Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/dnscrypt-proxy.nix | 98 | ||||
-rw-r--r-- | nixos/modules/services/networking/firewall.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/i2pd.nix | 10 | ||||
-rw-r--r-- | nixos/modules/services/networking/iodined.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/networking/mjpg-streamer.nix | 75 | ||||
-rw-r--r-- | nixos/modules/services/networking/radicale.nix | 15 | ||||
-rw-r--r-- | nixos/modules/services/networking/vsftpd.nix | 9 | ||||
-rw-r--r-- | nixos/modules/services/networking/wpa_supplicant.nix | 2 |
8 files changed, 180 insertions, 34 deletions
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix index 016b6a12cd61..61305f5a755e 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy.nix @@ -5,13 +5,17 @@ let apparmorEnabled = config.security.apparmor.enable; dnscrypt-proxy = pkgs.dnscrypt-proxy; cfg = config.services.dnscrypt-proxy; + resolverListFile = "${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"; localAddress = "${cfg.localAddress}:${toString cfg.localPort}"; + daemonArgs = [ "--local-address=${localAddress}" (optionalString cfg.tcpOnly "--tcp-only") + (optionalString cfg.ephemeralKeys "-E") ] ++ resolverArgs; + resolverArgs = if (cfg.customResolver != null) then [ "--resolver-address=${cfg.customResolver.address}:${toString cfg.customResolver.port}" 
@@ -27,43 +31,63 @@ in { options = { services.dnscrypt-proxy = { - enable = mkEnableOption '' - Enable dnscrypt-proxy. The proxy relays regular DNS queries to a - DNSCrypt enabled upstream resolver. The traffic between the - client and the upstream resolver is encrypted and authenticated, - which may mitigate the risk of MITM attacks and third-party + enable = mkEnableOption "dnscrypt-proxy" // { description = '' + Whether to enable the DNSCrypt client proxy. The proxy relays + DNS queries to a DNSCrypt enabled upstream resolver. The traffic + between the client and the upstream resolver is encrypted and + authenticated, mitigating the risk of MITM attacks and third-party snooping (assuming the upstream is trustworthy). - ''; + + Enabling this option does not alter the system nameserver; to relay + local queries, prepend <literal>127.0.0.1</literal> to + <option>networking.nameservers</option>. + + The recommended configuration is to run DNSCrypt proxy as a forwarder + for a caching DNS client, as in + <programlisting> + { + services.dnscrypt-proxy.enable = true; + services.dnscrypt-proxy.localPort = 43; + services.dnsmasq.enable = true; + services.dnsmasq.servers = [ "127.0.0.1#43" ]; + services.dnsmasq.resolveLocalQueries = true; # this is the default + } + </programlisting> + ''; }; localAddress = mkOption { default = "127.0.0.1"; type = types.string; description = '' - Listen for DNS queries on this address. + Listen for DNS queries to relay on this address. The only reason to + change this from its default value is to proxy queries on behalf + of other machines (typically on the local network). ''; }; localPort = mkOption { default = 53; type = types.int; description = '' - Listen on this port. + Listen for DNS queries to relay on this port. The default value + assumes that the DNSCrypt proxy should relay DNS queries directly. + When running as a forwarder for another DNS client, set this option + to a different value; otherwise leave the default. 
''; }; resolverName = mkOption { - default = "opendns"; + default = "dnscrypt.eu-nl"; type = types.nullOr types.string; description = '' The name of the upstream DNSCrypt resolver to use. See - <literal>${resolverListFile}</literal> for alternative resolvers - (e.g., if you are concerned about logging and/or server - location). + <filename>${resolverListFile}</filename> for alternative resolvers. + The default resolver is located in Holland, supports DNS security + extensions, and claims to not keep logs. ''; }; customResolver = mkOption { default = null; description = '' - Use a resolver not listed in the upstream list (e.g., - a private DNSCrypt provider). For advanced users only. - If specified, this option takes precedence. + Use an unlisted resolver (e.g., a private DNSCrypt provider). For + advanced users only. If specified, this option takes precedence. ''; type = types.nullOr (types.submodule ({ ... }: { options = { address = mkOption { 
@@ -80,20 +104,31 @@ in type = types.str; description = "Provider fully qualified domain name"; example = "2.dnscrypt-cert.opendns.com"; - }; - key = mkOption { - type = types.str; - description = "Provider public key"; - example = "B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79"; - }; }; })); + }; + key = mkOption { + type = types.str; + description = "Provider public key"; + example = "B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79"; + }; + }; })); }; tcpOnly = mkOption { default = false; type = types.bool; description = '' - Force sending encrypted DNS queries to the upstream resolver - over TCP instead of UDP (on port 443). Enabling this option may - help circumvent filtering, but should not be used otherwise. + Force sending encrypted DNS queries to the upstream resolver over + TCP instead of UDP (on port 443). Use only if the UDP port is blocked. + ''; + }; + ephemeralKeys = mkOption { + default = false; + type = types.bool; + description = '' + Compute a new key pair for every query. Enabling this option + increases CPU usage, but makes it more difficult for the upstream + resolver to track your usage of their service across IP addresses. + The default is to re-use the public key pair for all queries, making + tracking trivial. ''; }; }; 
@@ -130,16 +165,20 @@ in ${pkgs.xz.out}/lib/liblzma.so.* mr, ${pkgs.libgcrypt.out}/lib/libgcrypt.so.* mr, ${pkgs.libgpgerror.out}/lib/libgpg-error.so.* mr, + ${pkgs.libcap}/lib/libcap.so.* mr, + ${pkgs.lz4}/lib/liblz4.so.* mr, + ${pkgs.attr}/lib/libattr.so.* mr, ${resolverListFile} r, } '')); - users.extraUsers.dnscrypt-proxy = { - uid = config.ids.uids.dnscrypt-proxy; + users.users.dnscrypt-proxy = { description = "dnscrypt-proxy daemon user"; + isSystemUser = true; + group = "dnscrypt-proxy"; }; - users.extraGroups.dnscrypt-proxy.gid = config.ids.gids.dnscrypt-proxy; + users.groups.dnscrypt-proxy = {}; systemd.sockets.dnscrypt-proxy = { description = "dnscrypt-proxy listening socket"; @@ -152,16 +191,21 @@ in systemd.services.dnscrypt-proxy = { description = "dnscrypt-proxy daemon"; + after = [ "network.target" ] ++ optional apparmorEnabled "apparmor.service"; requires = [ "dnscrypt-proxy.socket "] ++ optional apparmorEnabled "apparmor.service"; + serviceConfig = { Type = "simple"; NonBlocking = "true"; ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}"; + User = "dnscrypt-proxy"; Group = "dnscrypt-proxy"; + PrivateTmp = true; PrivateDevices = true; + ProtectHome = true; }; }; }; diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index e11fe072be65..9221fe155777 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -338,7 +338,7 @@ in }; networking.firewall.allowPing = mkOption { - default = false; + default = true; type = types.bool; description = '' diff --git a/nixos/modules/services/networking/i2pd.nix b/nixos/modules/services/networking/i2pd.nix index c32b935cf940..0cbf57314c4b 100644 --- a/nixos/modules/services/networking/i2pd.nix +++ b/nixos/modules/services/networking/i2pd.nix 
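Review bot: The three AppArmor rules added at the top of the hunk reference `${pkgs.libcap}`, `${pkgs.lz4}` and `${pkgs.attr}` while the neighbouring rules use explicit outputs (`${pkgs.xz.out}`, `${pkgs.libgcrypt.out}`); for a package with split outputs the default output may not be the one holding the shared library, in which case the profile silently grants the wrong path and the daemon is denied its mapping. Writing them as `${pkgs.libcap.out}/lib/libcap.so.* mr,` (and likewise for lz4 and attr) keeps the profile consistent and avoids that mismatch. Further down in the same hunk, `users.users.dnscrypt-proxy` drops the fixed `uid = config.ids.uids.dnscrypt-proxy` for `isSystemUser = true`; if any host has on-disk state owned by the old numeric id (nothing in the hunk shows one, but it is worth confirming), ownership would have to be migrated, and a one-line comment on that attribute should say whether the switch was checked.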
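Review bot: The new `serviceConfig` hardening stops short for a daemon that, per the AppArmor profile in the preceding hunk, only needs read/map access to store paths and the resolver list: nothing here prevents writes to the rest of the filesystem or privilege gain after the drop to `User = "dnscrypt-proxy"`. Adding `ProtectSystem = "strict";` and `NoNewPrivileges = true;` next to `ProtectHome = true;` would close that, provided the socket-activated start path writes nothing outside /tmp (confirm before merging). Separately, the context line directly below the new `after =` carries a trailing space inside the unit name, `"dnscrypt-proxy.socket "`, which systemd will not match to the socket this file defines; since the commit already reshapes these dependency lines it should fix it to `requires = [ "dnscrypt-proxy.socket" ] ++ optional apparmorEnabled "apparmor.service";`.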
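Review bot: Flipping `networking.firewall.allowPing` to `default = true;` widens the default exposure of every host with the firewall enabled, and the option's `description` (its lines continue below this hunk) must be checked so it does not still describe pings as blocked by default and states the new default plainly, e.g. `Whether to respond to incoming ICMPv4 echo requests ("pings"). Enabled by default.`. Users who want responses but bounded should be pointed from that description to `networking.firewall.pingLimit`, if that option is defined in this file (I cannot see it from the hunk). A one-line default change like this also belongs in the release notes, which the diffstat shows are not touched.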
@@ -10,9 +10,10 @@ let extip = "EXTIP=\$(${pkgs.curl.bin}/bin/curl -sf \"http://jsonip.com\" | ${pkgs.gawk}/bin/awk -F'\"' '{print $4}')"; - toOneZero = b: if b then "1" else "0"; + toYesNo = b: if b then "yes" else "no"; mkEndpointOpt = name: addr: port: { + enable = mkEnableOption name; name = mkOption { type = types.str; default = name; @@ -63,9 +64,9 @@ let } // mkEndpointOpt name "127.0.0.1" 0; i2pdConf = pkgs.writeText "i2pd.conf" '' - ipv6 = ${toOneZero cfg.enableIPv6} - notransit = ${toOneZero cfg.notransit} - floodfill = ${toOneZero cfg.floodfill} + ipv6 = ${toYesNo cfg.enableIPv6} + notransit = ${toYesNo cfg.notransit} + floodfill = ${toYesNo cfg.floodfill} ${if isNull cfg.port then "" else "port = ${toString cfg.port}"} ${flip concatMapStrings (collect (proto: proto ? port && proto ? address && proto ? name) cfg.proto) @@ -73,6 +74,7 @@ let [${proto.name}] address = ${proto.address} port = ${toString proto.port} + enabled = ${toYesNo proto.enable} '') } ''; diff --git a/nixos/modules/services/networking/iodined.nix b/nixos/modules/services/networking/iodined.nix index 6bfe62e6261c..20d371c4e2d1 100644 --- a/nixos/modules/services/networking/iodined.nix +++ b/nixos/modules/services/networking/iodined.nix @@ -64,8 +64,7 @@ in systemd.services.iodined = { description = "iodine, ip over dns daemon"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; + wantedBy = [ "ip-up.target" ]; serviceConfig.ExecStart = "${pkgs.iodine}/sbin/iodined -f -u ${iodinedUser} ${cfg.extraConfig} ${cfg.ip} ${cfg.domain}"; }; diff --git a/nixos/modules/services/networking/mjpg-streamer.nix b/nixos/modules/services/networking/mjpg-streamer.nix new file mode 100644 index 000000000000..9986f549aecf --- /dev/null +++ b/nixos/modules/services/networking/mjpg-streamer.nix 
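Review bot: `enable = mkEnableOption name;` added to `mkEndpointOpt` defaults to false, and the third hunk of this file now emits `enabled = ${toYesNo proto.enable}` into every `[proto]` section, so unless a default is set elsewhere outside these hunks, every endpoint that was active before this commit is written out as `enabled = no` after it. If the intent is to add an opt-out rather than switch all endpoints off, define it as `enable = mkEnableOption name // { default = true; };`; otherwise the behaviour change needs to be stated in the option description and the commit message. The enclosing `let` block of i2pd.nix starts before this hunk.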
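Review bot: The iodined hunk removes `after = [ "network.target" ];` and replaces `wantedBy` with `ip-up.target` without adding any other ordering; `wantedBy` only installs the unit into the target, and a target by default orders itself after the units it wants, so iodined is started while `ip-up.target` is being reached, not after it. Whether an address is already configured at that moment depends on what pulls `ip-up.target` in, which is outside this file. Keeping `after = [ "network.target" ];` alongside the new `wantedBy` preserves the old guarantee at no cost, and if the ordering is deliberately dropped a one-line comment saying why would stop the next reader from re-adding it.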
@@ -0,0 +1,75 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.mjpg-streamer; + +in { + + options = { + + services.mjpg-streamer = { + + enable = mkEnableOption "mjpg-streamer webcam streamer"; + + inputPlugin = mkOption { + type = types.str; + default = "input_uvc.so"; + description = '' + Input plugin. See plugins documentation for more information. + ''; + }; + + outputPlugin = mkOption { + type = types.str; + default = "output_http.so -w @www@ -n -p 5050"; + description = '' + Output plugin. <literal>@www@</literal> is substituted for default mjpg-streamer www directory. + See plugins documentation for more information. + ''; + }; + + user = mkOption { + type = types.str; + default = "mjpg-streamer"; + description = "mjpg-streamer user name."; + }; + + group = mkOption { + type = types.str; + default = "video"; + description = "mjpg-streamer group name."; + }; + + }; + + }; + + config = mkIf cfg.enable { + + users.extraUsers = optional (cfg.user == "mjpg-streamer") { + name = "mjpg-streamer"; + uid = config.ids.uids.mjpg-streamer; + group = cfg.group; + }; + + systemd.services.mjpg-streamer = { + description = "mjpg-streamer webcam streamer"; + wantedBy = [ "multi-user.target" ]; + + serviceConfig.User = cfg.user; + serviceConfig.Group = cfg.group; + + script = '' + IPLUGIN="${cfg.inputPlugin}" + OPLUGIN="${cfg.outputPlugin}" + OPLUGIN="''${OPLUGIN//@www@/${pkgs.mjpg-streamer}/share/mjpg-streamer/www}" + exec ${pkgs.mjpg-streamer}/bin/mjpg_streamer -i "$IPLUGIN" -o "$OPLUGIN" + ''; + }; + + }; + +} diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix index 4b77ef22ac12..19762f4e570c 100644 --- a/nixos/modules/services/networking/radicale.nix +++ b/nixos/modules/services/networking/radicale.nix 
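Review bot: The default `outputPlugin`, `output_http.so -w @www@ -n -p 5050`, serves the camera stream over plain HTTP on TCP 5050 on every interface with no authentication, and nothing in the module narrows that (it does not open the firewall, which is the right default, but the `outputPlugin` description does not tell the user what they are exposing). The description should say so explicitly, e.g. `The default output plugin listens unauthenticated on port 5050 on all interfaces; pass <literal>-c user:password</literal> to output_http.so or keep the port firewalled if the stream must not be public.`. The unit also runs with no sandboxing beyond `serviceConfig.User`/`Group`; `serviceConfig.PrivateTmp`, `ProtectSystem` and `ProtectHome` are cheap additions for a process that only needs the video device and the www directory (`PrivateDevices` is not an option here, since it would hide `/dev/video*` that the `video` group grants access to).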
@@ -35,12 +35,27 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.pythonPackages.radicale ]; + users.extraUsers = singleton + { name = "radicale"; + uid = config.ids.uids.radicale; + description = "radicale user"; + home = "/var/lib/radicale"; + createHome = true; + }; + + users.extraGroups = singleton + { name = "radicale"; + gid = config.ids.gids.radicale; + }; + systemd.services.radicale = { description = "A Simple Calendar and Contact Server"; after = [ "network-interfaces.target" ]; wantedBy = [ "multi-user.target" ]; script = "${pkgs.pythonPackages.radicale}/bin/radicale -C ${confFile} -d"; serviceConfig.Type = "forking"; + serviceConfig.User = "radicale"; + serviceConfig.Group = "radicale"; }; }; } diff --git a/nixos/modules/services/networking/vsftpd.nix b/nixos/modules/services/networking/vsftpd.nix index e7301e9ef5f5..7ec484941ede 100644 --- a/nixos/modules/services/networking/vsftpd.nix +++ b/nixos/modules/services/networking/vsftpd.nix @@ -85,6 +85,9 @@ let ssl_enable=YES rsa_cert_file=${cfg.rsaCertFile} ''} + ${optionalString (cfg.rsaKeyFile != null) '' + rsa_private_key_file=${cfg.rsaKeyFile} + ''} ${optionalString (cfg.userlistFile != null) '' userlist_file=${cfg.userlistFile} ''} @@ -147,6 +150,12 @@ in description = "RSA certificate file."; }; + rsaKeyFile = mkOption { + type = types.nullOr types.path; + default = null; + description = "RSA private key file."; + }; + anonymousUmask = mkOption { type = types.string; default = "077"; diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index a8f445a2c73c..53648aef1e04 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix 
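Review bot: Adding `serviceConfig.User = "radicale"` without a migration step will break existing deployments: before this hunk the unit had no `User` and so ran as root, meaning whatever storage `confFile` points at (built outside this hunk) is root-owned and becomes unwritable by the daemon, and `createHome = true` does not change ownership of a `/var/lib/radicale` that already exists. A `preStart` that chowns the storage path to `radicale:radicale`, or at least a release note, should accompany the change. Since `confFile` is defined outside this hunk, confirm its storage path is `/var/lib/radicale` or is otherwise covered.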
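Review bot: `rsaKeyFile` in the second vsftpd hunk is typed `types.nullOr types.path`, and for a private key that is a trap: a Nix path literal (e.g. `./key.pem`) is copied into the world-readable Nix store at evaluation time, leaving the key readable by every local user, and the option's description says nothing about it. Change the description to `RSA private key file. Pass an absolute path as a string, not a Nix path literal; a path literal is copied into the world-readable Nix store.`. The same caveat applies to `rsaCertFile` only if its type is also `types.path`, which this hunk does not show; the first vsftpd hunk, which emits `rsa_private_key_file=${cfg.rsaKeyFile}` under its own `optionalString`, needs no change.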
@@ -125,10 +125,12 @@ in { # FIXME: start a separate wpa_supplicant instance per interface. systemd.services.wpa_supplicant = let ifaces = cfg.interfaces; + deviceUnit = interface: [ "sys-subsystem-net-devices-${interface}.device" ]; in { description = "WPA Supplicant"; after = [ "network-interfaces.target" ]; + requires = lib.concatMap deviceUnit ifaces; wantedBy = [ "network.target" ]; path = [ pkgs.wpa_supplicant ]; |