From bd448b713944524f41a8d37cfe59d4594b536911 Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Tue, 10 May 2016 06:33:54 +0200 Subject: dnscrypt-proxy service: use up-to-date dnscrypt-resolvers list The list of public proxies is updated now and again and it's probably a good idea to always work from the most recent list, rather than the one that is shipped with the release. This can be crucial in case of resolvers that are revealed to have gone rogue or otherwise have been compromised. --- nixos/modules/services/networking/dnscrypt-proxy.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'nixos/modules/services/networking') diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix index 3961088c4b07..4521f82f5db8 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy.nix @@ -6,7 +6,12 @@ let dnscrypt-proxy = pkgs.dnscrypt-proxy; cfg = config.services.dnscrypt-proxy; - resolverListFile = "${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"; + # last updated: 2016-05-04 + resolverListFile = pkgs.fetchurl { + url = "https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv"; + sha256 = "07kbbisrvrqdxif3061hxj3whin3llg4nh50ln7prisi2vbd76xd"; + }; + localAddress = "${cfg.localAddress}:${toString cfg.localPort}"; daemonArgs = -- cgit 1.4.1 From e38e3dcdb6c3f069a22dd497be3800da5f516eda Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Tue, 10 May 2016 07:04:20 +0200 Subject: dnscrypt-proxy service: allow user to specify their own resolver list --- .../modules/services/networking/dnscrypt-proxy.nix | 26 +++++++++++++--------- 1 file changed, 16 insertions(+), 10 deletions(-) (limited to 'nixos/modules/services/networking') 
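Review bot: Pinning `url = ".../master/dnscrypt-resolvers.csv"` together with a fixed `sha256` does not deliver the "always work from the most recent list" goal stated in the commit message: the build is frozen at the revision behind the hash, and as soon as upstream changes the file on master the fetch fails with a hash mismatch instead of picking up the new list. Fetching from a commit- or tag-pinned URL keeps the build reproducible and makes the `# last updated: 2016-05-04` comment unnecessary, while refreshing the list stays a deliberate hash bump. A resolver revealed to be rogue is only dropped from this deployment once that bump happens, so the description overstates the protection this gives. The same `master` URL and hash are reused as the `resolverList` default in the following commit (e38e3dcdb6c3f069a22dd497be3800da5f516eda).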
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix index 4521f82f5db8..eb43e83c95f0 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy.nix @@ -6,12 +6,6 @@ let dnscrypt-proxy = pkgs.dnscrypt-proxy; cfg = config.services.dnscrypt-proxy; - # last updated: 2016-05-04 - resolverListFile = pkgs.fetchurl { - url = "https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv"; - sha256 = "07kbbisrvrqdxif3061hxj3whin3llg4nh50ln7prisi2vbd76xd"; - }; - localAddress = "${cfg.localAddress}:${toString cfg.localPort}"; daemonArgs = @@ -28,7 +22,7 @@ let "--provider-key=${cfg.customResolver.key}" ] else - [ "--resolvers-list=${resolverListFile}" + [ "--resolvers-list=${cfg.resolverList}" "--resolver-name=${toString cfg.resolverName}" ]; in @@ -82,12 +76,24 @@ in default = "dnscrypt.eu-nl"; type = types.nullOr types.string; description = '' - The name of the upstream DNSCrypt resolver to use. See - ${resolverListFile} for alternative resolvers. + The name of the upstream DNSCrypt resolver to use, taken from the + list named in the resolverList option. The default resolver is located in Holland, supports DNS security extensions, and claims to not keep logs. ''; }; + resolverList = mkOption { + description = '' + The list of upstream DNSCrypt resolvers. By default, we use the most + recent list published by upstream. + ''; + example = literalExample "${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"; + default = pkgs.fetchurl { + url = "https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv"; + sha256 = "07kbbisrvrqdxif3061hxj3whin3llg4nh50ln7prisi2vbd76xd"; + }; + defaultText = "pkgs.fetchurl { url = ...; sha256 = ...; }"; + }; customResolver = mkOption { default = null; description = '' 
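Review bot: The new `resolverList` option declares no `type`, so any value, including a string containing whitespace, is accepted and spliced unchecked into both `"--resolvers-list=${cfg.resolverList}"` and the AppArmor rule `${cfg.resolverList} r,` in the `@@ -174,7 +180,7 @@` hunk; adding `type = types.path;` rejects such values at evaluation time and matches the default, which is a store path from fetchurl. Separately, `example = literalExample "${pkgs.dnscrypt-proxy}/share/..."` interpolates the package inside an ordinary string, so the rendered manual will most likely show a /nix/store path instead of the expression; escaping it, e.g. `example = literalExample ''"''${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"'';`, keeps the example readable.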
@@ -174,7 +180,7 @@ in ${pkgs.lz4}/lib/liblz4.so.* mr, ${pkgs.attr.out}/lib/libattr.so.* mr, - ${resolverListFile} r, + ${cfg.resolverList} r, } '')); -- cgit 1.4.1 From 356f1bdac85f4cc018b320141d3227a4c1f6dccf Mon Sep 17 00:00:00 2001 From: Kranium Gikos Mendoza Date: Wed, 11 May 2016 12:18:38 +0800 Subject: sniproxy service: init --- nixos/modules/misc/ids.nix | 2 + nixos/modules/module-list.nix | 1 + nixos/modules/services/networking/sniproxy.nix | 99 ++++++++++++++++++++++++++ 3 files changed, 102 insertions(+) create mode 100644 nixos/modules/services/networking/sniproxy.nix (limited to 'nixos/modules/services/networking') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 7e40c1366677..8ee13fea7790 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -265,6 +265,7 @@ factorio = 241; emby = 242; graylog = 243; + sniproxy = 244; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -500,6 +501,7 @@ taskd = 240; factorio = 241; emby = 242; + sniproxy = 244; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index b92361f628be..df720e86f5b7 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -379,6 +379,7 @@ ./services/networking/skydns.nix ./services/networking/shairport-sync.nix ./services/networking/shout.nix + ./services/networking/sniproxy.nix ./services/networking/softether.nix ./services/networking/spiped.nix ./services/networking/sslh.nix diff --git a/nixos/modules/services/networking/sniproxy.nix b/nixos/modules/services/networking/sniproxy.nix new file mode 100644 index 000000000000..4d0f36923293 --- /dev/null +++ b/nixos/modules/services/networking/sniproxy.nix 
@@ -0,0 +1,99 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.sniproxy;
+
+ configFile = pkgs.writeText "sniproxy.conf" ''
+ user ${cfg.user}
+ pidfile /run/sniproxy.pid
+ ${cfg.config}
+ '';
+
+in
+{
+ options = {
+ services.sniproxy = {
+ enable = mkEnableOption "sniproxy server";
+
+ user = mkOption {
+ type = types.str;
+ default = "sniproxy";
+ description = "User account under which sniproxy runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "sniproxy";
+ description = "Group under which sniproxy runs.";
+ };
+
+ config = mkOption {
+ type = types.lines;
+ default = "";
+ description = "sniproxy.conf configuration excluding the daemon username and pid file.";
+ example = literalExample ''
+ error_log {
+ filename /var/log/sniproxy/error.log
+ }
+ access_log {
+ filename /var/log/sniproxy/access.log
+ }
+ listen 443 {
+ proto tls
+ }
+ table {
+ example.com 192.0.2.10
+ example.net 192.0.2.20
+ }
+ '';
+ };
+
+ logDir = mkOption {
+ type = types.str;
+ default = "/var/log/sniproxy/";
+ description = "Location of the log directory for sniproxy.";
+ };
+
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.sniproxy = {
+ description = "sniproxy server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ preStart = ''
+ test -d ${cfg.logDir} || {
+ echo "Creating initial log directory for sniproxy in ${cfg.logDir}"
+ mkdir -p ${cfg.logDir}
+ chmod 640 ${cfg.logDir}
+ }
+ chown -R ${cfg.user}:${cfg.group} ${cfg.logDir}
+ '';
+
+ serviceConfig = {
+ Type = "forking";
+ ExecStart = "${pkgs.sniproxy}/bin/sniproxy -c ${configFile}";
+ Restart = "always";
+ };
+ };
+
+ users.extraUsers = mkIf (cfg.user == "sniproxy") {
+ sniproxy = {
+ group = cfg.group;
+ uid = config.ids.uids.sniproxy;
+ };
+ };
+
+ users.extraGroups = mkIf (cfg.group == "sniproxy") {
+ sniproxy = {
+ gid = config.ids.gids.sniproxy;
+ };
+ };
+
+ };
+} -- cgit 1.4.1
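Review bot: `chmod 640 ${cfg.logDir}` in preStart leaves the freshly created log directory without the search (execute) bit, so unless sniproxy opens its logs before dropping to `user`, the sniproxy account cannot create or reopen files in it and the `error_log`/`access_log` paths from the example fail; a directory needs `chmod 750 ${cfg.logDir}`. The `chown -R` on every start re-owns whatever the unprivileged service has left under the directory, which is wider than needed; `chown ${cfg.user}:${cfg.group} ${cfg.logDir}` on the directory itself is enough once it exists. `${cfg.logDir}` is interpolated unquoted into the shell script and `logDir` is `types.str`, so a value with whitespace breaks every line of preStart; `types.path` plus quoting closes that. With `Type = "forking"` and `pidfile /run/sniproxy.pid` written into the config, `PIDFile = "/run/sniproxy.pid";` in serviceConfig lets systemd track the daemon's main process reliably.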
From 431a98b12b5e1cc51181da815870dda5e23709f8 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 10 May 2016 01:06:16 +0200 Subject: nixos/nat: Allow nat without an externalInterface --- nixos/modules/services/networking/nat.nix | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'nixos/modules/services/networking') diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix index 9d163e60d5ea..f35b0f68e3ef 100644 --- a/nixos/modules/services/networking/nat.nix +++ b/nixos/modules/services/networking/nat.nix @@ -12,6 +12,9 @@ let dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}"; + externalInterfaceFilter = param: + optionalString (cfg.externalInterface != null) "${param} ${cfg.externalInterface}"; + flushNat = '' iptables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true iptables -w -t nat -F nixos-nat-pre 2>/dev/null || true @@ -36,19 +39,20 @@ let # NAT the marked packets. ${optionalString (cfg.internalInterfaces != []) '' iptables -w -t nat -A nixos-nat-post -m mark --mark 1 \ - -o ${cfg.externalInterface} ${dest} + ${externalInterfaceFilter "-o"} ${dest} ''} # NAT packets coming from the internal IPs. ${concatMapStrings (range: '' iptables -w -t nat -A nixos-nat-post \ - -s '${range}' -o ${cfg.externalInterface} ${dest} + -s '${range}' \! -d '${range}' + ${externalInterfaceFilter "-o"} ${dest} '') cfg.internalIPs} # NAT from external ports to internal ports. ${concatMapStrings (fwd: '' iptables -w -t nat -A nixos-nat-pre \ - -i ${cfg.externalInterface} -p tcp \ + ${externalInterfaceFilter "-i"} -p tcp \ --dport ${builtins.toString fwd.sourcePort} \ -j DNAT --to-destination ${fwd.destination} '') cfg.forwardPorts} @@ -100,7 +104,8 @@ in }; networking.nat.externalInterface = mkOption { - type = types.str; + type = types.nullOr types.str; + default = null; example = "eth1"; description = '' -- cgit 1.4.1
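Review bot: In the `internalIPs` rule, the rewritten line `-s '${range}' \! -d '${range}'` ends without a trailing `\`, so as rendered here `${externalInterfaceFilter "-o"} ${dest}` becomes a separate shell command: the iptables rule is added without its `-o`/`-j` part and the next line fails as an unknown command, silently breaking masquerading for the internal ranges; it should read `-s '${range}' \! -d '${range}' \`. Please confirm the backslash was not lost in rendering. Dropping `-o`/`-i` when externalInterface is null also means the mark-based `internalInterfaces` rule and the DNAT port-forward rules now match on every interface, while only the internalIPs rule received the `\! -d '${range}'` exclusion; the other two would benefit from the same guard so internal-to-internal traffic is not rewritten. The option's description text is outside the hunk and presumably still presents externalInterface as mandatory, which should be updated alongside `default = null`.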