public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bird: refactor module

Browse Source 
- syntax check before deploying configuration
- remove static unnessary static uid/gid (configuration is opened as root)
- add service hardening
This commit is contained in:
Jörg Thalheim 2016-12-09 10:48:54 +01:00
parent e314e5b930
commit cc864af928
2 changed files with 57 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/modules/misc/ids.nix
View File

@ -211,7 +211,6 @@
lambdabot = 191; lambdabot = 191;
asterisk = 192; asterisk = 192;
plex = 193; plex = 193;
bird = 195;
grafana = 196; grafana = 196;
skydns = 197; skydns = 197;
ripple-rest = 198; ripple-rest = 198;
@ -470,7 +469,6 @@
#asterisk = 192; # unused #asterisk = 192; # unused
plex = 193; plex = 193;
sabnzbd = 194; sabnzbd = 194;
bird = 195;
#grafana = 196; #unused #grafana = 196; #unused
#skydns = 197; #unused #skydns = 197; #unused
#ripple-rest = 198; #unused #ripple-rest = 198; #unused

122
nixos/modules/services/networking/bird.nix
View File

@ -1,76 +1,68 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (lib) mkEnableOption mkIf mkOption singleton types; inherit (lib) mkEnableOption mkIf mkOption types;
inherit (pkgs) bird;
cfg = config.services.bird;
configFile = pkgs.writeText "bird.conf" '' generic = variant:
${cfg.config} let
''; cfg = config.services.${variant};
in pkg = pkgs.${variant};
birdc = if variant == "bird6" then "birdc6" else "birdc";
{ configFile = pkgs.stdenv.mkDerivation {
name = "${variant}.conf";
###### interface text = cfg.config;
preferLocalBuild = true;
options = { buildCommand = ''
echo -n "$text" > $out
services.bird = { ${pkg}/bin/${variant} -d -p -c $out
enable = mkEnableOption "BIRD Internet Routing Daemon";
config = mkOption {
type = types.string;
description = ''
BIRD Internet Routing Daemon configuration file.
<link xlink:href='http://bird.network.cz/'/>
''; '';
}; };
in {
user = mkOption { ###### interface
type = types.string; options = {
default = "bird"; services.${variant} = {
description = '' enable = mkEnableOption "BIRD Internet Routing Daemon";
BIRD Internet Routing Daemon user. config = mkOption {
''; type = types.lines;
description = ''
BIRD Internet Routing Daemon configuration file.
<link xlink:href='http://bird.network.cz/'/>
'';
};
};
}; };
group = mkOption { ###### implementation
type = types.string; config = mkIf cfg.enable {
default = "bird"; systemd.services.${variant} = {
description = '' description = "BIRD Internet Routing Daemon";
BIRD Internet Routing Daemon group. wantedBy = [ "multi-user.target" ];
''; serviceConfig = {
}; Type = "forking";
Restart = "on-failure";
}; ExecStart = "${pkg}/bin/${variant} -c ${configFile} -u ${variant} -g ${variant}";
ExecReload = "${pkg}/bin/${birdc} configure";
}; ExecStop = "${pkg}/bin/${birdc} down";
CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" "CAP_SETUID" "CAP_SETGID"
# see bird/sysdep/linux/syspriv.h
###### implementation "CAP_NET_BIND_SERVICE" "CAP_NET_BROADCAST" "CAP_NET_ADMIN" "CAP_NET_RAW" ];
ProtectSystem = "full";
config = mkIf cfg.enable { ProtectHome = "yes";
SystemCallFilter="~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
users.extraUsers = singleton { MemoryDenyWriteExecute = "yes";
name = cfg.user; };
description = "BIRD Internet Routing Daemon user"; };
uid = config.ids.uids.bird; users = {
group = cfg.group; extraUsers.${variant} = {
}; description = "BIRD Internet Routing Daemon user";
group = "${variant}";
users.extraGroups = singleton { };
name = cfg.group; extraGroups.${variant} = {};
gid = config.ids.gids.bird; };
};
systemd.services.bird = {
description = "BIRD Internet Routing Daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${bird}/bin/bird -d -c ${configFile} -s /var/run/bird.ctl -u ${cfg.user} -g ${cfg.group}";
}; };
}; };
};
inherit (config.services) bird bird6;
in {
imports = [(generic "bird") (generic "bird6")];
} }