From b2be363fea1016a28085de22dd386307edbe0409 Mon Sep 17 00:00:00 2001
From: gnidorah
Date: Tue, 27 Mar 2018 19:43:11 +0300
Subject: [PATCH 1/5] nixos/hans: init
---
 nixos/modules/module-list.nix | 1 +
 nixos/modules/services/networking/hans.nix | 132 +++++++++++++++++++++
 2 files changed, 133 insertions(+)
 create mode 100644 nixos/modules/services/networking/hans.nix
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index e7f28c670be..f9e73acbc53 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -483,6 +483,7 @@
 ./services/networking/gnunet.nix
 ./services/networking/gogoclient.nix
 ./services/networking/gvpe.nix
+ ./services/networking/hans.nix
 ./services/networking/haproxy.nix
 ./services/networking/heyefi.nix
 ./services/networking/hostapd.nix
diff --git a/nixos/modules/services/networking/hans.nix b/nixos/modules/services/networking/hans.nix
new file mode 100644
index 00000000000..24a7edaea45
--- /dev/null
+++ b/nixos/modules/services/networking/hans.nix
@@ -0,0 +1,132 @@
+# NixOS module for hans, ip over icmp daemon
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.hans;
+
+ hansUser = "hans";
+
+in
+{
+
+ ### configuration
+
+ options = {
+
+ services.hans = {
+ clients = mkOption {
+ default = {};
+ description = ''
+ Each attribute of this option defines a systemd service that
+ runs hans. Many or none may be defined.
+ The name of each service is
+ hans-name
+ where name is the name of the
+ corresponding attribute name.
+ '';
+ example = literalExample ''
+ {
+ foo = {
+ server = "192.0.2.1";
+ extraConfig = "-p mysecurepassword";
+ }
+ }
+ '';
+ type = types.attrsOf (types.submodule (
+ {
+ options = {
+ server = mkOption {
+ type = types.str;
+ default = "";
+ description = "IP address of server running hans";
+ example = "192.0.2.1";
+ };
+
+ extraConfig = mkOption {
+ type = types.str;
+ default = "";
+ description = "Additional command line parameters";
+ example = "-p mysecurepassword";
+ };
+ };
+ }));
+ };
+
+ server = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "enable hans server";
+ };
+
+ ip = mkOption {
+ type = types.str;
+ default = "";
+ description = "The assigned ip range";
+ example = "198.51.100.0";
+ };
+
+ systemPings = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Respond to ordinary pings";
+ };
+
+ extraConfig = mkOption {
+ type = types.str;
+ default = "";
+ description = "Additional command line parameters";
+ example = "-p mysecurepassword";
+ };
+ };
+
+ };
+ };
+
+ ### implementation
+
+ config = mkIf (cfg.server.enable || cfg.clients != {}) {
+ boot.kernel.sysctl = optionalAttrs cfg.server.systemPings {
+ "net.ipv4.icmp_echo_ignore_all" = 1;
+ };
+
+ boot.kernelModules = [ "tun" ];
+
+ systemd.services =
+ let
+ createHansClientService = name: cfg:
+ {
+ description = "hans client - ${name}";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ RestartSec = 
"30s"; + Restart = "always"; + ExecStart = "${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.extraConfig} -c ${cfg.server}"; + }; + }; + in + listToAttrs ( + mapAttrsToList + (name: value: nameValuePair "hans-${name}" (createHansClientService name value)) + cfg.clients + ) // { + hans = mkIf (cfg.server.enable) { + description = "hans, ip over icmp server daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = "${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.server.extraConfig} -s ${cfg.server.ip} ${optionalString cfg.server.systemPings "-r"}"; + }; + }; + + users.extraUsers = singleton { + name = hansUser; + description = "Hans daemon user"; + }; + }; + + meta.maintainers = with maintainers; [ gnidorah ]; +} From 16c5866ceced4a9f0c5c4ea0f09d6e7d9dd5693b Mon Sep 17 00:00:00 2001 From: gnidorah Date: Tue, 27 Mar 2018 22:23:36 +0300 Subject: [PATCH 2/5] nixos/hans: passwordFile option #24288 --- nixos/modules/services/networking/hans.nix | 39 +++++++++++++++++++--- 1 file changed, 34 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/networking/hans.nix b/nixos/modules/services/networking/hans.nix index 24a7edaea45..1b54a822aae 100644 --- a/nixos/modules/services/networking/hans.nix +++ b/nixos/modules/services/networking/hans.nix @@ -31,7 +31,7 @@ in { foo = { server = "192.0.2.1"; - extraConfig = "-p mysecurepassword"; + extraConfig = "-v"; } } ''; @@ -49,8 +49,15 @@ in type = types.str; default = ""; description = "Additional command line parameters"; - example = "-p mysecurepassword"; + example = "-v"; }; + + passwordFile = mkOption { + type = types.str; + default = ""; + description = "File that containts password"; + }; + }; })); }; 
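Review bot: `server` (per client) and `server.ip` in the new hans.nix are declared with `default = ""`, yet they are mandatory for any defined client or enabled server, so an unset value evaluates cleanly and only fails at runtime as `-c ` / `-s ` with no argument, which `Restart = "always"` then turns into a 30-second restart loop; dropping the `default = "";` line from both options lets the module system report the missing value at evaluation time instead. The client factory `createHansClientService = name: cfg:` shadows the module-level `cfg = config.services.hans;` with the per-client submodule config, which reads fine here but makes it easy to reach for the wrong `cfg` in code added next to it — a parameter name such as `clientCfg` would keep the two apart.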
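Review bot: The description of the new client `passwordFile` option has a typo (`containts`) and does not say what the option is for, namely that the file is read when the service starts so the password stays out of the world-readable Nix store, unlike a `-p` in `extraConfig`; suggest `description = "Path to a file containing the password. It is read at service start, so the password does not end up in the Nix store.";`. Since `""` is used as the unset sentinel, `types.nullOr types.str` with `default = null;` would be the more idiomatic declaration, though that also means changing the `!= ""` checks in the service definitions. The same applies to the server option in the next hunk (`@@ -79,7 +86,13 @@`) and to both iodine option hunks in patch 3.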
@@ -79,7 +86,13 @@ in type = types.str; default = ""; description = "Additional command line parameters"; - example = "-p mysecurepassword"; + example = "-v"; + }; + + passwordFile = mkOption { + type = types.str; + default = ""; + description = "File that containts password"; }; }; @@ -102,10 +115,18 @@ in description = "hans client - ${name}"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; + preStart = '' + cat > /run/hans/${name}-script << EOF + #!/bin/sh + ${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.extraConfig} -c ${cfg.server} ${optionalString (cfg.passwordFile != "") "-p $(cat \"${cfg.passwordFile}\")"} + EOF + chmod 700 /run/hans/${name}-script + ''; + script = "/run/hans/${name}-script"; serviceConfig = { RestartSec = "30s"; Restart = "always"; - ExecStart = "${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.extraConfig} -c ${cfg.server}"; + RuntimeDirectory = [ "hans" ]; }; }; in @@ -118,7 +139,15 @@ in description = "hans, ip over icmp server daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = "${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.server.extraConfig} -s ${cfg.server.ip} ${optionalString cfg.server.systemPings "-r"}"; + preStart = '' + cat > /run/hans/script << EOF + #!/bin/sh + ${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.server.extraConfig} -s ${cfg.server.ip} ${optionalString cfg.server.systemPings "-r"} ${optionalString (cfg.passwordFile != "") "-p $(cat \"${cfg.passwordFile}\")"} + EOF + chmod 700 /run/hans/script + ''; + script = "/run/hans/script"; + serviceConfig.RuntimeDirectory = [ "hans" ]; }; }; From 276d10dae6b14e457c8206e9e292ce8341434520 Mon Sep 17 00:00:00 2001 From: gnidorah Date: Tue, 27 Mar 2018 22:42:37 +0300 Subject: [PATCH 3/5] nixos/iodine: passwordFile option #24288 --- nixos/modules/services/networking/iodine.nix | 38 +++++++++++++++++--- 1 file changed, 33 insertions(+), 5 deletions(-) 
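Review bot: The heredoc in the new client `preStart` is unquoted (`<< EOF`), so `$(cat "${cfg.passwordFile}")` is expanded while the script file is being written and the plaintext password lands in `/run/hans/${name}-script`; that file is created with the service's umask (0022 by default) inside a RuntimeDirectory that is 0755 unless `RuntimeDirectoryMode` is set, and only afterwards `chmod 700`, so there is a window in which other local users can read it. Quoting the delimiter, `cat > /run/hans/${name}-script << 'EOF'`, defers the expansion to when the script runs, and a `umask 077` before the `cat` closes the window; patch 4 of this series drops the intermediate file altogether, which is the cleaner fix. The server hunk below and the two iodine hunks in patch 3 have the same shape.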
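Review bot: The server `preStart` references `cfg.passwordFile`, but the option this patch declares for the server lives under `services.hans.server` (the `@@ -79,7 +86,13 @@` hunk adds it next to the server's `extraConfig`), and in this block `cfg` is the module-level `config.services.hans`, not the per-client `cfg` parameter of `createHansClientService`; evaluating a configuration with `server.enable = true` would therefore fail with a missing-attribute error for `passwordFile`. It should read `${optionalString (cfg.server.passwordFile != "") "-p $(cat \"${cfg.server.passwordFile}\")"}`. The same mismatch is in the iodined hunk of patch 3 (`@@ -124,7 +144,15 @@`), is carried over by both server hunks of patch 4, and survives the `respondToSystemPings` hunk of patch 5. The enclosing `hans = mkIf (cfg.server.enable) { ... }` attribute starts just before this hunk.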
diff --git a/nixos/modules/services/networking/iodine.nix b/nixos/modules/services/networking/iodine.nix index 512dbd77ae4..66569a7e912 100644 --- a/nixos/modules/services/networking/iodine.nix +++ b/nixos/modules/services/networking/iodine.nix @@ -32,7 +32,7 @@ in foo = { server = "tunnel.mdomain.com"; relay = "8.8.8.8"; - extraConfig = "-P mysecurepassword"; + extraConfig = "-v"; } } ''; @@ -57,7 +57,13 @@ in type = types.str; default = ""; description = "Additional command line parameters"; - example = "-P mysecurepassword -l 192.168.1.10 -p 23"; + example = "-l 192.168.1.10 -p 23"; + }; + + passwordFile = mkOption { + type = types.str; + default = ""; + description = "File that containts password"; }; }; })); @@ -88,7 +94,13 @@ in type = types.str; default = ""; description = "Additional command line parameters"; - example = "-P mysecurepassword -l 192.168.1.10 -p 23"; + example = "-l 192.168.1.10 -p 23"; + }; + + passwordFile = mkOption { + type = types.str; + default = ""; + description = "File that containts password"; }; }; @@ -108,10 +120,18 @@ in description = "iodine client - ${name}"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; + preStart = '' + cat > /run/iodine/${name}-script << EOF + #!/bin/sh + ${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${optionalString (cfg.passwordFile != "") "-P $(cat \"${cfg.passwordFile}\")"} ${cfg.relay} ${cfg.server} + EOF + chmod 700 /run/iodine/${name}-script + ''; + script = "/run/iodine/${name}-script"; serviceConfig = { RestartSec = "30s"; Restart = "always"; - ExecStart = "${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${cfg.relay} ${cfg.server}"; + RuntimeDirectory = [ "iodine" ]; }; }; in 
@@ -124,7 +144,15 @@ in description = "iodine, ip over dns server daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = "${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${cfg.server.ip} ${cfg.server.domain}"; + preStart = '' + cat > /run/iodined/script << EOF + #!/bin/sh + ${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.passwordFile != "") "-P $(cat \"${cfg.passwordFile}\")"} ${cfg.server.ip} ${cfg.server.domain} + EOF + chmod 700 /run/iodined/script + ''; + script = "/run/iodined/script"; + serviceConfig.RuntimeDirectory = [ "iodined" ]; }; }; From 33c34aff2fb42268f45c5563f767266e27c58a9b Mon Sep 17 00:00:00 2001 From: gnidorah Date: Wed, 28 Mar 2018 08:32:29 +0300 Subject: [PATCH 4/5] hans, iodine: correct script --- nixos/modules/services/networking/hans.nix | 20 ++------------------ nixos/modules/services/networking/iodine.nix | 20 ++------------------ 2 files changed, 4 insertions(+), 36 deletions(-) diff --git a/nixos/modules/services/networking/hans.nix b/nixos/modules/services/networking/hans.nix index 1b54a822aae..4579154d78f 100644 --- a/nixos/modules/services/networking/hans.nix +++ b/nixos/modules/services/networking/hans.nix @@ -115,18 +115,10 @@ in description = "hans client - ${name}"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - preStart = '' - cat > /run/hans/${name}-script << EOF - #!/bin/sh - ${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.extraConfig} -c ${cfg.server} ${optionalString (cfg.passwordFile != "") "-p $(cat \"${cfg.passwordFile}\")"} - EOF - chmod 700 /run/hans/${name}-script - ''; - script = "/run/hans/${name}-script"; + script = "${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.extraConfig} -c ${cfg.server} ${optionalString (cfg.passwordFile != "") "-p $(cat \"${cfg.passwordFile}\")"}"; serviceConfig = { RestartSec = "30s"; Restart = "always"; - RuntimeDirectory = [ "hans" ]; }; }; in 
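Review bot: In the new one-line client `script`, the command substitution `$(cat \"${cfg.passwordFile}\")` is not itself quoted, so a password containing whitespace or glob characters is split into several arguments or expanded against the working directory before hans sees it; writing it as `-p \"$(cat \"${cfg.passwordFile}\")\"` passes the file content as a single argument. Moving from a generated file to `script` keeps the password out of the Nix store, but it is still handed to the daemon in argv, where any local user can read it from the process list unless hans itself blanks the argument, which I cannot confirm from here — worth a sentence in the `passwordFile` description so users know what the option does and does not protect. The same unquoted substitution is in the server hunk below and in both iodine hunks of this patch, and patch 5 carries it forward.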
@@ -139,15 +131,7 @@ in description = "hans, ip over icmp server daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - preStart = '' - cat > /run/hans/script << EOF - #!/bin/sh - ${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.server.extraConfig} -s ${cfg.server.ip} ${optionalString cfg.server.systemPings "-r"} ${optionalString (cfg.passwordFile != "") "-p $(cat \"${cfg.passwordFile}\")"} - EOF - chmod 700 /run/hans/script - ''; - script = "/run/hans/script"; - serviceConfig.RuntimeDirectory = [ "hans" ]; + script = "${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.server.extraConfig} -s ${cfg.server.ip} ${optionalString cfg.server.systemPings "-r"} ${optionalString (cfg.passwordFile != "") "-p $(cat \"${cfg.passwordFile}\")"}"; }; }; diff --git a/nixos/modules/services/networking/iodine.nix b/nixos/modules/services/networking/iodine.nix index 66569a7e912..709c36ee54f 100644 --- a/nixos/modules/services/networking/iodine.nix +++ b/nixos/modules/services/networking/iodine.nix @@ -120,18 +120,10 @@ in description = "iodine client - ${name}"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - preStart = '' - cat > /run/iodine/${name}-script << EOF - #!/bin/sh - ${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${optionalString (cfg.passwordFile != "") "-P $(cat \"${cfg.passwordFile}\")"} ${cfg.relay} ${cfg.server} - EOF - chmod 700 /run/iodine/${name}-script - ''; - script = "/run/iodine/${name}-script"; + script = "${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${optionalString (cfg.passwordFile != "") "-P $(cat \"${cfg.passwordFile}\")"} ${cfg.relay} ${cfg.server}"; serviceConfig = { RestartSec = "30s"; Restart = "always"; - RuntimeDirectory = [ "iodine" ]; }; }; in 
@@ -144,15 +136,7 @@ in description = "iodine, ip over dns server daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - preStart = '' - cat > /run/iodined/script << EOF - #!/bin/sh - ${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.passwordFile != "") "-P $(cat \"${cfg.passwordFile}\")"} ${cfg.server.ip} ${cfg.server.domain} - EOF - chmod 700 /run/iodined/script - ''; - script = "/run/iodined/script"; - serviceConfig.RuntimeDirectory = [ "iodined" ]; + script = "${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.passwordFile != "") "-P $(cat \"${cfg.passwordFile}\")"} ${cfg.server.ip} ${cfg.server.domain}"; }; }; From 30a56d72db90914272d023eb5ede7fb5d8c842fb Mon Sep 17 00:00:00 2001 From: gnidorah Date: Wed, 28 Mar 2018 09:13:09 +0300 Subject: [PATCH 5/5] hans: rename option --- nixos/modules/services/networking/hans.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nixos/modules/services/networking/hans.nix b/nixos/modules/services/networking/hans.nix index 4579154d78f..56c30a6b96e 100644 --- a/nixos/modules/services/networking/hans.nix +++ b/nixos/modules/services/networking/hans.nix @@ -76,10 +76,10 @@ in example = "198.51.100.0"; }; - systemPings = mkOption { + respondToSystemPings = mkOption { type = types.bool; default = false; - description = "Respond to ordinary pings"; + description = "Force hans respond to ordinary pings"; }; extraConfig = mkOption { @@ -102,7 +102,7 @@ in ### implementation config = mkIf (cfg.server.enable || cfg.clients != {}) { - boot.kernel.sysctl = optionalAttrs cfg.server.systemPings { + boot.kernel.sysctl = optionalAttrs cfg.server.respondToSystemPings { "net.ipv4.icmp_echo_ignore_all" = 1; }; 
@@ -131,7 +131,7 @@ in description = "hans, ip over icmp server daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - script = "${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.server.extraConfig} -s ${cfg.server.ip} ${optionalString cfg.server.systemPings "-r"} ${optionalString (cfg.passwordFile != "") "-p $(cat \"${cfg.passwordFile}\")"}"; + script = "${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.server.extraConfig} -s ${cfg.server.ip} ${optionalString cfg.server.respondToSystemPings "-r"} ${optionalString (cfg.passwordFile != "") "-p $(cat \"${cfg.passwordFile}\")"}"; }; };