nixpkgs/nixos/modules/services/networking/pppd.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.pppd;
in
{
  meta = {
    maintainers = with maintainers; [ danderson ];
  };

  options = {
    services.pppd = {
      enable = mkEnableOption "pppd";

      package = mkOption {
        default = pkgs.ppp;
        defaultText = "pkgs.ppp";
        type = types.package;
        description = "pppd package to use.";
      };

      peers = mkOption {
        default = {};
        description = "pppd peers.";
        type = types.attrsOf (types.submodule (
          { name, ... }:
          {
            options = {
              name = mkOption {
                type = types.str;
                default = name;
                example = "dialup";
                description = "Name of the PPP peer.";
              };

              enable = mkOption {
                type = types.bool;
                default = true;
                example = false;
                description = "Whether to enable this PPP peer.";
              };

              autostart = mkOption {
                type = types.bool;
                default = true;
                example = false;
                description = "Whether the PPP session is automatically started at boot time.";
              };

              config = mkOption {
                type = types.lines;
                default = "";
                description = "pppd configuration for this peer, see the pppd(8) man page.";
              };
            };
          }));
      };
    };
  };

  config = let
    enabledConfigs = filter (f: f.enable) (attrValues cfg.peers);

    mkEtc = peerCfg: {
      name = "ppp/peers/${peerCfg.name}";
      value.text = peerCfg.config;
    };

    mkSystemd = peerCfg: {
      name = "pppd-${peerCfg.name}";
      value = {
        restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ];
        before = [ "network.target" ];
        wants = [ "network.target" ];
        after = [ "network-pre.target" ];
        environment = {
          # pppd likes to write directly into /var/run. This is rude
          # on a modern system, so we use libredirect to transparently
          # move those files into /run/pppd.
          LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
          NIX_REDIRECTS = "/var/run=/run/pppd";
        };
        serviceConfig = {
          ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
          Restart = "always";
          RestartSec = 5;

          AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
          CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
          KeyringMode = "private";
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          NoNewPrivileges = true;
          PrivateMounts = true;
          PrivateTmp = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelModules = true;
          # pppd can be configured to tweak kernel settings.
          ProtectKernelTunables = false;
          ProtectSystem = "strict";
          RemoveIPC = true;
          RestrictAddressFamilies = "AF_PACKET AF_UNIX AF_PPPOX AF_ATMPVC AF_ATMSVC AF_INET AF_INET6 AF_IPX";
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SecureBits = "no-setuid-fixup-locked noroot-locked";
          SystemCallFilter = "@system-service";
          SystemCallArchitectures = "native";

          # All pppd instances on a system must share a runtime
          # directory in order for PPP multilink to work correctly. So
          # we give all instances the same /run/pppd directory to store
          # things in.
          #
          # For the same reason, we can't set PrivateUsers=true, because
          # all instances need to run as the same user to access the
          # multilink database.
          RuntimeDirectory = "pppd";
          RuntimeDirectoryPreserve = true;
        };
        wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ];
      };
    };

    etcFiles = listToAttrs (map mkEtc enabledConfigs);
    systemdConfigs = listToAttrs (map mkSystemd enabledConfigs);

  in mkIf cfg.enable {
    environment.etc = etcFiles;
    systemd.services = systemdConfigs;
  };
}
nixos/pppd: init 2019-10-14 01:59:50 -07:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
			`cfg = config.services.pppd;`
			`in`
			`{`
			`meta = {`
			`maintainers = with maintainers; [ danderson ];`
			`};`

			`options = {`
			`services.pppd = {`
			`enable = mkEnableOption "pppd";`

			`package = mkOption {`
			`default = pkgs.ppp;`
			`defaultText = "pkgs.ppp";`
			`type = types.package;`
			`description = "pppd package to use.";`
			`};`

			`peers = mkOption {`
			`default = {};`
nixos/pppd: add description for peers, unbreaks metrics job and channel services.pppd.peers was lacking a description, causing a trace warning resulting in a parse error in the metrics job. 2019-10-17 13:59:52 +02:00			`description = "pppd peers.";`
nixos/pppd: init 2019-10-14 01:59:50 -07:00			`type = types.attrsOf (types.submodule (`
			`{ name, ... }:`
			`{`
			`options = {`
			`name = mkOption {`
			`type = types.str;`
			`default = name;`
			`example = "dialup";`
			`description = "Name of the PPP peer.";`
			`};`

