ilyakooo0/nixpkgs
1
0
Fork 0
mirror of https://github.com/ilyakooo0/nixpkgs.git synced 2024-12-27 22:03:54 +03:00
Code Issues Projects Releases Wiki Activity

nixos: only enable spipe when user specifies

Browse Source 
Signed-off-by: Austin Seipp <aseipp@pobox.com>
This commit is contained in:
Austin Seipp 2014-04-19 19:34:18 -05:00
parent 33eced411f
commit b470c93c1e
1 changed files with 145 additions and 137 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

282
nixos/modules/services/networking/spiped.nix
View File

@ -7,161 +7,169 @@ let
in
{
options = {
services.spiped = mkOption {
type = types.attrsOf (types.submodule (
{
options = {
encrypt = mkOption {
type = types.bool;
default = false;
description = ''
Take unencrypted connections from the
<literal>source</literal> socket and send encrypted
connections to the <literal>target</literal> socket.
'';
};
services.spiped = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable the spiped service module.";
};
decrypt = mkOption {
type = types.bool;
default = false;
description = ''
Take encrypted connections from the
<literal>source</literal> socket and send unencrypted
connections to the <literal>target</literal> socket.
'';
};
config = mkOption {
type = types.attrsOf (types.submodule (
{
options = {
encrypt = mkOption {
type = types.bool;
default = false;
description = ''
Take unencrypted connections from the
<literal>source</literal> socket and send encrypted
connections to the <literal>target</literal> socket.
'';
};
source = mkOption {
type = types.str;
description = ''
Address on which spiped should listen for incoming
connections. Must be in one of the following formats:
<literal>/absolute/path/to/unix/socket</literal>,
<literal>host.name:port</literal>,
<literal>[ip.v4.ad.dr]:port</literal> or
<literal>[ipv6::addr]:port</literal> - note that
hostnames are resolved when spiped is launched and are
not re-resolved later; thus if DNS entries change
spiped will continue to connect to the expired
address.
'';
};
decrypt = mkOption {
type = types.bool;
default = false;
description = ''
Take encrypted connections from the
<literal>source</literal> socket and send unencrypted
connections to the <literal>target</literal> socket.
'';
};
target = mkOption {
type = types.str;
description = "Address to which spiped should connect.";
};
source = mkOption {
type = types.str;
description = ''
Address on which spiped should listen for incoming
connections. Must be in one of the following formats:
<literal>/absolute/path/to/unix/socket</literal>,
<literal>host.name:port</literal>,
<literal>[ip.v4.ad.dr]:port</literal> or
<literal>[ipv6::addr]:port</literal> - note that
hostnames are resolved when spiped is launched and are
not re-resolved later; thus if DNS entries change
spiped will continue to connect to the expired
address.
'';
};
keyfile = mkOption {
type = types.path;
description = ''
Name of a file containing the spiped key. As the
daemon runs as the <literal>spiped</literal> user, the
key file must be somewhere owned by that user. By
default, we recommend putting the keys for any spipe
services in <literal>/var/lib/spiped</literal>.
'';
};
target = mkOption {
type = types.str;
description = "Address to which spiped should connect.";
};
timeout = mkOption {
type = types.int;
default = 5;
description = ''
Timeout, in seconds, after which an attempt to connect to
the target or a protocol handshake will be aborted (and the
connection dropped) if not completed
'';
};
keyfile = mkOption {
type = types.path;
description = ''
Name of a file containing the spiped key. As the
daemon runs as the <literal>spiped</literal> user, the
key file must be somewhere owned by that user. By
default, we recommend putting the keys for any spipe
services in <literal>/var/lib/spiped</literal>.
'';
};
maxConns = mkOption {
type = types.int;
default = 100;
description = ''
Limit on the number of simultaneous connections allowed.
'';
};
timeout = mkOption {
type = types.int;
default = 5;
description = ''
Timeout, in seconds, after which an attempt to connect to
the target or a protocol handshake will be aborted (and the
connection dropped) if not completed
'';
};
