0644 -o ${cfg.user} -g ${cfg.group} ${gpubFile} "${home}/auth/local/${cfg.domain}.gpub" - ''; - - serviceConfig = { - Type = "forking"; - ExecStart = "@${pkgs.gale}/bin/galed galed"; - User = cfg.user; - Group = cfg.group; - PermissionsStartOnly = true; - }; - }; - - systemd.services.gale-gdomain = { - description = "Gale AKD daemon"; - wantedBy = [ "multi-user.target" ]; - requires = [ "gale-galed.service" ]; - after = [ "gale-galed.service" ]; - - serviceConfig = { - Type = "forking"; - ExecStart = "@${pkgs.gale}/bin/gdomain gdomain"; - User = cfg.user; - Group = cfg.group; - }; - }; - }) - ]; -} diff --git a/nixos/modules/services/networking/gateone.nix b/nixos/modules/services/networking/gateone.nix index 56f2ba21a12..3e3a3c1aa94 100644 --- a/nixos/modules/services/networking/gateone.nix +++ b/nixos/modules/services/networking/gateone.nix @@ -10,12 +10,12 @@ options = { pidDir = mkOption { default = "/run/gateone"; type = types.path; - description = ''Path of pid files for GateOne.''; + description = "Path of pid files for GateOne."; }; settingsDir = mkOption { default = "/var/lib/gateone"; type = types.path; - description = ''Path of configuration files for GateOne.''; + description = "Path of configuration files for GateOne."; }; }; }; diff --git a/nixos/modules/services/networking/ghostunnel.nix b/nixos/modules/services/networking/ghostunnel.nix new file mode 100644 index 00000000000..58a51df6cca --- /dev/null +++ b/nixos/modules/services/networking/ghostunnel.nix @@ -0,0 +1,242 @@ +{ config, lib, pkgs, ... }: +let + inherit (lib) + attrValues + concatMap + concatStringsSep + escapeShellArg + literalExample + mapAttrs' + mkDefault + mkEnableOption + mkIf + mkOption + nameValuePair + optional + types + ; + + mainCfg = config.services.ghostunnel; + + module = { config, name, ... }: + { + options = { + + listen = mkOption { + description = '' + Address and port to listen on (can be HOST:PORT, unix:PATH). + ''; + type = types.str; + }; + + target = mkOption { + description = '' + Address to forward connections to (can be HOST:PORT or unix:PATH). + ''; + type = types.str; + }; + + keystore = mkOption { + description = '' + Path to keystore (combined PEM with cert/key, or PKCS12 keystore). + + NB: storepass is not supported because it would expose credentials via <code>/proc/*/cmdline</code>. + + Specify this or <code>cert</code> and <code>key</code>. + ''; + type = types.nullOr types.str; + default = null; + }; + + cert = mkOption { + description = '' + Path to certificate (PEM with certificate chain). + + Not required if <code>keystore</code> is set. + ''; + type = types.nullOr types.str; + default = null; + }; + + key = mkOption { + description = '' + Path to certificate private key (PEM with private key). + + Not required if <code>keystore</code> is set. + ''; + type = types.nullOr types.str; + default = null; + }; + + cacert = mkOption { + description = '' + Path to CA bundle file (PEM/X509). Uses system trust store if <code>null</code>. + ''; + type = types.nullOr types.str; + }; + + disableAuthentication = mkOption { + description = '' + Disable client authentication, no client certificate will be required. + ''; + type = types.bool; + default = false; + }; + + allowAll = mkOption { + description = '' + If true, allow all clients, do not check client cert subject. + ''; + type = types.bool; + default = false; + }; + + allowCN = mkOption { + description = '' + Allow client if common name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + allowOU = mkOption { + description = '' + Allow client if organizational unit name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + allowDNS = mkOption { + description = '' + Allow client if DNS subject alternative name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + allowURI = mkOption { + description = '' + Allow client if URI subject alternative name appears in the list. + ''; + type = types.listOf types.str; + default = []; + }; + + extraArguments = mkOption { + description = "Extra arguments to pass to <code>ghostunnel server</code>"; + type = types.separatedString " "; + default = ""; + }; + + unsafeTarget = mkOption { + description = '' + If set, does not limit target to localhost, 127.0.0.1, [::1], or UNIX sockets. + + This is meant to protect against accidental unencrypted traffic on + untrusted networks. + ''; + type = types.bool; + default = false; + }; + + # Definitions to apply at the root of the NixOS configuration. + atRoot = mkOption { + internal = true; + }; + }; + + # Clients should not be authenticated with the public root certificates + # (afaict, it doesn't make sense), so we only provide that default when + # client cert auth is disabled. + config.cacert = mkIf config.disableAuthentication (mkDefault null); + + config.atRoot = { + assertions = [ + { message = '' + services.ghostunnel.servers.${name}: At least one access control flag is required. + Set at least one of: + - services.ghostunnel.servers.${name}.disableAuthentication + - services.ghostunnel.servers.${name}.allowAll + - services.ghostunnel.servers.${name}.allowCN + - services.ghostunnel.servers.${name}.allowOU + - services.ghostunnel.servers.${name}.allowDNS + - services.ghostunnel.servers.${name}.allowURI + ''; + assertion = config.disableAuthentication + || config.allowAll + || config.allowCN != [] + || config.allowOU != [] + || config.allowDNS != [] + || config.allowURI != [] + ; + } + ]; + + systemd.services."ghostunnel-server-${name}" = { + after = [ "network.target" ]; + wants = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Restart = "always"; + AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]; + DynamicUser = true; + LoadCredential = optional (config.keystore != null) "keystore:${config.keystore}" + ++ optional (config.cert != null) "cert:${config.cert}" + ++ optional (config.key != null) "key:${config.key}" + ++ optional (config.cacert != null) "cacert:${config.cacert}"; + }; + script = concatStringsSep " " ( + [ "${mainCfg.package}/bin/ghostunnel" ] + ++ optional (config.keystore != null) "--keystore=$CREDENTIALS_DIRECTORY/keystore" + ++ optional (config.cert != null) "--cert=$CREDENTIALS_DIRECTORY/cert" + ++ optional (config.key != null) "--key=$CREDENTIALS_DIRECTORY/key" + ++ optional (config.cacert != null) "--cacert=$CREDENTIALS_DIRECTORY/cacert" + ++ [ + "server" + "--listen ${config.listen}" + "--target ${config.target}" + ] ++ optional config.allowAll "--allow-all" + ++ map (v: "--allow-cn=${escapeShellArg v}") config.allowCN + ++ map (v: "--allow-ou=${escapeShellArg v}") config.allowOU + ++ map (v: "--allow-dns=${escapeShellArg v}") config.allowDNS + ++ map (v: "--allow-uri=${escapeShellArg v}") config.allowURI + ++ optional config.disableAuthentication "--disable-authentication" + ++ optional config.unsafeTarget "--unsafe-target" + ++ [ config.extraArguments ] + ); + }; + }; + }; + +in +{ + + options = { + services.ghostunnel.enable = mkEnableOption "ghostunnel"; + + services.ghostunnel.package = mkOption { + description = "The ghostunnel package to use."; + type = types.package; + default = pkgs.ghostunnel; + defaultText = literalExample ''pkgs.ghostunnel''; + }; + + services.ghostunnel.servers = mkOption { + description = '' + Server mode ghostunnels (TLS listener -> plain TCP/UNIX target) + ''; + type = types.attrsOf (types.submodule module); + default = {}; + }; + }; + + config = mkIf mainCfg.enable { + assertions = lib.mkMerge (map (v: v.atRoot.assertions) (attrValues mainCfg.servers)); + systemd = lib.mkMerge (map (v: v.atRoot.systemd) (attrValues mainCfg.servers)); + }; + + meta.maintainers = with lib.maintainers; [ + roberth + ]; +} diff --git a/nixos/modules/services/networking/git-daemon.nix b/nixos/modules/services/networking/git-daemon.nix index 52c895215fb..98f80dd4bc4 100644 --- a/nixos/modules/services/networking/git-daemon.nix +++ b/nixos/modules/services/networking/git-daemon.nix @@ -74,7 +74,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 9418; description = "Port to listen on."; }; diff --git a/nixos/modules/services/networking/globalprotect-vpn.nix b/nixos/modules/services/networking/globalprotect-vpn.nix new file mode 100644 index 00000000000..367a42687e1 --- /dev/null +++ b/nixos/modules/services/networking/globalprotect-vpn.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.globalprotect; + + execStart = if cfg.csdWrapper == null then + "${pkgs.globalprotect-openconnect}/bin/gpservice" + else + "${pkgs.globalprotect-openconnect}/bin/gpservice --csd-wrapper=${cfg.csdWrapper}"; +in + +{ + options.services.globalprotect = { + enable = mkEnableOption "globalprotect"; + + csdWrapper = mkOption { + description = '' + A script that will produce a Host Integrity Protection (HIP) report, + as described at <link xlink:href="https://www.infradead.org/openconnect/hip.html" /> + ''; + default = null; + example = literalExample "\${pkgs.openconnect}/libexec/openconnect/hipreport.sh"; + type = types.nullOr types.path; + }; + }; + + config = mkIf cfg.enable { + services.dbus.packages = [ pkgs.globalprotect-openconnect ]; + + systemd.services.gpservice = { + description = "GlobalProtect openconnect DBus service"; + serviceConfig = { + Type="dbus"; + BusName="com.yuezk.qt.GPService"; + ExecStart=execStart; + }; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + }; + }; +} diff --git a/nixos/modules/services/networking/go-neb.nix b/nixos/modules/services/networking/go-neb.nix index 991ae38f30a..765834fad83 100644 --- a/nixos/modules/services/networking/go-neb.nix +++ b/nixos/modules/services/networking/go-neb.nix @@ -5,7 +5,8 @@ with lib; let cfg = config.services.go-neb; - configFile = pkgs.writeText "config.yml" (builtins.toJSON cfg.config); + settingsFormat = pkgs.formats.yaml {}; + configFile = settingsFormat.generate "config.yaml" cfg.config; in { options.services.go-neb = { enable = mkEnableOption "Extensible matrix bot written in Go"; @@ -16,13 +17,26 @@ in { default = ":4050"; }; + secretFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/go-neb.env"; + description = '' + Environment variables from this file will be interpolated into the + final config file using envsubst with this syntax: <literal>$ENVIRONMENT</literal> + or <literal>''${VARIABLE}</literal>. + The file should contain lines formatted as <literal>SECRET_VAR=SECRET_VALUE</literal>. + This is useful to avoid putting secrets into the nix store. + ''; + }; + baseUrl = mkOption { type = types.str; description = "Public-facing endpoint that can receive webhooks."; }; config = mkOption { - type = types.uniq types.attrs; + inherit (settingsFormat) type; description = '' Your <filename>config.yaml</filename> as a Nix attribute set. See <link xlink:href="https://github.com/matrix-org/go-neb/blob/master/config.sample.yaml">config.sample.yaml</link> @@ -32,18 +46,30 @@ in { }; config = mkIf cfg.enable { - systemd.services.go-neb = { + systemd.services.go-neb = let + finalConfigFile = if cfg.secretFile == null then configFile else "/var/run/go-neb/config.yaml"; + in { description = "Extensible matrix bot written in Go"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; environment = { BASE_URL = cfg.baseUrl; BIND_ADDRESS = cfg.bindAddress; - CONFIG_FILE = configFile; + CONFIG_FILE = finalConfigFile; }; serviceConfig = { + ExecStartPre = lib.optional (cfg.secretFile != null) + (pkgs.writeShellScript "pre-start" '' + umask 077 + export $(xargs < ${cfg.secretFile}) + ${pkgs.envsubst}/bin/envsubst -i "${configFile}" > ${finalConfigFile} + chown go-neb ${finalConfigFile} + ''); + PermissionsStartOnly = true; + RuntimeDirectory = "go-neb"; ExecStart = "${pkgs.go-neb}/bin/go-neb"; + User = "go-neb"; DynamicUser = true; }; }; diff --git a/nixos/modules/services/networking/gobgpd.nix b/nixos/modules/services/networking/gobgpd.nix new file mode 100644 index 00000000000..d3b03471f4e --- /dev/null +++ b/nixos/modules/services/networking/gobgpd.nix @@ -0,0 +1,64 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.gobgpd; + format = pkgs.formats.toml { }; + confFile = format.generate "gobgpd.conf" cfg.settings; +in { + options.services.gobgpd = { + enable = mkEnableOption "GoBGP Routing Daemon"; + + settings = mkOption { + type = format.type; + default = { }; + description = '' + GoBGP configuration. Refer to + <link xlink:href="https://github.com/osrg/gobgp#documentation"/> + for details on supported values. + ''; + example = literalExample '' + { + global = { + config = { + as = 64512; + router-id = "192.168.255.1"; + }; + }; + neighbors = [ + { + config = { + neighbor-address = "10.0.255.1"; + peer-as = 65001; + }; + } + { + config = { + neighbor-address = "10.0.255.2"; + peer-as = 65002; + }; + } + ]; + } + ''; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.gobgpd ]; + systemd.services.gobgpd = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "GoBGP Routing Daemon"; + serviceConfig = { + Type = "notify"; + ExecStartPre = "${pkgs.gobgpd}/bin/gobgpd -f ${confFile} -d"; + ExecStart = "${pkgs.gobgpd}/bin/gobgpd -f ${confFile} --sdnotify"; + ExecReload = "${pkgs.gobgpd}/bin/gobgpd -r"; + DynamicUser = true; + AmbientCapabilities = "cap_net_bind_service"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/gogoclient.nix b/nixos/modules/services/networking/gogoclient.nix index 99455b18314..1205321818b 100644 --- a/nixos/modules/services/networking/gogoclient.nix +++ b/nixos/modules/services/networking/gogoclient.nix @@ -28,6 +28,7 @@ in username = mkOption { default = ""; + type = types.str; description = '' Your Gateway6 login name, if any. ''; @@ -42,6 +43,7 @@ in }; server = mkOption { + type = types.str; default = "anonymous.freenet6.net"; example = "broker.freenet6.net"; description = "The Gateway6 server to be used."; diff --git a/nixos/modules/services/networking/gvpe.nix b/nixos/modules/services/networking/gvpe.nix index 92e87cd4640..4fad37ba15e 100644 --- a/nixos/modules/services/networking/gvpe.nix +++ b/nixos/modules/services/networking/gvpe.nix @@ -3,7 +3,7 @@ {config, pkgs, lib, ...}: let - inherit (lib) mkOption mkIf; + inherit (lib) mkOption mkIf types; cfg = config.services.gvpe; @@ -27,7 +27,7 @@ let text = '' #! /bin/sh - export PATH=$PATH:${pkgs.iproute}/sbin + export PATH=$PATH:${pkgs.iproute2}/sbin ip link set $IFNAME up ip address add ${cfg.ipAddress} dev $IFNAME @@ -46,12 +46,14 @@ in nodename = mkOption { default = null; + type = types.nullOr types.str; description ='' GVPE node name ''; }; configText = mkOption { default = null; + type = types.nullOr types.lines; example = '' tcp-port = 655 udp-port = 655 @@ -72,6 +74,7 @@ in }; configFile = mkOption { default = null; + type = types.nullOr types.path; example = "/root/my-gvpe-conf"; description = '' GVPE config file, if already present @@ -79,12 +82,14 @@ in }; ipAddress = mkOption { default = null; + type = types.nullOr types.str; description = '' IP address to assign to GVPE interface ''; }; subnet = mkOption { default = null; + type = types.nullOr types.str; example = "10.0.0.0/8"; description = '' IP subnet assigned to GVPE network @@ -92,6 +97,7 @@ in }; customIFSetup = mkOption { default = ""; + type = types.lines; description = '' Additional commands to apply in ifup script ''; diff --git a/nixos/modules/services/networking/hans.nix b/nixos/modules/services/networking/hans.nix index 8334dc68d62..84147db00f6 100644 --- a/nixos/modules/services/networking/hans.nix +++ b/nixos/modules/services/networking/hans.nix @@ -141,5 +141,5 @@ in }; }; - meta.maintainers = with maintainers; [ gnidorah ]; + meta.maintainers = with maintainers; [ ]; } diff --git a/nixos/modules/services/networking/heyefi.nix b/nixos/modules/services/networking/heyefi.nix deleted file mode 100644 index fc2b5a84857..00000000000 --- a/nixos/modules/services/networking/heyefi.nix +++ /dev/null @@ -1,82 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.heyefi; -in - -{ - - ###### interface - - options = { - - services.heyefi = { - - enable = mkEnableOption "heyefi"; - - cardMacaddress = mkOption { - default = ""; - description = '' - An Eye-Fi card MAC address. - ''; - }; - - uploadKey = mkOption { - default = ""; - description = '' - An Eye-Fi card's upload key. - ''; - }; - - uploadDir = mkOption { - example = "/home/username/pictures"; - description = '' - The directory to upload the files to. - ''; - }; - - user = mkOption { - default = "root"; - description = '' - heyefi will be run under this user (user must exist, - this can be your user name). - ''; - }; - - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - systemd.services.heyefi = - { - description = "heyefi service"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = "${cfg.user}"; - Restart = "always"; - ExecStart = "${pkgs.heyefi}/bin/heyefi"; - }; - - }; - - environment.etc."heyefi/heyefi.config".text = - '' - # /etc/heyefi/heyefi.conf: DO NOT EDIT -- this file has been generated automatically. - cards = [["${config.services.heyefi.cardMacaddress}","${config.services.heyefi.uploadKey}"]] - upload_dir = "${toString config.services.heyefi.uploadDir}" - ''; - - environment.systemPackages = [ pkgs.heyefi ]; - - }; - -} diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix index 5d73038363a..f719ff59cc7 100644 --- a/nixos/modules/services/networking/hostapd.nix +++ b/nixos/modules/services/networking/hostapd.nix @@ -20,8 +20,8 @@ let ssid=${cfg.ssid} hw_mode=${cfg.hwMode} channel=${toString cfg.channel} - ${optionalString (cfg.countryCode != null) ''country_code=${cfg.countryCode}''} - ${optionalString (cfg.countryCode != null) ''ieee80211d=1''} + ${optionalString (cfg.countryCode != null) "country_code=${cfg.countryCode}"} + ${optionalString (cfg.countryCode != null) "ieee80211d=1"} # logging (debug level) logger_syslog=-1 @@ -68,6 +68,7 @@ in interface = mkOption { default = ""; example = "wlp2s0"; + type = types.str; description = '' The interfaces <command>hostapd</command> will use. ''; diff --git a/nixos/modules/services/networking/hylafax/faxq-wait.sh b/nixos/modules/services/networking/hylafax/faxq-wait.sh index 8c39e9d20c1..1826aa30e62 100755 --- a/nixos/modules/services/networking/hylafax/faxq-wait.sh +++ b/nixos/modules/services/networking/hylafax/faxq-wait.sh @@ -1,4 +1,4 @@ -#! @shell@ -e +#! @runtimeShell@ -e # skip this if there are no modems at all if ! stat -t "@spoolAreaPath@"/etc/config.* >/dev/null 2>&1 diff --git a/nixos/modules/services/networking/hylafax/modem-default.nix b/nixos/modules/services/networking/hylafax/modem-default.nix index 7529b5b0aaf..707b8209282 100644 --- a/nixos/modules/services/networking/hylafax/modem-default.nix +++ b/nixos/modules/services/networking/hylafax/modem-default.nix @@ -5,7 +5,7 @@ { TagLineFont = "etc/LiberationSans-25.pcf"; - TagLineLocale = ''en_US.UTF-8''; + TagLineLocale = "en_US.UTF-8"; AdminGroup = "root"; # groups that can change server config AnswerRotary = "fax"; # don't accept anything else but faxes @@ -16,7 +16,7 @@ SessionTracing = "0x78701"; UUCPLockDir = "/var/lock"; - SendPageCmd = ''${pkgs.coreutils}/bin/false''; # prevent pager transmit - SendUUCPCmd = ''${pkgs.coreutils}/bin/false''; # prevent UUCP transmit + SendPageCmd = "${pkgs.coreutils}/bin/false"; # prevent pager transmit + SendUUCPCmd = "${pkgs.coreutils}/bin/false"; # prevent UUCP transmit } diff --git a/nixos/modules/services/networking/hylafax/options.nix b/nixos/modules/services/networking/hylafax/options.nix index 4ac6d3fa843..74960e69b9a 100644 --- a/nixos/modules/services/networking/hylafax/options.nix +++ b/nixos/modules/services/networking/hylafax/options.nix @@ -3,7 +3,7 @@ let inherit (lib.options) literalExample mkEnableOption mkOption; - inherit (lib.types) bool enum int lines loaOf nullOr path str submodule; + inherit (lib.types) bool enum ints lines attrsOf nullOr path str submodule; inherit (lib.modules) mkDefault mkIf mkMerge; commonDescr = '' @@ -18,7 +18,6 @@ let ''; str1 = lib.types.addCheck str (s: s!=""); # non-empty string - int1 = lib.types.addCheck int (i: i>0); # positive integer configAttrType = # Options in HylaFAX configuration files can be @@ -27,7 +26,7 @@ let # This type definition resolves all # those types into a list of strings. let - inherit (lib.types) attrsOf coercedTo listOf; + inherit (lib.types) attrsOf coercedTo int listOf; innerType = coercedTo bool (x: if x then "Yes" else "No") (coercedTo int (toString) str); in @@ -85,8 +84,8 @@ let # Otherwise, we use `false` to provoke # an error if hylafax tries to use it. c.sendmailPath = mkMerge [ - (mkIfDefault noWrapper ''${pkgs.coreutils}/bin/false'') - (mkIfDefault (!noWrapper) ''${wrapperDir}/${program}'') + (mkIfDefault noWrapper "${pkgs.coreutils}/bin/false") + (mkIfDefault (!noWrapper) "${wrapperDir}/${program}") ]; importDefaultConfig = file: lib.attrsets.mapAttrs @@ -121,7 +120,7 @@ in options.services.hylafax = { - enable = mkEnableOption ''HylaFAX server''; + enable = mkEnableOption "HylaFAX server"; autostart = mkOption { type = bool; @@ -139,28 +138,28 @@ in type = nullOr str1; default = null; example = "49"; - description = ''Country code for server and all modems.''; + description = "Country code for server and all modems."; }; areaCode = mkOption { type = nullOr str1; default = null; example = "30"; - description = ''Area code for server and all modems.''; + description = "Area code for server and all modems."; }; longDistancePrefix = mkOption { type = nullOr str; default = null; example = "0"; - description = ''Long distance prefix for server and all modems.''; + description = "Long distance prefix for server and all modems."; }; internationalPrefix = mkOption { type = nullOr str; default = null; example = "00"; - description = ''International prefix for server and all modems.''; + description = "International prefix for server and all modems."; }; spoolAreaPath = mkOption { @@ -248,7 +247,7 @@ in }; modems = mkOption { - type = loaOf (submodule [ modemConfigOptions ]); + type = attrsOf (submodule [ modemConfigOptions ]); default = {}; example.ttyS1 = { type = "cirrus"; @@ -267,7 +266,7 @@ in spoolExtraInit = mkOption { type = lines; default = ""; - example = ''chmod 0755 . # everyone may read my faxes''; + example = "chmod 0755 . # everyone may read my faxes"; description = '' Additional shell code that is executed within the spooling area directory right after its setup. @@ -290,7 +289,7 @@ in ''; }; faxcron.infoDays = mkOption { - type = int1; + type = ints.positive; default = 30; description = '' Set the expiration time for data in the @@ -298,7 +297,7 @@ in ''; }; faxcron.logDays = mkOption { - type = int1; + type = ints.positive; default = 30; description = '' Set the expiration time for @@ -306,7 +305,7 @@ in ''; }; faxcron.rcvDays = mkOption { - type = int1; + type = ints.positive; default = 7; description = '' Set the expiration time for files in @@ -343,9 +342,9 @@ in ''; }; faxqclean.doneqMinutes = mkOption { - type = int1; + type = ints.positive; default = 15; - example = literalExample ''24*60''; + example = literalExample "24*60"; description = '' Set the job age threshold (in minutes) that controls how long @@ -353,9 +352,9 @@ in ''; }; faxqclean.docqMinutes = mkOption { - type = int1; + type = ints.positive; default = 60; - example = literalExample ''24*60''; + example = literalExample "24*60"; description = '' Set the document age threshold (in minutes) that controls how long diff --git a/nixos/modules/services/networking/hylafax/spool.sh b/nixos/modules/services/networking/hylafax/spool.sh index 31e930e8c59..8b723df77df 100755 --- a/nixos/modules/services/networking/hylafax/spool.sh +++ b/nixos/modules/services/networking/hylafax/spool.sh @@ -1,4 +1,4 @@ -#! @shell@ -e +#! @runtimeShell@ -e # The following lines create/update the HylaFAX spool directory: # Subdirectories/files with persistent data are kept, @@ -80,7 +80,7 @@ touch clientlog faxcron.lastrun xferfaxlog chown @faxuser@:@faxgroup@ clientlog faxcron.lastrun xferfaxlog # create symlinks for frozen directories/files -lnsym --target-directory=. "@hylafax@"/spool/{COPYRIGHT,bin,config} +lnsym --target-directory=. "@hylafaxplus@"/spool/{COPYRIGHT,bin,config} # create empty temporary directories update --mode=0700 -d client dev status @@ -93,7 +93,7 @@ install -d "@spoolAreaPath@/etc" cd "@spoolAreaPath@/etc" # create symlinks to all files in template's etc -lnsym --target-directory=. "@hylafax@/spool/etc"/* +lnsym --target-directory=. "@hylafaxplus@/spool/etc"/* # set LOCKDIR in setup.cache sed --regexp-extended 's|^(UUCP_LOCKDIR=).*$|\1'"'@lockPath@'|g" --in-place setup.cache diff --git a/nixos/modules/services/networking/hylafax/systemd.nix b/nixos/modules/services/networking/hylafax/systemd.nix index b9b9b9dca4f..4506bbbc5eb 100644 --- a/nixos/modules/services/networking/hylafax/systemd.nix +++ b/nixos/modules/services/networking/hylafax/systemd.nix @@ -13,15 +13,14 @@ let # creates hylafax config file, # makes sure "Include" is listed *first* let - mkLines = conf: - (lib.concatLists - (lib.flip lib.mapAttrsToList conf - (k: map (v: ''${k}: ${v}'') - ))); + mkLines = lib.flip lib.pipe [ + (lib.mapAttrsToList (key: map (val: "${key}: ${val}"))) + lib.concatLists + ]; include = mkLines { Include = conf.Include or []; }; other = mkLines ( conf // { Include = []; } ); in - pkgs.writeText ''hylafax-config${name}'' + pkgs.writeText "hylafax-config${name}" (concatStringsSep "\n" (include ++ other)); globalConfigPath = mkConfigFile "" cfg.faxqConfig; @@ -29,7 +28,7 @@ let modemConfigPath = let mkModemConfigFile = { config, name, ... }: - mkConfigFile ''.${name}'' + mkConfigFile ".${name}" (cfg.commonModemConfig // config); mkLine = { name, type, ... }@modem: '' # check if modem config file exists: @@ -48,13 +47,12 @@ let name = "hylafax-setup-spool.sh"; src = ./spool.sh; isExecutable = true; - inherit (pkgs.stdenv) shell; - hylafax = pkgs.hylafaxplus; faxuser = "uucp"; faxgroup = "uucp"; lockPath = "/var/lock"; inherit globalConfigPath modemConfigPath; inherit (cfg) sendmailPath spoolAreaPath userAccessFile; + inherit (pkgs) hylafaxplus runtimeShell; }; waitFaxqScript = pkgs.substituteAll { @@ -64,8 +62,8 @@ let src = ./faxq-wait.sh; isExecutable = true; timeoutSec = toString 10; - inherit (pkgs.stdenv) shell; inherit (cfg) spoolAreaPath; + inherit (pkgs) runtimeShell; }; sockets.hylafax-hfaxd = { @@ -81,7 +79,7 @@ let description = "HylaFAX queue manager sendq watch"; documentation = [ "man:faxq(8)" "man:sendq(5)" ]; wantedBy = [ "multi-user.target" ]; - pathConfig.PathExistsGlob = [ ''${cfg.spoolAreaPath}/sendq/q*'' ]; + pathConfig.PathExistsGlob = [ "${cfg.spoolAreaPath}/sendq/q*" ]; }; timers = mkMerge [ @@ -108,8 +106,10 @@ let PrivateDevices = true; # breaks /dev/tty... PrivateNetwork = true; PrivateTmp = true; + #ProtectClock = true; # breaks /dev/tty... (why?) ProtectControlGroups = true; #ProtectHome = true; # breaks custom spool dirs + ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; #ProtectSystem = "strict"; # breaks custom spool dirs @@ -134,7 +134,7 @@ let exit 1 fi ''; - serviceConfig.ExecStop = ''${setupSpoolScript}''; + serviceConfig.ExecStop = "${setupSpoolScript}"; serviceConfig.RemainAfterExit = true; serviceConfig.Type = "oneshot"; unitConfig.RequiresMountsFor = [ cfg.spoolAreaPath ]; @@ -145,7 +145,7 @@ let documentation = [ "man:faxq(8)" ]; requires = [ "hylafax-spool.service" ]; after = [ "hylafax-spool.service" ]; - wants = mapModems ( { name, ... }: ''hylafax-faxgetty@${name}.service'' ); + wants = mapModems ( { name, ... }: "hylafax-faxgetty@${name}.service" ); wantedBy = mkIf cfg.autostart [ "multi-user.target" ]; serviceConfig.Type = "forking"; serviceConfig.ExecStart = ''${pkgs.hylafaxplus}/spool/bin/faxq -q "${cfg.spoolAreaPath}"''; @@ -155,7 +155,7 @@ let # stopped will always yield a failed send attempt: # The fax service is started when the job is created with # `sendfax`, but modems need some time to initialize. - serviceConfig.ExecStartPost = [ ''${waitFaxqScript}'' ]; + serviceConfig.ExecStartPost = [ "${waitFaxqScript}" ]; # faxquit fails if the pipe is already gone # (e.g. the service is already stopping) serviceConfig.ExecStop = ''-${pkgs.hylafaxplus}/spool/bin/faxquit -q "${cfg.spoolAreaPath}"''; @@ -186,7 +186,7 @@ let wantedBy = mkIf cfg.faxcron.enable.spoolInit requires; startAt = mkIf (cfg.faxcron.enable.frequency!=null) cfg.faxcron.enable.frequency; serviceConfig.ExecStart = concatStringsSep " " [ - ''${pkgs.hylafaxplus}/spool/bin/faxcron'' + "${pkgs.hylafaxplus}/spool/bin/faxcron" ''-q "${cfg.spoolAreaPath}"'' ''-info ${toString cfg.faxcron.infoDays}'' ''-log ${toString cfg.faxcron.logDays}'' @@ -202,18 +202,18 @@ let wantedBy = mkIf cfg.faxqclean.enable.spoolInit requires; startAt = mkIf (cfg.faxqclean.enable.frequency!=null) cfg.faxqclean.enable.frequency; serviceConfig.ExecStart = concatStringsSep " " [ - ''${pkgs.hylafaxplus}/spool/bin/faxqclean'' + "${pkgs.hylafaxplus}/spool/bin/faxqclean" ''-q "${cfg.spoolAreaPath}"'' - ''-v'' - (optionalString (cfg.faxqclean.archiving!="never") ''-a'') - (optionalString (cfg.faxqclean.archiving=="always") ''-A'') + "-v" + (optionalString (cfg.faxqclean.archiving!="never") "-a") + (optionalString (cfg.faxqclean.archiving=="always") "-A") ''-j ${toString (cfg.faxqclean.doneqMinutes*60)}'' ''-d ${toString (cfg.faxqclean.docqMinutes*60)}'' ]; }; mkFaxgettyService = { name, ... }: - lib.nameValuePair ''hylafax-faxgetty@${name}'' rec { + lib.nameValuePair "hylafax-faxgetty@${name}" rec { description = "HylaFAX faxgetty for %I"; documentation = [ "man:faxgetty(8)" ]; bindsTo = [ "dev-%i.device" ]; @@ -221,7 +221,7 @@ let after = bindsTo ++ requires; before = [ "hylafax-faxq.service" "getty.target" ]; unitConfig.StopWhenUnneeded = true; - unitConfig.AssertFileNotEmpty = ''${cfg.spoolAreaPath}/etc/config.%I''; + unitConfig.AssertFileNotEmpty = "${cfg.spoolAreaPath}/etc/config.