Convert "gw6c" and its security options (untested)

svn path=/nixos/branches/fix-style/; revision=14364
Marc Weber 2009-03-06 12:25:48 +00:00
parent f889d6215e
commit 028b515a6e
3 changed files with 119 additions and 107 deletions


@ -1299,72 +1299,6 @@ in
}; };
gw6c = {
enable = mkOption {
default = false;
description = "
Whether to enable Gateway6 client (IPv6 tunnel).
";
};
autorun = mkOption {
default = true;
description = "
Switch to false to create upstart-job and configuration,
but not run it automatically
";
};
username = mkOption {
default = "";
description = "
Your Gateway6 login name, if any.
";
};
password = mkOption {
default = "";
description = "
Your Gateway6 password, if any.
";
};
server = mkOption {
default = "anon.freenet6.net";
example = "broker.freenet6.net";
description = "
Used Gateway6 server.
";
};
keepAlive = mkOption {
default = "30";
example = "2";
description = "
Gateway6 keep-alive period.
";
};
everPing = mkOption {
default = "1000000";
example = "2";
description = "
Gateway6 manual ping period.
";
};
waitPingableBroker = mkOption {
default = true;
example = false;
description = "
Whether to wait until tunnel broker returns ICMP echo.
";
};
};
ircdHybrid = { ircdHybrid = {
enable = mkOption { enable = mkOption {
@ -1978,32 +1912,6 @@ in
}; };
security = {
seccureKeys = {
public = mkOption {
default = /var/elliptic-keys/public;
description = "
Public key. Make it path argument, so it is copied into store and
hashed.
The key is used to encrypt Gateway 6 configuration in store, as it
contains a password for external service. Unfortunately,
derivation file should be protected by other means. For example,
nix-http-export.cgi will happily export any non-derivation path,
but not a derivation.
";
};
private = mkOption {
default = "/var/elliptic-keys/private";
description = "
Private key. Make it string argument, so it is not copied into store.
";
};
};
};
nesting = { nesting = {
children = mkOption { children = mkOption {
@ -2082,6 +1990,8 @@ in
(import ../upstart-jobs/guest-users.nix) (import ../upstart-jobs/guest-users.nix)
(import ../upstart-jobs/pulseaudio.nix) (import ../upstart-jobs/pulseaudio.nix)
(import ../upstart-jobs/kbd.nix) (import ../upstart-jobs/kbd.nix)
(import ../upstart-jobs/gw6c.nix) # Gateway6
#users #users
(import ../upstart-jobs/ldap) (import ../upstart-jobs/ldap)


@ -262,12 +262,6 @@ let
inherit config pkgs modprobe; inherit config pkgs modprobe;
}) })
# Gateway6
++ optional config.services.gw6c.enable
(import ../upstart-jobs/gw6c.nix {
inherit config pkgs;
})
# VSFTPd server # VSFTPd server
++ optional config.services.vsftpd.enable ++ optional config.services.vsftpd.enable
(import ../upstart-jobs/vsftpd.nix { (import ../upstart-jobs/vsftpd.nix {


@ -1,8 +1,106 @@
{config, pkgs}: {pkgs, config, ...}:
###### interface
let
inherit (pkgs.lib) mkOption mkIf;
options = {
services = {
gw6c = {
enable = mkOption {
default = false;
description = "
Whether to enable Gateway6 client (IPv6 tunnel).
";
};
autorun = mkOption {
default = true;
description = "
Switch to false to create upstart-job and configuration,
but not run it automatically
";
};
username = mkOption {
default = "";
description = "
Your Gateway6 login name, if any.
";
};
password = mkOption {
default = "";
description = "
Your Gateway6 password, if any.
";
};
server = mkOption {
default = "anon.freenet6.net";
example = "broker.freenet6.net";
description = "
Used Gateway6 server.
";
};
keepAlive = mkOption {
default = "30";
example = "2";
description = "
Gateway6 keep-alive period.
";
};
everPing = mkOption {
default = "1000000";
example = "2";
description = "
Gateway6 manual ping period.
";
};
waitPingableBroker = mkOption {
default = true;
example = false;
description = "
Whether to wait until tunnel broker returns ICMP echo.
";
};
};
};
security = {
seccureKeys = {
public = mkOption {
default = /var/elliptic-keys/public;
description = "
Public key. Make it path argument, so it is copied into store and
hashed.
The key is used to encrypt Gateway 6 configuration in store, as it
contains a password for external service. Unfortunately,
derivation file should be protected by other means. For example,
nix-http-export.cgi will happily export any non-derivation path,
but not a derivation.
";
};
private = mkOption {
default = "/var/elliptic-keys/private";
description = "
Private key. Make it string argument, so it is not copied into store.
";
};
};
};
};
in
###### implementation
let let
cfg = config.services.gw6c; cfg = config.services.gw6c;
procps = pkgs.procps; procps = pkgs.procps;
gw6cService = import ../services/gw6c { gw6cService = import ../../services/gw6c {
inherit (pkgs) stdenv gw6c coreutils inherit (pkgs) stdenv gw6c coreutils
procps upstart iputils gnused procps upstart iputils gnused
gnugrep seccureUser writeScript; gnugrep seccureUser writeScript;
@ -17,16 +115,26 @@ let
waitPingableBroker = cfg.waitPingableBroker; waitPingableBroker = cfg.waitPingableBroker;
}; };
in in
{
mkIf config.services.gw6c.enable {
require = [
options
];
services = {
extraJobs = [{
name = "gw6c"; name = "gw6c";
users = []; users = [];
groups = []; groups = [];
job = " job = ''
description \"Gateway6 client\" description \"Gateway6 client\"
start on ${ if cfg.autorun then "network-interfaces/started" else "never" } start on ${ if cfg.autorun then "network-interfaces/started" else "never" }
stop on network-interfaces/stop stop on network-interfaces/stop
respawn ${gw6cService}/bin/control start respawn ${gw6cService}/bin/control start
"; '';
}];
};
} }
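Review bot: The `description \"Gateway6 client\"` line inside `job` was left unchanged when the string delimiters moved from `"…"` to `''…''`; in a Nix indented string a backslash is literal, so the generated upstart job will carry `\"` instead of plain quotes. With the new delimiters the line should read `description "Gateway6 client"`. Separately, the `password` option description in the first hunk of this file does not say where the value ends up, while the `seccureKeys.public` description admits the derivation file must be protected by other means, which suggests the plaintext is still readable there. I would extend the password description with something like `Note: the value is still visible in the derivation file in the store; restrict who can read or export it.` Since the commit is marked untested, the rendered job file is worth inspecting once before merging.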