waitForDNS = mkOption {
type = types.bool;
default = false;
description = ''
Wait for DNS. Normally when <literal>spiped</literal> is
launched it resolves addresses and binds to its source
socket before the parent process returns; with this option
it will daemonize first and retry failed DNS lookups until
they succeed. This allows <literal>spiped</literal> to
launch even if DNS isn't set up yet, but at the expense of
losing the guarantee that once <literal>spiped</literal> has
finished launching it will be ready to create pipes.
'';
};
maxConns = mkOption {
type = types.int;
default = 100;
description = ''
Limit on the number of simultaneous connections allowed.
'';
};
disableKeepalives = mkOption {
type = types.bool;
default = false;
description = "Disable transport layer keep-alives.";
};
waitForDNS = mkOption {
type = types.bool;
default = false;
description = ''
Wait for DNS. Normally when <literal>spiped</literal> is
launched it resolves addresses and binds to its source
socket before the parent process returns; with this option
it will daemonize first and retry failed DNS lookups until
they succeed. This allows <literal>spiped</literal> to
launch even if DNS isn't set up yet, but at the expense of
losing the guarantee that once <literal>spiped</literal> has
finished launching it will be ready to create pipes.
'';
};
weakHandshake = mkOption {
type = types.bool;
default = false;
description = ''
Use fast/weak handshaking: This reduces the CPU time spent
in the initial connection setup, at the expense of losing
perfect forward secrecy.
'';
};
disableKeepalives = mkOption {
type = types.bool;
default = false;
description = "Disable transport layer keep-alives.";
};
resolveRefresh = mkOption {
type = types.int;
default = 60;
description = ''
Resolution refresh time for the target socket, in seconds.
'';
};
weakHandshake = mkOption {
type = types.bool;
default = false;
description = ''
Use fast/weak handshaking: This reduces the CPU time spent
in the initial connection setup, at the expense of losing
perfect forward secrecy.
'';
};
disableReresolution = mkOption {
type = types.bool;
default = false;
description = "Disable target address re-resolution.";
};
};
}
));
resolveRefresh = mkOption {
type = types.int;
default = 60;
description = ''
Resolution refresh time for the target socket, in seconds.
'';
};
default = {};
example = literalExample ''
{
pipe1 =
{ keyfile = "/var/lib/spiped/pipe1.key";
encrypt = true;
source = "localhost:6000";
target = "endpoint.example.com:7000";
disableReresolution = mkOption {
type = types.bool;
default = false;
description = "Disable target address re-resolution.";
};
};
pipe2 =
{ keyfile = "/var/lib/spiped/pipe2.key";
decrypt = true;
source = "0.0.0.0:7000";
target = "localhost:3000";
};
}
'';
}
));
description = ''
Configuration for a secure pipe daemon. The daemon can be
started, stopped, or examined using
<literal>systemctl</literal>, under the name
<literal>spiped@foo</literal>.
'';
default = {};
example = literalExample ''
{
pipe1 =
{ keyfile = "/var/lib/spiped/pipe1.key";
encrypt = true;
source = "localhost:6000";
target = "endpoint.example.com:7000";
};
pipe2 =
{ keyfile = "/var/lib/spiped/pipe2.key";
decrypt = true;
source = "0.0.0.0:7000";
target = "localhost:3000";
};
}
'';
description = ''
Configuration for a secure pipe daemon. The daemon can be
started, stopped, or examined using
<literal>systemctl</literal>, under the name
<literal>spiped@foo</literal>.
'';
};
};
};
config = {
config = mkIf cfg.enable {
assertions = mapAttrsToList (name: c: {
assertion = (c.encrypt -> !c.decrypt) || (c.decrypt -> c.encrypt);
message = "A pipe must either encrypt or decrypt";
}) cfg;
}) cfg.config;
users.extraGroups.spiped.gid = config.ids.gids.spiped;
users.extraUsers.spiped = {
@ -189,7 +197,7 @@ in
script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`";
};
system.activationScripts.spiped = optionalString (cfg != {})
system.activationScripts.spiped = optionalString (cfg.config != {})
"mkdir -p /var/lib/spiped";
# Setup spiped config files
@ -207,6 +215,6 @@ in
(if cfg.disableReresolution then "-R"
else "-r ${toString cfg.resolveRefresh}")
];
}) cfg;
}) cfg.config;
};
}