authorWilliam A. Kennington III <william@wkennington.com>2015-07-13 15:11:31 -0700
committerWilliam A. Kennington III <william@wkennington.com>2015-07-13 15:11:31 -0700
commit333f145d7604f07e3b2164b459b46e075fea81f4 (patch)
treecb9bb91bafeafe64c97fa1054223c0d69cf18848 /nixos/modules
parentd253b3d875d2bae84afbc141754b286e18e2fb7d (diff)
parent7e3c95a0b813394b1a41b73e078d3ffd9e951979 (diff)
Merge branch 'master.upstream' into staging.upstream
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/installer/tools/nixos-generate-config.pl6
-rw-r--r--nixos/modules/misc/ids.nix2
-rw-r--r--nixos/modules/rename.nix3
-rw-r--r--nixos/modules/services/networking/charybdis.nix6
-rw-r--r--nixos/modules/services/networking/dnscrypt-proxy.nix179
-rw-r--r--nixos/modules/services/networking/firefox/sync-server.nix2
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix5
7 files changed, 116 insertions, 87 deletions
diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl
index b768be6a3e01..a2dbe31e0d8d 100644
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -311,9 +311,9 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
 
     # Maybe this is a bind-mount of a filesystem we saw earlier?
     if (defined $fsByDev{$fields[2]}) {
-        # Make sure this isn't a btrfs subvolume
-        my ($status, @msg) = runCommand("btrfs subvol show $rootDir$mountPoint");
-        if (join("", @msg) =~ /ERROR:/) {
+        # Make sure this isn't a btrfs subvolume.
+        my $msg = `btrfs subvol show $rootDir$mountPoint`;
+        if ($? != 0 || $msg =~ /ERROR:/s) {
             my $path = $fields[3]; $path = "" if $path eq "/";
             my $base = $fsByDev{$fields[2]};
             $base = "" if $base eq "/";
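Review bot: The backticks on the `my $msg = ...` line hand `$rootDir$mountPoint` to /bin/sh, so a mount point containing whitespace or shell metacharacters is split or interpreted instead of being passed as one argument; /proc/self/mountinfo octal-escapes such characters, but whether this script decodes them before this point is outside the hunk. A list-form pipe open passes the path as a single argv element without a shell, and `close` still sets `$?` so the new `$? != 0` check keeps working; an open failure is folded into the same condition so an unavailable btrfs binary takes the bind-mount branch exactly as the backtick version does. The enclosing `foreach` over /proc/self/mountinfo starts before the hunk.
```perl
        # Make sure this isn't a btrfs subvolume.  List-form open: the
        # mount point is one argv element and never goes through a shell.
        my $msg = '';
        my $ran = open my $btrfs, '-|', 'btrfs', 'subvol', 'show', "$rootDir$mountPoint";
        if ($ran) {
            $msg = do { local $/; <$btrfs> } // '';
            close $btrfs;   # sets $? to the child's exit status
        }
        if (!$ran || $? != 0 || $msg =~ /ERROR:/s) {
            # … unchanged: bind-mount handling …
```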
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 88c860110179..fd75db1abe77 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -382,7 +382,7 @@
       seeks = 148;
       prosody = 149;
       i2pd = 150;
-      #dnscrypt-proxy = 151; # unused
+      dnscrypt-proxy = 151;
       systemd-network = 152;
       systemd-resolve = 153;
       systemd-timesync = 154;
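Review bot: Only the uids side of ids.nix changes here (the diffstat shows a two-line change), while the dnscrypt-proxy module in this same commit reads `config.ids.gids.dnscrypt-proxy` for `users.extraGroups.dnscrypt-proxy.gid`; unless that gid is already defined outside this hunk, the module fails to evaluate with an undefined attribute. If it is missing, add the matching `dnscrypt-proxy = 151;` under the gids section as well.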
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index dd80d0065911..a928f47f439e 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -141,6 +141,9 @@ in zipModules ([]
 ++ obsolete [ "services" "xserver" "windowManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ]
 ++ obsolete [ "services" "xserver" "desktopManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ]
 
+# DNSCrypt-proxy
+++ obsolete [ "services" "dnscrypt-proxy" "port" ] [ "services" "dnscrypt-proxy" "localPort" ]
+
 # Options that are obsolete and have no replacement.
 ++ obsolete' [ "boot" "loader" "grub" "bootDevice" ]
 ++ obsolete' [ "boot" "initrd" "luks" "enable" ]
diff --git a/nixos/modules/services/networking/charybdis.nix b/nixos/modules/services/networking/charybdis.nix
index 91729ebd60a5..2f7d006b8816 100644
--- a/nixos/modules/services/networking/charybdis.nix
+++ b/nixos/modules/services/networking/charybdis.nix
@@ -85,10 +85,8 @@ in
         PermissionsStartOnly = true; # preStart needs to run with root permissions
       };
       preStart = ''
-        if ! test -d /var/lib/charybdis; then
-          ${coreutils}/bin/mkdir -p ${cfg.statedir}
-          ${coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.statedir}
-        fi
+        ${coreutils}/bin/mkdir -p ${cfg.statedir}
+        ${coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.statedir}
       '';
 
     };
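Review bot: The `chown` in preStart now runs as root on every start (PermissionsStartOnly is set in the context), including when `${cfg.statedir}` already exists and is owned by the service user; because `chown` follows a symlink given as its argument, a compromised charybdis that replaces its state directory with a symlink gets the target's ownership changed on the next restart. The removed guard was wrong only in testing the hard-coded `/var/lib/charybdis` instead of `${cfg.statedir}`; keep the fix but wrap the two commands in `if ! test -d ${cfg.statedir}; then … fi` (or pass `--no-dereference` to chown) so ownership is only set when the directory is first created. The rest of the serviceConfig lies outside the hunk.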
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix
index 5cc33f35adb2..c724ee979c2d 100644
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -5,38 +5,35 @@ let
   apparmorEnabled = config.security.apparmor.enable;
   dnscrypt-proxy = pkgs.dnscrypt-proxy;
   cfg = config.services.dnscrypt-proxy;
-  uid = config.ids.uids.dnscrypt-proxy;
+  resolverListFile = "${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv";
+  localAddress = "${cfg.localAddress}:${toString cfg.localPort}";
   daemonArgs =
-    [ "--daemonize"
-      "--user=dnscrypt-proxy"
-      "--local-address=${cfg.localAddress}:${toString cfg.port}"
+    [ "--local-address=${localAddress}"
       (optionalString cfg.tcpOnly "--tcp-only")
-      "--resolvers-list=${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
-      "--resolver-name=${cfg.resolverName}"
-    ];
+    ]
+    ++ resolverArgs;
+  resolverArgs = if (cfg.customResolver != null)
+    then
+      [ "--resolver-address=${cfg.customResolver.address}:${toString cfg.customResolver.port}"
+        "--provider-name=${cfg.customResolver.name}"
+        "--provider-key=${cfg.customResolver.key}"
+      ]
+    else
+      [ "--resolvers-list=${resolverListFile}"
+        "--resolver-name=${toString cfg.resolverName}"
+      ];
 in
 
 {
-  ##### interface
-
   options = {
-
     services.dnscrypt-proxy = {
-
-      enable = mkOption {
-        default = false;
-        type = types.bool;
-        description = ''
-          Enable dnscrypt-proxy.
-          The proxy relays regular DNS queries to a DNSCrypt enabled
-          upstream resolver.
-          The traffic between the client and the upstream resolver is
-          encrypted and authenticated, which may mitigate the risk of MITM
-          attacks and third-party snooping (assuming the upstream is
-          trustworthy).
-        '';
-      };
-
+      enable = mkEnableOption ''
+        Enable dnscrypt-proxy. The proxy relays regular DNS queries to a
+        DNSCrypt enabled upstream resolver. The traffic between the
+        client and the upstream resolver is encrypted and authenticated,
+        which may mitigate the risk of MITM attacks and third-party
+        snooping (assuming the upstream is trustworthy).
+      '';
       localAddress = mkOption {
         default = "127.0.0.1";
         type = types.string;
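Review bot: `mkEnableOption` wraps its argument as "Whether to enable ${name}.", so the text passed at `enable = mkEnableOption ''` renders as "Whether to enable Enable dnscrypt-proxy. The proxy relays …" followed by a stray period after the block. Either pass only the service name, `enable = mkEnableOption "dnscrypt-proxy";`, or keep the original `mkOption { type = types.bool; default = false; description = ''…''; }` so the explanation of what the proxy does and its trust assumption on the upstream stays intact. The `let` block's remaining bindings and the rest of the option set continue past this hunk.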
@@ -44,96 +41,128 @@ in
           Listen for DNS queries on this address.
         '';
       };
-
-      port = mkOption {
+      localPort = mkOption {
         default = 53;
         type = types.int;
         description = ''
           Listen on this port.
         '';
       };
-
       resolverName = mkOption {
         default = "opendns";
-        type = types.string;
+        type = types.nullOr types.string;
         description = ''
-          The name of the upstream DNSCrypt resolver to use.
-          See <literal>${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv</literal>
-          for alternative resolvers (e.g., if you are concerned about logging
-          and/or server location).
+          The name of the upstream DNSCrypt resolver to use. See
+          <literal>${resolverListFile}</literal> for alternative resolvers
+          (e.g., if you are concerned about logging and/or server
+          location).
         '';
       };
-
+      customResolver = mkOption {
+        default = null;
+        description = ''
+          Use a resolver not listed in the upstream list (e.g.,
+          a private DNSCrypt provider). For advanced users only.
+          If specified, this option takes precedence.
+        '';
+        type = types.nullOr (types.submodule ({ ... }: { options = {
+          address = mkOption {
+            type = types.str;
+            description = "Resolver IP address";
+            example = "208.67.220.220";
+          };
+          port = mkOption {
+            type = types.int;
+            description = "Resolver port";
+            default = 443;
+          };
+          name = mkOption {
+            type = types.str;
+            description = "Provider fully qualified domain name";
+            example = "2.dnscrypt-cert.opendns.com";
+         };
+         key = mkOption {
+           type = types.str;
+           description = "Provider public key";
+           example = "B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79";
+         }; }; }));
+      };
       tcpOnly = mkOption {
         default = false;
         type = types.bool;
         description = ''
           Force sending encrypted DNS queries to the upstream resolver
-          over TCP instead of UDP (on port 443).
-          Enabling this option may help circumvent filtering, but should
-          not be used otherwise.
+          over TCP instead of UDP (on port 443). Enabling this option may
+          help circumvent filtering, but should not be used otherwise.
         '';
       };
-
     };
-
   };
 
-  ##### implementation
-
   config = mkIf cfg.enable {
 
-    ### AppArmor profile
-
-    security.apparmor.profiles = mkIf apparmorEnabled [
-      (pkgs.writeText "apparmor-dnscrypt-proxy" ''
+    assertions = [
+      { assertion = (cfg.customResolver != null) || (cfg.resolverName != null);
+        message   = "please configure upstream DNSCrypt resolver";
+      }
+    ];
 
-        ${dnscrypt-proxy}/bin/dnscrypt-proxy {
-          network inet stream,
-          network inet6 stream,
-          network inet dgram,
-          network inet6 dgram,
+    security.apparmor.profiles = mkIf apparmorEnabled (singleton (pkgs.writeText "apparmor-dnscrypt-proxy" ''
+      ${dnscrypt-proxy}/bin/dnscrypt-proxy {
+        /dev/null rw,
+        /dev/urandom r,
 
-          capability ipc_lock,
-          capability net_bind_service,
-          capability net_admin,
-          capability sys_chroot,
-          capability setgid,
-          capability setuid,
+        /etc/passwd r,
+        /etc/group r,
+        ${config.environment.etc."nsswitch.conf".source} r,
 
-          /dev/null rw,
-          /dev/urandom r,
+        ${pkgs.glibc}/lib/*.so mr,
+        ${pkgs.tzdata}/share/zoneinfo/** r,
 
-          ${pkgs.glibc}/lib/*.so mr,
-          ${pkgs.tzdata}/share/zoneinfo/** r,
+        network inet stream,
+        network inet6 stream,
+        network inet dgram,
+        network inet6 dgram,
 
-          ${dnscrypt-proxy}/share/dnscrypt-proxy/** r,
-          ${pkgs.gcc.cc}/lib/libssp.so.* mr,
-          ${pkgs.libsodium}/lib/libsodium.so.* mr,
-        }
-      '')
-    ];
+        ${pkgs.gcc.cc}/lib/libssp.so.* mr,
+        ${pkgs.libsodium}/lib/libsodium.so.* mr,
+        ${pkgs.systemd}/lib/libsystemd.so.* mr,
+        ${pkgs.xz}/lib/liblzma.so.* mr,
+        ${pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
+        ${pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
 
-    ### User
+        ${resolverListFile} r,
+      }
+    ''));
 
-    users.extraUsers = singleton {
-      inherit uid;
-      name = "dnscrypt-proxy";
+    users.extraUsers.dnscrypt-proxy = {
+      uid = config.ids.uids.dnscrypt-proxy;
       description = "dnscrypt-proxy daemon user";
     };
+    users.extraGroups.dnscrypt-proxy.gid = config.ids.gids.dnscrypt-proxy;
 
-    ### Service definition
+    systemd.sockets.dnscrypt-proxy = {
+      description = "dnscrypt-proxy listening socket";
+      socketConfig = {
+        ListenStream = "${localAddress}";
+        ListenDatagram = "${localAddress}";
+      };
+      wantedBy = [ "sockets.target" ];
+    };
 
     systemd.services.dnscrypt-proxy = {
       description = "dnscrypt-proxy daemon";
       after = [ "network.target" ] ++ optional apparmorEnabled "apparmor.service";
-      requires = mkIf apparmorEnabled [ "apparmor.service" ];
-      wantedBy = [ "multi-user.target" ];
+      requires = [ "dnscrypt-proxy.socket "] ++ optional apparmorEnabled "apparmor.service";
       serviceConfig = {
-        Type = "forking";
+        Type = "simple";
+        NonBlocking = "true";
         ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
+        User = "dnscrypt-proxy";
+        Group = "dnscrypt-proxy";
+        PrivateTmp = true;
+        PrivateDevices = true;
       };
     };
-
   };
 }
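Review bot: `requires = [ "dnscrypt-proxy.socket "]` carries a trailing space inside the unit name, so systemd is handed a dependency on a unit called `dnscrypt-proxy.socket ` which is not a valid unit name and will be rejected or ignored; with `wantedBy = [ "multi-user.target" ]` removed, the socket is the only thing that pulls the service in, so the line should read `requires = [ "dnscrypt-proxy.socket" ] ++ optional apparmorEnabled "apparmor.service";`. Since the commit already confines the daemon with a dedicated user, PrivateTmp and PrivateDevices, adding `ProtectSystem = "full"; ProtectHome = true;` to the same serviceConfig would extend that confinement at no cost for a process that only needs the paths the AppArmor profile lists.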
diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix
index 79f32f3358cb..70d2d72ca8b7 100644
--- a/nixos/modules/services/networking/firefox/sync-server.nix
+++ b/nixos/modules/services/networking/firefox/sync-server.nix
@@ -135,7 +135,7 @@ in
           echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')"
         fi
       '';
-      serviceConfig.ExecStart = "paster serve ${syncServerIni}";
+      serviceConfig.ExecStart = "${pkgs.pythonPackages.pasteScript}/bin/paster serve ${syncServerIni}";
     };
 
   };
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index bc89ea2d3cd3..4be2b5fe0c0c 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -244,13 +244,12 @@ in
           publicKey = mkOption {
             default = null;
             type = types.nullOr types.str;
+            example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
             description = ''
               The public key data for the host. You can fetch a public key
               from a running SSH server with the <command>ssh-keyscan</command>
               command. The public key should not include any host names, only
-              the key type and the key itself. It is allowed to add several
-              lines here, each line will be treated as type/key pair and the
-              host names will be prepended to each line.
+              the key type and the key itself.
             '';
           };
           publicKeyFile = mkOption {