%I"; serviceConfig.UtmpIdentifier = "%I"; serviceConfig.TTYPath = "/dev/%I"; serviceConfig.Restart = "always"; diff --git a/nixos/modules/services/networking/icecream/daemon.nix b/nixos/modules/services/networking/icecream/daemon.nix new file mode 100644 index 00000000000..2975696f9c2 --- /dev/null +++ b/nixos/modules/services/networking/icecream/daemon.nix @@ -0,0 +1,155 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.icecream.daemon; +in { + + ###### interface + + options = { + + services.icecream.daemon = { + + enable = mkEnableOption "Icecream Daemon"; + + openFirewall = mkOption { + type = types.bool; + description = '' + Whether to automatically open receive port in the firewall. + ''; + }; + + openBroadcast = mkOption { + type = types.bool; + description = '' + Whether to automatically open the firewall for scheduler discovery. + ''; + }; + + cacheLimit = mkOption { + type = types.ints.u16; + default = 256; + description = '' + Maximum size in Megabytes of cache used to store compile environments of compile clients. + ''; + }; + + netName = mkOption { + type = types.str; + default = "ICECREAM"; + description = '' + Network name to connect to. A scheduler with the same name needs to be running. + ''; + }; + + noRemote = mkOption { + type = types.bool; + default = false; + description = '' + Prevent jobs from other nodes being scheduled on this daemon. + ''; + }; + + schedulerHost = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Explicit scheduler hostname, useful in firewalled environments. + + Uses scheduler autodiscovery via broadcast if set to null. + ''; + }; + + maxProcesses = mkOption { + type = types.nullOr types.ints.u16; + default = null; + description = '' + Maximum number of compile jobs started in parallel for this daemon. + + Uses the number of CPUs if set to null. + ''; + }; + + nice = mkOption { + type = types.int; + default = 5; + description = '' + The level of niceness to use. + ''; + }; + + hostname = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Hostname of the daemon in the icecream infrastructure. + + Uses the hostname retrieved via uname if set to null. + ''; + }; + + user = mkOption { + type = types.str; + default = "icecc"; + description = '' + User to run the icecream daemon as. Set to root to enable receive of + remote compile environments. + ''; + }; + + package = mkOption { + default = pkgs.icecream; + defaultText = "pkgs.icecream"; + type = types.package; + description = "Icecream package to use."; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + description = "Additional command line parameters."; + example = [ "-v" ]; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ 10245 ]; + networking.firewall.allowedUDPPorts = mkIf cfg.openBroadcast [ 8765 ]; + + systemd.services.icecc-daemon = { + description = "Icecream compile daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = escapeShellArgs ([ + "${getBin cfg.package}/bin/iceccd" + "-b" "$STATE_DIRECTORY" + "-u" "icecc" + (toString cfg.nice) + ] + ++ optionals (cfg.schedulerHost != null) ["-s" cfg.schedulerHost] + ++ optionals (cfg.netName != null) [ "-n" cfg.netName ] + ++ optionals (cfg.cacheLimit != null) [ "--cache-limit" (toString cfg.cacheLimit) ] + ++ optionals (cfg.maxProcesses != null) [ "-m" (toString cfg.maxProcesses) ] + ++ optionals (cfg.hostname != null) [ "-N" (cfg.hostname) ] + ++ optional cfg.noRemote "--no-remote" + ++ cfg.extraArgs); + DynamicUser = true; + User = "icecc"; + Group = "icecc"; + StateDirectory = "icecc"; + RuntimeDirectory = "icecc"; + AmbientCapabilities = "CAP_SYS_CHROOT"; + CapabilityBoundingSet = "CAP_SYS_CHROOT"; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ emantor ]; +} diff --git a/nixos/modules/services/networking/icecream/scheduler.nix b/nixos/modules/services/networking/icecream/scheduler.nix new file mode 100644 index 00000000000..4ccbf27015d --- /dev/null +++ b/nixos/modules/services/networking/icecream/scheduler.nix @@ -0,0 +1,101 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.icecream.scheduler; +in { + + ###### interface + + options = { + + services.icecream.scheduler = { + enable = mkEnableOption "Icecream Scheduler"; + + netName = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Network name for the icecream scheduler. + + Uses the default ICECREAM if null. + ''; + }; + + port = mkOption { + type = types.port; + default = 8765; + description = '' + Server port to listen for icecream daemon requests. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + description = '' + Whether to automatically open the daemon port in the firewall. + ''; + }; + + openTelnet = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open the telnet TCP port on 8766. + ''; + }; + + persistentClientConnection = mkOption { + type = types.bool; + default = false; + description = '' + Whether to prevent clients from connecting to a better scheduler. + ''; + }; + + package = mkOption { + default = pkgs.icecream; + defaultText = "pkgs.icecream"; + type = types.package; + description = "Icecream package to use."; + }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + description = "Additional command line parameters"; + example = [ "-v" ]; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = mkMerge [ + (mkIf cfg.openFirewall [ cfg.port ]) + (mkIf cfg.openTelnet [ 8766 ]) + ]; + + systemd.services.icecc-scheduler = { + description = "Icecream scheduling server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = escapeShellArgs ([ + "${getBin cfg.package}/bin/icecc-scheduler" + "-p" (toString cfg.port) + ] + ++ optionals (cfg.netName != null) [ "-n" (toString cfg.netName) ] + ++ optional cfg.persistentClientConnection "-r" + ++ cfg.extraArgs); + + DynamicUser = true; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ emantor ]; +} diff --git a/nixos/modules/services/networking/inspircd.nix b/nixos/modules/services/networking/inspircd.nix new file mode 100644 index 00000000000..8cb2b406ee2 --- /dev/null +++ b/nixos/modules/services/networking/inspircd.nix @@ -0,0 +1,62 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.inspircd; + + configFile = pkgs.writeText "inspircd.conf" cfg.config; + +in { + meta = { + maintainers = [ lib.maintainers.sternenseemann ]; + }; + + options = { + services.inspircd = { + enable = lib.mkEnableOption "InspIRCd"; + + package = lib.mkOption { + type = lib.types.package; + default = pkgs.inspircd; + defaultText = lib.literalExample "pkgs.inspircd"; + example = lib.literalExample "pkgs.inspircdMinimal"; + description = '' + The InspIRCd package to use. This is mainly useful + to specify an overridden version of the + <literal>pkgs.inspircd</literal> dervivation, for + example if you want to use a more minimal InspIRCd + distribution with less modules enabled or with + modules enabled which can't be distributed in binary + form due to licensing issues. + ''; + }; + + config = lib.mkOption { + type = lib.types.lines; + description = '' + Verbatim <literal>inspircd.conf</literal> file. + For a list of options, consult the + <link xlink:href="https://docs.inspircd.org/3/configuration/">InspIRCd documentation</link>, the + <link xlink:href="https://docs.inspircd.org/3/modules/">Module documentation</link> + and the example configuration files distributed + with <literal>pkgs.inspircd.doc</literal> + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.inspircd = { + description = "InspIRCd - the stable, high-performance and modular Internet Relay Chat Daemon"; + wantedBy = [ "multi-user.target" ]; + requires = [ "network.target" ]; + + serviceConfig = { + Type = "simple"; + ExecStart = '' + ${lib.getBin cfg.package}/bin/inspircd start --config ${configFile} --nofork --nopid + ''; + DynamicUser = true; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/ircd-hybrid/default.nix b/nixos/modules/services/networking/ircd-hybrid/default.nix index 91d0bf437d6..1f5636e4e3a 100644 --- a/nixos/modules/services/networking/ircd-hybrid/default.nix +++ b/nixos/modules/services/networking/ircd-hybrid/default.nix @@ -10,7 +10,7 @@ let name = "ircd-hybrid-service"; scripts = [ "=>/bin" ./control.in ]; substFiles = [ "=>/conf" ./ircd.conf ]; - inherit (pkgs) ircdHybrid coreutils su iproute gnugrep procps; + inherit (pkgs) ircdHybrid coreutils su iproute2 gnugrep procps; ipv6Enabled = boolToString config.networking.enableIPv6; @@ -40,6 +40,7 @@ in serverName = mkOption { default = "hades.arpa"; + type = types.str; description = " IRCD server name. "; @@ -47,6 +48,7 @@ in sid = mkOption { default = "0NL"; + type = types.str; description = " IRCD server unique ID in a net of servers. "; @@ -54,6 +56,7 @@ in description = mkOption { default = "Hybrid-7 IRC server."; + type = types.str; description = " IRCD server description. "; @@ -62,6 +65,7 @@ in rsaKey = mkOption { default = null; example = literalExample "/root/certificates/irc.key"; + type = types.nullOr types.path; description = " IRCD server RSA key. "; @@ -70,6 +74,7 @@ in certificate = mkOption { default = null; example = literalExample "/root/certificates/irc.pem"; + type = types.nullOr types.path; description = " IRCD server SSL certificate. There are some limitations - read manual. "; @@ -77,6 +82,7 @@ in adminEmail = mkOption { default = "<bit-bucket@example.com>"; + type = types.str; example = "<name@domain.tld>"; description = " IRCD server administrator e-mail. @@ -86,6 +92,7 @@ in extraIPs = mkOption { default = []; example = ["127.0.0.1"]; + type = types.listOf types.str; description = " Extra IP's to bind. "; @@ -93,6 +100,7 @@ in extraPort = mkOption { default = "7117"; + type = types.str; description = " Extra port to avoid filtering. "; diff --git a/nixos/modules/services/networking/iscsi/initiator.nix b/nixos/modules/services/networking/iscsi/initiator.nix new file mode 100644 index 00000000000..cbc919a2f76 --- /dev/null +++ b/nixos/modules/services/networking/iscsi/initiator.nix @@ -0,0 +1,84 @@ +{ config, lib, pkgs, ... }: with lib; +let + cfg = config.services.openiscsi; +in +{ + options.services.openiscsi = with types; { + enable = mkEnableOption "the openiscsi iscsi daemon"; + enableAutoLoginOut = mkEnableOption '' + automatic login and logout of all automatic targets. + You probably do not want this. + ''; + discoverPortal = mkOption { + type = nullOr str; + default = null; + description = "Portal to discover targets on"; + }; + name = mkOption { + type = str; + description = "Name of this iscsi initiator"; + example = "iqn.2020-08.org.linux-iscsi.initiatorhost:example"; + }; + package = mkOption { + type = package; + description = "openiscsi package to use"; + default = pkgs.openiscsi; + defaultText = "pkgs.openiscsi"; + }; + + extraConfig = mkOption { + type = str; + default = ""; + description = "Lines to append to default iscsid.conf"; + }; + + extraConfigFile = mkOption { + description = '' + Append an additional file's contents to /etc/iscsid.conf. Use a non-store path + and store passwords in this file. + ''; + default = null; + type = nullOr str; + }; + }; + + config = mkIf cfg.enable { + environment.etc."iscsi/iscsid.conf.fragment".source = pkgs.runCommand "iscsid.conf" {} '' + cat "${cfg.package}/etc/iscsi/iscsid.conf" > $out + cat << 'EOF' >> $out + ${cfg.extraConfig} + ${optionalString cfg.enableAutoLoginOut "node.startup = automatic"} + EOF + ''; + environment.etc."iscsi/initiatorname.iscsi".text = "InitiatorName=${cfg.name}"; + + system.activationScripts.iscsid = let + extraCfgDumper = optionalString (cfg.extraConfigFile != null) '' + if [ -f "${cfg.extraConfigFile}" ]; then + printf "\n# The following is from ${cfg.extraConfigFile}:\n" + cat "${cfg.extraConfigFile}" + else + echo "Warning: services.openiscsi.extraConfigFile ${cfg.extraConfigFile} does not exist!" >&2 + fi + ''; + in '' + ( + cat ${config.environment.etc."iscsi/iscsid.conf.fragment".source} + ${extraCfgDumper} + ) > /etc/iscsi/iscsid.conf + ''; + + systemd.packages = [ cfg.package ]; + + systemd.services."iscsid".wantedBy = [ "multi-user.target" ]; + systemd.sockets."iscsid".wantedBy = [ "sockets.target" ]; + + systemd.services."iscsi" = mkIf cfg.enableAutoLoginOut { + wantedBy = [ "remote-fs.target" ]; + serviceConfig.ExecStartPre = mkIf (cfg.discoverPortal != null) "${cfg.package}/bin/iscsiadm --mode discoverydb --type sendtargets --portal ${escapeShellArg cfg.discoverPortal} --discover"; + }; + + environment.systemPackages = [ cfg.package ]; + boot.kernelModules = [ "iscsi_tcp" ]; + }; +} diff --git a/nixos/modules/services/networking/iscsi/root-initiator.nix b/nixos/modules/services/networking/iscsi/root-initiator.nix new file mode 100644 index 00000000000..3274878c4fa --- /dev/null +++ b/nixos/modules/services/networking/iscsi/root-initiator.nix @@ -0,0 +1,181 @@ +{ config, lib, pkgs, ... }: with lib; +let + cfg = config.boot.iscsi-initiator; +in +{ + # If you're booting entirely off another machine you may want to add + # this snippet to always boot the latest "system" version. It is not + # enabled by default in case you have an initrd on a local disk: + # + # boot.initrd.postMountCommands = '' + # ln -sfn /nix/var/nix/profiles/system/init /mnt-root/init + # stage2Init=/init + # ''; + # + # Note: Theoretically you might want to connect to multiple portals and + # log in to multiple targets, however the authors of this module so far + # don't have the need or expertise to reasonably implement it. Also, + # consider carefully before making your boot chain depend on multiple + # machines to be up. + options.boot.iscsi-initiator = with types; { + name = mkOption { + description = '' + Name of the iSCSI initiator to boot from. Note, booting from iscsi + requires networkd based networking. + ''; + default = null; + example = "iqn.2020-08.org.linux-iscsi.initiatorhost:example"; + type = nullOr str; + }; + + discoverPortal = mkOption { + description = '' + iSCSI portal to boot from. + ''; + default = null; + example = "192.168.1.1:3260"; + type = nullOr str; + }; + + target = mkOption { + description = '' + Name of the iSCSI target to boot from. + ''; + default = null; + example = "iqn.2020-08.org.linux-iscsi.targethost:example"; + type = nullOr str; + }; + + logLevel = mkOption { + description = '' + Higher numbers elicits more logs. + ''; + default = 1; + example = 8; + type = int; + }; + + loginAll = mkOption { + description = '' + Do not log into a specific target on the portal, but to all that we discover. + This overrides setting target. + ''; + type = bool; + default = false; + }; + + extraConfig = mkOption { + description = "Extra lines to append to /etc/iscsid.conf"; + default = null; + type = nullOr lines; + }; + + extraConfigFile = mkOption { + description = '' + Append an additional file's contents to `/etc/iscsid.conf`. Use a non-store path + and store passwords in this file. Note: the file specified here must be available + in the initrd, see: `boot.initrd.secrets`. + ''; + default = null; + type = nullOr str; + }; + }; + + config = mkIf (cfg.name != null) { + # The "scripted" networking configuration (ie: non-networkd) + # doesn't properly order the start and stop of the interfaces, and the + # network interfaces are torn down before unmounting disks. Since this + # module is specifically for very-early-boot network mounts, we need + # the network to stay on. + # + # We could probably fix the scripted options to properly order, but I'm + # not inclined to invest that time today. Hopefully this gets users far + # enough along and they can just use networkd. + networking.useNetworkd = true; + networking.useDHCP = false; # Required to set useNetworkd = true + + boot.initrd = { + network.enable = true; + + # By default, the stage-1 disables the network and resets the interfaces + # on startup. Since our startup disks are on the network, we can't let + # the network not work. + network.flushBeforeStage2 = false; + + kernelModules = [ "iscsi_tcp" ]; + + extraUtilsCommands = '' + copy_bin_and_libs ${pkgs.openiscsi}/bin/iscsid + copy_bin_and_libs ${pkgs.openiscsi}/bin/iscsiadm + ${optionalString (!config.boot.initrd.network.ssh.enable) "cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib"} + + mkdir -p $out/etc/iscsi + cp ${config.environment.etc.hosts.source} $out/etc/hosts + cp ${pkgs.openiscsi}/etc/iscsi/iscsid.conf $out/etc/iscsi/iscsid.fragment.conf + chmod +w $out/etc/iscsi/iscsid.fragment.conf + cat << 'EOF' >> $out/etc/iscsi/iscsid.fragment.conf + ${optionalString (cfg.extraConfig != null) cfg.extraConfig} + EOF + ''; + + extraUtilsCommandsTest = '' + $out/bin/iscsiadm --version + ''; + + preLVMCommands = let + extraCfgDumper = optionalString (cfg.extraConfigFile != null) '' + if [ -f "${cfg.extraConfigFile}" ]; then + printf "\n# The following is from ${cfg.extraConfigFile}:\n" + cat "${cfg.extraConfigFile}" + else + echo "Warning: boot.iscsi-initiator.extraConfigFile ${cfg.extraConfigFile} does not exist!" >&2 + fi + ''; + in '' + ${optionalString (!config.boot.initrd.network.ssh.enable) '' + # stolen from initrd-ssh.nix + echo 'root:x:0:0:root:/root:/bin/ash' > /etc/passwd + echo 'passwd: files' > /etc/nsswitch.conf + ''} + + cp -f $extraUtils/etc/hosts /etc/hosts + + mkdir -p /etc/iscsi /run/lock/iscsi + echo "InitiatorName=${cfg.name}" > /etc/iscsi/initiatorname.iscsi + + ( + cat "$extraUtils/etc/iscsi/iscsid.fragment.conf" + printf "\n" + ${optionalString cfg.loginAll ''echo "node.startup = automatic"''} + ${extraCfgDumper} + ) > /etc/iscsi/iscsid.conf + + iscsid --foreground --no-pid-file --debug ${toString cfg.logLevel} & + iscsiadm --mode discoverydb \ + --type sendtargets \ + --discover \ + --portal ${escapeShellArg cfg.discoverPortal} \ + --debug ${toString cfg.logLevel} + + ${if cfg.loginAll then '' + iscsiadm --mode node --loginall all + '' else '' + iscsiadm --mode node --targetname ${escapeShellArg cfg.target} --login + ''} + pkill -9 iscsid + ''; + }; + + services.openiscsi = { + enable = true; + inherit (cfg) name; + }; + + assertions = [ + { + assertion = cfg.loginAll -> cfg.target == null; + message = "iSCSI target name is set while login on all portals is enabled."; + } + ]; + }; +} diff --git a/nixos/modules/services/networking/iscsi/target.nix b/nixos/modules/services/networking/iscsi/target.nix new file mode 100644 index 00000000000..8a10e7d346a --- /dev/null +++ b/nixos/modules/services/networking/iscsi/target.nix @@ -0,0 +1,53 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.target; +in +{ + ###### interface + options = { + services.target = with types; { + enable = mkEnableOption "the kernel's LIO iscsi target"; + + config = mkOption { + type = attrs; + default = {}; + description = '' + Content of /etc/target/saveconfig.json + This file is normally read and written by targetcli + ''; + }; + }; + }; + + ###### implementation + config = mkIf cfg.enable { + environment.etc."target/saveconfig.json" = { + text = builtins.toJSON cfg.config; + mode = "0600"; + }; + + environment.systemPackages = with pkgs; [ targetcli ]; + + boot.kernelModules = [ "configfs" "target_core_mod" "iscsi_target_mod" ]; + + systemd.services.iscsi-target = { + enable = true; + after = [ "network.target" "local-fs.target" ]; + requires = [ "sys-kernel-config.mount" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.python3.pkgs.rtslib}/bin/targetctl restore"; + ExecStop = "${pkgs.python3.pkgs.rtslib}/bin/targetctl clear"; + RemainAfterExit = "yes"; + }; + }; + + systemd.tmpfiles.rules = [ + "d /etc/target 0700 root root - -" + ]; + }; +} diff --git a/nixos/modules/services/networking/iwd.nix b/nixos/modules/services/networking/iwd.nix index 6be67a8b96f..8835f7f9372 100644 --- a/nixos/modules/services/networking/iwd.nix +++ b/nixos/modules/services/networking/iwd.nix @@ -4,8 +4,31 @@ with lib; let cfg = config.networking.wireless.iwd; + ini = pkgs.formats.ini { }; + configFile = ini.generate "main.conf" cfg.settings; in { - options.networking.wireless.iwd.enable = mkEnableOption "iwd"; + options.networking.wireless.iwd = { + enable = mkEnableOption "iwd"; + + settings = mkOption { + type = ini.type; + default = { }; + + example = { + Settings.AutoConnect = true; + + Network = { + EnableIPv6 = true; + RoutePriorityOffset = 300; + }; + }; + + description = '' + Options passed to iwd. + See <link xlink:href="https://iwd.wiki.kernel.org/networkconfigurationsettings">here</link> for supported options. + ''; + }; + }; config = mkIf cfg.enable { assertions = [{ @@ -15,6 +38,8 @@ in { ''; }]; + environment.etc."iwd/main.conf".source = configFile; + # for iwctl environment.systemPackages = [ pkgs.iwd ]; @@ -22,7 +47,15 @@ in { systemd.packages = [ pkgs.iwd ]; - systemd.services.iwd.wantedBy = [ "multi-user.target" ]; + systemd.network.links."80-iwd" = { + matchConfig.Type = "wlan"; + linkConfig.NamePolicy = "keep kernel"; + }; + + systemd.services.iwd = { + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ configFile ]; + }; }; meta.maintainers = with lib.maintainers; [ mic92 dtzWill ]; diff --git a/nixos/modules/services/networking/jitsi-videobridge.nix b/nixos/modules/services/networking/jitsi-videobridge.nix index 5482e997a40..80f35d56e2d 100644 --- a/nixos/modules/services/networking/jitsi-videobridge.nix +++ b/nixos/modules/services/networking/jitsi-videobridge.nix @@ -191,6 +191,16 @@ in Whether to open ports in the firewall for the videobridge. ''; }; + + apis = mkOption { + type = with types; listOf str; + description = '' + What is passed as --apis= parameter. If this is empty, "none" is passed. + Needed for monitoring jitsi. + ''; + default = []; + example = literalExample "[ \"colibri\" \"rest\" ]"; + }; }; config = mkIf cfg.enable { @@ -221,7 +231,7 @@ in "export ${toVarName name}=$(cat ${xmppConfig.passwordFile})\n" ) cfg.xmppConfigs)) + '' - ${pkgs.jitsi-videobridge}/bin/jitsi-videobridge --apis=none + ${pkgs.jitsi-videobridge}/bin/jitsi-videobridge --apis=${if (cfg.apis == []) then "none" else concatStringsSep "," cfg.apis} ''; serviceConfig = { diff --git a/nixos/modules/services/networking/kea.nix b/nixos/modules/services/networking/kea.nix new file mode 100644 index 00000000000..72773b83a49 --- /dev/null +++ b/nixos/modules/services/networking/kea.nix @@ -0,0 +1,361 @@ +{ config +, lib +, pkgs +, ... +}: + +with lib; + +let + cfg = config.services.kea; + + format = pkgs.formats.json {}; + + ctrlAgentConfig = format.generate "kea-ctrl-agent.conf" { + Control-agent = cfg.ctrl-agent.settings; + }; + dhcp4Config = format.generate "kea-dhcp4.conf" { + Dhcp4 = cfg.dhcp4.settings; + }; + dhcp6Config = format.generate "kea-dhcp6.conf" { + Dhcp6 = cfg.dhcp6.settings; + }; + dhcpDdnsConfig = format.generate "kea-dhcp-ddns.conf" { + DhcpDdns = cfg.dhcp-ddns.settings; + }; + + package = pkgs.kea; +in +{ + options.services.kea = with types; { + ctrl-agent = mkOption { + description = '' + Kea Control Agent configuration + ''; + default = {}; + type = submodule { + options = { + enable = mkEnableOption "Kea Control Agent"; + + extraArgs = mkOption { + type = listOf str; + default = []; + description = '' + List of additonal arguments to pass to the daemon. + ''; + }; + + settings = mkOption { + type = format.type; + default = null; + description = '' + Kea Control Agent configuration as an attribute set, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html"/>. + ''; + }; + }; + }; + }; + + dhcp4 = mkOption { + description = '' + DHCP4 Server configuration + ''; + default = {}; + type = submodule { + options = { + enable = mkEnableOption "Kea DHCP4 server"; + + extraArgs = mkOption { + type = listOf str; + default = []; + description = '' + List of additonal arguments to pass to the daemon. + ''; + }; + + settings = mkOption { + type = format.type; + default = null; + example = { + valid-lifetime = 4000; + renew-timer = 1000; + rebind-timer = 2000; + interfaces-config = { + interfaces = [ + "eth0" + ]; + }; + lease-database = { + type = "memfile"; + persist = true; + name = "/var/lib/kea/dhcp4.leases"; + }; + subnet4 = [ { + subnet = "192.0.2.0/24"; + pools = [ { + pool = "192.0.2.100 - 192.0.2.240"; + } ]; + } ]; + }; + description = '' + Kea DHCP4 configuration as an attribute set, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp4-srv.html"/>. + ''; + }; + }; + }; + }; + + dhcp6 = mkOption { + description = '' + DHCP6 Server configuration + ''; + default = {}; + type = submodule { + options = { + enable = mkEnableOption "Kea DHCP6 server"; + + extraArgs = mkOption { + type = listOf str; + default = []; + description = '' + List of additonal arguments to pass to the daemon. + ''; + }; + + settings = mkOption { + type = format.type; + default = null; + example = { + valid-lifetime = 4000; + renew-timer = 1000; + rebind-timer = 2000; + preferred-lifetime = 3000; + interfaces-config = { + interfaces = [ + "eth0" + ]; + }; + lease-database = { + type = "memfile"; + persist = true; + name = "/var/lib/kea/dhcp6.leases"; + }; + subnet6 = [ { + subnet = "2001:db8:1::/64"; + pools = [ { + pool = "2001:db8:1::1-2001:db8:1::ffff"; + } ]; + } ]; + }; + description = '' + Kea DHCP6 configuration as an attribute set, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp6-srv.html"/>. + ''; + }; + }; + }; + }; + + dhcp-ddns = mkOption { + description = '' + Kea DHCP-DDNS configuration + ''; + default = {}; + type = submodule { + options = { + enable = mkEnableOption "Kea DDNS server"; + + extraArgs = mkOption { + type = listOf str; + default = []; + description = '' + List of additonal arguments to pass to the daemon. + ''; + }; + + settings = mkOption { + type = format.type; + default = null; + example = { + ip-address = "127.0.0.1"; + port = 53001; + dns-server-timeout = 100; + ncr-protocol = "UDP"; + ncr-format = "JSON"; + tsig-keys = [ ]; + forward-ddns = { + ddns-domains = [ ]; + }; + reverse-ddns = { + ddns-domains = [ ]; + }; + }; + description = '' + Kea DHCP-DDNS configuration as an attribute set, see <link xlink:href="https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html"/>. + ''; + }; + }; + }; + }; + }; + + config = let + commonServiceConfig = { + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + DynamicUser = true; + User = "kea"; + ConfigurationDirectory = "kea"; + RuntimeDirectory = "kea"; + StateDirectory = "kea"; + UMask = "0077"; + }; + in mkIf (cfg.ctrl-agent.enable || cfg.dhcp4.enable || cfg.dhcp6.enable || cfg.dhcp-ddns.enable) (mkMerge [ + { + environment.systemPackages = [ package ]; + } + + (mkIf cfg.ctrl-agent.enable { + + environment.etc."kea/ctrl-agent.conf".source = ctrlAgentConfig; + + systemd.services.kea-ctrl-agent = { + description = "Kea Control Agent"; + documentation = [ + "man:kea-ctrl-agent(8)" + "https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html" + ]; + + after = [ + "network-online.target" + "time-sync.target" + ]; + wantedBy = [ + "kea-dhcp4-server.service" + "kea-dhcp6-server.service" + "kea-dhcp-ddns-server.service" + ]; + + environment = { + KEA_PIDFILE_DIR = "/run/kea"; + }; + + serviceConfig = { + ExecStart = "${package}/bin/kea-ctrl-agent -c /etc/kea/ctrl-agent.conf ${lib.escapeShellArgs cfg.dhcp4.extraArgs}"; + KillMode = "process"; + Restart = "on-failure"; + } // commonServiceConfig; + }; + }) + + (mkIf cfg.dhcp4.enable { + + environment.etc."kea/dhcp4-server.conf".source = dhcp4Config; + + systemd.services.kea-dhcp4-server = { + description = "Kea DHCP4 Server"; + documentation = [ + "man:kea-dhcp4(8)" + "https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp4-srv.html" + ]; + + after = [ + "network-online.target" + "time-sync.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + + environment = { + KEA_PIDFILE_DIR = "/run/kea"; + }; + + serviceConfig = { + ExecStart = "${package}/bin/kea-dhcp4 -c /etc/kea/dhcp4-server.conf ${lib.escapeShellArgs cfg.dhcp4.extraArgs}"; + # Kea does not request capabilities by itself + AmbientCapabilities = [ + "CAP_NET_BIND_SERVICE" + "CAP_NET_RAW" + ]; + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" + "CAP_NET_RAW" + ]; + } // commonServiceConfig; + }; + }) + + (mkIf cfg.dhcp6.enable { + + environment.etc."kea/dhcp6-server.conf".source = dhcp6Config; + + systemd.services.kea-dhcp6-server = { + description = "Kea DHCP6 Server"; + documentation = [ + "man:kea-dhcp6(8)" + "https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp6-srv.html" + ]; + + after = [ + "network-online.target" + "time-sync.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + + environment = { + KEA_PIDFILE_DIR = "/run/kea"; + }; + + serviceConfig = { + ExecStart = "${package}/bin/kea-dhcp6 -c /etc/kea/dhcp6-server.conf ${lib.escapeShellArgs cfg.dhcp6.extraArgs}"; + # Kea does not request capabilities by itself + AmbientCapabilities = [ + "CAP_NET_BIND_SERVICE" + ]; + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" + ]; + } // commonServiceConfig; + }; + }) + + (mkIf cfg.dhcp-ddns.enable { + + environment.etc."kea/dhcp-ddns.conf".source = dhcpDdnsConfig; + + systemd.services.kea-dhcp-ddns-server = { + description = "Kea DHCP-DDNS Server"; + documentation = [ + "man:kea-dhcp-ddns(8)" + "https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html" + ]; + + after = [ + "network-online.target" + "time-sync.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + + environment = { + KEA_PIDFILE_DIR = "/run/kea"; + }; + + serviceConfig = { + ExecStart = "${package}/bin/kea-dhcp-ddns -c /etc/kea/dhcp-ddns.conf ${lib.escapeShellArgs cfg.dhcp-ddns.extraArgs}"; + AmbientCapabilites = [ + "CAP_NET_BIND_SERVICE" + ]; + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" + ]; + } // commonServiceConfig; + }; + }) + + ]); + + meta.maintainers = with maintainers; [ hexa ]; +} diff --git a/nixos/modules/services/networking/kippo.nix b/nixos/modules/services/networking/kippo.nix index 553415a2f32..6fedb0a270f 100644 --- a/nixos/modules/services/networking/kippo.nix +++ b/nixos/modules/services/networking/kippo.nix @@ -17,37 +17,37 @@ in enable = mkOption { default = false; type = types.bool; - description = ''Enable the kippo honeypot ssh server.''; + description = "Enable the kippo honeypot ssh server."; }; port = mkOption { default = 2222; type = types.int; - description = ''TCP port number for kippo to bind to.''; + description = "TCP port number for kippo to bind to."; }; hostname = mkOption { default = "nas3"; type = types.str; - description = ''Hostname for kippo to present to SSH login''; + description = "Hostname for kippo to present to SSH login"; }; varPath = mkOption { default = "/var/lib/kippo"; type = types.path; - description = ''Path of read/write files needed for operation and configuration.''; + description = "Path of read/write files needed for operation and configuration."; }; logPath = mkOption { default = "/var/log/kippo"; type = types.path; - description = ''Path of log files needed for operation and configuration.''; + description = "Path of log files needed for operation and configuration."; }; pidPath = mkOption { default = "/run/kippo"; type = types.path; - description = ''Path of pid files needed for operation.''; + description = "Path of pid files needed for operation."; }; extraConfig = mkOption { default = ""; type = types.lines; - description = ''Extra verbatim configuration added to the end of kippo.cfg.''; + description = "Extra verbatim configuration added to the end of kippo.cfg."; }; }; diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix index ccb34163d5f..6882a315f61 100644 --- a/nixos/modules/services/networking/kresd.nix +++ b/nixos/modules/services/networking/kresd.nix @@ -8,14 +8,14 @@ let # Convert systemd-style address specification to kresd config line(s). # On Nix level we don't attempt to precisely validate the address specifications. mkListen = kind: addr: let - al_v4 = builtins.match "([0-9.]\+):([0-9]\+)" addr; - al_v6 = builtins.match "\\[(.\+)]:([0-9]\+)" addr; - al_portOnly = builtins.match "()([0-9]\+)" addr; + al_v4 = builtins.match "([0-9.]+):([0-9]+)" addr; + al_v6 = builtins.match "\\[(.+)]:([0-9]+)" addr; + al_portOnly = builtins.match "([0-9]+)" addr; al = findFirst (a: a != null) (throw "services.kresd.