Diffstat (limited to 'nixpkgs/nixos/modules/services/networking')
8 files changed, 292 insertions, 31 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/dae.nix b/nixpkgs/nixos/modules/services/networking/dae.nix
new file mode 100644
index 000000000000..231c555b3303
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/dae.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.services.dae;
+in
+{
+ meta.maintainers = with lib.maintainers; [ pokon548 ];
+
+ options = {
+ services.dae = {
+ enable = lib.options.mkEnableOption (lib.mdDoc "the dae service");
+ package = lib.mkPackageOptionMD pkgs "dae" { };
+ };
+ };
+
+ config = lib.mkIf config.services.dae.enable {
+ networking.firewall.allowedTCPPorts = [ 12345 ];
+ networking.firewall.allowedUDPPorts = [ 12345 ];
+
+ systemd.services.dae = {
+ unitConfig = {
+ Description = "dae Service";
+ Documentation = "https://github.com/daeuniverse/dae";
+ After = [ "network-online.target" "systemd-sysctl.service" ];
+ Wants = [ "network-online.target" ];
+ };
+
+ serviceConfig = {
+ User = "root";
+ ExecStartPre = "${lib.getExe cfg.package} validate -c /etc/dae/config.dae";
+ ExecStart = "${lib.getExe cfg.package} run --disable-timestamp -c /etc/dae/config.dae";
+ ExecReload = "${lib.getExe cfg.package} reload $MAINPID";
+ LimitNPROC = 512;
+ LimitNOFILE = 1048576;
+ Restart = "on-abnormal";
+ Type = "notify";
+ };
+
+ wantedBy = [ "multi-user.target" ];
+ };
+ };
+}
diff --git a/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix
index 082e0195093e..741f054cd88b 100644
--- a/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixpkgs/nixos/modules/services/networking/dnscrypt-wrapper.nix
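Review bot: The two `networking.firewall.allowed{TCP,UDP}Ports = [ 12345 ];` lines open a hard-coded port on every interface whenever the service is enabled, with no way to opt out and no link to what the user's `/etc/dae/config.dae` actually binds. The nixpkgs convention is an `openFirewall` option defaulting to false, e.g. `openFirewall = lib.mkOption { type = lib.types.bool; default = false; description = lib.mdDoc "Whether to open port 12345 (TCP and UDP) in the firewall for dae."; };` together with `networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ 12345 ]; allowedUDPPorts = [ 12345 ]; };`. The unit also runs with `User = "root"` and no sandboxing directives; dae presumably needs elevated network/eBPF privileges, but a comment stating why root is required, plus whatever `Protect*`/`CapabilityBoundingSet=` settings still work, would make the trade-off explicit. Finally, `/etc/dae/config.dae` is hard-coded and never produced by the module, so a `configFile` option or at least a comment that the user must supply it would make the `validate` failure in `ExecStartPre` less surprising.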
@@ -71,9 +71,9 @@ let if ! keyValid; then echo "certificate soon to become invalid; backing up old cert" mkdir -p oldkeys - mv -v ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key - mv -v ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt - systemctl restart dnscrypt-wrapper + mv -v "${cfg.providerName}.key" "oldkeys/${cfg.providerName}-$(date +%F-%T).key" + mv -v "${cfg.providerName}.crt" "oldkeys/${cfg.providerName}-$(date +%F-%T).crt" + kill "$(pidof -s dnscrypt-wrapper)" fi ''; @@ -222,17 +222,6 @@ in { }; users.groups.dnscrypt-wrapper = { }; - security.polkit.extraConfig = '' - // Allow dnscrypt-wrapper user to restart dnscrypt-wrapper.service - polkit.addRule(function(action, subject) { - if (action.id == "org.freedesktop.systemd1.manage-units" && - action.lookup("unit") == "dnscrypt-wrapper.service" && - subject.user == "dnscrypt-wrapper") { - return polkit.Result.YES; - } - }); - ''; - systemd.services.dnscrypt-wrapper = { description = "dnscrypt-wrapper daemon"; after = [ "network.target" ]; @@ -242,7 +231,7 @@ in { serviceConfig = { User = "dnscrypt-wrapper"; WorkingDirectory = dataDir; - Restart = "on-failure"; + Restart = "always"; ExecStart = "${pkgs.dnscrypt-wrapper}/bin/dnscrypt-wrapper ${toString daemonArgs}"; }; @@ -255,7 +244,7 @@ in { requires = [ "dnscrypt-wrapper.service" ]; description = "Rotates DNSCrypt wrapper keys if soon to expire"; - path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk ]; + path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy1 gawk procps ]; script = rotateKeys; serviceConfig.User = "dnscrypt-wrapper"; }; diff --git a/nixpkgs/nixos/modules/services/networking/haproxy.nix b/nixpkgs/nixos/modules/services/networking/haproxy.nix index e0b686434b6e..208eb356d629 100644 --- a/nixpkgs/nixos/modules/services/networking/haproxy.nix +++ b/nixpkgs/nixos/modules/services/networking/haproxy.nix 
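Review bot: `kill "$(pidof -s dnscrypt-wrapper)"` runs after the key and certificate have already been moved into `oldkeys/`, and when no daemon is running `pidof` prints nothing, so `kill ""` fails and, under the `-e` shell NixOS wraps `script` in, aborts the rotation at that point; `pidof -s` also selects a single PID by process name, which is fragile if more than one matching process exists. A guarded form such as `pid=$(pidof -s dnscrypt-wrapper) && kill "$pid"`, or since this runs as the `dnscrypt-wrapper` user, `pkill -u dnscrypt-wrapper -x dnscrypt-wrapper || true`, keeps the script going either way. The intent — terminate the daemon so that `Restart = "always"` re-executes it with the fresh keys, replacing the removed polkit grant for `systemctl restart` — is not visible from this line and deserves a comment such as `# SIGTERM the daemon; systemd (Restart=always) re-execs it and it picks up the regenerated keys`. The enclosing `rotateKeys` script starts outside the hunk, so whether the regeneration step precedes this block cannot be confirmed here.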
@@ -17,14 +17,9 @@ with lib; options = { services.haproxy = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to enable HAProxy, the reliable, high performance TCP/HTTP - load balancer. - ''; - }; + enable = mkEnableOption (lib.mdDoc "HAProxy, the reliable, high performance TCP/HTTP load balancer."); + + package = mkPackageOptionMD pkgs "haproxy" { }; user = mkOption { type = types.str; @@ -70,15 +65,15 @@ with lib; ExecStartPre = [ # when the master process receives USR2, it reloads itself using exec(argv[0]), # so we create a symlink there and update it before reloading - "${pkgs.coreutils}/bin/ln -sf ${pkgs.haproxy}/sbin/haproxy /run/haproxy/haproxy" + "${pkgs.coreutils}/bin/ln -sf ${lib.getExe cfg.package} /run/haproxy/haproxy" # when running the config test, don't be quiet so we can see what goes wrong "/run/haproxy/haproxy -c -f ${haproxyCfg}" ]; ExecStart = "/run/haproxy/haproxy -Ws -f /etc/haproxy.cfg -p /run/haproxy/haproxy.pid"; # support reloading ExecReload = [ - "${pkgs.haproxy}/sbin/haproxy -c -f ${haproxyCfg}" - "${pkgs.coreutils}/bin/ln -sf ${pkgs.haproxy}/sbin/haproxy /run/haproxy/haproxy" + "${lib.getExe cfg.package} -c -f ${haproxyCfg}" + "${pkgs.coreutils}/bin/ln -sf ${lib.getExe cfg.package} /run/haproxy/haproxy" "${pkgs.coreutils}/bin/kill -USR2 $MAINPID" ]; KillMode = "mixed"; diff --git a/nixpkgs/nixos/modules/services/networking/headscale.nix b/nixpkgs/nixos/modules/services/networking/headscale.nix index 78253dd9d112..03e6f86af53f 100644 --- a/nixpkgs/nixos/modules/services/networking/headscale.nix +++ b/nixpkgs/nixos/modules/services/networking/headscale.nix @@ -292,7 +292,7 @@ in { }; client_secret_path = mkOption { - type = types.nullOr types.path; + type = types.nullOr types.str; default = null; description = lib.mdDoc '' Path to OpenID Connect client secret file. Expands environment variables in format ''${VAR}. 
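Review bot: `mkEnableOption` already wraps its argument as "Whether to enable … ." so the trailing period in `mkEnableOption (lib.mdDoc "HAProxy, the reliable, high performance TCP/HTTP load balancer.")` renders as a double full stop in the generated option documentation; use `enable = mkEnableOption (lib.mdDoc "HAProxy, the reliable, high performance TCP/HTTP load balancer");`. The new `package` option relies on the default `mkPackageOptionMD` text, but because the service now resolves the binary with `lib.getExe` (which falls back to `bin/<pname>` when `meta.mainProgram` is unset) while the old code used `sbin/haproxy`, a sentence telling users that an override must set `meta.mainProgram` or provide `bin/haproxy` would save a confusing start failure. The enclosing `options` attrset continues outside the hunk.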
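Review bot: Changing `client_secret_path` from `types.nullOr types.path` to `types.nullOr types.str` is the right call, but the description does not say why, so the next maintainer may "fix" it back: with `types.path` an unquoted path literal such as `/run/secrets/oidc` is copied into the world-readable Nix store, exposing the OIDC client secret. Extend the option description with a sentence like "Must be given as a quoted string; a bare path literal would be copied into the world-readable Nix store and leak the secret." The rest of the `client_secret_path` option (its closing `'';` and `};`) falls outside the hunk.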
diff --git a/nixpkgs/nixos/modules/services/networking/hostapd.nix b/nixpkgs/nixos/modules/services/networking/hostapd.nix index 924abfc2953f..4ec066c2ec97 100644 --- a/nixpkgs/nixos/modules/services/networking/hostapd.nix +++ b/nixpkgs/nixos/modules/services/networking/hostapd.nix @@ -987,7 +987,7 @@ in { } // optionalAttrs (bssCfg.authentication.wpaPassword != null) { wpa_passphrase = bssCfg.authentication.wpaPassword; } // optionalAttrs (bssCfg.authentication.wpaPskFile != null) { - wpa_psk_file = bssCfg.authentication.wpaPskFile; + wpa_psk_file = toString bssCfg.authentication.wpaPskFile; }; dynamicConfigScripts = let diff --git a/nixpkgs/nixos/modules/services/networking/jool.nix b/nixpkgs/nixos/modules/services/networking/jool.nix new file mode 100644 index 000000000000..3aafbe40967c --- /dev/null +++ b/nixpkgs/nixos/modules/services/networking/jool.nix 
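Review bot: The new `wpa_psk_file = toString bssCfg.authentication.wpaPskFile;` line relies on a distinction that is easy to undo in a later cleanup and so deserves a comment: `toString` on a Nix path value yields the path string without importing the file, whereas interpolating it (`"${path}"`) or letting it flow through a string context copies the PSK file into the world-readable Nix store. Suggested: `# toString keeps the PSK file out of the Nix store; interpolating the path would copy it in`. Whether `wpaPskFile` is declared as `types.path` is not visible here, so also confirm that a plain string value still passes through unchanged; the enclosing attrset starts and ends outside the hunk.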
@@ -0,0 +1,222 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.networking.jool; + + jool = config.boot.kernelPackages.jool; + jool-cli = pkgs.jool-cli; + + hardening = { + # Run as unprivileged user + User = "jool"; + Group = "jool"; + DynamicUser = true; + + # Restrict filesystem to only read the jool module + TemporaryFileSystem = [ "/" ]; + BindReadOnlyPaths = [ + builtins.storeDir + "/run/current-system/kernel-modules" + ]; + + # Give capabilities to load the module and configure it + AmbientCapabilities = [ "CAP_SYS_MODULE" "CAP_NET_ADMIN" ]; + RestrictAddressFamilies = [ "AF_NETLINK" ]; + + # Other restrictions + RestrictNamespaces = [ "net" ]; + SystemCallFilter = [ "@system-service" "@module" ]; + CapabilityBoundingSet = [ "CAP_SYS_MODULE" "CAP_NET_ADMIN" ]; + }; + + configFormat = pkgs.formats.json {}; + + mkDefaultAttrs = lib.mapAttrs (n: v: lib.mkDefault v); + + defaultNat64 = { + instance = "default"; + framework = "netfilter"; + global.pool6 = "64:ff9b::/96"; + }; + defaultSiit = { + instance = "default"; + framework = "netfilter"; + }; + + nat64Conf = configFormat.generate "jool-nat64.conf" cfg.nat64.config; + siitConf = configFormat.generate "jool-siit.conf" cfg.siit.config; + +in + +{ + ###### interface + + options = { + networking.jool.enable = lib.mkOption { + type = lib.types.bool; + default = false; + relatedPackages = [ "linuxPackages.jool" "jool-cli" ]; + description = lib.mdDoc '' + Whether to enable Jool, an Open Source implementation of IPv4/IPv6 + translation on Linux. + + Jool can perform stateless IP/ICMP translation (SIIT) or stateful + NAT64, analogous to the IPv4 NAPT. Refer to the upstream + [documentation](https://nicmx.github.io/Jool/en/intro-xlat.html) for + the supported modes of translation and how to configure them. 
+ ''; + }; + + networking.jool.nat64.enable = lib.mkEnableOption (lib.mdDoc "a NAT64 instance of Jool."); + networking.jool.nat64.config = lib.mkOption { + type = configFormat.type; + default = defaultNat64; + example = lib.literalExpression '' + { + # custom NAT64 prefix + global.pool6 = "2001:db8:64::/96"; + + # Port forwarding + bib = [ + { # SSH 192.0.2.16 → 2001:db8:a::1 + "protocol" = "TCP"; + "ipv4 address" = "192.0.2.16#22"; + "ipv6 address" = "2001:db8:a::1#22"; + } + { # DNS (TCP) 192.0.2.16 → 2001:db8:a::2 + "protocol" = "TCP"; + "ipv4 address" = "192.0.2.16#53"; + "ipv6 address" = "2001:db8:a::2#53"; + } + { # DNS (UDP) 192.0.2.16 → 2001:db8:a::2 + "protocol" = "UDP"; + "ipv4 address" = "192.0.2.16#53"; + "ipv6 address" = "2001:db8:a::2#53"; + } + ]; + + pool4 = [ + # Ports for dynamic translation + { protocol = "TCP"; prefix = "192.0.2.16/32"; "port range" = "40001-65535"; } + { protocol = "UDP"; prefix = "192.0.2.16/32"; "port range" = "40001-65535"; } + { protocol = "ICMP"; prefix = "192.0.2.16/32"; "port range" = "40001-65535"; } + + # Ports for static BIB entries + { protocol = "TCP"; prefix = "192.0.2.16/32"; "port range" = "22"; } + { protocol = "UDP"; prefix = "192.0.2.16/32"; "port range" = "53"; } + ]; + } + ''; + description = lib.mdDoc '' + The configuration of a stateful NAT64 instance of Jool managed through + NixOS. See https://nicmx.github.io/Jool/en/config-atomic.html for the + available options. + + ::: {.note} + Existing or more instances created manually will not interfere with the + NixOS instance, provided the respective `pool4` addresses and port + ranges are not overlapping. + ::: + + ::: {.warning} + Changes to the NixOS instance performed via `jool instance nixos-nat64` + are applied correctly but will be lost after restarting + `jool-nat64.service`. 
+ ::: + ''; + }; + + networking.jool.siit.enable = lib.mkEnableOption (lib.mdDoc "a SIIT instance of Jool."); + networking.jool.siit.config = lib.mkOption { + type = configFormat.type; + default = defaultSiit; + example = lib.literalExpression '' + { + # Maps any IPv4 address x.y.z.t to 2001:db8::x.y.z.t and v.v. + pool6 = "2001:db8::/96"; + + # Explicit address mappings + eamt = [ + # 2001:db8:1:: ←→ 192.0.2.0 + { "ipv6 prefix": "2001:db8:1::/128", "ipv4 prefix": "192.0.2.0" } + # 2001:db8:1::x ←→ 198.51.100.x + { "ipv6 prefix": "2001:db8:2::/120", "ipv4 prefix": "198.51.100.0/24" } + ] + } + ''; + description = lib.mdDoc '' + The configuration of a SIIT instance of Jool managed through + NixOS. See https://nicmx.github.io/Jool/en/config-atomic.html for the + available options. + + ::: {.note} + Existing or more instances created manually will not interfere with the + NixOS instance, provided the respective `EAMT` address mappings are not + overlapping. + ::: + + ::: {.warning} + Changes to the NixOS instance performed via `jool instance nixos-siit` + are applied correctly but will be lost after restarting + `jool-siit.service`. 
+ ::: + ''; + }; + + }; + + ###### implementation + + config = lib.mkIf cfg.enable { + environment.systemPackages = [ jool-cli ]; + boot.extraModulePackages = [ jool ]; + + systemd.services.jool-nat64 = lib.mkIf cfg.nat64.enable { + description = "Jool, NAT64 setup"; + documentation = [ "https://nicmx.github.io/Jool/en/documentation.html" ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStartPre = "${pkgs.kmod}/bin/modprobe jool"; + ExecStart = "${jool-cli}/bin/jool file handle ${nat64Conf}"; + ExecStop = "${jool-cli}/bin/jool -f ${nat64Conf} instance remove"; + } // hardening; + }; + + systemd.services.jool-siit = lib.mkIf cfg.siit.enable { + description = "Jool, SIIT setup"; + documentation = [ "https://nicmx.github.io/Jool/en/documentation.html" ]; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStartPre = "${pkgs.kmod}/bin/modprobe jool_siit"; + ExecStart = "${jool-cli}/bin/jool_siit file handle ${siitConf}"; + ExecStop = "${jool-cli}/bin/jool_siit -f ${siitConf} instance remove"; + } // hardening; + }; + + system.checks = lib.singleton (pkgs.runCommand "jool-validated" { + nativeBuildInputs = [ pkgs.buildPackages.jool-cli ]; + preferLocalBuild = true; + } '' + printf 'Validating Jool configuration... ' + ${lib.optionalString cfg.siit.enable "jool_siit file check ${siitConf}"} + ${lib.optionalString cfg.nat64.enable "jool file check ${nat64Conf}"} + printf 'ok\n' + touch "$out" + ''); + + networking.jool.nat64.config = mkDefaultAttrs defaultNat64; + networking.jool.siit.config = mkDefaultAttrs defaultSiit; + + }; + + meta.maintainers = with lib.maintainers; [ rnhmjoj ]; + +} 
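Review bot: Both `jool-nat64` and `jool-siit` set `reloadIfChanged = true` but define no `ExecReload`, so when the generated config path changes, switch-to-configuration will issue `systemctl reload`, which systemd rejects for a unit without `ExecReload`, and the new translation rules are not applied until a manual restart. Since upstream documents `jool file handle` as atomic and re-runnable against an existing instance, adding `ExecReload = "${jool-cli}/bin/jool file handle ${nat64Conf}";` (and the `jool_siit` counterpart with `${siitConf}`) to each `serviceConfig` is probably the intended behaviour — confirm against the upstream docs. The SIIT `example` is not valid Nix: `{ "ipv6 prefix": "2001:db8:1::/128", "ipv4 prefix": "192.0.2.0" }` uses JSON syntax and should read `{ "ipv6 prefix" = "2001:db8:1::/128"; "ipv4 prefix" = "192.0.2.0"; }`, and the comment `# 2001:db8:1::x ←→ 198.51.100.x` does not match the `2001:db8:2::/120` prefix on the line below it. In the shared `hardening` set, `RestrictNamespaces = [ "net" ]` still permits the service to create network namespaces, which a netlink-only configuration client should not need; `RestrictNamespaces = true;` is tighter unless jool-cli depends on it. Both `mkEnableOption` descriptions end with a period that `mkEnableOption` already appends, so they render with `..`.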
diff --git a/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix b/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix index 2d421abc8be7..afd721e34da5 100644 --- a/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix +++ b/nixpkgs/nixos/modules/services/networking/ntp/chrony.nix @@ -27,7 +27,10 @@ let ${cfg.extraConfig} ''; - chronyFlags = [ "-n" "-m" "-u" "chrony" "-f" "${configFile}" ] ++ cfg.extraFlags; + chronyFlags = + [ "-n" "-u" "chrony" "-f" "${configFile}" ] + ++ optional cfg.enableMemoryLocking "-m" + ++ cfg.extraFlags; in { options = { @@ -73,6 +76,15 @@ in ''; }; + enableMemoryLocking = mkOption { + type = types.bool; + default = config.environment.memoryAllocator.provider != "graphene-hardened"; + defaultText = ''config.environment.memoryAllocator.provider != "graphene-hardened"''; + description = lib.mdDoc '' + Whether to add the `-m` flag to lock memory. + ''; + }; + enableNTS = mkOption { type = types.bool; default = false; diff --git a/nixpkgs/nixos/modules/services/networking/zerotierone.nix b/nixpkgs/nixos/modules/services/networking/zerotierone.nix index 0d9e25cfc52c..f78fd8642ba0 100644 --- a/nixpkgs/nixos/modules/services/networking/zerotierone.nix +++ b/nixpkgs/nixos/modules/services/networking/zerotierone.nix @@ -13,7 +13,9 @@ in example = [ "a8a2c3c10c1a68de" ]; type = types.listOf types.str; description = lib.mdDoc '' - List of ZeroTier Network IDs to join on startup + List of ZeroTier Network IDs to join on startup. + Note that networks are only ever joined, but not automatically left after removing them from the list. + To remove networks, use the ZeroTier CLI: `zerotier-cli leave <network-id>` ''; }; |
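Review bot: The new `enableMemoryLocking` option says what `-m` does ("lock memory") but not why the default turns it off under `graphene-hardened`, so a reader cannot tell whether the exception is a workaround or a deliberate security trade-off. Extend the description with the rationale, e.g. that `-m` makes chronyd `mlockall()` itself so timekeeping is not disturbed by paging, and that it is disabled by default with the graphene-hardened allocator because that allocator's large address-space reservations make the lock fail — hedged, confirm this matches the failure actually observed. As a style point, `defaultText = ''config.environment.memoryAllocator.provider != "graphene-hardened"''` is conventionally written as `defaultText = lib.literalExpression ''config.environment.memoryAllocator.provider != "graphene-hardened"'';` so it renders as code in the manual. The enclosing `options` attrset continues outside the hunk.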