diff --git a/nixos/modules/services/networking/spiped.nix b/nixos/modules/services/networking/spiped.nix
index ec5908b182f..005d7182351 100644
--- a/nixos/modules/services/networking/spiped.nix
+++ b/nixos/modules/services/networking/spiped.nix
@@ -7,161 +7,169 @@ let
in
{
options = {
- services.spiped = mkOption {
- type = types.attrsOf (types.submodule (
- {
- options = {
- encrypt = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Take unencrypted connections from the
- source socket and send encrypted
- connections to the target socket.
- '';
- };
+ services.spiped = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable the spiped service module.";
+ };
- decrypt = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Take encrypted connections from the
- source socket and send unencrypted
- connections to the target socket.
- '';
- };
+ config = mkOption {
+ type = types.attrsOf (types.submodule (
+ {
+ options = {
+ encrypt = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Take unencrypted connections from the
+ source socket and send encrypted
+ connections to the target socket.
+ '';
+ };
- source = mkOption {
- type = types.str;
- description = ''
- Address on which spiped should listen for incoming
- connections. Must be in one of the following formats:
- /absolute/path/to/unix/socket,
- host.name:port,
- [ip.v4.ad.dr]:port or
- [ipv6::addr]:port - note that
- hostnames are resolved when spiped is launched and are
- not re-resolved later; thus if DNS entries change
- spiped will continue to connect to the expired
- address.
- '';
- };
+ decrypt = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Take encrypted connections from the
+ source socket and send unencrypted
+ connections to the target socket.
+ '';
+ };
- target = mkOption {
- type = types.str;
- description = "Address to which spiped should connect.";
- };
+ source = mkOption {
+ type = types.str;
+ description = ''
+ Address on which spiped should listen for incoming
+ connections. Must be in one of the following formats:
+ /absolute/path/to/unix/socket,
+ host.name:port,
+ [ip.v4.ad.dr]:port or
+ [ipv6::addr]:port - note that
+ hostnames are resolved when spiped is launched and are
+ not re-resolved later; thus if DNS entries change
+ spiped will continue to connect to the expired
+ address.
+ '';
+ };
- keyfile = mkOption {
- type = types.path;
- description = ''
- Name of a file containing the spiped key. As the
- daemon runs as the spiped user, the
- key file must be somewhere owned by that user. By
- default, we recommend putting the keys for any spipe
- services in /var/lib/spiped.
- '';
- };
+ target = mkOption {
+ type = types.str;
+ description = "Address to which spiped should connect.";
+ };
- timeout = mkOption {
- type = types.int;
- default = 5;
- description = ''
- Timeout, in seconds, after which an attempt to connect to
- the target or a protocol handshake will be aborted (and the
- connection dropped) if not completed
- '';
- };
+ keyfile = mkOption {
+ type = types.path;
+ description = ''
+ Name of a file containing the spiped key. As the
+ daemon runs as the spiped user, the
+ key file must be somewhere owned by that user. By
+ default, we recommend putting the keys for any spipe
+ services in /var/lib/spiped.
+ '';
+ };
- maxConns = mkOption {
- type = types.int;
- default = 100;
- description = ''
- Limit on the number of simultaneous connections allowed.
- '';
- };
+ timeout = mkOption {
+ type = types.int;
+ default = 5;
+ description = ''
+ Timeout, in seconds, after which an attempt to connect to
+ the target or a protocol handshake will be aborted (and the
+ connection dropped) if not completed
+ '';
+ };
- waitForDNS = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Wait for DNS. Normally when spiped is
- launched it resolves addresses and binds to its source
- socket before the parent process returns; with this option
- it will daemonize first and retry failed DNS lookups until
- they succeed. This allows spiped to
- launch even if DNS isn't set up yet, but at the expense of
- losing the guarantee that once spiped has
- finished launching it will be ready to create pipes.