*: incorrect address specification '${addr}'") [ al_v4 al_v6 al_portOnly ]; port = last al; - addrSpec = if al_portOnly == null then "'${head al}'" else "{'::', '127.0.0.1'}"; + addrSpec = if al_portOnly == null then "'${head al}'" else "{'::', '0.0.0.0'}"; in # freebind is set for compatibility with earlier kresd services; # it could be configurable, for example. '' @@ -23,18 +23,12 @@ let ''; configFile = pkgs.writeText "kresd.conf" ( - optionalString (cfg.listenDoH != []) '' - modules.load('http') - '' + "" + concatMapStrings (mkListen "dns") cfg.listenPlain + concatMapStrings (mkListen "tls") cfg.listenTLS - + concatMapStrings (mkListen "doh") cfg.listenDoH + + concatMapStrings (mkListen "doh2") cfg.listenDoH + cfg.extraConfig ); - - package = if cfg.listenDoH == [] - then pkgs.knot-resolver # never force `extraFeatures = false` - else pkgs.knot-resolver.override { extraFeatures = true; }; in { meta.maintainers = [ maintainers.vcunat /* upstream developer */ ]; @@ -62,6 +56,15 @@ in { and give commands interactively to kresd@1.service. ''; }; + package = mkOption { + type = types.package; + description = " + knot-resolver package to use. + "; + default = pkgs.knot-resolver; + defaultText = "pkgs.knot-resolver"; + example = literalExample "pkgs.knot-resolver.override { extraFeatures = true; }"; + }; extraConfig = mkOption { type = types.lines; default = ""; @@ -92,7 +95,7 @@ in { default = []; example = [ "198.51.100.1:443" "[2001:db8::1]:443" "443" ]; description = '' - Addresses and ports on which kresd should provide DNS over HTTPS (see RFC 8484). + Addresses and ports on which kresd should provide DNS over HTTPS/2 (see RFC 8484). For detailed syntax see ListenStream in man systemd.socket. ''; }; @@ -112,6 +115,8 @@ in { config = mkIf cfg.enable { environment.etc."knot-resolver/kresd.conf".source = configFile; # not required + networking.resolvconf.useLocalResolver = mkDefault true; + users.users.knot-resolver = { isSystemUser = true; group = "knot-resolver"; @@ -119,7 +124,7 @@ in { }; users.groups.knot-resolver.gid = null; - systemd.packages = [ package ]; # the units are patched inside the package a bit + systemd.packages = [ cfg.package ]; # the units are patched inside the package a bit systemd.targets.kresd = { # configure units started by default wantedBy = [ "multi-user.target" ]; @@ -127,8 +132,8 @@ in { ++ map (i: "kresd@${toString i}.service") (range 1 cfg.instances); }; systemd.services."kresd@".serviceConfig = { - ExecStart = "${package}/bin/kresd --noninteractive " - + "-c ${package}/lib/knot-resolver/distro-preconfig.lua -c ${configFile}"; + ExecStart = "${cfg.package}/bin/kresd --noninteractive " + + "-c ${cfg.package}/lib/knot-resolver/distro-preconfig.lua -c ${configFile}"; # Ensure /run/knot-resolver exists RuntimeDirectory = "knot-resolver"; RuntimeDirectoryMode = "0770"; @@ -139,10 +144,7 @@ in { CacheDirectory = "knot-resolver"; CacheDirectoryMode = "0770"; }; - - # Try cleaning up the previously default location of cache file. - # Note that /var/cache/* should always be safe to remove. - # TODO: remove later, probably between 20.09 and 21.03 - systemd.tmpfiles.rules = [ "R /var/cache/kresd" ]; + # We don't mind running stop phase from wrong version. It seems less racy. + systemd.services."kresd@".stopIfChanged = false; }; } diff --git a/nixos/modules/services/networking/libreswan.nix b/nixos/modules/services/networking/libreswan.nix index 280158b89f6..1f0423ac3d8 100644 --- a/nixos/modules/services/networking/libreswan.nix +++ b/nixos/modules/services/networking/libreswan.nix @@ -9,21 +9,22 @@ let libexec = "${pkgs.libreswan}/libexec/ipsec"; ipsec = "${pkgs.libreswan}/sbin/ipsec"; - trim = chars: str: let - nonchars = filter (x : !(elem x.value chars)) - (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str)); - in - if length nonchars == 0 then "" - else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str; + trim = chars: str: + let + nonchars = filter (x : !(elem x.value chars)) + (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str)); + in + if length nonchars == 0 then "" + else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str; indent = str: concatStrings (concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (splitString "\n" str)); configText = indent (toString cfg.configSetup); connectionText = concatStrings (mapAttrsToList (n: v: '' conn ${n} ${indent v} - '') cfg.connections); - configFile = pkgs.writeText "ipsec.conf" + + configFile = pkgs.writeText "ipsec-nixos.conf" '' config setup ${configText} @@ -31,6 +32,11 @@ let ${connectionText} ''; + policyFiles = mapAttrs' (name: text: + { name = "ipsec.d/policies/${name}"; + value.source = pkgs.writeText "ipsec-policy-${name}" text; + }) cfg.policies; + in { @@ -41,41 +47,71 @@ in services.libreswan = { - enable = mkEnableOption "libreswan ipsec service"; + enable = mkEnableOption "Libreswan IPsec service"; configSetup = mkOption { type = types.lines; default = '' protostack=netkey - nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 ''; example = '' secretsfile=/root/ipsec.secrets protostack=netkey - nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 ''; - description = "Options to go in the 'config setup' section of the libreswan ipsec configuration"; + description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration"; }; connections = mkOption { type = types.attrsOf types.lines; default = {}; - example = { - myconnection = '' - auto=add - left=%defaultroute - leftid=@user - - right=my.vpn.com - - ikev2=no - ikelifetime=8h - ''; - }; - description = "A set of connections to define for the libreswan ipsec service"; + example = literalExample '' + { myconnection = ''' + auto=add + left=%defaultroute + leftid=@user + + right=my.vpn.com + + ikev2=no + ikelifetime=8h + '''; + } + ''; + description = "A set of connections to define for the Libreswan IPsec service"; + }; + + policies = mkOption { + type = types.attrsOf types.lines; + default = {}; + example = literalExample '' + { private-or-clear = ''' + # Attempt opportunistic IPsec for the entire Internet + 0.0.0.0/0 + ::/0 + '''; + } + ''; + description = '' + A set of policies to apply to the IPsec connections. + + <note><para> + The policy name must match the one of connection it needs to apply to. + </para></note> + ''; }; + + disableRedirects = mkOption { + type = types.bool; + default = true; + description = '' + Whether to disable send and accept redirects for all nework interfaces. + See the Libreswan <link xlink:href="https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F"> + FAQ</link> page for why this is recommended. + ''; + }; + }; }; @@ -85,43 +121,38 @@ in config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.libreswan pkgs.iproute ]; + # Install package, systemd units, etc. + environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ]; + systemd.packages = [ pkgs.libreswan ]; + systemd.tmpfiles.packages = [ pkgs.libreswan ]; + + # Install configuration files + environment.etc = { + "ipsec.secrets".source = "${pkgs.libreswan}/etc/ipsec.secrets"; + "ipsec.conf".source = "${pkgs.libreswan}/etc/ipsec.conf"; + "ipsec.d/01-nixos.conf".source = configFile; + } // policyFiles; + + # Create NSS database directory + systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ]; systemd.services.ipsec = { description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec"; - path = [ - "${pkgs.libreswan}" - "${pkgs.iproute}" - "${pkgs.procps}" - "${pkgs.nssTools}" - "${pkgs.iptables}" - "${pkgs.nettools}" - ]; - - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - Type = "simple"; - Restart = "always"; - EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto"; - ExecStartPre = [ - "${libexec}/addconn --config ${configFile} --checkconfig" - "${libexec}/_stackmanager start" - "${ipsec} --checknss" - "${ipsec} --checknflog" - ]; - ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS"; - ExecStop = "${libexec}/whack --shutdown"; - ExecStopPost = [ - "${pkgs.iproute}/bin/ip xfrm policy flush" - "${pkgs.iproute}/bin/ip xfrm state flush" - "${ipsec} --stopnflog" - ]; - ExecReload = "${libexec}/whack --listen"; - }; - + restartTriggers = [ configFile ] ++ mapAttrsToList (n: v: v.source) policyFiles; + path = with pkgs; [ + libreswan + iproute2 + procps + nssTools + iptables + nettools + ]; + preStart = optionalString cfg.disableRedirects '' + # Disable send/receive redirects + echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects + echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects + ''; }; }; diff --git a/nixos/modules/services/networking/mailpile.nix b/nixos/modules/services/networking/mailpile.nix index b79ee11d17d..4673a2580b6 100644 --- a/nixos/modules/services/networking/mailpile.nix +++ b/nixos/modules/services/networking/mailpile.nix @@ -21,11 +21,13 @@ in enable = mkEnableOption "Mailpile the mail client"; hostname = mkOption { + type = types.str; default = "localhost"; description = "Listen to this hostname or ip."; }; port = mkOption { - default = "33411"; + type = types.port; + default = 33411; description = "Listen on this port."; }; }; diff --git a/nixos/modules/services/networking/matterbridge.nix b/nixos/modules/services/networking/matterbridge.nix index b8b4f37c84a..9186eee26ab 100644 --- a/nixos/modules/services/networking/matterbridge.nix +++ b/nixos/modules/services/networking/matterbridge.nix @@ -38,8 +38,8 @@ in # Use services.matterbridge.configPath instead. [irc] - [irc.freenode] - Server="irc.freenode.net:6667" + [irc.libera] + Server="irc.libera.chat:6667" Nick="matterbot" [mattermost] @@ -55,7 +55,7 @@ in name="gateway1" enable=true [[gateway.inout]] - account="irc.freenode" + account="irc.libera" channel="#testing" [[gateway.inout]] diff --git a/nixos/modules/services/networking/monero.nix b/nixos/modules/services/networking/monero.nix index 97af2997839..9a9084e4ce1 100644 --- a/nixos/modules/services/networking/monero.nix +++ b/nixos/modules/services/networking/monero.nix @@ -4,7 +4,6 @@ with lib; let cfg = config.services.monero; - dataDir = "/var/lib/monero"; listToConf = option: list: concatMapStrings (value: "${option}=${value}\n") list; @@ -53,11 +52,19 @@ in enable = mkEnableOption "Monero node daemon"; + dataDir = mkOption { + type = types.str; + default = "/var/lib/monero"; + description = '' + The directory where Monero stores its data files. + ''; + }; + mining.enable = mkOption { type = types.bool; default = false; description = '' - Whether to mine moneroj. + Whether to mine monero. ''; }; @@ -87,7 +94,7 @@ in }; rpc.password = mkOption { - type = types.str; + type = types.nullOr types.str; default = null; description = '' Password for RPC connections. @@ -103,7 +110,7 @@ in }; rpc.port = mkOption { - type = types.int; + type = types.port; default = 18081; description = '' Port the RPC server will bind to. @@ -198,15 +205,14 @@ in config = mkIf cfg.enable { users.users.monero = { - uid = config.ids.uids.monero; + isSystemUser = true; + group = "monero"; description = "Monero daemon user"; - home = dataDir; + home = cfg.dataDir; createHome = true; }; - users.groups.monero = { - gid = config.ids.gids.monero; - }; + users.groups.monero = { }; systemd.services.monero = { description = "monero daemon"; diff --git a/nixos/modules/services/networking/morty.nix b/nixos/modules/services/networking/morty.nix index e3a6444c116..e110a5c8610 100644 --- a/nixos/modules/services/networking/morty.nix +++ b/nixos/modules/services/networking/morty.nix @@ -29,9 +29,11 @@ in key = mkOption { type = types.str; default = ""; - description = "HMAC url validation key (hexadecimal encoded). - Leave blank to disable. Without validation key, anyone can - submit proxy requests. Leave blank to disable."; + description = '' + HMAC url validation key (hexadecimal encoded). + Leave blank to disable. Without validation key, anyone can + submit proxy requests. Leave blank to disable. + ''; defaultText = "No HMAC url validation. Generate with echo -n somevalue | openssl dgst -sha1 -hmac somekey"; }; @@ -85,10 +87,10 @@ in serviceConfig = { User = "morty"; ExecStart = ''${cfg.package}/bin/morty \ - -listen ${cfg.listenAddress}:${toString cfg.port} \ - ${optionalString cfg.ipv6 "-ipv6"} \ - ${optionalString (cfg.key != "") "-key " + cfg.key} \ - ''; + -listen ${cfg.listenAddress}:${toString cfg.port} \ + ${optionalString cfg.ipv6 "-ipv6"} \ + ${optionalString (cfg.key != "") "-key " + cfg.key} \ + ''; }; }; environment.systemPackages = [ cfg.package ]; diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix index d2feb93e2b7..8e814ffd0b9 100644 --- a/nixos/modules/services/networking/mosquitto.nix +++ b/nixos/modules/services/networking/mosquitto.nix @@ -20,8 +20,7 @@ let acl_file ${aclFile} persistence true allow_anonymous ${boolToString cfg.allowAnonymous} - bind_address ${cfg.host} - port ${toString cfg.port} + listener ${toString cfg.port} ${cfg.host} ${passwordConf} ${listenerConf} ${cfg.extraConf} @@ -123,12 +122,33 @@ in ''; }; + passwordFile = mkOption { + type = with types; uniq (nullOr str); + example = "/path/to/file"; + default = null; + description = '' + Specifies the path to a file containing the + clear text password for the MQTT user. + ''; + }; + hashedPassword = mkOption { type = with types; uniq (nullOr str); default = null; description = '' Specifies the hashed password for the MQTT User. - <option>hashedPassword</option> overrides <option>password</option>. + To generate hashed password install <literal>mosquitto</literal> + package and use <literal>mosquitto_passwd</literal>. + ''; + }; + + hashedPasswordFile = mkOption { + type = with types; uniq (nullOr str); + example = "/path/to/file"; + default = null; + description = '' + Specifies the path to a file containing the + hashed password for the MQTT user. To generate hashed password install <literal>mosquitto</literal> package and use <literal>mosquitto_passwd</literal>. ''; @@ -190,6 +210,13 @@ in config = mkIf cfg.enable { + assertions = mapAttrsToList (name: cfg: { + assertion = length (filter (s: s != null) (with cfg; [ + password passwordFile hashedPassword hashedPasswordFile + ])) <= 1; + message = "Cannot set more than one password option"; + }) cfg.users; + systemd.services.mosquitto = { description = "Mosquitto MQTT Broker Daemon"; wantedBy = [ "multi-user.target" ]; @@ -204,13 +231,62 @@ in Restart = "on-failure"; ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + # Hardening + CapabilityBoundingSet = ""; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "strict"; + ReadWritePaths = [ + cfg.dataDir + "/tmp" # mosquitto_passwd creates files in /tmp before moving them + ]; + ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [ + certfile + keyfile + cafile + ]; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_UNIX" # for sd_notify() call + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; }; preStart = '' rm -f ${cfg.dataDir}/passwd touch ${cfg.dataDir}/passwd '' + concatStringsSep "\n" ( mapAttrsToList (n: c: - if c.hashedPassword != null then + if c.hashedPasswordFile != null then + "echo '${n}:'$(cat '${c.hashedPasswordFile}') >> ${cfg.dataDir}/passwd" + else if c.passwordFile != null then + "${pkgs.mosquitto}/bin/mosquitto_passwd -b ${cfg.dataDir}/passwd ${n} $(cat '${c.passwordFile}')" + else if c.hashedPassword != null then "echo '${n}:${c.hashedPassword}' >> ${cfg.dataDir}/passwd" else optionalString (c.password != null) "${pkgs.mosquitto}/bin/mosquitto_passwd -b ${cfg.dataDir}/passwd ${n} '${c.password}'" diff --git a/nixos/modules/services/networking/mullvad-vpn.nix b/nixos/modules/services/networking/mullvad-vpn.nix index cc98414257c..8ce71f26b3e 100644 --- a/nixos/modules/services/networking/mullvad-vpn.nix +++ b/nixos/modules/services/networking/mullvad-vpn.nix @@ -15,6 +15,9 @@ with lib; config = mkIf cfg.enable { boot.kernelModules = [ "tun" ]; + # mullvad-daemon writes to /etc/iproute2/rt_tables + networking.iproute2.enable = true; + systemd.services.mullvad-daemon = { description = "Mullvad VPN daemon"; wantedBy = [ "multi-user.target" ]; @@ -25,13 +28,13 @@ with lib; "systemd-resolved.service" ]; path = [ - pkgs.iproute + pkgs.iproute2 # Needed for ping "/run/wrappers" ]; + startLimitBurst = 5; + startLimitIntervalSec = 20; serviceConfig = { - StartLimitBurst = 5; - StartLimitIntervalSec = 20; ExecStart = "${pkgs.mullvad-vpn}/bin/mullvad-daemon -v --disable-stdout-timestamps"; Restart = "always"; RestartSec = 1; diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix index 3054ae1b201..f8bb878ec65 100644 --- a/nixos/modules/services/networking/murmur.nix +++ b/nixos/modules/services/networking/murmur.nix @@ -98,7 +98,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 64738; description = "Ports to bind to (UDP and TCP)."; }; @@ -109,6 +109,13 @@ in description = "Host to bind to. Defaults binding on all addresses."; }; + package = mkOption { + type = types.package; + default = pkgs.murmur; + defaultText = "pkgs.murmur"; + description = "Overridable attribute of the murmur package to use."; + }; + password = mkOption { type = types.str; default = ""; @@ -241,6 +248,34 @@ in default = ""; description = "Extra configuration to put into murmur.ini."; }; + + environmentFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/lib/murmur/murmurd.env"; + description = '' + Environment file as defined in <citerefentry> + <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>. + + Secrets may be passed to the service without adding them to the world-readable + Nix store, by specifying placeholder variables as the option value in Nix and + setting these variables accordingly in the environment file. + + <programlisting> + # snippet of murmur-related config + services.murmur.password = "$MURMURD_PASSWORD"; + </programlisting> + + <programlisting> + # content of the environment file + MURMURD_PASSWORD=verysecretpassword + </programlisting> + + Note that this file needs to be available on the host on which + <literal>murmur</literal> is running. + ''; + }; }; }; @@ -250,20 +285,33 @@ in home = "/var/lib/murmur"; createHome = true; uid = config.ids.uids.murmur; + group = "murmur"; + }; + users.groups.murmur = { + gid = config.ids.gids.murmur; }; systemd.services.murmur = { description = "Murmur Chat Service"; wantedBy = [ "multi-user.target" ]; after = [ "network-online.target "]; + preStart = '' + ${pkgs.envsubst}/bin/envsubst \ + -o /run/murmur/murmurd.ini \ + -i ${configFile} + ''; serviceConfig = { # murmurd doesn't fork when logging to the console. - Type = if forking then "forking" else "simple"; - PIDFile = mkIf forking "/run/murmur/murmurd.pid"; - RuntimeDirectory = mkIf forking "murmur"; - User = "murmur"; - ExecStart = "${pkgs.murmur}/bin/murmurd -ini ${configFile}"; + Type = if forking then "forking" else "simple"; + PIDFile = mkIf forking "/run/murmur/murmurd.pid"; + EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile; + ExecStart = "${cfg.package}/bin/murmurd -ini /run/murmur/murmurd.ini"; + Restart = "always"; + RuntimeDirectory = "murmur"; + RuntimeDirectoryMode = "0700"; + User = "murmur"; + Group = "murmur"; }; }; }; diff --git a/nixos/modules/services/networking/mxisd.nix b/nixos/modules/services/networking/mxisd.nix index 482d6ff456b..f29d190c626 100644 --- a/nixos/modules/services/networking/mxisd.nix +++ b/nixos/modules/services/networking/mxisd.nix @@ -41,8 +41,8 @@ in { package = mkOption { type = types.package; - default = pkgs.mxisd; - defaultText = "pkgs.mxisd"; + default = pkgs.ma1sd; + defaultText = "pkgs.ma1sd"; description = "The mxisd/ma1sd package to use"; }; diff --git a/nixos/modules/services/networking/namecoind.nix b/nixos/modules/services/networking/namecoind.nix index 6ca99e1321b..8f7a5123f7e 100644 --- a/nixos/modules/services/networking/namecoind.nix +++ b/nixos/modules/services/networking/namecoind.nix @@ -89,7 +89,7 @@ in }; rpc.password = mkOption { - type = types.str; + type = types.nullOr types.str; default = null; description = '' Password for RPC connections. @@ -105,7 +105,7 @@ in }; rpc.port = mkOption { - type = types.int; + type = types.port; default = 8332; description = '' Port the RPC server will bind to. @@ -165,6 +165,8 @@ in after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; + startLimitIntervalSec = 120; + startLimitBurst = 5; serviceConfig = { User = "namecoin"; Group = "namecoin"; @@ -176,8 +178,6 @@ in TimeoutStopSec = "60s"; TimeoutStartSec = "2s"; Restart = "always"; - StartLimitInterval = "120s"; - StartLimitBurst = "5"; }; preStart = optionalString (cfg.wallet != "${dataDir}/wallet.dat") '' diff --git a/nixos/modules/services/networking/nar-serve.nix b/nixos/modules/services/networking/nar-serve.nix new file mode 100644 index 00000000000..745138186a2 --- /dev/null +++ b/nixos/modules/services/networking/nar-serve.nix @@ -0,0 +1,55 @@ +{ config, pkgs, lib, ... }: + +with lib; +let + cfg = config.services.nar-serve; +in +{ + meta = { + maintainers = [ maintainers.rizary ]; + }; + options = { + services.nar-serve = { + enable = mkEnableOption "Serve NAR file contents via HTTP"; + + port = mkOption { + type = types.port; + default = 8383; + description = '' + Port number where nar-serve will listen on. + ''; + }; + + cacheURL = mkOption { + type = types.str; + default = "https://cache.nixos.org/"; + description = '' + Binary cache URL to connect to. + + The URL format is compatible with the nix remote url style, such as: + - http://, https:// for binary caches via HTTP or HTTPS + - s3:// for binary caches stored in Amazon S3 + - gs:// for binary caches stored in Google Cloud Storage + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.nar-serve = { + description = "NAR server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + environment.PORT = toString cfg.port; + environment.NAR_CACHE_URL = cfg.cacheURL; + + serviceConfig = { + Restart = "always"; + RestartSec = "5s"; + ExecStart = "${pkgs.nar-serve}/bin/nar-serve"; + DynamicUser = true; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix index 21ae9eb8b6d..45eb500fe8c 100644 --- a/nixos/modules/services/networking/nat.nix +++ b/nixos/modules/services/networking/nat.nix @@ -9,7 +9,14 @@ with lib; let cfg = config.networking.nat; - dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}"; + mkDest = externalIP: if externalIP == null + then "-j MASQUERADE" + else "-j SNAT --to-source ${externalIP}"; + dest = mkDest cfg.externalIP; + destIPv6 = mkDest cfg.externalIPv6; + + # Whether given IP (plus optional port) is an IPv6. + isIPv6 = ip: builtins.length (lib.splitString ":" ip) > 2; helpers = import ./helpers.nix { inherit config lib; }; @@ -28,63 +35,80 @@ let ${cfg.extraStopCommands} ''; - setupNat = '' - ${helpers} - # Create subchain where we store rules - ip46tables -w -t nat -N nixos-nat-pre - ip46tables -w -t nat -N nixos-nat-post - ip46tables -w -t nat -N nixos-nat-out - + mkSetupNat = { iptables, dest, internalIPs, forwardPorts }: '' # We can't match on incoming interface in POSTROUTING, so # mark packets coming from the internal interfaces. ${concatMapStrings (iface: '' - iptables -w -t nat -A nixos-nat-pre \ + ${iptables} -w -t nat -A nixos-nat-pre \ -i '${iface}' -j MARK --set-mark 1 '') cfg.internalInterfaces} # NAT the marked packets. ${optionalString (cfg.internalInterfaces != []) '' - iptables -w -t nat -A nixos-nat-post -m mark --mark 1 \ + ${iptables} -w -t nat -A nixos-nat-post -m mark --mark 1 \ ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest} ''} # NAT packets coming from the internal IPs. ${concatMapStrings (range: '' - iptables -w -t nat -A nixos-nat-post \ + ${iptables} -w -t nat -A nixos-nat-post \ -s '${range}' ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest} - '') cfg.internalIPs} + '') internalIPs} # NAT from external ports to internal ports. ${concatMapStrings (fwd: '' - iptables -w -t nat -A nixos-nat-pre \ + ${iptables} -w -t nat -A nixos-nat-pre \ -i ${toString cfg.externalInterface} -p ${fwd.proto} \ --dport ${builtins.toString fwd.sourcePort} \ -j DNAT --to-destination ${fwd.destination} ${concatMapStrings (loopbackip: let - m = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination; - destinationIP = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else elemAt m 0; - destinationPorts = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (elemAt m 1); + matchIP = if isIPv6 fwd.destination then "[[]([0-9a-fA-F:]+)[]]" else "([0-9.]+)"; + m = builtins.match "${matchIP}:([0-9-]+)" fwd.destination; + destinationIP = if m == null then throw "bad ip:ports `${fwd.destination}'" else elemAt m 0; + destinationPorts = if m == null then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (elemAt m 1); in '' # Allow connections to ${loopbackip}:${toString fwd.sourcePort} from the host itself - iptables -w -t nat -A nixos-nat-out \ + ${iptables} -w -t nat -A nixos-nat-out \ -d ${loopbackip} -p ${fwd.proto} \ --dport ${builtins.toString fwd.sourcePort} \ -j DNAT --to-destination ${fwd.destination} # Allow connections to ${loopbackip}:${toString fwd.sourcePort} from other hosts behind NAT - iptables -w -t nat -A nixos-nat-pre \ + ${iptables} -w -t nat -A nixos-nat-pre \ -d ${loopbackip} -p ${fwd.proto} \ --dport ${builtins.toString fwd.sourcePort} \ -j DNAT --to-destination ${fwd.destination} - iptables -w -t nat -A nixos-nat-post \ + ${iptables} -w -t nat -A nixos-nat-post \ -d ${destinationIP} -p ${fwd.proto} \ --dport ${destinationPorts} \ -j SNAT --to-source ${loopbackip} '') fwd.loopbackIPs} - '') cfg.forwardPorts} + '') forwardPorts} + ''; + + setupNat = '' + ${helpers} + # Create subchains where we store rules + ip46tables -w -t nat -N nixos-nat-pre + ip46tables -w -t nat -N nixos-nat-post + ip46tables -w -t nat -N nixos-nat-out + + ${mkSetupNat { + iptables = "iptables"; + inherit dest; + inherit (cfg) internalIPs; + forwardPorts = filter (x: !(isIPv6 x.destination)) cfg.forwardPorts; + }} + + ${optionalString cfg.enableIPv6 (mkSetupNat { + iptables = "ip6tables"; + dest = destIPv6; + internalIPs = cfg.internalIPv6s; + forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts; + })} ${optionalString (cfg.dmzHost != null) '' iptables -w -t nat -A nixos-nat-pre \ @@ -117,6 +141,15 @@ in ''; }; + networking.nat.enableIPv6 = mkOption { + type = types.bool; + default = false; + description = + '' + Whether to enable IPv6 NAT. + ''; + }; + networking.nat.internalInterfaces = mkOption { type = types.listOf types.str; default = []; @@ -141,6 +174,18 @@ in ''; }; + networking.nat.internalIPv6s = mkOption { + type = types.listOf types.str; + default = []; + example = [ "fc00::/64" ]; + description = + '' + The IPv6 address ranges for which to perform NAT. Packets + coming from these addresses (on any interface) and destined + for the external interface will be rewritten. + ''; + }; + networking.nat.externalInterface = mkOption { type = types.nullOr types.str; default = null; @@ -164,6 +209,19 @@ in ''; }; + networking.nat.externalIPv6 = mkOption { + type = types.nullOr types.str; + default = null; + example = "2001:dc0:2001:11::175"; + description = + '' + The public IPv6 address to which packets from the local + network are to be rewritten. If this is left empty, the + IP address associated with the external interface will be + used. + ''; + }; + networking.nat.forwardPorts = mkOption { type = with types; listOf (submodule { options = { @@ -176,7 +234,7 @@ in destination = mkOption { type = types.str; example = "10.0.0.1:80"; - description = "Forward connection to destination ip:port; to specify a port range, use ip:start-end"; + description = "Forward connection to destination ip:port (or [ipv6]:port); to specify a port range, use ip:start-end"; }; proto = mkOption { @@ -195,11 +253,15 @@ in }; }); default = []; - example = [ { sourcePort = 8080; destination = "10.0.0.1:80"; proto = "tcp"; } ]; + example = [ + { sourcePort = 8080; destination = "10.0.0.1:80"; proto = "tcp"; } + { sourcePort = 8080; destination = "[fc00::2]:80"; proto = "tcp"; } + ]; description = '' List of forwarded ports from the external interface to - internal destinations by using DNAT. + internal destinations by using DNAT. Destination can be + IPv6 if IPv6 NAT is enabled. ''; }; @@ -246,6 +308,9 @@ in (mkIf config.networking.nat.enable { assertions = [ + { assertion = cfg.enableIPv6 -> config.networking.enableIPv6; + message = "networking.nat.enableIPv6 requires networking.enableIPv6"; + } { assertion = (cfg.dmzHost != null) -> (cfg.externalInterface != null); message = "networking.nat.dmzHost requires networking.nat.externalInterface"; } @@ -261,6 +326,15 @@ in kernel.sysctl = { "net.ipv4.conf.all.forwarding" = mkOverride 99 true; "net.ipv4.conf.default.forwarding" = mkOverride 99 true; + } // optionalAttrs cfg.enableIPv6 { + # Do not prevent IPv6 autoconfiguration. + # See <http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/>. + "net.ipv6.conf.all.accept_ra" = mkOverride 99 2; + "net.ipv6.conf.default.accept_ra" = mkOverride 99 2; + + # Forward IPv6 packets. + "net.ipv6.conf.all.forwarding" = mkOverride 99 true; + "net.ipv6.conf.default.forwarding" = mkOverride 99 true; }; }; diff --git a/nixos/modules/services/networking/ncdns.nix b/nixos/modules/services/networking/ncdns.nix index c1832ad1752..d30fe0f6f6d 100644 --- a/nixos/modules/services/networking/ncdns.nix +++ b/nixos/modules/services/networking/ncdns.nix @@ -243,8 +243,10 @@ in xlog.journal = true; }; - users.users.ncdns = - { description = "ncdns daemon user"; }; + users.users.ncdns = { + isSystemUser = true; + description = "ncdns daemon user"; + }; systemd.services.ncdns = { description = "ncdns daemon"; diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix new file mode 100644 index 00000000000..e7ebfe1b4db --- /dev/null +++ b/nixos/modules/services/networking/nebula.nix @@ -0,0 +1,219 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.nebula; + enabledNetworks = filterAttrs (n: v: v.enable) cfg.networks; + + format = pkgs.formats.yaml {}; + + nameToId = netName: "nebula-${netName}"; +in +{ + # Interface + + options = { + services.nebula = { + networks = mkOption { + description = "Nebula network definitions."; + default = {}; + type = types.attrsOf (types.submodule { + options = { + enable = mkOption { + type = types.bool; + default = true; + description = "Enable or disable this network."; + }; + + package = mkOption { + type = types.package; + default = pkgs.nebula; + defaultText = "pkgs.nebula"; + description = "Nebula derivation to use."; + }; + + ca = mkOption { + type = types.path; + description = "Path to the certificate authority certificate."; + example = "/etc/nebula/ca.crt"; + }; + + cert = mkOption { + type = types.path; + description = "Path to the host certificate."; + example = "/etc/nebula/host.crt"; + }; + + key = mkOption { + type = types.path; + description = "Path to the host key."; + example = "/etc/nebula/host.key"; + }; + + staticHostMap = mkOption { + type = types.attrsOf (types.listOf (types.str)); + default = {}; + description = '' + The static host map defines a set of hosts with fixed IP addresses on the internet (or any network). + A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel. + ''; + example = literalExample '' + { "192.168.100.1" = [ "100.64.22.11:4242" ]; } + ''; + }; + + isLighthouse = mkOption { + type = types.bool; + default = false; + description = "Whether this node is a lighthouse."; + }; + + lighthouses = mkOption { + type = types.listOf types.str; + default = []; + description = '' + List of IPs of lighthouse hosts this node should report to and query from. This should be empty on lighthouse + nodes. The IPs should be the lighthouse's Nebula IPs, not their external IPs. + ''; + example = ''[ "192.168.100.1" ]''; + }; + + listen.host = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "IP address to listen on."; + }; + + listen.port = mkOption { + type = types.port; + default = 4242; + description = "Port number to listen on."; + }; + + tun.disable = mkOption { + type = types.bool; + default = false; + description = '' + When tun is disabled, a lighthouse can be started without a local tun interface (and therefore without root). + ''; + }; + + tun.device = mkOption { + type = types.nullOr types.str; + default = null; + description = "Name of the tun device. Defaults to nebula.