From caf70ceed4f6184a046f3ff6e5dd694b0545ef1b Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Mon, 12 Jul 2021 01:34:06 +0200
Subject: nixos/kea: init
---
 nixos/modules/module-list.nix | 1 +
 nixos/modules/services/networking/kea.nix | 361 ++++++++++++++++++++++++++++++
 2 files changed, 362 insertions(+)
 create mode 100644 nixos/modules/services/networking/kea.nix
(limited to 'nixos')
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index f510f395161..28f36ca82b9 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -727,6 +727,7 @@
 ./services/networking/iwd.nix
 ./services/networking/jicofo.nix
 ./services/networking/jitsi-videobridge.nix
+ ./services/networking/kea.nix
 ./services/networking/keepalived/default.nix
 ./services/networking/keybase.nix
 ./services/networking/kippo.nix
diff --git a/nixos/modules/services/networking/kea.nix b/nixos/modules/services/networking/kea.nix
new file mode 100644
index 00000000000..72773b83a49
--- /dev/null
+++ b/nixos/modules/services/networking/kea.nix
@@ -0,0 +1,361 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+
+with lib;
+
+let
+ cfg = config.services.kea;
+
+ format = pkgs.formats.json {};
+
+ ctrlAgentConfig = format.generate "kea-ctrl-agent.conf" {
+ Control-agent = cfg.ctrl-agent.settings;
+ };
+ dhcp4Config = format.generate "kea-dhcp4.conf" {
+ Dhcp4 = cfg.dhcp4.settings;
+ };
+ dhcp6Config = format.generate "kea-dhcp6.conf" {
+ Dhcp6 = cfg.dhcp6.settings;
+ };
+ dhcpDdnsConfig = format.generate "kea-dhcp-ddns.conf" {
+ DhcpDdns = cfg.dhcp-ddns.settings;
+ };
+
+ package = pkgs.kea;
+in
+{
+ options.services.kea = with types; {
+ ctrl-agent = mkOption {
+ description = ''
+ Kea Control Agent configuration
+ '';
+ default = {};
+ type = submodule {
+ options = {
+ enable = mkEnableOption "Kea Control Agent";
+
+ extraArgs = mkOption {
+ type = listOf str;
+ default = [];
+ description = ''
+ List of additonal arguments to pass to the daemon.
+ '';
+ };
+
+ settings = mkOption {
+ type = format.type;
+ default = null;
+ description = ''
+ Kea Control Agent configuration as an attribute set, see .
+ '';
+ };
+ };
+ };
+ };
+
+ dhcp4 = mkOption {
+ description = ''
+ DHCP4 Server configuration
+ '';
+ default = {};
+ type = submodule {
+ options = {
+ enable = mkEnableOption "Kea DHCP4 server";
+
+ extraArgs = mkOption {
+ type = listOf str;
+ default = [];
+ description = ''
+ List of additonal arguments to pass to the daemon.
+ '';
+ };
+
+ settings = mkOption {
+ type = format.type;
+ default = null;
+ example = {
+ valid-lifetime = 4000;
+ renew-timer = 1000;
+ rebind-timer = 2000;
+ interfaces-config = {
+ interfaces = [
+ "eth0"
+ ];
+ };
+ lease-database = {
+ type = "memfile";
+ persist = true;
+ name = "/var/lib/kea/dhcp4.leases";
+ };
+ subnet4 = [ {
+ subnet = "192.0.2.0/24";
+ pools = [ {
+ pool = "192.0.2.100 - 192.0.2.240";
+ } ];
+ } ];
+ };
+ description = ''
+ Kea DHCP4 configuration as an attribute set, see .
+ '';
+ };
+ };
+ };
+ };
+
+ dhcp6 = mkOption {
+ description = ''
+ DHCP6 Server configuration
+ '';
+ default = {};
+ type = submodule {
+ options = {
+ enable = mkEnableOption "Kea DHCP6 server";
+
+ extraArgs = mkOption {
+ type = listOf str;
+ default = [];
+ description = ''
+ List of additonal arguments to pass to the daemon.
+ '';
+ };
+
+ settings = mkOption {
+ type = format.type;
+ default = null;
+ example = {
+ valid-lifetime = 4000;
+ renew-timer = 1000;
+ rebind-timer = 2000;
+ preferred-lifetime = 3000;
+ interfaces-config = {
+ interfaces = [
+ "eth0"
+ ];
+ };
+ lease-database = {
+ type = "memfile";
+ persist = true;
+ name = "/var/lib/kea/dhcp6.leases";
+ };
+ subnet6 = [ {
+ subnet = "2001:db8:1::/64";
+ pools = [ {
+ pool = "2001:db8:1::1-2001:db8:1::ffff";
+ } ];
+ } ];
+ };
+ description = ''
+ Kea DHCP6 configuration as an attribute set, see .
+ '';
+ };
+ };
+ };
+ };
+
+ dhcp-ddns = mkOption {
+ description = ''
+ Kea DHCP-DDNS configuration
+ '';
+ default = {};
+ type = submodule {
+ options = {
+ enable = mkEnableOption "Kea DDNS server";
+
+ extraArgs = mkOption {
+ type = listOf str;
+ default = [];
+ description = ''
+ List of additonal arguments to pass to the daemon.
+ '';
+ };
+
+ settings = mkOption {
+ type = format.type;
+ default = null;
+ example = {
+ ip-address = "127.0.0.1";
+ port = 53001;
+ dns-server-timeout = 100;
+ ncr-protocol = "UDP";
+ ncr-format = "JSON";
+ tsig-keys = [ ];
+ forward-ddns = {
+ ddns-domains = [ ];
+ };
+ reverse-ddns = {
+ ddns-domains = [ ];
+ };
+ };
+ description = ''
+ Kea DHCP-DDNS configuration as an attribute set, see .
+ '';
+ };
+ };
+ };
+ };
+ };
+
+ config = let
+ commonServiceConfig = {
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ DynamicUser = true;
+ User = "kea";
+ ConfigurationDirectory = "kea";
+ RuntimeDirectory = "kea";
+ StateDirectory = "kea";
+ UMask = "0077";
+ };
+ in mkIf (cfg.ctrl-agent.enable || cfg.dhcp4.enable || cfg.dhcp6.enable || cfg.dhcp-ddns.enable) (mkMerge [
+ {
+ environment.systemPackages = [ package ];
+ }
+
+ (mkIf cfg.ctrl-agent.enable {
+
+ environment.etc."kea/ctrl-agent.conf".source = ctrlAgentConfig;
+
+ systemd.services.kea-ctrl-agent = {
+ description = "Kea Control Agent";
+ documentation = [
+ "man:kea-ctrl-agent(8)"
+ "https://kea.readthedocs.io/en/kea-${package.version}/arm/agent.html"
+ ];
+
+ after = [
+ "network-online.target"
+ "time-sync.target"
+ ];
+ wantedBy = [
+ "kea-dhcp4-server.service"
+ "kea-dhcp6-server.service"
+ "kea-dhcp-ddns-server.service"
+ ];
+
+ environment = {
+ KEA_PIDFILE_DIR = "/run/kea";
+ };
+
+ serviceConfig = {
+ ExecStart = "${package}/bin/kea-ctrl-agent -c /etc/kea/ctrl-agent.conf ${lib.escapeShellArgs cfg.dhcp4.extraArgs}";
+ KillMode = "process";
+ Restart = "on-failure";
+ } // commonServiceConfig;
+ };
+ })
+
+ (mkIf cfg.dhcp4.enable {
+
+ environment.etc."kea/dhcp4-server.conf".source = dhcp4Config;
+
+ systemd.services.kea-dhcp4-server = {
+ description = "Kea DHCP4 Server";
+ documentation = [
+ "man:kea-dhcp4(8)"
+ "https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp4-srv.html"
+ ];
+
+ after = [
+ "network-online.target"
+ "time-sync.target"
+ ];
+ wantedBy = [
+ "multi-user.target"
+ ];
+
+ environment = {
+ KEA_PIDFILE_DIR = "/run/kea";
+ };
+
+ serviceConfig = {
+ ExecStart = "${package}/bin/kea-dhcp4 -c /etc/kea/dhcp4-server.conf ${lib.escapeShellArgs cfg.dhcp4.extraArgs}";
+ # Kea does not request capabilities by itself
+ AmbientCapabilities = [
+ "CAP_NET_BIND_SERVICE"
+ "CAP_NET_RAW"
+ ];
+ CapabilityBoundingSet = [
+ "CAP_NET_BIND_SERVICE"
+ "CAP_NET_RAW"
+ ];
+ } // commonServiceConfig;
+ };
+ })
+
+ (mkIf cfg.dhcp6.enable {
+
+ environment.etc."kea/dhcp6-server.conf".source = dhcp6Config;
+
+ systemd.services.kea-dhcp6-server = {
+ description = "Kea DHCP6 Server";
+ documentation = [
+ "man:kea-dhcp6(8)"
+ "https://kea.readthedocs.io/en/kea-${package.version}/arm/dhcp6-srv.html"
+ ];
+
+ after = [
+ "network-online.target"
+ "time-sync.target"
+ ];
+ wantedBy = [
+ "multi-user.target"
+ ];
+
+ environment = {
+ KEA_PIDFILE_DIR = "/run/kea";
+ };
+
+ serviceConfig = {
+ ExecStart = "${package}/bin/kea-dhcp6 -c /etc/kea/dhcp6-server.conf ${lib.escapeShellArgs cfg.dhcp6.extraArgs}";
+ # Kea does not request capabilities by itself
+ AmbientCapabilities = [
+ "CAP_NET_BIND_SERVICE"
+ ];
+ CapabilityBoundingSet = [
+ "CAP_NET_BIND_SERVICE"
+ ];
+ } // commonServiceConfig;
+ };
+ })
+
+ (mkIf cfg.dhcp-ddns.enable {
+
+ environment.etc."kea/dhcp-ddns.conf".source = dhcpDdnsConfig;
+
+ systemd.services.kea-dhcp-ddns-server = {
+ description = "Kea DHCP-DDNS Server";
+ documentation = [
+ "man:kea-dhcp-ddns(8)"
+ "https://kea.readthedocs.io/en/kea-${package.version}/arm/ddns.html"
+ ];
+
+ after = [
+ "network-online.target"
+ "time-sync.target"
+ ];
+ wantedBy = [
+ "multi-user.target"
+ ];
+
+ environment = {
+ KEA_PIDFILE_DIR = "/run/kea";
+ };
+
+ serviceConfig = {
+ ExecStart = "${package}/bin/kea-dhcp-ddns -c /etc/kea/dhcp-ddns.conf ${lib.escapeShellArgs cfg.dhcp-ddns.extraArgs}";
+ AmbientCapabilites = [
+ "CAP_NET_BIND_SERVICE"
+ ];
+ CapabilityBoundingSet = [
+ "CAP_NET_BIND_SERVICE"
+ ];
+ } // commonServiceConfig;
+ };
+ })
+
+ ]);
+
+ meta.maintainers = with maintainers; [ hexa ];
+}
-- cgit 1.4.1
From 508408559ad2be029623dab18fbb8508340a3c41 Mon Sep 17 00:00:00 2001
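Review bot: The kea-ctrl-agent ExecStart appends `cfg.dhcp4.extraArgs` instead of the agent's own option, so arguments set under ctrl-agent.extraArgs are silently dropped and the DHCP4 ones end up on the agent's command line; the line should read `ExecStart = "${package}/bin/kea-ctrl-agent -c /etc/kea/ctrl-agent.conf ${lib.escapeShellArgs cfg.ctrl-agent.extraArgs}";`. In the kea-dhcp-ddns-server serviceConfig the key is misspelled `AmbientCapabilites`, which systemd does not recognise and will ignore with a warning, so that daemon keeps a bounding set that allows CAP_NET_BIND_SERVICE but is never actually granted it — rename it to `AmbientCapabilities`. The settings are rendered with format.generate into the Nix store and linked from /etc, both of which are world-readable, so each `settings` description should warn that database passwords or TSIG key secrets placed there become readable by every local user. The four extraArgs descriptions also misspell "additonal".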
From: Martin Weinelt
Date: Mon, 12 Jul 2021 01:34:56 +0200
Subject: nixos/prometheus: allow overriding default export user
---
 nixos/modules/services/monitoring/prometheus/exporters.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
index 46015c9ec1e..6bd075697fa 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -180,7 +180,7 @@ let
 serviceConfig.PrivateTmp = mkDefault true;
 serviceConfig.WorkingDirectory = mkDefault /tmp;
 serviceConfig.DynamicUser = mkDefault enableDynamicUser;
- serviceConfig.User = conf.user;
+ serviceConfig.User = mkDefault conf.user;
 serviceConfig.Group = conf.group;
 } serviceOpts ]);
 };
-- cgit 1.4.1
From cf139f72033e0cd72ddb2f2a8dc2cac144f6d71b Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Mon, 12 Jul 2021 01:36:50 +0200
Subject: nixos/tests/prometheus-exporters/kea: migrate to kea nixos module
---
 .../monitoring/prometheus/exporters/kea.nix | 1 +
 nixos/tests/prometheus-exporters.nix | 47 ++++++++-------------
 2 files changed, 18 insertions(+), 30 deletions(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix
index b6cd89c3866..9677281f877 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/kea.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/kea.nix
@@ -26,6 +26,7 @@ in {
 };
 serviceOpts = {
 serviceConfig = {
+ User = "kea";
 ExecStart = ''
 ${pkgs.prometheus-kea-exporter}/bin/kea-exporter \
 --address ${cfg.listenAddress} \
diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix
index a33aca29fd2..e8bc6339ecf 100644
--- a/nixos/tests/prometheus-exporters.nix
+++ b/nixos/tests/prometheus-exporters.nix
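Review bot: `serviceConfig.Group = conf.group;` on the line right after the changed one is still a plain assignment, so an exporter that overrides `User` the way this commit enables cannot override its group without a conflicting-definition error; for symmetry it should become `serviceConfig.Group = mkDefault conf.group;`. The enclosing mkMerge expression begins and ends outside the hunk.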
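Review bot: The new `User = "kea";` carries no explanation, so a reader cannot tell why the exporter must take on the Kea daemons' identity. A comment such as `# run as the same user as the kea services so the exporter can open the control socket under /run/kea, which the daemons create with UMask 0077` would record the intent. Because the exporter keeps DynamicUser from the generic exporter module, this appears to rely on systemd handing the same dynamic UID to every unit named "kea"; that assumption should be confirmed, or the identity made explicit with a static user declared by the Kea module. The enclosing serviceOpts attribute set extends beyond the hunk.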
@@ -326,49 +326,36 @@ let
 '';
 };
- kea = {
+ kea = let
+ controlSocketPath = "/run/kea/dhcp6.sock";
+ in
+ {
 exporterConfig = {
 enable = true;
 controlSocketPaths = [
- "/run/kea/kea-dhcp6.sock"
+ controlSocketPath
 ];
 };
 metricProvider = {
- users.users.kea = {
- isSystemUser = true;
- };
- users.groups.kea = {};
+ systemd.services.prometheus-kea-exporter.after = [ "kea-dhcp6-server.service" ];
- systemd.services.prometheus-kea-exporter.after = [ "kea-dhcp6.service" ];
-
- systemd.services.kea-dhcp6 = let
- configFile = pkgs.writeText "kea-dhcp6.conf" (builtins.toJSON {
- Dhcp6 = {
- "control-socket" = {
- "socket-type" = "unix";
- "socket-name" = "/run/kea/kea-dhcp6.sock";
+ services.kea = {
+ enable = true;
+ dhcp6 = {
+ enable = true;
+ settings = {
+ control-socket = {
+ socket-type = "unix";
+ socket-name = controlSocketPath;
 };
 };
- });
- in
- {
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
-
- serviceConfig = {
- DynamicUser = false;
- User = "kea";
- Group = "kea";
- ExecStart = "${pkgs.kea}/bin/kea-dhcp6 -c ${configFile}";
- StateDirectory = "kea";
- RuntimeDirectory = "kea";
- UMask = "0007";
 };
 };
 };
+
 exporterTest = ''
- wait_for_unit("kea-dhcp6.service")
- wait_for_file("/run/kea/kea-dhcp6.sock")
+ wait_for_unit("kea-dhcp6-server.service")
+ wait_for_file("${controlSocketPath}")
 wait_for_unit("prometheus-kea-exporter.service")
 wait_for_open_port(9547)
 succeed(
-- cgit 1.4.1
From 2a93d57ebb8eea14720deca90f9b6860ae70dfa2 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Wed, 14 Jul 2021 00:43:17 +0200
Subject: nixos/tests/kea: init
A simple DHCPv4 test case, with borrowed structure from the systemd-networkd-dhcpserver test.
---
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/kea.nix | 73 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 nixos/tests/kea.nix
(limited to 'nixos')
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 2e4913dca47..e364bbe1bfa 100644
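Review bot: `services.kea.enable = true;` in the new metricProvider refers to an option the Kea module introduced earlier in this series does not declare — its options are only ctrl-agent, dhcp4, dhcp6 and dhcp-ddns — so evaluating the test would fail with an undefined-option error unless a later commit adds it; drop that line and keep `dhcp6.enable = true;`, which is what actually turns the service on. The remaining changes are consistent with the module: the unit name kea-dhcp6-server.service and a socket path under its RuntimeDirectory /run/kea. The exporter's `succeed(` call continues outside the hunk.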
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -203,6 +203,7 @@ in
 k3s = handleTest ./k3s.nix {};
 kafka = handleTest ./kafka.nix {};
 kbd-setfont-decompress = handleTest ./kbd-setfont-decompress.nix {};
+ kea = handleTest ./kea.nix {};
 keepalived = handleTest ./keepalived.nix {};
 keepassxc = handleTest ./keepassxc.nix {};
 kerberos = handleTest ./kerberos/default.nix {};
diff --git a/nixos/tests/kea.nix b/nixos/tests/kea.nix
new file mode 100644
index 00000000000..6b345893108
--- /dev/null
+++ b/nixos/tests/kea.nix
@@ -0,0 +1,73 @@
+import ./make-test-python.nix ({ pkgs, lib, ...}: {
+ meta.maintainers = with lib.maintainers; [ hexa ];
+
+ nodes = {
+ router = { config, pkgs, ... }: {
+ virtualisation.vlans = [ 1 ];
+
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ firewall.allowedUDPPorts = [ 67 ];
+ };
+
+ systemd.network = {
+ networks = {
+ "01-eth1" = {
+ name = "eth1";
+ networkConfig = {
+ Address = "10.0.0.1/30";
+ };
+ };
+ };
+ };
+
+ services.kea.dhcp4 = {
+ enable = true;
+ settings = {
+ valid-lifetime = 3600;
+ renew-timer = 900;
+ rebind-timer = 1800;
+
+ lease-database = {
+ type = "memfile";
+ persist = true;
+ name = "/var/lib/kea/dhcp4.leases";
+ };
+
+ interfaces-config = {
+ dhcp-socket-type = "raw";
+ interfaces = [
+ "eth1"
+ ];
+ };
+
+ subnet4 = [ {
+ subnet = "10.0.0.0/30";
+ pools = [ {
+ pool = "10.0.0.2 - 10.0.0.2";
+ } ];
+ } ];
+ };
+ };
+ };
+
+ client = { config, pkgs, ... }: {
+ virtualisation.vlans = [ 1 ];
+ systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ firewall.enable = false;
+ interfaces.eth1.useDHCP = true;
+ };
+ };
+ };
+ testScript = { ... }: ''
+ start_all()
+ router.wait_for_unit("kea-dhcp4-server.service")
+ client.wait_for_unit("systemd-networkd-wait-online.service")
+ client.wait_until_succeeds("ping -c 5 10.0.0.1")
+ router.wait_until_succeeds("ping -c 5 10.0.0.2")
+ '';
+})
-- cgit 1.4.1
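Review bot: `dhcp-socket-type = "raw";` has no explanation, yet it is the setting that ties this test to the CAP_NET_RAW the module grants kea-dhcp4-server; a comment such as `# raw sockets are presumably needed to answer clients that have no address yet; the kea module grants CAP_NET_RAW for this` would help the next reader. The client node also leaves `SYSTEMD_LOG_LEVEL = "debug"` set on systemd-networkd, which reads like leftover debugging; if it is meant to aid diagnosing DHCP failures in the test log, a one-line comment saying so would keep it from being removed. The test otherwise pins the outcome well, since the pool holds only the single address 10.0.0.2 that the router pings.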
From 2ea5a4ce6d7b67902e76a3423e493d603c3ad3f0 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Wed, 14 Jul 2021 01:11:18 +0200
Subject: nixos/doc: add release note entry for kea module
---
 nixos/doc/manual/from_md/release-notes/rl-2111.section.xml | 7 +++++++
 nixos/doc/manual/release-notes/rl-2111.section.md | 2 ++
 2 files changed, 9 insertions(+)
(limited to 'nixos')
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index 53c1a18a507..91acaf728e2 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -47,6 +47,13 @@ services.geoipupdate. + + + Kea, ISCs + 2nd generation DHCP and DDNS server suite. Available at + services.kea. + + sourcehut, a
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index ad56b5cd7d7..1cef74510db 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -15,6 +15,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - [geoipupdate](https://github.com/maxmind/geoipupdate), a GeoIP database updater from MaxMind. Available as [services.geoipupdate](options.html#opt-services.geoipupdate.enable).
+- [Kea](https://www.isc.org/kea/), ISCs 2nd generation DHCP and DDNS server suite. Available at [services.kea](options.html#opt-services.kea).
+
 - [sourcehut](https://sr.ht), a collection of tools useful for software development. Available as [services.sourcehut](options.html#opt-services.sourcehut.enable).
 - [ucarp](https://download.pureftpd.org/pub/ucarp/README), an userspace implementation of the Common Address Redundancy Protocol (CARP). Available as [networking.ucarp](options.html#opt-networking.ucarp.enable).
-- cgit 1.4.1