diff options
Diffstat (limited to 'nixos/modules/services/networking')
23 files changed, 567 insertions, 59 deletions
diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix index 56113bd3459..3933ed5a231 100644 --- a/nixos/modules/services/networking/avahi-daemon.nix +++ b/nixos/modules/services/networking/avahi-daemon.nix @@ -106,13 +106,14 @@ in default = true; description = lib.mdDoc '' Whether to open the firewall for UDP port 5353. + Disabling this setting also disables discovering of network devices. ''; }; allowPointToPoint = mkOption { type = types.bool; default = false; - description= lib.mdDoc '' + description = lib.mdDoc '' Whether to use POINTTOPOINT interfaces. Might make mDNS unreliable due to usually large latencies with such links and opens a potential security hole by allowing mDNS access from Internet connections. diff --git a/nixos/modules/services/networking/cloudflared.nix b/nixos/modules/services/networking/cloudflared.nix new file mode 100644 index 00000000000..c8fc9fafee6 --- /dev/null +++ b/nixos/modules/services/networking/cloudflared.nix @@ -0,0 +1,332 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.cloudflared; + + originRequest = { + connectTimeout = mkOption { + type = with types; nullOr str; + default = null; + example = "30s"; + description = lib.mdDoc '' + Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by [https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/#tlstimeout](tlsTimeout). + ''; + }; + + tlsTimeout = mkOption { + type = with types; nullOr str; + default = null; + example = "10s"; + description = lib.mdDoc '' + Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. + ''; + }; + + tcpKeepAlive = mkOption { + type = with types; nullOr str; + default = null; + example = "30s"; + description = lib.mdDoc '' + The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. + ''; + }; + + noHappyEyeballs = mkOption { + type = with types; nullOr bool; + default = null; + example = false; + description = lib.mdDoc '' + Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. + ''; + }; + + keepAliveConnections = mkOption { + type = with types; nullOr int; + default = null; + example = 100; + description = lib.mdDoc '' + Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. + ''; + }; + + keepAliveTimeout = mkOption { + type = with types; nullOr str; + default = null; + example = "1m30s"; + description = lib.mdDoc '' + Timeout after which an idle keepalive connection can be discarded. + ''; + }; + + httpHostHeader = mkOption { + type = with types; nullOr str; + default = null; + example = ""; + description = lib.mdDoc '' + Sets the HTTP `Host` header on requests sent to the local service. + ''; + }; + + originServerName = mkOption { + type = with types; nullOr str; + default = null; + example = ""; + description = lib.mdDoc '' + Hostname that `cloudflared` should expect from your origin server certificate. + ''; + }; + + caPool = mkOption { + type = with types; nullOr (either str path); + default = null; + example = ""; + description = lib.mdDoc '' + Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. + ''; + }; + + noTLSVerify = mkOption { + type = with types; nullOr bool; + default = null; + example = false; + description = lib.mdDoc '' + Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. + ''; + }; + + disableChunkedEncoding = mkOption { + type = with types; nullOr bool; + default = null; + example = false; + description = lib.mdDoc '' + Disables chunked transfer encoding. Useful if you are running a WSGI server. + ''; + }; + + proxyAddress = mkOption { + type = with types; nullOr str; + default = null; + example = "127.0.0.1"; + description = lib.mdDoc '' + `cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures the listen address for that proxy. + ''; + }; + + proxyPort = mkOption { + type = with types; nullOr int; + default = null; + example = 0; + description = lib.mdDoc '' + `cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures the listen port for that proxy. If set to zero, an unused port will randomly be chosen. + ''; + }; + + proxyType = mkOption { + type = with types; nullOr (enum [ "" "socks" ]); + default = null; + example = ""; + description = lib.mdDoc '' + `cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: + + - `""` for the regular proxy + - `"socks"` for a SOCKS5 proxy. Refer to the [https://developers.cloudflare.com/cloudflare-one/tutorials/kubectl/](tutorial on connecting through Cloudflare Access using kubectl) for more information. + ''; + }; + }; +in +{ + options.services.cloudflared = { + enable = mkEnableOption (lib.mdDoc "Cloudflare Tunnel client daemon (formerly Argo Tunnel)"); + + user = mkOption { + type = types.str; + default = "cloudflared"; + description = lib.mdDoc "User account under which Cloudflared runs."; + }; + + group = mkOption { + type = types.str; + default = "cloudflared"; + description = lib.mdDoc "Group under which cloudflared runs."; + }; + + package = mkOption { + type = types.package; + default = pkgs.cloudflared; + defaultText = "pkgs.cloudflared"; + description = lib.mdDoc "The package to use for Cloudflared."; + }; + + tunnels = mkOption { + description = lib.mdDoc '' + Cloudflare tunnels. + ''; + type = types.attrsOf (types.submodule ({ name, ... }: { + options = { + inherit originRequest; + + credentialsFile = mkOption { + type = with types; nullOr str; + default = null; + description = lib.mdDoc '' + Credential file. + + See [https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-useful-terms/#credentials-file](Credentials file). + ''; + }; + + warp-routing = { + enabled = mkOption { + type = with types; nullOr bool; + default = null; + description = lib.mdDoc '' + Enable warp routing. + + See [https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel/](Connect from WARP to a private network on Cloudflare using Cloudflare Tunnel). + ''; + }; + }; + + default = mkOption { + type = with types; nullOr str; + default = null; + description = lib.mdDoc '' + Catch-all service if no ingress matches. + + See `service`. + ''; + example = "http_status:404"; + }; + + ingress = mkOption { + type = with types; attrsOf (either str (submodule ({ hostname, ... }: { + options = { + inherit originRequest; + + service = mkOption { + type = with types; nullOr str; + default = null; + description = lib.mdDoc '' + Service to pass the traffic. + + See [https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/#supported-protocols](Supported protocols). + ''; + example = "http://localhost:80, tcp://localhost:8000, unix:/home/production/echo.sock, hello_world or http_status:404"; + }; + + path = mkOption { + type = with types; nullOr str; + default = null; + description = lib.mdDoc '' + Path filter. + + If not specified, all paths will be matched. + ''; + example = "/*.