\${networkName}."; + }; + + firewall.outbound = mkOption { + type = types.listOf types.attrs; + default = []; + description = "Firewall rules for outbound traffic."; + example = ''[ { port = "any"; proto = "any"; host = "any"; } ]''; + }; + + firewall.inbound = mkOption { + type = types.listOf types.attrs; + default = []; + description = "Firewall rules for inbound traffic."; + example = ''[ { port = "any"; proto = "any"; host = "any"; } ]''; + }; + + settings = mkOption { + type = format.type; + default = {}; + description = '' + Nebula configuration. Refer to + <link xlink:href="https://github.com/slackhq/nebula/blob/master/examples/config.yml"/> + for details on supported values. + ''; + example = literalExample '' + { + lighthouse.dns = { + host = "0.0.0.0"; + port = 53; + }; + } + ''; + }; + }; + }); + }; + }; + }; + + # Implementation + config = mkIf (enabledNetworks != {}) { + systemd.services = mkMerge (mapAttrsToList (netName: netCfg: + let + networkId = nameToId netName; + settings = recursiveUpdate { + pki = { + ca = netCfg.ca; + cert = netCfg.cert; + key = netCfg.key; + }; + static_host_map = netCfg.staticHostMap; + lighthouse = { + am_lighthouse = netCfg.isLighthouse; + hosts = netCfg.lighthouses; + }; + listen = { + host = netCfg.listen.host; + port = netCfg.listen.port; + }; + tun = { + disabled = netCfg.tun.disable; + dev = if (netCfg.tun.device != null) then netCfg.tun.device else "nebula.${netName}"; + }; + firewall = { + inbound = netCfg.firewall.inbound; + outbound = netCfg.firewall.outbound; + }; + } netCfg.settings; + configFile = format.generate "nebula-config-${netName}.yml" settings; + in + { + # Create systemd service for Nebula. + "nebula@${netName}" = { + description = "Nebula VPN service for ${netName}"; + wants = [ "basic.target" ]; + after = [ "basic.target" "network.target" ]; + before = [ "sshd.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = mkMerge [ + { + Type = "simple"; + Restart = "always"; + ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}"; + } + # The service needs to launch as root to access the tun device, if it's enabled. + (mkIf netCfg.tun.disable { + User = networkId; + Group = networkId; + }) + ]; + }; + }) enabledNetworks); + + # Open the chosen ports for UDP. + networking.firewall.allowedUDPPorts = + unique (mapAttrsToList (netName: netCfg: netCfg.listen.port) enabledNetworks); + + # Create the service users and groups. + users.users = mkMerge (mapAttrsToList (netName: netCfg: + mkIf netCfg.tun.disable { + ${nameToId netName} = { + group = nameToId netName; + description = "Nebula service user for network ${netName}"; + isSystemUser = true; + }; + }) enabledNetworks); + + users.groups = mkMerge (mapAttrsToList (netName: netCfg: + mkIf netCfg.tun.disable { + ${nameToId netName} = {}; + }) enabledNetworks); + }; +} diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index cc789897b29..064018057cd 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -15,42 +15,58 @@ let networkmanager-openconnect networkmanager-openvpn networkmanager-vpnc + networkmanager-sstp ] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant; delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != []; enableIwd = cfg.wifi.backend == "iwd"; - configFile = pkgs.writeText "NetworkManager.conf" '' - [main] - plugins=keyfile - dhcp=${cfg.dhcp} - dns=${cfg.dns} - # If resolvconf is disabled that means that resolv.conf is managed by some other module. - rc-manager=${if config.networking.resolvconf.enable then "resolvconf" else "unmanaged"} - - [keyfile] - ${optionalString (cfg.unmanaged != []) - ''unmanaged-devices=${lib.concatStringsSep ";" cfg.unmanaged}''} - - [logging] - level=${cfg.logLevel} - audit=${lib.boolToString config.security.audit.enable} - - [connection] - ipv6.ip6-privacy=2 - ethernet.cloned-mac-address=${cfg.ethernet.macAddress} - wifi.cloned-mac-address=${cfg.wifi.macAddress} - ${optionalString (cfg.wifi.powersave != null) - ''wifi.powersave=${if cfg.wifi.powersave then "3" else "2"}''} - - [device] - wifi.scan-rand-mac-address=${if cfg.wifi.scanRandMacAddress then "yes" else "no"} - wifi.backend=${cfg.wifi.backend} - - ${cfg.extraConfig} + mkValue = v: + if v == true then "yes" + else if v == false then "no" + else if lib.isInt v then toString v + else v; + + mkSection = name: attrs: '' + [${name}] + ${ + lib.concatStringsSep "\n" + (lib.mapAttrsToList + (k: v: "${k}=${mkValue v}") + (lib.filterAttrs + (k: v: v != null) + attrs)) + } ''; + configFile = pkgs.writeText "NetworkManager.conf" (lib.concatStringsSep "\n" [ + (mkSection "main" { + plugins = "keyfile"; + dhcp = cfg.dhcp; + dns = cfg.dns; + # If resolvconf is disabled that means that resolv.conf is managed by some other module. + rc-manager = + if config.networking.resolvconf.enable then "resolvconf" + else "unmanaged"; + }) + (mkSection "keyfile" { + unmanaged-devices = + if cfg.unmanaged == [] then null + else lib.concatStringsSep ";" cfg.unmanaged; + }) + (mkSection "logging" { + audit = config.security.audit.enable; + level = cfg.logLevel; + }) + (mkSection "connection" cfg.connectionConfig) + (mkSection "device" { + "wifi.scan-rand-mac-address" = cfg.wifi.scanRandMacAddress; + "wifi.backend" = cfg.wifi.backend; + }) + cfg.extraConfig + ]); + /* [network-manager] Identity=unix-group:networkmanager @@ -153,6 +169,28 @@ in { ''; }; + connectionConfig = mkOption { + type = with types; attrsOf (nullOr (oneOf [ + bool + int + str + ])); + default = {}; + description = '' + Configuration for the [connection] section of NetworkManager.conf. + Refer to + <link xlink:href="https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html"> + https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html#id-1.2.3.11 + </link> + or + <citerefentry> + <refentrytitle>NetworkManager.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> + for more information. + ''; + }; + extraConfig = mkOption { type = types.lines; default = ""; @@ -386,6 +424,9 @@ in { "NetworkManager/VPN/nm-iodine-service.name".source = "${networkmanager-iodine}/lib/NetworkManager/VPN/nm-iodine-service.name"; + + "NetworkManager/VPN/nm-sstp-service.name".source = + "${networkmanager-sstp}/lib/NetworkManager/VPN/nm-sstp-service.name"; } // optionalAttrs (cfg.appendNameservers != [] || cfg.insertNameservers != []) { @@ -458,10 +499,10 @@ in { systemd.services.NetworkManager-dispatcher = { wantedBy = [ "network.target" ]; - restartTriggers = [ configFile ]; + restartTriggers = [ configFile overrideNameserversScript ]; # useful binaries for user-specified hooks - path = [ pkgs.iproute pkgs.utillinux pkgs.coreutils ]; + path = [ pkgs.iproute2 pkgs.util-linux pkgs.coreutils ]; aliases = [ "dbus-org.freedesktop.nm-dispatcher.service" ]; }; @@ -478,8 +519,22 @@ in { (mkIf enableIwd { wireless.iwd.enable = true; }) + + { + networkmanager.connectionConfig = { + "ipv6.ip6-privacy" = 2; + "ethernet.cloned-mac-address" = cfg.ethernet.macAddress; + "wifi.cloned-mac-address" = cfg.wifi.macAddress; + "wifi.powersave" = + if cfg.wifi.powersave == null then null + else if cfg.wifi.powersave then 3 + else 2; + }; + } ]; + boot.kernelModules = [ "ctr" ]; + security.polkit.extraConfig = polkitConf; services.dbus.packages = cfg.packages diff --git a/nixos/modules/services/networking/nextdns.nix b/nixos/modules/services/networking/nextdns.nix index a633bff62ec..b070eeec894 100644 --- a/nixos/modules/services/networking/nextdns.nix +++ b/nixos/modules/services/networking/nextdns.nix @@ -28,9 +28,9 @@ in { environment = { SERVICE_RUN_MODE = "1"; }; + startLimitIntervalSec = 5; + startLimitBurst = 10; serviceConfig = { - StartLimitInterval = 5; - StartLimitBurst = 10; ExecStart = "${pkgs.nextdns}/bin/nextdns run ${escapeShellArgs config.services.nextdns.arguments}"; RestartSec = 120; LimitMEMLOCK = "infinity"; diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix index ec9d9753cfe..cb75142965e 100644 --- a/nixos/modules/services/networking/nftables.nix +++ b/nixos/modules/services/networking/nftables.nix @@ -99,7 +99,7 @@ in config = mkIf cfg.enable { assertions = [{ assertion = config.networking.firewall.enable == false; - message = "You can not use nftables with services.networking.firewall."; + message = "You can not use nftables and iptables at the same time. networking.firewall.enable must be set to false."; }]; boot.blacklistedKernelModules = [ "ip_tables" ]; environment.systemPackages = [ pkgs.nftables ]; diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix index 347d87b3f38..7fc145f2303 100644 --- a/nixos/modules/services/networking/nix-serve.nix +++ b/nixos/modules/services/networking/nix-serve.nix @@ -11,7 +11,7 @@ in enable = mkEnableOption "nix-serve, the standalone Nix binary cache server"; port = mkOption { - type = types.int; + type = types.port; default = 5000; description = '' Port number where nix-serve will listen on. @@ -69,13 +69,9 @@ in ExecStart = "${pkgs.nix-serve}/bin/nix-serve " + "--listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}"; User = "nix-serve"; - Group = "nogroup"; + Group = "nix-serve"; + DynamicUser = true; }; }; - - users.users.nix-serve = { - description = "Nix-serve user"; - uid = config.ids.uids.nix-serve; - }; }; } diff --git a/nixos/modules/services/networking/nix-store-gcs-proxy.nix b/nixos/modules/services/networking/nix-store-gcs-proxy.nix index 3f2ce5bca4d..0012302db2e 100644 --- a/nixos/modules/services/networking/nix-store-gcs-proxy.nix +++ b/nixos/modules/services/networking/nix-store-gcs-proxy.nix @@ -42,9 +42,9 @@ in description = "A HTTP nix store that proxies requests to Google Storage"; wantedBy = ["multi-user.target"]; + startLimitIntervalSec = 10; serviceConfig = { RestartSec = 5; - StartLimitInterval = 10; ExecStart = '' ${pkgs.nix-store-gcs-proxy}/bin/nix-store-gcs-proxy \ --bucket-name ${cfg.bucketName} \ diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix new file mode 100644 index 00000000000..48689f1195c --- /dev/null +++ b/nixos/modules/services/networking/nomad.nix @@ -0,0 +1,165 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.nomad; + format = pkgs.formats.json { }; +in +{ + ##### interface + options = { + services.nomad = { + enable = mkEnableOption "Nomad, a distributed, highly available, datacenter-aware scheduler"; + + package = mkOption { + type = types.package; + default = pkgs.nomad; + defaultText = "pkgs.nomad"; + description = '' + The package used for the Nomad agent and CLI. + ''; + }; + + extraPackages = mkOption { + type = types.listOf types.package; + default = [ ]; + description = '' + Extra packages to add to <envar>PATH</envar> for the Nomad agent process. + ''; + example = literalExample '' + with pkgs; [ cni-plugins ] + ''; + }; + + dropPrivileges = mkOption { + type = types.bool; + default = true; + description = '' + Whether the nomad agent should be run as a non-root nomad user. + ''; + }; + + enableDocker = mkOption { + type = types.bool; + default = true; + description = '' + Enable Docker support. Needed for Nomad's docker driver. + + Note that the docker group membership is effectively equivalent + to being root, see https://github.com/moby/moby/issues/9976. + ''; + }; + + extraSettingsPaths = mkOption { + type = types.listOf types.path; + default = []; + description = '' + Additional settings paths used to configure nomad. These can be files or directories. + ''; + example = literalExample '' + [ "/etc/nomad-mutable.json" "/run/keys/nomad-with-secrets.json" "/etc/nomad/config.d" ] + ''; + }; + + settings = mkOption { + type = format.type; + default = {}; + description = '' + Configuration for Nomad. See the <link xlink:href="https://www.nomadproject.io/docs/configuration">documentation</link> + for supported values. + + Notes about <literal>data_dir</literal>: + + If <literal>data_dir</literal> is set to a value other than the + default value of <literal>"/var/lib/nomad"</literal> it is the Nomad + cluster manager's responsibility to make sure that this directory + exists and has the appropriate permissions. + + Additionally, if <literal>dropPrivileges</literal> is + <literal>true</literal> then <literal>data_dir</literal> + <emphasis>cannot</emphasis> be customized. Setting + <literal>dropPrivileges</literal> to <literal>true</literal> enables + the <literal>DynamicUser</literal> feature of systemd which directly + manages and operates on <literal>StateDirectory</literal>. + ''; + example = literalExample '' + { + # A minimal config example: + server = { + enabled = true; + bootstrap_expect = 1; # for demo; no fault tolerance + }; + client = { + enabled = true; + }; + } + ''; + }; + }; + }; + + ##### implementation + config = mkIf cfg.enable { + services.nomad.settings = { + # Agrees with `StateDirectory = "nomad"` set below. + data_dir = mkDefault "/var/lib/nomad"; + }; + + environment = { + etc."nomad.json".source = format.generate "nomad.json" cfg.settings; + systemPackages = [ cfg.package ]; + }; + + systemd.services.nomad = { + description = "Nomad"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + restartTriggers = [ config.environment.etc."nomad.json".source ]; + + path = cfg.extraPackages ++ (with pkgs; [ + # Client mode requires at least the following: + coreutils + iproute2 + iptables + ]); + + serviceConfig = mkMerge [ + { + DynamicUser = cfg.dropPrivileges; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + ExecStart = "${cfg.package}/bin/nomad agent -config=/etc/nomad.json" + + concatMapStrings (path: " -config=${path}") cfg.extraSettingsPaths; + KillMode = "process"; + KillSignal = "SIGINT"; + LimitNOFILE = 65536; + LimitNPROC = "infinity"; + OOMScoreAdjust = -1000; + Restart = "on-failure"; + RestartSec = 2; + TasksMax = "infinity"; + } + (mkIf cfg.enableDocker { + SupplementaryGroups = "docker"; # space-separated string + }) + (mkIf (cfg.settings.data_dir == "/var/lib/nomad") { + StateDirectory = "nomad"; + }) + ]; + + unitConfig = { + StartLimitIntervalSec = 10; + StartLimitBurst = 3; + }; + }; + + assertions = [ + { + assertion = cfg.dropPrivileges -> cfg.settings.data_dir == "/var/lib/nomad"; + message = "settings.data_dir must be equal to \"/var/lib/nomad\" if dropPrivileges is true"; + } + ]; + + # Docker support requires the Docker daemon to be running. + virtualisation.docker.enable = mkIf cfg.enableDocker true; + }; +} diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix index 3ecbd06ee41..2ac0a8c7922 100644 --- a/nixos/modules/services/networking/nsd.nix +++ b/nixos/modules/services/networking/nsd.nix @@ -20,6 +20,15 @@ let mkZoneFileName = name: if name == "." then "root" else name; + # replaces include: directives for keys with fake keys for nsd-checkconf + injectFakeKeys = keys: concatStrings + (mapAttrsToList + (keyName: keyOptions: '' + fakeKey="$(${pkgs.bind}/bin/tsig-keygen -a ${escapeShellArgs [ keyOptions.algorithm keyName ]} | grep -oP "\s*secret \"\K.*(?=\";)")" + sed "s@^\s*include:\s*\"${stateDir}/private/${keyName}\"\$@secret: $fakeKey@" -i $out/nsd.conf + '') + keys); + nsdEnv = pkgs.buildEnv { name = "nsd-env"; @@ -34,9 +43,9 @@ let echo "|- checking zone '$out/zones/$zoneFile'" ${nsdPkg}/sbin/nsd-checkzone "$zoneFile" "$zoneFile" || { if grep -q \\\\\\$ "$zoneFile"; then - echo zone "$zoneFile" contains escaped dollar signes \\\$ - echo Escaping them is not needed any more. Please make shure \ - to unescape them where they prefix a variable name + echo zone "$zoneFile" contains escaped dollar signs \\\$ + echo Escaping them is not needed any more. Please make sure \ + to unescape them where they prefix a variable name. fi exit 1 @@ -44,7 +53,14 @@ let done echo "checking configuration file" + # Save original config file including key references... + cp $out/nsd.conf{,.orig} + # ...inject mock keys into config + ${injectFakeKeys cfg.keys} + # ...do the checkconf ${nsdPkg}/sbin/nsd-checkconf $out/nsd.conf + # ... and restore original config file. + mv $out/nsd.conf{.orig,} ''; }; @@ -916,14 +932,14 @@ in after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; + startLimitBurst = 4; + startLimitIntervalSec = 5 * 60; # 5 mins serviceConfig = { ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf"; StandardError = "null"; PIDFile = pidFile; Restart = "always"; RestartSec = "4s"; - StartLimitBurst = 4; - StartLimitInterval = "5min"; }; preStart = '' diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix index b7e4c89a155..96c6444c23a 100644 --- a/nixos/modules/services/networking/ntp/chrony.nix +++ b/nixos/modules/services/networking/ntp/chrony.nix @@ -4,20 +4,23 @@ with lib; let cfg = config.services.chrony; + chronyPkg = cfg.package; - stateDir = "/var/lib/chrony"; + stateDir = cfg.directory; + driftFile = "${stateDir}/chrony.drift"; keyFile = "${stateDir}/chrony.keys"; configFile = pkgs.writeText "chrony.conf" '' - ${concatMapStringsSep "\n" (server: "server " + server + " iburst") cfg.servers} + ${concatMapStringsSep "\n" (server: "server " + server + " " + cfg.serverOption + optionalString (cfg.enableNTS) " nts") cfg.servers} ${optionalString (cfg.initstepslew.enabled && (cfg.servers != [])) "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.servers}" } - driftfile ${stateDir}/chrony.drift + driftfile ${driftFile} keyfile ${keyFile} + ${optionalString (cfg.enableNTS) "ntsdumpdir ${stateDir}"} ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"} @@ -38,14 +41,48 @@ in ''; }; + package = mkOption { + type = types.package; + default = pkgs.chrony; + defaultText = "pkgs.chrony"; + description = '' + Which chrony package to use. + ''; + }; + servers = mkOption { default = config.networking.timeServers; + type = types.listOf types.str; description = '' The set of NTP servers from which to synchronise. ''; }; + serverOption = mkOption { + default = "iburst"; + type = types.enum [ "iburst" "offline" ]; + description = '' + Set option for server directives. + + Use "iburst" to rapidly poll on startup. Recommended if your machine + is consistently online. + + Use "offline" to prevent polling on startup. Recommended if your + machine boots offline or is otherwise frequently offline. + ''; + }; + + enableNTS = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable Network Time Security authentication. + Make sure it is supported by your selected NTP server(s). + ''; + }; + initstepslew = mkOption { + type = types.attrsOf (types.either types.bool types.int); default = { enabled = true; threshold = 1000; # by default, same threshold as 'ntpd -g' (1000s) @@ -57,6 +94,12 @@ in ''; }; + directory = mkOption { + type = types.str; + default = "/var/lib/chrony"; + description = "Directory where chrony state is stored."; + }; + extraConfig = mkOption { type = types.lines; default = ""; @@ -78,7 +121,7 @@ in config = mkIf cfg.enable { meta.maintainers = with lib.maintainers; [ thoughtpolice ]; - environment.systemPackages = [ pkgs.chrony ]; + environment.systemPackages = [ chronyPkg ]; users.groups.chrony.gid = config.ids.gids.chrony; @@ -95,6 +138,7 @@ in systemd.tmpfiles.rules = [ "d ${stateDir} 0755 chrony chrony - -" + "f ${driftFile} 0640 chrony chrony -" "f ${keyFile} 0640 chrony chrony -" ]; @@ -107,17 +151,16 @@ in after = [ "network.target" ]; conflicts = [ "ntpd.service" "systemd-timesyncd.service" ]; - path = [ pkgs.chrony ]; + path = [ chronyPkg ]; unitConfig.ConditionCapability = "CAP_SYS_TIME"; serviceConfig = { Type = "simple"; - ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}"; + ExecStart = "${chronyPkg}/bin/chronyd ${chronyFlags}"; ProtectHome = "yes"; ProtectSystem = "full"; PrivateTmp = "yes"; - StateDirectory = "chrony"; }; }; diff --git a/nixos/modules/services/networking/ntp/ntpd.nix b/nixos/modules/services/networking/ntp/ntpd.nix index 51398851adc..861b0db01a4 100644 --- a/nixos/modules/services/networking/ntp/ntpd.nix +++ b/nixos/modules/services/networking/ntp/ntpd.nix @@ -79,6 +79,7 @@ in servers = mkOption { default = config.networking.timeServers; + type = types.listOf types.str; description = '' The set of NTP servers from which to synchronise. ''; diff --git a/nixos/modules/services/networking/nylon.nix b/nixos/modules/services/networking/nylon.nix index 7c171281a92..a20fa615af8 100644 --- a/nixos/modules/services/networking/nylon.nix +++ b/nixos/modules/services/networking/nylon.nix @@ -140,7 +140,7 @@ in services.nylon = mkOption { default = {}; description = "Collection of named nylon instances"; - type = with types; loaOf (submodule nylonOpts); + type = with types; attrsOf (submodule nylonOpts); internal = true; }; @@ -160,7 +160,7 @@ in users.groups.nylon.gid = config.ids.gids.nylon; - systemd.services = fold (a: b: a // b) {} nylonUnits; + systemd.services = foldr (a: b: a // b) {} nylonUnits; }; } diff --git a/nixos/modules/services/networking/onedrive.nix b/nixos/modules/services/networking/onedrive.nix index 210d2217b27..c52f920bae2 100644 --- a/nixos/modules/services/networking/onedrive.nix +++ b/nixos/modules/services/networking/onedrive.nix @@ -53,7 +53,7 @@ in { serviceConfig = { Type = "simple"; ExecStart = '' - ${cfg.package}/bin/onedrive --monitor --verbose --confdir=%h/.config/%i + ${cfg.package}/bin/onedrive --monitor --confdir=%h/.config/%i ''; Restart="on-failure"; RestartSec=3; diff --git a/nixos/modules/services/networking/openvpn.nix b/nixos/modules/services/networking/openvpn.nix index dcd7e9e5fa4..b4c2c944b6e 100644 --- a/nixos/modules/services/networking/openvpn.nix +++ b/nixos/modules/services/networking/openvpn.nix @@ -11,7 +11,7 @@ let makeOpenVPNJob = cfg: name: let - path = (getAttr "openvpn-${name}" config.systemd.services).path; + path = makeBinPath (getAttr "openvpn-${name}" config.systemd.services).path; upScript = '' #! /bin/sh @@ -63,7 +63,7 @@ let wantedBy = optional cfg.autoStart "multi-user.target"; after = [ "network.target" ]; - path = [ pkgs.iptables pkgs.iproute pkgs.nettools ]; + path = [ pkgs.iptables pkgs.iproute2 pkgs.nettools ]; serviceConfig.ExecStart = "@${openvpn}/sbin/openvpn openvpn --suppress-timestamps --config ${configFile}"; serviceConfig.Restart = "always"; diff --git a/nixos/modules/services/networking/owamp.nix b/nixos/modules/services/networking/owamp.nix index 637ed618b89..baf64347b09 100644 --- a/nixos/modules/services/networking/owamp.nix +++ b/nixos/modules/services/networking/owamp.nix @@ -10,7 +10,7 @@ in ###### interface options = { - services.owamp.enable = mkEnableOption ''Enable OWAMP server''; + services.owamp.enable = mkEnableOption "Enable OWAMP server"; }; diff --git a/nixos/modules/services/networking/pdns-recursor.nix b/nixos/modules/services/networking/pdns-recursor.nix index 6ff181377fc..a326eccfd65 100644 --- a/nixos/modules/services/networking/pdns-recursor.nix +++ b/nixos/modules/services/networking/pdns-recursor.nix @@ -3,9 +3,6 @@ with lib; let - dataDir = "/var/lib/pdns-recursor"; - username = "pdns-recursor"; - cfg = config.services.pdns-recursor; oneOrMore = type: with types; either type (listOf type); @@ -21,7 +18,7 @@ let else if builtins.isList val then (concatMapStringsSep "," serialize val) else ""; - configFile = pkgs.writeText "recursor.conf" + configDir = pkgs.writeTextDir "recursor.conf" (concatStringsSep "\n" (flip mapAttrsToList cfg.settings (name: val: "${name}=${serialize val}"))); @@ -173,45 +170,30 @@ in { serve-rfc1918 = cfg.serveRFC1918; lua-config-file = pkgs.writeText "recursor.lua" cfg.luaConfig; + daemon = false; + write-pid = false; log-timestamp = false; disable-syslog = true; }; - users.users.${username} = { - home = dataDir; - createHome = true; - uid = config.ids.uids.pdns-recursor; - description = "PowerDNS Recursor daemon user"; - }; + systemd.packages = [ pkgs.pdns-recursor ]; systemd.services.pdns-recursor = { - unitConfig.Documentation = "man:pdns_recursor(1) man:rec_control(1)"; - description = "PowerDNS recursive server"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; serviceConfig = { - User = username; - Restart ="on-failure"; - RestartSec = "5"; - PrivateTmp = true; - PrivateDevices = true; - AmbientCapabilities = "cap_net_bind_service"; - ExecStart = ''${pkgs.pdns-recursor}/bin/pdns_recursor \ - --config-dir=${dataDir} \ - --socket-dir=${dataDir} - ''; + ExecStart = [ "" "${pkgs.pdns-recursor}/bin/pdns_recursor --config-dir=${configDir}" ]; }; + }; - preStart = '' - # Link configuration file into recursor home directory - configPath=${dataDir}/recursor.conf - if [ "$(realpath $configPath)" != "${configFile}" ]; then - rm -f $configPath - ln -s ${configFile} $configPath - fi - ''; + users.users.pdns-recursor = { + isSystemUser = true; + group = "pdns-recursor"; + description = "PowerDNS Recursor daemon user"; }; + + users.groups.pdns-recursor = {}; + }; imports = [ diff --git a/nixos/modules/services/networking/pixiecore.nix b/nixos/modules/services/networking/pixiecore.nix index 85aa40784af..d2642c82c2d 100644 --- a/nixos/modules/services/networking/pixiecore.nix +++ b/nixos/modules/services/networking/pixiecore.nix @@ -93,6 +93,7 @@ in users.users.pixiecore = { description = "Pixiecore daemon user"; group = "pixiecore"; + isSystemUser = true; }; networking.firewall = mkIf cfg.openFirewall { diff --git a/nixos/modules/services/networking/pleroma.nix b/nixos/modules/services/networking/pleroma.nix new file mode 100644 index 00000000000..bd75083a4a7 --- /dev/null +++ b/nixos/modules/services/networking/pleroma.nix @@ -0,0 +1,141 @@ +{ config, options, lib, pkgs, stdenv, ... }: +let + cfg = config.services.pleroma; +in { + options = { + services.pleroma = with lib; { + enable = mkEnableOption "pleroma"; + + package = mkOption { + type = types.package; + default = pkgs.pleroma; + description = "Pleroma package to use."; + }; + + user = mkOption { + type = types.str; + default = "pleroma"; + description = "User account under which pleroma runs."; + }; + + group = mkOption { + type = types.str; + default = "pleroma"; + description = "Group account under which pleroma runs."; + }; + + stateDir = mkOption { + type = types.str; + default = "/var/lib/pleroma"; + readOnly = true; + description = "Directory where the pleroma service will save the uploads and static files."; + }; + + configs = mkOption { + type = with types; listOf str; + description = '' + Pleroma public configuration. + + This list gets appended from left to + right into /etc/pleroma/config.exs. Elixir evaluates its + configuration imperatively, meaning you can override a + setting by appending a new str to this NixOS option list. + + <emphasis>DO NOT STORE ANY PLEROMA SECRET + HERE</emphasis>, use + <link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link> + instead. + + This setting is going to be stored in a file part of + the Nix store. The Nix store being world-readable, it's not + the right place to store any secret + + Have a look to Pleroma section in the NixOS manual for more + informations. + ''; + }; + + secretConfigFile = mkOption { + type = types.str; + default = "/var/lib/pleroma/secrets.exs"; + description = '' + Path to the file containing your secret pleroma configuration. + + <emphasis>DO NOT POINT THIS OPTION TO THE NIX + STORE</emphasis>, the store being world-readable, it'll + compromise all your secrets. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + users = { + users."${cfg.user}" = { + description = "Pleroma user"; + home = cfg.stateDir; + extraGroups = [ cfg.group ]; + isSystemUser = true; + }; + groups."${cfg.group}" = {}; + }; + + environment.systemPackages = [ cfg.package ]; + + environment.etc."/pleroma/config.exs".text = '' + ${lib.concatMapStrings (x: "${x}") cfg.configs} + + # The lau/tzdata library is trying to download the latest + # timezone database in the OTP priv directory by default. + # This directory being in the store, it's read-only. + # Setting that up to a more appropriate location. + config :tzdata, :data_dir, "/var/lib/pleroma/elixir_tzdata_data" + + import_config "${cfg.secretConfigFile}" + ''; + + systemd.services.pleroma = { + description = "Pleroma social network"; + after = [ "network-online.target" "postgresql.service" ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Type = "exec"; + WorkingDirectory = "~"; + StateDirectory = "pleroma pleroma/static pleroma/uploads"; + StateDirectoryMode = "700"; + + # Checking the conf file is there then running the database + # migration before each service start, just in case there are + # some pending ones. + # + # It's sub-optimal as we'll always run this, even if pleroma + # has not been updated. But the no-op process is pretty fast. + # Better be safe than sorry migration-wise. + ExecStartPre = + let preScript = pkgs.writers.writeBashBin "pleromaStartPre" + "${cfg.package}/bin/pleroma_ctl migrate"; + in "${preScript}/bin/pleromaStartPre"; + + ExecStart = "${cfg.package}/bin/pleroma start"; + ExecStop = "${cfg.package}/bin/pleroma stop"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + # Systemd sandboxing directives. + # Taken from the upstream contrib systemd service at + # pleroma/installation/pleroma.service + PrivateTmp = true; + ProtectHome = true; + ProtectSystem = "full"; + PrivateDevices = false; + NoNewPrivileges = true; + CapabilityBoundingSet = "~CAP_SYS_ADMIN"; + }; + }; + + }; + meta.maintainers = with lib.maintainers; [ ninjatrappeur ]; + meta.doc = ./pleroma.xml; +} diff --git a/nixos/modules/services/networking/pleroma.xml b/nixos/modules/services/networking/pleroma.xml new file mode 100644 index 00000000000..9ab0be3d947 --- /dev/null +++ b/nixos/modules/services/networking/pleroma.xml @@ -0,0 +1,132 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="module-services-pleroma"> + <title>Pleroma</title> + <para><link xlink:href="https://pleroma.social/">Pleroma</link> is a lightweight activity pub server.</para> + <section xml:id="module-services-pleroma-getting-started"> + <title>Quick Start</title> + <para>To get quickly started, you can use this sample NixOS configuration and adapt it to your use case.</para> + <para><programlisting> + { + security.acme = { + email = "root@tld"; + acceptTerms = true; + certs = { + "social.tld.com" = { + webroot = "/var/www/social.tld.com"; + email = "root@tld"; + group = "nginx"; + }; + }; + }; + services = { + pleroma = { + enable = true; + secretConfigFile = "/var/lib/pleroma/secrets.exs"; + configs = [ + '' + import Config + + config :pleroma, Pleroma.Web.Endpoint, + url: [host: "social.tld.com", scheme: "https", port: 443], + http: [ip: {127, 0, 0, 1}, port: 4000] + + config :pleroma, :instance, + name: "NixOS test pleroma server", + email: "pleroma@social.tld.com", + notify_email: "pleroma@social.tld.com", + limit: 5000, + registrations_open: true + + config :pleroma, :media_proxy, + enabled: false, + redirect_on_failure: true + #base_url: "https://cache.pleroma.social" + + config :pleroma, Pleroma.Repo, + adapter: Ecto.Adapters.Postgres, + username: "pleroma", + password: "${test-db-passwd}", + database: "pleroma", + hostname: "localhost", + pool_size: 10, + prepare: :named, + parameters: [ + plan_cache_mode: "force_custom_plan" + ] + + config :pleroma, :database, rum_enabled: false + config :pleroma, :instance, static_dir: "/var/lib/pleroma/static" + config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads" + config :pleroma, configurable_from_database: false + '' + ]; + }; + postgresql = { + enable = true; + package = pkgs.postgresql_12; + }; + nginx = { + enable = true; + addSSL = true; + sslCertificate = "/var/lib/acme/social.tld.com/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/social.tld.com/key.pem"; + root = "/var/www/social.tld.com"; + # ACME endpoint + locations."