author | Vladimír Čunát <vcunat@gmail.com> | 2016-05-12 04:03:33 +0200 |
---|---|---|
committer | Vladimír Čunát <vcunat@gmail.com> | 2016-05-12 04:53:38 +0200 |
commit | 6c2fbfbd7720446821be2a506cefcd1e0ff3b42d (patch) | |
tree | ef852f77f02c1636e2ee215623d6a20e87174b9e /nixos/modules | |
parent | 81df0354290389128077e00edfd2368eeeea0c24 (diff) | |
parent | 3d932ba135f9fe7eb649269543276dffa7aa563a (diff) | |
Merge branch 'master' into staging
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/config/krb5.nix | 2 | ||||
-rw-r--r-- | nixos/modules/config/system-path.nix | 1 | ||||
-rw-r--r-- | nixos/modules/config/unix-odbc-drivers.nix | 17 | ||||
-rw-r--r-- | nixos/modules/misc/ids.nix | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 13 | ||||
-rw-r--r-- | nixos/modules/services/networking/dnscrypt-proxy.nix | 21 | ||||
-rw-r--r-- | nixos/modules/services/networking/nat.nix | 13 | ||||
-rw-r--r-- | nixos/modules/services/networking/sniproxy.nix | 99 | ||||
-rw-r--r-- | nixos/modules/services/x11/unclutter.nix | 1 |
10 files changed, 154 insertions, 16 deletions
diff --git a/nixos/modules/config/krb5.nix b/nixos/modules/config/krb5.nix index b845ef69a753..d318b7207429 100644 --- a/nixos/modules/config/krb5.nix +++ b/nixos/modules/config/krb5.nix @@ -173,6 +173,8 @@ in ${cfg.domainRealm} = ${cfg.defaultRealm} .mit.edu = ATHENA.MIT.EDU mit.edu = ATHENA.MIT.EDU + .exchange.mit.edu = EXCHANGE.MIT.EDU + exchange.mit.edu = EXCHANGE.MIT.EDU .media.mit.edu = MEDIA-LAB.MIT.EDU media.mit.edu = MEDIA-LAB.MIT.EDU .csail.mit.edu = CSAIL.MIT.EDU diff --git a/nixos/modules/config/system-path.nix b/nixos/modules/config/system-path.nix index 8c4170597826..3054439da655 100644 --- a/nixos/modules/config/system-path.nix +++ b/nixos/modules/config/system-path.nix @@ -40,6 +40,7 @@ let pkgs.time pkgs.texinfoInteractive pkgs.utillinux + pkgs.which # 88K size ]; in diff --git a/nixos/modules/config/unix-odbc-drivers.nix b/nixos/modules/config/unix-odbc-drivers.nix index eea6477fff23..9565a09b3a1e 100644 --- a/nixos/modules/config/unix-odbc-drivers.nix +++ b/nixos/modules/config/unix-odbc-drivers.nix @@ -5,14 +5,21 @@ with lib; # unixODBC drivers (this solution is not perfect.. Because the user has to # ask the admin to add a driver.. but it's simple and works -{ +let + iniDescription = pkg: '' + [${pkg.fancyName}] + Description = ${pkg.meta.description} + Driver = ${pkg}/${pkg.driver} + ''; + +in { ###### interface options = { environment.unixODBCDrivers = mkOption { type = types.listOf types.package; default = []; - example = literalExample "with pkgs.unixODBCDrivers; [ mysql psql psqlng ]"; + example = literalExample "with pkgs.unixODBCDrivers; [ sqlite psql ]"; description = '' Specifies Unix ODBC drivers to be registered in <filename>/etc/odbcinst.ini</filename>. You may also want to 
@@ -25,11 +32,7 @@ with lib; ###### implementation config = mkIf (config.environment.unixODBCDrivers != []) { - - environment.etc."odbcinst.ini".text = - let inis = map (x : x.ini) config.environment.unixODBCDrivers; - in lib.concatStringsSep "\n" inis; - + environment.etc."odbcinst.ini".text = concatMapStringsSep "\n" iniDescription config.environment.unixODBCDrivers; }; } diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 7e40c1366677..8ee13fea7790 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -265,6 +265,7 @@ factorio = 241; emby = 242; graylog = 243; + sniproxy = 244; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -500,6 +501,7 @@ taskd = 240; factorio = 241; emby = 242; + sniproxy = 244; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index b92361f628be..df720e86f5b7 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -379,6 +379,7 @@ ./services/networking/skydns.nix ./services/networking/shairport-sync.nix ./services/networking/shout.nix + ./services/networking/sniproxy.nix ./services/networking/softether.nix ./services/networking/spiped.nix ./services/networking/sslh.nix diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index 12401f044a7f..3f24118ea1cb 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix 
@@ -126,6 +126,19 @@ in ''; }; + denyChrootCaps = mkOption { + type = types.bool; + default = false; + description = '' + Whether to lower capabilities of all processes within a chroot, + preventing commands that require <literal>CAP_SYS_ADMIN</literal>. + + This protection is disabled by default because it breaks + <literal>nixos-rebuild</literal>. Whenever possible, it is + highly recommended to enable this protection. + ''; + }; + denyUSB = mkOption { type = types.bool; default = false; diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix index 3961088c4b07..eb43e83c95f0 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy.nix @@ -6,7 +6,6 @@ let dnscrypt-proxy = pkgs.dnscrypt-proxy; cfg = config.services.dnscrypt-proxy; - resolverListFile = "${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"; localAddress = "${cfg.localAddress}:${toString cfg.localPort}"; daemonArgs = @@ -23,7 +22,7 @@ let "--provider-key=${cfg.customResolver.key}" ] else - [ "--resolvers-list=${resolverListFile}" + [ "--resolvers-list=${cfg.resolverList}" "--resolver-name=${toString cfg.resolverName}" ]; in 
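Review bot: The hunk only declares `denyChrootCaps`; per the diffstat these 13 lines are the whole change to grsecurity.nix in this merge, so unless the config section (outside the hunk) already reads `cfg.denyChrootCaps`, the option is accepted but never applied — please confirm it is mapped to the grsecurity `chroot_caps` sysctl. The description would also help operators verify the setting took effect if it named what it toggles, e.g. append `Corresponds to the kernel.grsecurity.chroot_caps sysctl.` after the first paragraph.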
@@ -77,12 +76,24 @@ in default = "dnscrypt.eu-nl"; type = types.nullOr types.string; description = '' - The name of the upstream DNSCrypt resolver to use. See - <filename>${resolverListFile}</filename> for alternative resolvers. + The name of the upstream DNSCrypt resolver to use, taken from the + list named in the <literal>resolverList</literal> option. The default resolver is located in Holland, supports DNS security extensions, and claims to not keep logs. ''; }; + resolverList = mkOption { + description = '' + The list of upstream DNSCrypt resolvers. By default, we use the most + recent list published by upstream. + ''; + example = literalExample "${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"; + default = pkgs.fetchurl { + url = "https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv"; + sha256 = "07kbbisrvrqdxif3061hxj3whin3llg4nh50ln7prisi2vbd76xd"; + }; + defaultText = "pkgs.fetchurl { url = ...; sha256 = ...; }"; + }; customResolver = mkOption { default = null; description = '' @@ -169,7 +180,7 @@ in ${pkgs.lz4}/lib/liblz4.so.* mr, ${pkgs.attr.out}/lib/libattr.so.* mr, - ${resolverListFile} r, + ${cfg.resolverList} r, } '')); diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix index 9d163e60d5ea..f35b0f68e3ef 100644 --- a/nixos/modules/services/networking/nat.nix +++ b/nixos/modules/services/networking/nat.nix @@ -12,6 +12,9 @@ let dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}"; + externalInterfaceFilter = param: + optionalString (cfg.externalInterface != null) "${param} ${cfg.externalInterface}"; + flushNat = '' iptables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true iptables -w -t nat -F nixos-nat-pre 2>/dev/null || true 
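Review bot: `resolverList` is declared without a `type`, so any value is accepted and then interpolated into the `--resolvers-list=` argument and the AppArmor profile's `${cfg.resolverList} r,` line; it should carry `type = types.path;`. The default is a fetchurl of a `master` URL pinned by `sha256`, which makes it a fixed snapshot rather than the "most recent list published by upstream" the description claims, and the fixed-output fetch will fail with a hash mismatch as soon as upstream changes the file. Since this CSV also carries the resolvers' provider public keys — the trust anchor dnscrypt-proxy verifies against — pinning by hash is the right choice, but the description should say so, e.g. `A snapshot of upstream's resolver list (including provider public keys), pinned by hash; update url and sha256 together.` The `example` string also interpolates `${pkgs.dnscrypt-proxy}` eagerly, so the manual will render a concrete store path instead of the expression; escaping it as `\${pkgs.dnscrypt-proxy}` keeps the example literal.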
@@ -36,19 +39,20 @@ let # NAT the marked packets. ${optionalString (cfg.internalInterfaces != []) '' iptables -w -t nat -A nixos-nat-post -m mark --mark 1 \ - -o ${cfg.externalInterface} ${dest} + ${externalInterfaceFilter "-o"} ${dest} ''} # NAT packets coming from the internal IPs. ${concatMapStrings (range: '' iptables -w -t nat -A nixos-nat-post \ - -s '${range}' -o ${cfg.externalInterface} ${dest} + -s '${range}' \! -d '${range}' + ${externalInterfaceFilter "-o"} ${dest} '') cfg.internalIPs} # NAT from external ports to internal ports. ${concatMapStrings (fwd: '' iptables -w -t nat -A nixos-nat-pre \ - -i ${cfg.externalInterface} -p tcp \ + ${externalInterfaceFilter "-i"} -p tcp \ --dport ${builtins.toString fwd.sourcePort} \ -j DNAT --to-destination ${fwd.destination} '') cfg.forwardPorts} @@ -100,7 +104,8 @@ in }; networking.nat.externalInterface = mkOption { - type = types.str; + type = types.nullOr types.str; + default = null; example = "eth1"; description = '' diff --git a/nixos/modules/services/networking/sniproxy.nix b/nixos/modules/services/networking/sniproxy.nix new file mode 100644 index 000000000000..4d0f36923293 --- /dev/null +++ b/nixos/modules/services/networking/sniproxy.nix 
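Review bot: With `externalInterface` now defaulting to null, `${externalInterfaceFilter "-i"}` in the port-forward rule expands to nothing, so every DNAT in `forwardPorts` matches packets arriving on any interface — a forward intended for the external side also rewrites connections from internal interfaces to `sourcePort`, and the MASQUERADE/SNAT rules likewise apply to any egress. The new `\! -d '${range}'` exclusion only keeps same-range internal traffic out of SNAT; traffic between two different internal ranges is still rewritten when no interface is given. The `externalInterface` option description (its body lies outside the hunk) should state this, e.g. `When null, neither the SNAT/MASQUERADE rules nor the port forwards are restricted to an interface; only leave this unset if every interface on the host may be NATed.`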
@@ -0,0 +1,99 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.sniproxy;
+
+ configFile = pkgs.writeText "sniproxy.conf" ''
+ user ${cfg.user}
+ pidfile /run/sniproxy.pid
+ ${cfg.config}
+ '';
+
+in
+{
+ options = {
+ services.sniproxy = {
+ enable = mkEnableOption "sniproxy server";
+
+ user = mkOption {
+ type = types.str;
+ default = "sniproxy";
+ description = "User account under which sniproxy runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "sniproxy";
+ description = "Group under which sniproxy runs.";
+ };
+
+ config = mkOption {
+ type = types.lines;
+ default = "";
+ description = "sniproxy.conf configuration excluding the daemon username and pid file.";
+ example = literalExample ''
+ error_log {
+ filename /var/log/sniproxy/error.log
+ }
+ access_log {
+ filename /var/log/sniproxy/access.log
+ }
+ listen 443 {
+ proto tls
+ }
+ table {
+ example.com 192.0.2.10
+ example.net 192.0.2.20
+ }
+ '';
+ };
+
+ logDir = mkOption {
+ type = types.str;
+ default = "/var/log/sniproxy/";
+ description = "Location of the log directory for sniproxy.";
+ };
+
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.sniproxy = {
+ description = "sniproxy server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ preStart = ''
+ test -d ${cfg.logDir} || {
+ echo "Creating initial log directory for sniproxy in ${cfg.logDir}"
+ mkdir -p ${cfg.logDir}
+ chmod 640 ${cfg.logDir}
+ }
+ chown -R ${cfg.user}:${cfg.group} ${cfg.logDir}
+ '';
+
+ serviceConfig = {
+ Type = "forking";
+ ExecStart = "${pkgs.sniproxy}/bin/sniproxy -c ${configFile}";
+ Restart = "always";
+ };
+ };
+
+ users.extraUsers = mkIf (cfg.user == "sniproxy") {
+ sniproxy = {
+ group = cfg.group;
+ uid = config.ids.uids.sniproxy;
+ };
+ };
+
+ users.extraGroups = mkIf (cfg.group == "sniproxy") {
+ sniproxy = {
+ gid = config.ids.gids.sniproxy;
+ };
+ };
+
+ };
+}
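Review bot: `chmod 640 ${cfg.logDir}` in preStart applies a file mode to a directory: without the execute bit the owning service user cannot create or open entries beneath it, so any log file placed under logDir will fail to open; it should be `chmod 750 ${cfg.logDir}`. The generated config sets `pidfile /run/sniproxy.pid`, but `serviceConfig` with `Type = "forking"` declares no `PIDFile = "/run/sniproxy.pid";`, leaving systemd to guess the main process for Restart and stop handling. Running `chown -R` as root on every start over a user-supplied path that the service user can write into is a fragile pattern; declaring the directory through `systemd.tmpfiles.rules` with the intended owner and mode would replace both the chmod and the recursive chown. The daemon is also started as root and relies on the `user` directive to drop privileges, with no hardening such as `NoNewPrivileges` or `ProtectSystem`, which would be worth adding for a network-facing TLS proxy.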
diff --git a/nixos/modules/services/x11/unclutter.nix b/nixos/modules/services/x11/unclutter.nix index 65532c7a32b9..3260fdb3d54d 100644 --- a/nixos/modules/services/x11/unclutter.nix +++ b/nixos/modules/services/x11/unclutter.nix @@ -73,6 +73,7 @@ in { ${concatMapStrings (x: " -"+x) cfg.extraOptions} \ -not ${concatStringsSep " " cfg.excluded} \ ''; + serviceConfig.RestartSec = 3; serviceConfig.Restart = "always"; }; }; |