Diffstat (limited to 'nixpkgs/nixos/modules/services/networking')
7 files changed, 388 insertions, 5 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/pleroma.nix b/nixpkgs/nixos/modules/services/networking/pleroma.nix index 2687230a158d..bd75083a4a78 100644 --- a/nixpkgs/nixos/modules/services/networking/pleroma.nix +++ b/nixpkgs/nixos/modules/services/networking/pleroma.nix @@ -8,7 +8,7 @@ in { package = mkOption { type = types.package; - default = pkgs.pleroma-otp; + default = pkgs.pleroma; description = "Pleroma package to use."; }; diff --git a/nixpkgs/nixos/modules/services/networking/solanum.nix b/nixpkgs/nixos/modules/services/networking/solanum.nix index b6496fb8b35a..dc066a245494 100644 --- a/nixpkgs/nixos/modules/services/networking/solanum.nix +++ b/nixpkgs/nixos/modules/services/networking/solanum.nix @@ -2,7 +2,7 @@ let inherit (lib) mkEnableOption mkIf mkOption types; - inherit (pkgs) solanum; + inherit (pkgs) solanum util-linux; cfg = config.services.solanum; configFile = pkgs.writeText "solanum.conf" cfg.config; @@ -78,12 +78,20 @@ in config = mkIf cfg.enable (lib.mkMerge [ { + + environment.etc."solanum/ircd.conf".source = configFile; + systemd.services.solanum = { description = "Solanum IRC daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + restartTriggers = [ + configFile + ]; serviceConfig = { - ExecStart = "${solanum}/bin/solanum -foreground -logfile /dev/stdout -configfile ${configFile} -pidfile /run/solanum/ircd.pid"; + ExecStart = "${solanum}/bin/solanum -foreground -logfile /dev/stdout -configfile /etc/solanum/ircd.conf -pidfile /run/solanum/ircd.pid"; + ExecReload = "${util-linux}/bin/kill -HUP $MAINPID"; DynamicUser = true; User = "solanum"; StateDirectory = "solanum"; diff --git a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix index b3fe496e41c0..7df7bd9a35bc 100644 --- a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix 
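Review bot: `environment.etc."solanum/ircd.conf".source = configFile` exposes the rendered `cfg.config` under `/etc` as (by default) a symlink into the world-readable Nix store, and an ircd configuration commonly carries operator and server-link passwords; the old `-configfile ${configFile}` already read it straight from the store, so this is not a regression, but the hunk cements the exposure. Because the unit runs with `DynamicUser = true` there is no stable group the file could be restricted to, so the practical fix is a caveat on the `services.solanum.config` option (outside this hunk): `Note: the rendered configuration ends up in the world-readable Nix store and /etc; do not put secrets in it that must stay private to the daemon.` A short comment above the `environment.etc` line explaining that the fixed `/etc` path exists so `reloadIfChanged` plus `restartTriggers = [ configFile ]` can re-read a changed config without a restart would also spare the next reader the detour.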
@@ -41,6 +41,10 @@ let Warning: If you are using <literal>NixOps</literal> then don't use this option since it will replace the key required for deployment via ssh. ''; + example = [ + "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host" + "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar" + ]; }; keyFiles = mkOption { @@ -252,7 +256,17 @@ in authorizedKeysFiles = mkOption { type = types.listOf types.str; default = []; - description = "Files from which authorized keys are read."; + description = '' + Specify the rules for which files to read on the host. + + This is an advanced option. If you're looking to configure user + keys, you can generally use <xref linkend="opt-users.users._name_.openssh.authorizedKeys.keys"/> + or <xref linkend="opt-users.users._name_.openssh.authorizedKeys.keyFiles"/>. + + These are paths relative to the host root file system or home + directories and they are subject to certain token expansion rules. + See AuthorizedKeysFile in man sshd_config for details. + ''; }; authorizedKeysCommand = mkOption { diff --git a/nixpkgs/nixos/modules/services/networking/tailscale.nix b/nixpkgs/nixos/modules/services/networking/tailscale.nix index 9a28a266a928..c33a38179ee4 100644 --- a/nixpkgs/nixos/modules/services/networking/tailscale.nix +++ b/nixpkgs/nixos/modules/services/networking/tailscale.nix @@ -15,6 +15,12 @@ in { description = "The port to listen on for tunnel traffic (0=autoselect)."; }; + interfaceName = mkOption { + type = types.str; + default = "tailscale0"; + description = ''The interface name for tunnel traffic. Use "userspace-networking" (beta) to not use TUN.''; + }; + package = mkOption { type = types.package; default = pkgs.tailscale; 
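Review bot: The new `authorizedKeysFiles` description explains token expansion but not the trust consequence a reader of an "advanced option" most needs: any path under a user's home directory (the `%h` case the text alludes to) is writable by that user, so listing it here lets the account holder grant themselves access independently of the NixOS configuration. I would add after the sentence on token expansion: `Files under a user's home directory are writable by that user; listing them here means keys are no longer controlled solely by this configuration.` It would also help to state whether these entries extend or replace sshd's default `AuthorizedKeysFile` list, which I cannot tell from this hunk because the line that renders the option into `sshd_config` is outside it.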
@@ -29,7 +35,10 @@ in {
 systemd.services.tailscaled = {
 wantedBy = [ "multi-user.target" ];
 path = [ pkgs.openresolv ];
- serviceConfig.Environment = "PORT=${toString cfg.port}";
+ serviceConfig.Environment = [
+ "PORT=${toString cfg.port}"
+ ''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName}"''
+ ];
 };
 };
 }
diff --git a/nixpkgs/nixos/modules/services/networking/ucarp.nix b/nixpkgs/nixos/modules/services/networking/ucarp.nix
new file mode 100644
index 000000000000..9b19a19687bc
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/ucarp.nix 
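Review bot: The `FLAGS` entry works only because of two non-obvious facts that deserve a comment: systemd removes the outer double quotes of an `Environment=` assignment, and the packaged unit's `ExecStart` (outside this hunk, presumably expanding an unquoted `$FLAGS`) word-splits the value with shell-style quoting, which is what makes the single quotes added by `lib.escapeShellArg` disappear instead of reaching tailscaled as literal characters. I would add above the list: `# Quoted for systemd's $FLAGS word-splitting, which honours shell quoting; confirm if the upstream unit changes.` Since `interfaceName` is an unrestricted `types.str`, the option description could also name the expected values (a device name, or the literal `userspace-networking`) so users do not pass arbitrary flags through it.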
@@ -0,0 +1,183 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.networking.ucarp; + + ucarpExec = concatStringsSep " " ( + [ + "${cfg.package}/bin/ucarp" + "--interface=${cfg.interface}" + "--srcip=${cfg.srcIp}" + "--vhid=${toString cfg.vhId}" + "--passfile=${cfg.passwordFile}" + "--addr=${cfg.addr}" + "--advbase=${toString cfg.advBase}" + "--advskew=${toString cfg.advSkew}" + "--upscript=${cfg.upscript}" + "--downscript=${cfg.downscript}" + "--deadratio=${toString cfg.deadratio}" + ] + ++ (optional cfg.preempt "--preempt") + ++ (optional cfg.neutral "--neutral") + ++ (optional cfg.shutdown "--shutdown") + ++ (optional cfg.ignoreIfState "--ignoreifstate") + ++ (optional cfg.noMcast "--nomcast") + ++ (optional (cfg.extraParam != null) "--xparam=${cfg.extraParam}") + ); +in { + options.networking.ucarp = { + enable = mkEnableOption "ucarp, userspace implementation of CARP"; + + interface = mkOption { + type = types.str; + description = "Network interface to bind to."; + example = "eth0"; + }; + + srcIp = mkOption { + type = types.str; + description = "Source (real) IP address of this host."; + }; + + vhId = mkOption { + type = types.ints.between 1 255; + description = "Virtual IP identifier shared between CARP hosts."; + example = 1; + }; + + passwordFile = mkOption { + type = types.str; + description = "File containing shared password between CARP hosts."; + example = "/run/keys/ucarp-password"; + }; + + preempt = mkOption { + type = types.bool; + description = '' + Enable preemptive failover. + Thus, this host becomes the CARP master as soon as possible. 
+ ''; + default = false; + }; + + neutral = mkOption { + type = types.bool; + description = "Do not run downscript at start if the host is the backup."; + default = false; + }; + + addr = mkOption { + type = types.str; + description = "Virtual shared IP address."; + }; + + advBase = mkOption { + type = types.ints.unsigned; + description = "Advertisement frequency in seconds."; + default = 1; + }; + + advSkew = mkOption { + type = types.ints.unsigned; + description = "Advertisement skew in seconds."; + default = 0; + }; + + upscript = mkOption { + type = types.path; + description = '' + Command to run after become master, the interface name, virtual address + and optional extra parameters are passed as arguments. + ''; + example = '' + pkgs.writeScript "upscript" ''' + #!/bin/sh + $\{pkgs.iproute2\}/bin/ip addr add "$2"/24 dev "$1" + '''; + ''; + }; + + downscript = mkOption { + type = types.path; + description = '' + Command to run after become backup, the interface name, virtual address + and optional extra parameters are passed as arguments. + ''; + example = '' + pkgs.writeScript "downscript" ''' + #!/bin/sh + $\{pkgs.iproute2\}/bin/ip addr del "$2"/24 dev "$1" + '''; + ''; + }; + + deadratio = mkOption { + type = types.ints.unsigned; + description = "Ratio to consider a host as dead."; + default = 3; + }; + + shutdown = mkOption { + type = types.bool; + description = "Call downscript at exit."; + default = false; + }; + + ignoreIfState = mkOption { + type = types.bool; + description = "Ignore interface state, e.g., down or no carrier."; + default = false; + }; + + noMcast = mkOption { + type = types.bool; + description = "Use broadcast instead of multicast advertisements."; + default = false; + }; + + extraParam = mkOption { + type = types.nullOr types.str; + description = "Extra parameter to pass to the up/down scripts."; + default = null; + }; + + package = mkOption { + type = types.package; + description = '' + Package that should be used for ucarp. 
+ + Please note that the default package, pkgs.ucarp, has not received any + upstream updates for a long time and can be considered as unmaintained. + ''; + default = pkgs.ucarp; + defaultText = "pkgs.ucarp"; + }; + }; + + config = mkIf cfg.enable { + systemd.services.ucarp = { + description = "ucarp, userspace implementation of CARP"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + Type = "exec"; + ExecStart = ucarpExec; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + ProtectClock = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ oxzi ]; +} diff --git a/nixpkgs/nixos/modules/services/networking/x2goserver.nix b/nixpkgs/nixos/modules/services/networking/x2goserver.nix new file mode 100644 index 000000000000..48020fc1ceca --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/x2goserver.nix 
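Review bot: `ucarpExec` joins every option value into the `ExecStart` string without escaping, so `--xparam=${cfg.extraParam}` (a free-form `types.str`) or a `passwordFile`, `upscript` or `downscript` path containing whitespace or quotes is re-split by systemd into extra argv words, and nothing in the module validates those values. Wrapping each interpolation, e.g. `"--xparam=${escapeShellArg cfg.extraParam}"`, keeps a value as one argument since systemd's `ExecStart` honours shell-style quoting (worth confirming against the systemd version in use). Separately, the unit sets hardening knobs but no `User`, so ucarp and the up/down scripts run as full root; ucarp needs raw sockets and the example scripts call `ip addr`, so a `CapabilityBoundingSet` limited to `CAP_NET_RAW` and `CAP_NET_ADMIN` would shrink that, though the exact set should be confirmed by testing. The `passwordFile` description should also say what the secret protects — per ucarp's documentation it keys the authentication of CARP advertisements, so a guessable password lets any host on the segment claim `addr` — and that the file must be readable by root since the service does not drop privileges.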
@@ -0,0 +1,161 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.x2goserver; + + defaults = { + superenicer = { enable = cfg.superenicer.enable; }; + }; + confText = generators.toINI {} (recursiveUpdate defaults cfg.settings); + x2goServerConf = pkgs.writeText "x2goserver.conf" confText; + + x2goAgentOptions = pkgs.writeText "x2goagent.options" '' + X2GO_NXOPTIONS="" + X2GO_NXAGENT_DEFAULT_OPTIONS="${concatStringsSep " " cfg.nxagentDefaultOptions}" + ''; + +in { + imports = [ + (mkRenamedOptionModule [ "programs" "x2goserver" ] [ "services" "x2goserver" ]) + ]; + + options.services.x2goserver = { + enable = mkEnableOption "x2goserver" // { + description = '' + Enables the x2goserver module. + NOTE: This will create a good amount of symlinks in `/usr/local/bin` + ''; + }; + + superenicer = { + enable = mkEnableOption "superenicer" // { + description = '' + Enables the SupeReNicer code in x2gocleansessions, this will renice + suspended sessions to nice level 19 and renice them to level 0 if the + session becomes marked as running again + ''; + }; + }; + + nxagentDefaultOptions = mkOption { + type = types.listOf types.str; + default = [ "-extension GLX" "-nolisten tcp" ]; + example = [ "-extension GLX" "-nolisten tcp" ]; + description = '' + List of default nx agent options. + ''; + }; + + settings = mkOption { + type = types.attrsOf types.attrs; + default = {}; + description = '' + x2goserver.conf ini configuration as nix attributes. 
See + `x2goserver.conf(5)` for details + ''; + example = literalExample '' + superenicer = { + "enable" = "yes"; + "idle-nice-level" = 19; + }; + telekinesis = { "enable" = "no"; }; + ''; + }; + }; + + config = mkIf cfg.enable { + + # x2goserver can run X11 program even if "services.xserver.enable = false" + xdg = { + autostart.enable = true; + menus.enable = true; + mime.enable = true; + icons.enable = true; + }; + + environment.systemPackages = [ pkgs.x2goserver ]; + + users.groups.x2go = {}; + users.users.x2go = { + home = "/var/lib/x2go/db"; + group = "x2go"; + isSystemUser = true; + }; + + security.wrappers.x2gosqliteWrapper = { + source = "${pkgs.x2goserver}/lib/x2go/libx2go-server-db-sqlite3-wrapper.pl"; + owner = "x2go"; + group = "x2go"; + setgid = true; + }; + security.wrappers.x2goprintWrapper = { + source = "${pkgs.x2goserver}/bin/x2goprint"; + owner = "x2go"; + group = "x2go"; + setgid = true; + }; + + systemd.tmpfiles.rules = with pkgs; [ + "d /var/lib/x2go/ - x2go x2go - -" + "d /var/lib/x2go/db - x2go x2go - -" + "d /var/lib/x2go/conf - x2go x2go - -" + "d /run/x2go 0755 x2go x2go - -" + ] ++ + # x2goclient sends SSH commands with preset PATH set to + # "/usr/local/bin;/usr/bin;/bin". Since we cannot filter arbitrary ssh + # commands, we have to make the following executables available. 
+ map (f: "L+ /usr/local/bin/${f} - - - - ${x2goserver}/bin/${f}") [ + "x2goagent" "x2gobasepath" "x2gocleansessions" "x2gocmdexitmessage" + "x2godbadmin" "x2gofeature" "x2gofeaturelist" "x2gofm" "x2gogetapps" + "x2gogetservers" "x2golistdesktops" "x2golistmounts" "x2golistsessions" + "x2golistsessions_root" "x2golistshadowsessions" "x2gomountdirs" + "x2gopath" "x2goprint" "x2goresume-desktopsharing" "x2goresume-session" + "x2goruncommand" "x2goserver-run-extensions" "x2gosessionlimit" + "x2gosetkeyboard" "x2goshowblocks" "x2gostartagent" + "x2gosuspend-desktopsharing" "x2gosuspend-session" + "x2goterminate-desktopsharing" "x2goterminate-session" + "x2goumount-session" "x2goversion" + ] ++ [ + "L+ /usr/local/bin/awk - - - - ${gawk}/bin/awk" + "L+ /usr/local/bin/chmod - - - - ${coreutils}/bin/chmod" + "L+ /usr/local/bin/cp - - - - ${coreutils}/bin/cp" + "L+ /usr/local/bin/sed - - - - ${gnused}/bin/sed" + "L+ /usr/local/bin/setsid - - - - ${util-linux}/bin/setsid" + "L+ /usr/local/bin/xrandr - - - - ${xorg.xrandr}/bin/xrandr" + "L+ /usr/local/bin/xmodmap - - - - ${xorg.xmodmap}/bin/xmodmap" + ]; + + systemd.services.x2goserver = { + description = "X2Go Server Daemon"; + wantedBy = [ "multi-user.target" ]; + unitConfig.Documentation = "man:x2goserver.conf(5)"; + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.x2goserver}/bin/x2gocleansessions"; + PIDFile = "/run/x2go/x2goserver.pid"; + User = "x2go"; + Group = "x2go"; + RuntimeDirectory = "x2go"; + StateDirectory = "x2go"; + }; + preStart = '' + if [ ! 
-e /var/lib/x2go/setup_ran ] + then + mkdir -p /var/lib/x2go/conf + cp -r ${pkgs.x2goserver}/etc/x2go/* /var/lib/x2go/conf/ + ln -sf ${x2goServerConf} /var/lib/x2go/conf/x2goserver.conf + ln -sf ${x2goAgentOptions} /var/lib/x2go/conf/x2goagent.options + ${pkgs.x2goserver}/bin/x2godbadmin --createdb + touch /var/lib/x2go/setup_ran + fi + ''; + }; + + # https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=276 + security.sudo.extraConfig = '' + Defaults env_keep+=QT_GRAPHICSSYSTEM + ''; + }; +} diff --git a/nixpkgs/nixos/modules/services/networking/xrdp.nix b/nixpkgs/nixos/modules/services/networking/xrdp.nix index b7dd1c5d99dd..9be7c3233e26 100644 --- a/nixpkgs/nixos/modules/services/networking/xrdp.nix +++ b/nixpkgs/nixos/modules/services/networking/xrdp.nix @@ -61,6 +61,12 @@ in ''; }; + openFirewall = mkOption { + default = false; + type = types.bool; + description = "Whether to open the firewall for the specified RDP port."; + }; + sslKey = mkOption { type = types.str; default = "/etc/xrdp/key.pem"; @@ -99,6 +105,8 @@ in config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; + # xrdp can run X11 program even if "services.xserver.enable = false" xdg = { autostart.enable = true; |
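Review bot: The `preStart` block links `x2goServerConf` and `x2goAgentOptions` into `/var/lib/x2go/conf` only while `setup_ran` is absent, so after the first activation any change to `services.x2goserver.settings` or `nxagentDefaultOptions` yields a new store path that is never linked and the daemon keeps reading the old file. Move `ln -sf ${x2goServerConf} /var/lib/x2go/conf/x2goserver.conf` and `ln -sf ${x2goAgentOptions} /var/lib/x2go/conf/x2goagent.options` after `fi` so they run on every start; `ln -sf` is idempotent. Relatedly, `defaults` feeds the boolean `cfg.superenicer.enable` into `generators.toINI`, which I believe renders it as `true`/`false`, while the option example writes `"enable" = "yes"`; if x2goserver.conf expects yes/no as the example suggests, the default should be `enable = if cfg.superenicer.enable then "yes" else "no";`. The two setgid `security.wrappers` and the `/usr/local/bin` symlinks enlarge the attack surface for a reason that is documented only for the symlinks; a one-line comment on each wrapper stating why setgid `x2go` is required (presumably shared write access to the session database) would help future reviewers.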