From 3bcf8ae8795ede9909df07fb97e049442b38c231 Mon Sep 17 00:00:00 2001 From: Vladimír Čunát Date: Wed, 13 Jan 2016 11:48:11 +0100 Subject: nixos manuals: bring back package references This reverts most of 89e983786a, as those references are sanitized now. Fixes #10039, at least most of it. The `sane` case wasn't fixed, as it calls a *function* in pkgs to get the default value. --- nixos/modules/services/networking/dnscrypt-proxy.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'nixos/modules/services/networking') diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix index 218bce2dbb31..c724ee979c2d 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy.nix @@ -52,7 +52,10 @@ in default = "opendns"; type = types.nullOr types.string; description = '' - The name of the upstream DNSCrypt resolver to use. + The name of the upstream DNSCrypt resolver to use. See + ${resolverListFile} for alternative resolvers + (e.g., if you are concerned about logging and/or server + location). ''; }; customResolver = mkOption { -- cgit 1.4.1 From a7b7ac8bfb948f05c8956f8de23d806fb7686438 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 1 Feb 2016 16:27:46 +0100 Subject: openssh: Enable DSA host/client keys This applies a patch from Fedora to make HostKeyAlgorithms do the right thing, fixing the issue described in 401782cb678d2e28c0f7f2d40c6421624f410148. --- nixos/modules/programs/ssh.nix | 3 +++ nixos/modules/services/networking/ssh/sshd.nix | 13 ++++++++++++- pkgs/tools/networking/openssh/default.nix | 11 ++++++++++- 3 files changed, 25 insertions(+), 2 deletions(-) (limited to 'nixos/modules/services/networking') diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix index 2da8ff738fbc..169c6a38e75b 100644 --- a/nixos/modules/programs/ssh.nix +++ b/nixos/modules/programs/ssh.nix 
@@ -186,6 +186,9 @@ in ForwardX11 ${if cfg.forwardX11 then "yes" else "no"} + # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.) + PubkeyAcceptedKeyTypes +ssh-dss + ${cfg.extraConfig} ''; diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 5baea4bc6aea..ba3efc8c0c2a 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -52,6 +52,8 @@ let )); in listToAttrs (map mkAuthKeyFile usersWithKeys); + supportOldHostKeys = !versionAtLeast config.system.stateVersion "15.07"; + in { @@ -177,7 +179,7 @@ in default = [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; } { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ] ++ optionals (!versionAtLeast config.system.stateVersion "15.07") + ] ++ optionals supportOldHostKeys [ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; } { type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; } ]; @@ -347,6 +349,15 @@ in ${flip concatMapStrings cfg.hostKeys (k: '' HostKey ${k.path} '')} + + # Allow DSA client keys for now. (These were deprecated + # in OpenSSH 7.0.) + PubkeyAcceptedKeyTypes +ssh-dss + + # Re-enable DSA host keys for now. + ${optionalString supportOldHostKeys '' + HostKeyAlgorithms +ssh-dss + ''} ''; assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index bb27b0cc3fcb..73e92aa4b8e5 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix 
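Review bot: The added `PubkeyAcceptedKeyTypes +ssh-dss` in the client config is unconditional, so every NixOS host re-enables an algorithm that OpenSSH 7.0 deprecated as weak, with nothing a user can set to turn it back off; the sshd.nix hunk at @@ -347 adds the same directive unconditionally while it gates only `HostKeyAlgorithms +ssh-dss` behind `supportOldHostKeys`. On the server side the existing gate can cover both lines, `${optionalString supportOldHostKeys "PubkeyAcceptedKeyTypes +ssh-dss"}`, and the client would be better served by a boolean option under `programs.ssh` (or the same stateVersion test) than by a bare directive. The "for now" in both comments would be more useful with the condition under which the lines are meant to disappear, e.g. `# Allow DSA keys only while systems with stateVersion < 15.07 are still supported; drop afterwards.`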
@@ -36,7 +36,16 @@ stdenv.mkDerivation rec { export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s" ''; - patches = [ ./locale_archive.patch ] + patches = + [ ./locale_archive.patch + + # Fix "HostKeyAlgoritms +...", which we need to enable DSA + # host key support. + (fetchurl { + url = "https://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.1p1-hostkeyalgorithms.patch?id=c98f5597250d6f9a8e8d96960beb6306d150ef0f"; + sha256 = "029lzp9qv1af8wdm0wwj7qwjj1nimgsjj214jqm3amwz0857qgvp"; + }) + ] ++ optional withGssapiPatches gssapiSrc; buildInputs = [ zlib openssl libedit pkgconfig pam ] -- cgit 1.4.1 From 5184aaa1ea93368cb993b1e8e5862adb6e305110 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 1 Feb 2016 17:51:04 +0100 Subject: Use booleans properly --- nixos/modules/services/networking/connman.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'nixos/modules/services/networking') diff --git a/nixos/modules/services/networking/connman.nix b/nixos/modules/services/networking/connman.nix index deb1cbfc1858..8526d09f2353 100644 --- a/nixos/modules/services/networking/connman.nix +++ b/nixos/modules/services/networking/connman.nix @@ -53,13 +53,13 @@ in { config = mkIf cfg.enable { assertions = [{ - assertion = config.networking.useDHCP == false; + assertion = !config.networking.useDHCP; message = "You can not use services.networking.connman with services.networking.useDHCP"; }{ - assertion = config.networking.wireless.enable == true; + assertion = config.networking.wireless.enable; message = "You must use services.networking.connman with services.networking.wireless"; }{ - assertion = config.networking.networkmanager.enable == false; + assertion = config.networking.networkmanager.enable; message = "You can not use services.networking.connman with services.networking.networkmanager"; }]; -- cgit 1.4.1 From ecefd2167af6368a0ad26815080e368da246b213 Mon Sep 17 00:00:00 2001 
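Review bot: The comment above the fetched patch misspells the option it fixes (`HostKeyAlgoritms`); since that text is what a maintainer will search for when deciding whether the patch is still needed, write `# Fix "HostKeyAlgorithms +...", which we need to enable DSA host key support.`. Recording in the same comment the upstream release (if any) that makes the patch obsolete would let it be dropped on the next version bump instead of being carried indefinitely.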
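Review bot: The third assertion loses its negation: `config.networking.networkmanager.enable == false` became `config.networking.networkmanager.enable`, so the module now fails exactly when NetworkManager is disabled and accepts the conflicting configuration its message warns about. It should read `assertion = !config.networking.networkmanager.enable;`, as the first assertion does for useDHCP. The follow-up commit ecefd2167af6 on this page makes that correction.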
From: aszlig Date: Mon, 1 Feb 2016 19:33:50 +0100 Subject: nixos/connman: Fix assertion for networkmanager Regression introduced by 5184aaa1ea93368cb993b1e8e5862adb6e305110. The fix was intended to remove the "x == true/false" assertions, but by accident a "x == false" was made "x == true" instead of "(!x)". Signed-off-by: aszlig Reported-by: devhell <"^"@regexmail.net> --- nixos/modules/services/networking/connman.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules/services/networking') diff --git a/nixos/modules/services/networking/connman.nix b/nixos/modules/services/networking/connman.nix index 8526d09f2353..3fecfbb13a04 100644 --- a/nixos/modules/services/networking/connman.nix +++ b/nixos/modules/services/networking/connman.nix @@ -59,7 +59,7 @@ in { assertion = config.networking.wireless.enable; message = "You must use services.networking.connman with services.networking.wireless"; }{ - assertion = config.networking.networkmanager.enable; + assertion = !config.networking.networkmanager.enable; message = "You can not use services.networking.connman with services.networking.networkmanager"; }]; -- cgit 1.4.1 From 889351af8b8a9e8bb39dbd09dc56691a28b9d823 Mon Sep 17 00:00:00 2001 
From: Vladimír Čunát Date: Wed, 3 Feb 2016 12:16:33 +0100 Subject: Revert "Merge #12357: nixos docs: show references to packages" The PR wasn't good enough yet. This reverts commit b2a37ceeea8c38ec71447f8dae1e6890a8cf982d, reversing changes made to 7fa9a1abce623aaf18b22f5dca3fc8a44a494e8d. --- lib/attrsets.nix | 2 +- nixos/modules/programs/ssh.nix | 3 ++- nixos/modules/programs/venus.nix | 3 ++- nixos/modules/services/amqp/activemq/default.nix | 3 ++- nixos/modules/services/misc/nixos-manual.nix | 3 ++- nixos/modules/services/misc/subsonic.nix | 4 +++- nixos/modules/services/monitoring/grafana.nix | 4 +++- .../modules/services/networking/dnscrypt-proxy.nix | 5 +--- nixos/modules/services/web-servers/phpfpm.nix | 5 ++-- .../services/x11/display-managers/lightdm.nix | 4 +++- nixos/release.nix | 28 ++++------------------ 11 files changed, 27 insertions(+), 37 deletions(-) (limited to 'nixos/modules/services/networking') diff --git a/lib/attrsets.nix b/lib/attrsets.nix index e3721bd1e94c..84f6cb3658b9 100644 --- a/lib/attrsets.nix +++ b/lib/attrsets.nix @@ -207,7 +207,7 @@ rec { /* Like `mapAttrsRecursive', but it takes an additional predicate - function that tells it whether to recurse into an attribute + function that tells it whether to recursive into an attribute set. If it returns false, `mapAttrsRecursiveCond' does not recurse, but does apply the map function. It is returns true, it does recurse, and does not apply the map function. diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix index 1ad45f468030..169c6a38e75b 100644 --- a/nixos/modules/programs/ssh.nix +++ b/nixos/modules/programs/ssh.nix @@ -36,7 +36,6 @@ in askPassword = mkOption { type = types.str; - default = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"; description = ''Program used by SSH to ask for passwords.''; }; 
@@ -227,5 +226,7 @@ in environment.variables.SSH_ASKPASS = optionalString config.services.xserver.enable askPassword; + programs.ssh.askPassword = mkDefault "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"; + }; } diff --git a/nixos/modules/programs/venus.nix b/nixos/modules/programs/venus.nix index 5c322c5589fc..c3756b4838c7 100644 --- a/nixos/modules/programs/venus.nix +++ b/nixos/modules/programs/venus.nix @@ -99,7 +99,6 @@ in }; outputTheme = mkOption { - default = "${pkgs.venus}/themes/classic_fancy"; type = types.path; description = '' Directory containing a config.ini file which is merged with this one. @@ -170,5 +169,7 @@ in startAt = cfg.dates; }; + services.venus.outputTheme = mkDefault "${pkgs.venus}/themes/classic_fancy"; + }; } diff --git a/nixos/modules/services/amqp/activemq/default.nix b/nixos/modules/services/amqp/activemq/default.nix index 261f97617664..56ff388f8a9e 100644 --- a/nixos/modules/services/amqp/activemq/default.nix +++ b/nixos/modules/services/amqp/activemq/default.nix @@ -32,7 +32,6 @@ in { ''; }; configurationDir = mkOption { - default = "${activemq}/conf"; description = '' The base directory for ActiveMQ's configuration. By default, this directory is searched for a file named activemq.xml, @@ -126,6 +125,8 @@ in { ''; }; + services.activemq.configurationDir = mkDefault "${activemq}/conf"; + }; } diff --git a/nixos/modules/services/misc/nixos-manual.nix b/nixos/modules/services/misc/nixos-manual.nix index 2aa8f4a06cc9..3e1f53e79f3e 100644 --- a/nixos/modules/services/misc/nixos-manual.nix +++ b/nixos/modules/services/misc/nixos-manual.nix @@ -80,7 +80,6 @@ in services.nixosManual.browser = mkOption { type = types.path; - default = "${pkgs.w3m-nox}/bin/w3m"; description = '' Browser used to show the manual. ''; @@ -118,6 +117,8 @@ in services.mingetty.helpLine = mkIf cfg.showManual "\nPress for the NixOS manual."; + services.nixosManual.browser = mkDefault "${pkgs.w3m-nox}/bin/w3m"; + }; } 
diff --git a/nixos/modules/services/misc/subsonic.nix b/nixos/modules/services/misc/subsonic.nix index 020d53a481de..2831e95b9480 100644 --- a/nixos/modules/services/misc/subsonic.nix +++ b/nixos/modules/services/misc/subsonic.nix @@ -97,7 +97,6 @@ in transcoders = mkOption { type = types.listOf types.path; - default = [ "${pkgs.ffmpeg}/bin/ffmpeg" ]; description = '' List of paths to transcoder executables that should be accessible from Subsonic. Symlinks will be created to each executable inside @@ -153,5 +152,8 @@ in }; users.extraGroups.subsonic.gid = config.ids.gids.subsonic; + + services.subsonic.transcoders = mkDefault [ "${pkgs.ffmpeg}/bin/ffmpeg" ]; + }; } diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index 1dec528b5a2c..0b49038dd273 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -87,7 +87,6 @@ in { staticRootPath = mkOption { description = "Root path for static assets."; - default = "${cfg.package.out}/share/grafana/public"; type = types.str; }; @@ -233,5 +232,8 @@ in { home = cfg.dataDir; createHome = true; }; + + services.grafana.staticRootPath = mkDefault "${cfg.package}/share/grafana/public"; + }; } diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix index c724ee979c2d..218bce2dbb31 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy.nix @@ -52,10 +52,7 @@ in default = "opendns"; type = types.nullOr types.string; description = '' - The name of the upstream DNSCrypt resolver to use. See - ${resolverListFile} for alternative resolvers - (e.g., if you are concerned about logging and/or server - location). + The name of the upstream DNSCrypt resolver to use. ''; }; customResolver = mkOption { 
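Review bot: The re-added grafana default, `mkDefault "${cfg.package}/share/grafana/public"`, is not the value the removed line had: the old default was `"${cfg.package.out}/share/grafana/public"`. For a single-output package both interpolate to the same store path, but if the package ever gains multiple outputs the revert silently changes which output is referenced; if dropping `.out` is intentional, a one-line comment saying so would save the next reader the comparison.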
diff --git a/nixos/modules/services/web-servers/phpfpm.nix b/nixos/modules/services/web-servers/phpfpm.nix index 277180fe139d..bdd41ed702b5 100644 --- a/nixos/modules/services/web-servers/phpfpm.nix +++ b/nixos/modules/services/web-servers/phpfpm.nix @@ -46,8 +46,7 @@ in { phpIni = mkOption { type = types.path; - default = "${cfg.phpPackage}/etc/php-recommended.ini"; - description = "php.ini file to use."; + description = "PHP configuration file to use."; }; poolConfigs = mkOption { @@ -88,5 +87,7 @@ in { }; }; + services.phpfpm.phpIni = mkDefault "${cfg.phpPackage}/etc/php-recommended.ini"; + }; } diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix index ac7db3d9adc4..3949bf01a316 100644 --- a/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixos/modules/services/x11/display-managers/lightdm.nix @@ -87,7 +87,6 @@ in background = mkOption { type = types.str; - default = "${pkgs.nixos-artwork}/share/artwork/gnome/Gnome_Dark.png"; description = '' The background image or color to use. ''; @@ -153,6 +152,9 @@ in }; users.extraGroups.lightdm.gid = config.ids.gids.lightdm; + + services.xserver.displayManager.lightdm.background = mkDefault "${pkgs.nixos-artwork}/share/artwork/gnome/Gnome_Dark.png"; + services.xserver.tty = null; # We might start multiple X servers so let the tty increment themselves.. services.xserver.display = null; # We specify our own display (and logfile) in xserver-wrapper up there }; diff --git a/nixos/release.nix b/nixos/release.nix index 71317c32b98d..d9f3e46b27c0 100644 --- a/nixos/release.nix +++ b/nixos/release.nix 
@@ -92,33 +92,15 @@ let }).config)); - cleanConfig = import ./lib/eval-config.nix { - system = "x86_64-linux"; - modules = [ ]; - pkgs = with pkgs.lib; - let - scrubDerivations = namePrefix: pkgSet: mapAttrs - (name: value: - let wholeName = "${namePrefix}.${name}"; in - if isAttrs value then - scrubDerivations wholeName value - // (optionalAttrs (isDerivation value) { outPath = "\${${wholeName}}"; }) - else value - ) - pkgSet; - in scrubDerivations "pkgs" pkgs; - }; - docs = (import ./doc/manual) { - inherit pkgs version; - revision = versionModule.system.nixosRevision; - inherit (cleanConfig) options; - }; - in rec { channel = import lib/make-channel.nix { inherit pkgs nixpkgs version versionSuffix; }; - inherit (docs) manual manualPDF manpages optionsJSON; + manual = buildFromConfig ({ pkgs, ... }: { }) (config: config.system.build.manual.manual); + manualPDF = (buildFromConfig ({ pkgs, ... }: { }) (config: config.system.build.manual.manualPDF)).x86_64-linux; + manpages = buildFromConfig ({ pkgs, ... }: { }) (config: config.system.build.manual.manpages); + options = (buildFromConfig ({ pkgs, ... }: { }) (config: config.system.build.manual.optionsJSON)).x86_64-linux; + # Build the initial ramdisk so Hydra can keep track of its size over time. initialRamdisk = buildFromConfig ({ pkgs, ... }: { }) (config: config.system.build.initialRamdisk); -- cgit 1.4.1 From 9e986c161b8127d16063ff5c0da7aad4639422c8 Mon Sep 17 00:00:00 2001 From: Nathan Zadoks Date: Tue, 9 Feb 2016 16:53:11 +0100 Subject: wpa_supplicant module: add an option for accepting raw PSKs fix #12892 --- .../modules/services/networking/wpa_supplicant.nix | 28 +++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) (limited to 'nixos/modules/services/networking') diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 1b655af6c82d..1558c5832892 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix 
+++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -8,11 +8,15 @@ let ${optionalString cfg.userControlled.enable '' ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=${cfg.userControlled.group} update_config=1''} - ${concatStringsSep "\n" (mapAttrsToList (ssid: networkConfig: '' + ${concatStringsSep "\n" (mapAttrsToList (ssid: networkConfig: let + psk = if networkConfig.psk != null + then ''"${networkConfig.psk}"'' + else networkConfig.pskRaw; + in '' network={ ssid="${ssid}" - ${optionalString (networkConfig.psk != null) ''psk="${networkConfig.psk}"''} - ${optionalString (networkConfig.psk == null) ''key_mgmt=NONE''} + ${optionalString (psk != null) ''psk=${psk}''} + ${optionalString (psk == null) ''key_mgmt=NONE''} } '') cfg.networks)} '' else "/etc/wpa_supplicant.conf"; @@ -49,6 +53,19 @@ in { Be aware that these will be written to the nix store in plaintext! + + Mutually exclusive with pskRaw. + ''; + }; + + pskRaw = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The network's pre-shared key in hex defaulting + to being a network without any authentication. + + Mutually exclusive with psk. ''; }; }; @@ -95,6 +112,11 @@ in { config = mkMerge [ (mkIf cfg.enable { + assertions = flip mapAttrsToList cfg.networks (name: cfg: { + assertion = cfg.psk == null || cfg.pskRaw == null; + message = ''networking.wireless."${name}".psk and networking.wireless."${name}".pskRaw are mutually exclusive''; + }); + environment.systemPackages = [ pkgs.wpa_supplicant ]; services.dbus.packages = [ pkgs.wpa_supplicant ]; -- cgit 1.4.1 From c76817291912904f3ed553366804488cf31169e4 Mon Sep 17 00:00:00 2001 From: "tg(x)" <*@tg-x.net> Date: Wed, 10 Feb 2016 01:48:17 +0100 Subject: tinc: enable chroot --- nixos/modules/services/networking/tinc.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules/services/networking') 
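Review bot: The `pskRaw` description omits the warning the sibling `psk` option carries ("Be aware that these will be written to the nix store in plaintext!"), although the raw hex value is the pairwise master key itself and ends up in the same generated, world-readable config file. The phrase "pre-shared key in hex defaulting to being a network without any authentication" is also hard to parse; consider `The network's pre-shared key as 64 hex digits. Leave both this and psk unset for an open network. Be aware that this will be written to the nix store in plaintext! Mutually exclusive with psk.`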
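Review bot: The lambda in the new assertion, `(name: cfg: { ... })`, shadows the module-level `cfg` with the per-network attribute set, which is easy to misread in a block that otherwise uses `cfg` for the wireless config; `(name: net: { assertion = net.psk == null || net.pskRaw == null;` keeps the two apart. This is also where a format check for `pskRaw` belongs: the @@ -8 hunk pastes the value verbatim into wpa_supplicant.conf, so a wrong-length or non-hex string is only rejected when wpa_supplicant parses the file at boot, not at evaluation time. A second assertion, `assertion = net.pskRaw == null || stringLength net.pskRaw == 64;` with a message naming the network, catches the length error early.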
diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix index 34f4f6b37b60..a26b998b9155 100644 --- a/nixos/modules/services/networking/tinc.nix +++ b/nixos/modules/services/networking/tinc.nix @@ -166,7 +166,7 @@ in fi ''; script = '' - tincd -D -U tinc.${network} -n ${network} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel} + tincd -R -D -U tinc.${network} -n ${network} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel} ''; }) ); -- cgit 1.4.1 From 5c19830b77c00f87fa67121dadeb16096a6d18e2 Mon Sep 17 00:00:00 2001 From: "tg(x)" <*@tg-x.net> Date: Wed, 10 Feb 2016 17:29:36 +0100 Subject: tinc: chroot option --- nixos/modules/services/networking/tinc.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'nixos/modules/services/networking') diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix index a26b998b9155..9330e6c92ba8 100644 --- a/nixos/modules/services/networking/tinc.nix +++ b/nixos/modules/services/networking/tinc.nix @@ -95,6 +95,16 @@ in ''; }; + chroot = mkOption { + default = true; + type = types.bool; + description = '' + Change process root directory to the directory where the config file is located (/etc/tinc/netname/), for added security. + The chroot is performed after all the initialization is done, after writing pid files and opening network sockets. + + Note that tinc can't run scripts anymore (such as tinc-down or host-up), unless it is setup to be runnable inside chroot environment. + ''; + }; }; }; }; @@ -166,7 +176,7 @@ in fi ''; script = '' - tincd -R -D -U tinc.${network} -n ${network} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel} + tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel} ''; }) ); -- cgit 1.4.1 From fc8a16f4edf052ba71ec7dcd289769fdf512ae87 Mon Sep 17 00:00:00 2001 
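Review bot: In the script hunk at @@ -166 the new flag is emitted as `${optionalString (data.chroot) "-R"}`; the parentheses around a plain attribute access are unneeded and not used elsewhere on the line, so `${optionalString data.chroot "-R"}` matches the surrounding style. In the option description one sentence uses `setup` as a verb; `unless it is set up to be runnable inside the chroot environment` is the intended reading. The description could also mention that the chroot is independent of the `-U tinc.${network}` user switch already on the command line, so readers understand that disabling it does not affect the privilege drop.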
From: Eric Litak Date: Thu, 11 Feb 2016 08:44:00 -0800 Subject: unifi: LD_LIBRARY_PATH hack for embedded libsnappyjava.so, fixes #12897 --- nixos/modules/services/networking/unifi.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'nixos/modules/services/networking') diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix index be8f12ecd32d..4dc0cd96904c 100644 --- a/nixos/modules/services/networking/unifi.nix +++ b/nixos/modules/services/networking/unifi.nix @@ -61,6 +61,8 @@ in partOf = systemdMountPoints; bindsTo = systemdMountPoints; unitConfig.RequiresMountsFor = stateDir; + # This a HACK to fix missing dependencies of dynamic libs extracted from jars + environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc}/lib"; preStart = '' # Ensure privacy of state -- cgit 1.4.1 From 9c249a3adfbe07d31b2693ab9a3081cf37371435 Mon Sep 17 00:00:00 2001 From: Edward Tjörnhammar Date: Sat, 13 Feb 2016 15:22:19 +0100 Subject: nixos: i2pd, make config options adhere to version 2.4.0 --- nixos/modules/services/networking/i2pd.nix | 300 +++++++++++------------------ 1 file changed, 111 insertions(+), 189 deletions(-) (limited to 'nixos/modules/services/networking') diff --git a/nixos/modules/services/networking/i2pd.nix b/nixos/modules/services/networking/i2pd.nix index af9424ecfeaf..e73316a9b1e8 100644 --- a/nixos/modules/services/networking/i2pd.nix +++ b/nixos/modules/services/networking/i2pd.nix 
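Review bot: The comment on the new `environment.LD_LIBRARY_PATH` line says only that it is a hack, not which library is missing or why `${cc.cc}/lib` is the right directory; the commit title carries that information (libsnappyjava.so extracted from the jars, presumably needing a runtime library shipped with gcc). A comment that records it, `# HACK: libsnappyjava.so is extracted from the jars at runtime and needs a runtime lib from cc.cc that is not on the default search path; see #12897`, also fixes the missing verb in "This a HACK". Since the variable is inherited by every process the service spawns, noting that the path is an immutable store path makes the trade-off explicit for the next reader.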
@@ -12,21 +12,69 @@ let toOneZero = b: if b then "1" else "0"; + mkEndpointOpt = name: addr: port: { + name = mkOption { + type = types.str; + default = name; + description = "The endpoint name."; + }; + address = mkOption { + type = types.str; + default = addr; + description = "Bind address for ${name} endpoint. Default: " + addr; + }; + port = mkOption { + type = types.int; + default = port; + description = "Bind port for ${name} endoint. Default: " + toString port; + }; + }; + + commonTunOpts = let + i2cpOpts = { + length = mkOption { + type = types.int; + description = "Guaranteed minimum hops."; + default = 3; + }; + quantity = mkOption { + type = types.int; + description = "Number of simultaneous tunnels."; + default = 5; + }; + }; + in name: { + outbound = i2cpOpts; + inbound = i2cpOpts; + crypto.tagsToSend = mkOption { + type = types.int; + description = "Number of ElGamal/AES tags to send."; + default = 40; + }; + destination = mkOption { + type = types.str; + description = "Remote endpoint, I2P hostname or b32.i2p address."; + }; + keys = mkOption { + type = types.str; + default = name + "-keys.dat"; + description = "Keyset used for tunnel identity."; + }; + } // mkEndpointOpt name "127.0.0.1" 0; + i2pdConf = pkgs.writeText "i2pd.conf" '' - v6 = ${toOneZero cfg.enableIPv6} - unreachable = ${toOneZero cfg.unreachable} + ipv6 = ${toOneZero cfg.enableIPv6} + notransit = ${toOneZero cfg.notransit} floodfill = ${toOneZero cfg.floodfill} ${if isNull cfg.port then "" else "port = ${toString cfg.port}"} - httpproxyport = ${toString cfg.proxy.httpPort} - socksproxyport = ${toString cfg.proxy.socksPort} - ircaddress = ${cfg.irc.host} - ircport = ${toString cfg.irc.port} - ircdest = ${cfg.irc.dest} - irckeys = ${cfg.irc.keyFile} - eepport = ${toString cfg.eep.port} - ${if isNull cfg.sam.port then "" else "--samport=${toString cfg.sam.port}"} - eephost = ${cfg.eep.host} - eepkeys = ${cfg.eep.keyFile} + ${flip concatMapStrings + (collect (proto: proto ? 
port && proto ? address && proto ? name) cfg.proto) + (proto: let portStr = toString proto.port; in '' + [${proto.name}] + address = ${proto.address} + port = ${toString proto.port} + '') + } ''; i2pdTunnelConf = pkgs.writeText "i2pd-tunnels.conf" '' @@ -39,10 +87,15 @@ let keys = ${tun.keys} address = ${tun.address} port = ${toString tun.port} + inbound.length = ${toString tun.inbound.length} + outbound.length = ${toString tun.outbound.length} + inbound.quantity = ${toString tun.inbound.quantity} + outbound.quantity = ${toString tun.outbound.quantity} + crypto.tagsToSend = ${toString tun.crypto.tagsToSend} '') } ${flip concatMapStrings - (collect (tun: tun ? port && tun ? host) cfg.outTunnels) + (collect (tun: tun ? port && tun ? host) cfg.inTunnels) (tun: let portStr = toString tun.port; in '' [${tun.name}] type = server @@ -59,10 +112,10 @@ let i2pdSh = pkgs.writeScriptBin "i2pd" '' #!/bin/sh ${if isNull cfg.extIp then extip else ""} - ${pkgs.i2pd}/bin/i2pd --log=1 --daemon=0 --service=0 \ + ${pkgs.i2pd}/bin/i2pd --log=1 \ --host=${if isNull cfg.extIp then "$EXTIP" else cfg.extIp} \ --conf=${i2pdConf} \ - --tunnelscfg=${i2pdTunnelConf} + --tunconf=${i2pdTunnelConf} ''; in @@ -91,11 +144,11 @@ in ''; }; - unreachable = mkOption { + notransit = mkOption { type = types.bool; default = false; description = '' - If the router is declared to be unreachable and needs introduction nodes. + Tells the router to not accept transit tunnels during startup. ''; }; @@ -111,7 +164,7 @@ in type = with types; nullOr int; default = null; description = '' - I2P listen port. If no one is given the router will pick between 9111 and 30777. + I2P listen port. If no one is given the router will pick between 9111 and 30777. ''; }; 
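Review bot: Every endpoint declared through `mkEndpointOpt` is written into i2pd.conf unconditionally: the `collect` predicate accepts any attribute set that has `name`, `address` and `port`, and the helper offers no way to leave one out, so the http console, SAM, BOB, I2PControl and both proxies are all configured on every deployment (bound to 127.0.0.1, which is the right default, but if i2pd treats a present section as an enabled listener this is six local services most users will not need). A boolean `enable` option inside `mkEndpointOpt` (default true) and `&& proto.enable` appended to the predicate would let each be switched off. Smaller points in the same hunk: `let portStr = toString proto.port; in` is unused because the body calls `toString proto.port` again, `"Bind port for ${name} endoint."` misspells endpoint, and the descriptions mix interpolation with `+ addr` / `+ toString port`, which reads better as `"Bind address for ${name} endpoint. Default: ${addr}"`.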
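Review bot: The server-tunnel block now iterates `cfg.inTunnels`, but the predicate it kept, `tun ? port && tun ? host`, still requires a `host` attribute, and none of the inTunnels options declared in the @@ -123 hunk (`inPort`, `accessList`, plus `commonTunOpts`: `address`, `port`, `keys`, `destination`, `inbound`, `outbound`, `crypto`) defines one. Unless `host` is set somewhere outside this diff, `collect` matches nothing and no server tunnel is ever written to i2pd-tunnels.conf. `(collect (tun: tun ? port && tun ? address) cfg.inTunnels)` would match the option set as declared.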
@@ -123,184 +176,53 @@ in ''; }; - http = { - port = mkOption { - type = types.int; - default = 7070; - description = '' - HTTP listen port. - ''; - }; - }; - - proxy = { - httpPort = mkOption { - type = types.int; - default = 4446; - description = '' - HTTP proxy listen port. - ''; - }; - socksPort = mkOption { - type = types.int; - default = 4447; - description = '' - SOCKS proxy listen port. - ''; - }; - }; - - irc = { - host = mkOption { - type = types.str; - default = "127.0.0.1"; - description = '' - Address to forward incoming traffic to. 127.0.0.1 by default. - ''; - }; - dest = mkOption { - type = types.str; - default = "irc.postman.i2p"; - description = '' - Destination I2P tunnel endpoint address of IRC server. irc.postman.i2p by default. - ''; - }; - port = mkOption { - type = types.int; - default = 6668; - description = '' - Local IRC tunnel endoint port to listen on. 6668 by default. - ''; - }; - keyFile = mkOption { - type = types.str; - default = "privKeys.dat"; - description = '' - File name containing destination keys. privKeys.dat by default. - ''; - }; - }; - - eep = { - host = mkOption { - type = types.str; - default = "127.0.0.1"; - description = '' - Address to forward incoming traffic to. 127.0.0.1 by default. - ''; - }; - port = mkOption { - type = types.int; - default = 80; - description = '' - Port to forward incoming traffic to. 80 by default. - ''; - }; - keyFile = mkOption { - type = types.str; - default = "privKeys.dat"; - description = '' - File name containing destination keys. privKeys.dat by default. - ''; - }; - }; - - sam = { - port = mkOption { - type = with types; nullOr int; - default = null; - description = '' - Local SAM tunnel endpoint. Usually 7656. SAM is disabled if not specified. 
- ''; - }; - }; + proto.http = mkEndpointOpt "http" "127.0.0.1" 7070; + proto.sam = mkEndpointOpt "sam" "127.0.0.1" 7656; + proto.bob = mkEndpointOpt "bob" "127.0.0.1" 2827; + proto.i2pControl = mkEndpointOpt "i2pcontrol" "127.0.0.1" 7650; + proto.httpProxy = mkEndpointOpt "httpproxy" "127.0.0.1" 4446; + proto.socksProxy = mkEndpointOpt "socksproxy" "127.0.0.1" 4447; outTunnels = mkOption { default = {}; - type = with types; loaOf optionSet; - description = '' - ''; - options = [ ({ name, config, ... }: { - - options = { - name = mkOption { - type = types.str; - description = "The name of the tunnel."; - }; - destination = mkOption { - type = types.str; - description = "Remote endpoint, I2P hostname or b32.i2p address."; - }; - keys = mkOption { - type = types.str; - default = name + "-keys.dat"; - description = "Keyset used for tunnel identity."; - }; - address = mkOption { - type = types.str; - default = "127.0.0.1"; - description = "Local bind address for tunnel."; - }; - port = mkOption { - type = types.int; - default = 0; - description = "Local tunnel listen port."; - }; - }; - - config = { - name = mkDefault name; - }; - - }) ]; + type = with types; loaOf optionSet; + description = '' + Connect to someone as a client and establish a local accept endpoint + ''; + options = [ ({ name, config, ... }: { + options = commonTunOpts name; + config = { + name = mkDefault name; + }; + }) ]; }; inTunnels = mkOption { default = {}; - type = with types; loaOf optionSet; - description = '' - ''; - options = [ ({ name, config, ... 
}: { - - options = { - - name = mkOption { - type = types.str; - description = "The name of the tunnel."; - }; - keys = mkOption { - type = types.path; - default = name + "-keys.dat"; - description = "Keyset used for tunnel identity."; - }; - address = mkOption { - type = types.str; - default = "127.0.0.1"; - description = "Local service IP address."; - }; - port = mkOption { - type = types.int; - default = 0; - description = "Local tunnel listen port."; - }; - inPort = mkOption { - type = types.int; - default = 0; - description = "I2P service port. Default to the tunnel's listen port."; - }; - accessList = mkOption { - type = with types; listOf str; - default = []; - description = "I2P nodes that are allowed to connect to this service."; - }; - - }; - - config = { - name = mkDefault name; - }; - - }) ]; + type = with types; loaOf optionSet; + description = '' + Serve something on I2P network at port and delegate requests to address inPort. + ''; + options = [ ({ name, config, ... }: { + + options = { + inPort = mkOption { + type = types.int; + default = 0; + description = "Service port. Default to the tunnel's listen port."; + }; + accessList = mkOption { + type = with types; listOf str; + default = []; + description = "I2P nodes that are allowed to connect to this service."; + }; + } // commonTunOpts name; + + config = { + name = mkDefault name; + }; + + }) ]; }; }; }; -- cgit 1.4.1
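Review bot: `commonTunOpts` is shared by `outTunnels` and `inTunnels`, so every server tunnel also receives a `destination` option that has no default and is described as the remote I2P endpoint; for a tunnel of `type = server` that attribute presumably has no meaning, and a reader of the options cannot tell whether it must be set. Either give server tunnels their own option set without `destination`, or state in the `inTunnels` description that `destination` is ignored there. The inTunnels `keys` option also changes type from `types.path` (removed) to `types.str` via `commonTunOpts`; if that is intentional because the value is a file name rather than a store path, a one-line comment on `keys` would record it.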