Diffstat (limited to 'nixpkgs/nixos/modules/services/networking')
-rw-r--r--nixpkgs/nixos/modules/services/networking/frp.nix93
-rw-r--r--nixpkgs/nixos/modules/services/networking/frr.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/networkmanager.nix42
-rw-r--r--nixpkgs/nixos/modules/services/networking/nftables.nix1
-rw-r--r--nixpkgs/nixos/modules/services/networking/tedicross.nix100
5 files changed, 111 insertions, 126 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/frp.nix b/nixpkgs/nixos/modules/services/networking/frp.nix
new file mode 100644
index 000000000000..e4f9a220b5e8
--- /dev/null
+++ b/nixpkgs/nixos/modules/services/networking/frp.nix
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.frp;
+  settingsFormat = pkgs.formats.ini { };
+  configFile = settingsFormat.generate "frp.ini" cfg.settings;
+  isClient = (cfg.role == "client");
+  isServer = (cfg.role == "server");
+in
+{
+  options = {
+    services.frp = {
+      enable = mkEnableOption (mdDoc "frp");
+
+      package = mkPackageOptionMD pkgs "frp" { };
+
+      role = mkOption {
+        type = types.enum [ "server" "client" ];
+        description = mdDoc ''
+          The frp consists of `client` and `server`. The server is usually
+          deployed on the machine with a public IP address, and
+          the client is usually deployed on the machine
+          where the Intranet service to be penetrated resides.
+        '';
+      };
+
+      settings = mkOption {
+        type = settingsFormat.type;
+        default = { };
+        description = mdDoc ''
+          Frp configuration, for configuration options
+          see the example of [client](https://github.com/fatedier/frp/blob/dev/conf/frpc_legacy_full.ini)
+          or [server](https://github.com/fatedier/frp/blob/dev/conf/frps_legacy_full.ini) on github.
+        '';
+        example = literalExpression ''
+          {
+            common = {
+              server_addr = "x.x.x.x";
+              server_port = 7000;
+            };
+          }
+        '';
+      };
+    };
+  };
+
+  config =
+    let
+      serviceCapability = optionals isServer [ "CAP_NET_BIND_SERVICE" ];
+      executableFile = if isClient then "frpc" else "frps";
+    in
+    mkIf cfg.enable {
+      systemd.services = {
+        frp = {
+          wants = optionals isClient [ "network-online.target" ];
+          after = if isClient then [ "network-online.target" ] else [ "network.target" ];
+          wantedBy = [ "multi-user.target" ];
+          description = "A fast reverse proxy frp ${cfg.role}";
+          serviceConfig = {
+            Type = "simple";
+            Restart = "on-failure";
+            RestartSec = 15;
+            ExecStart = "${cfg.package}/bin/${executableFile} -c ${configFile}";
+            StateDirectoryMode = optionalString isServer "0700";
+            DynamicUser = true;
+            # Hardening
+            UMask = optionalString isServer "0007";
+            CapabilityBoundingSet = serviceCapability;
+            AmbientCapabilities = serviceCapability;
+            PrivateDevices = true;
+            ProtectHostname = true;
+            ProtectClock = true;
+            ProtectKernelTunables = true;
+            ProtectKernelModules = true;
+            ProtectKernelLogs = true;
+            ProtectControlGroups = true;
+            RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ] ++ optionals isClient [ "AF_UNIX" ];
+            LockPersonality = true;
+            MemoryDenyWriteExecute = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            PrivateMounts = true;
+            SystemCallArchitectures = "native";
+            SystemCallFilter = [ "@system-service" ];
+          };
+        };
+      };
+    };
+
+  meta.maintainers = with maintainers; [ zaldnoay ];
+}
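Review bot: The generated `frp.ini` is built with `settingsFormat.generate` and therefore lands in the world-readable Nix store, yet the `settings` description says nothing about it, even though the `common` section of the linked legacy examples is exactly where the shared authentication `token` goes, so a user following them will put the secret straight into the store. I would add to the description: `Note: this file is placed in the world-readable Nix store; do not put the authentication token or other secrets in it.` If the packaged frp's config templating can read environment variables, an `EnvironmentFile`/`LoadCredential`-style option would be the real fix, but that should be confirmed against the frp version in `pkgs` before promising it. Separately, `StateDirectoryMode` and `UMask` are set for the server role without any `StateDirectory`, so there is no directory for them to govern, and for the client role they evaluate to empty strings that are still emitted into the unit.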
diff --git a/nixpkgs/nixos/modules/services/networking/frr.nix b/nixpkgs/nixos/modules/services/networking/frr.nix
index d350fe3548ae..8488a4e4ef48 100644
--- a/nixpkgs/nixos/modules/services/networking/frr.nix
+++ b/nixpkgs/nixos/modules/services/networking/frr.nix
@@ -23,6 +23,7 @@ let
     "pbr"
     "bfd"
     "fabric"
+    "mgmt"
   ];
 
   allServices = services ++ [ "zebra" ];
diff --git a/nixpkgs/nixos/modules/services/networking/networkmanager.nix b/nixpkgs/nixos/modules/services/networking/networkmanager.nix
index 6bc46a9a90e4..53c847ee3ca2 100644
--- a/nixpkgs/nixos/modules/services/networking/networkmanager.nix
+++ b/nixpkgs/nixos/modules/services/networking/networkmanager.nix
@@ -30,13 +30,11 @@ let
   configFile = pkgs.writeText "NetworkManager.conf" (lib.concatStringsSep "\n" [
     (mkSection "main" {
       plugins = "keyfile";
-      dhcp = cfg.dhcp;
-      dns = cfg.dns;
+      inherit (cfg) dhcp dns;
       # If resolvconf is disabled that means that resolv.conf is managed by some other module.
       rc-manager =
         if config.networking.resolvconf.enable then "resolvconf"
         else "unmanaged";
-      firewall-backend = cfg.firewallBackend;
     })
     (mkSection "keyfile" {
       unmanaged-devices =
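Review bot: Dropping `firewall-backend` from the `main` section leaves NetworkManager on its built-in default for that key, which as far as I recall is runtime autodetection rather than a pinned backend, so the removal message in this file claiming NM "now uses the nftables backend unconditionally" says more than this hunk actually enforces. If nftables is really intended regardless of what NM finds at runtime, keep the key and pin it: `firewall-backend = "nftables";`. Otherwise the removal message should say that the backend is now left to NetworkManager's own detection, so that hosts which blacklist `ip_tables` know what to expect.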
@@ -233,15 +231,6 @@ in
         '';
       };
 
-      firewallBackend = mkOption {
-        type = types.enum [ "iptables" "nftables" "none" ];
-        default = "iptables";
-        description = lib.mdDoc ''
-          Which firewall backend should be used for configuring masquerading with shared mode.
-          If set to none, NetworkManager doesn't manage the configuration at all.
-        '';
-      };
-
       logLevel = mkOption {
         type = types.enum [ "OFF" "ERR" "WARN" "INFO" "DEBUG" "TRACE" ];
         default = "WARN";
@@ -340,20 +329,20 @@ in
         default = [ ];
         example = literalExpression ''
           [ {
-                source = pkgs.writeText "upHook" '''
-
-                  if [ "$2" != "up" ]; then
-                      logger "exit: event $2 != up"
-                      exit
-                  fi
-
-                  # coreutils and iproute are in PATH too
-                  logger "Device $DEVICE_IFACE coming up"
-              ''';
-              type = "basic";
-          } ]'';
+            source = pkgs.writeText "upHook" '''
+              if [ "$2" != "up" ]; then
+                logger "exit: event $2 != up"
+                exit
+              fi
+
+              # coreutils and iproute are in PATH too
+              logger "Device $DEVICE_IFACE coming up"
+            ''';
+            type = "basic";
+          } ]
+        '';
         description = lib.mdDoc ''
-          A list of scripts which will be executed in response to  network  events.
+          A list of scripts which will be executed in response to network events.
         '';
       };
 
@@ -413,6 +402,9 @@ in
       them via the DNS server in your network, or use environment.etc
       to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir.
     '')
+    (mkRemovedOptionModule [ "networking" "networkmanager" "firewallBackend" ] ''
+      This option was removed as NixOS is now using iptables-nftables-compat even when using iptables, therefore Networkmanager now uses the nftables backend unconditionally.
+    '')
   ];
 
 
diff --git a/nixpkgs/nixos/modules/services/networking/nftables.nix b/nixpkgs/nixos/modules/services/networking/nftables.nix
index 47159ade328c..a0afdb452752 100644
--- a/nixpkgs/nixos/modules/services/networking/nftables.nix
+++ b/nixpkgs/nixos/modules/services/networking/nftables.nix
@@ -248,7 +248,6 @@ in
   config = mkIf cfg.enable {
     boot.blacklistedKernelModules = [ "ip_tables" ];
     environment.systemPackages = [ pkgs.nftables ];
-    networking.networkmanager.firewallBackend = mkDefault "nftables";
     # versionOlder for backportability, remove afterwards
     networking.nftables.flushRuleset = mkDefault (versionOlder config.system.stateVersion "23.11" || (cfg.rulesetFile != null || cfg.ruleset != ""));
     systemd.services.nftables = {
diff --git a/nixpkgs/nixos/modules/services/networking/tedicross.nix b/nixpkgs/nixos/modules/services/networking/tedicross.nix
deleted file mode 100644
index cee7e11f4fb1..000000000000
--- a/nixpkgs/nixos/modules/services/networking/tedicross.nix
+++ /dev/null
@@ -1,100 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let
-  dataDir = "/var/lib/tedicross";
-  cfg = config.services.tedicross;
-  configJSON = pkgs.writeText "tedicross-settings.json" (builtins.toJSON cfg.config);
-  configYAML = pkgs.runCommand "tedicross-settings.yaml" { preferLocalBuild = true; } ''
-    ${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out
-  '';
-
-in {
-  options = {
-    services.tedicross = {
-      enable = mkEnableOption (lib.mdDoc "the TediCross Telegram-Discord bridge service");
-
-      config = mkOption {
-        type = types.attrs;
-        # from https://github.com/TediCross/TediCross/blob/master/example.settings.yaml
-        example = literalExpression ''
-          {
-            telegram = {
-              useFirstNameInsteadOfUsername = false;
-              colonAfterSenderName = false;
-              skipOldMessages = true;
-              sendEmojiWithStickers = true;
-            };
-            discord = {
-              useNickname = false;
-              skipOldMessages = true;
-              displayTelegramReplies = "embed";
-              replyLength = 100;
-            };
-            bridges = [
-              {
-                name = "Default bridge";
-                direction = "both";
-                telegram = {
-                  chatId = -123456789;
-                  relayJoinMessages = true;
-                  relayLeaveMessages = true;
-                  sendUsernames = true;
-                  ignoreCommands = true;
-                };
-                discord = {
-                  serverId = "DISCORD_SERVER_ID";
-                  channelId = "DISCORD_CHANNEL_ID";
-                  relayJoinMessages = true;
-                  relayLeaveMessages = true;
-                  sendUsernames = true;
-                  crossDeleteOnTelegram = true;
-                };
-              }
-            ];
-
-            debug = false;
-          }
-        '';
-        description = lib.mdDoc ''
-          {file}`settings.yaml` configuration as a Nix attribute set.
-          Secret tokens should be specified using {option}`environmentFile`
-          instead of this world-readable file.
-        '';
-      };
-
-      environmentFile = mkOption {
-        type = types.nullOr types.path;
-        default = null;
-        description = lib.mdDoc ''
-          File containing environment variables to be passed to the TediCross service,
-          in which secret tokens can be specified securely using the
-          `TELEGRAM_BOT_TOKEN` and `DISCORD_BOT_TOKEN`
-          keys.
-        '';
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    # from https://github.com/TediCross/TediCross/blob/master/guides/autostart/Linux.md
-    systemd.services.tedicross = {
-      description = "TediCross Telegram-Discord bridge service";
-      wantedBy = [ "multi-user.target" ];
-      wants = [ "network-online.target" ];
-      after = [ "network-online.target" ];
-      serviceConfig = {
-        Type = "simple";
-        ExecStart = "${pkgs.nodePackages.tedicross}/bin/tedicross --config='${configYAML}' --data-dir='${dataDir}'";
-        Restart = "always";
-        DynamicUser = true;
-        StateDirectory = baseNameOf dataDir;
-        EnvironmentFile = cfg.environmentFile;
-      };
-    };
-  };
-
-  meta.maintainers = with maintainers; [ pacien ];
-}
-