nixos: only enable spipe when user specifies

Signed-off-by: Austin Seipp <aseipp@pobox.com>
Austin Seipp 2014-04-19 19:34:18 -05:00
parent 33eced411f
commit b470c93c1e


@ -7,161 +7,169 @@ let
in in
{ {
options = { options = {
services.spiped = mkOption { services.spiped = {
type = types.attrsOf (types.submodule ( enable = mkOption {
{ type = types.bool;
options = { default = false;
encrypt = mkOption { description = "Enable the spiped service module.";
type = types.bool; };
default = false;
description = ''
Take unencrypted connections from the
<literal>source</literal> socket and send encrypted
connections to the <literal>target</literal> socket.
'';
};
decrypt = mkOption { config = mkOption {
type = types.bool; type = types.attrsOf (types.submodule (
default = false; {
description = '' options = {
Take encrypted connections from the encrypt = mkOption {
<literal>source</literal> socket and send unencrypted type = types.bool;
connections to the <literal>target</literal> socket. default = false;
''; description = ''
}; Take unencrypted connections from the
<literal>source</literal> socket and send encrypted
connections to the <literal>target</literal> socket.
'';
};
source = mkOption { decrypt = mkOption {
type = types.str; type = types.bool;
description = '' default = false;
Address on which spiped should listen for incoming description = ''
connections. Must be in one of the following formats: Take encrypted connections from the
<literal>/absolute/path/to/unix/socket</literal>, <literal>source</literal> socket and send unencrypted
<literal>host.name:port</literal>, connections to the <literal>target</literal> socket.
<literal>[ip.v4.ad.dr]:port</literal> or '';
<literal>[ipv6::addr]:port</literal> - note that };
hostnames are resolved when spiped is launched and are
not re-resolved later; thus if DNS entries change
spiped will continue to connect to the expired
address.
'';
};
target = mkOption { source = mkOption {
type = types.str; type = types.str;
description = "Address to which spiped should connect."; description = ''
}; Address on which spiped should listen for incoming
connections. Must be in one of the following formats:
<literal>/absolute/path/to/unix/socket</literal>,
<literal>host.name:port</literal>,
<literal>[ip.v4.ad.dr]:port</literal> or
<literal>[ipv6::addr]:port</literal> - note that
hostnames are resolved when spiped is launched and are
not re-resolved later; thus if DNS entries change
spiped will continue to connect to the expired
address.
'';
};
keyfile = mkOption { target = mkOption {
type = types.path; type = types.str;
description = '' description = "Address to which spiped should connect.";
Name of a file containing the spiped key. As the };
daemon runs as the <literal>spiped</literal> user, the
key file must be somewhere owned by that user. By
default, we recommend putting the keys for any spipe
services in <literal>/var/lib/spiped</literal>.
'';
};
timeout = mkOption { keyfile = mkOption {
type = types.int; type = types.path;
default = 5; description = ''
description = '' Name of a file containing the spiped key. As the
Timeout, in seconds, after which an attempt to connect to daemon runs as the <literal>spiped</literal> user, the
the target or a protocol handshake will be aborted (and the key file must be somewhere owned by that user. By
connection dropped) if not completed default, we recommend putting the keys for any spipe
''; services in <literal>/var/lib/spiped</literal>.
}; '';
};
maxConns = mkOption { timeout = mkOption {
type = types.int; type = types.int;
default = 100; default = 5;
description = '' description = ''
Limit on the number of simultaneous connections allowed. Timeout, in seconds, after which an attempt to connect to
''; the target or a protocol handshake will be aborted (and the
}; connection dropped) if not completed
'';
};
waitForDNS = mkOption { maxConns = mkOption {
type = types.bool; type = types.int;
default = false; default = 100;
description = '' description = ''
Wait for DNS. Normally when <literal>spiped</literal> is Limit on the number of simultaneous connections allowed.
launched it resolves addresses and binds to its source '';
socket before the parent process returns; with this option };
it will daemonize first and retry failed DNS lookups until
they succeed. This allows <literal>spiped</literal> to
launch even if DNS isn't set up yet, but at the expense of
losing the guarantee that once <literal>spiped</literal> has
finished launching it will be ready to create pipes.
'';
};
disableKeepalives = mkOption { waitForDNS = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = "Disable transport layer keep-alives."; description = ''
}; Wait for DNS. Normally when <literal>spiped</literal> is
launched it resolves addresses and binds to its source
socket before the parent process returns; with this option
it will daemonize first and retry failed DNS lookups until
they succeed. This allows <literal>spiped</literal> to
launch even if DNS isn't set up yet, but at the expense of
losing the guarantee that once <literal>spiped</literal> has
finished launching it will be ready to create pipes.
'';
};
weakHandshake = mkOption { disableKeepalives = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = "Disable transport layer keep-alives.";
Use fast/weak handshaking: This reduces the CPU time spent };
in the initial connection setup, at the expense of losing
perfect forward secrecy.
'';
};
resolveRefresh = mkOption { weakHandshake = mkOption {
type = types.int; type = types.bool;
default = 60; default = false;
description = '' description = ''
Resolution refresh time for the target socket, in seconds. Use fast/weak handshaking: This reduces the CPU time spent
''; in the initial connection setup, at the expense of losing
}; perfect forward secrecy.
'';
};
disableReresolution = mkOption { resolveRefresh = mkOption {
type = types.bool; type = types.int;
default = false; default = 60;
description = "Disable target address re-resolution."; description = ''
}; Resolution refresh time for the target socket, in seconds.
}; '';
} };
));
default = {}; disableReresolution = mkOption {
type = types.bool;
example = literalExample '' default = false;
{ description = "Disable target address re-resolution.";
pipe1 = };
{ keyfile = "/var/lib/spiped/pipe1.key";
encrypt = true;
source = "localhost:6000";
target = "endpoint.example.com:7000";
}; };
pipe2 = }
{ keyfile = "/var/lib/spiped/pipe2.key"; ));
decrypt = true;
source = "0.0.0.0:7000";
target = "localhost:3000";
};
}
'';
description = '' default = {};
Configuration for a secure pipe daemon. The daemon can be
started, stopped, or examined using example = literalExample ''
<literal>systemctl</literal>, under the name {
<literal>spiped@foo</literal>. pipe1 =
''; { keyfile = "/var/lib/spiped/pipe1.key";
encrypt = true;
source = "localhost:6000";
target = "endpoint.example.com:7000";
};
pipe2 =
{ keyfile = "/var/lib/spiped/pipe2.key";
decrypt = true;
source = "0.0.0.0:7000";
target = "localhost:3000";
};
}
'';
description = ''
Configuration for a secure pipe daemon. The daemon can be
started, stopped, or examined using
<literal>systemctl</literal>, under the name
<literal>spiped@foo</literal>.
'';
};
}; };
}; };
config = { config = mkIf cfg.enable {
assertions = mapAttrsToList (name: c: { assertions = mapAttrsToList (name: c: {
assertion = (c.encrypt -> !c.decrypt) || (c.decrypt -> c.encrypt); assertion = (c.encrypt -> !c.decrypt) || (c.decrypt -> c.encrypt);
message = "A pipe must either encrypt or decrypt"; message = "A pipe must either encrypt or decrypt";
}) cfg; }) cfg.config;
users.extraGroups.spiped.gid = config.ids.gids.spiped; users.extraGroups.spiped.gid = config.ids.gids.spiped;
users.extraUsers.spiped = { users.extraUsers.spiped = {
@ -189,7 +197,7 @@ in
script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`"; script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`";
}; };
system.activationScripts.spiped = optionalString (cfg != {}) system.activationScripts.spiped = optionalString (cfg.config != {})
"mkdir -p /var/lib/spiped"; "mkdir -p /var/lib/spiped";
# Setup spiped config files # Setup spiped config files
@ -207,6 +215,6 @@ in
(if cfg.disableReresolution then "-R" (if cfg.disableReresolution then "-R"
else "-r ${toString cfg.resolveRefresh}") else "-r ${toString cfg.resolveRefresh}")
]; ];
}) cfg; }) cfg.config;
}; };
} }
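Review bot: The per-pipe assertion kept on the new side, `assertion = (c.encrypt -> !c.decrypt) || (c.decrypt -> c.encrypt);`, is a tautology — `(e -> !d)` is `!e || !d` and `(d -> e)` is `!d || e`, so the disjunction holds for all four combinations — which means the "A pipe must either encrypt or decrypt" message can never fire and a pipe with both flags set, or neither, is only rejected when spiped itself starts. The line is unchanged context, but since the commit already edits this block to iterate `cfg.config`, it is worth tightening here: `assertion = c.encrypt != c.decrypt;`. In the last hunk the per-pipe values are read as `cfg.disableReresolution` and `cfg.resolveRefresh` while the module-level binding is presumably also `cfg`, so an inner lambda parameter appears to shadow it; the lambda header and the `let` that binds `cfg` are outside the hunk, so I cannot confirm, but naming the per-pipe parameter `pipe` would make the new `cfg.config` reads easier to follow. The enclosing module body begins before the first hunk and its `config` attribute set spans all three hunks.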