(jpg|png|css|js)"; + }; + + }; + }))); + default = { }; + description = lib.mdDoc '' + Ingress rules. + + See [https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/](Ingress rules). + ''; + example = { + "*.domain.com" = "http://localhost:80"; + "*.anotherone.com" = "http://localhost:80"; + }; + }; + }; + })); + + default = { }; + example = { + "00000000-0000-0000-0000-000000000000" = { + credentialsFile = "/tmp/test"; + ingress = { + "*.domain1.com" = { + service = "http://localhost:80"; + }; + }; + default = "http_status:404"; + }; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.targets = + mapAttrs' + (name: tunnel: + nameValuePair "cloudflared-tunnel-${name}" ({ + description = lib.mdDoc "Cloudflare tunnel '${name}' target"; + requires = [ "cloudflared-tunnel-${name}.service" ]; + after = [ "cloudflared-tunnel-${name}.service" ]; + unitConfig.StopWhenUnneeded = true; + }) + ) + config.services.cloudflared.tunnels; + + systemd.services = + mapAttrs' + (name: tunnel: + let + filterConfig = lib.attrsets.filterAttrsRecursive (_: v: ! builtins.elem v [ null [ ] { } ]); + + filterIngressSet = filterAttrs (_: v: builtins.typeOf v == "set"); + filterIngressStr = filterAttrs (_: v: builtins.typeOf v == "string"); + + ingressesSet = filterIngressSet tunnel.ingress; + ingressesStr = filterIngressStr tunnel.ingress; + + fullConfig = { + tunnel = name; + "credentials-file" = tunnel.credentialsFile; + ingress = + (map + (key: { + hostname = key; + } // getAttr key (filterConfig (filterConfig ingressesSet))) + (attrNames ingressesSet)) + ++ + (map + (key: { + hostname = key; + service = getAttr key ingressesStr; + }) + (attrNames ingressesStr)) + ++ [{ service = tunnel.default; }]; + }; + mkConfigFile = pkgs.writeText "cloudflared.yml" (builtins.toJSON fullConfig); + in + nameValuePair "cloudflared-tunnel-${name}" ({ + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = "${cfg.package}/bin/cloudflared tunnel --config=${mkConfigFile} --no-autoupdate run"; + Restart = "always"; + }; + }) + ) + config.services.cloudflared.tunnels; + + users.users = mkIf (cfg.user == "cloudflared") { + cloudflared = { + group = cfg.group; + isSystemUser = true; + }; + }; + + users.groups = mkIf (cfg.group == "cloudflared") { + cloudflared = { }; + }; + }; + + meta.maintainers = with maintainers; [ bbigras ]; +} diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix index 5c32817979a..4d843641f58 100644 --- a/nixos/modules/services/networking/ddclient.nix +++ b/nixos/modules/services/networking/ddclient.nix @@ -71,7 +71,7 @@ with lib; package = mkOption { type = package; default = pkgs.ddclient; - defaultText = "pkgs.ddclient"; + defaultText = lib.literalExpression "pkgs.ddclient"; description = lib.mdDoc '' The ddclient executable package run by the service. ''; diff --git a/nixos/modules/services/networking/dnsmasq.nix b/nixos/modules/services/networking/dnsmasq.nix index cfc37b74b9a..4886654e8c0 100644 --- a/nixos/modules/services/networking/dnsmasq.nix +++ b/nixos/modules/services/networking/dnsmasq.nix @@ -7,15 +7,27 @@ let dnsmasq = pkgs.dnsmasq; stateDir = "/var/lib/dnsmasq"; + # True values are just put as `name` instead of `name=true`, and false values + # are turned to comments (false values are expected to be overrides e.g. + # mkForce) + formatKeyValue = + name: value: + if value == true + then name + else if value == false + then "# setting `${name}` explicitly set to false" + else generators.mkKeyValueDefault { } "=" name value; + + settingsFormat = pkgs.formats.keyValue { + mkKeyValue = formatKeyValue; + listsAsDuplicateKeys = true; + }; + + # Because formats.generate is outputting a file, we use of conf-file. Once + # `extraConfig` is deprecated we can just use + # `dnsmasqConf = format.generate "dnsmasq.conf" cfg.settings` dnsmasqConf = pkgs.writeText "dnsmasq.conf" '' - dhcp-leasefile=${stateDir}/dnsmasq.leases - ${optionalString cfg.resolveLocalQueries '' - conf-file=/etc/dnsmasq-conf.conf - resolv-file=/etc/dnsmasq-resolv.conf - ''} - ${flip concatMapStrings cfg.servers (server: '' - server=${server} - '')} + conf-file=${settingsFormat.generate "dnsmasq.conf" cfg.settings} ${cfg.extraConfig} ''; @@ -23,6 +35,10 @@ in { + imports = [ + (mkRenamedOptionModule [ "services" "dnsmasq" "servers" ] [ "services" "dnsmasq" "settings" "server" ]) + ]; + ###### interface options = { @@ -46,15 +62,6 @@ in ''; }; - servers = mkOption { - type = types.listOf types.str; - default = []; - example = [ "8.8.8.8" "8.8.4.4" ]; - description = lib.mdDoc '' - The DNS servers which dnsmasq should query. - ''; - }; - alwaysKeepRunning = mkOption { type = types.bool; default = false; @@ -63,12 +70,49 @@ in ''; }; + settings = mkOption { + type = types.submodule { + + freeformType = settingsFormat.type; + + options.server = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "8.8.8.8" "8.8.4.4" ]; + description = lib.mdDoc '' + The DNS servers which dnsmasq should query. + ''; + }; + + }; + default = { }; + description = lib.mdDoc '' + Configuration of dnsmasq. Lists get added one value per line (empty + lists and false values don't get added, though false values get + turned to comments). Gets merged with + + { + dhcp-leasefile = "${stateDir}/dnsmasq.leases"; + conf-file = optional cfg.resolveLocalQueries "/etc/dnsmasq-conf.conf"; + resolv-file = optional cfg.resolveLocalQueries "/etc/dnsmasq-resolv.conf"; + } + ''; + example = literalExpression '' + { + domain-needed = true; + dhcp-range = [ "192.168.0.2,192.168.0.254" ]; + } + ''; + }; + extraConfig = mkOption { type = types.lines; default = ""; description = lib.mdDoc '' Extra configuration directives that should be added to `dnsmasq.conf`. + + This option is deprecated, please use {option}`settings` instead. ''; }; @@ -81,6 +125,14 @@ in config = mkIf cfg.enable { + warnings = lib.optional (cfg.extraConfig != "") "Text based config is deprecated, dnsmasq now supports `services.dnsmasq.settings` for an attribute-set based config"; + + services.dnsmasq.settings = { + dhcp-leasefile = mkDefault "${stateDir}/dnsmasq.leases"; + conf-file = mkDefault (optional cfg.resolveLocalQueries "/etc/dnsmasq-conf.conf"); + resolv-file = mkDefault (optional cfg.resolveLocalQueries "/etc/dnsmasq-resolv.conf"); + }; + networking.nameservers = optional cfg.resolveLocalQueries "127.0.0.1"; diff --git a/nixos/modules/services/networking/ergochat.nix b/nixos/modules/services/networking/ergochat.nix index 1a70b1f8613..a003512677e 100644 --- a/nixos/modules/services/networking/ergochat.nix +++ b/nixos/modules/services/networking/ergochat.nix @@ -17,10 +17,10 @@ in { configFile = lib.mkOption { type = lib.types.path; default = (pkgs.formats.yaml {}).generate "ergo.conf" cfg.settings; - defaultText = "generated config file from <literal>.settings</literal>"; + defaultText = lib.literalMD "generated config file from `settings`"; description = lib.mdDoc '' Path to configuration file. - Setting this will skip any configuration done via `.settings` + Setting this will skip any configuration done via `settings` ''; }; diff --git a/nixos/modules/services/networking/mmsd.nix b/nixos/modules/services/networking/mmsd.nix new file mode 100644 index 00000000000..7e262a9326c --- /dev/null +++ b/nixos/modules/services/networking/mmsd.nix @@ -0,0 +1,38 @@ +{ pkgs, lib, config, ... }: +with lib; +let + cfg = config.services.mmsd; + dbusServiceFile = pkgs.writeTextDir "share/dbus-1/services/org.ofono.mms.service" '' + [D-BUS Service] + Name=org.ofono.mms + SystemdService=dbus-org.ofono.mms.service + + # Exec= is still required despite SystemdService= being used: + # https://github.com/freedesktop/dbus/blob/ef55a3db0d8f17848f8a579092fb05900cc076f5/test/data/systemd-activation/com.example.SystemdActivatable1.service + Exec=${pkgs.coreutils}/bin/false mmsd + ''; +in +{ + options.services.mmsd = { + enable = mkEnableOption (mdDoc "Multimedia Messaging Service Daemon"); + extraArgs = mkOption { + type = with types; listOf str; + description = mdDoc "Extra arguments passed to `mmsd-tng`"; + default = []; + example = ["--debug"]; + }; + }; + config = mkIf cfg.enable { + services.dbus.packages = [ dbusServiceFile ]; + systemd.user.services.mmsd = { + after = [ "ModemManager.service" ]; + aliases = [ "dbus-org.ofono.mms.service" ]; + serviceConfig = { + Type = "dbus"; + ExecStart = "${pkgs.mmsd-tng}/bin/mmsdtng " + escapeShellArgs cfg.extraArgs; + BusName = "org.ofono.mms"; + Restart = "on-failure"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/morty.nix b/nixos/modules/services/networking/morty.nix index 4b20c34cfc9..72514764a7c 100644 --- a/nixos/modules/services/networking/morty.nix +++ b/nixos/modules/services/networking/morty.nix @@ -50,7 +50,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 3000; description = lib.mdDoc "Listing port"; }; diff --git a/nixos/modules/services/networking/multipath.nix b/nixos/modules/services/networking/multipath.nix index cb6b6db272c..54ee2a01568 100644 --- a/nixos/modules/services/networking/multipath.nix +++ b/nixos/modules/services/networking/multipath.nix @@ -28,7 +28,7 @@ in { type = package; description = lib.mdDoc "multipath-tools package to use"; default = pkgs.multipath-tools; - defaultText = "pkgs.multipath-tools"; + defaultText = lib.literalExpression "pkgs.multipath-tools"; }; devices = mkOption { diff --git a/nixos/modules/services/networking/nomad.nix b/nixos/modules/services/networking/nomad.nix index 5e5d9469efc..890ee0b7d8d 100644 --- a/nixos/modules/services/networking/nomad.nix +++ b/nixos/modules/services/networking/nomad.nix @@ -67,7 +67,7 @@ in Additional plugins dir used to configure nomad. ''; example = literalExpression '' - [ "<pluginDir>" "pkgs.<plugins-name>"] + [ "<pluginDir>" pkgs.<plugins-name> ] ''; }; diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix index 57da208bd7a..0ded9265209 100644 --- a/nixos/modules/services/networking/nsd.nix +++ b/nixos/modules/services/networking/nsd.nix @@ -588,7 +588,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 53; description = lib.mdDoc '' Port the service should bind do. @@ -825,7 +825,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 8952; description = lib.mdDoc '' Port number for remote control operations (uses TLS over TCP). diff --git a/nixos/modules/services/networking/nylon.nix b/nixos/modules/services/networking/nylon.nix index 6ed832b6fa1..401dbe97c52 100644 --- a/nixos/modules/services/networking/nylon.nix +++ b/nixos/modules/services/networking/nylon.nix @@ -81,7 +81,7 @@ let }; port = mkOption { - type = types.int; + type = types.port; default = 1080; description = lib.mdDoc '' What port to listen for client requests, default is 1080. diff --git a/nixos/modules/services/networking/pdns-recursor.nix b/nixos/modules/services/networking/pdns-recursor.nix index 473c2a1f1fb..2f07cefc736 100644 --- a/nixos/modules/services/networking/pdns-recursor.nix +++ b/nixos/modules/services/networking/pdns-recursor.nix @@ -38,7 +38,7 @@ in { }; dns.port = mkOption { - type = types.int; + type = types.port; default = 53; description = lib.mdDoc '' Port number Recursor