From cc864af9282963af7a7711961aea77e04dcf87e7 Mon Sep 17 00:00:00 2001 From: Jörg Thalheim Date: Fri, 9 Dec 2016 10:48:54 +0100 Subject: bird: refactor module - syntax check before deploying configuration - remove unnecessary static uid/gid (configuration is opened as root) - add service hardening --- nixos/modules/services/networking/bird.nix | 122 ++++++++++++++--------------- 1 file changed, 57 insertions(+), 65 deletions(-) (limited to 'nixos/modules/services/networking/bird.nix') diff --git a/nixos/modules/services/networking/bird.nix b/nixos/modules/services/networking/bird.nix index e76cdac14ca..174354c9eb4 100644 --- a/nixos/modules/services/networking/bird.nix +++ b/nixos/modules/services/networking/bird.nix 
@@ -1,76 +1,68 @@
 { config, lib, pkgs, ... }:
 let
- inherit (lib) mkEnableOption mkIf mkOption singleton types;
- inherit (pkgs) bird;
- cfg = config.services.bird;
-
- configFile = pkgs.writeText "bird.conf" ''
- ${cfg.config}
- '';
-in
-
-{
-
- ###### interface
-
- options = {
-
- services.bird = {
-
- enable = mkEnableOption "BIRD Internet Routing Daemon";
-
- config = mkOption {
- type = types.string;
- description = ''
- BIRD Internet Routing Daemon configuration file.
-
+ inherit (lib) mkEnableOption mkIf mkOption types;
+
+ generic = variant:
+ let
+ cfg = config.services.${variant};
+ pkg = pkgs.${variant};
+ birdc = if variant == "bird6" then "birdc6" else "birdc";
+ configFile = pkgs.stdenv.mkDerivation {
+ name = "${variant}.conf";
+ text = cfg.config;
+ preferLocalBuild = true;
+ buildCommand = ''
+ echo -n "$text" > $out
+ ${pkg}/bin/${variant} -d -p -c $out
 '';
 };
-
- user = mkOption {
- type = types.string;
- default = "bird";
- description = ''
- BIRD Internet Routing Daemon user.
- '';
+ in {
+ ###### interface
+ options = {
+ services.${variant} = {
+ enable = mkEnableOption "BIRD Internet Routing Daemon";
+ config = mkOption {
+ type = types.lines;
+ description = ''
+ BIRD Internet Routing Daemon configuration file.
+
+ '';
+ };
+ };
 };
- group = mkOption {
- type = types.string;
- default = "bird";
- description = ''
- BIRD Internet Routing Daemon group.
- '';
+ ###### implementation
+ config = mkIf cfg.enable {
+ systemd.services.${variant} = {
+ description = "BIRD Internet Routing Daemon";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "forking";
+ Restart = "on-failure";
+ ExecStart = "${pkg}/bin/${variant} -c ${configFile} -u ${variant} -g ${variant}";
+ ExecReload = "${pkg}/bin/${birdc} configure";
+ ExecStop = "${pkg}/bin/${birdc} down";
+ CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" "CAP_SETUID" "CAP_SETGID"
+ # see bird/sysdep/linux/syspriv.h
+ "CAP_NET_BIND_SERVICE" "CAP_NET_BROADCAST" "CAP_NET_ADMIN" "CAP_NET_RAW" ];
+ ProtectSystem = "full";
+ ProtectHome = "yes";
+ SystemCallFilter="~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
+ MemoryDenyWriteExecute = "yes";
+ };
+ };
+ users = {
+ extraUsers.${variant} = {
+ description = "BIRD Internet Routing Daemon user";
+ group = "${variant}";
+ };
+ extraGroups.${variant} = {};
+ };
 };
- };
- };
-
-
- ###### implementation
-
- config = mkIf cfg.enable {
-
- users.extraUsers = singleton {
- name = cfg.user;
- description = "BIRD Internet Routing Daemon user";
- uid = config.ids.uids.bird;
- group = cfg.group;
- };
-
- users.extraGroups = singleton {
- name = cfg.group;
- gid = config.ids.gids.bird;
- };
-
- systemd.services.bird = {
- description = "BIRD Internet Routing Daemon";
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- ExecStart = "${bird}/bin/bird -d -c ${configFile} -s /var/run/bird.ctl -u ${cfg.user} -g ${cfg.group}";
- };
- };
- };
+ inherit (config.services) bird bird6;
+in {
+ imports = [(generic "bird") (generic "bird6")];
 }
-- cgit 1.4.1
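Review bot: The new `configFile` derivation hands the entire routing configuration to the builder through the `text` environment variable and writes it with `echo -n "$text" > $out`, so a large config (long prefix lists or filters) can exceed Linux's per-string limit on exec arguments and environment (128 KiB) and fail to build; `passAsFile = [ "text" ];` together with `cp "$textPath" $out` in `buildCommand` sidesteps the limit and keeps the `-d -p -c $out` syntax check as it is. The hardened unit still starts the daemon as root and keeps CAP_CHOWN, CAP_FOWNER, CAP_DAC_OVERRIDE, CAP_SETUID and CAP_SETGID in the bounding set only so that bird can drop to `${variant}` itself; if the packaged bird runs correctly unprivileged, `User = variant; Group = variant; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_NET_BROADCAST" "CAP_NET_ADMIN" "CAP_NET_RAW" ];` (plus a writable control-socket location, e.g. `RuntimeDirectory`) would let the `-u`/`-g` flags and the five non-network capabilities go — worth verifying on both variants before changing. Dropping the `services.bird.user` and `services.bird.group` options outright means any existing configuration that sets them now fails evaluation with a generic "option does not exist" error; a `mkRemovedOptionModule` entry for each would give users a pointed message instead. The trailing `inherit (config.services) bird bird6;` in the outer `let` appears unused, since `generic` reads `config.services.${variant}` directly, and could be removed.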