author | William A. Kennington III <william@wkennington.com> | 2015-07-13 15:11:31 -0700 |
---|---|---|
committer | William A. Kennington III <william@wkennington.com> | 2015-07-13 15:11:31 -0700 |
commit | 333f145d7604f07e3b2164b459b46e075fea81f4 (patch) | |
tree | cb9bb91bafeafe64c97fa1054223c0d69cf18848 /nixos/modules | |
parent | d253b3d875d2bae84afbc141754b286e18e2fb7d (diff) | |
parent | 7e3c95a0b813394b1a41b73e078d3ffd9e951979 (diff) | |
Merge branch 'master.upstream' into staging.upstream
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/installer/tools/nixos-generate-config.pl | 6 | ||||
-rw-r--r-- | nixos/modules/misc/ids.nix | 2 | ||||
-rw-r--r-- | nixos/modules/rename.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/networking/charybdis.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/networking/dnscrypt-proxy.nix | 179 | ||||
-rw-r--r-- | nixos/modules/services/networking/firefox/sync-server.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 5 |
7 files changed, 116 insertions, 87 deletions
diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl
index b768be6a3e01..a2dbe31e0d8d 100644
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -311,9 +311,9 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
 # Maybe this is a bind-mount of a filesystem we saw earlier?
 if (defined $fsByDev{$fields[2]}) {
- # Make sure this isn't a btrfs subvolume
- my ($status, @msg) = runCommand("btrfs subvol show $rootDir$mountPoint");
- if (join("", @msg) =~ /ERROR:/) {
+ # Make sure this isn't a btrfs subvolume.
+ my $msg = `btrfs subvol show $rootDir$mountPoint`;
+ if ($? != 0 || $msg =~ /ERROR:/s) {
 my $path = $fields[3]; $path = "" if $path eq "/";
 my $base = $fsByDev{$fields[2]}; $base = "" if $base eq "/";
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 88c860110179..fd75db1abe77 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -382,7 +382,7 @@
 seeks = 148;
 prosody = 149;
 i2pd = 150;
- #dnscrypt-proxy = 151; # unused
+ dnscrypt-proxy = 151;
 systemd-network = 152;
 systemd-resolve = 153;
 systemd-timesync = 154;
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index dd80d0065911..a928f47f439e 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -141,6 +141,9 @@ in zipModules ([]
 ++ obsolete [ "services" "xserver" "windowManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ]
 ++ obsolete [ "services" "xserver" "desktopManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ]
+# DNSCrypt-proxy
+++ obsolete [ "services" "dnscrypt-proxy" "port" ] [ "services" "dnscrypt-proxy" "localPort" ]
+
 # Options that are obsolete and have no replacement.
 ++ obsolete' [ "boot" "loader" "grub" "bootDevice" ] ++ obsolete' [ "boot" "initrd" "luks" "enable" ] 
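Review bot: The new backtick call on the second added line interpolates `$rootDir$mountPoint` unescaped into a shell command line, so a mount point containing whitespace or shell metacharacters (mountinfo's `\040` escapes, if they are decoded before this point) is split or misparsed by the shell; a list-form pipe `open` passes the path to `btrfs` verbatim and never involves a shell. Backticks also capture only stdout, so the `$msg =~ /ERROR:/s` test on the third added line can only fire if btrfs prints errors there; in practice `$? != 0` is what decides, and the error text goes straight to the installer's stderr. With the rewrite below a missing `btrfs` binary still yields a non-zero status and therefore the same "treat as bind-mount" outcome as before. Both `if` blocks and the enclosing `foreach` continue outside the hunk.
```perl
    if (defined $fsByDev{$fields[2]}) {
        # Make sure this isn't a btrfs subvolume.  List-form open bypasses
        # the shell, so the mount point is passed through verbatim; the
        # exit status of `btrfs subvol show` alone decides.
        my $isSubvol = 0;
        if (open(my $btrfs, '-|', 'btrfs', 'subvol', 'show', "$rootDir$mountPoint")) {
            my @ignored = <$btrfs>;   # drain the pipe before reaping the child
            close($btrfs);
            $isSubvol = ($? == 0);
        }
        if (!$isSubvol) {
            # … unchanged: record the bind-mount relative to its base …
```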
diff --git a/nixos/modules/services/networking/charybdis.nix b/nixos/modules/services/networking/charybdis.nix
index 91729ebd60a5..2f7d006b8816 100644
--- a/nixos/modules/services/networking/charybdis.nix
+++ b/nixos/modules/services/networking/charybdis.nix
@@ -85,10 +85,8 @@ in
 PermissionsStartOnly = true; # preStart needs to run with root permissions
 };
 preStart = ''
- if ! test -d /var/lib/charybdis; then
- ${coreutils}/bin/mkdir -p ${cfg.statedir}
- ${coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.statedir}
- fi
+ ${coreutils}/bin/mkdir -p ${cfg.statedir}
+ ${coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.statedir}
 '';
 };
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix
index 5cc33f35adb2..c724ee979c2d 100644
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix 
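Review bot: `${cfg.statedir}` is expanded unquoted in the preStart shell script on both added lines, so a state directory containing whitespace splits into several arguments, and the same applies to `${cfg.user}:${cfg.group}`. With the old guard gone, `chown` now runs as root on every start and follows a symlink at that path, which is only safe while the parent directory is not writable by the service user; quoting at least makes the intended single-argument use explicit: `${coreutils}/bin/mkdir -p "${cfg.statedir}"` and `${coreutils}/bin/chown "${cfg.user}:${cfg.group}" "${cfg.statedir}"`. The enclosing systemd service definition starts and ends outside the hunk.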
@@ -5,38 +5,35 @@ let apparmorEnabled = config.security.apparmor.enable; dnscrypt-proxy = pkgs.dnscrypt-proxy; cfg = config.services.dnscrypt-proxy; - uid = config.ids.uids.dnscrypt-proxy; + resolverListFile = "${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"; + localAddress = "${cfg.localAddress}:${toString cfg.localPort}"; daemonArgs = - [ "--daemonize" - "--user=dnscrypt-proxy" - "--local-address=${cfg.localAddress}:${toString cfg.port}" + [ "--local-address=${localAddress}" (optionalString cfg.tcpOnly "--tcp-only") - "--resolvers-list=${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv" - "--resolver-name=${cfg.resolverName}" - ]; + ] + ++ resolverArgs; + resolverArgs = if (cfg.customResolver != null) + then + [ "--resolver-address=${cfg.customResolver.address}:${toString cfg.customResolver.port}" + "--provider-name=${cfg.customResolver.name}" + "--provider-key=${cfg.customResolver.key}" + ] + else + [ "--resolvers-list=${resolverListFile}" + "--resolver-name=${toString cfg.resolverName}" + ]; in { - ##### interface - options = { - services.dnscrypt-proxy = { - - enable = mkOption { - default = false; - type = types.bool; - description = '' - Enable dnscrypt-proxy. - The proxy relays regular DNS queries to a DNSCrypt enabled - upstream resolver. - The traffic between the client and the upstream resolver is - encrypted and authenticated, which may mitigate the risk of MITM - attacks and third-party snooping (assuming the upstream is - trustworthy). - ''; - }; - + enable = mkEnableOption '' + Enable dnscrypt-proxy. The proxy relays regular DNS queries to a + DNSCrypt enabled upstream resolver. The traffic between the + client and the upstream resolver is encrypted and authenticated, + which may mitigate the risk of MITM attacks and third-party + snooping (assuming the upstream is trustworthy). + ''; localAddress = mkOption { default = "127.0.0.1"; type = types.string; 
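Review bot: `mkEnableOption` wraps its argument as "Whether to enable <name>.", so the rendered description of the new `enable` option reads roughly "Whether to enable Enable dnscrypt-proxy. The proxy relays … trustworthy)." followed by a stray period on its own line; either keep the paragraph under a plain `mkOption { type = types.bool; default = false; description = ''…''; }` as before, or pass only the name, `enable = mkEnableOption "dnscrypt-proxy";`, and move the explanation into the module documentation. Separately, the new `resolverArgs` values (`--provider-key=${cfg.customResolver.key}` and its siblings) are later joined into `ExecStart` with `toString` and no `escapeShellArg`, so a value containing whitespace is split by systemd's argument parsing, and the `types.str` options that feed them carry no format check. The `let` block is complete within the hunk; the `options` set continues past its end.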
@@ -44,96 +41,128 @@ in Listen for DNS queries on this address. ''; }; - - port = mkOption { + localPort = mkOption { default = 53; type = types.int; description = '' Listen on this port. ''; }; - resolverName = mkOption { default = "opendns"; - type = types.string; + type = types.nullOr types.string; description = '' - The name of the upstream DNSCrypt resolver to use. - See <literal>${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv</literal> - for alternative resolvers (e.g., if you are concerned about logging - and/or server location). + The name of the upstream DNSCrypt resolver to use. See + <literal>${resolverListFile}</literal> for alternative resolvers + (e.g., if you are concerned about logging and/or server + location). ''; }; - + customResolver = mkOption { + default = null; + description = '' + Use a resolver not listed in the upstream list (e.g., + a private DNSCrypt provider). For advanced users only. + If specified, this option takes precedence. + ''; + type = types.nullOr (types.submodule ({ ... }: { options = { + address = mkOption { + type = types.str; + description = "Resolver IP address"; + example = "208.67.220.220"; + }; + port = mkOption { + type = types.int; + description = "Resolver port"; + default = 443; + }; + name = mkOption { + type = types.str; + description = "Provider fully qualified domain name"; + example = "2.dnscrypt-cert.opendns.com"; + }; + key = mkOption { + type = types.str; + description = "Provider public key"; + example = "B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79"; + }; }; })); + }; tcpOnly = mkOption { default = false; type = types.bool; description = '' Force sending encrypted DNS queries to the upstream resolver - over TCP instead of UDP (on port 443). - Enabling this option may help circumvent filtering, but should - not be used otherwise. + over TCP instead of UDP (on port 443). Enabling this option may + help circumvent filtering, but should not be used otherwise. 
''; }; - }; - }; - ##### implementation - config = mkIf cfg.enable { - ### AppArmor profile - - security.apparmor.profiles = mkIf apparmorEnabled [ - (pkgs.writeText "apparmor-dnscrypt-proxy" '' + assertions = [ + { assertion = (cfg.customResolver != null) || (cfg.resolverName != null); + message = "please configure upstream DNSCrypt resolver"; + } + ]; - ${dnscrypt-proxy}/bin/dnscrypt-proxy { - network inet stream, - network inet6 stream, - network inet dgram, - network inet6 dgram, + security.apparmor.profiles = mkIf apparmorEnabled (singleton (pkgs.writeText "apparmor-dnscrypt-proxy" '' + ${dnscrypt-proxy}/bin/dnscrypt-proxy { + /dev/null rw, + /dev/urandom r, - capability ipc_lock, - capability net_bind_service, - capability net_admin, - capability sys_chroot, - capability setgid, - capability setuid, + /etc/passwd r, + /etc/group r, + ${config.environment.etc."nsswitch.conf".source} r, - /dev/null rw, - /dev/urandom r, + ${pkgs.glibc}/lib/*.so mr, + ${pkgs.tzdata}/share/zoneinfo/** r, - ${pkgs.glibc}/lib/*.so mr, - ${pkgs.tzdata}/share/zoneinfo/** r, + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, - ${dnscrypt-proxy}/share/dnscrypt-proxy/** r, - ${pkgs.gcc.cc}/lib/libssp.so.* mr, - ${pkgs.libsodium}/lib/libsodium.so.* mr, - } - '') - ]; + ${pkgs.gcc.cc}/lib/libssp.so.* mr, + ${pkgs.libsodium}/lib/libsodium.so.* mr, + ${pkgs.systemd}/lib/libsystemd.so.* mr, + ${pkgs.xz}/lib/liblzma.so.* mr, + ${pkgs.libgcrypt}/lib/libgcrypt.so.* mr, + ${pkgs.libgpgerror}/lib/libgpg-error.so.* mr, - ### User + ${resolverListFile} r, + } + '')); - users.extraUsers = singleton { - inherit uid; - name = "dnscrypt-proxy"; + users.extraUsers.dnscrypt-proxy = { + uid = config.ids.uids.dnscrypt-proxy; description = "dnscrypt-proxy daemon user"; }; + users.extraGroups.dnscrypt-proxy.gid = config.ids.gids.dnscrypt-proxy; - ### Service definition + systemd.sockets.dnscrypt-proxy = { + description = "dnscrypt-proxy listening socket"; + 
socketConfig = { + ListenStream = "${localAddress}"; + ListenDatagram = "${localAddress}"; + }; + wantedBy = [ "sockets.target" ]; + }; systemd.services.dnscrypt-proxy = { description = "dnscrypt-proxy daemon"; after = [ "network.target" ] ++ optional apparmorEnabled "apparmor.service"; - requires = mkIf apparmorEnabled [ "apparmor.service" ]; - wantedBy = [ "multi-user.target" ]; + requires = [ "dnscrypt-proxy.socket "] ++ optional apparmorEnabled "apparmor.service"; serviceConfig = { - Type = "forking"; + Type = "simple"; + NonBlocking = "true"; ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}"; + User = "dnscrypt-proxy"; + Group = "dnscrypt-proxy"; + PrivateTmp = true; + PrivateDevices = true; }; }; - }; } diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix index 79f32f3358cb..70d2d72ca8b7 100644 --- a/nixos/modules/services/networking/firefox/sync-server.nix +++ b/nixos/modules/services/networking/firefox/sync-server.nix @@ -135,7 +135,7 @@ in echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')" fi ''; - serviceConfig.ExecStart = "paster serve ${syncServerIni}"; + serviceConfig.ExecStart = "${pkgs.pythonPackages.pasteScript}/bin/paster serve ${syncServerIni}"; }; }; diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index bc89ea2d3cd3..4be2b5fe0c0c 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix 
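Review bot: `requires = [ "dnscrypt-proxy.socket "] ++ optional apparmorEnabled "apparmor.service";` carries a trailing space inside the string literal, so the dependency names a unit that does not exist and systemd rejects or ignores it instead of pulling the socket in; it should read `requires = [ "dnscrypt-proxy.socket" ] ++ optional apparmorEnabled "apparmor.service";`. The added `users.extraGroups.dnscrypt-proxy.gid = config.ids.gids.dnscrypt-proxy;` references a gid allocation, while the ids.nix hunk in this commit only uncomments the uid entry; unless a matching gid entry already exists, evaluation fails on an undefined attribute, so that is worth confirming. The hunk opens part-way through the `options` set, whose start lies outside it.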
@@ -244,13 +244,12 @@ in publicKey = mkOption { default = null; type = types.nullOr types.str; + example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="; description = '' The public key data for the host. You can fetch a public key from a running SSH server with the <command>ssh-keyscan</command> command. The public key should not include any host names, only - the key type and the key itself. It is allowed to add several - lines here, each line will be treated as type/key pair and the - host names will be prepended to each line. + the key type and the key itself. ''; }; publicKeyFile = mkOption { |