DNS server will bind to. @@ -67,7 +67,7 @@ in { }; api.port = mkOption { - type = types.int; + type = types.port; default = 8082; description = lib.mdDoc '' Port number Recursor REST API server will bind to. diff --git a/nixos/modules/services/networking/redsocks.nix b/nixos/modules/services/networking/redsocks.nix index 85ae3125ded..45feb1313c9 100644 --- a/nixos/modules/services/networking/redsocks.nix +++ b/nixos/modules/services/networking/redsocks.nix @@ -81,7 +81,7 @@ in }; port = mkOption { - type = types.int; + type = types.port; default = 12345; description = lib.mdDoc "Port on which redsocks should listen."; }; diff --git a/nixos/modules/services/networking/resilio.nix b/nixos/modules/services/networking/resilio.nix index cc9495bf238..7f6358d00d0 100644 --- a/nixos/modules/services/networking/resilio.nix +++ b/nixos/modules/services/networking/resilio.nix @@ -52,17 +52,22 @@ let runConfigPath = "/run/rslsync/config.json"; - createConfig = pkgs.writeShellScriptBin "create-resilio-config" '' - ${pkgs.jq}/bin/jq \ - '.shared_folders |= map(.secret = $ARGS.named[.dir])' \ - ${ - lib.concatMapStringsSep " \\\n " - (entry: ''--arg '${entry.dir}' "$(cat '${entry.secretFile}')"'') - sharedFoldersSecretFiles - } \ - <${configFile} \ - >${runConfigPath} - ''; + createConfig = pkgs.writeShellScriptBin "create-resilio-config" ( + if cfg.sharedFolders != [ ] then '' + ${pkgs.jq}/bin/jq \ + '.shared_folders |= map(.secret = $ARGS.named[.dir])' \ + ${ + lib.concatMapStringsSep " \\\n " + (entry: ''--arg '${entry.dir}' "$(cat '${entry.secretFile}')"'') + sharedFoldersSecretFiles + } \ + <${configFile} \ + >${runConfigPath} + '' else '' + # no secrets, passing through config + cp ${configFile} ${runConfigPath}; + '' + ); in { diff --git a/nixos/modules/services/networking/sabnzbd.nix b/nixos/modules/services/networking/sabnzbd.nix index 8486be1bc66..8f3545df899 100644 --- a/nixos/modules/services/networking/sabnzbd.nix +++ b/nixos/modules/services/networking/sabnzbd.nix @@ -20,7 +20,7 @@ in package = mkOption { type = types.package; default = pkgs.sabnzbd; - defaultText = "pkgs.sabnzbd"; + defaultText = lib.literalExpression "pkgs.sabnzbd"; description = lib.mdDoc "The sabnzbd executable package run by the service."; }; diff --git a/nixos/modules/services/networking/supplicant.nix b/nixos/modules/services/networking/supplicant.nix index 0a48e73932e..13d84736e2c 100644 --- a/nixos/modules/services/networking/supplicant.nix +++ b/nixos/modules/services/networking/supplicant.nix @@ -13,7 +13,7 @@ let serviceName = iface: "supplicant-${if (iface=="WLAN") then "wlan@" else ( if (iface=="LAN") then "lan@" else ( if (iface=="DBUS") then "dbus" - else (replaceChars [" "] ["-"] iface)))}"; + else (replaceStrings [" "] ["-"] iface)))}"; # TODO: Use proper privilege separation for wpa_supplicant supplicantService = iface: suppl: @@ -27,7 +27,7 @@ let driverArg = optionalString (suppl.driver != null) "-D${suppl.driver}"; bridgeArg = optionalString (suppl.bridge!="") "-b${suppl.bridge}"; confFileArg = optionalString (suppl.configFile.path!=null) "-c${suppl.configFile.path}"; - extraConfFile = pkgs.writeText "supplicant-extra-conf-${replaceChars [" "] ["-"] iface}" '' + extraConfFile = pkgs.writeText "supplicant-extra-conf-${replaceStrings [" "] ["-"] iface}" '' ${optionalString suppl.userControlled.enable "ctrl_interface=DIR=${suppl.userControlled.socketDir} GROUP=${suppl.userControlled.group}"} ${optionalString suppl.configFile.writable "update_config=1"} ${suppl.extraConf} @@ -223,7 +223,7 @@ in text = '' ${flip (concatMapStringsSep "\n") (filter (n: n!