bird: refactor module

- syntax check before deploying configuration
- remove unnecessary static uid/gid (configuration is opened as root)
- add service hardening
Jörg Thalheim 2016-12-09 10:48:54 +01:00
parent e314e5b930
commit cc864af928
2 changed files with 57 additions and 67 deletions


@ -211,7 +211,6 @@
lambdabot = 191; lambdabot = 191;
asterisk = 192; asterisk = 192;
plex = 193; plex = 193;
bird = 195;
grafana = 196; grafana = 196;
skydns = 197; skydns = 197;
ripple-rest = 198; ripple-rest = 198;
@ -470,7 +469,6 @@
#asterisk = 192; # unused #asterisk = 192; # unused
plex = 193; plex = 193;
sabnzbd = 194; sabnzbd = 194;
bird = 195;
#grafana = 196; #unused #grafana = 196; #unused
#skydns = 197; #unused #skydns = 197; #unused
#ripple-rest = 198; #unused #ripple-rest = 198; #unused


@ -1,76 +1,68 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (lib) mkEnableOption mkIf mkOption singleton types; inherit (lib) mkEnableOption mkIf mkOption types;
inherit (pkgs) bird;
cfg = config.services.bird;
configFile = pkgs.writeText "bird.conf" '' generic = variant:
${cfg.config} let
cfg = config.services.${variant};
pkg = pkgs.${variant};
birdc = if variant == "bird6" then "birdc6" else "birdc";
configFile = pkgs.stdenv.mkDerivation {
name = "${variant}.conf";
text = cfg.config;
preferLocalBuild = true;
buildCommand = ''
echo -n "$text" > $out
${pkg}/bin/${variant} -d -p -c $out
''; '';
in };
in {
{
###### interface ###### interface
options = { options = {
services.${variant} = {
services.bird = {
enable = mkEnableOption "BIRD Internet Routing Daemon"; enable = mkEnableOption "BIRD Internet Routing Daemon";
config = mkOption { config = mkOption {
type = types.string; type = types.lines;
description = '' description = ''
BIRD Internet Routing Daemon configuration file. BIRD Internet Routing Daemon configuration file.
<link xlink:href='http://bird.network.cz/'/> <link xlink:href='http://bird.network.cz/'/>
''; '';
}; };
user = mkOption {
type = types.string;
default = "bird";
description = ''
BIRD Internet Routing Daemon user.
'';
}; };
group = mkOption {
type = types.string;
default = "bird";
description = ''
BIRD Internet Routing Daemon group.
'';
}; };
};
};
###### implementation ###### implementation
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.services.${variant} = {
users.extraUsers = singleton {
name = cfg.user;
description = "BIRD Internet Routing Daemon user";
uid = config.ids.uids.bird;
group = cfg.group;
};
users.extraGroups = singleton {
name = cfg.group;
gid = config.ids.gids.bird;
};
systemd.services.bird = {
description = "BIRD Internet Routing Daemon"; description = "BIRD Internet Routing Daemon";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
ExecStart = "${bird}/bin/bird -d -c ${configFile} -s /var/run/bird.ctl -u ${cfg.user} -g ${cfg.group}"; Type = "forking";
Restart = "on-failure";
ExecStart = "${pkg}/bin/${variant} -c ${configFile} -u ${variant} -g ${variant}";
ExecReload = "${pkg}/bin/${birdc} configure";
ExecStop = "${pkg}/bin/${birdc} down";
CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" "CAP_SETUID" "CAP_SETGID"
# see bird/sysdep/linux/syspriv.h
"CAP_NET_BIND_SERVICE" "CAP_NET_BROADCAST" "CAP_NET_ADMIN" "CAP_NET_RAW" ];
ProtectSystem = "full";
ProtectHome = "yes";
SystemCallFilter="~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
MemoryDenyWriteExecute = "yes";
};
};
users = {
extraUsers.${variant} = {
description = "BIRD Internet Routing Daemon user";
group = "${variant}";
};
extraGroups.${variant} = {};
}; };
}; };
}; };
inherit (config.services) bird bird6;
in {
imports = [(generic "bird") (generic "bird6")];
} }
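Review bot: `Type = "forking"` in the new serviceConfig has no `PIDFile`, so systemd has to guess the daemon's main process after BIRD daemonises, which makes `Restart = "on-failure"` and the `ExecStop` status tracking less reliable; if the packaged BIRD accepts a PID-file option, start it with `-P <pidfile>` (placeholder path) and set `PIDFile` to the same path. The `CapabilityBoundingSet` list also deserves a comment for the first five entries, since the existing `# see bird/sysdep/linux/syspriv.h` only explains the network capabilities — something like `# CAP_SETUID/SETGID/CHOWN/FOWNER/DAC_OVERRIDE: bird starts as root, drops to -u/-g itself and owns the control socket`. In the configFile derivation, `echo -n "$text"` would misread a configuration starting with `-e`/`-n`; `printf '%s' "$text" > $out` writes the text verbatim. The `config` option description could mention that the configuration is now parsed with `-p` at build time, so a syntax error fails the system build rather than the running router.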