Diffstat (limited to 'nixpkgs/nixos/modules/services/networking')
5 files changed, 111 insertions, 126 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/frp.nix b/nixpkgs/nixos/modules/services/networking/frp.nix
new file mode 100644
index 000000000000..e4f9a220b5e8
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/frp.nix
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.frp;
+ settingsFormat = pkgs.formats.ini { };
+ configFile = settingsFormat.generate "frp.ini" cfg.settings;
+ isClient = (cfg.role == "client");
+ isServer = (cfg.role == "server");
+in
+{
+ options = {
+ services.frp = {
+ enable = mkEnableOption (mdDoc "frp");
+
+ package = mkPackageOptionMD pkgs "frp" { };
+
+ role = mkOption {
+ type = types.enum [ "server" "client" ];
+ description = mdDoc ''
+ The frp consists of `client` and `server`. The server is usually
+ deployed on the machine with a public IP address, and
+ the client is usually deployed on the machine
+ where the Intranet service to be penetrated resides.
+ '';
+ };
+
+ settings = mkOption {
+ type = settingsFormat.type;
+ default = { };
+ description = mdDoc ''
+ Frp configuration, for configuration options
+ see the example of [client](https://github.com/fatedier/frp/blob/dev/conf/frpc_legacy_full.ini)
+ or [server](https://github.com/fatedier/frp/blob/dev/conf/frps_legacy_full.ini) on github.
+ '';
+ example = literalExpression ''
+ {
+ common = {
+ server_addr = "x.x.x.x";
+ server_port = 7000;
+ };
+ }
+ '';
+ };
+ };
+ };
+
+ config =
+ let
+ serviceCapability = optionals isServer [ "CAP_NET_BIND_SERVICE" ];
+ executableFile = if isClient then "frpc" else "frps";
+ in
+ mkIf cfg.enable {
+ systemd.services = {
+ frp = {
+ wants = optionals isClient [ "network-online.target" ];
+ after = if isClient then [ "network-online.target" ] else [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ description = "A fast reverse proxy frp ${cfg.role}";
+ serviceConfig = {
+ Type = "simple";
+ Restart = "on-failure";
+ RestartSec = 15;
+ ExecStart = "${cfg.package}/bin/${executableFile} -c ${configFile}";
+ StateDirectoryMode = optionalString isServer "0700";
+ DynamicUser = true;
+ # Hardening
+ UMask = optionalString isServer "0007";
+ CapabilityBoundingSet = serviceCapability;
+ AmbientCapabilities = serviceCapability;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ] ++ optionals isClient [ "AF_UNIX" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" ];
+ };
+ };
+ };
+ };
+
+ meta.maintainers = with maintainers; [ zaldnoay ];
+}
diff --git a/nixpkgs/nixos/modules/services/networking/frr.nix b/nixpkgs/nixos/modules/services/networking/frr.nix
index d350fe3548ae..8488a4e4ef48 100644
--- a/nixpkgs/nixos/modules/services/networking/frr.nix
+++ b/nixpkgs/nixos/modules/services/networking/frr.nix
@@ -23,6 +23,7 @@ let
 "pbr"
 "bfd"
 "fabric"
+ "mgmt"
 ];
 allServices = services ++ [ "zebra" ];
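Review bot: `configFile = settingsFormat.generate "frp.ini" cfg.settings` renders the entire `settings` attribute set into the Nix store, which is world-readable, and the `settings` option description does not say so; frp's shared `token` in `[common]`, if a user puts it there, becomes readable by every local account. The description should carry a sentence such as `Secrets such as the authentication token must not be placed here, because the generated file ends up in the world-readable Nix store.`, and a credentials path (systemd `LoadCredential` or an environment file) is worth a follow-up since the module offers none. Separately, `CapabilityBoundingSet = serviceCapability` evaluates to `[ ]` for the client, and as far as I recall the unit generator emits no `CapabilityBoundingSet=` line for an empty list, so the client unit gets no bounding-set restriction; writing `CapabilityBoundingSet = if isServer then serviceCapability else "";` would give the client an explicitly empty set. `StateDirectoryMode` is also set without any `StateDirectory=`, so it has nothing to apply to.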
diff --git a/nixpkgs/nixos/modules/services/networking/networkmanager.nix b/nixpkgs/nixos/modules/services/networking/networkmanager.nix
index 6bc46a9a90e4..53c847ee3ca2 100644
--- a/nixpkgs/nixos/modules/services/networking/networkmanager.nix
+++ b/nixpkgs/nixos/modules/services/networking/networkmanager.nix
@@ -30,13 +30,11 @@ let
 configFile = pkgs.writeText "NetworkManager.conf" (lib.concatStringsSep "\n" [
 (mkSection "main" {
 plugins = "keyfile";
- dhcp = cfg.dhcp;
- dns = cfg.dns;
+ inherit (cfg) dhcp dns;
 # If resolvconf is disabled that means that resolv.conf is managed by some other module.
 rc-manager = if config.networking.resolvconf.enable then "resolvconf" else "unmanaged";
- firewall-backend = cfg.firewallBackend;
 })
 (mkSection "keyfile" {
 unmanaged-devices =
@@ -233,15 +231,6 @@ in
 '';
 };
- firewallBackend = mkOption {
- type = types.enum [ "iptables" "nftables" "none" ];
- default = "iptables";
- description = lib.mdDoc ''
- Which firewall backend should be used for configuring masquerading with shared mode.
- If set to none, NetworkManager doesn't manage the configuration at all.
- '';
- };
-
 logLevel = mkOption {
 type = types.enum [ "OFF" "ERR" "WARN" "INFO" "DEBUG" "TRACE" ];
 default = "WARN";
@@ -340,20 +329,20 @@ in
 default = [ ];
 example = literalExpression ''
 [ {
- source = pkgs.writeText "upHook" '''
-
- if [ "$2" != "up" ]; then
- logger "exit: event $2 != up"
- exit
- fi
-
- # coreutils and iproute are in PATH too
- logger "Device $DEVICE_IFACE coming up"
- ''';
- type = "basic";
- } ]'';
+ source = pkgs.writeText "upHook" '''
+ if [ "$2" != "up" ]; then
+ logger "exit: event $2 != up"
+ exit
+ fi
+
+ # coreutils and iproute are in PATH too
+ logger "Device $DEVICE_IFACE coming up"
+ ''';
+ type = "basic";
+ } ]
+ '';
 description = lib.mdDoc ''
- A list of scripts which will be executed in response to network events.
+ A list of scripts which will be executed in response to network events.
 '';
 };
@@ -413,6 +402,9 @@ in
 them via the DNS server in your network, or use environment.etc to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir.
 '')
+ (mkRemovedOptionModule [ "networking" "networkmanager" "firewallBackend" ] ''
+ This option was removed as NixOS is now using iptables-nftables-compat even when using iptables, therefore Networkmanager now uses the nftables backend unconditionally.
+ '')
 ];
diff --git a/nixpkgs/nixos/modules/services/networking/nftables.nix b/nixpkgs/nixos/modules/services/networking/nftables.nix
index 47159ade328c..a0afdb452752 100644
--- a/nixpkgs/nixos/modules/services/networking/nftables.nix
+++ b/nixpkgs/nixos/modules/services/networking/nftables.nix
@@ -248,7 +248,6 @@ in
 config = mkIf cfg.enable {
 boot.blacklistedKernelModules = [ "ip_tables" ];
 environment.systemPackages = [ pkgs.nftables ];
- networking.networkmanager.firewallBackend = mkDefault "nftables";
 # versionOlder for backportability, remove afterwards
 networking.nftables.flushRuleset = mkDefault (versionOlder config.system.stateVersion "23.11" || (cfg.rulesetFile != null || cfg.ruleset != ""));
 systemd.services.nftables = {
diff --git a/nixpkgs/nixos/modules/services/networking/tedicross.nix b/nixpkgs/nixos/modules/services/networking/tedicross.nix
deleted file mode 100644
index cee7e11f4fb1..000000000000
--- a/nixpkgs/nixos/modules/services/networking/tedicross.nix
+++ /dev/null
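Review bot: The removal message added in this hunk states that NetworkManager "now uses the nftables backend unconditionally", but the hunk at `@@ -30,13 +30,11 @@` only drops the `firewall-backend =` line from `NetworkManager.conf`, so the backend is left to NetworkManager's built-in default (to my knowledge an autodetection that prefers nftables when `nft` is found, else iptables) rather than being pinned. If nftables is really meant to be unconditional, the `main` section should say so explicitly with `firewall-backend = "nftables";`; otherwise the message should state that the setting is now left to NetworkManager's default, so users can verify what masquerading in shared mode actually uses. The message also misspells the project name (`Networkmanager` → `NetworkManager`) and is one very long line where the neighbouring messages are wrapped.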
@@ -1,100 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let
- dataDir = "/var/lib/tedicross";
- cfg = config.services.tedicross;
- configJSON = pkgs.writeText "tedicross-settings.json" (builtins.toJSON cfg.config);
- configYAML = pkgs.runCommand "tedicross-settings.yaml" { preferLocalBuild = true; } ''
- ${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out
- '';
-
-in {
- options = {
- services.tedicross = {
- enable = mkEnableOption (lib.mdDoc "the TediCross Telegram-Discord bridge service");
-
- config = mkOption {
- type = types.attrs;
- # from https://github.com/TediCross/TediCross/blob/master/example.settings.yaml
- example = literalExpression ''
- {
- telegram = {
- useFirstNameInsteadOfUsername = false;
- colonAfterSenderName = false;
- skipOldMessages = true;
- sendEmojiWithStickers = true;
- };
- discord = {
- useNickname = false;
- skipOldMessages = true;
- displayTelegramReplies = "embed";
- replyLength = 100;
- };
- bridges = [
- {
- name = "Default bridge";
- direction = "both";
- telegram = {
- chatId = -123456789;
- relayJoinMessages = true;
- relayLeaveMessages = true;
- sendUsernames = true;
- ignoreCommands = true;
- };
- discord = {
- serverId = "DISCORD_SERVER_ID";
- channelId = "DISCORD_CHANNEL_ID";
- relayJoinMessages = true;
- relayLeaveMessages = true;
- sendUsernames = true;
- crossDeleteOnTelegram = true;
- };
- }
- ];
-
- debug = false;
- }
- '';
- description = lib.mdDoc ''
- {file}`settings.yaml` configuration as a Nix attribute set.
- Secret tokens should be specified using {option}`environmentFile`
- instead of this world-readable file.
- '';
- };
-
- environmentFile = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = lib.mdDoc ''
- File containing environment variables to be passed to the TediCross service,
- in which secret tokens can be specified securely using the
- `TELEGRAM_BOT_TOKEN` and `DISCORD_BOT_TOKEN`
- keys.
- '';
- };
- };
- };
-
- config = mkIf cfg.enable {
- # from https://github.com/TediCross/TediCross/blob/master/guides/autostart/Linux.md
- systemd.services.tedicross = {
- description = "TediCross Telegram-Discord bridge service";
- wantedBy = [ "multi-user.target" ];
- wants = [ "network-online.target" ];
- after = [ "network-online.target" ];
- serviceConfig = {
- Type = "simple";
- ExecStart = "${pkgs.nodePackages.tedicross}/bin/tedicross --config='${configYAML}' --data-dir='${dataDir}'";
- Restart = "always";
- DynamicUser = true;
- StateDirectory = baseNameOf dataDir;
- EnvironmentFile = cfg.environmentFile;
- };
- };
- };
-
- meta.maintainers = with maintainers; [ pacien ];
-}
- |