/.well-known/acme-challenge" = { + root = "/var/www/social.tld.com/"; + }; + virtualHosts."social.tld.com" = { + addSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:4000"; + extraConfig = '' + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; + add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; + if ($request_method = OPTIONS) { + return 204; + } + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + client_max_body_size 16m; + ''; + }; + }; + }; + }; + }; + </programlisting></para> + <para>Note that you'll need to seed your database and upload your pleroma secrets to the path pointed by <literal>config.pleroma.secretConfigFile</literal>. You can find more informations about how to do that in the <link linkend="module-services-pleroma-generate-config">next</link> section.</para> + </section> + <section xml:id="module-services-pleroma-generate-config"> + <title>Generating the Pleroma Config and Seed the Database</title> + + <para>Before using this service, you'll need to generate your +server configuration and its associated database seed. The +<literal>pleroma_ctl</literal> CLI utility can help you with that. You +can start with <literal>pleroma_ctl instance gen --output config.exs +--output-psql setup.psql</literal>, this will prompt you some +questions and will generate both your config file and database initial +migration. </para> +<para>For more details about this configuration format, please have a look at the <link xlink:href="https://docs-develop.pleroma.social/backend/configuration/cheatsheet/">upstream documentation</link>.</para> +<para>To seed your database, you can use the <literal>setup.psql</literal> file you just generated by running +<programlisting> + sudo -u postgres psql -f setup.psql +</programlisting></para> + <para>In regard of the pleroma service configuration you also just generated, you'll need to split it in two parts. The "public" part, which do not contain any secrets and thus can be safely stored in the Nix store and its "private" counterpart containing some secrets (database password, endpoint secret key, salts, etc.).</para> + + <para>The public part will live in your NixOS machine configuration in the <link linkend="opt-services.pleroma.configs">services.pleroma.configs</link> option. However, it's up to you to upload the secret pleroma configuration to the path pointed by <link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link>. You can do that manually or rely on a third party tool such as <link xlink:href="https://github.com/DBCDK/morph">Morph</link> or <link xlink:href="https://github.com/NixOS/nixops">NixOps</link>.</para> + </section> +</chapter> diff --git a/nixos/modules/services/networking/powerdns.nix b/nixos/modules/services/networking/powerdns.nix index ba05e15389f..8cae61b8354 100644 --- a/nixos/modules/services/networking/powerdns.nix +++ b/nixos/modules/services/networking/powerdns.nix @@ -8,42 +8,40 @@ let in { options = { services.powerdns = { - enable = mkEnableOption "Powerdns domain name server"; + enable = mkEnableOption "PowerDNS domain name server"; extraConfig = mkOption { type = types.lines; default = "launch=bind"; description = '' - Extra lines to be added verbatim to pdns.conf. - Powerdns will chroot to /var/lib/powerdns. - So any file, powerdns is supposed to be read, - should be in /var/lib/powerdns and needs to specified - relative to the chroot. + PowerDNS configuration. Refer to + <link xlink:href="https://doc.powerdns.com/authoritative/settings.html"/> + for details on supported values. ''; }; }; }; - config = mkIf config.services.powerdns.enable { + config = mkIf cfg.enable { + + systemd.packages = [ pkgs.powerdns ]; + systemd.services.pdns = { - unitConfig.Documentation = "man:pdns_server(1) man:pdns_control(1)"; - description = "Powerdns name server"; wantedBy = [ "multi-user.target" ]; - after = ["network.target" "mysql.service" "postgresql.service" "openldap.service"]; + after = [ "network.target" "mysql.service" "postgresql.service" "openldap.service" ]; serviceConfig = { - Restart="on-failure"; - RestartSec="1"; - StartLimitInterval="0"; - PrivateDevices=true; - CapabilityBoundingSet="CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT"; - NoNewPrivileges=true; - ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/powerdns"; - ExecStart = "${pkgs.powerdns}/bin/pdns_server --setuid=nobody --setgid=nogroup --chroot=/var/lib/powerdns --socket-dir=/ --daemon=no --guardian=no --disable-syslog --write-pid=no --config-dir=${configDir}"; - ProtectSystem="full"; - ProtectHome=true; - RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6"; + ExecStart = [ "" "${pkgs.powerdns}/bin/pdns_server --config-dir=${configDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ]; }; }; + + users.users.pdns = { + isSystemUser = true; + group = "pdns"; + description = "PowerDNS"; + }; + + users.groups.pdns = {}; + }; } diff --git a/nixos/modules/services/networking/pppd.nix b/nixos/modules/services/networking/pppd.nix index c1cbdb46176..37f44f07ac4 100644 --- a/nixos/modules/services/networking/pppd.nix +++ b/nixos/modules/services/networking/pppd.nix @@ -82,13 +82,21 @@ in LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so"; NIX_REDIRECTS = "/var/run=/run/pppd"; }; - serviceConfig = { + serviceConfig = let + capabilities = [ + "CAP_BPF" + "CAP_SYS_TTY_CONFIG" + "CAP_NET_ADMIN" + "CAP_NET_RAW" + ]; + in + { ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog"; Restart = "always"; RestartSec = 5; - AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN"; - CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN"; + AmbientCapabilities = capabilities; + CapabilityBoundingSet = capabilities; KeyringMode = "private"; LockPersonality = true; MemoryDenyWriteExecute = true; @@ -103,7 +111,17 @@ in ProtectKernelTunables = false; ProtectSystem = "strict"; RemoveIPC = true; - RestrictAddressFamilies = "AF_PACKET AF_UNIX AF_PPPOX AF_ATMPVC AF_ATMSVC AF_INET AF_INET6 AF_IPX"; + RestrictAddressFamilies = [ + "AF_ATMPVC" + "AF_ATMSVC" + "AF_INET" + "AF_INET6" + "AF_IPX" + "AF_NETLINK" + "AF_PACKET" + "AF_PPPOX" + "AF_UNIX" + ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; diff --git a/nixos/modules/services/networking/prayer.nix b/nixos/modules/services/networking/prayer.nix index f04dac01d9b..ae9258b2712 100644 --- a/nixos/modules/services/networking/prayer.nix +++ b/nixos/modules/services/networking/prayer.nix @@ -44,7 +44,8 @@ in enable = mkEnableOption "the prayer webmail http server"; port = mkOption { - default = "2080"; + default = 2080; + type = types.port; description = '' Port the prayer http server is listening to. ''; diff --git a/nixos/modules/services/networking/privoxy.nix b/nixos/modules/services/networking/privoxy.nix index 1f41c720adf..df818baa465 100644 --- a/nixos/modules/services/networking/privoxy.nix +++ b/nixos/modules/services/networking/privoxy.nix @@ -4,19 +4,46 @@ with lib; let - inherit (pkgs) privoxy; - cfg = config.services.privoxy; - confFile = pkgs.writeText "privoxy.conf" '' - user-manual ${privoxy}/share/doc/privoxy/user-manual - confdir ${privoxy}/etc/ - listen-address ${cfg.listenAddress} - enable-edit-actions ${if (cfg.enableEditActions == true) then "1" else "0"} - ${concatMapStrings (f: "actionsfile ${f}\n") cfg.actionsFiles} - ${concatMapStrings (f: "filterfile ${f}\n") cfg.filterFiles} - ${cfg.extraConfig} - ''; + serialise = name: val: + if isList val then concatMapStrings (serialise name) val + else if isBool val then serialise name (if val then "1" else "0") + else "${name} ${toString val}\n"; + + configType = with types; + let atom = oneOf [ int bool string path ]; + in attrsOf (either atom (listOf atom)) + // { description = '' + privoxy configuration type. The format consists of an attribute + set of settings. Each setting can be either a value (integer, string, + boolean or path) or a list of such values. + ''; + }; + + ageType = types.str // { + check = x: + isString x && + (builtins.match "([0-9]+([smhdw]|min|ms|us)*)+" x != null); + description = "tmpfiles.d(5) age format"; + }; + + configFile = pkgs.writeText "privoxy.conf" + (concatStrings ( + # Relative paths in some options are relative to confdir. Privoxy seems + # to parse the options in order of appearance, so this must come first. + # Nix however doesn't preserve the order in attrsets, so we have to + # hardcode confdir here. + [ "confdir ${pkgs.privoxy}/etc\n" ] + ++ mapAttrsToList serialise cfg.settings + )); + + inspectAction = pkgs.writeText "inspect-all-https.action" + '' + # Enable HTTPS inspection for all requests + {+https-inspection} + / + ''; in @@ -24,61 +51,144 @@ in ###### interface - options = { + options.services.privoxy = { - services.privoxy = { + enable = mkEnableOption "Privoxy, non-caching filtering proxy"; - enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable the Privoxy non-caching filtering proxy. - ''; - }; + enableTor = mkOption { + type = types.bool; + default = false; + description = '' + Whether to configure Privoxy to use Tor's faster SOCKS port, + suitable for HTTP. + ''; + }; - listenAddress = mkOption { - type = types.str; - default = "127.0.0.1:8118"; - description = '' - Address the proxy server is listening to. - ''; - }; + inspectHttps = mkOption { + type = types.bool; + default = false; + description = '' + Whether to configure Privoxy to inspect HTTPS requests, meaning all + encrypted traffic will be filtered as well. This works by decrypting + and re-encrypting the requests using a per-domain generated certificate. - actionsFiles = mkOption { - type = types.listOf types.str; - example = [ "match-all.action" "default.action" "/etc/privoxy/user.action" ]; - default = [ "match-all.action" "default.action" ]; - description = '' - List of paths to Privoxy action files. - These paths may either be absolute or relative to the privoxy configuration directory. - ''; - }; + To issue per-domain certificates, Privoxy must be provided with a CA + certificate, using the <literal>ca-cert-file</literal>, + <literal>ca-key-file</literal> settings. - filterFiles = mkOption { - type = types.listOf types.str; - example = [ "default.filter" "/etc/privoxy/user.filter" ]; - default = [ "default.filter" ]; - description = '' - List of paths to Privoxy filter files. - These paths may either be absolute or relative to the privoxy configuration directory. - ''; - }; + <warning><para> + The CA certificate must also be added to the system trust roots, + otherwise browsers will reject all Privoxy certificates as invalid. + You can do so by using the option + <option>security.pki.certificateFiles</option>. + </para></warning> + ''; + }; - enableEditActions = mkOption { - type = types.bool; - default = false; - description = '' - Whether or not the web-based actions file editor may be used. - ''; - }; + certsLifetime = mkOption { + type = ageType; + default = "10d"; + example = "12h"; + description = '' + If <literal>inspectHttps</literal> is enabled, the time generated HTTPS + certificates will be stored in a temporary directory for reuse. Once + the lifetime has expired the directory will cleared and the certificate + will have to be generated again, on-demand. - extraConfig = mkOption { - type = types.lines; - default = "" ; - description = '' - Extra configuration. Contents will be added verbatim to the configuration file. - ''; + Depending on the traffic, you may want to reduce the lifetime to limit + the disk usage, since Privoxy itself never deletes the certificates. + + <note><para>The format is that of the <literal>tmpfiles.d(5)</literal> + Age parameter.</para></note> + ''; + }; + + userActions = mkOption { + type = types.lines; + default = ""; + description = '' + Actions to be included in a <literal>user.action</literal> file. This + will have a higher priority and can be used to override all other + actions. + ''; + }; + + userFilters = mkOption { + type = types.lines; + default = ""; + description = '' + Filters to be included in a <literal>user.filter</literal> file. This + will have a higher priority and can be used to override all other + filters definitions. + ''; + }; + + settings = mkOption { + type = types.submodule { + freeformType = configType; + + options.listen-address = mkOption { + type = types.str; + default = "127.0.0.1:8118"; + description = "Pair of address:port the proxy server is listening to."; + }; + + options.enable-edit-actions = mkOption { + type = types.bool; + default = false; + description = "Whether the web-based actions file editor may be used."; + }; + + options.actionsfile = mkOption { + type = types.listOf types.str; + # This must come after all other entries, in order to override the + # other actions/filters installed by Privoxy or the user. + apply = x: x ++ optional (cfg.userActions != "") + (toString (pkgs.writeText "user.actions" cfg.userActions)); + default = [ "match-all.action" "default.action" ]; + description = '' + List of paths to Privoxy action files. These paths may either be + absolute or relative to the privoxy configuration directory. + ''; + }; + + options.filterfile = mkOption { + type = types.listOf types.str; + default = [ "default.filter" ]; + apply = x: x ++ optional (cfg.userFilters != "") + (toString (pkgs.writeText "user.filter" cfg.userFilters)); + description = '' + List of paths to Privoxy filter files. These paths may either be + absolute or relative to the privoxy configuration directory. + ''; + }; }; + default = {}; + example = literalExample '' + { # Listen on IPv6 only + listen-address = "[::]:8118"; + + # Forward .onion requests to Tor + forward-socks5 = ".onion localhost:9050 ."; + + # Log redirects and filters + debug = [ 128 64 ]; + # This is equivalent to writing these lines + # in the Privoxy configuration file: + # debug 128 + # debug 64 + } + ''; + description = '' + This option is mapped to the main Privoxy configuration file. + Check out the Privoxy user manual at + <link xlink:href="https://www.privoxy.org/user-manual/config.html"/> + for available settings and documentation. + + <note><para> + Repeated settings can be represented by using a list. + </para></note> + ''; }; }; @@ -88,27 +198,82 @@ in config = mkIf cfg.enable { users.users.privoxy = { + description = "Privoxy daemon user"; isSystemUser = true; - home = "/var/empty"; group = "privoxy"; }; users.groups.privoxy = {}; + systemd.tmpfiles.rules = optional cfg.inspectHttps + "d ${cfg.settings.certificate-directory} 0770 privoxy privoxy ${cfg.certsLifetime}"; + systemd.services.privoxy = { description = "Filtering web proxy"; after = [ "network.target" "nss-lookup.target" ]; wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = "${privoxy}/bin/privoxy --no-daemon --user privoxy ${confFile}"; - - serviceConfig.PrivateDevices = true; - serviceConfig.PrivateTmp = true; - serviceConfig.ProtectHome = true; - serviceConfig.ProtectSystem = "full"; + serviceConfig = { + User = "privoxy"; + Group = "privoxy"; + ExecStart = "${pkgs.privoxy}/bin/privoxy --no-daemon ${configFile}"; + PrivateDevices = true; + PrivateTmp = true; + ProtectHome = true; + ProtectSystem = "full"; + }; + unitConfig = mkIf cfg.inspectHttps { + ConditionPathExists = with cfg.settings; + [ ca-cert-file ca-key-file ]; + }; }; + services.tor.settings.SOCKSPort = mkIf cfg.enableTor [ + # Route HTTP traffic over a faster port (without IsolateDestAddr). + { addr = "127.0.0.1"; port = 9063; IsolateDestAddr = false; } + ]; + + services.privoxy.settings = { + user-manual = "${pkgs.privoxy}/share/doc/privoxy/user-manual"; + # This is needed for external filters + temporary-directory = "/tmp"; + filterfile = [ "default.filter" ]; + actionsfile = + [ "match-all.action" + "default.action" + ] ++ optional cfg.inspectHttps (toString inspectAction); + } // (optionalAttrs cfg.enableTor { + forward-socks5 = "/ 127.0.0.1:9063 ."; + toggle = true; + enable-remote-toggle = false; + enable-edit-actions = false; + enable-remote-http-toggle = false; + }) // (optionalAttrs cfg.inspectHttps { + # This allows setting absolute key/crt paths + ca-directory = "/var/empty"; + certificate-directory = "/run/privoxy/certs"; + trusted-cas-file = "/etc/ssl/certs/ca-certificates.crt"; + }); + }; + imports = + let + top = x: [ "services" "privoxy" x ]; + setting = x: [ "services" "privoxy" "settings" x ]; + in + [ (mkRenamedOptionModule (top "enableEditActions") (setting "enable-edit-actions")) + (mkRenamedOptionModule (top "listenAddress") (setting "listen-address")) + (mkRenamedOptionModule (top "actionsFiles") (setting "actionsfile")) + (mkRenamedOptionModule (top "filterFiles") (setting "filterfile")) + (mkRemovedOptionModule (top "extraConfig") + '' + Use services.privoxy.settings instead. + This is part of the general move to use structured settings instead of raw + text for config as introduced by RFC0042: + https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md + '') + ]; + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; } diff --git a/nixos/modules/services/networking/prosody.nix b/nixos/modules/services/networking/prosody.nix index e53d7093be8..e7a7aa700be 100644 --- a/nixos/modules/services/networking/prosody.nix +++ b/nixos/modules/services/networking/prosody.nix @@ -261,7 +261,7 @@ let toLua = x: if builtins.isString x then ''"${x}"'' - else if builtins.isBool x then (if x == true then "true" else "false") + else if builtins.isBool x then boolToString x else if builtins.isInt x then toString x else if builtins.isList x then ''{ ${lib.concatStringsSep ", " (map (n: toLua n) x) } }'' else throw "Invalid Lua value"; @@ -655,7 +655,7 @@ in description = "Define the virtual hosts"; - type = with types; loaOf (submodule vHostOpts); + type = with types; attrsOf (submodule vHostOpts); example = { myhost = { diff --git a/nixos/modules/services/networking/prosody.xml b/nixos/modules/services/networking/prosody.xml index 7859cb1578b..471240cd147 100644 --- a/nixos/modules/services/networking/prosody.xml +++ b/nixos/modules/services/networking/prosody.xml @@ -43,10 +43,10 @@ services.prosody = { <link linkend="opt-services.prosody.ssl.cert">ssl.cert</link> = "/var/lib/acme/example.org/fullchain.pem"; <link linkend="opt-services.prosody.ssl.key">ssl.key</link> = "/var/lib/acme/example.org/key.pem"; <link linkend="opt-services.prosody.virtualHosts">virtualHosts</link>."example.org" = { - <link linkend="opt-services.prosody.virtualHosts._name__.enabled">enabled</link> = true; - <link linkend="opt-services.prosody.virtualHosts._name__.domain">domain</link> = "example.org"; - <link linkend="opt-services.prosody.virtualHosts._name__.ssl.cert">ssl.cert</link> = "/var/lib/acme/example.org/fullchain.pem"; - <link linkend="opt-services.prosody.virtualHosts._name__.ssl.key">ssl.key</link> = "/var/lib/acme/example.org/key.pem"; + <link linkend="opt-services.prosody.virtualHosts._name_.enabled">enabled</link> = true; + <link linkend="opt-services.prosody.virtualHosts._name_.domain">domain</link> = "example.org"; + <link linkend="opt-services.prosody.virtualHosts._name_.ssl.cert">ssl.cert</link> = "/var/lib/acme/example.org/fullchain.pem"; + <link linkend="opt-services.prosody.virtualHosts._name_.ssl.key">ssl.key</link> = "/var/lib/acme/example.org/key.pem"; }; <link linkend="opt-services.prosody.muc">muc</link> = [ { <link linkend="opt-services.prosody.muc">domain</link> = "conference.example.org"; @@ -65,7 +65,7 @@ services.prosody = { you'll need a single TLS certificate covering your main endpoint, the MUC one as well as the HTTP Upload one. We can generate such a certificate by leveraging the ACME - <link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains</link> module option. + <link linkend="opt-security.acme.certs._name_.extraDomainNames">extraDomainNames</link> module option. </para> <para> Provided the setup detailed in the previous section, you'll need the following acme configuration to generate @@ -78,8 +78,7 @@ security.acme = { "example.org" = { <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/www/example.org"; <link linkend="opt-security.acme.certs._name_.email">email</link> = "root@example.org"; - <link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains."conference.example.org"</link> = null; - <link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains."upload.example.org"</link> = null; + <link linkend="opt-security.acme.certs._name_.extraDomainNames">extraDomainNames</link> = [ "conference.example.org" "upload.example.org" ]; }; }; };</programlisting> diff --git a/nixos/modules/services/networking/quagga.nix b/nixos/modules/services/networking/quagga.nix deleted file mode 100644 index 5acdd5af8f8..00000000000 --- a/nixos/modules/services/networking/quagga.nix +++ /dev/null @@ -1,185 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.quagga; - - services = [ "babel" "bgp" "isis" "ospf6" "ospf" "pim" "rip" "ripng" ]; - allServices = services ++ [ "zebra" ]; - - isEnabled = service: cfg.${service}.enable; - - daemonName = service: if service == "zebra" then service else "${service}d"; - - configFile = service: - let - scfg = cfg.${service}; - in - if scfg.configFile != null then scfg.configFile - else pkgs.writeText "${daemonName service}.conf" - '' - ! Quagga ${daemonName service} configuration - ! - hostname ${config.networking.hostName} - log syslog - service password-encryption - ! - ${scfg.config} - ! - end - ''; - - serviceOptions = service: - { - enable = mkEnableOption "the Quagga ${toUpper service} routing protocol"; - - configFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/etc/quagga/${daemonName service}.conf"; - description = '' - Configuration file to use for Quagga ${daemonName service}. - By default the NixOS generated files are used. - ''; - }; - - config = mkOption { - type = types.lines; - default = ""; - example = - let - examples = { - rip = '' - router rip - network 10.0.0.0/8 - ''; - - ospf = '' - router ospf - network 10.0.0.0/8 area 0 - ''; - - bgp = '' - router bgp 65001 - neighbor 10.0.0.1 remote-as 65001 - ''; - }; - in - examples.${service} or ""; - description = '' - ${daemonName service} configuration statements. - ''; - }; - - vtyListenAddress = mkOption { - type = types.str; - default = "127.0.0.1"; - description = '' - Address to bind to for the VTY interface. - ''; - }; - - vtyListenPort = mkOption { - type = types.nullOr types.int; - default = null; - description = '' - TCP Port to bind to for the VTY interface. - ''; - }; - }; - -in - -{ - - ###### interface - imports = [ - { - options.services.quagga = { - zebra = (serviceOptions "zebra") // { - enable = mkOption { - type = types.bool; - default = any isEnabled services; - description = '' - Whether to enable the Zebra routing manager. - - The Zebra routing manager is automatically enabled - if any routing protocols are configured. - ''; - }; - }; - }; - } - { options.services.quagga = (genAttrs services serviceOptions); } - ]; - - ###### implementation - - config = mkIf (any isEnabled allServices) { - - environment.systemPackages = [ - pkgs.quagga # for the vtysh tool - ]; - - users.users.quagga = { - description = "Quagga daemon user"; - isSystemUser = true; - group = "quagga"; - }; - - users.groups = { - quagga = {}; - # Members of the quaggavty group can use vtysh to inspect the Quagga daemons - quaggavty = { members = [ "quagga" ]; }; - }; - - systemd.services = - let - quaggaService = service: - let - scfg = cfg.${service}; - daemon = daemonName service; - in - nameValuePair daemon ({ - wantedBy = [ "multi-user.target" ]; - restartTriggers = [ (configFile service) ]; - - serviceConfig = { - Type = "forking"; - PIDFile = "/run/quagga/${daemon}.pid"; - ExecStart = "@${pkgs.quagga}/libexec/quagga/${daemon} ${daemon} -d -f ${configFile service}" - + optionalString (scfg.vtyListenAddress != "") " -A ${scfg.vtyListenAddress}" - + optionalString (scfg.vtyListenPort != null) " -P ${toString scfg.vtyListenPort}"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - Restart = "on-abort"; - }; - } // ( - if service == "zebra" then - { - description = "Quagga Zebra routing manager"; - unitConfig.Documentation = "man:zebra(8)"; - after = [ "network.target" ]; - preStart = '' - install -m 0755 -o quagga -g quagga -d /run/quagga - - ${pkgs.iproute}/bin/ip route flush proto zebra - ''; - } - else - { - description = "Quagga ${toUpper service} routing daemon"; - unitConfig.Documentation = "man:${daemon}(8) man:zebra(8)"; - bindsTo = [ "zebra.service" ]; - after = [ "network.target" "zebra.service" ]; - } - )); - in - listToAttrs (map quaggaService (filter isEnabled allServices)); - - }; - - meta.maintainers = with lib.maintainers; [ tavyc ]; - -} diff --git a/nixos/modules/services/networking/quassel.nix b/nixos/modules/services/networking/quassel.nix index da723ec86ad..bfbd3b46ab4 100644 --- a/nixos/modules/services/networking/quassel.nix +++ b/nixos/modules/services/networking/quassel.nix @@ -45,6 +45,7 @@ in }; interfaces = mkOption { + type = types.listOf types.str; default = [ "127.0.0.1" ]; description = '' The interfaces the Quassel daemon will be listening to. If `[ 127.0.0.1 ]', @@ -54,6 +55,7 @@ in }; portNumber = mkOption { + type = types.port; default = 4242; description = '' The port number the Quassel daemon will be listening to. @@ -61,7 +63,8 @@ in }; dataDir = mkOption { - default = ''/home/${user}/.config/quassel-irc.org''; + default = "/home/${user}/.config/quassel-irc.org"; + type = types.str; description = '' The directory holding configuration files, the SQlite database and the SSL Cert. ''; @@ -69,6 +72,7 @@ in user = mkOption { default = null; + type = types.nullOr types.str; description = '' The existing user the Quassel daemon should run as. If left empty, a default "quassel" user will be created. ''; diff --git a/nixos/modules/services/networking/quicktun.nix b/nixos/modules/services/networking/quicktun.nix index fb783c83646..438e67d5ebb 100644 --- a/nixos/modules/services/networking/quicktun.nix +++ b/nixos/modules/services/networking/quicktun.nix @@ -87,7 +87,7 @@ with lib; }; config = mkIf (cfg != []) { - systemd.services = fold (a: b: a // b) {} ( + systemd.services = foldr (a: b: a // b) {} ( mapAttrsToList (name: qtcfg: { "quicktun-${name}" = { wantedBy = [ "multi-user.target" ]; diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix index 5af035fd59e..8c632c319d3 100644 --- a/nixos/modules/services/networking/radicale.nix +++ b/nixos/modules/services/networking/radicale.nix @@ -3,56 +3,103 @@ with lib; let - cfg = config.services.radicale; - confFile = pkgs.writeText "radicale.conf" cfg.config; - - defaultPackage = if versionAtLeast config.system.stateVersion "20.09" then { - pkg = pkgs.radicale3; - text = "pkgs.radicale3"; - } else if versionAtLeast config.system.stateVersion "17.09" then { - pkg = pkgs.radicale2; - text = "pkgs.radicale2"; - } else { - pkg = pkgs.radicale1; - text = "pkgs.radicale1"; + format = pkgs.formats.ini { + listToValue = concatMapStringsSep ", " (generators.mkValueStringDefault { }); }; -in -{ + pkg = if isNull cfg.package then + pkgs.radicale + else + cfg.package; + + confFile = if cfg.settings == { } then + pkgs.writeText "radicale.conf" cfg.config + else + format.generate "radicale.conf" cfg.settings; + + rightsFile = format.generate "radicale.rights" cfg.rights; - options = { - services.radicale.enable = mkOption { - type = types.bool; - default = false; + bindLocalhost = cfg.settings != { } && !hasAttrByPath [ "server" "hosts" ] cfg.settings; + +in { + options.services.radicale = { + enable = mkEnableOption "Radicale CalDAV and CardDAV server"; + + package = mkOption { + description = "Radicale package to use."; + # Default cannot be pkgs.radicale because non-null values suppress + # warnings about incompatible configuration and storage formats. + type = with types; nullOr package // { inherit (package) description; }; + default = null; + defaultText = "pkgs.radicale"; + }; + + config = mkOption { + type = types.str; + default = ""; description = '' - Enable Radicale CalDAV and CardDAV server. + Radicale configuration, this will set the service + configuration file. + This option is mutually exclusive with <option>settings</option>. + This option is deprecated. Use <option>settings</option> instead. ''; }; - services.radicale.package = mkOption { - type = types.package; - default = defaultPackage.pkg; - defaultText = defaultPackage.text; + settings = mkOption { + type = format.type; + default = { }; description = '' - Radicale package to use. This defaults to version 1.x if - <literal>system.stateVersion < 17.09</literal>, version 2.x if - <literal>17.09 ≤ system.stateVersion < 20.09</literal>, and - version 3.x otherwise. + Configuration for Radicale. See + <link xlink:href="https://radicale.org/3.0.html#documentation/configuration" />. + This option is mutually exclusive with <option>config</option>. + ''; + example = literalExample '' + server = { + hosts = [ "0.0.0.0:5232" "[::]:5232" ]; + }; + auth = { + type = "htpasswd"; + htpasswd_filename = "/etc/radicale/users"; + htpasswd_encryption = "bcrypt"; + }; + storage = { + filesystem_folder = "/var/lib/radicale/collections"; + }; ''; }; - services.radicale.config = mkOption { - type = types.str; - default = ""; + rights = mkOption { + type = format.type; description = '' - Radicale configuration, this will set the service - configuration file. + Configuration for Radicale's rights file. See + <link xlink:href="https://radicale.org/3.0.html#documentation/authentication-and-rights" />. + This option only works in conjunction with <option>settings</option>. + Setting this will also set <option>settings.rights.type</option> and + <option>settings.rights.file</option> to approriate values. + ''; + default = { }; + example = literalExample '' + root = { + user = ".+"; + collection = ""; + permissions = "R"; + }; + principal = { + user = ".+"; + collection = "{user}"; + permissions = "RW"; + }; + calendars = { + user = ".