From 05976a2b5a3d048fbcad1191f57800113788d700 Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Tue, 24 Jun 2014 16:58:38 -0500
Subject: [PATCH 1/8] dhcpd: Update 4.1-ESV-R6 -> 4.3.0
Additionally add the ability to run as a non-root user / group by including paranoia patches in the build.
---
 pkgs/tools/networking/dhcp/default.nix | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/pkgs/tools/networking/dhcp/default.nix b/pkgs/tools/networking/dhcp/default.nix
index 2dac54577b8b..1a00c335684e 100644
--- a/pkgs/tools/networking/dhcp/default.nix
+++ b/pkgs/tools/networking/dhcp/default.nix
@@ -1,11 +1,12 @@
-{ stdenv, fetchurl, nettools, iputils, iproute, makeWrapper, coreutils, gnused }:
+{ stdenv, fetchurl, perl, file, nettools, iputils, iproute, makeWrapper, coreutils, gnused }:
 stdenv.mkDerivation rec {
- name = "dhcp-4.1-ESV-R6";
+ name = "dhcp-${version}";
+ version = "4.3.0";
 src = fetchurl {
- url = http://ftp.isc.org/isc/dhcp/4.1-ESV-R6/dhcp-4.1-ESV-R6.tar.gz;
- sha256 = "17md1vml07szl9dx4875gfg4sgnb3z73glpbq1si7p82mfhnddny";
+ url = "http://ftp.isc.org/isc/dhcp/${version}/${name}.tar.gz";
+ sha256 = "12mydvj6x3zcl3gla06bywfkkrgg03g66fijs94mwb7kbiym3dm7";
 };
 patches =
@@ -23,13 +24,15 @@ stdenv.mkDerivation rec {
 # Fixes "socket.c:591: error: invalid application of 'sizeof' to
 # incomplete type 'struct in6_pktinfo'". See
 # http://www.mail-archive.com/blfs-book@linuxfromscratch.org/msg13013.html
- NIX_CFLAGS_COMPILE = "-D_GNU_SOURCE";
+ #
+ # Also adds the ability to run dhcpd as a non-root user / group
+ NIX_CFLAGS_COMPILE = "-D_GNU_SOURCE -DPARANOIA";
 # It would automatically add -Werror, which disables build in gcc 4.4
 # due to an uninitialized variable.
 CFLAGS = "-g -O2 -Wall";
- buildInputs = [ makeWrapper ];
+ buildInputs = [ perl makeWrapper ];
 postInstall =
 ''
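Review bot: The new comment above `NIX_CFLAGS_COMPILE` is tacked onto a block that explains an unrelated in6_pktinfo build fix and never says what `-DPARANOIA` actually switches on; the commit message talks of "paranoia patches", yet the diffstat touches only this file and adds no patch, so the define appears to enable code already shipped in the 4.3.0 tarball (worth confirming in the commit message). The NixOS module later passes `-user`/`-group` on the dhcpd command line, and a reader of this file needs to know those options exist only with this flag. Suggest a separate comment: `# -DPARANOIA builds the optional -user/-group privilege-drop options into dhcpd; the NixOS dhcpd module relies on them.` The mkDerivation attribute set continues outside the hunk.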
@@ -42,6 +45,7 @@ stdenv.mkDerivation rec {
 preConfigure =
 ''
+ substituteInPlace configure --replace "/usr/bin/file" "${file}/bin/file"
 sed -i "includes/dhcpd.h" \
 -"es|^ *#define \+_PATH_DHCLIENT_SCRIPT.*$|#define _PATH_DHCLIENT_SCRIPT \"$out/sbin/dhclient-script\"|g"
 '';
From 56228e56147a9679994480a00cd813479ff392da Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Tue, 24 Jun 2014 17:23:16 -0500
Subject: [PATCH 2/8] nixos/dhcp: Modernize ddns-update-style
---
 nixos/modules/services/networking/dhcpd.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/networking/dhcpd.nix b/nixos/modules/services/networking/dhcpd.nix
index e5e1c103c686..d796dcf70326 100644
--- a/nixos/modules/services/networking/dhcpd.nix
+++ b/nixos/modules/services/networking/dhcpd.nix
@@ -13,7 +13,7 @@ let
 default-lease-time 600;
 max-lease-time 7200;
 authoritative;
- ddns-update-style ad-hoc;
+ ddns-update-style interim;
 log-facility local1; # see dhcpd.nix
 ${cfg.extraConfig}
From 4fbf120e8454d722df72ac1a49f1a8d707c0b46f Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Tue, 24 Jun 2014 17:09:27 -0500
Subject: [PATCH 3/8] nixos/dhcpd: Add the ability to drop privileges
---
 nixos/modules/services/networking/dhcpd.nix | 22 ++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/networking/dhcpd.nix b/nixos/modules/services/networking/dhcpd.nix
index d796dcf70326..0c6783760de1 100644
--- a/nixos/modules/services/networking/dhcpd.nix
+++ b/nixos/modules/services/networking/dhcpd.nix
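Review bot: `ddns-update-style interim;` does more than retire the removed `ad-hoc` value: it enables dynamic DNS updates for every lease, whereas the `none` style stops the server from attempting updates at all. Unless DDNS is an intended feature of this module, the conservative replacement is `ddns-update-style none;`; if it is intended, the option description should say that the key and zone statements belong in `extraConfig`, since a server with `interim` and no keys will presumably try unsigned updates against whatever zones the leases map to. The generated configuration text continues outside the hunk.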
@@ -66,6 +66,24 @@ in
 ";
 };
+ user = mkOption {
+ default = "nobody";
+ type = types.nullOr types.str;
+ description = ''
+ The user to drop privileges to after the daemon has started.
+ A value of null disables the user privilege change.
+ '';
+ };
+
+ group = mkOption {
+ default = "nogroup";
+ type = types.nullOr types.str;
+ description = ''
+ The group to drop privileges to after the daemon has started.
+ A value of null disables the group privilege change.
+ '';
+ };
+
 configFile = mkOption {
 default = null;
 description = "
@@ -120,8 +138,10 @@ in
 touch ${stateDir}/dhcpd.leases
- exec ${pkgs.dhcp}/sbin/dhcpd -f -cf ${configFile} \
+ exec ${pkgs.dhcp}/sbin/dhcpd -f --no-pid -cf ${configFile} \
 -lf ${stateDir}/dhcpd.leases \
+ ${optionalString (cfg.user != null) "-user ${cfg.user}"} \
+ ${optionalString (cfg.group != null) "-group ${cfg.group}"} \
 ${toString cfg.interfaces}
 '';
 };
From 24368beed84506cf930a355b12e9b17b926dd359 Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Wed, 25 Jun 2014 03:28:53 -0500
Subject: [PATCH 4/8] nixos/dhcpd: Use dhcp user instead of nobody
---
 nixos/modules/misc/ids.nix | 1 +
 nixos/modules/services/networking/dhcpd.nix | 29 ++++++--------------
 2 files changed, 9 insertions(+), 21 deletions(-)
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 8a459ce5e889..fa81ff8a8398 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -140,6 +140,7 @@
 mopidy = 130;
 unifi = 131;
 gdm = 132;
+ dhcpd = 133;
 # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
diff --git a/nixos/modules/services/networking/dhcpd.nix b/nixos/modules/services/networking/dhcpd.nix
index 0c6783760de1..2bc4e5eda43c 100644
--- a/nixos/modules/services/networking/dhcpd.nix
+++ b/nixos/modules/services/networking/dhcpd.nix
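Review bot: The lease file is created by `touch ${stateDir}/dhcpd.leases` while the script still runs as root, but dhcpd is then told to drop to `${cfg.user}`/`${cfg.group}`; unless dhcpd re-owns the lease file and its directory after the switch (I have not verified that the PARANOIA code does), the unprivileged daemon cannot update the leases database and fails at the first lease commit. The same gap survives in patch 4's `-user dhcpd -group nogroup` hunk and in patch 5's new `preStart`, which chowns `/run/dhcpd` but not `${stateDir}`. Add, guarded by the same null checks used for the flags, `chown ${cfg.user}:${cfg.group} ${stateDir} ${stateDir}/dhcpd.leases` after the touch; the directory needs to be writable as well, since to my understanding dhcpd periodically rewrites the whole database beside the existing file. The enclosing `script` starts before this hunk.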
@@ -66,24 +66,6 @@ in
 ";
 };
- user = mkOption {
- default = "nobody";
- type = types.nullOr types.str;
- description = ''
- The user to drop privileges to after the daemon has started.
- A value of null disables the user privilege change.
- '';
- };
-
- group = mkOption {
- default = "nogroup";
- type = types.nullOr types.str;
- description = ''
- The group to drop privileges to after the daemon has started.
- A value of null disables the group privilege change.
- '';
- };
-
 configFile = mkOption {
 default = null;
 description = "
@@ -126,6 +108,13 @@ in
 config = mkIf config.services.dhcpd.enable {
+ users = {
+ extraUsers.dhcpd = {
+ uid = config.ids.uids.dhcpd;
+ description = "DHCP daemon user";
+ };
+ };
+
 jobs.dhcpd =
 {
 description = "DHCP server";
@@ -139,9 +128,7 @@ in
 touch ${stateDir}/dhcpd.leases
 exec ${pkgs.dhcp}/sbin/dhcpd -f --no-pid -cf ${configFile} \
- -lf ${stateDir}/dhcpd.leases \
- ${optionalString (cfg.user != null) "-user ${cfg.user}"} \
- ${optionalString (cfg.group != null) "-group ${cfg.group}"} \
+ -lf ${stateDir}/dhcpd.leases -user dhcpd -group nogroup \
 ${toString cfg.interfaces}
 '';
 };
From b3ddcfabd9d725824f44838e86bd6e74b88c51f0 Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Fri, 27 Jun 2014 02:02:48 -0500
Subject: [PATCH 5/8] nixos/dhcpd: Convert to systemd from upstart
---
 nixos/modules/services/networking/dhcpd.nix | 24 +++++++++++++++------
 1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/nixos/modules/services/networking/dhcpd.nix b/nixos/modules/services/networking/dhcpd.nix
index 2bc4e5eda43c..e1c404265f4d 100644
--- a/nixos/modules/services/networking/dhcpd.nix
+++ b/nixos/modules/services/networking/dhcpd.nix
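Review bot: The new `extraUsers.dhcpd` entry gives the daemon its own uid, but the group it drops to (`-group nogroup` in the exec hunk of this same commit) is still the shared `nogroup`, so anything dhcpd leaves group-readable or group-writable is shared with every other process running under that group. A dedicated group, an `extraGroups.dhcpd` with a gid registered in `config.ids.gids` next to the uid added in ids.nix, would preserve the isolation this commit sets out to get; setting `group = "dhcpd";` on the user as well keeps the account and the drop target in agreement. The `config` attribute set continues outside the hunk.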
@@ -115,22 +115,32 @@ in
 };
 };
- jobs.dhcpd =
+ systemd.services.dhcpd =
 {
 description = "DHCP server";
- startOn = "started network-interfaces";
- stopOn = "stopping network-interfaces";
+ wantedBy = [ "multi-user.target" ];
- script =
+ path = [ pkgs.dhcp ];
+
+ preStart =
 ''
 mkdir -m 755 -p ${stateDir}
 touch ${stateDir}/dhcpd.leases
- exec ${pkgs.dhcp}/sbin/dhcpd -f --no-pid -cf ${configFile} \
- -lf ${stateDir}/dhcpd.leases -user dhcpd -group nogroup \
- ${toString cfg.interfaces}
+ mkdir -m 755 -p /run/dhcpd
+ chown dhcpd /run/dhcpd
 '';
+
+ serviceConfig =
+ { ExecStart = "@${pkgs.dhcp}/sbin/dhcpd dhcpd"
+ + " -pf /run/dhcpd/dhcpd.pid -cf ${configFile}"
+ + " -lf ${stateDir}/dhcpd.leases -user dhcpd -group nogroup"
+ + " ${toString cfg.interfaces}";
+ Restart = "always";
+ Type = "forking";
+ PIDFile = "/run/dhcpd/dhcpd.pid";
+ };
 };
 };
From d0c0c2f9ba34c7bc2a03b4468cc9535d99a1db1c Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Wed, 6 Aug 2014 15:38:02 -0500
Subject: [PATCH 6/8] nixos/dhcpd: Wait until network interfaces are configured to start
---
 nixos/modules/services/networking/dhcpd.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/nixos/modules/services/networking/dhcpd.nix b/nixos/modules/services/networking/dhcpd.nix
index e1c404265f4d..900df67b53aa 100644
--- a/nixos/modules/services/networking/dhcpd.nix
+++ b/nixos/modules/services/networking/dhcpd.nix
@@ -120,6 +120,8 @@ in
 wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
 path = [ pkgs.dhcp ];
 preStart =
From ae48ab82ad8022c7521cb4302d9c73293c4ff4c7 Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Wed, 6 Aug 2014 23:07:35 -0500
Subject: [PATCH 7/8] license: Add isc
---
 lib/licenses.nix | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lib/licenses.nix b/lib/licenses.nix
index 29144264ddd2..c01ed0d7fbec 100644
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
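Review bot: The unit switches to `Type = "forking"` and reads `PIDFile = "/run/dhcpd/dhcpd.pid"` from a directory that `preStart` hands over to the unprivileged `dhcpd` user, so the process id systemd tracks and signals on stop or restart is whatever a `dhcpd`-owned process chooses to write there, while the unit itself has no `User=` and starts as root. The upstart job removed in this hunk already ran the daemon in the foreground with `-f --no-pid`, which needs no PID file at all: use `Type = "simple";`, drop the `PIDFile` line and the `-pf /run/dhcpd/dhcpd.pid` argument, and put `-f --no-pid` back into `ExecStart`. That also removes the reason for the `/run/dhcpd` mkdir and chown in `preStart`. The `@` argv[0] prefix is fine as written.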
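Review bot: `after = [ "network.target" ]` does not provide what the subject line promises: `network.target` orders only against the network management service having started, not against interfaces holding addresses, and `after` on its own pulls nothing in. The upstart job replaced in the previous commit waited on the NixOS interface-configuration job (`startOn = "started network-interfaces"`); the systemd equivalent is to both order after and want the target NixOS provides for configured interfaces (`network-interfaces.target`, if this tree has it), or `network-online.target` when routable addresses are the requirement. Since dhcpd is started on the interfaces listed in `cfg.interfaces`, which presumably must exist first, the ordering is what makes the service start reliably rather than depend on `Restart = "always"` retries.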
@@ -121,6 +121,12 @@ rec {
 url = https://fedoraproject.org/wiki/Licensing/GPL_Classpath_Exception;
 };
+ isc = {
+ shortName = "ISC License";
+ fullName = "Internet Systems Consortium License";
+ url = http://www.isc.org/downloads/software-support-policy/isc-license/;
+ };
+
 inria = {
 shortName = "INRIA-NCLA";
 fullName = "INRIA Non-Commercial License Agreement";
From 5337b164359f8b3578788ba5f3aaadd39d917e37 Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Wed, 6 Aug 2014 23:08:10 -0500
Subject: [PATCH 8/8] dhcp: Update meta information and add maintainership
---
 pkgs/tools/networking/dhcp/default.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/pkgs/tools/networking/dhcp/default.nix b/pkgs/tools/networking/dhcp/default.nix
index 1a00c335684e..07925ca110df 100644
--- a/pkgs/tools/networking/dhcp/default.nix
+++ b/pkgs/tools/networking/dhcp/default.nix
@@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
 -"es|^ *#define \+_PATH_DHCLIENT_SCRIPT.*$|#define _PATH_DHCLIENT_SCRIPT \"$out/sbin/dhclient-script\"|g"
 '';
- meta = {
+ meta = with stdenv.lib; {
 description = "Dynamic Host Configuration Protocol (DHCP) tools";
 longDescription = ''
@@ -61,6 +61,8 @@ stdenv.mkDerivation rec {
 '';
 homepage = http://www.isc.org/products/DHCP/;
- license = "http://www.isc.org/sw/dhcp/dhcp-copyright.php";
+ license = licenses.isc;
+ platforms = platforms.unix;
+ maintainers = with maintainers; [ wkennington ];
 };
 }