{ config, lib, pkgs, ... }: with lib; let cfg = config.services.spiped; in { options = { services.spiped = { enable = mkOption { type = types.bool; default = false; description = lib.mdDoc "Enable the spiped service module."; }; config = mkOption { type = types.attrsOf (types.submodule ( { options = { encrypt = mkOption { type = types.bool; default = false; description = lib.mdDoc '' Take unencrypted connections from the `source` socket and send encrypted connections to the `target` socket. ''; }; decrypt = mkOption { type = types.bool; default = false; description = lib.mdDoc '' Take encrypted connections from the `source` socket and send unencrypted connections to the `target` socket. ''; }; source = mkOption { type = types.str; description = lib.mdDoc '' Address on which spiped should listen for incoming connections. Must be in one of the following formats: `/absolute/path/to/unix/socket`, `host.name:port`, `[ip.v4.ad.dr]:port` or `[ipv6::addr]:port` - note that hostnames are resolved when spiped is launched and are not re-resolved later; thus if DNS entries change spiped will continue to connect to the expired address. ''; }; target = mkOption { type = types.str; description = lib.mdDoc "Address to which spiped should connect."; }; keyfile = mkOption { type = types.path; description = lib.mdDoc '' Name of a file containing the spiped key. As the daemon runs as the `spiped` user, the key file must be somewhere owned by that user. By default, we recommend putting the keys for any spipe services in `/var/lib/spiped`. ''; }; timeout = mkOption { type = types.int; default = 5; description = lib.mdDoc '' Timeout, in seconds, after which an attempt to connect to the target or a protocol handshake will be aborted (and the connection dropped) if not completed ''; }; maxConns = mkOption { type = types.int; default = 100; description = lib.mdDoc '' Limit on the number of simultaneous connections allowed. ''; }; waitForDNS = mkOption { type = types.bool; default = false; description = lib.mdDoc '' Wait for DNS. Normally when `spiped` is launched it resolves addresses and binds to its source socket before the parent process returns; with this option it will daemonize first and retry failed DNS lookups until they succeed. This allows `spiped` to launch even if DNS isn't set up yet, but at the expense of losing the guarantee that once `spiped` has finished launching it will be ready to create pipes. ''; }; disableKeepalives = mkOption { type = types.bool; default = false; description = lib.mdDoc "Disable transport layer keep-alives."; }; weakHandshake = mkOption { type = types.bool; default = false; description = lib.mdDoc '' Use fast/weak handshaking: This reduces the CPU time spent in the initial connection setup, at the expense of losing perfect forward secrecy. ''; }; resolveRefresh = mkOption { type = types.int; default = 60; description = lib.mdDoc '' Resolution refresh time for the target socket, in seconds. ''; }; disableReresolution = mkOption { type = types.bool; default = false; description = lib.mdDoc "Disable target address re-resolution."; }; }; } )); default = {}; example = literalExpression '' { pipe1 = { keyfile = "/var/lib/spiped/pipe1.key"; encrypt = true; source = "localhost:6000"; target = "endpoint.example.com:7000"; }; pipe2 = { keyfile = "/var/lib/spiped/pipe2.key"; decrypt = true; source = "0.0.0.0:7000"; target = "localhost:3000"; }; } ''; description = lib.mdDoc '' Configuration for a secure pipe daemon. The daemon can be started, stopped, or examined using `systemctl`, under the name `spiped@foo`. ''; }; }; }; config = mkIf cfg.enable { assertions = mapAttrsToList (name: c: { assertion = (c.encrypt -> !c.decrypt) || (c.decrypt -> c.encrypt); message = "A pipe must either encrypt or decrypt"; }) cfg.config; users.groups.spiped.gid = config.ids.gids.spiped; users.users.spiped = { description = "Secure Pipe Service user"; group = "spiped"; uid = config.ids.uids.spiped; }; systemd.services."spiped@" = { description = "Secure pipe '%i'"; after = [ "network.target" ]; serviceConfig = { Restart = "always"; User = "spiped"; PermissionsStartOnly = true; }; preStart = '' cd /var/lib/spiped chmod -R 0660 * chown -R spiped:spiped * ''; scriptArgs = "%i"; script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`"; }; systemd.tmpfiles.rules = lib.mkIf (cfg.config != { }) [ "d /var/lib/spiped -" ]; # Setup spiped config files environment.etc = mapAttrs' (name: cfg: nameValuePair "spiped/${name}.spec" { text = concatStringsSep " " [ (if cfg.encrypt then "-e" else "-d") # Mode "-s ${cfg.source}" # Source "-t ${cfg.target}" # Target "-k ${cfg.keyfile}" # Keyfile "-n ${toString cfg.maxConns}" # Max number of conns "-o ${toString cfg.timeout}" # Timeout (optionalString cfg.waitForDNS "-D") # Wait for DNS (optionalString cfg.weakHandshake "-f") # No PFS (optionalString cfg.disableKeepalives "-j") # Keepalives (if cfg.disableReresolution then "-R" else "-r ${toString cfg.resolveRefresh}") ]; }) cfg.config; }; }