- '';
- };
+ maxConns = mkOption {
+ type = types.int;
+ default = 100;
+ description = ''
+ Limit on the number of simultaneous connections allowed.
+ '';
+ };
- disableKeepalives = mkOption {
- type = types.bool;
- default = false;
- description = "Disable transport layer keep-alives.";
- };
+ waitForDNS = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Wait for DNS. Normally when spiped is
+ launched it resolves addresses and binds to its source
+ socket before the parent process returns; with this option
+ it will daemonize first and retry failed DNS lookups until
+ they succeed. This allows spiped to
+ launch even if DNS isn't set up yet, but at the expense of
+ losing the guarantee that once spiped has
+ finished launching it will be ready to create pipes.
+ '';
+ };
- weakHandshake = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Use fast/weak handshaking: This reduces the CPU time spent
- in the initial connection setup, at the expense of losing
- perfect forward secrecy.
- '';
- };
+ disableKeepalives = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Disable transport layer keep-alives.";
+ };
- resolveRefresh = mkOption {
- type = types.int;
- default = 60;
- description = ''
- Resolution refresh time for the target socket, in seconds.
- '';
- };
+ weakHandshake = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Use fast/weak handshaking: This reduces the CPU time spent
+ in the initial connection setup, at the expense of losing
+ perfect forward secrecy.
+ '';
+ };
- disableReresolution = mkOption {
- type = types.bool;
- default = false;
- description = "Disable target address re-resolution.";
- };
- };
- }
- ));
+ resolveRefresh = mkOption {
+ type = types.int;
+ default = 60;
+ description = ''
+ Resolution refresh time for the target socket, in seconds.
+ '';
+ };
- default = {};
-
- example = literalExample ''
- {
- pipe1 =
- { keyfile = "/var/lib/spiped/pipe1.key";
- encrypt = true;
- source = "localhost:6000";
- target = "endpoint.example.com:7000";
+ disableReresolution = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Disable target address re-resolution.";
+ };
};
- pipe2 =
- { keyfile = "/var/lib/spiped/pipe2.key";
- decrypt = true;
- source = "0.0.0.0:7000";
- target = "localhost:3000";
- };
- }
- '';
+ }
+ ));
- description = ''
- Configuration for a secure pipe daemon. The daemon can be
- started, stopped, or examined using
- systemctl, under the name
- spiped@foo.
- '';
+ default = {};
+
+ example = literalExample ''
+ {
+ pipe1 =
+ { keyfile = "/var/lib/spiped/pipe1.key";
+ encrypt = true;
+ source = "localhost:6000";
+ target = "endpoint.example.com:7000";
+ };
+ pipe2 =
+ { keyfile = "/var/lib/spiped/pipe2.key";
+ decrypt = true;
+ source = "0.0.0.0:7000";
+ target = "localhost:3000";
+ };
+ }
+ '';
+
+ description = ''
+ Configuration for a secure pipe daemon. The daemon can be
+ started, stopped, or examined using
+ systemctl, under the name
+ spiped@foo.
+ '';
+ };
};
};
- config = {
+ config = mkIf cfg.enable {
assertions = mapAttrsToList (name: c: {
assertion = (c.encrypt -> !c.decrypt) || (c.decrypt -> c.encrypt);
message = "A pipe must either encrypt or decrypt";
- }) cfg;
+ }) cfg.config;
users.extraGroups.spiped.gid = config.ids.gids.spiped;
users.extraUsers.spiped = {
@@ -189,7 +197,7 @@ in
script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`";
};
- system.activationScripts.spiped = optionalString (cfg != {})
+ system.activationScripts.spiped = optionalString (cfg.config != {})
"mkdir -p /var/lib/spiped";
# Setup spiped config files
@@ -207,6 +215,6 @@ in
(if cfg.disableReresolution then "-R"
else "-r ${toString cfg.resolveRefresh}")
];
- }) cfg;
+ }) cfg.config;
};
}