			`enable = mkOption {`
			`type = types.bool;`
			`default = true;`
			`example = false;`
			`description = "Whether to enable this PPP peer.";`
			`};`

			`autostart = mkOption {`
			`type = types.bool;`
			`default = true;`
			`example = false;`
			`description = "Whether the PPP session is automatically started at boot time.";`
			`};`

			`config = mkOption {`
			`type = types.lines;`
			`default = "";`
			`description = "pppd configuration for this peer, see the pppd(8) man page.";`
			`};`
			`};`
			`}));`
			`};`
			`};`
			`};`

			`config = let`
			`enabledConfigs = filter (f: f.enable) (attrValues cfg.peers);`

			`mkEtc = peerCfg: {`
treewide: use attrs instead of list for types.loaOf options 2019-09-14 19:51:29 +02:00			`name = "ppp/peers/${peerCfg.name}";`
			`value.text = peerCfg.config;`
nixos/pppd: init 2019-10-14 01:59:50 -07:00			`};`

			`mkSystemd = peerCfg: {`
treewide: use attrs instead of list for types.loaOf options 2019-09-14 19:51:29 +02:00			`name = "pppd-${peerCfg.name}";`
			`value = {`
nixos/pppd: init 2019-10-14 01:59:50 -07:00			`restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ];`
			`before = [ "network.target" ];`
			`wants = [ "network.target" ];`
			`after = [ "network-pre.target" ];`
			`environment = {`
			`# pppd likes to write directly into /var/run. This is rude`
			`# on a modern system, so we use libredirect to transparently`
			`# move those files into /run/pppd.`
			`LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";`
			`NIX_REDIRECTS = "/var/run=/run/pppd";`
			`};`
			`serviceConfig = {`
			`ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";`
			`Restart = "always";`
			`RestartSec = 5;`

			`AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";`
			`CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";`
			`KeyringMode = "private";`
			`LockPersonality = true;`
			`MemoryDenyWriteExecute = true;`
			`NoNewPrivileges = true;`
			`PrivateMounts = true;`
			`PrivateTmp = true;`
			`ProtectControlGroups = true;`
			`ProtectHome = true;`
			`ProtectHostname = true;`
			`ProtectKernelModules = true;`
			`# pppd can be configured to tweak kernel settings.`
			`ProtectKernelTunables = false;`
			`ProtectSystem = "strict";`
			`RemoveIPC = true;`
			`RestrictAddressFamilies = "AF_PACKET AF_UNIX AF_PPPOX AF_ATMPVC AF_ATMSVC AF_INET AF_INET6 AF_IPX";`
			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`RestrictSUIDSGID = true;`
			`SecureBits = "no-setuid-fixup-locked noroot-locked";`
			`SystemCallFilter = "@system-service";`
			`SystemCallArchitectures = "native";`

			`# All pppd instances on a system must share a runtime`
			`# directory in order for PPP multilink to work correctly. So`
			`# we give all instances the same /run/pppd directory to store`
			`# things in.`
			`#`
			`# For the same reason, we can't set PrivateUsers=true, because`
			`# all instances need to run as the same user to access the`
			`# multilink database.`
			`RuntimeDirectory = "pppd";`
			`RuntimeDirectoryPreserve = true;`
			`};`
			`wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ];`
			`};`
			`};`

treewide: use attrs instead of list for types.loaOf options 2019-09-14 19:51:29 +02:00			`etcFiles = listToAttrs (map mkEtc enabledConfigs);`
			`systemdConfigs = listToAttrs (map mkSystemd enabledConfigs);`
nixos/pppd: init 2019-10-14 01:59:50 -07:00
			`in mkIf cfg.enable {`
nixos/pppd: fix build error 2020-02-14 10:42:49 +08:00			`environment.etc = etcFiles;`
			`systemd.services = systemdConfigs;`
nixos/pppd: init 2019-10-14 01:59:50 -07:00			`};`
			`}`