Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/minidlna.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/skydns.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/apache-httpd/wordpress.nix | 38 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/shellinabox.nix | 122 | ||||
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 13 | ||||
-rw-r--r-- | nixos/modules/virtualisation/xen-dom0.nix | 101 | ||||
-rw-r--r-- | nixos/tests/chromium.nix | 5 |
8 files changed, 244 insertions, 40 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 6d51c668f1d3..c1014bdff2e2 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -384,6 +384,7 @@
 ./services/web-servers/lighttpd/gitweb.nix
 ./services/web-servers/nginx/default.nix
 ./services/web-servers/phpfpm.nix
+ ./services/web-servers/shellinabox.nix
 ./services/web-servers/tomcat.nix
 ./services/web-servers/uwsgi.nix
 ./services/web-servers/varnish/default.nix
diff --git a/nixos/modules/services/networking/minidlna.nix b/nixos/modules/services/networking/minidlna.nix
index 51850496e2c9..aa28502a12c4 100644
--- a/nixos/modules/services/networking/minidlna.nix
+++ b/nixos/modules/services/networking/minidlna.nix
@@ -97,7 +97,7 @@ in
 Type = "forking";
 PIDFile = "/run/minidlna/pid";
 ExecStart =
- "@${pkgs.minidlna}/sbin/minidlna minidlna -P /run/minidlna/pid" +
+ "@${pkgs.minidlna}/sbin/minidlnad minidlnad -P /run/minidlna/pid" +
 " -f ${pkgs.writeText "minidlna.conf" cfg.config}";
 };
 };
diff --git a/nixos/modules/services/networking/skydns.nix b/nixos/modules/services/networking/skydns.nix
index 045e908a3b18..3b9390914891 100644
--- a/nixos/modules/services/networking/skydns.nix
+++ b/nixos/modules/services/networking/skydns.nix
@@ -55,7 +55,7 @@ in {
 };
 
 package = mkOption {
- default = pkgs.goPackages.skydns;
+ default = pkgs.skydns;
 type = types.package;
 description = "Skydns package to use.";
 };
diff --git a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
index df099754b548..8884569c7bc8 100644
--- a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
@@ -43,38 +43,27 @@ let ''; # WP translation can be found here: - # https://make.wordpress.org/polyglots/teams/ - # FIXME: - # - add all these languages: - # sq ar az eu bs bg ca zh-cn zh-tw hr da nl en-au - # en-ca en-gb eo fi fr gl de el he hu is id it ja - # ko lt nb nn oci pl pt-br pt ro ru sr sk es-mx es - # sv th tr uk cy - # - cache the files on github.com/qknight/WordpressLanguages and use fetchFromGithub instead - # note: this implementation of supportedLanguages will only work for me (qknight) as i'm using nix-prefetch-url - # as the sha256 changes like every download. - # note: this is also true for plugins and themes but these are controlled not from withing wordpress.nix + # https://github.com/nixcloud/wordpress-translations supportedLanguages = { - en_GB = "1yf1sb6ji3l4lg8nkkjhckbwl81jly8z93jf06pvk6a1p6bsr6l6"; - de_DE = "3881221f337799b88f9562df8b3f1560f2c49a8f662297561a5b25ce77f22e17"; + en_GB = { revision="d6c005372a5318fd758b710b77a800c86518be13"; sha256="0qbbsi87k47q4rgczxx541xz4z4f4fr49hw4lnaxkdsf5maz8p9p"; }; + de_DE = { revision="3c62955c27baaae98fd99feb35593d46562f4736"; sha256="1shndgd11dk836dakrjlg2arwv08vqx6j4xjh4jshvwmjab6ng6p"; }; + zh_ZN = { revision="12b9f811e8cae4b6ee41de343d35deb0a8fdda6d"; sha256="1339ggsxh0g6lab37jmfxicsax4h702rc3fsvv5azs7mcznvwh47"; }; + fr_FR = { revision="688c8b1543e3d38d9e8f57e0a6f2a2c3c8b588bd"; sha256="1j41iak0i6k7a4wzyav0yrllkdjjskvs45w53db8vfm8phq1n014"; }; }; - downloadLanguagePack = language: sha256: + downloadLanguagePack = language: revision: sha256s: pkgs.stdenv.mkDerivation rec { - name = "wp_${language}-${version}"; - src = pkgs.fetchurl { - url = "https://downloads.wordpress.org/translation/core/${version}/${language}.zip"; - sha256 = "${sha256}"; + name = "wp_${language}"; + src = pkgs.fetchFromGitHub { + owner = "nixcloud"; + repo = "wordpress-translations"; + rev = revision; + sha256 = sha256s; }; - buildInputs = [ pkgs.unzip ]; - unpackPhase = '' - unzip $src - export sourceRoot=. 
- ''; installPhase = "mkdir -p $out; cp -R * $out/"; }; - selectedLanguages = map (lang: downloadLanguagePack lang supportedLanguages.${lang}) (config.languages); + selectedLanguages = map (lang: downloadLanguagePack lang supportedLanguages.${lang}.revision supportedLanguages.${lang}.sha256) (config.languages); # The wordpress package itself wordpressRoot = pkgs.stdenv.mkDerivation rec { @@ -235,6 +224,7 @@ in documentRoot = wordpressRoot; + # FIXME adding the user has to be done manually for the time being startupScript = pkgs.writeScript "init-wordpress.sh" '' #!/bin/sh mkdir -p ${config.wordpressUploads} diff --git a/nixos/modules/services/web-servers/shellinabox.nix b/nixos/modules/services/web-servers/shellinabox.nix new file mode 100644 index 000000000000..58a02ac59c35 --- /dev/null +++ b/nixos/modules/services/web-servers/shellinabox.nix 
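Review bot: The new `supportedLanguages` key `zh_ZN` does not match any WordPress locale code — the removed FIXME list names `zh-cn` and `zh-tw` — so it looks like a typo for `zh_CN`; as written, `config.languages = [ "zh_CN" ]` fails with a missing-attribute error and only the misspelled key selects that translation, so please confirm the key against the nixcloud repository. Moving from the per-download `downloads.wordpress.org` zip to a `fetchFromGitHub` pinned by `revision` plus `sha256` is the right fix for the "sha256 changes every download" problem the removed note described; keeping one line of that rationale helps the next person who bumps a language, e.g. `# Each entry pins a commit of github.com/nixcloud/wordpress-translations; update revision and sha256 together.` Two smaller points in the same hunk: the third parameter of `downloadLanguagePack` is named `sha256s` although it carries a single hash, and `selectedLanguages` indexes `supportedLanguages.${lang}` twice where `let l = supportedLanguages.${lang}; in downloadLanguagePack lang l.revision l.sha256` reads cleaner.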
@@ -0,0 +1,122 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.shellinabox; + + # If a certificate file is specified, shellinaboxd requires + # a file descriptor to retrieve it + fd = "3"; + createFd = optionalString (cfg.certFile != null) "${fd}<${cfg.certFile}"; + + # Command line arguments for the shellinabox daemon + args = [ "--background" ] + ++ optional (! cfg.enableSSL) "--disable-ssl" + ++ optional (cfg.certFile != null) "--cert-fd=${fd}" + ++ optional (cfg.certDirectory != null) "--cert=${cfg.certDirectory}" + ++ cfg.extraOptions; + + # Command to start shellinaboxd + cmd = "${pkgs.shellinabox}/bin/shellinaboxd ${concatStringsSep " " args}"; + + # Command to start shellinaboxd if certFile is specified + wrappedCmd = "${pkgs.bash}/bin/bash -c 'exec ${createFd} && ${cmd}'"; + +in + +{ + + ###### interface + + options = { + services.shellinabox = { + enable = mkEnableOption "shellinabox daemon"; + + user = mkOption { + type = types.str; + default = "root"; + description = '' + User to run shellinaboxd as. If started as root, the server drops + privileges by changing to nobody, unless overridden by the + <literal>--user</literal> option. + ''; + }; + + enableSSL = mkOption { + type = types.bool; + default = false; + description = '' + Whether or not to enable SSL (https) support. + ''; + }; + + certDirectory = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/certs"; + description = '' + The daemon will look in this directory far any certificates. + If the browser negotiated a Server Name Identification the daemon + will look for a matching certificate-SERVERNAME.pem file. If no SNI + handshake takes place, it will fall back on using the certificate in the + certificate.pem file. + + If no suitable certificate is installed, shellinaboxd will attempt to + create a new self-signed certificate. 
This will only succeed if, after + dropping privileges, shellinaboxd has write permissions for this + directory. + ''; + }; + + certFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/certificate.pem"; + description = "Path to server SSL certificate."; + }; + + extraOptions = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "--port=443" "--service /:LOGIN" ]; + description = '' + A list of strings to be appended to the command line arguments + for shellinaboxd. Please see the manual page + <link xlink:href="https://code.google.com/p/shellinabox/wiki/shellinaboxd_man"/> + for a full list of available arguments. + ''; + }; + + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + + assertions = + [ { assertion = cfg.enableSSL == true + -> cfg.certDirectory != null || cfg.certFile != null; + message = "SSL is enabled for shellinabox, but no certDirectory or certFile has been specefied."; } + { assertion = ! (cfg.certDirectory != null && cfg.certFile != null); + message = "Cannot set both certDirectory and certFile for shellinabox."; } + ]; + + systemd.services.shellinaboxd = { + description = "Shellinabox Web Server Daemon"; + + wantedBy = [ "multi-user.target" ]; + requires = [ "sshd.service" ]; + after = [ "sshd.service" ]; + + serviceConfig = { + Type = "forking"; + User = "${cfg.user}"; + ExecStart = "${if cfg.certFile == null then "${cmd}" else "${wrappedCmd}"}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + }; + }; + }; +} diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 3799e5d7ddb6..1b4f0d401e6d 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix 
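Review bot: With the default `enableSSL = false` the unit starts shellinaboxd with `--disable-ssl`, so the browser-facing leg that carries the user's login credentials is plain HTTP; the `enableSSL` description should say so, e.g. `Whether or not to enable SSL (https) support. When disabled, the terminal session and the login credentials typed into it are sent in clear text.` The `wrappedCmd` string splices `cfg.certFile` and the joined `args` into a single-quoted `bash -c` command, so a path or `extraOptions` entry containing a single quote or whitespace breaks the quoting; shell-escaping each interpolated value (`lib.escapeShellArg`, if this tree has it) or avoiding the shell wrapper altogether would close that. `Type = "forking"` is set without a `PIDFile`, so the `$MAINPID` used by `ExecReload` depends on systemd guessing the daemon's pid after `--background`; writing a pid file (if shellinaboxd can) and declaring `PIDFile` makes the reload deterministic. Two typos in the option docs: `far any certificates` → `for any certificates` and `specefied` → `specified`.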
@@ -5,7 +5,7 @@ with lib; let luks = config.boot.initrd.luks; - openCommand = { name, device, keyFile, keyFileSize, allowDiscards, yubikey, ... }: '' + openCommand = { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: '' # Wait for luksRoot to appear, e.g. if on a usb drive. # XXX: copied and adapted from stage-1-init.sh - should be # available as a function. @@ -33,6 +33,7 @@ let open_normally() { cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \ + ${optionalString (header != null) "--header=${header}"} \ ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"} } @@ -251,6 +252,16 @@ in description = "Path of the underlying block device."; }; + header = mkOption { + default = null; + example = "/root/header.img"; + type = types.nullOr types.string; + description = '' + The name of the file or block device that + should be used as header for the encrypted device. + ''; + }; + keyFile = mkOption { default = null; example = "/dev/sdb1"; diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix index 7b5d714622c8..c750286a3970 100644 --- a/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixos/modules/virtualisation/xen-dom0.nix 
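Review bot: The new `header` option in the third hunk is declared as `types.nullOr types.string`; `types.string` merges several definitions by concatenating them, which for a file path silently yields a wrong path, so `types.str` (single definition, conflicts reported) is the safer choice and matches the intent of "name of the file or block device". The description could also tell the user that the header file or device has to be reachable inside the initrd when `open_normally` runs, because `--header=${header}` is passed straight to `cryptsetup luksOpen` in stage 1; the visible part of `openCommand` only waits for `device` to appear, so a header on a slowly probed device would presumably not be waited for — worth a sentence such as `The file or device must be available in the initrd before the LUKS device is opened.` `openCommand` starts and ends outside this hunk, so that wait logic could not be checked here.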
@@ -47,13 +47,32 @@ in ''; }; - virtualisation.xen.bridge = - mkOption { - default = "xenbr0"; - description = - '' - Create a bridge for the Xen domUs to connect to. + virtualisation.xen.bridge = { + name = mkOption { + default = "xenbr0"; + description = '' + Name of bridge the Xen domUs connect to. + ''; + }; + + address = mkOption { + type = types.str; + default = "172.16.0.1"; + description = '' + IPv4 address of the bridge. ''; + }; + + prefixLength = mkOption { + type = types.addCheck types.int (n: n >= 0 && n <= 32); + default = 16; + description = '' + Subnet mask of the bridge interface, specified as the number of + bits in the prefix (<literal>24</literal>). + A DHCP server will provide IP addresses for the whole, remaining + subnet. + ''; + }; }; virtualisation.xen.stored = 
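Review bot: `virtualisation.xen.bridge` changes from a string option to an attribute set, so any existing configuration that sets `virtualisation.xen.bridge = "xenbr0"` now fails evaluation with a type error rather than a pointer to the new `bridge.name`; a migration hint (a rename shim in the module's `imports` via `mkRenamedOptionModule`, which may need care since the old and new paths overlap, or at least a release note) would ease the change. `bridge.name` is declared without a `type`, unlike its two siblings; `type = types.str;` keeps the three consistent. `address` is a bare `types.str` with no check that it is an IPv4 address even though it is later interpolated into `sipcalc`, `ifconfig` and iptables commands; an `example = "172.16.0.1";` would at least document the expected form.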
@@ -261,11 +280,71 @@ in description = "Xen bridge"; wantedBy = [ "multi-user.target" ]; before = [ "xen-domains.service" ]; - serviceConfig.RemainAfterExit = "yes"; - serviceConfig.ExecStart = "${pkgs.bridge-utils}/bin/brctl addbr ${cfg.bridge}"; - postStart = "${pkgs.inetutils}/bin/ifconfig ${cfg.bridge} up"; - serviceConfig.ExecStop = "${pkgs.inetutils}/bin/ifconfig ${cfg.bridge} down"; - postStop = "${pkgs.bridge-utils}/bin/brctl delbr ${cfg.bridge}"; + preStart = '' + mkdir -p /var/run/xen + touch /var/run/xen/dnsmasq.pid + touch /var/run/xen/dnsmasq.etherfile + touch /var/run/xen/dnsmasq.leasefile + + IFS='-' read -a data <<< `${pkgs.sipcalc}/bin/sipcalc ${cfg.bridge.address}/${toString cfg.bridge.prefixLength} | grep Usable\ range` + export XEN_BRIDGE_IP_RANGE_START="${"\${data[1]//[[:blank:]]/}"}" + export XEN_BRIDGE_IP_RANGE_END="${"\${data[2]//[[:blank:]]/}"}" + + IFS='-' read -a data <<< `${pkgs.sipcalc}/bin/sipcalc ${cfg.bridge.address}/${toString cfg.bridge.prefixLength} | grep Network\ address` + export XEN_BRIDGE_NETWORK_ADDRESS="${"\${data[1]//[[:blank:]]/}"}" + + echo "${cfg.bridge.address} host gw dns" > /var/run/xen/dnsmasq.hostsfile + + cat <<EOF > /var/run/xen/dnsmasq.conf + no-daemon + pid-file=/var/run/xen/dnsmasq.pid + interface=${cfg.bridge.name} + except-interface=lo + bind-interfaces + auth-server=dns.xen.local,${cfg.bridge.name} + auth-zone=xen.local,$XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength} + domain=xen.local + addn-hosts=/var/run/xen/dnsmasq.hostsfile + expand-hosts + strict-order + no-hosts + bogus-priv + no-resolv + no-poll + filterwin2k + clear-on-reload + domain-needed + dhcp-hostsfile=/var/run/xen/dnsmasq.etherfile + dhcp-authoritative + dhcp-range=$XEN_BRIDGE_IP_RANGE_START,$XEN_BRIDGE_IP_RANGE_END,$XEN_BRIDGE_NETWORK_ADDRESS + dhcp-no-override + no-ping + dhcp-leasefile=/var/run/xen/dnsmasq.leasefile + EOF + + # DHCP + ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p tcp -s 
$XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength} --sport 68 --dport 67 -j ACCEPT + ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p udp -s $XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength} --sport 68 --dport 67 -j ACCEPT + # DNS + ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p tcp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT + ${pkgs.iptables}/bin/iptables -I INPUT -i ${cfg.bridge.name} -p udp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT + + ${pkgs.bridge-utils}/bin/brctl addbr ${cfg.bridge.name} + ${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} ${cfg.bridge.address} + ${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} up + ''; + serviceConfig.ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq --conf-file=/var/run/xen/dnsmasq.conf"; + postStop = '' + ${pkgs.inetutils}/bin/ifconfig ${cfg.bridge.name} down + ${pkgs.bridge-utils}/bin/brctl delbr ${cfg.bridge.name} + + # DNS + ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p udp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT + ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p tcp -d ${cfg.bridge.address} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT + # DHCP + ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p udp --sport 68 --dport 67 -j ACCEPT + ${pkgs.iptables}/bin/iptables -D INPUT -i ${cfg.bridge.name} -p tcp --sport 68 --dport 67 -j ACCEPT + ''; }; diff --git a/nixos/tests/chromium.nix b/nixos/tests/chromium.nix index 2241bc9c3bca..6c2302594b91 100644 --- a/nixos/tests/chromium.nix +++ b/nixos/tests/chromium.nix 
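Review bot: The `postStop` lines that delete the two DHCP ACCEPT rules do not match the rules `preStart` inserted: the inserts carry `-s $XEN_BRIDGE_NETWORK_ADDRESS/${toString cfg.bridge.prefixLength}` while the deletes omit it, and `$XEN_BRIDGE_NETWORK_ADDRESS` is only exported in the `preStart` shell anyway, so `iptables -D` fails and the INPUT chain gains two rules on every restart. The source filter is also doubtful for DHCP, since a client with no lease yet sends its DISCOVER/REQUEST from `0.0.0.0`, which is outside the subnet; dropping `-s` from the two inserts so they read `iptables -I INPUT -i ${cfg.bridge.name} -p udp --sport 68 --dport 67 -j ACCEPT` (mirrored by the existing `-D` line) makes insert and delete symmetric, and the `-p tcp` variants can go because DHCP is UDP only. In the generated dnsmasq config the third field of `dhcp-range=` is the netmask, so passing the network address taken from sipcalc's "Network address" line there looks wrong — omitting it lets dnsmasq derive the mask from the interface. The unit definition this hunk edits starts outside the hunk.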
@@ -157,10 +157,11 @@ import ./make-test.nix ( my $clipboard = $machine->succeed("${pkgs.xclip}/bin/xclip -o"); die "sandbox not working properly: $clipboard" - unless $clipboard =~ /(?:suid|namespace) sandbox.*yes/mi + unless $clipboard =~ /namespace sandbox.*yes/mi && $clipboard =~ /pid namespaces.*yes/mi && $clipboard =~ /network namespaces.*yes/mi - && $clipboard =~ /seccomp.*sandbox.*yes/mi; + && $clipboard =~ /seccomp.*sandbox.*yes/mi + && $clipboard =~ /you are adequately sandboxed/mi; }; }; } |
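Review bot: The failure message still dumps the whole clipboard but not which of the five sandbox checks missed, and the checks are now five near-identical `$clipboard =~ /…/mi` clauses; collecting them in a list lets the test report the first unmet requirement, e.g. `my @required = (qr/namespace sandbox.*yes/mi, qr/pid namespaces.*yes/mi, qr/network namespaces.*yes/mi, qr/seccomp.*sandbox.*yes/mi, qr/you are adequately sandboxed/mi);` followed by `for my $re (@required) { die "sandbox not working properly (missing $re): $clipboard" unless $clipboard =~ $re; }`. Dropping the `(?:suid|namespace)` alternative means a Chromium running on the SUID sandbox now fails this test outright, which is presumably intended but deserves a one-line comment above the `die`, e.g. `# Only the namespace sandbox is accepted; the SUID sandbox no longer passes.` The enclosing test script starts outside the hunk.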