author | Alyssa Ross <hi@alyssa.is> | 2023-12-15 19:32:38 +0100 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2023-12-15 19:32:38 +0100 |
commit | 6b8e2555ef013b579cda57025b17d662e0f1fe1f (patch) | |
tree | 5a83c673af26c9976acd5a5dfa20e09e06898047 /nixpkgs/nixos/modules/services/networking | |
parent | 66ca7a150b5c051f0728f13134e6265cc46f370c (diff) | |
parent | 02357adddd0889782362d999628de9d309d202dc (diff) | |
Merge branch 'nixos-unstable-small' of https://github.com/NixOS/nixpkgs
Diffstat (limited to 'nixpkgs/nixos/modules/services/networking')
12 files changed, 336 insertions, 23 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/avahi-daemon.nix b/nixpkgs/nixos/modules/services/networking/avahi-daemon.nix
index de51843ba6f9..89b30996e8fa 100644
--- a/nixpkgs/nixos/modules/services/networking/avahi-daemon.nix
+++ b/nixpkgs/nixos/modules/services/networking/avahi-daemon.nix
@@ -42,6 +42,7 @@ in
 {
 imports = [
 (lib.mkRenamedOptionModule [ "services" "avahi" "interfaces" ] [ "services" "avahi" "allowInterfaces" ])
+ (lib.mkRenamedOptionModule [ "services" "avahi" "nssmdns" ] [ "services" "avahi" "nssmdns4" ])
 ];
 options.services.avahi = {
@@ -93,7 +94,7 @@ in
 ipv6 = mkOption {
 type = types.bool;
- default = config.networking.enableIPv6;
+ default = false;
 defaultText = literalExpression "config.networking.enableIPv6";
 description = lib.mdDoc "Whether to use IPv6.";
 };
@@ -218,13 +219,28 @@ in
 };
 };
- nssmdns = mkOption {
+ nssmdns4 = mkOption {
+ type = types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Whether to enable the mDNS NSS (Name Service Switch) plug-in for IPv4.
+ Enabling it allows applications to resolve names in the `.local`
+ domain by transparently querying the Avahi daemon.
+ '';
+ };
+
+ nssmdns6 = mkOption {
 type = types.bool;
 default = false;
 description = lib.mdDoc ''
- Whether to enable the mDNS NSS (Name Service Switch) plug-in.
+ Whether to enable the mDNS NSS (Name Service Switch) plug-in for IPv6.
 Enabling it allows applications to resolve names in the `.local`
 domain by transparently querying the Avahi daemon.
+
+ ::: {.note}
+ Due to the fact that most mDNS responders only register local IPv4 addresses,
+ most user want to leave this option disabled to avoid long timeouts when applications first resolve the none existing IPv6 address.
+ :::
 '';
 };
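Review bot: `default = false;` no longer agrees with the line directly below it, `defaultText = literalExpression "config.networking.enableIPv6";`, so the rendered option documentation will keep claiming that `services.avahi.ipv6` follows `networking.enableIPv6` when it is now unconditionally off. Either delete the `defaultText` line (a literal `false` renders correctly without it) or, if tracking `networking.enableIPv6` was still intended, keep the old default. A one-line comment on why IPv6 is now disabled by default (presumably the resolver-timeout problem described in the `nssmdns6` note in this same file) would spare the next reader a `git blame`.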
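Review bot: The admonition added under `nssmdns6` ships into the rendered manual with grammar errors: `most user want` should be `most users want`, `the none existing IPv6 address` should be `a non-existent IPv6 address`, and `Due to the fact that` can simply be `Because`. Suggested text for the note body: `Because most mDNS responders only register local IPv4 addresses, most users want to leave this option disabled to avoid long timeouts when applications first resolve a non-existent IPv6 address.`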
@@ -256,9 +272,18 @@ in
 users.groups.avahi = { };
- system.nssModules = optional cfg.nssmdns pkgs.nssmdns;
- system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [
- (mkBefore [ "mdns_minimal [NOTFOUND=return]" ]) # before resolve
+ system.nssModules = optional (cfg.nssmdns4 || cfg.nssmdns6) pkgs.nssmdns;
+ system.nssDatabases.hosts = let
+ mdnsMinimal = if (cfg.nssmdns4 && cfg.nssmdns6) then
+ "mdns_minimal"
+ else if (!cfg.nssmdns4 && cfg.nssmdns6) then
+ "mdns6_minimal"
+ else if (cfg.nssmdns4 && !cfg.nssmdns6) then
+ "mdns4_minimal"
+ else
+ "";
+ in optionals (cfg.nssmdns4 || cfg.nssmdns6) (mkMerge [
+ (mkBefore [ "${mdnsMinimal} [NOTFOUND=return]" ]) # before resolve
 (mkAfter [ "mdns" ]) # after dns
 ]);
diff --git a/nixpkgs/nixos/modules/services/networking/ddclient.nix b/nixpkgs/nixos/modules/services/networking/ddclient.nix
index 8f4fb0bc78d4..a67f0c5de9ba 100644
--- a/nixpkgs/nixos/modules/services/networking/ddclient.nix
+++ b/nixpkgs/nixos/modules/services/networking/ddclient.nix
@@ -126,7 +126,7 @@ with lib;
 default = "dyndns2";
 type = str;
 description = lib.mdDoc ''
- Protocol to use with dynamic DNS provider (see https://sourceforge.net/p/ddclient/wiki/protocols).
+ Protocol to use with dynamic DNS provider (see https://ddclient.net/protocols.html ).
 '';
 };
diff --git a/nixpkgs/nixos/modules/services/networking/ejabberd.nix b/nixpkgs/nixos/modules/services/networking/ejabberd.nix
index b10a3d9f21df..78af256f9c81 100644
--- a/nixpkgs/nixos/modules/services/networking/ejabberd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ejabberd.nix
@@ -120,6 +120,12 @@ in {
 if [ -z "$(ls -A '${cfg.spoolDir}')" ]; then
 touch "${cfg.spoolDir}/.firstRun"
 fi
+
+ if ! test -e ${cfg.spoolDir}/.erlang.cookie; then
+ touch ${cfg.spoolDir}/.erlang.cookie
+ chmod 600 ${cfg.spoolDir}/.erlang.cookie
+ dd if=/dev/random bs=16 count=1 | base64 > ${cfg.spoolDir}/.erlang.cookie
+ fi
 '';
 postStart = ''
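Review bot: The `else ""` arm of `mdnsMinimal` is unreachable, because the whole value is wrapped in `optionals (cfg.nssmdns4 || cfg.nssmdns6)`, and if it ever were reached it would emit the malformed hosts entry ` [NOTFOUND=return]` rather than fail loudly. The three guarded cases collapse to a single expression with no dead branch: `mdnsMinimal = if cfg.nssmdns4 && cfg.nssmdns6 then "mdns_minimal" else if cfg.nssmdns6 then "mdns6_minimal" else "mdns4_minimal";`. The enclosing `config` attribute set starts and ends outside this hunk.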
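Review bot: The new cookie generation writes `dd if=/dev/random bs=16 count=1 | base64 > …/.erlang.cookie` as a plain pipeline, so the script's exit status is that of `base64`, not `dd`; a failed read leaves an empty or truncated `.erlang.cookie`, which is the only credential guarding Erlang distribution access to this node. Generate the value first and only then write it, e.g. `cookie=$(head -c 16 /dev/random | base64 -w 0)` followed by `printf '%s' "$cookie" > "${cfg.spoolDir}/.erlang.cookie"` after the `chmod 600`. The four added lines also leave `${cfg.spoolDir}` unquoted, unlike the `'${cfg.spoolDir}'` on the `ls -A` line just above them; quote it consistently. Whether ERTS accepts the trailing newline that `base64` emits without `-w 0` is not visible here and should be confirmed.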
diff --git a/nixpkgs/nixos/modules/services/networking/harmonia.nix b/nixpkgs/nixos/modules/services/networking/harmonia.nix
index beaa7d00b6ce..d0f4a8a6e633 100644
--- a/nixpkgs/nixos/modules/services/networking/harmonia.nix
+++ b/nixpkgs/nixos/modules/services/networking/harmonia.nix
@@ -29,6 +29,11 @@ in
 config = lib.mkIf cfg.enable {
 nix.settings.extra-allowed-users = [ "harmonia" ];
+ users.users.harmonia = {
+ isSystemUser = true;
+ group = "harmonia";
+ };
+ users.groups.harmonia = { };
 systemd.services.harmonia = {
 description = "harmonia binary cache service";
@@ -50,7 +55,6 @@ in
 ExecStart = lib.getExe cfg.package;
 User = "harmonia";
 Group = "harmonia";
- DynamicUser = true;
 PrivateUsers = true;
 DeviceAllow = [ "" ];
 UMask = "0066";
diff --git a/nixpkgs/nixos/modules/services/networking/iwd.nix b/nixpkgs/nixos/modules/services/networking/iwd.nix
index b74f5d0bec9b..d46c1a69a619 100644
--- a/nixpkgs/nixos/modules/services/networking/iwd.nix
+++ b/nixpkgs/nixos/modules/services/networking/iwd.nix
@@ -64,8 +64,10 @@ in
 };
 systemd.services.iwd = {
+ path = [ config.networking.resolvconf.package ];
 wantedBy = [ "multi-user.target" ];
 restartTriggers = [ configFile ];
+ serviceConfig.ReadWritePaths = "-/etc/resolv.conf";
 };
 };
diff --git a/nixpkgs/nixos/modules/services/networking/jigasi.nix b/nixpkgs/nixos/modules/services/networking/jigasi.nix
new file mode 100644
index 000000000000..e701689031b1
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/jigasi.nix
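Review bot: Dropping `DynamicUser = true;` also drops the hardening systemd implies with it — `ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp=yes`, `NoNewPrivileges=yes`, `RemoveIPC=yes` and `RestrictSUIDSGID=yes` — and only `PrivateUsers`, `DeviceAllow` and `UMask` are visible in this hunk, so unless those settings are spelled out elsewhere in the unit the service now runs with a weaker sandbox than before. Add them explicitly next to `PrivateUsers = true;` if the rest of `serviceConfig` (outside this hunk) does not already set them. Switching to a static UID also changes ownership expectations for any state the service kept under a DynamicUser-managed directory; presumably harmonia only reads the Nix store, but that is worth confirming against the rest of the unit.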
@@ -0,0 +1,237 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.jigasi;
+ homeDirName = "jigasi-home";
+ stateDir = "/tmp";
+ sipCommunicatorPropertiesFile = "${stateDir}/${homeDirName}/sip-communicator.properties";
+ sipCommunicatorPropertiesFileUnsubstituted = "${pkgs.jigasi}/etc/jitsi/jigasi/sip-communicator.properties";
+in
+{
+ options.services.jigasi = with types; {
+ enable = mkEnableOption "Jitsi Gateway to SIP - component of Jitsi Meet";
+
+ xmppHost = mkOption {
+ type = str;
+ example = "localhost";
+ description = ''
+ Hostname of the XMPP server to connect to.
+ '';
+ };
+
+ xmppDomain = mkOption {
+ type = nullOr str;
+ example = "meet.example.org";
+ description = ''
+ Domain name of the XMMP server to which to connect as a component.
+
+ If null, <option>xmppHost</option> is used.
+ '';
+ };
+
+ componentPasswordFile = mkOption {
+ type = str;
+ example = "/run/keys/jigasi-component";
+ description = ''
+ Path to file containing component secret.
+ '';
+ };
+
+ userName = mkOption {
+ type = str;
+ default = "callcontrol";
+ description = ''
+ User part of the JID for XMPP user connection.
+ '';
+ };
+
+ userDomain = mkOption {
+ type = str;
+ example = "internal.meet.example.org";
+ description = ''
+ Domain part of the JID for XMPP user connection.
+ '';
+ };
+
+ userPasswordFile = mkOption {
+ type = str;
+ example = "/run/keys/jigasi-user";
+ description = ''
+ Path to file containing password for XMPP user connection.
+ '';
+ };
+
+ bridgeMuc = mkOption {
+ type = str;
+ example = "jigasibrewery@internal.meet.example.org";
+ description = ''
+ JID of the internal MUC used to communicate with Videobridges.
+ '';
+ };
+
+ defaultJvbRoomName = mkOption {
+ type = str;
+ default = "";
+ example = "siptest";
+ description = ''
+ Name of the default JVB room that will be joined if no special header is included in SIP invite.
+ '';
+ };
+
+ environmentFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = ''
+ File containing environment variables to be passed to the jigasi service,
+ in which secret tokens can be specified securely by defining values for
+ <literal>JIGASI_SIPUSER</literal>,
+ <literal>JIGASI_SIPPWD</literal>,
+ <literal>JIGASI_SIPSERVER</literal> and
+ <literal>JIGASI_SIPPORT</literal>.
+ '';
+ };
+
+ config = mkOption {
+ type = attrsOf str;
+ default = { };
+ example = literalExpression ''
+ {
+ "org.jitsi.jigasi.auth.URL" = "XMPP:jitsi-meet.example.com";
+ }
+ '';
+ description = ''
+ Contents of the <filename>sip-communicator.properties</filename> configuration file for jigasi.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.jicofo.config = {
+ "org.jitsi.jicofo.jigasi.BREWERY" = "${cfg.bridgeMuc}";
+ };
+
+ services.jigasi.config = mapAttrs (_: v: mkDefault v) {
+ "org.jitsi.jigasi.BRIDGE_MUC" = cfg.bridgeMuc;
+ };
+
+ users.groups.jitsi-meet = {};
+
+ systemd.services.jigasi = let
+ jigasiProps = {
+ "-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION" = "${stateDir}";
+ "-Dnet.java.sip.communicator.SC_HOME_DIR_NAME" = "${homeDirName}";
+ "-Djava.util.logging.config.file" = "${pkgs.jigasi}/etc/jitsi/jigasi/logging.properties";
+ };
+ in
+ {
+ description = "Jitsi Gateway to SIP";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ preStart = ''
+ [ -f "${sipCommunicatorPropertiesFile}" ] && rm -f "${sipCommunicatorPropertiesFile}"
+ mkdir -p "$(dirname ${sipCommunicatorPropertiesFile})"
+ temp="${sipCommunicatorPropertiesFile}.unsubstituted"
+
+ export DOMAIN_BASE="${cfg.xmppDomain}"
+ export JIGASI_XMPP_PASSWORD=$(cat "${cfg.userPasswordFile}")
+ export JIGASI_DEFAULT_JVB_ROOM_NAME="${cfg.defaultJvbRoomName}"
+
+ # encode the credentials to base64
+ export JIGASI_SIPPWD=$(echo -n "$JIGASI_SIPPWD" | base64 -w 0)
+ export JIGASI_XMPP_PASSWORD_BASE64=$(cat "${cfg.userPasswordFile}" | base64 -w 0)
+
+ cp 
"${sipCommunicatorPropertiesFileUnsubstituted}" "$temp"
+ chmod 644 "$temp"
+ cat <<EOF >>"$temp"
+ net.java.sip.communicator.impl.protocol.sip.acc1403273890647.SERVER_PORT=$JIGASI_SIPPORT
+ net.java.sip.communicator.impl.protocol.sip.acc1403273890647.PREFERRED_TRANSPORT=udp
+ EOF
+ chmod 444 "$temp"
+
+ # Replace <<$VAR_NAME>> from example config to $VAR_NAME for environment substitution
+ sed -i -E \
+ 's/<<([^>]+)>>/\$\1/g' \
+ "$temp"
+
+ sed -i \
+ 's|\(net\.java\.sip\.communicator\.impl\.protocol\.jabber\.acc-xmpp-1\.PASSWORD=\).*|\1\$JIGASI_XMPP_PASSWORD_BASE64|g' \
+ "$temp"
+
+ sed -i \
+ 's|\(#\)\(org.jitsi.jigasi.DEFAULT_JVB_ROOM_NAME=\).*|\2\$JIGASI_DEFAULT_JVB_ROOM_NAME|g' \
+ "$temp"
+
+ ${pkgs.envsubst}/bin/envsubst \
+ -o "${sipCommunicatorPropertiesFile}" \
+ -i "$temp"
+
+ # Set the brewery room name
+ sed -i \
+ 's|\(net\.java\.sip\.communicator\.impl\.protocol\.jabber\.acc-xmpp-1\.BREWERY=\).*|\1${cfg.bridgeMuc}|g' \
+ "${sipCommunicatorPropertiesFile}"
+ sed -i \
+ 's|\(org\.jitsi\.jigasi\.ALLOWED_JID=\).*|\1${cfg.bridgeMuc}|g' \
+ "${sipCommunicatorPropertiesFile}"
+
+
+ # Disable certificate verification for self-signed certificates
+ sed -i \
+ 's|\(# \)\(net.java.sip.communicator.service.gui.ALWAYS_TRUST_MODE_ENABLED=true\)|\2|g' \
+ "${sipCommunicatorPropertiesFile}"
+ '';
+
+ restartTriggers = [
+ config.environment.etc."jitsi/jigasi/sip-communicator.properties".source
+ ];
+ environment.JAVA_SYS_PROPS = concatStringsSep " " (mapAttrsToList (k: v: "${k}=${toString v}") jigasiProps);
+
+ script = ''
+ ${pkgs.jigasi}/bin/jigasi \
+ --host="${cfg.xmppHost}" \
+ --domain="${if cfg.xmppDomain == null then cfg.xmppHost else cfg.xmppDomain}" \
+ --secret="$(cat ${cfg.componentPasswordFile})" \
+ --user_name="${cfg.userName}" \
+ --user_domain="${cfg.userDomain}" \
+ --user_password="$(cat ${cfg.userPasswordFile})" \
+ --configdir="${stateDir}" \
+ --configdirname="${homeDirName}"
+ '';
+
+ serviceConfig = {
+ Type = "exec";
+
+ DynamicUser = 
true;
+ User = "jigasi";
+ Group = "jitsi-meet";
+
+ CapabilityBoundingSet = "";
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ StateDirectory = baseNameOf stateDir;
+ EnvironmentFile = cfg.environmentFile;
+ };
+ };
+
+ environment.etc."jitsi/jigasi/sip-communicator.properties".source =
+ mkDefault "${sipCommunicatorPropertiesFile}";
+ environment.etc."jitsi/jigasi/logging.properties".source =
+ mkDefault "${stateDir}/logging.properties-journal";
+ };
+
+ meta.maintainers = lib.teams.jitsi.members;
+}
diff --git a/nixpkgs/nixos/modules/services/networking/nebula.nix b/nixpkgs/nixos/modules/services/networking/nebula.nix
index b9ebbfbd9a29..e13876172dac 100644
--- a/nixpkgs/nixos/modules/services/networking/nebula.nix
+++ b/nixpkgs/nixos/modules/services/networking/nebula.nix
@@ -196,7 +196,7 @@ in
 before = [ "sshd.service" ];
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
- Type = "simple";
+ Type = "notify";
 Restart = "always";
 ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";
 UMask = "0027";
diff --git a/nixpkgs/nixos/modules/services/networking/syncthing.nix b/nixpkgs/nixos/modules/services/networking/syncthing.nix
index 99d4d9eeffcc..e0425792431e 100644
--- a/nixpkgs/nixos/modules/services/networking/syncthing.nix
+++ b/nixpkgs/nixos/modules/services/networking/syncthing.nix
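Review bot: The preStart step under `# Disable certificate verification for self-signed certificates` unconditionally uncomments `net.java.sip.communicator.service.gui.ALWAYS_TRUST_MODE_ENABLED=true`, so every deployment of this module accepts any TLS certificate from its XMPP server; that sed should sit behind an opt-in such as `trustAllCertificates = mkEnableOption "accepting any TLS certificate from the XMPP server";` and be wrapped in `${optionalString cfg.trustAllCertificates "…"}`. The `script` also passes the component secret and the user password as `--secret=` and `--user_password=` arguments, which any local user can read from `/proc/<pid>/cmdline` for the lifetime of the process unless jigasi offers a file- or environment-based alternative. Separately, `xmppDomain` is typed `nullOr str` and documented as optional, but it has no `default = null;` and preStart interpolates `export DOMAIN_BASE="${cfg.xmppDomain}"`, which fails evaluation on null, so the `if cfg.xmppDomain == null` fallback in `script` can never be taken. The envsubst output at `${sipCommunicatorPropertiesFile}` contains the base64 passwords and is created with the unit's default umask, so add `UMask = "0077";` to `serviceConfig` alongside the other hardening.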
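Review bot: `Type = "notify";` makes the unit's readiness depend on nebula calling sd_notify, so if `netCfg.package` is overridden with a build that does not send `READY=1` the unit hangs until `TimeoutStartSec` and then, with `Restart = "always";` on the next line, restarts in a loop. Nothing in this hunk pins the nebula version that introduced notify support, so either record it in the `package` option's description or add a brief comment above the line, e.g. `# nebula reports readiness via sd_notify; requires a build with systemd notify support`. The enclosing `serviceConfig` continues outside this hunk.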
@@ -559,6 +559,15 @@ in {
 '';
 };
+ databaseDir = mkOption {
+ type = types.path;
+ description = lib.mdDoc ''
+ The directory containing the database and logs.
+ '';
+ default = cfg.configDir;
+ defaultText = literalExpression "config.${opt.configDir}";
+ };
+
 extraFlags = mkOption {
 type = types.listOf types.str;
 default = [];
@@ -660,7 +669,7 @@ in {
 -no-browser \
 -gui-address=${if isUnixGui then "unix://" else ""}${cfg.guiAddress} \
 -config=${cfg.configDir} \
- -data=${cfg.dataDir} \
+ -data=${cfg.databaseDir} \
 ${escapeShellArgs cfg.extraFlags}
 '';
 MemoryDenyWriteExecute = true;
diff --git a/nixpkgs/nixos/modules/services/networking/teamspeak3.nix b/nixpkgs/nixos/modules/services/networking/teamspeak3.nix
index f09ef1a959ed..ff41539a6d9b 100644
--- a/nixpkgs/nixos/modules/services/networking/teamspeak3.nix
+++ b/nixpkgs/nixos/modules/services/networking/teamspeak3.nix
@@ -50,7 +50,7 @@ in
 };
 defaultVoicePort = mkOption {
- type = types.int;
+ type = types.port;
 default = 9987;
 description = lib.mdDoc ''
 Default UDP port for clients to connect to virtual servers - used for first virtual server, subsequent ones will open on incrementing port numbers by default.
@@ -67,7 +67,7 @@ in
 };
 fileTransferPort = mkOption {
- type = types.int;
+ type = types.port;
 default = 30033;
 description = lib.mdDoc ''
 TCP port opened for file transfers.
@@ -84,10 +84,26 @@ in
 };
 queryPort = mkOption {
- type = types.int;
+ type = types.port;
 default = 10011;
 description = lib.mdDoc ''
- TCP port opened for ServerQuery connections.
+ TCP port opened for ServerQuery connections using the raw telnet protocol.
+ '';
+ };
+
+ querySshPort = mkOption {
+ type = types.port;
+ default = 10022;
+ description = lib.mdDoc ''
+ TCP port opened for ServerQuery connections using the SSH protocol.
+ '';
+ };
+
+ queryHttpPort = mkOption {
+ type = types.port;
+ default = 10080;
+ description = lib.mdDoc ''
+ TCP port opened for ServerQuery connections using the HTTP protocol.
 '';
 };
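Review bot: `databaseDir` defaults to `cfg.configDir`, while the removed line passed `-data=${cfg.dataDir}`, so on any existing deployment where those two directories differ the next start opens an empty database at the new location and leaves the old `index-v*.db` under `dataDir` orphaned; that silent relocation and full re-index should be called out. State the migration in the option description, e.g. `Previously the database was kept in {option}`services.syncthing.dataDir`; set this option to that path to keep an existing database.`, and presumably in the release notes as well. The `defaultText` references `opt.configDir`, so `options` must be bound in the module's argument list, which is outside this hunk.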
@@ -128,7 +144,9 @@ in
 ];
 networking.firewall = mkIf cfg.openFirewall {
- allowedTCPPorts = [ cfg.fileTransferPort ] ++ optionals (cfg.openFirewallServerQuery) [ cfg.queryPort (cfg.queryPort + 11) ];
+ allowedTCPPorts = [ cfg.fileTransferPort ] ++ (map (port:
+ mkIf cfg.openFirewallServerQuery port
+ ) [cfg.queryPort cfg.querySshPort cfg.queryHttpPort]);
 # subsequent vServers will use the incremented voice port, let's just open the next 10
 allowedUDPPortRanges = [ { from = cfg.defaultVoicePort; to = cfg.defaultVoicePort + 10; } ];
 };
@@ -141,13 +159,19 @@ in
 serviceConfig = {
 ExecStart = ''
 ${ts3}/bin/ts3server \
- dbsqlpath=${ts3}/lib/teamspeak/sql/ logpath=${cfg.logPath} \
- ${optionalString (cfg.voiceIP != null) "voice_ip=${cfg.voiceIP}"} \
+ dbsqlpath=${ts3}/lib/teamspeak/sql/ \
+ logpath=${cfg.logPath} \
+ license_accepted=1 \
 default_voice_port=${toString cfg.defaultVoicePort} \
- ${optionalString (cfg.fileTransferIP != null) "filetransfer_ip=${cfg.fileTransferIP}"} \
 filetransfer_port=${toString cfg.fileTransferPort} \
+ query_port=${toString cfg.queryPort} \
+ query_ssh_port=${toString cfg.querySshPort} \
+ query_http_port=${toString cfg.queryHttpPort} \
+ ${optionalString (cfg.voiceIP != null) "voice_ip=${cfg.voiceIP}"} \
+ ${optionalString (cfg.fileTransferIP != null) "filetransfer_ip=${cfg.fileTransferIP}"} \
 ${optionalString (cfg.queryIP != null) "query_ip=${cfg.queryIP}"} \
- query_port=${toString cfg.queryPort} license_accepted=1
+ ${optionalString (cfg.queryIP != null) "query_ssh_ip=${cfg.queryIP}"} \
+ ${optionalString (cfg.queryIP != null) "query_http_ip=${cfg.queryIP}"} \
 '';
 WorkingDirectory = cfg.dataDir;
 User = user;
diff --git a/nixpkgs/nixos/modules/services/networking/tinyproxy.nix b/nixpkgs/nixos/modules/services/networking/tinyproxy.nix
index 42d45c460c2e..8ff12b52f10c 100644
--- a/nixpkgs/nixos/modules/services/networking/tinyproxy.nix
+++ b/nixpkgs/nixos/modules/services/networking/tinyproxy.nix
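Review bot: The rewritten `ExecStart` now ends with `${optionalString (cfg.queryIP != null) "query_http_ip=${cfg.queryIP}"} \` immediately followed by `'';`, so the value handed to systemd terminates in a backslash-newline; systemd joins a line ending in a backslash with the next line of the unit file, so whichever `Key=` is serialized after `ExecStart=` gets appended to the ts3server argument list and silently dropped from the unit. The removed last line, `query_port=${toString cfg.queryPort} license_accepted=1`, had no trailing backslash, so this is a regression of the hunk. Drop the ` \` on the final line, or move the unconditional `license_accepted=1` to the end so the last line never depends on `queryIP`. The three `optionalString` lines that go blank when `queryIP` is null are harmless, but `concatStringsSep " \\\n" (lib.optionals (cfg.queryIP != null) [ … ])` would avoid emitting empty continuation lines.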
@@ -85,7 +85,7 @@ in
 User = "tinyproxy";
 Group = "tinyproxy";
 Type = "simple";
- ExecStart = "${getExe pkgs.tinyproxy} -d -c ${configFile}";
+ ExecStart = "${getExe cfg.package} -d -c ${configFile}";
 ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
 KillSignal = "SIGINT";
 TimeoutStopSec = "30s";
diff --git a/nixpkgs/nixos/modules/services/networking/vdirsyncer.nix b/nixpkgs/nixos/modules/services/networking/vdirsyncer.nix
index 6a069943434d..165dc70f0876 100644
--- a/nixpkgs/nixos/modules/services/networking/vdirsyncer.nix
+++ b/nixpkgs/nixos/modules/services/networking/vdirsyncer.nix
@@ -20,9 +20,11 @@ let
 else pkgs.writeText "vdirsyncer-${name}.conf" (toIniJson (
 {
- general = cfg'.config.general // (lib.optionalAttrs (cfg'.config.statusPath == null) {
- status_path = "/var/lib/vdirsyncer/${name}";
- });
+ general = cfg'.config.general // {
+ status_path = if cfg'.config.statusPath == null
+ then "/var/lib/vdirsyncer/${name}"
+ else cfg'.config.statusPath;
+ };
 } // (
 mapAttrs' (name: nameValuePair "pair ${name}") cfg'.config.pairs
 ) // (
diff --git a/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix b/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix
index 90d9c68433cf..4586550ed75e 100644
--- a/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix
+++ b/nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix
@@ -107,6 +107,10 @@ let
 stopIfChanged = false;
 path = [ package ];
+ # if `userControl.enable`, the supplicant automatically changes the permissions
+ # and owning group of the runtime dir; setting `umask` ensures the generated
+ # config file isn't readable (except to root); see nixpkgs#267693
+ serviceConfig.UMask = "066";
 serviceConfig.RuntimeDirectory = "wpa_supplicant";
 serviceConfig.RuntimeDirectoryMode = "700";
 serviceConfig.EnvironmentFile = mkIf (cfg.environmentFile != null) |