="WLAN" && n!="LAN" && n!="DBUS") (attrNames cfg)) (iface: flip (concatMapStringsSep "\n") (splitString " " iface) (i: '' - ACTION=="add", SUBSYSTEM=="net", ENV{INTERFACE}=="${i}", TAG+="systemd", ENV{SYSTEMD_WANTS}+="supplicant-${replaceChars [" "] ["-"] iface}.service", TAG+="SUPPLICANT_ASSIGNED"''))} + ACTION=="add", SUBSYSTEM=="net", ENV{INTERFACE}=="${i}", TAG+="systemd", ENV{SYSTEMD_WANTS}+="supplicant-${replaceStrings [" "] ["-"] iface}.service", TAG+="SUPPLICANT_ASSIGNED"''))} ${optionalString (hasAttr "WLAN" cfg) '' ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", TAG!="SUPPLICANT_ASSIGNED", TAG+="systemd", PROGRAM="/run/current-system/systemd/bin/systemd-escape -p %E{INTERFACE}", ENV{SYSTEMD_WANTS}+="supplicant-wlan@$result.service" diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix index 26997dd9601..233bfdf9ebf 100644 --- a/nixos/modules/services/networking/tailscale.nix +++ b/nixos/modules/services/networking/tailscale.nix @@ -4,10 +4,7 @@ with lib; let cfg = config.services.tailscale; - firewallOn = config.networking.firewall.enable; - rpfMode = config.networking.firewall.checkReversePath; isNetworkd = config.networking.useNetworkd; - rpfIsStrict = rpfMode == true || rpfMode == "strict"; in { meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ]; @@ -38,14 +35,23 @@ in { defaultText = literalExpression "pkgs.tailscale"; description = lib.mdDoc "The package to use for tailscale"; }; + + useRoutingFeatures = mkOption { + type = types.enum [ "none" "client" "server" "both" ]; + default = "none"; + example = "server"; + description = lib.mdDoc '' + Enables settings required for Tailscale's routing features like subnet routers and exit nodes. + + To use these these features, you will still need to call `sudo tailscale up` with the relevant flags like `--advertise-exit-node` and `--exit-node`. + + When set to `client` or `both`, reverse path filtering will be set to loose instead of strict. + When set to `server` or `both`, IP forwarding will be enabled. + ''; + }; }; config = mkIf cfg.enable { - warnings = optional (firewallOn && rpfIsStrict) '' - Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting: - - networking.firewall.checkReversePath = "loose"; - ''; environment.systemPackages = [ cfg.package ]; # for the CLI systemd.packages = [ cfg.package ]; systemd.services.tailscaled = { @@ -75,6 +81,13 @@ in { stopIfChanged = false; }; + boot.kernel.sysctl = mkIf (cfg.useRoutingFeatures == "server" || cfg.useRoutingFeatures == "both") { + "net.ipv4.conf.all.forwarding" = mkDefault true; + "net.ipv6.conf.all.forwarding" = mkDefault true; + }; + + networking.firewall.checkReversePath = mkIf (cfg.useRoutingFeatures == "client" || cfg.useRoutingFeatures == "both") "loose"; + networking.dhcpcd.denyInterfaces = [ cfg.interfaceName ]; systemd.network.networks."50-tailscale" = mkIf isNetworkd { diff --git a/nixos/modules/services/networking/tmate-ssh-server.nix b/nixos/modules/services/networking/tmate-ssh-server.nix index 1b8f6662ef4..f7740b1ddfc 100644 --- a/nixos/modules/services/networking/tmate-ssh-server.nix +++ b/nixos/modules/services/networking/tmate-ssh-server.nix @@ -44,7 +44,7 @@ in openFirewall = mkOption { type = types.bool; - default = true; + default = false; description = mdDoc "Whether to automatically open the specified ports in the firewall."; }; diff --git a/nixos/modules/services/networking/twingate.nix b/nixos/modules/services/networking/twingate.nix new file mode 100644 index 00000000000..17140bffd21 --- /dev/null +++ b/nixos/modules/services/networking/twingate.