author | Orivej Desh <orivej@gmx.fr> | 2018-06-09 07:41:38 +0000 |
---|---|---|
committer | Orivej Desh <orivej@gmx.fr> | 2018-06-09 07:41:38 +0000 |
commit | a448357dc62b26c95c3df84a156656e54aaf58b1 (patch) | |
tree | f12d66a0b81f2fbaa70db89b516a66bddc1b838c /nixos | |
parent | 06fa8674984e8ab637a29b91bdaa11dc5cbacb80 (diff) | |
parent | 0e07efa3c53b588dcd2efca8fafb35c779869d4e (diff) | |
Merge branch 'master' into staging
* master: (71 commits) xen: enable parallel building spice: 0.13.3 -> 0.14.0 powerline-rs: 0.1.7 -> 0.1.8 (#41736) xidlehook: 0.4.6 -> 0.4.8 (#41094) serf: update scons patch, enable kerberos on darwin firefox-bin: Add ffmpeg to lib path firefox-beta-bin: 61.0b10 -> 61.0b12 firefox-devedition-bin: 61.0b10 -> 61.0b12 wireguard-go: assign yegortimoshenko as maintainer wireguard-go: 0.0.20180519 -> 0.0.20180531 zfs: Fix "zfs-sync" for modern systemd nixos/memcached: added simple set/get test jenkins: 2.89.4 -> 2.107.3 (#41618) focuswriter: 1.6.12 -> 1.6.13 (#41567) ne: 3.0.1 -> 3.1.1 (#41536) libpqxx: 6.2.3 -> 6.2.4 (#41547) mate.mate-applets: 1.20.1 -> 1.20.2 (#41546) mate.mate-themes: 3.22.16 -> 3.22.17 (#41541) nixos/munge: run munge as user munge instead of root. (#41509) pstoedit: 3.71 -> 3.73 (#41528) ...
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1809.xml | 6 | ||||
-rw-r--r-- | nixos/modules/programs/mosh.nix | 18 | ||||
-rw-r--r-- | nixos/modules/services/backup/duplicati.nix | 19 | ||||
-rw-r--r-- | nixos/modules/services/networking/sslh.nix | 114 | ||||
-rw-r--r-- | nixos/modules/services/security/munge.nix | 16 | ||||
-rw-r--r-- | nixos/modules/tasks/filesystems/zfs.nix | 3 | ||||
-rw-r--r-- | nixos/release.nix | 2 | ||||
-rw-r--r-- | nixos/tests/haproxy.nix | 41 | ||||
-rw-r--r-- | nixos/tests/memcached.nix | 28 | ||||
-rw-r--r-- | nixos/tests/slurm.nix | 1 |
10 files changed, 227 insertions, 21 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml
index ae0f35046fff..5799354c6e99 100644
--- a/nixos/doc/manual/release-notes/rl-1809.xml
+++ b/nixos/doc/manual/release-notes/rl-1809.xml
@@ -121,6 +121,12 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' <literal>gnucash24</literal>. </para> </listitem>
+ <listitem>
+ <para>
+ <varname>services.munge</varname> now runs as user (and group) <literal>munge</literal> instead of root.
+ Make sure the key file is accessible to the daemon.
+ </para>
+ </listitem>
 </itemizedlist> </section>
diff --git a/nixos/modules/programs/mosh.nix b/nixos/modules/programs/mosh.nix
index b3aa55e189a3..359fe23e0ecd 100644
--- a/nixos/modules/programs/mosh.nix
+++ b/nixos/modules/programs/mosh.nix
@@ -16,10 +16,28 @@ in default = false; type = lib.types.bool; };
+ withUtempter = mkOption {
+ description = ''
+ Whether to enable libutempter for mosh.
+ This is required so that mosh can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions).
+ Note, this will add a guid wrapper for the group utmp!
+ '';
+ default = true;
+ type = lib.types.bool;
+ };
 }; config = mkIf cfg.enable { environment.systemPackages = with pkgs; [ mosh ]; networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ];
+ security.wrappers = mkIf cfg.withUtempter {
+ utempter = {
+ source = "${pkgs.libutempter}/lib/utempter/utempter";
+ owner = "nobody";
+ group = "utmp";
+ setuid = false;
+ setgid = true;
+ };
+ };
 }; }
diff --git a/nixos/modules/services/backup/duplicati.nix b/nixos/modules/services/backup/duplicati.nix
index 9772ca4d20a7..379fde1fe038 100644
--- a/nixos/modules/services/backup/duplicati.nix
+++ b/nixos/modules/services/backup/duplicati.nix
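Review bot: The `withUtempter` description in the mosh hunk says the option adds a "guid wrapper", but the wrapper it enables below is `setgid = true` with `group = "utmp"`, so the sentence should read `Note, this will add a setgid wrapper for the group utmp!`. Because the option defaults to `true`, simply enabling mosh now installs a setgid-utmp binary owned by `nobody` on every such host; the description should say so plainly, e.g. `Enabled by default; set to false if a setgid binary is not wanted on this system.`, so that anyone auditing wrappers knows which option controls it.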
@@ -9,6 +9,23 @@ in options = { services.duplicati = { enable = mkEnableOption "Duplicati";
+
+ port = mkOption {
+ default = 8200;
+ type = types.int;
+ description = ''
+ Port serving the web interface
+ '';
+ };
+
+ interface = mkOption {
+ default = "lo";
+ type = types.str;
+ description = ''
+ Listening interface for the web UI
+ Set it to "any" to listen on all available interfaces
+ '';
+ };
 }; };
@@ -22,7 +39,7 @@ in serviceConfig = { User = "duplicati"; Group = "duplicati";
- ExecStart = "${pkgs.duplicati}/bin/duplicati-server --webservice-interface=any --webservice-port=8200 --server-datafolder=/var/lib/duplicati";
+ ExecStart = "${pkgs.duplicati}/bin/duplicati-server --webservice-interface=${cfg.interface} --webservice-port=${toString cfg.port} --server-datafolder=/var/lib/duplicati";
 Restart = "on-failure"; }; };
diff --git a/nixos/modules/services/networking/sslh.nix b/nixos/modules/services/networking/sslh.nix
index e3d65c49fbf2..0222e8ce8b58 100644
--- a/nixos/modules/services/networking/sslh.nix
+++ b/nixos/modules/services/networking/sslh.nix
@@ -4,15 +4,14 @@ with lib; let cfg = config.services.sslh;
+ user = "sslh";
 configFile = pkgs.writeText "sslh.conf" '' verbose: ${boolToString cfg.verbose}; foreground: true; inetd: false; numeric: false;
- transparent: false;
+ transparent: ${boolToString cfg.transparent};
 timeout: "${toString cfg.timeout}";
- user: "nobody";
- pidfile: "${cfg.pidfile}";
 listen: (
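Review bot: The new `interface` default of `"lo"` changes the ExecStart line's previous hard-coded `--webservice-interface=any`, so an upgraded host that served the Duplicati web UI over the network stops doing so; that is a sensible tightening, but nothing in this merge documents it, and the option description in the `@@ -9,6 +9,23 @@` hunk should carry a line such as `Defaults to loopback only; earlier versions of this module listened on all interfaces.` plus a release-note entry. `port` is typed `types.int`, which accepts negative or out-of-range values at evaluation time and only fails when the daemon starts; `types.ints.u16`, which as far as I can tell is already in lib at this point, would reject them up front. The systemd unit definition continues outside the second hunk.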
@@ -50,16 +49,16 @@ in description = "Timeout in seconds."; };
- pidfile = mkOption {
- type = types.path;
- default = "/run/sslh.pid";
- description = "PID file path for sslh daemon.";
+ transparent = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Will the services behind sslh (Apache, sshd and so on) see the external IP and ports as if the external world connected directly to them";
 }; listenAddress = mkOption { type = types.str;
- default = config.networking.hostName;
- description = "Listening hostname.";
+ default = "0.0.0.0";
+ description = "Listening address or hostname.";
 }; port = mkOption {
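Review bot: Dropping the `pidfile` option outright means any configuration that still sets `services.sslh.pidfile` now fails evaluation with a generic undefined-option error; registering it in the module's `imports` with `mkRemovedOptionModule` would give users a clear message pointing at the systemd-managed replacement. The `listenAddress` default also moves from `config.networking.hostName` (whatever that name resolves to) to `"0.0.0.0"`, i.e. every IPv4 address, which widens exposure for existing deployments without being mentioned anywhere; the description should state `Defaults to all IPv4 interfaces.` and the change deserves a release-note line. The options attrset continues outside the hunk.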
@@ -76,14 +75,91 @@ in }; };
- config = mkIf cfg.enable {
- systemd.services.sslh = {
- description = "Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig.ExecStart = "${pkgs.sslh}/bin/sslh -F${configFile}";
- serviceConfig.KillMode = "process";
- serviceConfig.PIDFile = "${cfg.pidfile}";
- };
- };
+ config = mkMerge [
+ (mkIf cfg.enable {
+ users.users.${user} = {
+ description = "sslh daemon user";
+ isSystemUser = true;
+ };
+
+ systemd.services.sslh = {
+ description = "Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ User = user;
+ Group = "nogroup";
+ PermissionsStartOnly = true;
+ Restart = "always";
+ RestartSec = "1s";
+ ExecStart = "${pkgs.sslh}/bin/sslh -F${configFile}";
+ KillMode = "process";
+ AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SETGID CAP_SETUID";
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectSystem = "full";
+ ProtectHome = true;
+ };
+ };
+ })
+
+ # code from https://github.com/yrutschle/sslh#transparent-proxy-support
+ # the only difference is using iptables mark 0x2 instead of 0x1 to avoid conflicts with nixos/nat module
+ (mkIf (cfg.enable && cfg.transparent) {
+ # Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as destination
+ boot.kernel.sysctl."net.ipv4.conf.default.route_localnet" = 1;
+ boot.kernel.sysctl."net.ipv4.conf.all.route_localnet" = 1;
+
+ systemd.services.sslh = let
+ iptablesCommands = [
+ # DROP martian packets as they would have been if route_localnet was zero
+ # Note: packets not leaving the server aren't affected by this, thus sslh will still work
+ { table = "raw"; command = "PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP"; }
+ { table = "mangle"; command = "POSTROUTING !
-o lo -s 127.0.0.0/8 -j DROP"; }
+ # Mark all connections made by ssl for special treatment (here sslh is run as user ${user})
+ { table = "nat"; command = "OUTPUT -m owner --uid-owner ${user} -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x02/0x0f"; }
+ # Outgoing packets that should go to sslh instead have to be rerouted, so mark them accordingly (copying over the connection mark)
+ { table = "mangle"; command = "OUTPUT ! -o lo -p tcp -m connmark --mark 0x02/0x0f -j CONNMARK --restore-mark --mask 0x0f"; }
+ ];
+ ip6tablesCommands = [
+ { table = "raw"; command = "PREROUTING ! -i lo -d ::1/128 -j DROP"; }
+ { table = "mangle"; command = "POSTROUTING ! -o lo -s ::1/128 -j DROP"; }
+ { table = "nat"; command = "OUTPUT -m owner --uid-owner ${user} -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x02/0x0f"; }
+ { table = "mangle"; command = "OUTPUT ! -o lo -p tcp -m connmark --mark 0x02/0x0f -j CONNMARK --restore-mark --mask 0x0f"; }
+ ];
+ in {
+ path = [ pkgs.iptables pkgs.iproute pkgs.procps ];
+
+ preStart = ''
+ # Cleanup old iptables entries which might be still there
+ ${concatMapStringsSep "\n" ({table, command}: "while iptables -w -t ${table} -D ${command} 2>/dev/null; do echo; done") iptablesCommands}
+ ${concatMapStringsSep "\n" ({table, command}: "iptables -w -t ${table} -A ${command}" ) iptablesCommands}
+
+ # Configure routing for those marked packets
+ ip rule add fwmark 0x2 lookup 100
+ ip route add local 0.0.0.0/0 dev lo table 100
+
+ '' + optionalString config.networking.enableIPv6 ''
+ ${concatMapStringsSep "\n" ({table, command}: "while ip6tables -w -t ${table} -D ${command} 2>/dev/null; do echo; done") ip6tablesCommands}
+ ${concatMapStringsSep "\n" ({table, command}: "ip6tables -w -t ${table} -A ${command}" ) ip6tablesCommands}
+
+ ip -6 rule add fwmark 0x2 lookup 100
+ ip -6 route add local ::/0 dev lo table 100
+ '';
+
+ postStop = ''
+ ${concatMapStringsSep "\n" ({table, command}: "iptables -w -t ${table} -D
${command}") iptablesCommands}
+
+ ip rule del fwmark 0x2 lookup 100
+ ip route del local 0.0.0.0/0 dev lo table 100
+ '' + optionalString config.networking.enableIPv6 ''
+ ${concatMapStringsSep "\n" ({table, command}: "ip6tables -w -t ${table} -D ${command}") ip6tablesCommands}
+
+ ip -6 rule del fwmark 0x2 lookup 100
+ ip -6 route del local ::/0 dev lo table 100
+ '';
+ };
+ })
+ ];
 }
diff --git a/nixos/modules/services/security/munge.nix b/nixos/modules/services/security/munge.nix
index 919c2c2b0e15..5bca15833544 100644
--- a/nixos/modules/services/security/munge.nix
+++ b/nixos/modules/services/security/munge.nix
@@ -35,7 +35,15 @@ in environment.systemPackages = [ pkgs.munge ];
- systemd.services.munged = {
+ users.users.munge = {
+ description = "Munge daemon user";
+ isSystemUser = true;
+ group = "munge";
+ };
+
+ users.groups.munge = {};
+
+ systemd.services.munged = {
 wantedBy = [ "multi-user.target" ]; after = [ "network.target" ];
@@ -44,14 +52,20 @@ in preStart = '' chmod 0700 ${cfg.password} mkdir -p /var/lib/munge -m 0711
+ chown -R munge:munge /var/lib/munge
 mkdir -p /var/log/munge -m 0700
+ chown -R munge:munge /var/log/munge
 mkdir -p /run/munge -m 0755
+ chown -R munge:munge /run/munge
 ''; serviceConfig = { ExecStart = "${pkgs.munge}/bin/munged --syslog --key-file ${cfg.password}"; PIDFile = "/run/munge/munged.pid"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ PermissionsStartOnly = "true";
+ User = "munge";
+ Group = "munge";
 }; };
diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix
index c3bf897d51fd..de735e9ba11b 100644
--- a/nixos/modules/tasks/filesystems/zfs.nix
+++ b/nixos/modules/tasks/filesystems/zfs.nix
@@ -403,6 +403,9 @@ in nameValuePair "zfs-sync-${pool}" { description = "Sync ZFS pool \"${pool}\""; wantedBy = [ "shutdown.target" ];
+ unitConfig = {
+ DefaultDependencies = false;
+ };
 serviceConfig = { Type = "oneshot"; RemainAfterExit = true;
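Review bot: In the sslh `config` hunk, `AmbientCapabilities` grants `CAP_SETUID` and `CAP_SETGID` to a service that systemd already starts as `User = user`, and the `user: "nobody"` directive that would have made sslh change identity itself was removed in the first hunk of this file, so these two capabilities appear unnecessary and would let a compromised sslh process switch to any uid/gid; unless sslh needs them for something not visible here, trim the line to `AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_NET_ADMIN";`. `CAP_NET_ADMIN` in turn seems to be needed only for the transparent mode, so it could be added from the `mkIf (cfg.enable && cfg.transparent)` block instead of being granted unconditionally. The `route_localnet` sysctls make 127.0.0.0/8 routable from non-loopback interfaces, which the raw-table DROP rules are there to counter; a comment such as `# route_localnet makes 127/8 routable; the raw PREROUTING/POSTROUTING DROP rules below keep it from crossing external interfaces` would make that dependency explicit to the next reader.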
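Review bot: In the munge `@@ -44,14 +52,20 @@` hunk, preStart still runs `chmod 0700 ${cfg.password}` but never changes the key's owner, so a key file that was created as root (the situation the slurm test now has to work around with an explicit chown) stays unreadable for the new `munge` user and munged fails at start; since `PermissionsStartOnly` makes preStart run as root, add `chown munge:munge ${cfg.password}` beside the chmod rather than leaving it to the release note. `PermissionsStartOnly = "true"` is also written as a string here while the sslh module in the same merge uses the boolean `true`; `PermissionsStartOnly = true;` keeps the two consistent. The serviceConfig attrset is closed within the hunk, but the enclosing service definition starts in the previous hunk.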
diff --git a/nixos/release.nix b/nixos/release.nix
index d2eaa22dc6fc..0fa8b22cc898 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -300,6 +300,7 @@ in rec { tests.grafana = callTest tests/grafana.nix {}; tests.graphite = callTest tests/graphite.nix {}; tests.hardened = callTest tests/hardened.nix { };
+ tests.haproxy = callTest tests/haproxy.nix {};
 tests.hibernate = callTest tests/hibernate.nix {}; tests.hitch = callTest tests/hitch {}; tests.home-assistant = callTest tests/home-assistant.nix { };
@@ -333,6 +334,7 @@ in rec { #tests.logstash = callTest tests/logstash.nix {}; tests.mathics = callTest tests/mathics.nix {}; tests.matrix-synapse = callTest tests/matrix-synapse.nix {};
+ tests.memcached = callTest tests/memcached.nix {};
 tests.mesos = callTest tests/mesos.nix {}; tests.misc = callTest tests/misc.nix {}; tests.mongodb = callTest tests/mongodb.nix {};
diff --git a/nixos/tests/haproxy.nix b/nixos/tests/haproxy.nix
new file mode 100644
index 000000000000..ce4094237db2
--- /dev/null
+++ b/nixos/tests/haproxy.nix
@@ -0,0 +1,41 @@
+import ./make-test.nix ({ pkgs, ...}: {
+ name = "haproxy";
+ nodes = {
+ machine = { config, ...}: {
+ imports = [ ../modules/profiles/minimal.nix ];
+ services.haproxy = {
+ enable = true;
+ config = ''
+ defaults
+ timeout connect 10s
+
+ backend http_server
+ mode http
+ server httpd [::1]:8000
+
+ frontend http
+ bind *:80
+ mode http
+ use_backend http_server
+ '';
+ };
+ services.httpd = {
+ enable = true;
+ documentRoot = pkgs.writeTextDir "index.txt" "We are all good!";
+ adminAddr = "notme@yourhost.local";
+ listen = [{
+ ip = "::1";
+ port = 8000;
+ }];
+ };
+ };
+ };
+ testScript = ''
+ startAll;
+ $machine->waitForUnit('multi-user.target');
+ $machine->waitForUnit('haproxy.service');
+ $machine->waitForUnit('httpd.service');
+ $machine->succeed('curl -k http://localhost:80/index.txt | grep "We are all good!"');
+
+ '';
+})
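Review bot: In the new haproxy test, `curl -k` disables TLS certificate verification, but the URL is plain `http://localhost:80`, so the flag does nothing and only suggests to a reader that the test exercises TLS; drop it and use `-f` instead so a non-2xx response from haproxy fails on curl's exit status rather than only through `grep`: `$machine->succeed('curl -f http://localhost:80/index.txt | grep "We are all good!"');`. The release.nix hunks on this line are plain test registrations and need nothing further.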
diff --git a/nixos/tests/memcached.nix b/nixos/tests/memcached.nix
new file mode 100644
index 000000000000..f9ef3647bd1a
--- /dev/null
+++ b/nixos/tests/memcached.nix
@@ -0,0 +1,28 @@
+import ./make-test.nix ({ pkgs, ...} : {
+ name = "memcached";
+
+ nodes = {
+ machine =
+ { config, pkgs, ... }:
+ {
+ imports = [ ../modules/profiles/minimal.nix ];
+ services.memcached.enable = true;
+ };
+ };
+
+ testScript = let
+ testScript = pkgs.writeScript "testScript.py" ''
+ #!${pkgs.python3.withPackages (p: [p.memcached])}/bin/python
+
+ import memcache
+ c = memcache.Client(['localhost:11211'])
+ c.set('key', 'value')
+ assert 'value' == c.get('key')
+ '';
+ in ''
+ startAll;
+ $machine->waitForUnit("memcached.service");
+ $machine->waitForOpenPort("11211");
+ $machine->succeed("${testScript}");
+ '';
+})
diff --git a/nixos/tests/slurm.nix b/nixos/tests/slurm.nix
index c23d85e40020..ec67ea092874 100644
--- a/nixos/tests/slurm.nix
+++ b/nixos/tests/slurm.nix
@@ -61,6 +61,7 @@ in { $node->succeed("mkdir /etc/munge"); $node->succeed("echo '${mungekey}' > /etc/munge/munge.key"); $node->succeed("chmod 0400 /etc/munge/munge.key");
+ $node->succeed("chown munge:munge /etc/munge/munge.key");
 $node->succeed("systemctl restart munged"); } |