From 33754edb3e7cae6e54d85bb01fa0b5e228b283cf Mon Sep 17 00:00:00 2001 From: Jack Cummings Date: Fri, 5 Oct 2012 21:39:56 -0700 Subject: [PATCH 01/24] - add a hostapd module --- modules/module-list.nix | 1 + modules/services/networking/hostapd.nix | 154 ++++++++++++++++++++++++ 2 files changed, 155 insertions(+) create mode 100644 modules/services/networking/hostapd.nix diff --git a/modules/module-list.nix b/modules/module-list.nix index e480ee9767e1..0cca6a95544f 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -129,6 +129,7 @@ ./services/networking/gnunet.nix ./services/networking/gogoclient.nix ./services/networking/gvpe.nix + ./services/networking/hostapd.nix ./services/networking/ifplugd.nix ./services/networking/ircd-hybrid/default.nix ./services/networking/nat.nix diff --git a/modules/services/networking/hostapd.nix b/modules/services/networking/hostapd.nix new file mode 100644 index 000000000000..712b1a6824cc --- /dev/null +++ b/modules/services/networking/hostapd.nix 
@@ -0,0 +1,154 @@ +{ config, pkgs, ... }: + +# TODO: +# +# asserts +# ensure that the nl80211 module is loaded/compiled in the kernel +# hwMode must be a/b/g +# channel must be between 1 and 13 (maybe) +# wpa_supplicant and hostapd on the same wireless interface doesn't make any sense +# perhaps an assertion that there is a dhcp server and a dns server on the IP address serviced by the hostapd? + +with pkgs.lib; + +let + + cfg = config.services.hostapd; + + configFile = pkgs.writeText "hostapd.conf" + '' + interface=${cfg.interface} + driver=${cfg.driver} + ssid=${cfg.ssid} + hw_mode=${cfg.hwMode} + channel=${toString cfg.channel} + + # logging (debug level) + logger_syslog=-1 + logger_syslog_level=2 + logger_stdout=-1 + logger_stdout_level=2 + + ctrl_interface=/var/run/hostapd + ctrl_interface_group=${cfg.group} + + ${if cfg.wpa then '' + wpa=1 + wpa_passphrase=${cfg.wpaPassphrase} + '' else ""} + + ${cfg.extraCfg} + '' ; + +in + +{ + ###### interface + + options = { + + services.hostapd = { + + enable = mkOption { + default = false; + description = '' + enable putting a wireless interface into infrastructure mode, + allowing other wireless devices to associate with the wireless interface and do + wireless networking. A simple access point will enable hostapd.wpa, and + hostapd.wpa_passphrase, hostapd.ssid, dhcpd on the wireless interface to + provide IP addresses to the associated stations, and nat (from the wireless + interface to an upstream interface). + ''; + }; + + interface = mkOption { + default = ""; + example = "wlan0"; + description = '' + The interfaces hostapd will use. + ''; + }; + + driver = mkOption { + default = "nl80211"; + example = "hostapd"; + type = types.string; + description = "Which driver hostapd will use. 
Most things will probably use the default."; + }; + + ssid = mkOption { + default = "nixos"; + example = "mySpecialSSID"; + type = types.string; + description = "SSID to be used in IEEE 802.11 management frames."; + }; + + hwMode = mkOption { + default = "b"; + example = "g"; + type = types.string; + description = "Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g"; + }; + + channel = mkOption { + default = 7; + example = 11; + type = types.int; + description = + '' + Channel number (IEEE 802.11) + Please note that some drivers do not use this value from hostapd and the + channel will need to be configured separately with iwconfig. + ''; + }; + + group = mkOption { + default = "wheel"; + example = "network"; + type = types.string; + description = "members of this group can control hostapd"; + }; + + wpa = mkOption { + default = true; + description = "enable WPA (IEEE 802.11i/D3.0) to authenticate to the access point"; + }; + + wpaPassphrase = mkOption { + default = "my_sekret"; + example = "any_64_char_string"; + type = types.string; + description = "WPA-PSK (pre-shared-key) passphrase. Clients will need this passphrase to associate with this access point"; + }; + + extraCfg = mkOption { + default = ""; + example = '' + auth_algo=0 + ieee80211n=1 + ht_capab=[HT40-][SHORT-GI-40][DSSS_CCK-40] + ''; + type = types.string; + description = "Extra configuration options to put in the hostapd.conf"; + }; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + + environment.systemPackages = [ pkgs.hostapd ]; + + jobs.hostapd = + { startOn = "started network-interfaces"; + stopOn = "stopping network-interfaces"; + + script = + '' + exec ${pkgs.hostapd}/bin/hostapd ${configFile} + ''; + }; + }; +} From 757ab7f6d3399cae3c76e1b744eae692db6c8559 Mon Sep 17 00:00:00 2001 
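Review bot: `wpaPassphrase` ships with a working default of `"my_sekret"`, so a configuration that sets only `services.hostapd.enable = true` brings up a WPA network protected by a publicly known pre-shared key; the option should have no usable default (`default = null;` plus an assertion in `config` that it is set whenever `cfg.wpa` is true), and the later hunk in PATCH 10 keeps the same default while only adding a warning to the description. Separately, `configFile` is produced by `pkgs.writeText`, which puts the passphrase into the world-readable Nix store — that limitation belongs in the option description so users know the key is not confidential on the host. `interface` defaults to `""` with no `type`, so the generated `interface=` line is empty unless the user sets it; an assertion that `cfg.interface != ""` turns a runtime hostapd failure into an evaluation error.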
From: Eelco Dolstra Date: Sat, 6 Oct 2012 20:58:46 -0400 Subject: [PATCH 02/24] Generate nsswitch.conf properly --- modules/config/nsswitch-mdns.conf | 11 ----------- modules/config/nsswitch.conf | 10 ---------- modules/config/nsswitch.nix | 33 ++++++++++++++++++++----------- 3 files changed, 22 insertions(+), 32 deletions(-) delete mode 100644 modules/config/nsswitch-mdns.conf delete mode 100644 modules/config/nsswitch.conf diff --git a/modules/config/nsswitch-mdns.conf b/modules/config/nsswitch-mdns.conf deleted file mode 100644 index 61dd436682d3..000000000000 --- a/modules/config/nsswitch-mdns.conf +++ /dev/null @@ -1,11 +0,0 @@ -# NSS configuration files with mDNS enabled (requires running Avahi daemon). - -passwd: ldap files -group: ldap files -shadow: ldap files - -hosts: files mdns_minimal [NOTFOUND=return] dns mdns -networks: files dns - -services: files -protocols: files diff --git a/modules/config/nsswitch.conf b/modules/config/nsswitch.conf deleted file mode 100644 index 44beaf5b44cc..000000000000 --- a/modules/config/nsswitch.conf +++ /dev/null @@ -1,10 +0,0 @@ -passwd: files ldap -group: files ldap -shadow: files ldap - -hosts: files dns -networks: files dns -ethers: files - -services: files -protocols: files diff --git a/modules/config/nsswitch.nix b/modules/config/nsswitch.nix index cac6ff382a4a..7c969320b3dc 100644 --- a/modules/config/nsswitch.nix +++ b/modules/config/nsswitch.nix @@ -1,13 +1,15 @@ # Configuration for the Name Service Switch (/etc/nsswitch.conf). -{config, pkgs, ...}: +{ config, pkgs, ... }: + +with pkgs.lib; let options = { # NSS modules. Hacky! - system.nssModules = pkgs.lib.mkOption { + system.nssModules = mkOption { internal = true; default = []; description = " 
@@ -15,34 +17,43 @@ let several DNS resolution methods to be specified via /etc/nsswitch.conf. "; - merge = pkgs.lib.mergeListOption; + merge = mergeListOption; apply = list: let list2 = list # !!! this should be in the LDAP module - ++ pkgs.lib.optional config.users.ldap.enable pkgs.nss_ldap; + ++ optional config.users.ldap.enable pkgs.nss_ldap; in { list = list2; - path = pkgs.lib.makeLibraryPath list2; + path = makeLibraryPath list2; }; }; }; + inherit (config.services.avahi) nssmdns; + in { - require = [options]; + require = [ options ]; environment.etc = [ # Name Service Switch configuration file. Required by the C library. # !!! Factor out the mdns stuff. The avahi module should define # an option used by this module. - { source = - if config.services.avahi.nssmdns - then ./nsswitch-mdns.conf - else ./nsswitch.conf; + { source = pkgs.writeText "nsswitch.conf" + '' + passwd: files ldap + group: files ldap + shadow: files ldap + hosts: files ${optionalString nssmdns "mdns_minimal [NOTFOUND=return]"} dns ${optionalString nssmdns "mdns"} + networks: files dns + ethers: files + services: files + protocols: files + ''; target = "nsswitch.conf"; } ]; @@ -58,5 +69,5 @@ in # chroot gets to seem them, and (ii) applications can benefit from # changes in the list of NSS modules at run-time, without requiring # a reboot. - environment.systemPackages = [config.system.nssModules.list]; + environment.systemPackages = [ config.system.nssModules.list ]; } From 13841d6e47a54a6ec5c0c501a9d19d23fc081b2d Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Sat, 6 Oct 2012 21:00:26 -0400 Subject: [PATCH 03/24] Use nss-myhostname to ensure that the hostname resolves to something sensible --- modules/config/nsswitch.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/config/nsswitch.nix b/modules/config/nsswitch.nix index 7c969320b3dc..4c46e8ec87d3 100644 --- a/modules/config/nsswitch.nix +++ b/modules/config/nsswitch.nix 
@@ -48,7 +48,7 @@ in passwd: files ldap group: files ldap shadow: files ldap - hosts: files ${optionalString nssmdns "mdns_minimal [NOTFOUND=return]"} dns ${optionalString nssmdns "mdns"} + hosts: files ${optionalString nssmdns "mdns_minimal [NOTFOUND=return]"} dns ${optionalString nssmdns "mdns"} myhostname networks: files dns ethers: files services: files @@ -58,6 +58,11 @@ in } ]; + # Use nss-myhostname to ensure that our hostname always resolves to + # a valid IP address. It returns all locally configured IP + # addresses, or ::1 and 127.0.0.2 as fallbacks. + system.nssModules = [ pkgs.nss_myhostname ]; + environment.shellInit = if config.system.nssModules.path != "" then '' From 74295866f511a76199e7ab74aa995403c6f40954 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Sun, 7 Oct 2012 00:37:36 -0400 Subject: [PATCH 04/24] Don't include NSS modules in $LD_LIBRARY_PATH This is broken because it requires restarting applications to see new NSS modules. The proper way to handle NSS modules is through nscd. See commit 554ae9908b4abd45c9769da023470ae2c12ebdfd. --- modules/config/nsswitch.nix | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/modules/config/nsswitch.nix b/modules/config/nsswitch.nix index 4c46e8ec87d3..806ff8763038 100644 --- a/modules/config/nsswitch.nix +++ b/modules/config/nsswitch.nix @@ -62,17 +62,4 @@ in # a valid IP address. It returns all locally configured IP # addresses, or ::1 and 127.0.0.2 as fallbacks. system.nssModules = [ pkgs.nss_myhostname ]; - - environment.shellInit = - if config.system.nssModules.path != "" then - '' - LD_LIBRARY_PATH=${config.system.nssModules.path}:$LD_LIBRARY_PATH - '' - else ""; - - # NSS modules need to be in `systemPath' so that (i) the builder - # chroot gets to seem them, and (ii) applications can benefit from - # changes in the list of NSS modules at run-time, without requiring - # a reboot. - environment.systemPackages = [ config.system.nssModules.list ]; } 
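Review bot: `myhostname` is appended after `dns` on the `hosts:` line, so resolving the machine's own hostname still goes to the configured DNS servers first, and an upstream or search-domain answer for that name (or a slow resolver) takes precedence over the local module. Listing it before `dns` — `hosts: files ${optionalString nssmdns "mdns_minimal [NOTFOUND=return]"} myhostname dns ${optionalString nssmdns "mdns"}` — keeps the local name local and never leaks it to the network. Whether anything in this tree relies on DNS winning for the hostname is not visible here, so treat this as a trade-off to weigh rather than a hard defect; the enclosing `pkgs.writeText` string starts outside the hunk.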
From 570e523a88eebf9e20343608a153a41dbfa8375f Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Sun, 7 Oct 2012 00:40:00 -0400 Subject: [PATCH 05/24] Remove 127.0.0.1 mapping for the system's hostname Also remove the . mapping. --- modules/config/networking.nix | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/modules/config/networking.nix b/modules/config/networking.nix index 2b4be69cc51f..f0aafc6b4041 100644 --- a/modules/config/networking.nix +++ b/modules/config/networking.nix @@ -18,13 +18,6 @@ let }; - localhostWithDomain = optionalString (cfg.domain != "") - "localhost.${cfg.domain}"; - - hostnameWithDomain = optionalString - (cfg.domain != "" && cfg.hostName != "") - "${cfg.hostName}.${cfg.domain}"; - in { @@ -49,9 +42,7 @@ in { # /etc/hosts: Hostname-to-IP mappings. source = pkgs.writeText "hosts" '' - ${optionalString (cfg.hostName != "") - "127.0.0.1 ${hostnameWithDomain} ${cfg.hostName}"} - 127.0.0.1 localhost ${localhostWithDomain} + 127.0.0.1 localhost ${cfg.extraHosts} ''; target = "hosts"; From 2b2f0067b838c3032458f3fafdc1f6190ed9176f Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Sun, 7 Oct 2012 00:46:24 -0400 Subject: [PATCH 06/24] Add an /etc/hosts entry mapping localhost to ::1 --- modules/config/networking.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/config/networking.nix b/modules/config/networking.nix index f0aafc6b4041..c6ea171bf3d4 100644 --- a/modules/config/networking.nix +++ b/modules/config/networking.nix @@ -43,6 +43,7 @@ in source = pkgs.writeText "hosts" '' 127.0.0.1 localhost + ::1 localhost ${cfg.extraHosts} ''; target = "hosts"; From 01b8c48c3288243e17cfe1d4b298f4fc2c8bceb5 Mon Sep 17 00:00:00 2001 
From: Mathijs Kwik Date: Mon, 8 Oct 2012 16:00:05 +0200 Subject: [PATCH 07/24] logcheck: add some options to ease setting up ignore-rules The special handling for cronjobs should probably move to the cron module (logcheckIgnore = bool option) in the future, as it's more natural to just declare a cronjob, and mark it as "log-ignored", instead of adding cronjobs through logcheck. But as systemCronjobs is not an attrset yet (just simple strings), this would require adding an attrset for cronjobs or parsing strings in the nix language to get hold of the cron-user and command. So for now, I keep the interface within logcheck's module. --- modules/services/logging/logcheck.nix | 124 ++++++++++++++++++++++---- 1 file changed, 108 insertions(+), 16 deletions(-) diff --git a/modules/services/logging/logcheck.nix b/modules/services/logging/logcheck.nix index 40d736255eca..23f21b6a754d 100644 --- a/modules/services/logging/logcheck.nix +++ b/modules/services/logging/logcheck.nix @@ -5,16 +5,13 @@ with pkgs.lib; let cfg = config.services.logcheck; - rulesDir = pkgs.runCommand "logcheck-rules-dir" - {} ( - '' - mkdir $out - cp -prd ${pkgs.logcheck}/etc/logcheck/* $out/ - rm $out/logcheck.* - chmod u+w $out/* - '' + optionalString (! builtins.isNull cfg.extraRulesDir) '' - cp -prd ${cfg.extraRulesDir}/* $out/ - '' ); + defaultRules = pkgs.runCommand "logcheck-default-rules" {} '' + cp -prd ${pkgs.logcheck}/etc/logcheck $out + chmod u+w $out + rm $out/logcheck.* + ''; + + rulesDir = pkgs.symlinkJoin "logcheck-rules-dir" ([ defaultRules ] ++ cfg.extraRulesDirs); configFile = pkgs.writeText "logcheck.conf" cfg.config; 
@@ -33,6 +30,74 @@ let 2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/setuid-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags} ''; + writeIgnoreRule = name: {level, regex, ...}: + pkgs.writeTextFile + { inherit name; + destination = "/ignore.d.${level}/${name}"; + text = '' + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ${regex} + ''; + }; + + writeIgnoreCronRule = name: {level, user, regex, cmdline, ...}: + let escapeRegex = escape (stringToCharacters "\\[]{}()^$?*+|."); + cmdline_ = builtins.unsafeDiscardStringContext cmdline; + re = if regex != "" then regex else if cmdline_ == "" then ".*" else escapeRegex cmdline_; + in writeIgnoreRule "cron-${name}" { + inherit level; + regex = '' + (/usr/bin/)?cron\[[0-9]+\]: \(${user}\) CMD \(${re}\)$ + ''; + }; + + levelOption = mkOption { + default = "server"; + type = types.uniq types.string; + description = '' + Set the logcheck level. Either "workstation", "server", or "paranoid". + ''; + }; + + ignoreOptions = { + level = levelOption; + + regex = mkOption { + default = ""; + type = types.uniq types.string; + description = '' + Regex specifying which log lines to ignore. + ''; + }; + }; + + ignoreCronOptions = { + user = mkOption { + default = "root"; + type = types.uniq types.string; + description = '' + User that runs the cronjob. + ''; + }; + + cmdline = mkOption { + default = ""; + type = types.uniq types.string; + description = '' + Command line for the cron job. Will be turned into a regex for the logcheck ignore rule. + ''; + }; + + timeArgs = mkOption { + default = null; + type = types.nullOr (types.uniq types.string); + example = "02 06 * * *"; + description = '' + "min hr dom mon dow" crontab time args, to auto-create a cronjob too. + Leave at null to not do this and just add a logcheck ignore rule. + ''; + }; + }; + in { options = { 
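Review bot: `regex` defaults to `""` and `writeIgnoreRule` interpolates it verbatim, so an `ignore` entry that sets only `level` yields the rule `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ` — a prefix that matches every syslog line and silently disables logcheck for that level; `writeIgnoreCronRule` has the same shape, falling back to `.*` when both `regex` and `cmdline` are empty. An evaluation-time check such as `assertions = mapAttrsToList (n: v: { assertion = v.regex != ""; message = "services.logcheck.ignore.${n}.regex must be set"; }) cfg.ignore;` in the `config` block would catch this before a rule is written. `level` is likewise only constrained to be a string, so a typo such as `"servre"` places the rule in `ignore.d.servre`, a directory logcheck never reads; an assertion against the three values the description names would surface that too.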
@@ -98,16 +163,33 @@ in ''; }; - extraRulesDir = mkOption { - default = null; + extraRulesDirs = mkOption { + default = []; example = "/etc/logcheck"; - type = types.nullOr types.path; + type = types.listOf types.path; description = '' - Directory with extra rules. - Will be merged with bundled rules, so it's possible to override certain behaviour. + Directories with extra rules. ''; }; + ignore = mkOption { + default = {}; + description = '' + This option defines extra ignore rules. + ''; + type = types.loaOf types.optionSet; + options = [ ignoreOptions ]; + }; + + ignoreCron = mkOption { + default = {}; + description = '' + This option defines extra ignore rules for cronjobs. + ''; + type = types.loaOf types.optionSet; + options = [ ignoreOptions ignoreCronOptions ]; + }; + extraGroups = mkOption { default = []; type = types.listOf types.string; @@ -122,6 +204,10 @@ in }; config = mkIf cfg.enable { + services.logcheck.extraRulesDirs = + mapAttrsToList writeIgnoreRule cfg.ignore + ++ mapAttrsToList writeIgnoreCronRule cfg.ignoreCron; + users.extraUsers = singleton { name = cfg.user; shell = "/bin/sh"; @@ -134,6 +220,12 @@ in chown ${cfg.user} /var/{lib,lock}/logcheck ''; - services.cron.systemCronJobs = [ cronJob ]; + services.cron.systemCronJobs = + let withTime = name: {timeArgs, ...}: ! (builtins.isNull timeArgs); + mkCron = name: {user, cmdline, timeArgs, ...}: '' + ${timeArgs} ${user} ${cmdline} + ''; + in mapAttrsToList mkCron (filterAttrs withTime cfg.ignoreCron) + ++ [ cronJob ]; }; } From e8d8b6b39997fdd9b0796fd79fffad9750c37774 Mon Sep 17 00:00:00 2001 From: Jack Cummings Date: Fri, 5 Oct 2012 22:02:47 -0700 Subject: [PATCH 08/24] smartd: Add options for each device being monitored --- modules/services/monitoring/smartd.nix | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/modules/services/monitoring/smartd.nix b/modules/services/monitoring/smartd.nix index 2427f29020ea..7ca5625bfe77 100644 
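Review bot: In the `@@ -134,6 +220,12 @@` hunk, `mkCron` emits `${timeArgs} ${user} ${cmdline}` for every entry that has `timeArgs`, but `cmdline` defaults to `""`, so an `ignoreCron` entry with a schedule and no command line writes a crontab line that ends after the user name; narrowing `withTime` to `! (builtins.isNull timeArgs) && cmdline != ""`, or asserting on it, avoids installing a malformed system crontab. In the `extraRulesDirs` hunk, the `example` is still the bare string `"/etc/logcheck"` although the type is now `types.listOf types.path`; `example = [ "/etc/logcheck" ];` keeps the documentation consistent with what the option accepts. The description lost the sentence explaining that extra rules are merged with the bundled ones and can override them, which is the behaviour `symlinkJoin` in the first hunk still provides and is worth keeping in the text.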
--- a/modules/services/monitoring/smartd.nix +++ b/modules/services/monitoring/smartd.nix @@ -24,7 +24,7 @@ let smartdConf = pkgs.writeText "smartd.conf" (concatMapStrings (device: '' - ${device} -a -m root -M exec ${smartdMail} + ${device} -a -m root -M exec ${smartdMail} ${cfg.deviceOpts} '' ) cfg.devices); @@ -50,6 +50,17 @@ in ''; }; + deviceOpts = mkOption { + default = ""; + type = types.string; + example = "-o on -s (S/../.././02|L/../../7/04)"; + description = '' + Additional options for each device that is monitored. The example + turns on SMART Automatic Offline Testing on startup, and schedules short + self-tests daily, and long self-tests weekly. + ''; + }; + devices = mkOption { default = []; example = ["/dev/sda" "/dev/sdb"]; From e40146de16a8edf5e63b92057d0a7abca745182d Mon Sep 17 00:00:00 2001 From: Jack Cummings Date: Fri, 5 Oct 2012 22:11:57 -0700 Subject: [PATCH 09/24] nat: enable NAT for multiple networks --- modules/services/networking/nat.nix | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/modules/services/networking/nat.nix b/modules/services/networking/nat.nix index c51eeb54be78..ff6ff02f7e91 100644 --- a/modules/services/networking/nat.nix +++ b/modules/services/networking/nat.nix @@ -1,4 +1,6 @@ # This module enables Network Address Translation (NAT). +# XXX: todo: support multiple upstream links +# see http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html { config, pkgs, ... }: @@ -25,11 +27,11 @@ in }; networking.nat.internalIPs = mkOption { - example = "192.168.1.0/24"; + example = [ "192.168.1.0/24" ] ; description = '' - The IP address range for which to perform NAT. Packets - coming from these addresses and destined for the external + The IP address ranges for which to perform NAT. Packets + coming from these networks and destined for the external interface will be rewritten. ''; }; 
@@ -76,13 +78,17 @@ in '' iptables -t nat -F POSTROUTING iptables -t nat -X - + '' + + (concatMapStrings (network: + '' iptables -t nat -A POSTROUTING \ - -s ${cfg.internalIPs} -o ${cfg.externalInterface} \ + -s ${network} -o ${cfg.externalInterface} \ ${if cfg.externalIP == "" then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}"} - + '' + ) cfg.internalIPs) + + '' echo 1 > /proc/sys/net/ipv4/ip_forward ''; @@ -91,7 +97,5 @@ in iptables -t nat -F POSTROUTING ''; }; - }; - } From 71e6eca5675a9a32d245ace3b29154409a4700bf Mon Sep 17 00:00:00 2001 From: Jack Cummings Date: Tue, 9 Oct 2012 12:19:09 -0700 Subject: [PATCH 10/24] - fix indention, clarify parameter descriptions, and use 'exec' instead of 'script' in the hostapd job --- modules/services/networking/hostapd.nix | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/modules/services/networking/hostapd.nix b/modules/services/networking/hostapd.nix index 712b1a6824cc..42779494b4b8 100644 --- a/modules/services/networking/hostapd.nix +++ b/modules/services/networking/hostapd.nix @@ -52,7 +52,7 @@ in enable = mkOption { default = false; description = '' - enable putting a wireless interface into infrastructure mode, + Enable putting a wireless interface into infrastructure mode, allowing other wireless devices to associate with the wireless interface and do wireless networking. A simple access point will enable hostapd.wpa, and hostapd.wpa_passphrase, hostapd.ssid, dhcpd on the wireless interface to 
@@ -107,19 +107,24 @@ in example = "network"; type = types.string; description = "members of this group can control hostapd"; - }; + }; wpa = mkOption { default = true; description = "enable WPA (IEEE 802.11i/D3.0) to authenticate to the access point"; - }; + }; wpaPassphrase = mkOption { default = "my_sekret"; example = "any_64_char_string"; type = types.string; - description = "WPA-PSK (pre-shared-key) passphrase. Clients will need this passphrase to associate with this access point"; - }; + description = + '' + WPA-PSK (pre-shared-key) passphrase. Clients will need this + passphrase to associate with this access point. Warning: This passphrase will + get put into a world-readable file in the nix store. + ''; + }; extraCfg = mkOption { default = ""; @@ -130,9 +135,9 @@ in ''; type = types.string; description = "Extra configuration options to put in the hostapd.conf"; - }; }; }; + }; ###### implementation @@ -144,11 +149,7 @@ in jobs.hostapd = { startOn = "started network-interfaces"; stopOn = "stopping network-interfaces"; - - script = - '' - exec ${pkgs.hostapd}/bin/hostapd ${configFile} - ''; + exec = "${pkgs.hostapd}/bin/hostapd ${configFile}"; }; }; } From 6c62de6a31a17951d06981a2f6e21d8324c07786 Mon Sep 17 00:00:00 2001 
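Review bot: The `wpa` option's description, `enable WPA (IEEE 802.11i/D3.0)`, matches the `wpa=1` line that `configFile` writes (in the `let` block, outside this hunk), but that value selects only the original WPA protocol and never RSN/WPA2; hostapd uses `wpa=2` for WPA2-only and `wpa=3` for both, so either the generated line should become `wpa=2` or the module should expose the choice, and the description should state which protocol clients actually get. The new warning on `wpaPassphrase` is accurate, yet it sits next to the unchanged default `"my_sekret"`, which still lets a passphrase-less configuration come up with a known key — removing the default is the change that actually removes that risk.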
From: Mathijs Kwik Date: Fri, 12 Oct 2012 13:09:19 +0200 Subject: [PATCH 11/24] firewall: option to enable the rpfilter netfilter module This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which only works for ipv4. Furthermore, it's nicer to handle this kind of filtering in the firewall. There are some more subtle differences, please see: https://home.regit.org/netfilter-en/secure-use-of-helpers/ I chose to enable this by default (when the firewall is enabled) as it's a good idea in general. Only people with advanced routing needs might not want this, but I guess they don't use the nixos firewall anyway and use a custom solution. Furthermore, the option only becomes available in kernel 3.3+, so conservative nixos users that just stick to the default kernel will not need to act now just yet. --- modules/services/networking/firewall.nix | 30 ++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix index e6ae725f85ff..7ea4e593cd12 100644 --- a/modules/services/networking/firewall.nix +++ b/modules/services/networking/firewall.nix @@ -39,6 +39,11 @@ let } ''; + kernelPackages = config.boot.kernelPackages; + kernelHasRPFilter = kernelPackages.kernel ? features + && kernelPackages.kernel.features ? netfilterRPFilter + && kernelPackages.kernel.features.netfilterRPFilter; + in { @@ -140,6 +145,22 @@ in ''; }; + networking.firewall.checkReversePath = mkOption { + default = kernelHasRPFilter; + type = types.bool; + description = + '' + Performs a reverse path filter test on a packet. + If a reply to the packet would not be sent via the same interface + that the packet arrived on, it is refused. + + If using asymmetric routing or other complicated routing, + disable this setting and setup your own counter-measures. + + (needs kernel 3.3+) + ''; + }; + networking.firewall.extraCommands = mkOption { default = ""; example = "iptables -A INPUT -p icmp -j ACCEPT"; 
@@ -170,6 +191,9 @@ in boot.kernelModules = [ "nf_conntrack_ftp" ]; + assertions = [ { assertion = ! cfg.checkReversePath || kernelHasRPFilter; + message = "This kernel does not support rpfilter"; } ]; + jobs.firewall = { startOn = "started network-interfaces"; @@ -233,6 +257,12 @@ in # The "nixos-fw" chain does the actual work. ip46tables -N nixos-fw + # Perform a reverse-path test to refuse spoofers + # For now, we just drop, as the raw table doesn't have a log-refuse yet + ${optionalString (kernelHasRPFilter && cfg.checkReversePath) '' + ip46tables -A PREROUTING -t raw -m rpfilter --invert -j DROP + ''} + # Accept all traffic on the trusted interfaces. ${flip concatMapStrings cfg.trustedInterfaces (iface: '' ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept From 97a3a99b40a2f3183f6c87af4c27664cbd030065 Mon Sep 17 00:00:00 2001 From: Mathijs Kwik Date: Fri, 12 Oct 2012 13:16:33 +0200 Subject: [PATCH 12/24] firewall: options to select connection-tracking helpers My main reason for adding this is the ability to turn off helpers altogether. If you are not using any of the special protocols, keeping them turned off is safest, and in case you do want to use them, it's best to configure them through the new CT target for your network topology. Perhaps some sane defaults for nixos can be examined in the future. This change has no impact if you don't touch the added options, so no need to adapt. --- modules/services/networking/firewall.nix | 45 ++++++++++++++++++++++-- 1 file changed, 43 insertions(+), 2 deletions(-) diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix index 7ea4e593cd12..8ddeacf1a0f3 100644 --- a/modules/services/networking/firewall.nix +++ b/modules/services/networking/firewall.nix 
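Review bot: The rpfilter rule is appended with `-A` to the built-in `PREROUTING` chain of the `raw` table on every start, whereas the surrounding script (outside this hunk) is only shown creating the `nixos-fw` chain; unless the job's start or stop script also flushes `raw PREROUTING`, each restart of the firewall job leaves one more duplicate DROP rule behind — hedged, since the flush section is not visible here. Putting the rule in its own chain (for example `ip46tables -t raw -N nixos-fw-rpfilter`, flushed and recreated together with `nixos-fw`, with a single jump from `PREROUTING`) makes the start script idempotent and gives the log-refuse action the comment says is still missing a place to live. In the option hunk on the previous line, the `kernelHasRPFilter &&` conjunct inside `optionalString` is already guaranteed by the assertion in the `@@ -170,6 +191,9 @@` hunk, so `optionalString cfg.checkReversePath` alone would do.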
@@ -44,6 +44,10 @@ let && kernelPackages.kernel.features ? netfilterRPFilter && kernelPackages.kernel.features.netfilterRPFilter; + kernelCanDisableHelpers = kernelPackages.kernel ? features + && kernelPackages.kernel.features ? canDisableNetfilterConntrackHelpers + && kernelPackages.kernel.features.canDisableNetfilterConntrackHelpers; + in { @@ -161,6 +165,37 @@ in ''; }; + networking.firewall.connectionTrackingModules = mkOption { + default = [ "ftp" ]; + example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; + type = types.list types.string; + description = + '' + List of connection-tracking helpers that are auto-loaded. + The complete list of possible values is given in the example. + + As helpers can pose as a security risk, it is adviced to + set this to an empty list and disable the setting + networking.firewall.autoLoadConntrackHelpers + + Loading of helpers is recommended to be done through the new + CT target. More info: + https://home.regit.org/netfilter-en/secure-use-of-helpers/ + ''; + }; + + networking.firewall.autoLoadConntrackHelpers = mkOption { + default = true; + type = types.bool; + description = + '' + Whether to auto-load connection-tracking helpers. + See the description at networking.firewall.connectionTrackingModules + + (needs kernel 3.5+) + ''; + }; + networking.firewall.extraCommands = mkOption { default = ""; example = "iptables -A INPUT -p icmp -j ACCEPT"; 
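Review bot: The `example` for `connectionTrackingModules` lists `"netbios_sn"`, but the kernel helper is `nf_conntrack_netbios_ns` (NetBIOS name service), so copying the example as written asks `boot.kernelModules` for a module that does not exist; the entry should read `"netbios_ns"`. The type is spelled `types.list types.string` while every other list option on this page uses `types.listOf`, so `type = types.listOf types.string;` keeps the file consistent. The description also has `adviced` for `advised`.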
@@ -189,10 +224,16 @@ in environment.systemPackages = [ pkgs.iptables ]; - boot.kernelModules = [ "nf_conntrack_ftp" ]; + boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; + boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) '' + options nf_conntrack nf_conntrack_helper=0 + ''; assertions = [ { assertion = ! cfg.checkReversePath || kernelHasRPFilter; - message = "This kernel does not support rpfilter"; } ]; + message = "This kernel does not support rpfilter"; } + { assertion = cfg.autoLoadConntrackHelpers || kernelCanDisableHelpers; + message = "This kernel does not support disabling conntrack helpers"; } + ]; jobs.firewall = { startOn = "started network-interfaces"; From f4329320ab39f43f6ec4a9eeec3d06eda881df6b Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Sun, 14 Oct 2012 22:07:15 -0400 Subject: [PATCH 13/24] Forward compatibility with the systemd branch --- lib/eval-config.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/eval-config.nix b/lib/eval-config.nix index ffc0db1c7ea6..f99f3fbedbb2 100644 --- a/lib/eval-config.nix +++ b/lib/eval-config.nix @@ -31,6 +31,7 @@ rec { inherit pkgs modules baseModules; modulesPath = ../modules; pkgs_i686 = import { system = "i686-linux"; }; + utils = {}; # forward compatibility }; # Import Nixpkgs, allowing the NixOS option nixpkgs.config to From 8499d7555fff04594f58267858258d714fe5c6e5 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 16 Oct 2012 11:28:30 -0400 Subject: [PATCH 14/24] =?UTF-8?q?Backward=20compatibility=20hack=20for=20?= =?UTF-8?q?=E2=80=98networking.nat.internalIPs=E2=80=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- modules/services/networking/nat.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/modules/services/networking/nat.nix b/modules/services/networking/nat.nix index ff6ff02f7e91..9d62a764f060 100644 --- a/modules/services/networking/nat.nix 
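Review bot: `boot.extraModprobeConfig` with `options nf_conntrack nf_conntrack_helper=0` only takes effect if `nf_conntrack` is loaded as a module after that configuration exists; on a kernel with conntrack built in, or when the module was already loaded before the firewall job first runs, helpers stay auto-attached even though `autoLoadConntrackHelpers = false` and the assertion passed. The same switch is exposed at runtime as the sysctl `net.netfilter.nf_conntrack_helper`, so setting it from the firewall start script (or via `boot.kernel.sysctl`, if this tree has it — that is outside the hunk) in addition to the modprobe option covers both cases; the description of the option could then say that the setting applies whichever way conntrack was loaded. The enclosing `config` attribute set starts outside this hunk.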
+++ b/modules/services/networking/nat.nix @@ -34,6 +34,9 @@ in coming from these networks and destined for the external interface will be rewritten. ''; + # Backward compatibility: this used to be a single range instead + # of a list. + apply = x: if isList x then x else [x]; }; networking.nat.externalInterface = mkOption { @@ -78,8 +81,8 @@ in '' iptables -t nat -F POSTROUTING iptables -t nat -X - '' - + (concatMapStrings (network: + '' + + (concatMapStrings (network: '' iptables -t nat -A POSTROUTING \ -s ${network} -o ${cfg.externalInterface} \ From efc104c4c8dd8eb0f2eb2de13d36a2d0c47012df Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Tue, 16 Oct 2012 18:23:28 +0200 Subject: [PATCH 15/24] modules/programs/bash: improve bash completion support The new configuration.nix option 'environment.enableBashCompletion' determines whether bash completion is automatically enabled system-wide for all interactive shells or not. The default setting is 'off'. --- modules/programs/bash/bash.nix | 31 ++++++++++++++++++++++++++++++- modules/programs/bash/bashrc.sh | 10 +--------- 2 files changed, 31 insertions(+), 10 deletions(-) diff --git a/modules/programs/bash/bash.nix b/modules/programs/bash/bash.nix index 51654b164a07..9eefb8e686f6 100644 --- a/modules/programs/bash/bash.nix +++ b/modules/programs/bash/bash.nix 
@@ -7,6 +7,25 @@ with pkgs.lib; let + initBashCompletion = optionalString config.environment.enableBashCompletion '' + # Check whether we're running a version of Bash that has support for + # programmable completion. If we do, enable all modules installed in + # the system (and user profile). + if shopt -q progcomp &>/dev/null; then + . "${pkgs.bashCompletion}/etc/profile.d/bash_completion.sh" + nullglobStatus=$(shopt -p nullglob) + shopt -s nullglob + for p in $NIX_PROFILES /run/current-system/sw; do + for m in "$p/etc/bash_completion.d/"*; do + echo enable bash completion module $m + . $m + done + done + eval "$nullglobStatus" + fi + ''; + + options = { environment.shellInit = mkOption { @@ -18,6 +37,12 @@ let type = with pkgs.lib.types; string; }; + environment.enableBashCompletion = mkOption { + default = false; + description = "Enable bash-completion for all interactive shells."; + type = with pkgs.lib.types; bool; + }; + }; in @@ -38,7 +63,10 @@ in { # /etc/bashrc: executed every time a bash starts. Sources # /etc/profile to ensure that the system environment is # configured properly. - source = ./bashrc.sh; + source = pkgs.substituteAll { + src = ./bashrc.sh; + inherit initBashCompletion; + }; target = "bashrc"; } @@ -59,4 +87,5 @@ in mv /bin/.sh.tmp /bin/sh # atomically replace /bin/sh ''; + environment.pathsToLink = optional config.environment.enableBashCompletion "/etc/bash_completion.d"; } diff --git a/modules/programs/bash/bashrc.sh b/modules/programs/bash/bashrc.sh index 745506561519..4382e7ee9d88 100644 --- a/modules/programs/bash/bashrc.sh +++ b/modules/programs/bash/bashrc.sh 
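Review bot: `. $m` in `initBashCompletion` sources each completion file through an unquoted expansion, while the glob on the line above is carefully quoted; a filename containing whitespace or glob characters would be word-split here, so `. "$m"` matches the intent. The loop also sources every entry under `etc/bash_completion.d` of every path in `$NIX_PROFILES` with no check on name or type, so a stray backup file or subdirectory in any profile is executed (or errors) at the start of every interactive shell; a `[ -f "$m" ] || continue` guard before the `.` line keeps a broken profile from breaking shell start-up. The `if shopt -q progcomp` block is only emitted when `environment.enableBashCompletion` is set, which the description of that option could state so readers know the `pathsToLink` entry in the last hunk is tied to the same switch.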
@@ -27,15 +27,7 @@ if test "$TERM" = "xterm"; then PS1="\[\033]2;\h:\u:\w\007\]$PS1" fi -# Check whether we're running a version of Bash that has support for -# programmable completion. If we do, and if the current user has -# installed the package 'bash-completion' in her $HOME/.nix-profile, -# then completion is enabled automatically. -if [ -f "$HOME/.nix-profile/etc/profile.d/bash_completion.sh" ]; then - if shopt -q progcomp &>/dev/null; then - . "$HOME/.nix-profile/etc/profile.d/bash_completion.sh" - fi -fi +@initBashCompletion@ # Some aliases. alias ls="ls --color=tty" From 04a8642b4bf4bb998a6218275e19dd8970c03914 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Tue, 16 Oct 2012 18:41:20 +0200 Subject: [PATCH 16/24] modules/programs/bash: clean-up variables used in initialization of bash-completion --- modules/programs/bash/bash.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/programs/bash/bash.nix b/modules/programs/bash/bash.nix index 9eefb8e686f6..ca825d7ab946 100644 --- a/modules/programs/bash/bash.nix +++ b/modules/programs/bash/bash.nix @@ -17,11 +17,11 @@ let shopt -s nullglob for p in $NIX_PROFILES /run/current-system/sw; do for m in "$p/etc/bash_completion.d/"*; do - echo enable bash completion module $m . $m done done eval "$nullglobStatus" + unset nullglobStatus p m fi ''; From 56f90da276b93b6af16c6ac94f0e452a2da94927 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Tue, 16 Oct 2012 19:07:19 +0200 Subject: [PATCH 17/24] modules/programs/bash: '/run/current-system/sw' is already a part of $NIX_PROFILES --- modules/programs/bash/bash.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/programs/bash/bash.nix b/modules/programs/bash/bash.nix index ca825d7ab946..441d30f1e9fa 100644 --- a/modules/programs/bash/bash.nix +++ b/modules/programs/bash/bash.nix 
@@ -15,7 +15,7 @@ let . "${pkgs.bashCompletion}/etc/profile.d/bash_completion.sh" nullglobStatus=$(shopt -p nullglob) shopt -s nullglob - for p in $NIX_PROFILES /run/current-system/sw; do + for p in $NIX_PROFILES; do for m in "$p/etc/bash_completion.d/"*; do . $m done From 18076e001a54c86c42a3a74a2ef45e1f1dbb4c91 Mon Sep 17 00:00:00 2001 From: aszlig Date: Wed, 17 Oct 2012 15:11:53 +0200 Subject: [PATCH 18/24] apache-httpd: Use authn_core for version >= 2.3. Beginning with version 2.3, the authn were refactored. As a result, authn_alias is now part of the new module authn_core, so let's use authn_core instead of authn_alias. For details please see: http://httpd.apache.org/docs/2.4/upgrading.html#misc Signed-off-by: aszlig --- modules/services/web-servers/apache-httpd/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix index 9ceb66a85a0a..4a5362436b0a 100644 --- a/modules/services/web-servers/apache-httpd/default.nix +++ b/modules/services/web-servers/apache-httpd/default.nix @@ -101,7 +101,8 @@ let "auth_basic" "auth_digest" # Authentication: is the user who he claims to be? - "authn_file" "authn_dbm" "authn_anon" "authn_alias" + "authn_file" "authn_dbm" "authn_anon" + (if versionOlder httpd.version "2.3" then "authn_alias" else "authn_core") # Authorization: is the user allowed access? "authz_user" "authz_groupfile" "authz_host" From 3ad8fac5a25b549bd28d5bc5c4f461a52f109c6a Mon Sep 17 00:00:00 2001 From: aszlig Date: Wed, 17 Oct 2012 15:17:48 +0200 Subject: [PATCH 19/24] apache-httpd: Dynamically load MPM module in v2.4. Now, MPMs can be loaded at runtime and it's no longer required to compile in one of the MPM modules statically. So, if version is >= 2.4, load the MPM module corresponding to the multiProcessingModule value of the service module. For details, please see: http://httpd.apache.org/docs/2.4/mpm.html 
Signed-off-by: aszlig --- modules/services/web-servers/apache-httpd/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix index 4a5362436b0a..b70ed3933aaf 100644 --- a/modules/services/web-servers/apache-httpd/default.nix +++ b/modules/services/web-servers/apache-httpd/default.nix @@ -114,6 +114,7 @@ let "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling" "userdir" "alias" "rewrite" "proxy" "proxy_http" ] + ++ optional (!versionOlder httpd.version "2.4") "mpm_${mainCfg.multiProcessingModule}" ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ]) ++ optional enableSSL "ssl" ++ extraApacheModules; From 3acd98b040517cae680c8ca4273c0613f8af82ce Mon Sep 17 00:00:00 2001 From: aszlig Date: Wed, 17 Oct 2012 15:21:32 +0200 Subject: [PATCH 20/24] apache-httpd: Add unixd for 2.4, needed by "User". Beginning with 2.4 mod_unixd is needed to supply Unix usernames and groups for the web server. For details please have a look at: http://httpd.apache.org/docs/2.4/upgrading.html#commonproblems Signed-off-by: aszlig --- modules/services/web-servers/apache-httpd/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix index b70ed3933aaf..05fada720ba7 100644 --- a/modules/services/web-servers/apache-httpd/default.nix +++ b/modules/services/web-servers/apache-httpd/default.nix 
@@ -114,7 +114,10 @@ let "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling" "userdir" "alias" "rewrite" "proxy" "proxy_http" ] - ++ optional (!versionOlder httpd.version "2.4") "mpm_${mainCfg.multiProcessingModule}" + ++ optionals (!versionOlder httpd.version "2.4") [ + "mpm_${mainCfg.multiProcessingModule}" + "unixd" + ] ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ]) ++ optional enableSSL "ssl" ++ extraApacheModules; From a88453fbaa8104502975d40c1b53738f71168b70 Mon Sep 17 00:00:00 2001 From: aszlig Date: Wed, 17 Oct 2012 16:57:18 +0200 Subject: [PATCH 21/24] apache-httpd: Properly wrap access directives. The Order/Deny directives are deprecated in version 2.4, so we're going to define two wrappers for allDenied and allGranted in order to properly generate configurations for both version 2.2 and 2.4. For more information an access control changes, see: http://httpd.apache.org/docs/2.4/upgrading.html#access Signed-off-by: aszlig --- .../web-servers/apache-httpd/default.nix | 37 ++++++++++++------- 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix index 05fada720ba7..29a20cae162b 100644 --- a/modules/services/web-servers/apache-httpd/default.nix +++ b/modules/services/web-servers/apache-httpd/default.nix @@ -116,6 +116,7 @@ let ] ++ optionals (!versionOlder httpd.version "2.4") [ "mpm_${mainCfg.multiProcessingModule}" + "authz_core" "unixd" ] ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ]) @@ -123,6 +124,21 @@ let ++ extraApacheModules; + allDenied = if versionOlder httpd.version "2.4" then '' + Order deny,allow + Deny from all + '' else '' + Require all denied + ''; + + allGranted = if versionOlder httpd.version "2.4" then '' + Order allow,deny + Allow from all + '' else '' + Require all granted + ''; + + loggingConf = '' ErrorLog ${mainCfg.logDir}/error_log 
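Review bot: Adding `authz_core` covers the `Require all granted` / `Require all denied` wrappers introduced in this commit, but on 2.4 the old `Order` / `Allow` / `Deny` directives only parse when `access_compat` is loaded, so any site-specific snippets (extraConfig or per-vhost text, not visible here) that still use them would keep httpd from starting after the upgrade. If those snippets are expected to keep working, add `"access_compat"` next to `"authz_core"` in the version-gated list; otherwise document that 2.4 configurations must use `Require`, e.g. `# 2.4: Order/Allow/Deny are not loaded; user snippets must use Require`. The module list's definition continues outside this hunk.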
@@ -191,8 +207,7 @@ let Options Indexes FollowSymLinks AllowOverride None - Order allow,deny - Allow from all + ${allGranted} ''; @@ -246,12 +261,10 @@ let AllowOverride FileInfo AuthConfig Limit Indexes Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec - Order allow,deny - Allow from all + ${allGranted} - Order deny,allow - Deny from all + ${allDenied} @@ -273,8 +286,7 @@ let Alias ${elem.urlPath} ${elem.dir}/ Options +Indexes - Order allow,deny - Allow from all + ${allGranted} AllowOverride All ''; @@ -326,8 +338,7 @@ let AddHandler type-map var - Order allow,deny - Deny from all + ${allDenied} ${mimeConf} @@ -345,16 +356,14 @@ let Options FollowSymLinks AllowOverride None - Order deny,allow - Deny from all + ${allDenied} # But do allow access to files in the store so that we don't have # to generate clauses for every generated file that we # want to serve. - Order allow,deny - Allow from all + ${allGranted} # Generate directives for the main server. From 5655ec0efa3839217dae12742d585c11d25dd693 Mon Sep 17 00:00:00 2001 From: aszlig Date: Wed, 17 Oct 2012 17:03:50 +0200 Subject: [PATCH 22/24] apache-httpd: Avoid NameVirtualHost in >= v2.4. NameVirtualHost no longer has any effect on version 2.4 and just emits ugly warnings, so let's not use it if we use 2.4. More information: http://httpd.apache.org/docs/2.4/upgrading.html#misc Signed-off-by: aszlig --- modules/services/web-servers/apache-httpd/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix index 29a20cae162b..9a3a3a105411 100644 --- a/modules/services/web-servers/apache-httpd/default.nix +++ b/modules/services/web-servers/apache-httpd/default.nix 
@@ -373,7 +373,9 @@ let ${let ports = map getPort allHosts; uniquePorts = uniqList {inputList = ports;}; - in concatMapStrings (port: "NameVirtualHost *:${toString port}\n") uniquePorts + isNeeded = versionOlder httpd.version "2.4"; + directives = concatMapStrings (port: "NameVirtualHost *:${toString port}\n") uniquePorts; + in optionalString isNeeded directives } ${let From 919e6e55a9c6c98fe408831905a8b91587af0503 Mon Sep 17 00:00:00 2001 From: aszlig Date: Wed, 17 Oct 2012 17:38:43 +0200 Subject: [PATCH 23/24] apache-httpd: Create runtime dir for version 2.4. By default the path is determined related to ServerRoot. Unfortunately ServerRoot is pointing to the Nix store and the web server can't write to it. We now create a directory called "runtime" withen the stateDir and point DefaultRuntimeDir to it. For more information on the DefaultRuntimeDir directive, please see: http://httpd.apache.org/docs/2.4/mod/core.html#defaultruntimedir Signed-off-by: aszlig --- modules/services/web-servers/apache-httpd/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix index 9a3a3a105411..89fd491fd220 100644 --- a/modules/services/web-servers/apache-httpd/default.nix +++ b/modules/services/web-servers/apache-httpd/default.nix @@ -303,6 +303,10 @@ let ServerRoot ${httpd} + ${optionalString (!versionOlder httpd.version "2.4") '' + DefaultRuntimeDir ${mainCfg.stateDir}/runtime + ''} + PidFile ${mainCfg.stateDir}/httpd.pid ${optionalString (mainCfg.multiProcessingModule != "prefork") '' @@ -636,6 +640,10 @@ in '' mkdir -m 0750 -p ${mainCfg.stateDir} chown root.${mainCfg.group} ${mainCfg.stateDir} + ${optionalString (!versionOlder httpd.version "2.4") '' + mkdir -m 0750 -p "${mainCfg.stateDir}/runtime" + chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime" + ''} mkdir -m 0700 -p ${mainCfg.logDir} ${optionalString (mainCfg.documentRoot != null) 
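Review bot: The new `runtime` directory is created `0750` and owned `root.${mainCfg.group}`, which lets the worker processes (presumably running in that group) traverse it but not create anything inside; if I recall the 2.4 defaults correctly, DefaultRuntimeDir is also where the cgid socket lands, so this relies on such files being created by the root parent before privileges are dropped — worth confirming for the non-prefork path and recording, e.g. `# 0750: workers only need to reach files the root parent creates here`. Separately, `chown root.${mainCfg.group}` uses the legacy dot separator; `chown root:${mainCfg.group}` is the portable form, and since the line above it in the hunk uses the same legacy spelling, both should change together.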
From f9831a94c984b1bfdff598299a1b66341a1f9cd2 Mon Sep 17 00:00:00 2001 From: aszlig Date: Wed, 17 Oct 2012 17:47:30 +0200 Subject: [PATCH 24/24] apache-httpd: Simplify all versionOlder calls. We now just have a simple attribute called "version24" which replaces all those pesky versionOlder that were spreading throughout the file and makes things way more readable. Signed-off-by: aszlig --- .../web-servers/apache-httpd/default.nix | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix index 89fd491fd220..1729850421a3 100644 --- a/modules/services/web-servers/apache-httpd/default.nix +++ b/modules/services/web-servers/apache-httpd/default.nix @@ -8,6 +8,8 @@ let httpd = mainCfg.package; + version24 = !versionOlder httpd.version "2.4"; + httpdConf = mainCfg.configFile; php = pkgs.php.override { apacheHttpd = httpd; }; @@ -102,7 +104,7 @@ let # Authentication: is the user who he claims to be? "authn_file" "authn_dbm" "authn_anon" - (if versionOlder httpd.version "2.3" then "authn_alias" else "authn_core") + (if version24 then "authn_core" else "authn_alias") # Authorization: is the user allowed access? "authz_user" "authz_groupfile" "authz_host" @@ -114,7 +116,7 @@ let "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling" "userdir" "alias" "rewrite" "proxy" "proxy_http" ] - ++ optionals (!versionOlder httpd.version "2.4") [ + ++ optionals version24 [ "mpm_${mainCfg.multiProcessingModule}" "authz_core" "unixd" 
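Review bot: Replacing `versionOlder httpd.version "2.3"` with `version24` in the authn entry moves that threshold from 2.3 to 2.4, so a 2.3.x httpd now gets `authn_alias` instead of `authn_core`, which the earlier commit in this series says was removed at 2.3; that is a behaviour change hidden in a commit described as a pure simplification. Either keep the original test for this one entry, `(if versionOlder httpd.version "2.3" then "authn_alias" else "authn_core")`, or state the support assumption in a comment, e.g. `# 2.3.x is treated like 2.2; only 2.4 is supported as the new series`. The module list continues outside the hunk.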
@@ -124,18 +126,18 @@ let ++ extraApacheModules; - allDenied = if versionOlder httpd.version "2.4" then '' + allDenied = if version24 then '' + Require all denied + '' else '' Order deny,allow Deny from all - '' else '' - Require all denied ''; - allGranted = if versionOlder httpd.version "2.4" then '' + allGranted = if version24 then '' + Require all granted + '' else '' Order allow,deny Allow from all - '' else '' - Require all granted ''; @@ -303,7 +305,7 @@ let ServerRoot ${httpd} - ${optionalString (!versionOlder httpd.version "2.4") '' + ${optionalString version24 '' DefaultRuntimeDir ${mainCfg.stateDir}/runtime ''} @@ -377,9 +379,8 @@ let ${let ports = map getPort allHosts; uniquePorts = uniqList {inputList = ports;}; - isNeeded = versionOlder httpd.version "2.4"; directives = concatMapStrings (port: "NameVirtualHost *:${toString port}\n") uniquePorts; - in optionalString isNeeded directives + in optionalString (!version24) directives } ${let @@ -640,7 +641,7 @@ in '' mkdir -m 0750 -p ${mainCfg.stateDir} chown root.${mainCfg.group} ${mainCfg.stateDir} - ${optionalString (!versionOlder httpd.version "2.4") '' + ${optionalString version24 '' mkdir -m 0750 -p "${mainCfg.stateDir}/runtime" chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime" ''}