+"; + collection = "{user}/[^/]+"; + permissions = "rw"; + }; ''; }; - services.radicale.extraArgs = mkOption { + extraArgs = mkOption { type = types.listOf types.str; default = []; description = "Extra arguments passed to the Radicale daemon."; @@ -60,33 +107,94 @@ in }; config = mkIf cfg.enable { - environment.systemPackages = [ cfg.package ]; + assertions = [ + { + assertion = cfg.settings == { } || cfg.config == ""; + message = '' + The options services.radicale.config and services.radicale.settings + are mutually exclusive. + ''; + } + ]; - users.users.radicale = - { uid = config.ids.uids.radicale; - description = "radicale user"; - home = "/var/lib/radicale"; - createHome = true; - }; + warnings = optional (isNull cfg.package && versionOlder config.system.stateVersion "17.09") '' + The configuration and storage formats of your existing Radicale + installation might be incompatible with the newest version. + For upgrade instructions see + https://radicale.org/2.1.html#documentation/migration-from-1xx-to-2xx. + Set services.radicale.package to suppress this warning. + '' ++ optional (isNull cfg.package && versionOlder config.system.stateVersion "20.09") '' + The configuration format of your existing Radicale installation might be + incompatible with the newest version. For upgrade instructions see + https://github.com/Kozea/Radicale/blob/3.0.6/NEWS.md#upgrade-checklist. + Set services.radicale.package to suppress this warning. + '' ++ optional (cfg.config != "") '' + The option services.radicale.config is deprecated. + Use services.radicale.settings instead. + ''; + + services.radicale.settings.rights = mkIf (cfg.rights != { }) { + type = "from_file"; + file = toString rightsFile; + }; + + environment.systemPackages = [ pkg ]; + + users.users.radicale.uid = config.ids.uids.radicale; - users.groups.radicale = - { gid = config.ids.gids.radicale; }; + users.groups.radicale.gid = config.ids.gids.radicale; systemd.services.radicale = { description = "A Simple Calendar and Contact Server"; after = [ "network.target" ]; + requires = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = concatStringsSep " " ([ - "${cfg.package}/bin/radicale" "-C" confFile + "${pkg}/bin/radicale" "-C" confFile ] ++ ( map escapeShellArg cfg.extraArgs )); User = "radicale"; Group = "radicale"; + StateDirectory = "radicale/collections"; + StateDirectoryMode = "0750"; + # Hardening + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "/dev/stdin" ]; + DevicePolicy = "strict"; + IPAddressAllow = mkIf bindLocalhost "localhost"; + IPAddressDeny = mkIf bindLocalhost "any"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = lib.optional + (hasAttrByPath [ "storage" "filesystem_folder" ] cfg.settings) + cfg.settings.storage.filesystem_folder; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0027"; }; }; }; - meta.maintainers = with lib.maintainers; [ aneeshusa infinisil ]; + meta.maintainers = with lib.maintainers; [ aneeshusa infinisil dotlambda ]; } diff --git a/nixos/modules/services/networking/radvd.nix b/nixos/modules/services/networking/radvd.nix index f4b00c9b356..53fac4b7b72 100644 --- a/nixos/modules/services/networking/radvd.nix +++ b/nixos/modules/services/networking/radvd.nix @@ -33,6 +33,7 @@ in }; services.radvd.config = mkOption { + type = types.lines; example = '' interface eth0 { diff --git a/nixos/modules/services/networking/resilio.nix b/nixos/modules/services/networking/resilio.nix index 6193d7340fc..4701b0e8143 100644 --- a/nixos/modules/services/networking/resilio.nix +++ b/nixos/modules/services/networking/resilio.nix @@ -183,6 +183,7 @@ in sharedFolders = mkOption { default = []; + type = types.listOf (types.attrsOf types.anything); example = [ { secret = "AHMYFPCQAHBM7LQPFXQ7WV6Y42IGUXJ5Y"; directory = "/home/user/sync_test"; diff --git a/nixos/modules/services/networking/robustirc-bridge.nix b/nixos/modules/services/networking/robustirc-bridge.nix new file mode 100644 index 00000000000..255af79ec04 --- /dev/null +++ b/nixos/modules/services/networking/robustirc-bridge.nix @@ -0,0 +1,47 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.robustirc-bridge; +in +{ + options = { + services.robustirc-bridge = { + enable = mkEnableOption "RobustIRC bridge"; + + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + description = ''Extra flags passed to the <command>robustirc-bridge</command> command. See <link xlink:href="https://robustirc.net/docs/adminguide.html#_bridge">RobustIRC Documentation</link> or robustirc-bridge(1) for details.''; + example = [ + "-network robustirc.net" + ]; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.robustirc-bridge = { + description = "RobustIRC bridge"; + documentation = [ + "man:robustirc-bridge(1)" + "https://robustirc.net/" + ]; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + DynamicUser = true; + ExecStart = "${pkgs.robustirc-bridge}/bin/robustirc-bridge ${concatStringsSep " " cfg.extraFlags}"; + Restart = "on-failure"; + + # Hardening + PrivateDevices = true; + ProtectSystem = true; + ProtectHome = true; + PrivateTmp = true; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/rxe.nix b/nixos/modules/services/networking/rxe.nix index c7d174a00de..868e2c81ccb 100644 --- a/nixos/modules/services/networking/rxe.nix +++ b/nixos/modules/services/networking/rxe.nix @@ -39,11 +39,11 @@ in { Type = "oneshot"; RemainAfterExit = true; ExecStart = map ( x: - "${pkgs.iproute}/bin/rdma link add rxe_${x} type rxe netdev ${x}" + "${pkgs.iproute2}/bin/rdma link add rxe_${x} type rxe netdev ${x}" ) cfg.interfaces; ExecStop = map ( x: - "${pkgs.iproute}/bin/rdma link delete rxe_${x}" + "${pkgs.iproute2}/bin/rdma link delete rxe_${x}" ) cfg.interfaces; }; }; diff --git a/nixos/modules/services/networking/sabnzbd.nix b/nixos/modules/services/networking/sabnzbd.nix index ff5aef7d1cb..43566dfd25c 100644 --- a/nixos/modules/services/networking/sabnzbd.nix +++ b/nixos/modules/services/networking/sabnzbd.nix @@ -18,16 +18,19 @@ in enable = mkEnableOption "the sabnzbd server"; configFile = mkOption { + type = types.path; default = "/var/lib/sabnzbd/sabnzbd.ini"; description = "Path to config file."; }; user = mkOption { default = "sabnzbd"; + type = types.str; description = "User to run the service as"; }; group = mkOption { + type = types.str; default = "sabnzbd"; description = "Group to run the service as"; }; diff --git a/nixos/modules/services/networking/searx.nix b/nixos/modules/services/networking/searx.nix index 60fb3d5d6d4..04f7d7e31f4 100644 --- a/nixos/modules/services/networking/searx.nix +++ b/nixos/modules/services/networking/searx.nix @@ -1,34 +1,116 @@ -{ config, lib, pkgs, ... }: +{ options, config, lib, pkgs, ... }: with lib; let + runDir = "/run/searx"; cfg = config.services.searx; - configFile = cfg.configFile; + settingsFile = pkgs.writeText "settings.yml" + (builtins.toJSON cfg.settings); + + generateConfig = '' + cd ${runDir} + + # write NixOS settings as JSON + ( + umask 077 + cp --no-preserve=mode ${settingsFile} settings.yml + ) + + # substitute environment variables + env -0 | while IFS='=' read -r -d ''' n v; do + sed "s#@$n@#$v#g" -i settings.yml + done + ''; + + settingType = with types; (oneOf + [ bool int float str + (listOf settingType) + (attrsOf settingType) + ]) // { description = "JSON value"; }; in { + imports = [ + (mkRenamedOptionModule + [ "services" "searx" "configFile" ] + [ "services" "searx" "settingsFile" ]) + ]; + ###### interface options = { services.searx = { - enable = mkEnableOption - "the searx server. See https://github.com/asciimoo/searx"; + enable = mkOption { + type = types.bool; + default = false; + relatedPackages = [ "searx" ]; + description = "Whether to enable Searx, the meta search engine."; + }; - configFile = mkOption { + environmentFile = mkOption { type = types.nullOr types.path; default = null; - description = " - The path of the Searx server configuration file. If no file - is specified, a default file is used (default config file has - debug mode enabled). - "; + description = '' + Environment file (see <literal>systemd.exec(5)</literal> + "EnvironmentFile=" section for the syntax) to define variables for + Searx. This option can be used to safely include secret keys into the + Searx configuration. + ''; + }; + + settings = mkOption { + type = types.attrsOf settingType; + default = { }; + example = literalExample '' + { server.port = 8080; + server.bind_address = "0.0.0.0"; + server.secret_key = "@SEARX_SECRET_KEY@"; + + engines = lib.singleton + { name = "wolframalpha"; + shortcut = "wa"; + api_key = "@WOLFRAM_API_KEY@"; + engine = "wolframalpha_api"; + }; + } + ''; + description = '' + Searx settings. These will be merged with (taking precedence over) + the default configuration. It's also possible to refer to + environment variables + (defined in <xref linkend="opt-services.searx.environmentFile"/>) + using the syntax <literal>@VARIABLE_NAME@</literal>. + <note> + <para> + For available settings, see the Searx + <link xlink:href="https://searx.github.io/searx/admin/settings.html">docs</link>. + </para> + </note> + ''; + }; + + settingsFile = mkOption { + type = types.path; + default = "${runDir}/settings.yml"; + description = '' + The path of the Searx server settings.yml file. If no file is + specified, a default file is used (default config file has debug mode + enabled). Note: setting this options overrides + <xref linkend="opt-services.searx.settings"/>. + <warning> + <para> + This file, along with any secret key it contains, will be copied + into the world-readable Nix store. + </para> + </warning> + ''; }; package = mkOption { @@ -38,6 +120,38 @@ in description = "searx package to use."; }; + runInUwsgi = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run searx in uWSGI as a "vassal", instead of using its + built-in HTTP server. This is the recommended mode for public or + large instances, but is unecessary for LAN or local-only use. + <warning> + <para> + The built-in HTTP server logs all queries by default. + </para> + </warning> + ''; + }; + + uwsgiConfig = mkOption { + type = options.services.uwsgi.instance.type; + default = { http = ":8080"; }; + example = literalExample '' + { + disable-logging = true; + http = ":8080"; # serve via HTTP... + socket = "/run/searx/searx.sock"; # ...or UNIX socket + } + ''; + description = '' + Additional configuration of the uWSGI vassal running searx. It + should notably specify on which interfaces and ports the vassal + should listen. + ''; + }; + }; }; @@ -45,36 +159,74 @@ in ###### implementation - config = mkIf config.services.searx.enable { + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; users.users.searx = - { uid = config.ids.uids.searx; - description = "Searx user"; - createHome = true; - home = "/var/lib/searx"; + { description = "Searx daemon user"; + group = "searx"; + isSystemUser = true; }; - users.groups.searx = - { gid = config.ids.gids.searx; + users.groups.searx = { }; + + systemd.services.searx-init = { + description = "Initialise Searx settings"; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + User = "searx"; + RuntimeDirectory = "searx"; + RuntimeDirectoryMode = "750"; + } // optionalAttrs (cfg.environmentFile != null) + { EnvironmentFile = builtins.toPath cfg.environmentFile; }; + script = generateConfig; + }; + + systemd.services.searx = mkIf (!cfg.runInUwsgi) { + description = "Searx server, the meta search engine."; + wantedBy = [ "network.target" "multi-user.target" ]; + requires = [ "searx-init.service" ]; + after = [ "searx-init.service" ]; + serviceConfig = { + User = "searx"; + Group = "searx"; + ExecStart = "${cfg.package}/bin/searx-run"; + } // optionalAttrs (cfg.environmentFile != null) + { EnvironmentFile = builtins.toPath cfg.environmentFile; }; + environment.SEARX_SETTINGS_PATH = cfg.settingsFile; + }; + + systemd.services.uwsgi = mkIf (cfg.runInUwsgi) + { requires = [ "searx-init.service" ]; + after = [ "searx-init.service" ]; }; - systemd.services.searx = - { - description = "Searx server, the meta search engine."; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = "searx"; - ExecStart = "${cfg.package}/bin/searx-run"; - }; - } // (optionalAttrs (configFile != null) { - environment.SEARX_SETTINGS_PATH = configFile; - }); + services.searx.settings = { + # merge NixOS settings with defaults settings.yml + use_default_settings = mkDefault true; + }; - environment.systemPackages = [ cfg.package ]; + services.uwsgi = mkIf (cfg.runInUwsgi) { + enable = true; + plugins = [ "python3" ]; + + instance.type = "emperor"; + instance.vassals.searx = { + type = "normal"; + strict = true; + immediate-uid = "searx"; + immediate-gid = "searx"; + lazy-apps = true; + enable-threads = true; + module = "searx.webapp"; + env = [ "SEARX_SETTINGS_PATH=${cfg.settingsFile}" ]; + pythonPackages = self: [ cfg.package ]; + } // cfg.uwsgiConfig; + }; }; - meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + meta.maintainers = with maintainers; [ rnhmjoj ]; } diff --git a/nixos/modules/services/networking/seeks.nix b/nixos/modules/services/networking/seeks.nix deleted file mode 100644 index 40729225b6d..00000000000 --- a/nixos/modules/services/networking/seeks.nix +++ /dev/null @@ -1,75 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.services.seeks; - - confDir = cfg.confDir; - - seeks = pkgs.seeks.override { seeks_confDir = confDir; }; - -in - -{ - - ###### interface - - options = { - - services.seeks = { - - enable = mkOption { - default = false; - type = types.bool; - description = " - Whether to enable the Seeks server. - "; - }; - - confDir = mkOption { - default = ""; - type = types.str; - description = " - The Seeks server configuration. If it is not specified, - a default configuration is used. - "; - }; - - }; - - }; - - - ###### implementation - - config = mkIf config.services.seeks.enable { - - users.users.seeks = - { uid = config.ids.uids.seeks; - description = "Seeks user"; - createHome = true; - home = "/var/lib/seeks"; - }; - - users.groups.seeks = - { gid = config.ids.gids.seeks; - }; - - systemd.services.seeks = - { - description = "Seeks server, the p2p search engine."; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = "seeks"; - ExecStart = "${seeks}/bin/seeks"; - }; - }; - - environment.systemPackages = [ seeks ]; - - }; - -} diff --git a/nixos/modules/services/networking/shadowsocks.nix b/nixos/modules/services/networking/shadowsocks.nix index af12db590f0..d2541f9a6df 100644 --- a/nixos/modules/services/networking/shadowsocks.nix +++ b/nixos/modules/services/networking/shadowsocks.nix @@ -11,8 +11,13 @@ let method = cfg.encryptionMethod; mode = cfg.mode; user = "nobody"; - fast_open = true; - } // optionalAttrs (cfg.password != null) { password = cfg.password; }; + fast_open = cfg.fastOpen; + } // optionalAttrs (cfg.plugin != null) { + plugin = cfg.plugin; + plugin_opts = cfg.pluginOpts; + } // optionalAttrs (cfg.password != null) { + password = cfg.password; + } // cfg.extraConfig; configFile = pkgs.writeText "shadowsocks.json" (builtins.toJSON opts); @@ -74,6 +79,14 @@ in ''; }; + fastOpen = mkOption { + type = types.bool; + default = true; + description = '' + use TCP fast-open + ''; + }; + encryptionMethod = mkOption { type = types.str; default = "chacha20-ietf-poly1305"; @@ -82,6 +95,41 @@ in ''; }; + plugin = mkOption { + type = types.nullOr types.str; + default = null; + example = "\${pkgs.shadowsocks-v2ray-plugin}/bin/v2ray-plugin"; + description = '' + SIP003 plugin for shadowsocks + ''; + }; + + pluginOpts = mkOption { + type = types.str; + default = ""; + example = "server;host=example.com"; + description = '' + Options to pass to the plugin if one was specified + ''; + }; + + extraConfig = mkOption { + type = types.attrs; + default = {}; + example = '' + { + nameserver = "8.8.8.8"; + } + ''; + description = '' + Additional configuration for shadowsocks that is not covered by the + provided options. The provided attrset will be serialized to JSON and + has to contain valid shadowsocks options. Unfortunately most + additional options are undocumented but it's easy to find out what is + available by looking into the source code of + <link xlink:href="https://github.com/shadowsocks/shadowsocks-libev/blob/master/src/jconf.c"/> + ''; + }; }; }; @@ -99,7 +147,7 @@ in description = "shadowsocks-libev Daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.shadowsocks-libev ] ++ optional (cfg.passwordFile != null) pkgs.jq; + path = [ pkgs.shadowsocks-libev ] ++ optional (cfg.plugin != null) cfg.plugin ++ optional (cfg.passwordFile != null) pkgs.jq; serviceConfig.PrivateTmp = true; script = '' ${optionalString (cfg.passwordFile != null) '' diff --git a/nixos/modules/services/networking/shairport-sync.nix b/nixos/modules/services/networking/shairport-sync.nix index b4b86a2d55b..ac526c0e9f6 100644 --- a/nixos/modules/services/networking/shairport-sync.nix +++ b/nixos/modules/services/networking/shairport-sync.nix @@ -28,6 +28,7 @@ in }; arguments = mkOption { + type = types.str; default = "-v -o pa"; description = '' Arguments to pass to the daemon. Defaults to a local pulseaudio @@ -36,6 +37,7 @@ in }; user = mkOption { + type = types.str; default = "shairport"; description = '' User account name under which to run shairport-sync. The account diff --git a/nixos/modules/services/networking/shellhub-agent.nix b/nixos/modules/services/networking/shellhub-agent.nix new file mode 100644 index 00000000000..4ce4b8250bc --- /dev/null +++ b/nixos/modules/services/networking/shellhub-agent.nix @@ -0,0 +1,91 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.shellhub-agent; +in { + + ###### interface + + options = { + + services.shellhub-agent = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the ShellHub Agent daemon, which allows + secure remote logins. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.shellhub-agent; + defaultText = "pkgs.shellhub-agent"; + description = '' + Which ShellHub Agent package to use. + ''; + }; + + tenantId = mkOption { + type = types.str; + example = "ba0a880c-2ada-11eb-a35e-17266ef329d6"; + description = '' + The tenant ID to use when connecting to the ShellHub + Gateway. + ''; + }; + + server = mkOption { + type = types.str; + default = "https://cloud.shellhub.io"; + description = '' + Server address of ShellHub Gateway to connect. + ''; + }; + + privateKey = mkOption { + type = types.path; + default = "/var/lib/shellhub-agent/private.key"; + description = '' + Location where to store the ShellHub Agent private + key. + ''; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + systemd.services.shellhub-agent = { + description = "ShellHub Agent"; + + wantedBy = [ "multi-user.target" ]; + requires = [ "local-fs.target" ]; + wants = [ "network-online.target" ]; + after = [ + "local-fs.target" + "network.target" + "network-online.target" + "time-sync.target" + ]; + + environment.SERVER_ADDRESS = cfg.server; + environment.PRIVATE_KEY = cfg.privateKey; + environment.TENANT_ID = cfg.tenantId; + + serviceConfig = { + # The service starts sessions for different users. + User = "root"; + Restart = "on-failure"; + ExecStart = "${cfg.package}/bin/agent"; + }; + }; + + environment.systemPackages = [ cfg.package ]; + }; +} diff --git a/nixos/modules/services/networking/smartdns.nix b/nixos/modules/services/networking/smartdns.nix index f1888af7041..f84c727f034 100644 --- a/nixos/modules/services/networking/smartdns.nix +++ b/nixos/modules/services/networking/smartdns.nix @@ -54,6 +54,7 @@ in { systemd.packages = [ pkgs.smartdns ]; systemd.services.smartdns.wantedBy = [ "multi-user.target" ]; + systemd.services.smartdns.restartTriggers = [ confFile ]; environment.etc."smartdns/smartdns.conf".source = confFile; environment.etc."default/smartdns".source = "${pkgs.smartdns}/etc/default/smartdns"; diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index 37ee2a80389..4470c18fd53 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix @@ -124,7 +124,8 @@ in }; hostName = mkOption { type = types.str; - default = config.networking.hostName; + default = config.networking.fqdn; + defaultText = "\${config.networking.fqdn}"; example = "somewhere.example.com"; description = "DNS name for the urls generated in the cgi."; }; @@ -156,6 +157,7 @@ in ownerEmail = mkOption { type = types.str; default = "no-reply@${cfg.hostName}"; + defaultText = "no-reply@\${hostName}"; example = "no-reply@yourdomain.com"; description = "Email contact for owner"; }; @@ -239,18 +241,18 @@ in targetConfig = mkOption { type = types.lines; default = '' - probe = FPing - menu = Top - title = Network Latency Grapher - remark = Welcome to the SmokePing website of xxx Company. \ - Here you will learn all about the latency of our network. - + Local - menu = Local - title = Local Network - ++ LocalMachine - menu = Local Machine - title = This host - host = localhost + probe = FPing + menu = Top + title = Network Latency Grapher + remark = Welcome to the SmokePing website of xxx Company. \ + Here you will learn all about the latency of our network. + + Local + menu = Local + title = Local Network + ++ LocalMachine + menu = Local Machine + title = This host + host = localhost ''; description = "Target configuration"; }; @@ -303,7 +305,7 @@ in ${cfg.package}/bin/smokeping --check --config=${configPath} ${cfg.package}/bin/smokeping --static --config=${configPath} ''; - script = ''${cfg.package}/bin/smokeping --config=${configPath} --nodaemon''; + script = "${cfg.package}/bin/smokeping --config=${configPath} --nodaemon"; }; systemd.services.thttpd = mkIf cfg.webService { wantedBy = [ "multi-user.target"]; diff --git a/nixos/modules/services/networking/solanum.nix b/nixos/modules/services/networking/solanum.nix new file mode 100644 index 00000000000..dc066a24549 --- /dev/null +++ b/nixos/modules/services/networking/solanum.nix @@ -0,0 +1,109 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkEnableOption mkIf mkOption types; + inherit (pkgs) solanum util-linux; + cfg = config.services.solanum; + + configFile = pkgs.writeText "solanum.conf" cfg.config; +in + +{ + + ###### interface + + options = { + + services.solanum = { + + enable = mkEnableOption "Solanum IRC daemon"; + + config = mkOption { + type = types.str; + default = '' + serverinfo { + name = "irc.example.com"; + sid = "1ix"; + description = "irc!"; + + vhost = "0.0.0.0"; + vhost6 = "::"; + }; + + listen { + host = "0.0.0.0"; + port = 6667; + }; + + auth { + user = "*@*"; + class = "users"; + flags = exceed_limit; + }; + channel { + default_split_user_count = 0; + }; + ''; + description = '' + Solanum IRC daemon configuration file. + check <link xlink:href="https://github.com/solanum-ircd/solanum/blob/main/doc/reference.conf"/> for all options. + ''; + }; + + openFilesLimit = mkOption { + type = types.int; + default = 1024; + description = '' + Maximum number of open files. Limits the clients and server connections. + ''; + }; + + motd = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Solanum MOTD text. + + Solanum will read its MOTD from <literal>/etc/solanum/ircd.motd</literal>. + If set, the value of this option will be written to this path. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable (lib.mkMerge [ + { + + environment.etc."solanum/ircd.conf".source = configFile; + + systemd.services.solanum = { + description = "Solanum IRC daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + restartTriggers = [ + configFile + ]; + serviceConfig = { + ExecStart = "${solanum}/bin/solanum -foreground -logfile /dev/stdout -configfile /etc/solanum/ircd.conf -pidfile /run/solanum/ircd.pid"; + ExecReload = "${util-linux}/bin/kill -HUP $MAINPID"; + DynamicUser = true; + User = "solanum"; + StateDirectory = "solanum"; + RuntimeDirectory = "solanum"; + LimitNOFILE = "${toString cfg.openFilesLimit}"; + }; + }; + + } + + (mkIf (cfg.motd != null) { + environment.etc."solanum/ircd.motd".text = cfg.motd; + }) + ]); +} diff --git a/nixos/modules/services/networking/spacecookie.nix b/nixos/modules/services/networking/spacecookie.nix index c4d06df6ad4..e0bef9e9628 100644 --- a/nixos/modules/services/networking/spacecookie.nix +++ b/nixos/modules/services/networking/spacecookie.nix @@ -4,10 +4,22 @@ with lib; let cfg = config.services.spacecookie; - configFile = pkgs.writeText "spacecookie.json" (lib.generators.toJSON {} { - inherit (cfg) hostname port root; - }); + + spacecookieConfig = { + listen = { + inherit (cfg) port; + }; + } // cfg.settings; + + format = pkgs.formats.json {}; + + configFile = format.generate "spacecookie.json" spacecookieConfig; + in { + imports = [ + (mkRenamedOptionModule [ "services" "spacecookie" "root" ] [ "services" "spacecookie" "settings" "root" ]) + (mkRenamedOptionModule [ "services" "spacecookie" "hostname" ] [ "services" "spacecookie" "settings" "hostname" ]) + ]; options = { @@ -15,32 +27,149 @@ in { enable = mkEnableOption "spacecookie"; - hostname = mkOption { - type = types.str; - default = "localhost"; - description = "The hostname the service is reachable via. Clients will use this hostname for further requests after loading the initial gopher menu."; + package = mkOption { + type = types.package; + default = pkgs.spacecookie; + defaultText = literalExample "pkgs.spacecookie"; + example = literalExample "pkgs.haskellPackages.spacecookie"; + description = '' + The spacecookie derivation to use. This can be used to + override the used package or to use another version. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open the necessary port in the firewall for spacecookie. + ''; }; port = mkOption { type = types.port; default = 70; - description = "Port the gopher service should be exposed on."; + description = '' + Port the gopher service should be exposed on. + ''; + }; + + address = mkOption { + type = types.str; + default = "[::]"; + description = '' + Address to listen on. Must be in the + <literal>ListenStream=</literal> syntax of + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.socket.html">systemd.socket(5)</link>. + ''; }; - root = mkOption { - type = types.path; - default = "/srv/gopher"; - description = "The root directory spacecookie serves via gopher."; + settings = mkOption { + type = types.submodule { + freeformType = format.type; + + options.hostname = mkOption { + type = types.str; + default = "localhost"; + description = '' + The hostname the service is reachable via. Clients + will use this hostname for further requests after + loading the initial gopher menu. + ''; + }; + + options.root = mkOption { + type = types.path; + default = "/srv/gopher"; + description = '' + The directory spacecookie should serve via gopher. + Files in there need to be world-readable since + the spacecookie service file sets + <literal>DynamicUser=true</literal>. + ''; + }; + + options.log = { + enable = mkEnableOption "logging for spacecookie" + // { default = true; example = false; }; + + hide-ips = mkOption { + type = types.bool; + default = true; + description = '' + If enabled, spacecookie will hide personal + information of users like IP addresses from + log output. + ''; + }; + + hide-time = mkOption { + type = types.bool; + # since we are starting with systemd anyways + # we deviate from the default behavior here: + # journald will add timestamps, so no need + # to double up. + default = true; + description = '' + If enabled, spacecookie will not print timestamps + at the beginning of every log line. + ''; + }; + + level = mkOption { + type = types.enum [ + "info" + "warn" + "error" + ]; + default = "info"; + description = '' + Log level for the spacecookie service. + ''; + }; + }; + }; + + description = '' + Settings for spacecookie. The settings set here are + directly translated to the spacecookie JSON config + file. See + <link xlink:href="https://sternenseemann.github.io/spacecookie/spacecookie.json.5.html">spacecookie.json(5)</link> + for explanations of all options. + ''; }; }; }; config = mkIf cfg.enable { + assertions = [ + { + assertion = !(cfg.settings ? user); + message = '' + spacecookie is started as a normal user, so the setuid + feature doesn't work. If you want to run spacecookie as + a specific user, set: + systemd.services.spacecookie.serviceConfig = { + DynamicUser = false; + User = "youruser"; + Group = "yourgroup"; + } + ''; + } + { + assertion = !(cfg.settings ? listen || cfg.settings ? port); + message = '' + The NixOS spacecookie module uses socket activation, + so the listen options have no effect. Use the port + and address options in services.spacecookie instead. + ''; + } + ]; systemd.sockets.spacecookie = { description = "Socket for the Spacecookie Gopher Server"; wantedBy = [ "sockets.target" ]; - listenStreams = [ "[::]:${toString cfg.port}" ]; + listenStreams = [ "${cfg.address}:${toString cfg.port}" ]; socketConfig = { BindIPv6Only = "both"; }; @@ -53,7 +182,7 @@ in { serviceConfig = { Type = "notify"; - ExecStart = "${pkgs.haskellPackages.spacecookie}/bin/spacecookie ${configFile}"; + ExecStart = "${lib.getBin cfg.package}/bin/spacecookie ${configFile}"; FileDescriptorStoreMax = 1; DynamicUser = true; @@ -79,5 +208,9 @@ in { RestrictAddressFamilies = "AF_UNIX AF_INET6"; }; }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + }; }; } diff --git a/nixos/modules/services/networking/ssh/lshd.nix b/nixos/modules/services/networking/ssh/lshd.nix index 41d0584080e..862ff7df054 100644 --- a/nixos/modules/services/networking/ssh/lshd.nix +++ b/nixos/modules/services/networking/ssh/lshd.nix @@ -29,6 +29,7 @@ in portNumber = mkOption { default = 22; + type = types.port; description = '' The port on which to listen for connections. ''; @@ -36,6 +37,7 @@ in interfaces = mkOption { default = []; + type = types.listOf types.str; description = '' List of network interfaces where listening for connections. When providing the empty list, `[]', lshd listens on all @@ -46,6 +48,7 @@ in hostKey = mkOption { default = "/etc/lsh/host-key"; + type = types.str; description = '' Path to the server's private key. Note that this key must have been created, e.g., using "lsh-keygen --server | @@ -56,29 +59,30 @@ in syslog = mkOption { type = types.bool; default = true; - description = ''Whether to enable syslog output.''; + description = "Whether to enable syslog output."; }; passwordAuthentication = mkOption { type = types.bool; default = true; - description = ''Whether to enable password authentication.''; + description = "Whether to enable password authentication."; }; publicKeyAuthentication = mkOption { type = types.bool; default = true; - description = ''Whether to enable public key authentication.''; + description = "Whether to enable public key authentication."; }; rootLogin = mkOption { type = types.bool; default = false; - description = ''Whether to enable remote root login.''; + description = "Whether to enable remote root login."; }; loginShell = mkOption { default = null; + type = types.nullOr types.str; description = '' If non-null, override the default login shell with the specified value. @@ -88,6 +92,7 @@ in srpKeyExchange = mkOption { default = false; + type = types.bool; description = '' Whether to enable SRP key exchange and user authentication. ''; @@ -96,16 +101,17 @@ in tcpForwarding = mkOption { type = types.bool; default = true; - description = ''Whether to enable TCP/IP forwarding.''; + description = "Whether to enable TCP/IP forwarding."; }; x11Forwarding = mkOption { type = types.bool; default = true; - description = ''Whether to enable X11 forwarding.''; + description = "Whether to enable X11 forwarding."; }; subsystems = mkOption { + type = types.listOf types.path; description = '' List of subsystem-path pairs, where the head of the pair denotes the subsystem name, and the tail denotes the path to diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 17f31e3a488..2c96b94ca43 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -41,6 +41,10 @@ let Warning: If you are using <literal>NixOps</literal> then don't use this option since it will replace the key required for deployment via ssh. ''; + example = [ + "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host" + "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar" + ]; }; keyFiles = mkOption { @@ -122,6 +126,15 @@ in ''; }; + sftpServerExecutable = mkOption { + type = types.str; + example = "internal-sftp"; + description = '' + The sftp server executable. Can be a path or "internal-sftp" to use + the sftp server built into the sshd binary. + ''; + }; + sftpFlags = mkOption { type = with types; listOf str; default = []; @@ -232,10 +245,28 @@ in ''; }; + banner = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Message to display to the remote user before authentication is allowed. + ''; + }; + authorizedKeysFiles = mkOption { type = types.listOf types.str; default = []; - description = "Files from which authorized keys are read."; + description = '' + Specify the rules for which files to read on the host. + + This is an advanced option. If you're looking to configure user + keys, you can generally use <xref linkend="opt-users.users._name_.openssh.authorizedKeys.keys"/> + or <xref linkend="opt-users.users._name_.openssh.authorizedKeys.keyFiles"/>. + + These are paths relative to the host root file system or home + directories and they are subject to certain token expansion rules. + See AuthorizedKeysFile in man sshd_config for details. + ''; }; authorizedKeysCommand = mkOption { @@ -261,6 +292,7 @@ in kexAlgorithms = mkOption { type = types.listOf types.str; default = [ + "curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; @@ -271,7 +303,7 @@ in Defaults to recommended settings from both <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> and - <link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" /> + <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" /> ''; }; @@ -292,7 +324,7 @@ in Defaults to recommended settings from both <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> and - <link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" /> + <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" /> ''; }; @@ -313,21 +345,18 @@ in Defaults to recommended settings from both <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> and - <link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" /> + <link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" /> ''; }; logLevel = mkOption { type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ]; - default = "VERBOSE"; + default = "INFO"; # upstream default description = '' Gives the verbosity level that is used when logging messages from sshd(8). The possible values are: - QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is VERBOSE. DEBUG and DEBUG1 + QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended. - - LogLevel VERBOSE logs user's key fingerprint on login. - Needed to have a clear audit track of which key was used to log in. ''; }; @@ -361,7 +390,7 @@ in }; users.users = mkOption { - type = with types; loaOf (submodule userOptions); + type = with types; attrsOf (submodule userOptions); }; }; @@ -377,6 +406,7 @@ in }; services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli"; + services.openssh.sftpServerExecutable = mkDefault "${cfgc.package}/libexec/sftp-server"; environment.etc = authKeysFiles // { "ssh/moduli".source = cfg.moduliFile; @@ -423,6 +453,7 @@ in { ExecStart = (optionalString cfg.startWhenNeeded "-") + "${cfgc.package}/bin/sshd " + (optionalString cfg.startWhenNeeded "-i ") + + "-D " + # don't detach into a daemon process "-f /etc/ssh/sshd_config"; KillMode = "process"; } // (if cfg.startWhenNeeded then { @@ -468,12 +499,14 @@ in # https://github.com/NixOS/nixpkgs/pull/10155 # https://github.com/NixOS/nixpkgs/pull/41745 services.openssh.authorizedKeysFiles = - [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ]; + [ "%h/.ssh/authorized_keys" "%h/.ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ]; services.openssh.extraConfig = mkOrder 0 '' UsePAM yes + Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner} + AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} ${concatMapStrings (port: '' Port ${toString port} @@ -494,7 +527,7 @@ in ''} ${optionalString cfg.allowSFTP '' - Subsystem sftp ${cfgc.package}/libexec/sftp-server ${concatStringsSep " " cfg.sftpFlags} + Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags} ''} PermitRootLogin ${cfg.permitRootLogin} diff --git a/nixos/modules/services/networking/sslh.nix b/nixos/modules/services/networking/sslh.nix index 0921febba66..abe96f60f81 100644 --- a/nixos/modules/services/networking/sslh.nix +++ b/nixos/modules/services/networking/sslh.nix @@ -31,7 +31,7 @@ let { name: "openvpn"; host: "localhost"; port: "1194"; probe: "builtin"; }, { name: "xmpp"; host: "localhost"; port: "5222"; probe: "builtin"; }, { name: "http"; host: "localhost"; port: "80"; probe: "builtin"; }, - { name: "ssl"; host: "localhost"; port: "443"; probe: "builtin"; }, + { name: "tls"; host: "localhost"; port: "443"; probe: "builtin"; }, { name: "anyprot"; host: "localhost"; port: "443"; probe: "builtin"; } ); ''; @@ -132,7 +132,7 @@ in { table = "mangle"; command = "OUTPUT ! -o lo -p tcp -m connmark --mark 0x02/0x0f -j CONNMARK --restore-mark --mask 0x0f"; } ]; in { - path = [ pkgs.iptables pkgs.iproute pkgs.procps ]; + path = [ pkgs.iptables pkgs.iproute2 pkgs.procps ]; preStart = '' # Cleanup old iptables entries which might be still there diff --git a/nixos/modules/services/networking/strongswan-swanctl/module.nix b/nixos/modules/services/networking/strongswan-swanctl/module.nix index 0fec3ef00ad..6e619f22546 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/module.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/module.nix @@ -63,7 +63,7 @@ in { description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl"; wantedBy = [ "multi-user.target" ]; after = [ "network-online.target" ]; - path = with pkgs; [ kmod iproute iptables utillinux ]; + path = with pkgs; [ kmod iproute2 iptables util-linux ]; environment = { STRONGSWAN_CONF = pkgs.writeTextFile { name = "strongswan.conf"; diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix index 808cb863a9c..8ae62931a8f 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix @@ -1173,20 +1173,20 @@ in { ppk = mkPrefixedAttrsOfParams { secret = mkOptionalStrParam '' - Value of the PPK. It may either be an ASCII string, a hex encoded string - if it has a <literal>0x</literal> prefix or a Base64 encoded string if - it has a <literal>0s</literal> prefix in its value. Should have at least - 256 bits of entropy for 128-bit security. + Value of the PPK. It may either be an ASCII string, a hex encoded string + if it has a <literal>0x</literal> prefix or a Base64 encoded string if + it has a <literal>0s</literal> prefix in its value. Should have at least + 256 bits of entropy for 128-bit security. ''; id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") '' - PPK identity the PPK belongs to. Multiple unique identities may be - specified, each having an <literal>id</literal> prefix, if a secret is - shared between multiple peers. + PPK identity the PPK belongs to. Multiple unique identities may be + specified, each having an <literal>id</literal> prefix, if a secret is + shared between multiple peers. ''; } '' - Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is - defined in a unique section having the <literal>ppk</literal> prefix. + Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is + defined in a unique section having the <literal>ppk</literal> prefix. ''; private = mkPrefixedAttrsOfParams { @@ -1273,7 +1273,7 @@ in { provided the user is prompted during an interactive <literal>--load-creds</literal> call. ''; - } ''Definition for a private key that's stored on a token/smartcard/TPM.''; + } "Definition for a private key that's stored on a token/smartcard/TPM."; }; diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix index 13a1a897c5e..401f7be4028 100644 --- a/nixos/modules/services/networking/strongswan.nix +++ b/nixos/modules/services/networking/strongswan.nix @@ -152,7 +152,7 @@ in systemd.services.strongswan = { description = "strongSwan IPSec Service"; wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux + path = with pkgs; [ kmod iproute2 iptables util-linux ]; # XXX Linux after = [ "network-online.target" ]; environment = { STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; }; diff --git a/nixos/modules/services/networking/stunnel.nix b/nixos/modules/services/networking/stunnel.nix index ab51bba2f6a..fe1616f411f 100644 --- a/nixos/modules/services/networking/stunnel.nix +++ b/nixos/modules/services/networking/stunnel.nix @@ -16,8 +16,12 @@ let serverConfig = { options = { accept = mkOption { - type = types.int; - description = "On which port stunnel should listen for incoming TLS connections."; + type = types.either types.str types.int; + description = '' + On which [host:]port stunnel should listen for incoming TLS connections. + Note that unlike other softwares stunnel ipv6 address need no brackets, + so to listen on all IPv6 addresses on port 1234 one would use ':::1234'. + ''; }; connect = mkOption { @@ -129,7 +133,6 @@ in type = with types; attrsOf (submodule serverConfig); example = { fancyWebserver = { - enable = true; accept = 443; connect = 8080; cert = "/path/to/pem/file"; diff --git a/nixos/modules/services/networking/supplicant.nix b/nixos/modules/services/networking/supplicant.nix index 20704be9b36..4f4b5cef374 100644 --- a/nixos/modules/services/networking/supplicant.nix +++ b/nixos/modules/services/networking/supplicant.nix @@ -44,19 +44,10 @@ let preStart = '' ${optionalString (suppl.configFile.path!=null) '' - touch -a ${suppl.configFile.path} - chmod 600 ${suppl.configFile.path} + (umask 077 && touch -a "${suppl.configFile.path}") ''} ${optionalString suppl.userControlled.enable '' - if ! test -e ${suppl.userControlled.socketDir}; then - mkdir -m 0770 -p ${suppl.userControlled.socketDir} - chgrp ${suppl.userControlled.group} ${suppl.userControlled.socketDir} - fi - - if test "$(stat --printf '%G' ${suppl.userControlled.socketDir})" != "${suppl.userControlled.group}"; then - echo "ERROR: bad ownership on ${suppl.userControlled.socketDir}" >&2 - exit 1 - fi + install -dm770 -g "${suppl.userControlled.group}" "${suppl.userControlled.socketDir}" ''} ''; diff --git a/nixos/modules/services/networking/supybot.nix b/nixos/modules/services/networking/supybot.nix index dc9fb31ffd0..332c3ced06f 100644 --- a/nixos/modules/services/networking/supybot.nix +++ b/nixos/modules/services/networking/supybot.nix @@ -64,13 +64,14 @@ in }; extraPackages = mkOption { + type = types.functionTo (types.listOf types.package); default = p: []; description = '' Extra Python packages available to supybot plugins. The value must be a function which receives the attrset defined in <varname>python3Packages</varname> as the sole argument. ''; - example = literalExample ''p: [ p.lxml p.requests ]''; + example = literalExample "p: [ p.lxml p.requests ]"; }; }; @@ -103,6 +104,8 @@ in rm -f '${cfg.stateDir}/supybot.cfg.bak' ''; + startLimitIntervalSec = 5 * 60; # 5 min + startLimitBurst = 1; serviceConfig = { ExecStart = "${pyEnv}/bin/supybot ${cfg.stateDir}/supybot.cfg"; PIDFile = "/run/supybot.pid"; @@ -110,8 +113,6 @@ in Group = "supybot"; UMask = "0007"; Restart = "on-abort"; - StartLimitInterval = "5m"; - StartLimitBurst = "1"; NoNewPrivileges = true; PrivateDevices = true; diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix index e717d78feed..28348c7893a 100644 --- a/nixos/modules/services/networking/syncthing.nix +++ b/nixos/modules/services/networking/syncthing.nix @@ -18,6 +18,7 @@ let fsWatcherEnabled = folder.watch; fsWatcherDelayS = folder.watchDelay; ignorePerms = folder.ignorePerms; + ignoreDelete = folder.ignoreDelete; versioning = folder.versioning; }) (filterAttrs ( _: folder: @@ -284,8 +285,6 @@ in { }); }; - - rescanInterval = mkOption { type = types.int; default = 3600; @@ -327,6 +326,16 @@ in { ''; }; + ignoreDelete = mkOption { + type = types.bool; + default = false; + description = '' + Whether to delete files in destination. See <link + xlink:href="https://docs.syncthing.net/advanced/folder-ignoredelete.html"> + upstream's docs</link>. + ''; + }; + }; })); }; diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix index 4d6aeb75ebd..3f88ff53dff 100644 --- a/nixos/modules/services/networking/tailscale.nix +++ b/nixos/modules/services/networking/tailscale.nix @@ -14,36 +14,31 @@ in { default = 41641; description = "The port to listen on for tunnel traffic (0=autoselect)."; }; + + interfaceName = mkOption { + type = types.str; + default = "tailscale0"; + description = ''The interface name for tunnel traffic. Use "userspace-networking" (beta) to not use TUN.''; + }; + + package = mkOption { + type = types.package; + default = pkgs.tailscale; + defaultText = "pkgs.tailscale"; + description = "The package to use for tailscale"; + }; }; config = mkIf cfg.enable { - systemd.services.tailscale = { - description = "Tailscale client daemon"; - - after = [ "network-pre.target" ]; - wants = [ "network-pre.target" ]; + environment.systemPackages = [ cfg.package ]; # for the CLI + systemd.packages = [ cfg.package ]; + systemd.services.tailscaled = { wantedBy = [ "multi-user.target" ]; - - unitConfig = { - StartLimitIntervalSec = 0; - StartLimitBurst = 0; - }; - - serviceConfig = { - ExecStart = - "${pkgs.tailscale}/bin/tailscaled --port ${toString cfg.port}"; - - RuntimeDirectory = "tailscale"; - RuntimeDirectoryMode = 755; - - StateDirectory = "tailscale"; - StateDirectoryMode = 750; - - CacheDirectory = "tailscale"; - CacheDirectoryMode = 750; - - Restart = "on-failure"; - }; + path = [ pkgs.openresolv pkgs.procps ]; + serviceConfig.Environment = [ + "PORT=${toString cfg.port}" + ''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName}"'' + ]; }; }; } diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix index 725bd9bf940..9e433ad1a98 100644 --- a/nixos/modules/services/networking/tinc.nix +++ b/nixos/modules/services/networking/tinc.nix @@ -1,13 +1,156 @@ { config, lib, pkgs, ... }: with lib; - let - cfg = config.services.tinc; -in + mkValueString = value: + if value == true then "yes" + else if value == false then "no" + else generators.mkValueStringDefault { } value; + + toTincConf = generators.toKeyValue { + listsAsDuplicateKeys = true; + mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } "="; + }; + + tincConfType = with types; + let + valueType = oneOf [ bool str int ]; + in + attrsOf (either valueType (listOf valueType)); + + addressSubmodule = { + options = { + address = mkOption { + type = types.str; + description = "The external IP address or hostname where the host can be reached."; + }; + + port = mkOption { + type = types.nullOr types.port; + default = null; + description = '' + The port where the host can be reached. + + If no port is specified, the default Port is used. + ''; + }; + }; + }; + + subnetSubmodule = { + options = { + address = mkOption { + type = types.str; + description = '' + The subnet of this host. + + Subnets can either be single MAC, IPv4 or IPv6 addresses, in which case + a subnet consisting of only that single address is assumed, or they can + be a IPv4 or IPv6 network address with a prefix length. + + IPv4 subnets are notated like 192.168.1.0/24, IPv6 subnets are notated + like fec0:0:0:1::/64. MAC addresses are notated like 0:1a:2b:3c:4d:5e. + + Note that subnets like 192.168.1.1/24 are invalid. + ''; + }; + + prefixLength = mkOption { + type = with types; nullOr (addCheck int (n: n >= 0 && n <= 128)); + default = null; + description = '' + The prefix length of the subnet. + + If null, a subnet consisting of only that single address is assumed. + + This conforms to standard CIDR notation as described in RFC1519. + ''; + }; + + weight = mkOption { + type = types.ints.unsigned; + default = 10; + description = '' + Indicates the priority over identical Subnets owned by different nodes. + + Lower values indicate higher priority. Packets will be sent to the + node with the highest priority, unless that node is not reachable, in + which case the node with the next highest priority will be tried, and + so on. + ''; + }; + }; + }; + + hostSubmodule = { config, ... }: { + options = { + addresses = mkOption { + type = types.listOf (types.submodule addressSubmodule); + default = [ ]; + description = '' + The external address where the host can be reached. This will set this + host's <option>settings.Address</option> option. + + This variable is only required if you want to connect to this host. + ''; + }; + + subnets = mkOption { + type = types.listOf (types.submodule subnetSubmodule); + default = [ ]; + description = '' + The subnets which this tinc daemon will serve. This will set this + host's <option>settings.Subnet</option> option. + Tinc tries to look up which other daemon it should send a packet to by + searching the appropriate subnet. If the packet matches a subnet, it + will be sent to the daemon who has this subnet in his host + configuration file. + ''; + }; + + rsaPublicKey = mkOption { + type = types.str; + default = ""; + description = '' + Legacy RSA public key of the host in PEM format, including start and + end markers. + + This will be appended as-is in the host's configuration file. + + The ed25519 public key can be specified using the + <option>settings.Ed25519PublicKey</option> option instead. + ''; + }; + + settings = mkOption { + default = { }; + type = types.submodule { freeformType = tincConfType; }; + description = '' + Configuration for this host. + + See <link xlink:href="https://tinc-vpn.org/documentation-1.1/Host-configuration-variables.html"/> + for supported values. + ''; + }; + }; + + config.settings = { + Address = mkDefault (map + (address: "${address.address} ${toString address.port}") + config.addresses); + + Subnet = mkDefault (map + (subnet: + if subnet.prefixLength == null then "${subnet.address}#${toString subnet.weight}" + else "${subnet.address}/${toString subnet.prefixLength}#${toString subnet.weight}") + config.subnets); + }; + }; + +in { ###### interface @@ -18,7 +161,7 @@ in networks = mkOption { default = { }; - type = with types; attrsOf (submodule { + type = with types; attrsOf (submodule ({ config, ... }: { options = { extraConfig = mkOption { @@ -26,6 +169,9 @@ in type = types.lines; description = '' Extra lines to add to the tinc service configuration file. + + Note that using the declarative <option>service.tinc.networks.<name>.settings</option> + option is preferred. ''; }; @@ -72,6 +218,40 @@ in description = '' The name of the host in the network as well as the configuration for that host. This name should only contain alphanumerics and underscores. + + Note that using the declarative <option>service.tinc.networks.<name>.hostSettings</option> + option is preferred. + ''; + }; + + hostSettings = mkOption { + default = { }; + example = literalExample '' + { + host1 = { + addresses = [ + { address = "192.168.1.42"; } + { address = "192.168.1.42"; port = 1655; } + ]; + subnets = [ { address = "10.0.0.42"; } ]; + rsaPublicKey = "..."; + settings = { + Ed25519PublicKey = "..."; + }; + }; + host2 = { + subnets = [ { address = "10.0.1.0"; prefixLength = 24; weight = 2; } ]; + rsaPublicKey = "..."; + settings = { + Compression = 10; + }; + }; + } + ''; + type = types.attrsOf (types.submodule hostSubmodule); + description = '' + The name of the host in the network as well as the configuration for that host. + This name should only contain alphanumerics and underscores. ''; }; @@ -79,7 +259,7 @@ in default = "tun"; type = types.enum [ "tun" "tap" ]; description = '' - The type of virtual interface used for the network connection + The type of virtual interface used for the network connection. ''; }; @@ -118,8 +298,44 @@ in Note that tinc can't run scripts anymore (such as tinc-down or host-up), unless it is setup to be runnable inside chroot environment. ''; }; + + settings = mkOption { + default = { }; + type = types.submodule { freeformType = tincConfType; }; + example = literalExample '' + { + Interface = "custom.interface"; + DirectOnly = true; + Mode = "switch"; + } + ''; + description = '' + Configuration of the Tinc daemon for this network. + + See <link xlink:href="https://tinc-vpn.org/documentation-1.1/Main-configuration-variables.html"/> + for supported values. + ''; + }; + }; + + config = { + hosts = mapAttrs + (hostname: host: '' + ${toTincConf host.settings} + ${host.rsaPublicKey} + '') + config.hostSettings; + + settings = { + DeviceType = mkDefault config.interfaceType; + Name = mkDefault (if config.name == null then "$HOST" else config.name); + Ed25519PrivateKeyFile = mkIf (config.ed25519PrivateKeyFile != null) (mkDefault config.ed25519PrivateKeyFile); + PrivateKeyFile = mkIf (config.rsaPrivateKeyFile != null) (mkDefault config.rsaPrivateKeyFile); + ListenAddress = mkIf (config.listenAddress != null) (mkDefault config.listenAddress); + BindToAddress = mkIf (config.bindToAddress != null) (mkDefault config.bindToAddress); + }; }; - }); + })); description = '' Defines the tinc networks which will be started. @@ -135,7 +351,7 @@ in config = mkIf (cfg.networks != { }) { - environment.etc = fold (a: b: a // b) { } + environment.etc = foldr (a: b: a // b) { } (flip mapAttrsToList cfg.networks (network: data: flip mapAttrs' data.hosts (host: text: nameValuePair ("tinc/${network}/hosts/${host}") @@ -144,13 +360,7 @@ in "tinc/${network}/tinc.conf" = { mode = "0444"; text = '' - Name = ${if data.name == null then "$HOST" else data.name} - DeviceType = ${data.interfaceType} - ${optionalString (data.ed25519PrivateKeyFile != null) "Ed25519PrivateKeyFile = ${data.ed25519PrivateKeyFile}"} - ${optionalString (data.rsaPrivateKeyFile != null) "PrivateKeyFile = ${data.rsaPrivateKeyFile}"} - ${optionalString (data.listenAddress != null) "ListenAddress = ${data.listenAddress}"} - ${optionalString (data.bindToAddress != null) "BindToAddress = ${data.bindToAddress}"} - Interface = tinc.${network} + ${toTincConf ({ Interface = "tinc.${network}"; } // data.settings)} ${data.extraConfig} ''; }; @@ -168,6 +378,7 @@ in Type = "simple"; Restart = "always"; RestartSec = "3"; + ExecReload = mkIf (versionAtLeast (getVersion data.package) "1.1pre") "${data.package}/bin/tinc -n ${network} reload"; ExecStart = "${data.package}/bin/tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}"; }; preStart = '' @@ -221,4 +432,5 @@ in }; + meta.maintainers = with maintainers; [ minijackson ]; } diff --git a/nixos/modules/services/networking/ucarp.nix b/nixos/modules/services/networking/ucarp.nix new file mode 100644 index 00000000000..9b19a19687b --- /dev/null +++ b/nixos/modules/services/networking/ucarp.nix @@ -0,0 +1,183 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.networking.ucarp; + + ucarpExec = concatStringsSep " " ( + [ + "${cfg.package}/bin/ucarp" + "--interface=${cfg.interface}" + "--srcip=${cfg.srcIp}" + "--vhid=${toString cfg.vhId}" + "--passfile=${cfg.passwordFile}" + "--addr=${cfg.addr}" + "--advbase=${toString cfg.advBase}" + "--advskew=${toString cfg.advSkew}" + "--upscript=${cfg.upscript}" + "--downscript=${cfg.downscript}" + "--deadratio=${toString cfg.deadratio}" + ] + ++ (optional cfg.preempt "--preempt") + ++ (optional cfg.neutral "--neutral") + ++ (optional cfg.shutdown "--shutdown") + ++ (optional cfg.ignoreIfState "--ignoreifstate") + ++ (optional cfg.noMcast "--nomcast") + ++ (optional (cfg.extraParam != null) "--xparam=${cfg.extraParam}") + ); +in { + options.networking.ucarp = { + enable = mkEnableOption "ucarp, userspace implementation of CARP"; + + interface = mkOption { + type = types.str; + description = "Network interface to bind to."; + example = "eth0"; + }; + + srcIp = mkOption { + type = types.str; + description = "Source (real) IP address of this host."; + }; + + vhId = mkOption { + type = types.ints.between 1 255; + description = "Virtual IP identifier shared between CARP hosts."; + example = 1; + }; + + passwordFile = mkOption { + type = types.str; + description = "File containing shared password between CARP hosts."; + example = "/run/keys/ucarp-password"; + }; + + preempt = mkOption { + type = types.bool; + description = '' + Enable preemptive failover. + Thus, this host becomes the CARP master as soon as possible. + ''; + default = false; + }; + + neutral = mkOption { + type = types.bool; + description = "Do not run downscript at start if the host is the backup."; + default = false; + }; + + addr = mkOption { + type = types.str; + description = "Virtual shared IP address."; + }; + + advBase = mkOption { + type = types.ints.unsigned; + description = "Advertisement frequency in seconds."; + default = 1; + }; + + advSkew = mkOption { + type = types.ints.unsigned; + description = "Advertisement skew in seconds."; + default = 0; + }; + + upscript = mkOption { + type = types.path; + description = '' + Command to run after become master, the interface name, virtual address + and optional extra parameters are passed as arguments. + ''; + example = '' + pkgs.writeScript "upscript" ''' + #!/bin/sh + $\{pkgs.iproute2\}/bin/ip addr add "$2"/24 dev "$1" + '''; + ''; + }; + + downscript = mkOption { + type = types.path; + description = '' + Command to run after become backup, the interface name, virtual address + and optional extra parameters are passed as arguments. + ''; + example = '' + pkgs.writeScript "downscript" ''' + #!/bin/sh + $\{pkgs.iproute2\}/bin/ip addr del "$2"/24 dev "$1" + '''; + ''; + }; + + deadratio = mkOption { + type = types.ints.unsigned; + description = "Ratio to consider a host as dead."; + default = 3; + }; + + shutdown = mkOption { + type = types.bool; + description = "Call downscript at exit."; + default = false; + }; + + ignoreIfState = mkOption { + type = types.bool; + description = "Ignore interface state, e.g., down or no carrier."; + default = false; + }; + + noMcast = mkOption { + type = types.bool; + description = "Use broadcast instead of multicast advertisements."; + default = false; + }; + + extraParam = mkOption { + type = types.nullOr types.str; + description = "Extra parameter to pass to the up/down scripts."; + default = null; + }; + + package = mkOption { + type = types.package; + description = '' + Package that should be used for ucarp. + + Please note that the default package, pkgs.ucarp, has not received any + upstream updates for a long time and can be considered as unmaintained. + ''; + default = pkgs.ucarp; + defaultText = "pkgs.ucarp"; + }; + }; + + config = mkIf cfg.enable { + systemd.services.ucarp = { + description = "ucarp, userspace implementation of CARP"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + Type = "exec"; + ExecStart = ucarpExec; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + ProtectClock = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ oxzi ]; +} diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index baed83591e1..6d7178047ea 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -1,50 +1,39 @@ { config, lib, pkgs, ... }: with lib; - let - cfg = config.services.unbound; - stateDir = "/var/lib/unbound"; - - access = concatMapStringsSep "\n " (x: "access-control: ${x} allow") cfg.allowedAccess; - - interfaces = concatMapStringsSep "\n " (x: "interface: ${x}") cfg.interfaces; - - isLocalAddress = x: substring 0 3 x == "::1" || substring 0 9 x == "127.0.0.1"; + yesOrNo = v: if v then "yes" else "no"; - forward = - optionalString (any isLocalAddress cfg.forwardAddresses) '' - do-not-query-localhost: no - '' + - optionalString (cfg.forwardAddresses != []) '' - forward-zone: - name: . - '' + - concatMapStringsSep "\n" (x: " forward-addr: ${x}") cfg.forwardAddresses; + toOption = indent: n: v: "${indent}${toString n}: ${v}"; - rootTrustAnchorFile = "${stateDir}/root.key"; + toConf = indent: n: v: + if builtins.isFloat v then (toOption indent n (builtins.toJSON v)) + else if isInt v then (toOption indent n (toString v)) + else if isBool v then (toOption indent n (yesOrNo v)) + else if isString v then (toOption indent n v) + else if isList v then (concatMapStringsSep "\n" (toConf indent n) v) + else if isAttrs v then (concatStringsSep "\n" ( + ["${indent}${n}:"] ++ ( + mapAttrsToList (toConf "${indent} ") v + ) + )) + else throw (traceSeq v "services.unbound.settings: unexpected type"); - trustAnchor = optionalString cfg.enableRootTrustAnchor - "auto-trust-anchor-file: ${rootTrustAnchorFile}"; + confNoServer = concatStringsSep "\n" ((mapAttrsToList (toConf "") (builtins.removeAttrs cfg.settings [ "server" ])) ++ [""]); + confServer = concatStringsSep "\n" (mapAttrsToList (toConf " ") (builtins.removeAttrs cfg.settings.server [ "define-tag" ])); confFile = pkgs.writeText "unbound.conf" '' server: - directory: "${stateDir}" - username: unbound - chroot: "${stateDir}" - pidfile: "" - ${interfaces} - ${access} - ${trustAnchor} - ${cfg.extraConfig} - ${forward} + ${optionalString (cfg.settings.server.define-tag != "") (toOption " " "define-tag" cfg.settings.server.define-tag)} + ${confServer} + ${confNoServer} ''; -in + rootTrustAnchorFile = "${cfg.stateDir}/root.key"; -{ +in { ###### interface @@ -55,27 +44,35 @@ in package = mkOption { type = types.package; - default = pkgs.unbound; - defaultText = "pkgs.unbound"; + default = pkgs.unbound-with-systemd; + defaultText = "pkgs.unbound-with-systemd"; description = "The unbound package to use"; }; - allowedAccess = mkOption { - default = [ "127.0.0.0/24" ]; - type = types.listOf types.str; - description = "What networks are allowed to use unbound as a resolver."; + user = mkOption { + type = types.str; + default = "unbound"; + description = "User account under which unbound runs."; }; - interfaces = mkOption { - default = [ "127.0.0.1" ] ++ optional config.networking.enableIPv6 "::1"; - type = types.listOf types.str; - description = "What addresses the server should listen on."; + group = mkOption { + type = types.str; + default = "unbound"; + description = "Group under which unbound runs."; }; - forwardAddresses = mkOption { - default = [ ]; - type = types.listOf types.str; - description = "What servers to forward queries to."; + stateDir = mkOption { + default = "/var/lib/unbound"; + description = "Directory holding all state for unbound to run."; + }; + + resolveLocalQueries = mkOption { + type = types.bool; + default = true; + description = '' + Whether unbound should resolve local queries (i.e. add 127.0.0.1 to + /etc/resolv.conf). + ''; }; enableRootTrustAnchor = mkOption { @@ -84,16 +81,81 @@ in description = "Use and update root trust anchor for DNSSEC validation."; }; - extraConfig = mkOption { - default = ""; - type = types.lines; + localControlSocketPath = mkOption { + default = null; + # FIXME: What is the proper type here so users can specify strings, + # paths and null? + # My guess would be `types.nullOr (types.either types.str types.path)` + # but I haven't verified yet. + type = types.nullOr types.str; + example = "/run/unbound/unbound.ctl"; description = '' - Extra unbound config. See - <citerefentry><refentrytitle>unbound.conf</refentrytitle><manvolnum>8 - </manvolnum></citerefentry>. + When not set to <literal>null</literal> this option defines the path + at which the unbound remote control socket should be created at. The + socket will be owned by the unbound user (<literal>unbound</literal>) + and group will be <literal>nogroup</literal>. + + Users that should be permitted to access the socket must be in the + <literal>config.services.unbound.group</literal> group. + + If this option is <literal>null</literal> remote control will not be + enabled. Unbounds default values apply. ''; }; + settings = mkOption { + default = {}; + type = with types; submodule { + + freeformType = let + validSettingsPrimitiveTypes = oneOf [ int str bool float ]; + validSettingsTypes = oneOf [ validSettingsPrimitiveTypes (listOf validSettingsPrimitiveTypes) ]; + settingsType = oneOf [ str (attrsOf validSettingsTypes) ]; + in attrsOf (oneOf [ settingsType (listOf settingsType) ]) + // { description = '' + unbound.conf configuration type. The format consist of an attribute + set of settings. Each settings can be either one value, a list of + values or an attribute set. The allowed values are integers, + strings, booleans or floats. + ''; + }; + + options = { + remote-control.control-enable = mkOption { + type = bool; + default = false; + internal = true; + }; + }; + }; + example = literalExample '' + { + server = { + interface = [ "127.0.0.1" ]; + }; + forward-zone = [ + { + name = "."; + forward-addr = "1.1.1.1@853#cloudflare-dns.com"; + } + { + name = "example.org."; + forward-addr = [ + "1.1.1.1@853#cloudflare-dns.com" + "1.0.0.1@853#cloudflare-dns.com" + ]; + } + ]; + remote-control.control-enable = true; + }; + ''; + description = '' + Declarative Unbound configuration + See the <citerefentry><refentrytitle>unbound.