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.twingate; + +in { + + options.services.twingate = { + enable = mkEnableOption (lib.mdDoc "Twingate Client daemon"); + }; + + config = mkIf cfg.enable { + + networking.firewall.checkReversePath = lib.mkDefault false; + networking.networkmanager.enable = true; + + environment.systemPackages = [ pkgs.twingate ]; # for the CLI + systemd.packages = [ pkgs.twingate ]; + + systemd.services.twingate.preStart = '' + cp -r -n ${pkgs.twingate}/etc/twingate/. /etc/twingate/ + ''; + + systemd.services.twingate.wantedBy = [ "multi-user.target" ]; + }; +} diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix index d30f7c89633..f04242d4ab5 100644 --- a/nixos/modules/services/networking/unifi.nix +++ b/nixos/modules/services/networking/unifi.nix @@ -24,8 +24,8 @@ in services.unifi.jrePackage = mkOption { type = types.package; - default = pkgs.jre8; - defaultText = literalExpression "pkgs.jre8"; + default = if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.3") then pkgs.jdk11 else pkgs.jre8; + defaultText = literalExpression ''if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.3" then pkgs.jdk11 else pkgs.jre8''; description = lib.mdDoc '' The JRE package to use. Check the release notes to ensure it is supported. ''; diff --git a/nixos/modules/services/networking/v2raya.nix b/nixos/modules/services/networking/v2raya.nix new file mode 100644 index 00000000000..2d697b4fb56 --- /dev/null +++ b/nixos/modules/services/networking/v2raya.nix @@ -0,0 +1,39 @@ +{ config, pkgs, lib, ... }: + +with lib; + +{ + options = { + services.v2raya = { + enable = options.mkEnableOption (mdDoc "the v2rayA service"); + }; + }; + + config = mkIf config.services.v2raya.enable { + environment.systemPackages = [ pkgs.v2raya ]; + + systemd.services.v2raya = { + unitConfig = { + Description = "v2rayA service"; + Documentation = "https://github.com/v2rayA/v2rayA/wiki"; + After = [ "network.target" "nss-lookup.target" "iptables.service" "ip6tables.service" ]; + Wants = [ "network.target" ]; + }; + + serviceConfig = { + User = "root"; + ExecStart = "${getExe pkgs.v2raya} --log-disable-timestamp"; + Environment = [ "V2RAYA_LOG_FILE=/var/log/v2raya/v2raya.log" ]; + LimitNPROC = 500; + LimitNOFILE = 1000000; + Restart = "on-failure"; + Type = "simple"; + }; + + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ iptables bash iproute2 ]; # required by v2rayA TProxy functionality + }; + }; + + meta.maintainers = with maintainers; [ elliot ]; +} diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix index ce5616672c1..9c13f8b847d 100644 --- a/nixos/modules/services/networking/wireguard.nix +++ b/nixos/modules/services/networking/wireguard.nix @@ -315,7 +315,7 @@ let peerUnitServiceName = interfaceName: publicKey: dynamicRefreshEnabled: let - keyToUnitName = replaceChars + keyToUnitName = replaceStrings [ "/" "-" " " "+" "=" ] [ "-" "\\x2d" "\\x20" "\\x2b" "\\x3d" ]; unitName = keyToUnitName publicKey; diff --git a/nixos/modules/services/networking/znc/options.nix b/nixos/modules/services/networking/znc/options.nix index ce8e7a89a4d..bd67ec86d51 100644 --- a/nixos/modules/services/networking/znc/options.nix +++ b/nixos/modules/services/networking/znc/options.nix @@ -18,7 +18,7 @@ let }; port = mkOption { - type = types.ints.u16; + type = types.port; default = 6697; description = lib.mdDoc '' IRC server port. @@ -188,7 +188,7 @@ in port = mkOption { default = 5000; - type = types.int; + type = types.port; description = lib.mdDoc '' Specifies the port on which to listen. ''; |