Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/corerad.nix | 46 | ||||
-rw-r--r-- | nixos/modules/services/networking/knot.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/kresd.nix | 34 | ||||
-rw-r--r-- | nixos/modules/services/networking/matterbridge.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/syncthing.nix | 18 | ||||
-rw-r--r-- | nixos/modules/services/networking/zerotierone.nix | 10 |
6 files changed, 102 insertions, 10 deletions
diff --git a/nixos/modules/services/networking/corerad.nix b/nixos/modules/services/networking/corerad.nix
new file mode 100644
index 00000000000..1a2c4aec665
--- /dev/null
+++ b/nixos/modules/services/networking/corerad.nix
@@ -0,0 +1,46 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.corerad;
+in {
+ meta = {
+ maintainers = with maintainers; [ mdlayher ];
+ };
+
+ options.services.corerad = {
+ enable = mkEnableOption "CoreRAD IPv6 NDP RA daemon";
+
+ configFile = mkOption {
+ type = types.path;
+ example = literalExample "\"\${pkgs.corerad}/etc/corerad/corerad.toml\"";
+ description = "Path to CoreRAD TOML configuration file.";
+ };
+
+ package = mkOption {
+ default = pkgs.corerad;
+ defaultText = literalExample "pkgs.corerad";
+ type = types.package;
+ description = "CoreRAD package to use.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.corerad = {
+ description = "CoreRAD IPv6 NDP RA daemon";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ LimitNPROC = 512;
+ LimitNOFILE = 1048576;
+ CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
+ AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";
+ NoNewPrivileges = true;
+ DynamicUser = true;
+ ExecStart = "${getBin cfg.package}/bin/corerad -c=${cfg.configFile}";
+ Restart = "on-failure";
+ };
+ };
+ };
+}
diff --git a/nixos/modules/services/networking/knot.nix b/nixos/modules/services/networking/knot.nix
index 1cc1dd3f2f6..47364ecb846 100644
--- a/nixos/modules/services/networking/knot.nix
+++ b/nixos/modules/services/networking/knot.nix
@@ -56,6 +56,7 @@ in {
 package = mkOption {
 type = types.package;
 default = pkgs.knot-dns;
+ defaultText = "pkgs.knot-dns";
 description = ''
 Which Knot DNS package to use
 '';
@@ -92,4 +93,3 @@ in {
 environment.systemPackages = [ knot-cli-wrappers ];
 };
 }
-
diff --git a/nixos/modules/services/networking/kresd.nix b/nixos/modules/services/networking/kresd.nix
index 5eb50a13ca9..bb941e93e15 100644
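Review bot: The corerad unit in the new file hands the daemon CAP_NET_ADMIN and CAP_NET_RAW and relies on DynamicUser plus NoNewPrivileges for isolation, but adds none of the further sandboxing that the syncthing hunk in this same change applies, so a compromised daemon still has module loading, namespaces and realtime scheduling available. `ProtectKernelModules = true;`, `RestrictNamespaces = true;` and `RestrictRealtime = true;` in serviceConfig should be safe for a router-advertisement daemon, and `RestrictAddressFamilies` could be narrowed once the address families the binary actually opens (presumably AF_INET6, AF_NETLINK and AF_UNIX) are confirmed. Separately, `configFile` is `types.path` with no default, and a path outside the Nix store has to be readable by the transient DynamicUser account; the option description could say so.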
--- a/nixos/modules/services/networking/kresd.nix
+++ b/nixos/modules/services/networking/kresd.nix
@@ -5,12 +5,15 @@ with lib;
 let
 cfg = config.services.kresd;
- package = pkgs.knot-resolver;
+ configFile = pkgs.writeText "kresd.conf" ''
+ ${optionalString (cfg.listenDoH != []) "modules.load('http')"}
+ ${cfg.extraConfig};
+ '';
- configFile = pkgs.writeText "kresd.conf" cfg.extraConfig;
-in
-
-{
+ package = pkgs.knot-resolver.override {
+ extraFeatures = cfg.listenDoH != [];
+ };
+in {
 meta.maintainers = [ maintainers.vcunat /* upstream developer */ ];
 imports = [
@@ -67,6 +70,15 @@ in
 For detailed syntax see ListenStream in man systemd.socket.
 '';
 };
+ listenDoH = mkOption {
+ type = with types; listOf str;
+ default = [];
+ example = [ "198.51.100.1:443" "[2001:db8::1]:443" "443" ];
+ description = ''
+ Addresses and ports on which kresd should provide DNS over HTTPS (see RFC 7858).
+ For detailed syntax see ListenStream in man systemd.socket.
+ '';
+ };
 # TODO: perhaps options for more common stuff like cache size or forwarding
 };
@@ -104,6 +116,18 @@ in
 };
 };
+ systemd.sockets.kresd-doh = mkIf (cfg.listenDoH != []) rec {
+ wantedBy = [ "sockets.target" ];
+ before = wantedBy;
+ partOf = [ "kresd.socket" ];
+ listenStreams = cfg.listenDoH;
+ socketConfig = {
+ FileDescriptorName = "doh";
+ FreeBind = true;
+ Service = "kresd.service";
+ };
+ };
+
 systemd.sockets.kresd-control = rec {
 wantedBy = [ "sockets.target" ];
 before = wantedBy;
diff --git a/nixos/modules/services/networking/matterbridge.nix b/nixos/modules/services/networking/matterbridge.nix
index bad35133459..b8b4f37c84a 100644
--- a/nixos/modules/services/networking/matterbridge.nix
+++ b/nixos/modules/services/networking/matterbridge.nix
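Review bot: In the new configFile template, `${cfg.extraConfig};` appends a bare semicolon after the user's extraConfig, which the replaced `pkgs.writeText "kresd.conf" cfg.extraConfig` did not; with listenDoH empty and an empty extraConfig the generated file consists of a lone `;`, and the Lua parser kresd uses may well reject an empty statement (not verified here). Unless the semicolon is intentional, `${cfg.extraConfig}` alone keeps the old behaviour and avoids the edge case.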
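Review bot: The listenDoH description cites RFC 7858, which is DNS over TLS; DNS over HTTPS is RFC 8484, so the line should read `Addresses and ports on which kresd should provide DNS over HTTPS (see RFC 8484).` Setting the option only loads the http module (first hunk) and nothing in the change supplies a certificate or key, so kresd will presumably serve the new listener with its default ephemeral self-signed certificate until the user configures one through extraConfig; the description should say that, since DoH clients will not trust such an endpoint by default.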
@@ -111,7 +111,7 @@ in
 serviceConfig = {
 User = cfg.user;
 Group = cfg.group;
- ExecStart = "${pkgs.matterbridge.bin}/bin/matterbridge -conf ${matterbridgeConfToml}";
+ ExecStart = "${pkgs.matterbridge}/bin/matterbridge -conf ${matterbridgeConfToml}";
 Restart = "always";
 RestartSec = "10";
 };
diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix
index 47b10e408c0..5b3eb6f04b4 100644
--- a/nixos/modules/services/networking/syncthing.nix
+++ b/nixos/modules/services/networking/syncthing.nix
@@ -484,6 +484,24 @@ in {
 -gui-address=${cfg.guiAddress} \
 -home=${cfg.configDir}
 '';
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ CapabilityBoundingSet = [
+ "~CAP_SYS_PTRACE" "~CAP_SYS_ADMIN"
+ "~CAP_SETGID" "~CAP_SETUID" "~CAP_SETPCAP"
+ "~CAP_SYS_TIME" "~CAP_KILL"
+ ];
 };
 };
 syncthing-init = mkIf (
diff --git a/nixos/modules/services/networking/zerotierone.nix b/nixos/modules/services/networking/zerotierone.nix
index 764af3846fe..069e15a909b 100644
--- a/nixos/modules/services/networking/zerotierone.nix
+++ b/nixos/modules/services/networking/zerotierone.nix
@@ -38,10 +38,13 @@ in
 config = mkIf cfg.enable {
 systemd.services.zerotierone = {
 description = "ZeroTierOne";
- path = [ cfg.package ];
- bindsTo = [ "network-online.target" ];
- after = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ wants = [ "network-online.target" ];
+
+ path = [ cfg.package ];
+
 preStart = ''
 mkdir -p /var/lib/zerotier-one/networks.d
 chmod 700 /var/lib/zerotier-one
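Review bot: The hardening added to syncthing's serviceConfig restricts no system-call architectures and no socket address families, so the sandbox still allows non-native syscall ABIs and any socket family; `SystemCallArchitectures = "native";` and `RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";` would close the more common gaps (AF_NETLINK is included because Go's interface enumeration uses it, which syncthing's local discovery presumably relies on — confirm before merging), and `LockPersonality = true;` is low-risk alongside `MemoryDenyWriteExecute`. ProtectSystem and ProtectHome are presumably left out on purpose because syncthing must write the directories it syncs; a short comment saying so would keep the next reviewer from adding them. The `CapabilityBoundingSet` list with `~`-prefixed entries is rendered as several `CapabilityBoundingSet=` lines, which systemd merges, so that part is fine as written. The enclosing serviceConfig attribute set begins before the hunk.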
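Review bot: In the zerotierone hunk, `wants = [ "network-online.target" ];` paired with `after = [ "network.target" ];` only pulls network-online.target in; without an ordering dependency the service can start before the network is actually up, which the replaced `bindsTo`/`after` pair did prevent. If waiting for the network is still intended, the ordering has to be stated too: `after = [ "network.target" "network-online.target" ];`. The hunk's line counts suggest one trailing context line is missing from this page, so the preStart block continues past what is visible.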
@@ -53,6 +56,7 @@ in
 ExecStart = "${cfg.package}/bin/zerotier-one -p${toString cfg.port}";
 Restart = "always";
 KillMode = "process";
+ TimeoutStopSec = 5;
 };
 }; |