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> manpage for a list of + available options. + ''; + }; }; }; @@ -101,48 +163,151 @@ in config = mkIf cfg.enable { + services.unbound.settings = { + server = { + directory = mkDefault cfg.stateDir; + username = cfg.user; + chroot = ''""''; + pidfile = ''""''; + # when running under systemd there is no need to daemonize + do-daemonize = false; + interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1")); + access-control = mkDefault ([ "127.0.0.0/8 allow" ] ++ (optional config.networking.enableIPv6 "::1/128 allow")); + auto-trust-anchor-file = mkIf cfg.enableRootTrustAnchor rootTrustAnchorFile; + tls-cert-bundle = mkDefault "/etc/ssl/certs/ca-certificates.crt"; + # prevent race conditions on system startup when interfaces are not yet + # configured + ip-freebind = mkDefault true; + define-tag = mkDefault ""; + }; + remote-control = { + control-enable = mkDefault false; + control-interface = mkDefault ([ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1")); + server-key-file = mkDefault "${cfg.stateDir}/unbound_server.key"; + server-cert-file = mkDefault "${cfg.stateDir}/unbound_server.pem"; + control-key-file = mkDefault "${cfg.stateDir}/unbound_control.key"; + control-cert-file = mkDefault "${cfg.stateDir}/unbound_control.pem"; + } // optionalAttrs (cfg.localControlSocketPath != null) { + control-enable = true; + control-interface = cfg.localControlSocketPath; + }; + }; + environment.systemPackages = [ cfg.package ]; - users.users.unbound = { - description = "unbound daemon user"; - isSystemUser = true; + users.users = mkIf (cfg.user == "unbound") { + unbound = { + description = "unbound daemon user"; + isSystemUser = true; + group = cfg.group; + }; + }; + + users.groups = mkIf (cfg.group == "unbound") { + unbound = {}; + }; + + networking = mkIf cfg.resolveLocalQueries { + resolvconf = { + useLocalResolver = mkDefault true; + }; + + networkmanager.dns = "unbound"; }; - networking.resolvconf.useLocalResolver = mkDefault true; + environment.etc."unbound/unbound.conf".source = confFile; systemd.services.unbound = { description = "Unbound recursive Domain Name Server"; after = [ "network.target" ]; before = [ "nss-lookup.target" ]; - wants = [ "nss-lookup.target" ]; - wantedBy = [ "multi-user.target" ]; + wantedBy = [ "multi-user.target" "nss-lookup.target" ]; + + path = mkIf cfg.settings.remote-control.control-enable [ pkgs.openssl ]; preStart = '' - mkdir -m 0755 -p ${stateDir}/dev/ - cp ${confFile} ${stateDir}/unbound.conf ${optionalString cfg.enableRootTrustAnchor '' ${cfg.package}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" - chown unbound ${stateDir} ${rootTrustAnchorFile} ''} - touch ${stateDir}/dev/random - ${pkgs.utillinux}/bin/mount --bind -n /dev/urandom ${stateDir}/dev/random + ${optionalString cfg.settings.remote-control.control-enable '' + ${cfg.package}/bin/unbound-control-setup -d ${cfg.stateDir} + ''} ''; - serviceConfig = { - ExecStart = "${cfg.package}/bin/unbound -d -c ${stateDir}/unbound.conf"; - ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random"; + restartTriggers = [ + confFile + ]; - ProtectSystem = true; - ProtectHome = true; + serviceConfig = { + ExecStart = "${cfg.package}/bin/unbound -p -d -c /etc/unbound/unbound.conf"; + ExecReload = "+/run/current-system/sw/bin/kill -HUP $MAINPID"; + + NotifyAccess = "main"; + Type = "notify"; + + # FIXME: Which of these do we actualy need, can we drop the chroot flag? + AmbientCapabilities = [ + "CAP_NET_BIND_SERVICE" + "CAP_NET_RAW" + "CAP_SETGID" + "CAP_SETUID" + "CAP_SYS_CHROOT" + "CAP_SYS_RESOURCE" + ]; + + User = cfg.user; + Group = cfg.group; + + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; PrivateDevices = true; - Restart = "always"; + PrivateTmp = true; + ProtectHome = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectSystem = "strict"; + RuntimeDirectory = "unbound"; + ConfigurationDirectory = "unbound"; + StateDirectory = "unbound"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ]; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "~@clock" + "@cpu-emulation" + "@debug" + "@keyring" + "@module" + "mount" + "@obsolete" + "@resources" + ]; + RestrictNamespaces = true; + LockPersonality = true; + RestrictSUIDSGID = true; + + Restart = "on-failure"; RestartSec = "5s"; }; }; - - # If networkmanager is enabled, ask it to interface with unbound. - networking.networkmanager.dns = "unbound"; - }; + imports = [ + (mkRenamedOptionModule [ "services" "unbound" "interfaces" ] [ "services" "unbound" "settings" "server" "interface" ]) + (mkChangedOptionModule [ "services" "unbound" "allowedAccess" ] [ "services" "unbound" "settings" "server" "access-control" ] ( + config: map (value: "${value} allow") (getAttrFromPath [ "services" "unbound" "allowedAccess" ] config) + )) + (mkRemovedOptionModule [ "services" "unbound" "forwardAddresses" ] '' + Add a new setting: + services.unbound.settings.forward-zone = [{ + name = "."; + forward-addr = [ # Your current services.unbound.forwardAddresses ]; + }]; + If any of those addresses are local addresses (127.0.0.1 or ::1), you must + also set services.unbound.settings.server.do-not-query-localhost to false. + '') + (mkRemovedOptionModule [ "services" "unbound" "extraConfig" ] '' + You can use services.unbound.settings to add any configuration you want. + '') + ]; } diff --git a/nixos/modules/services/networking/wakeonlan.nix b/nixos/modules/services/networking/wakeonlan.nix index ebfba263cd8..f41b6ec2740 100644 --- a/nixos/modules/services/networking/wakeonlan.nix +++ b/nixos/modules/services/networking/wakeonlan.nix @@ -19,7 +19,7 @@ let ${ethtool} -s ${interface} ${methodParameter {inherit method password;}} ''; - concatStrings = fold (x: y: x + y) ""; + concatStrings = foldr (x: y: x + y) ""; lines = concatStrings (map (l: line l) interfaces); in @@ -51,6 +51,6 @@ in ###### implementation - config.powerManagement.powerDownCommands = lines; + config.powerManagement.powerUpCommands = lines; } diff --git a/nixos/modules/services/networking/wasabibackend.nix b/nixos/modules/services/networking/wasabibackend.nix index 6eacffe709b..8482823e197 100644 --- a/nixos/modules/services/networking/wasabibackend.nix +++ b/nixos/modules/services/networking/wasabibackend.nix @@ -21,7 +21,7 @@ let RegTestBitcoinCoreRpcEndPoint = "${cfg.rpc.ip}:${toString cfg.rpc.port}"; }; - configFile = pkgs.writeText "wasabibackend.conf" (builtins.toJSON confOptions); + configFile = pkgs.writeText "wasabibackend.conf" (builtins.toJSON confOptions); in { diff --git a/nixos/modules/services/networking/wg-quick.nix b/nixos/modules/services/networking/wg-quick.nix index 02fe40a22a1..3b76de58548 100644 --- a/nixos/modules/services/networking/wg-quick.nix +++ b/nixos/modules/services/networking/wg-quick.nix @@ -57,7 +57,7 @@ let preUp = mkOption { example = literalExample '' - ${pkgs.iproute}/bin/ip netns add foo + ${pkgs.iproute2}/bin/ip netns add foo ''; default = ""; type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; @@ -68,7 +68,7 @@ let preDown = mkOption { example = literalExample '' - ${pkgs.iproute}/bin/ip netns del foo + ${pkgs.iproute2}/bin/ip netns del foo ''; default = ""; type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; @@ -79,7 +79,7 @@ let postUp = mkOption { example = literalExample '' - ${pkgs.iproute}/bin/ip netns add foo + ${pkgs.iproute2}/bin/ip netns add foo ''; default = ""; type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; @@ -90,7 +90,7 @@ let postDown = mkOption { example = literalExample '' - ${pkgs.iproute}/bin/ip netns del foo + ${pkgs.iproute2}/bin/ip netns del foo ''; default = ""; type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix index e07020349cf..2b51770a5aa 100644 --- a/nixos/modules/services/networking/wireguard.nix +++ b/nixos/modules/services/networking/wireguard.nix @@ -63,7 +63,7 @@ let preSetup = mkOption { example = literalExample '' - ${pkgs.iproute}/bin/ip netns add foo + ${pkgs.iproute2}/bin/ip netns add foo ''; default = ""; type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; @@ -198,7 +198,32 @@ let example = "demo.wireguard.io:12913"; type = with types; nullOr str; description = ''Endpoint IP or hostname of the peer, followed by a colon, - and then a port number of the peer.''; + and then a port number of the peer. + + Warning for endpoints with changing IPs: + The WireGuard kernel side cannot perform DNS resolution. + Thus DNS resolution is done once by the <literal>wg</literal> userspace + utility, when setting up WireGuard. Consequently, if the IP address + behind the name changes, WireGuard will not notice. + This is especially common for dynamic-DNS setups, but also applies to + any other DNS-based setup. + If you do not use IP endpoints, you likely want to set + <option>networking.wireguard.dynamicEndpointRefreshSeconds</option> + to refresh the IPs periodically. + ''; + }; + + dynamicEndpointRefreshSeconds = mkOption { + default = 0; + example = 5; + type = with types; int; + description = '' + Periodically re-execute the <literal>wg</literal> utility every + this many seconds in order to let WireGuard notice DNS / hostname + changes. + + Setting this to <literal>0</literal> disables periodic reexecution. + ''; }; persistentKeepalive = mkOption { @@ -219,17 +244,6 @@ let }; - generatePathUnit = name: values: - assert (values.privateKey == null); - assert (values.privateKeyFile != null); - nameValuePair "wireguard-${name}" - { - description = "WireGuard Tunnel - ${name} - Private Key"; - requiredBy = [ "wireguard-${name}.service" ]; - before = [ "wireguard-${name}.service" ]; - pathConfig.PathExists = values.privateKeyFile; - }; - generateKeyServiceUnit = name: values: assert values.generatePrivateKeyFile; nameValuePair "wireguard-${name}-key" @@ -238,7 +252,7 @@ let wantedBy = [ "wireguard-${name}.service" ]; requiredBy = [ "wireguard-${name}.service" ]; before = [ "wireguard-${name}.service" ]; - path = with pkgs; [ wireguard ]; + path = with pkgs; [ wireguard-tools ]; serviceConfig = { Type = "oneshot"; @@ -246,22 +260,31 @@ let }; script = '' - mkdir --mode 0644 -p "${dirOf values.privateKeyFile}" + set -e + + # If the parent dir does not already exist, create it. + # Otherwise, does nothing, keeping existing permisions intact. + mkdir -p --mode 0755 "${dirOf values.privateKeyFile}" + if [ ! -f "${values.privateKeyFile}" ]; then - touch "${values.privateKeyFile}" - chmod 0600 "${values.privateKeyFile}" - wg genkey > "${values.privateKeyFile}" - chmod 0400 "${values.privateKeyFile}" + # Write private key file with atomically-correct permissions. + (set -e; umask 077; wg genkey > "${values.privateKeyFile}") fi ''; }; - generatePeerUnit = { interfaceName, interfaceCfg, peer }: + peerUnitServiceName = interfaceName: publicKey: dynamicRefreshEnabled: let keyToUnitName = replaceChars [ "/" "-" " " "+" "=" ] [ "-" "\\x2d" "\\x20" "\\x2b" "\\x3d" ]; - unitName = keyToUnitName peer.publicKey; + unitName = keyToUnitName publicKey; + refreshSuffix = optionalString dynamicRefreshEnabled "-refresh"; + in + "wireguard-${interfaceName}-peer-${unitName}${refreshSuffix}"; + + generatePeerUnit = { interfaceName, interfaceCfg, peer }: + let psk = if peer.presharedKey != null then pkgs.writeText "wg-psk" peer.presharedKey @@ -270,7 +293,12 @@ let dst = interfaceCfg.interfaceNamespace; ip = nsWrap "ip" src dst; wg = nsWrap "wg" src dst; - in nameValuePair "wireguard-${interfaceName}-peer-${unitName}" + dynamicRefreshEnabled = peer.dynamicEndpointRefreshSeconds != 0; + # We generate a different name (a `-refresh` suffix) when `dynamicEndpointRefreshSeconds` + # to avoid that the same service switches `Type` (`oneshot` vs `simple`), + # with the intent to make scripting more obvious. + serviceName = peerUnitServiceName interfaceName peer.publicKey dynamicRefreshEnabled; + in nameValuePair serviceName { description = "WireGuard Peer - ${interfaceName} - ${peer.publicKey}"; requires = [ "wireguard-${interfaceName}.service" ]; @@ -278,38 +306,61 @@ let wantedBy = [ "multi-user.target" "wireguard-${interfaceName}.service" ]; environment.DEVICE = interfaceName; environment.WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"; - path = with pkgs; [ iproute wireguard-tools ]; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; + path = with pkgs; [ iproute2 wireguard-tools ]; + + serviceConfig = + if !dynamicRefreshEnabled + then + { + Type = "oneshot"; + RemainAfterExit = true; + } + else + { + Type = "simple"; # re-executes 'wg' indefinitely + # Note that `Type = "oneshot"` services with `RemainAfterExit = true` + # cannot be used with systemd timers (see `man systemd.timer`), + # which is why `simple` with a loop is the best choice here. + # It also makes starting and stopping easiest. + }; script = let - wg_setup = "${wg} set ${interfaceName} peer ${peer.publicKey}" + - optionalString (psk != null) " preshared-key ${psk}" + - optionalString (peer.endpoint != null) " endpoint ${peer.endpoint}" + - optionalString (peer.persistentKeepalive != null) " persistent-keepalive ${toString peer.persistentKeepalive}" + - optionalString (peer.allowedIPs != []) " allowed-ips ${concatStringsSep "," peer.allowedIPs}"; + wg_setup = concatStringsSep " " ( + [ ''${wg} set ${interfaceName} peer "${peer.publicKey}"'' ] + ++ optional (psk != null) ''preshared-key "${psk}"'' + ++ optional (peer.endpoint != null) ''endpoint "${peer.endpoint}"'' + ++ optional (peer.persistentKeepalive != null) ''persistent-keepalive "${toString peer.persistentKeepalive}"'' + ++ optional (peer.allowedIPs != []) ''allowed-ips "${concatStringsSep "," peer.allowedIPs}"'' + ); route_setup = optionalString interfaceCfg.allowedIPsAsRoutes (concatMapStringsSep "\n" (allowedIP: - "${ip} route replace ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}" + ''${ip} route replace "${allowedIP}" dev "${interfaceName}" table "${interfaceCfg.table}"'' ) peer.allowedIPs); in '' ${wg_setup} ${route_setup} + + ${optionalString (peer.dynamicEndpointRefreshSeconds != 0) '' + # Re-execute 'wg' periodically to notice DNS / hostname changes. + # Note this will not time out on transient DNS failures such as DNS names + # because we have set 'WG_ENDPOINT_RESOLUTION_RETRIES=infinity'. + # Also note that 'wg' limits its maximum retry delay to 20 seconds as of writing. + while ${wg_setup}; do + sleep "${toString peer.dynamicEndpointRefreshSeconds}"; + done + ''} ''; postStop = let route_destroy = optionalString interfaceCfg.allowedIPsAsRoutes (concatMapStringsSep "\n" (allowedIP: - "${ip} route delete ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}" + ''${ip} route delete "${allowedIP}" dev "${interfaceName}" table "${interfaceCfg.table}"'' ) peer.allowedIPs); in '' - ${wg} set ${interfaceName} peer ${peer.publicKey} remove + ${wg} set "${interfaceName}" peer "${peer.publicKey}" remove ${route_destroy} ''; }; @@ -333,7 +384,7 @@ let after = [ "network.target" "network-online.target" ]; wantedBy = [ "multi-user.target" ]; environment.DEVICE = name; - path = with pkgs; [ kmod iproute wireguard-tools ]; + path = with pkgs; [ kmod iproute2 wireguard-tools ]; serviceConfig = { Type = "oneshot"; @@ -345,23 +396,25 @@ let ${values.preSetup} - ${ipPreMove} link add dev ${name} type wireguard - ${optionalString (values.interfaceNamespace != null && values.interfaceNamespace != values.socketNamespace) "${ipPreMove} link set ${name} netns ${ns}"} + ${ipPreMove} link add dev "${name}" type wireguard + ${optionalString (values.interfaceNamespace != null && values.interfaceNamespace != values.socketNamespace) ''${ipPreMove} link set "${name}" netns "${ns}"''} ${concatMapStringsSep "\n" (ip: - "${ipPostMove} address add ${ip} dev ${name}" + ''${ipPostMove} address add "${ip}" dev "${name}"'' ) values.ips} - ${wg} set ${name} private-key ${privKey} ${ - optionalString (values.listenPort != null) " listen-port ${toString values.listenPort}"} + ${concatStringsSep " " ( + [ ''${wg} set "${name}" private-key "${privKey}"'' ] + ++ optional (values.listenPort != null) ''listen-port "${toString values.listenPort}"'' + )} - ${ipPostMove} link set up dev ${name} + ${ipPostMove} link set up dev "${name}" ${values.postSetup} ''; postStop = '' - ${ipPostMove} link del dev ${name} + ${ipPostMove} link del dev "${name}" ${values.postShutdown} ''; }; @@ -371,7 +424,7 @@ let nsList = filter (ns: ns != null) [ src dst ]; ns = last nsList; in - if (length nsList > 0 && ns != "init") then "ip netns exec ${ns} ${cmd}" else cmd; + if (length nsList > 0 && ns != "init") then ''ip netns exec "${ns}" "${cmd}"'' else cmd; in { @@ -445,9 +498,6 @@ in // (mapAttrs' generateKeyServiceUnit (filterAttrs (name: value: value.generatePrivateKeyFile) cfg.interfaces)); - systemd.paths = mapAttrs' generatePathUnit - (filterAttrs (name: value: value.privateKeyFile != null) cfg.interfaces); - }); } diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 08a17d20ed7..c0a4ce40760 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -3,6 +3,10 @@ with lib; let + package = if cfg.allowAuxiliaryImperativeNetworks + then pkgs.wpa_supplicant_ro_ssids + else pkgs.wpa_supplicant; + cfg = config.networking.wireless; configFile = if cfg.networks != {} || cfg.extraConfig != "" || cfg.userControlled.enable then pkgs.writeText "wpa_supplicant.conf" '' ${optionalString cfg.userControlled.enable '' @@ -14,8 +18,8 @@ let then ''"${psk}"'' else pskRaw; baseAuth = if key != null - then ''psk=${key}'' - else ''key_mgmt=NONE''; + then "psk=${key}" + else "key_mgmt=NONE"; in '' network={ ssid="${ssid}" @@ -38,6 +42,11 @@ in { description = '' The interfaces <command>wpa_supplicant</command> will use. If empty, it will automatically use all wireless interfaces. + <warning><para> + The automatic discovery of interfaces does not work reliably on boot: + it may fail and leave the system without network. When possible, specify + a known interface name. + </para></warning> ''; }; @@ -47,6 +56,16 @@ in { description = "Force a specific wpa_supplicant driver."; }; + allowAuxiliaryImperativeNetworks = mkEnableOption "support for imperative & declarative networks" // { + description = '' + Whether to allow configuring networks "imperatively" (e.g. via + <package>wpa_supplicant_gui</package>) and declaratively via + <xref linkend="opt-networking.wireless.networks" />. + + Please note that this adds a custom patch to <package>wpa_supplicant</package>. + ''; + }; + networks = mkOption { type = types.attrsOf (types.submodule { options = { @@ -211,9 +230,17 @@ in { message = ''options networking.wireless."${name}".{psk,pskRaw,auth} are mutually exclusive''; }); - environment.systemPackages = [ pkgs.wpa_supplicant ]; + warnings = + optional (cfg.interfaces == [] && config.systemd.services.wpa_supplicant.wantedBy != []) + '' + No network interfaces for wpa_supplicant have been configured: the service + may randomly fail to start at boot. You should specify at least one using the option + networking.wireless.interfaces. + ''; + + environment.systemPackages = [ package ]; - services.dbus.packages = [ pkgs.wpa_supplicant ]; + services.dbus.packages = [ package ]; services.udev.packages = [ pkgs.crda ]; # FIXME: start a separate wpa_supplicant instance per interface. @@ -230,10 +257,17 @@ in { wantedBy = [ "multi-user.target" ]; stopIfChanged = false; - path = [ pkgs.wpa_supplicant ]; + path = [ package ]; - script = '' - iface_args="-s -u -D${cfg.driver} -c ${configFile}" + script = let + configStr = if cfg.allowAuxiliaryImperativeNetworks + then "-c /etc/wpa_supplicant.conf -I ${configFile}" + else "-c ${configFile}"; + in '' + if [ -f /etc/wpa_supplicant.conf -a "/etc/wpa_supplicant.conf" != "${configFile}" ] + then echo >&2 "<3>/etc/wpa_supplicant.conf present but ignored. Generated ${configFile} is used instead." + fi + iface_args="-s -u -D${cfg.driver} ${configStr}" ${if ifaces == [] then '' for i in $(cd /sys/class/net && echo *); do DEVTYPE= diff --git a/nixos/modules/services/networking/x2goserver.nix b/nixos/modules/services/networking/x2goserver.nix new file mode 100644 index 00000000000..48020fc1cec --- /dev/null +++ b/nixos/modules/services/networking/x2goserver.nix @@ -0,0 +1,161 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.x2goserver; + + defaults = { + superenicer = { enable = cfg.superenicer.enable; }; + }; + confText = generators.toINI {} (recursiveUpdate defaults cfg.settings); + x2goServerConf = pkgs.writeText "x2goserver.conf" confText; + + x2goAgentOptions = pkgs.writeText "x2goagent.options" '' + X2GO_NXOPTIONS="" + X2GO_NXAGENT_DEFAULT_OPTIONS="${concatStringsSep " " cfg.nxagentDefaultOptions}" + ''; + +in { + imports = [ + (mkRenamedOptionModule [ "programs" "x2goserver" ] [ "services" "x2goserver" ]) + ]; + + options.services.x2goserver = { + enable = mkEnableOption "x2goserver" // { + description = '' + Enables the x2goserver module. + NOTE: This will create a good amount of symlinks in `/usr/local/bin` + ''; + }; + + superenicer = { + enable = mkEnableOption "superenicer" // { + description = '' + Enables the SupeReNicer code in x2gocleansessions, this will renice + suspended sessions to nice level 19 and renice them to level 0 if the + session becomes marked as running again + ''; + }; + }; + + nxagentDefaultOptions = mkOption { + type = types.listOf types.str; + default = [ "-extension GLX" "-nolisten tcp" ]; + example = [ "-extension GLX" "-nolisten tcp" ]; + description = '' + List of default nx agent options. + ''; + }; + + settings = mkOption { + type = types.attrsOf types.attrs; + default = {}; + description = '' + x2goserver.conf ini configuration as nix attributes. See + `x2goserver.conf(5)` for details + ''; + example = literalExample '' + superenicer = { + "enable" = "yes"; + "idle-nice-level" = 19; + }; + telekinesis = { "enable" = "no"; }; + ''; + }; + }; + + config = mkIf cfg.enable { + + # x2goserver can run X11 program even if "services.xserver.enable = false" + xdg = { + autostart.enable = true; + menus.enable = true; + mime.enable = true; + icons.enable = true; + }; + + environment.systemPackages = [ pkgs.x2goserver ]; + + users.groups.x2go = {}; + users.users.x2go = { + home = "/var/lib/x2go/db"; + group = "x2go"; + isSystemUser = true; + }; + + security.wrappers.x2gosqliteWrapper = { + source = "${pkgs.x2goserver}/lib/x2go/libx2go-server-db-sqlite3-wrapper.pl"; + owner = "x2go"; + group = "x2go"; + setgid = true; + }; + security.wrappers.x2goprintWrapper = { + source = "${pkgs.x2goserver}/bin/x2goprint"; + owner = "x2go"; + group = "x2go"; + setgid = true; + }; + + systemd.tmpfiles.rules = with pkgs; [ + "d /var/lib/x2go/ - x2go x2go - -" + "d /var/lib/x2go/db - x2go x2go - -" + "d /var/lib/x2go/conf - x2go x2go - -" + "d /run/x2go 0755 x2go x2go - -" + ] ++ + # x2goclient sends SSH commands with preset PATH set to + # "/usr/local/bin;/usr/bin;/bin". Since we cannot filter arbitrary ssh + # commands, we have to make the following executables available. + map (f: "L+ /usr/local/bin/${f} - - - - ${x2goserver}/bin/${f}") [ + "x2goagent" "x2gobasepath" "x2gocleansessions" "x2gocmdexitmessage" + "x2godbadmin" "x2gofeature" "x2gofeaturelist" "x2gofm" "x2gogetapps" + "x2gogetservers" "x2golistdesktops" "x2golistmounts" "x2golistsessions" + "x2golistsessions_root" "x2golistshadowsessions" "x2gomountdirs" + "x2gopath" "x2goprint" "x2goresume-desktopsharing" "x2goresume-session" + "x2goruncommand" "x2goserver-run-extensions" "x2gosessionlimit" + "x2gosetkeyboard" "x2goshowblocks" "x2gostartagent" + "x2gosuspend-desktopsharing" "x2gosuspend-session" + "x2goterminate-desktopsharing" "x2goterminate-session" + "x2goumount-session" "x2goversion" + ] ++ [ + "L+ /usr/local/bin/awk - - - - ${gawk}/bin/awk" + "L+ /usr/local/bin/chmod - - - - ${coreutils}/bin/chmod" + "L+ /usr/local/bin/cp - - - - ${coreutils}/bin/cp" + "L+ /usr/local/bin/sed - - - - ${gnused}/bin/sed" + "L+ /usr/local/bin/setsid - - - - ${util-linux}/bin/setsid" + "L+ /usr/local/bin/xrandr - - - - ${xorg.xrandr}/bin/xrandr" + "L+ /usr/local/bin/xmodmap - - - - ${xorg.xmodmap}/bin/xmodmap" + ]; + + systemd.services.x2goserver = { + description = "X2Go Server Daemon"; + wantedBy = [ "multi-user.target" ]; + unitConfig.Documentation = "man:x2goserver.conf(5)"; + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.x2goserver}/bin/x2gocleansessions"; + PIDFile = "/run/x2go/x2goserver.pid"; + User = "x2go"; + Group = "x2go"; + RuntimeDirectory = "x2go"; + StateDirectory = "x2go"; + }; + preStart = '' + if [ ! -e /var/lib/x2go/setup_ran ] + then + mkdir -p /var/lib/x2go/conf + cp -r ${pkgs.x2goserver}/etc/x2go/* /var/lib/x2go/conf/ + ln -sf ${x2goServerConf} /var/lib/x2go/conf/x2goserver.conf + ln -sf ${x2goAgentOptions} /var/lib/x2go/conf/x2goagent.options + ${pkgs.x2goserver}/bin/x2godbadmin --createdb + touch /var/lib/x2go/setup_ran + fi + ''; + }; + + # https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=276 + security.sudo.extraConfig = '' + Defaults env_keep+=QT_GRAPHICSSYSTEM + ''; + }; +} diff --git a/nixos/modules/services/networking/xrdp.nix b/nixos/modules/services/networking/xrdp.nix index b7dd1c5d99d..9be7c3233e2 100644 --- a/nixos/modules/services/networking/xrdp.nix +++ b/nixos/modules/services/networking/xrdp.nix @@ -61,6 +61,12 @@ in ''; }; + openFirewall = mkOption { + default = false; + type = types.bool; + description = "Whether to open the firewall for the specified RDP port."; + }; + sslKey = mkOption { type = types.str; default = "/etc/xrdp/key.pem"; @@ -99,6 +105,8 @@ in config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + # xrdp can run X11 program even if "services.xserver.enable = false" xdg = { autostart.enable = true; diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix index a71c635c9f6..47a7152f6fe 100644 --- a/nixos/modules/services/networking/yggdrasil.nix +++ b/nixos/modules/services/networking/yggdrasil.nix @@ -64,7 +64,7 @@ in { type = types.str; default = "root"; example = "wheel"; - description = "Group to grant acces to the Yggdrasil control socket."; + description = "Group to grant access to the Yggdrasil control socket."; }; openMulticastPort = mkOption { @@ -122,12 +122,11 @@ in { system.activationScripts.yggdrasil = mkIf cfg.persistentKeys '' if [ ! -e ${keysPath} ] then - mkdir -p ${builtins.dirOf keysPath} + mkdir --mode=700 -p ${builtins.dirOf keysPath} ${binYggdrasil} -genconf -json \ | ${pkgs.jq}/bin/jq \ 'to_entries|map(select(.key|endswith("Key")))|from_entries' \ > ${keysPath} - chmod 600 ${keysPath} fi ''; diff --git a/nixos/modules/services/networking/zerobin.nix b/nixos/modules/services/networking/zerobin.nix index 78de246a816..16db25d6230 100644 --- a/nixos/modules/services/networking/zerobin.nix +++ b/nixos/modules/services/networking/zerobin.nix @@ -88,7 +88,7 @@ in enable = true; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = "${pkgs.pythonPackages.zerobin}/bin/zerobin ${cfg.listenAddress} ${toString cfg.listenPort} false ${cfg.user} ${cfg.group} ${zerobin_config}"; + serviceConfig.ExecStart = "${pkgs.zerobin}/bin/zerobin ${cfg.listenAddress} ${toString cfg.listenPort} false ${cfg.user} ${cfg.group} ${zerobin_config}"; serviceConfig.PrivateTmp="yes"; serviceConfig.User = cfg.user; serviceConfig.Group = cfg.group; diff --git a/nixos/modules/services/networking/znc/default.nix b/nixos/modules/services/networking/znc/default.nix index a7315896c50..b872b99976c 100644 --- a/nixos/modules/services/networking/znc/default.nix +++ b/nixos/modules/services/networking/znc/default.nix @@ -103,8 +103,8 @@ in }; dataDir = mkOption { - default = "/var/lib/znc/"; - example = "/home/john/.znc/"; + default = "/var/lib/znc"; + example = "/home/john/.znc"; type = types.path; description = '' The state directory for ZNC. The config and the modules will be linked @@ -133,8 +133,8 @@ in Nick = "paul"; AltNick = "paul1"; LoadModule = [ "chansaver" "controlpanel" ]; - Network.freenode = { - Server = "chat.freenode.net +6697"; + Network.libera = { + Server = "irc.libera.chat +6697"; LoadModule = [ "simple_away" ]; Chan = { "#nixos" = { Detached = false; }; @@ -258,6 +258,34 @@ in ExecStart = "${pkgs.znc}/bin/znc --foreground --datadir ${cfg.dataDir} ${escapeShellArgs cfg.extraFlags}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID"; + # Hardening + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = [ cfg.dataDir ]; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + UMask = "0027"; }; preStart = '' mkdir -p ${cfg.dataDir}/configs @@ -271,9 +299,8 @@ in # Ensure essential files exist. if [[ ! -f ${cfg.dataDir}/configs/znc.conf ]]; then echo "No znc.conf file found in ${cfg.dataDir}. Creating one now." - cp --no-clobber ${cfg.configFile} ${cfg.dataDir}/configs/znc.conf + cp --no-preserve=ownership --no-clobber ${cfg.configFile} ${cfg.dataDir}/configs/znc.conf chmod u+rw ${cfg.dataDir}/configs/znc.conf - chown ${cfg.user} ${cfg.dataDir}/configs/znc.conf fi if [[ ! -f ${cfg.dataDir}/znc.pem ]]; then diff --git a/nixos/modules/services/networking/znc/options.nix b/nixos/modules/services/networking/znc/options.nix index 048dbd73863..be9dc78c86d 100644 --- a/nixos/modules/services/networking/znc/options.nix +++ b/nixos/modules/services/networking/znc/options.nix @@ -11,7 +11,7 @@ let server = mkOption { type = types.str; - example = "chat.freenode.net"; + example = "irc.libera.chat"; description = '' IRC server address. ''; @@ -44,7 +44,7 @@ let modules = mkOption { type = types.listOf types.str; default = [ "simple_away" ]; - example = literalExample "[ simple_away sasl ]"; + example = literalExample ''[ "simple_away" "sasl" ]''; description = '' ZNC network modules to load. ''; @@ -150,8 +150,8 @@ in ''; example = literalExample '' { - "freenode" = { - server = "chat.freenode.net"; + "libera" = { + server = "irc.libera.chat"; port = 6697; useSSL = true; modules = [ "simple_away" ]; |