authorVladimír Čunát <vcunat@gmail.com>2016-05-12 04:03:33 +0200
committerVladimír Čunát <vcunat@gmail.com>2016-05-12 04:53:38 +0200
commit6c2fbfbd7720446821be2a506cefcd1e0ff3b42d (patch)
treeef852f77f02c1636e2ee215623d6a20e87174b9e /nixos/modules/services/networking
parent81df0354290389128077e00edfd2368eeeea0c24 (diff)
parent3d932ba135f9fe7eb649269543276dffa7aa563a (diff)
Merge branch 'master' into staging
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r--nixos/modules/services/networking/dnscrypt-proxy.nix21
-rw-r--r--nixos/modules/services/networking/nat.nix13
-rw-r--r--nixos/modules/services/networking/sniproxy.nix99
3 files changed, 124 insertions, 9 deletions
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix
index 3961088c4b07..eb43e83c95f0 100644
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -6,7 +6,6 @@ let
   dnscrypt-proxy = pkgs.dnscrypt-proxy;
   cfg = config.services.dnscrypt-proxy;
 
-  resolverListFile = "${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv";
   localAddress = "${cfg.localAddress}:${toString cfg.localPort}";
 
   daemonArgs =
@@ -23,7 +22,7 @@ let
         "--provider-key=${cfg.customResolver.key}"
       ]
     else
-      [ "--resolvers-list=${resolverListFile}"
+      [ "--resolvers-list=${cfg.resolverList}"
         "--resolver-name=${toString cfg.resolverName}"
       ];
 in
@@ -77,12 +76,24 @@ in
         default = "dnscrypt.eu-nl";
         type = types.nullOr types.string;
         description = ''
-          The name of the upstream DNSCrypt resolver to use. See
-          <filename>${resolverListFile}</filename> for alternative resolvers.
+          The name of the upstream DNSCrypt resolver to use, taken from the
+          list named in the <literal>resolverList</literal> option.
           The default resolver is located in Holland, supports DNS security
           extensions, and claims to not keep logs.
         '';
       };
+      resolverList = mkOption {
+        description = ''
+          The list of upstream DNSCrypt resolvers. By default, we use the most
+          recent list published by upstream.
+        '';
+        example = literalExample "${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv";
+        default = pkgs.fetchurl {
+          url = "https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv";
+          sha256 = "07kbbisrvrqdxif3061hxj3whin3llg4nh50ln7prisi2vbd76xd";
+        };
+        defaultText = "pkgs.fetchurl { url = ...; sha256 = ...; }";
+      };
       customResolver = mkOption {
         default = null;
         description = ''
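Review bot: The resolverList default fetches dnscrypt-resolvers.csv from a `master` branch URL while pinning a fixed sha256, so the first time upstream edits that file every evaluation of this module fails with a hash mismatch rather than picking up the new list. The description's "most recent list published by upstream" is therefore inaccurate: the list is frozen at whatever content matched the hash, and wording like `By default, we use a pinned copy of the list published by upstream.` would describe what actually happens. Pinning the URL to a specific commit or tag, e.g. `url = "https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/<PINNED-REV>/dnscrypt-resolvers.csv";` with a real revision in place of the placeholder, keeps the integrity pin meaningful and turns an update into a deliberate bump. The option also declares no type; `type = types.path;` would reject non-path values before they are interpolated into the AppArmor profile in the last hunk of this file.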
@@ -169,7 +180,7 @@ in
         ${pkgs.lz4}/lib/liblz4.so.* mr,
         ${pkgs.attr.out}/lib/libattr.so.* mr,
 
-        ${resolverListFile} r,
+        ${cfg.resolverList} r,
       }
     ''));
 
diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix
index 9d163e60d5ea..f35b0f68e3ef 100644
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
@@ -12,6 +12,9 @@ let
 
   dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}";
 
+  externalInterfaceFilter = param:
+    optionalString (cfg.externalInterface != null) "${param} ${cfg.externalInterface}";
+
   flushNat = ''
     iptables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true
     iptables -w -t nat -F nixos-nat-pre 2>/dev/null || true
@@ -36,19 +39,20 @@ let
     # NAT the marked packets.
     ${optionalString (cfg.internalInterfaces != []) ''
       iptables -w -t nat -A nixos-nat-post -m mark --mark 1 \
-        -o ${cfg.externalInterface} ${dest}
+        ${externalInterfaceFilter "-o"} ${dest}
     ''}
 
     # NAT packets coming from the internal IPs.
     ${concatMapStrings (range: ''
       iptables -w -t nat -A nixos-nat-post \
-        -s '${range}' -o ${cfg.externalInterface} ${dest}
+        -s '${range}' \! -d '${range}'
+        ${externalInterfaceFilter "-o"} ${dest}
     '') cfg.internalIPs}
 
     # NAT from external ports to internal ports.
     ${concatMapStrings (fwd: ''
       iptables -w -t nat -A nixos-nat-pre \
-        -i ${cfg.externalInterface} -p tcp \
+        ${externalInterfaceFilter "-i"} -p tcp \
         --dport ${builtins.toString fwd.sourcePort} \
         -j DNAT --to-destination ${fwd.destination}
     '') cfg.forwardPorts}
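Review bot: The rewritten rule line `-s '${range}' \! -d '${range}'` has no trailing backslash, unlike the removed line it replaces, so the shell terminates the iptables command there and the following `${externalInterfaceFilter "-o"} ${dest}` is left as a separate shell line (something like `-o eth1 -j MASQUERADE`) instead of being part of the rule; the per-range POSTROUTING rule is then installed without its interface match and target, or not at all. The fix is `-s '${range}' \! -d '${range}' \`. Separately, now that externalInterface may be null, the DNAT rule `${externalInterfaceFilter "-i"} -p tcp \` matches port-forward traffic arriving on any interface including internal ones, and the new `\! -d` exclusion only covers destinations inside the same range, so packets travelling between two distinct internalIPs ranges are still SNATed when no external interface is set; both consequences seem worth a comment above the respective rules. The script these fragments belong to starts before this hunk.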
@@ -100,7 +104,8 @@ in
     };
 
     networking.nat.externalInterface = mkOption {
-      type = types.str;
+      type = types.nullOr types.str;
+      default = null;
       example = "eth1";
       description =
         ''
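Review bot: `default = null;` changes the meaning of every NAT rule that referenced externalInterface, but the option description that follows (it continues outside the hunk) is not updated to say what null means. Add a sentence such as `If null, the NAT rules are not restricted to any interface and apply to traffic on all interfaces.` so that users setting this to null understand the widened match.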
diff --git a/nixos/modules/services/networking/sniproxy.nix b/nixos/modules/services/networking/sniproxy.nix
new file mode 100644
index 000000000000..4d0f36923293
--- /dev/null
+++ b/nixos/modules/services/networking/sniproxy.nix
@@ -0,0 +1,99 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.sniproxy;
+
+  configFile = pkgs.writeText "sniproxy.conf" ''
+    user ${cfg.user}
+    pidfile /run/sniproxy.pid
+    ${cfg.config}
+  '';
+
+in
+{
+  options = {
+    services.sniproxy = {
+      enable = mkEnableOption "sniproxy server";
+
+      user = mkOption {
+        type = types.str;
+        default = "sniproxy";
+        description = "User account under which sniproxy runs.";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "sniproxy";
+        description = "Group under which sniproxy runs.";
+      };
+
+      config = mkOption {
+        type = types.lines;
+        default = "";
+        description = "sniproxy.conf configuration excluding the daemon username and pid file.";
+        example = literalExample ''
+          error_log {
+            filename /var/log/sniproxy/error.log
+          }
+          access_log {
+            filename /var/log/sniproxy/access.log
+          }
+          listen 443 {
+            proto tls
+          }
+          table {
+            example.com 192.0.2.10
+            example.net 192.0.2.20
+        }
+        '';
+      };
+
+      logDir = mkOption {
+        type = types.str;
+        default = "/var/log/sniproxy/";
+        description = "Location of the log directory for sniproxy.";
+      };
+
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.sniproxy = {
+      description = "sniproxy server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      preStart = ''
+        test -d ${cfg.logDir} || {
+          echo "Creating initial log directory for sniproxy in ${cfg.logDir}"
+          mkdir -p ${cfg.logDir}
+          chmod 640 ${cfg.logDir}
+          }
+        chown -R ${cfg.user}:${cfg.group} ${cfg.logDir}
+      '';
+
+      serviceConfig = {
+        Type = "forking";
+        ExecStart = "${pkgs.sniproxy}/bin/sniproxy -c ${configFile}";
+        Restart = "always";
+      };
+    };
+
+    users.extraUsers = mkIf (cfg.user == "sniproxy") {
+      sniproxy = {
+        group = cfg.group;
+        uid = config.ids.uids.sniproxy;
+      };
+    };
+
+    users.extraGroups = mkIf (cfg.group == "sniproxy") {
+      sniproxy = {
+        gid = config.ids.gids.sniproxy;
+      };
+    };
+
+  };
+}
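Review bot: `chmod 640 ${cfg.logDir}` in preStart applies a file mode to a directory, which strips the execute bit and leaves even the owning user unable to enter it or open the log files inside; `chmod 750 ${cfg.logDir}` expresses the intended restriction for a directory, and the path should be quoted as `"${cfg.logDir}"` in all four uses since `types.str` places no restriction on its content. The unit is `Type = "forking"` without a `PIDFile`, even though the generated config already fixes `pidfile /run/sniproxy.pid`; adding `PIDFile = "/run/sniproxy.pid";` to serviceConfig lets systemd track the correct main process across restarts. The service starts as root and appears to rely on the `user` line written into the config to drop privileges, which is worth stating in the `user` option description. The literalExample for `config` also closes its `table` block at the wrong indentation.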