Convert "gw6c" and its security options (untested)
svn path=/nixos/branches/fix-style/; revision=14364
parent
f889d6215e
commit
028b515a6e
@ -1299,72 +1299,6 @@ in
|
||||
};
|
||||
|
||||
|
||||
gw6c = {
|
||||
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
description = "
|
||||
Whether to enable Gateway6 client (IPv6 tunnel).
|
||||
";
|
||||
};
|
||||
|
||||
autorun = mkOption {
|
||||
default = true;
|
||||
description = "
|
||||
Switch to false to create upstart-job and configuration,
|
||||
but not run it automatically
|
||||
";
|
||||
};
|
||||
|
||||
username = mkOption {
|
||||
default = "";
|
||||
description = "
|
||||
Your Gateway6 login name, if any.
|
||||
";
|
||||
};
|
||||
|
||||
password = mkOption {
|
||||
default = "";
|
||||
description = "
|
||||
Your Gateway6 password, if any.
|
||||
";
|
||||
};
|
||||
|
||||
server = mkOption {
|
||||
default = "anon.freenet6.net";
|
||||
example = "broker.freenet6.net";
|
||||
description = "
|
||||
Used Gateway6 server.
|
||||
";
|
||||
};
|
||||
|
||||
keepAlive = mkOption {
|
||||
default = "30";
|
||||
example = "2";
|
||||
description = "
|
||||
Gateway6 keep-alive period.
|
||||
";
|
||||
};
|
||||
|
||||
everPing = mkOption {
|
||||
default = "1000000";
|
||||
example = "2";
|
||||
description = "
|
||||
Gateway6 manual ping period.
|
||||
";
|
||||
};
|
||||
|
||||
waitPingableBroker = mkOption {
|
||||
default = true;
|
||||
example = false;
|
||||
description = "
|
||||
Whether to wait until tunnel broker returns ICMP echo.
|
||||
";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
ircdHybrid = {
|
||||
|
||||
enable = mkOption {
|
||||
@ -1978,32 +1912,6 @@ in
|
||||
};
|
||||
|
||||
|
||||
security = {
|
||||
|
||||
seccureKeys = {
|
||||
public = mkOption {
|
||||
default = /var/elliptic-keys/public;
|
||||
description = "
|
||||
Public key. Make it path argument, so it is copied into store and
|
||||
hashed.
|
||||
|
||||
The key is used to encrypt Gateway 6 configuration in store, as it
|
||||
contains a password for external service. Unfortunately,
|
||||
derivation file should be protected by other means. For example,
|
||||
nix-http-export.cgi will happily export any non-derivation path,
|
||||
but not a derivation.
|
||||
";
|
||||
};
|
||||
private = mkOption {
|
||||
default = "/var/elliptic-keys/private";
|
||||
description = "
|
||||
Private key. Make it string argument, so it is not copied into store.
|
||||
";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
nesting = {
|
||||
children = mkOption {
|
||||
@ -2082,6 +1990,8 @@ in
|
||||
(import ../upstart-jobs/guest-users.nix)
|
||||
(import ../upstart-jobs/pulseaudio.nix)
|
||||
(import ../upstart-jobs/kbd.nix)
|
||||
(import ../upstart-jobs/gw6c.nix) # Gateway6
|
||||
|
||||
|
||||
#users
|
||||
(import ../upstart-jobs/ldap)
|
||||
|
@ -262,12 +262,6 @@ let
|
||||
inherit config pkgs modprobe;
|
||||
})
|
||||
|
||||
# Gateway6
|
||||
++ optional config.services.gw6c.enable
|
||||
(import ../upstart-jobs/gw6c.nix {
|
||||
inherit config pkgs;
|
||||
})
|
||||
|
||||
# VSFTPd server
|
||||
++ optional config.services.vsftpd.enable
|
||||
(import ../upstart-jobs/vsftpd.nix {
|
||||
|
@ -1,8 +1,106 @@
|
||||
{config, pkgs}:
|
||||
{pkgs, config, ...}:
|
||||
|
||||
###### interface
|
||||
let
|
||||
inherit (pkgs.lib) mkOption mkIf;
|
||||
|
||||
options = {
|
||||
services = {
|
||||
gw6c = {
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
description = "
|
||||
Whether to enable Gateway6 client (IPv6 tunnel).
|
||||
";
|
||||
};
|
||||
|
||||
autorun = mkOption {
|
||||
default = true;
|
||||
description = "
|
||||
Switch to false to create upstart-job and configuration,
|
||||
but not run it automatically
|
||||
";
|
||||
};
|
||||
|
||||
username = mkOption {
|
||||
default = "";
|
||||
description = "
|
||||
Your Gateway6 login name, if any.
|
||||
";
|
||||
};
|
||||
|
||||
password = mkOption {
|
||||
default = "";
|
||||
description = "
|
||||
Your Gateway6 password, if any.
|
||||
";
|
||||
};
|
||||
|
||||
server = mkOption {
|
||||
default = "anon.freenet6.net";
|
||||
example = "broker.freenet6.net";
|
||||
description = "
|
||||
Used Gateway6 server.
|
||||
";
|
||||
};
|
||||
|
||||
keepAlive = mkOption {
|
||||
default = "30";
|
||||
example = "2";
|
||||
description = "
|
||||
Gateway6 keep-alive period.
|
||||
";
|
||||
};
|
||||
|
||||
everPing = mkOption {
|
||||
default = "1000000";
|
||||
example = "2";
|
||||
description = "
|
||||
Gateway6 manual ping period.
|
||||
";
|
||||
};
|
||||
|
||||
waitPingableBroker = mkOption {
|
||||
default = true;
|
||||
example = false;
|
||||
description = "
|
||||
Whether to wait until tunnel broker returns ICMP echo.
|
||||
";
|
||||
};
|
||||
};
|
||||
};
|
||||
security = {
|
||||
seccureKeys = {
|
||||
public = mkOption {
|
||||
default = /var/elliptic-keys/public;
|
||||
description = "
|
||||
Public key. Make it path argument, so it is copied into store and
|
||||
hashed.
|
||||
|
||||
The key is used to encrypt Gateway 6 configuration in store, as it
|
||||
contains a password for external service. Unfortunately,
|
||||
derivation file should be protected by other means. For example,
|
||||
nix-http-export.cgi will happily export any non-derivation path,
|
||||
but not a derivation.
|
||||
";
|
||||
};
|
||||
private = mkOption {
|
||||
default = "/var/elliptic-keys/private";
|
||||
description = "
|
||||
Private key. Make it string argument, so it is not copied into store.
|
||||
";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
|
||||
###### implementation
|
||||
|
||||
let
|
||||
cfg = config.services.gw6c;
|
||||
procps = pkgs.procps;
|
||||
gw6cService = import ../services/gw6c {
|
||||
gw6cService = import ../../services/gw6c {
|
||||
inherit (pkgs) stdenv gw6c coreutils
|
||||
procps upstart iputils gnused
|
||||
gnugrep seccureUser writeScript;
|
||||
@ -17,16 +115,26 @@ let
|
||||
waitPingableBroker = cfg.waitPingableBroker;
|
||||
};
|
||||
in
|
||||
{
|
||||
|
||||
|
||||
mkIf config.services.gw6c.enable {
|
||||
require = [
|
||||
options
|
||||
];
|
||||
|
||||
services = {
|
||||
extraJobs = [{
|
||||
name = "gw6c";
|
||||
users = [];
|
||||
groups = [];
|
||||
job = "
|
||||
description \"Gateway6 client\"
|
||||
job = ''
|
||||
description \"Gateway6 client\"
|
||||
|
||||
start on ${ if cfg.autorun then "network-interfaces/started" else "never" }
|
||||
stop on network-interfaces/stop
|
||||
start on ${ if cfg.autorun then "network-interfaces/started" else "never" }
|
||||
stop on network-interfaces/stop
|
||||
|
||||
respawn ${gw6cService}/bin/control start
|
||||
";
|
||||
respawn ${gw6cService}/bin/control start
|
||||
'';
|
||||
}];
|
||||
};
|
||||
}
|
||||
|
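Review bot: The `password = mkOption` block in the first hunk of this file is documented only as `Your Gateway6 password, if any.`, while the caveat about where that value ends up appears only under `security.seccureKeys.public`. Going by that description, the Gateway6 configuration is encrypted in the store but the derivation file still has to be protected by other means, so a user who sets only `services.gw6c.password` gets no hint of this. I would extend the description to something like `Your Gateway6 password, if any. The derivation file must be protected by other means; see security.seccureKeys.` so the warning sits next to the option that carries the secret.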