From 79d216b8f4f1881a99b00dfca2f84e3d735edcd9 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Wed, 26 Oct 2016 01:55:52 +0200
Subject: cjdns service: whitespace cleanup

---
 nixos/modules/services/networking/cjdns.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'nixos/modules/services')

diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix
index cb00139c5f1c..6c0e77c081f5 100644
--- a/nixos/modules/services/networking/cjdns.nix
+++ b/nixos/modules/services/networking/cjdns.nix
@@ -112,11 +112,11 @@ in
 "49275fut6tmzu354pq70sr5b95qq0vj"
 ];
 description = ''
- Any remote cjdns nodes that offer these passwords on
+ Any remote cjdns nodes that offer these passwords on
 connection will be allowed to route through this node.
 '';
 };
-
+
 admin = {
 bind = mkOption {
 type = types.string;
-- 
cgit 1.4.1

From afe67f28a31484b4a33e8a2f9126ebc19d8a1809 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Wed, 26 Oct 2016 01:30:21 +0200
Subject: cjdns service: use cfg.enable shortcut

---
 nixos/modules/services/networking/cjdns.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'nixos/modules/services')

diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix
index 6c0e77c081f5..8fad0cd07de1 100644
--- a/nixos/modules/services/networking/cjdns.nix
+++ b/nixos/modules/services/networking/cjdns.nix
@@ -201,7 +201,7 @@ in
 };
- config = mkIf config.services.cjdns.enable {
+ config = mkIf cfg.enable {
 boot.kernelModules = [ "tun" ];
-- 
cgit 1.4.1

From 5fba586650464528d5be247f29eef3fc05950ba5 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Mon, 24 Oct 2016 20:32:43 +0200
Subject: cjdns service: better types

- types.string -> str, string is deprecated
- change type of confFile option to nullOr path, makes more sense
---
 nixos/modules/services/networking/cjdns.nix | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

(limited to 'nixos/modules/services')

diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix
index 8fad0cd07de1..c0955811e548 100644
--- a/nixos/modules/services/networking/cjdns.nix
+++ b/nixos/modules/services/networking/cjdns.nix
@@ -95,8 +95,8 @@ in
 };
 confFile = mkOption {
- type = types.str;
- default = "";
+ type = types.nullOr types.path;
+ default = null;
 example = "/etc/cjdroute.conf";
 description = ''
 Ignore all other cjdns options and load configuration from this file.
@@ -119,7 +119,7 @@ in
 admin = {
 bind = mkOption {
- type = types.string;
+ type = types.str;
 default = "127.0.0.1:11234";
 description = ''
 Bind the administration port to this address and port.
@@ -129,7 +129,7 @@ in
 UDPInterface = {
 bind = mkOption {
- type = types.string;
+ type = types.str;
 default = "";
 example = "192.168.1.32:43211";
 description = ''
@@ -154,6 +154,7 @@ in
 ETHInterface = {
 bind = mkOption {
+ type = types.str;
 default = "";
 example = "eth0";
 description =
@@ -212,7 +213,7 @@ in
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
- preStart = if cfg.confFile != "" then "" else ''
+ preStart = if cfg.confFile != null then "" else ''
 [ -e /etc/cjdns.keys ] && source /etc/cjdns.keys
 if [ -z "$CJDNS_PRIVATE_KEY" ]; then
@@ -234,7 +235,7 @@ in
 '';
 script = (
- if cfg.confFile != "" then "${pkg}/bin/cjdroute < ${cfg.confFile}" else
+ if cfg.confFile != null then "${pkg}/bin/cjdroute < ${cfg.confFile}" else
 ''
 source /etc/cjdns.keys
 echo '${cjdrouteConf}' | sed \
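Review bot: Changing confFile to `type = types.nullOr types.path;` means a Nix path literal such as `/etc/cjdroute.conf` is now accepted, and the `script` hunk further down still splices the value in as `"${pkg}/bin/cjdroute < ${cfg.confFile}"`, which for a path literal copies the file into the world-readable Nix store; a cjdroute config normally contains the node's private key, so on a multi-user host that copy is a secret leak. The example is a string and is unaffected, but the option description should say so, e.g. append `Pass the location as a string ("/etc/cjdroute.conf"); a Nix path literal would copy the file, private key included, into the world-readable store.` to the description. Keeping `type = types.nullOr types.str;` would avoid the footgun entirely while still allowing the `null` default. The option definition and the `script` expression both continue outside these hunks.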
@@ -253,7 +254,7 @@ in
 networking.extraHosts = "${cjdnsHosts}";
 assertions = [
- { assertion = ( cfg.ETHInterface.bind != "" || cfg.UDPInterface.bind != "" || cfg.confFile != "" );
+ { assertion = ( cfg.ETHInterface.bind != "" || cfg.UDPInterface.bind != "" || cfg.confFile != null );
 message = "Neither cjdns.ETHInterface.bind nor cjdns.UDPInterface.bind defined.";
 }
 { assertion = config.networking.enableIPv6;
-- 
cgit 1.4.1

From e94bd6f31dc6b551b28b479a992564d837e28b95 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Tue, 25 Oct 2016 19:52:58 +0200
Subject: cjdns service: protect /home and /tmp

---
 nixos/modules/services/networking/cjdns.nix | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'nixos/modules/services')

diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix
index c0955811e548..64d9ec215e40 100644
--- a/nixos/modules/services/networking/cjdns.nix
+++ b/nixos/modules/services/networking/cjdns.nix
@@ -248,6 +248,9 @@ in
 serviceConfig = {
 Type = "forking";
 Restart = "on-failure";
+
+ ProtectHome = true;
+ PrivateTmp = true;
 };
 };
-- 
cgit 1.4.1

From 9654e09b5a4bd44ecf16f8c435afa834a76ef2b1 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Mon, 24 Oct 2016 20:33:34 +0200
Subject: cjdns service: ensure that generated passwd has requested length

`head -cNUM ... | tr -dc SET` might generate output containing fewer than NUM characters. Given the limited alphabet, this could result in a fairly weak passphrase. The construction `tr > /etc/cjdns.keys fi '';
-- 
cgit 1.4.1

From 8180922d236c53b5e09cfe1b63f6c12977bb2803 Mon Sep 17 00:00:00 2001
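Review bot: The assertion now also holds when `cfg.confFile != null`, but the `message` on the following context line still reads only `Neither cjdns.ETHInterface.bind nor cjdns.UDPInterface.bind defined.`, so a user who hits it is not told that supplying confFile is the third way to satisfy it. Changing it to `message = "Neither cjdns.ETHInterface.bind nor cjdns.UDPInterface.bind is defined, and no cjdns.confFile is given.";` would match the condition. The assertions list continues outside the hunk.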
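Review bot: `ProtectHome = true;` and `PrivateTmp = true;` are added with no comment saying why the sandboxing stops there, and neither directive touches the paths this unit actually depends on: the preStart script (outside this hunk) writes `/etc/cjdns.keys`, the main script sources it, and the daemon presumably needs the tun device that `boot.kernelModules` loads. Because systemd applies serviceConfig sandboxing to ExecStartPre as well, anything stronger such as a read-only system directive would need an exception for that key file before it could be enabled. A comment like `# Light sandboxing only: cjdroute must read /etc/cjdns.keys (written in preStart) and set up the tun device; test before tightening further` would record that for the next hardening pass.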
From: Joachim Fasting
Date: Tue, 25 Oct 2016 20:56:54 +0200
Subject: cjdns service: refactor cjdns hosts builder

The old version would export two lists to a bash builder and do pairwise processing on the bash side. In the new version we instead generate a logic free builder on the Nix side. This is not only conceptually simpler but reduces the amount of code and intermediate values.
---
 nixos/modules/services/networking/cjdns-hosts.sh | 11 ---------
 nixos/modules/services/networking/cjdns.nix | 29 +++++++++++-------------
 2 files changed, 13 insertions(+), 27 deletions(-)
 delete mode 100644 nixos/modules/services/networking/cjdns-hosts.sh

(limited to 'nixos/modules/services')

diff --git a/nixos/modules/services/networking/cjdns-hosts.sh b/nixos/modules/services/networking/cjdns-hosts.sh
deleted file mode 100644
index 8a2b47e52143..000000000000
--- a/nixos/modules/services/networking/cjdns-hosts.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-pubs=($pubs)
-hosts=($hosts)
-
-lines="''\n"
-for ((i = 0; i < ${#pubs[*]}; i++)); do
- addr=$($cjdns/bin/publictoip6 ${pubs[i]})
- lines="${lines}$addr ${hosts[i]}\n"
-done
-lines="${lines}''"
-
-echo -ne $lines > $out
diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix
index 849d273a41d3..5e15e40ea0c1 100644
--- a/nixos/modules/services/networking/cjdns.nix
+++ b/nixos/modules/services/networking/cjdns.nix
@@ -28,21 +28,18 @@ let }; }; - peers = mapAttrsToList (n: v: v) (cfg.ETHInterface.connectTo // cfg.UDPInterface.connectTo); - - pubs = toString (map (p: if p.hostname == "" then "" else p.publicKey) peers); hosts = toString (map (p: if p.hostname == "" then "" else p.hostname) peers); - - cjdnsHosts = if hosts != "" then import (pkgs.stdenv.mkDerivation { name = "cjdns-hosts"; builder = ./cjdns-hosts.sh; inherit (pkgs) cjdns; inherit pubs hosts; }) else ""; + # Additional /etc/hosts entries for peers with an associated hostname cjdnsExtraHosts = import (pkgs.runCommand "cjdns-hosts" {} # Generate a builder that produces an output usable as a Nix string value '' exec >$out echo \'\' ${concatStringsSep "\n" (mapAttrsToList (k: v: optionalString (v.hostname != "") "echo $(${pkgs.cjdns}/bin/publictoip6 ${x.key}) ${x.host}") (cfg.ETHInterface.connectTo // cfg.UDPInterface.connectTo))} echo \'\' ''); parseModules = x: x // { connectTo = mapAttrs (name: value: { inherit (value) password publicKey; }) x.connectTo; };
@@ -254,7 +251,7 @@ in
 };
 };
- networking.extraHosts = "${cjdnsHosts}";
+ networking.extraHosts = cjdnsExtraHosts;
 assertions = [
 { assertion = ( cfg.ETHInterface.bind != "" || cfg.UDPInterface.bind != "" || cfg.confFile != null );
-- 
cgit 1.4.1
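Review bot: The lambda inside the new `cjdnsExtraHosts` binds its arguments as `k: v:` but interpolates `${x.key}` and `${x.host}`, and as far as this hunk shows no `x` is bound in the let block (the only `x` is the parameter of the separate `parseModules` lambda), so evaluation should fail with an undefined variable as soon as any peer has a hostname, which is exactly the case the `optionalString (v.hostname != "")` guard lets through. The removed code read `p.publicKey` and `p.hostname` from the same peer entries, so the line should be `"echo $(${pkgs.cjdns}/bin/publictoip6 ${v.publicKey}) ${v.hostname}")`. A second, smaller point: the hostname is echoed unquoted into a builder script whose output is then imported back as a Nix string, so a hostname containing shell metacharacters or `''` would break the build rather than produce an entry; either shell-quote the value or add a comment stating that the module relies on `hostname` being a plain label. This hunk's diff markers are partly lost in the rendering, so the attribution of old and new lines above is inferred from the surrounding text.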