nixos: only enable spipe when user specifies
Signed-off-by: Austin Seipp <aseipp@pobox.com>
This commit is contained in:
parent
33eced411f
commit
b470c93c1e
@ -7,161 +7,169 @@ let
|
||||
in
|
||||
{
|
||||
options = {
|
||||
services.spiped = mkOption {
|
||||
type = types.attrsOf (types.submodule (
|
||||
{
|
||||
options = {
|
||||
encrypt = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Take unencrypted connections from the
|
||||
<literal>source</literal> socket and send encrypted
|
||||
connections to the <literal>target</literal> socket.
|
||||
'';
|
||||
};
|
||||
services.spiped = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Enable the spiped service module.";
|
||||
};
|
||||
|
||||
decrypt = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Take encrypted connections from the
|
||||
<literal>source</literal> socket and send unencrypted
|
||||
connections to the <literal>target</literal> socket.
|
||||
'';
|
||||
};
|
||||
config = mkOption {
|
||||
type = types.attrsOf (types.submodule (
|
||||
{
|
||||
options = {
|
||||
encrypt = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Take unencrypted connections from the
|
||||
<literal>source</literal> socket and send encrypted
|
||||
connections to the <literal>target</literal> socket.
|
||||
'';
|
||||
};
|
||||
|
||||
source = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
Address on which spiped should listen for incoming
|
||||
connections. Must be in one of the following formats:
|
||||
<literal>/absolute/path/to/unix/socket</literal>,
|
||||
<literal>host.name:port</literal>,
|
||||
<literal>[ip.v4.ad.dr]:port</literal> or
|
||||
<literal>[ipv6::addr]:port</literal> - note that
|
||||
hostnames are resolved when spiped is launched and are
|
||||
not re-resolved later; thus if DNS entries change
|
||||
spiped will continue to connect to the expired
|
||||
address.
|
||||
'';
|
||||
};
|
||||
decrypt = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Take encrypted connections from the
|
||||
<literal>source</literal> socket and send unencrypted
|
||||
connections to the <literal>target</literal> socket.
|
||||
'';
|
||||
};
|
||||
|
||||
target = mkOption {
|
||||
type = types.str;
|
||||
description = "Address to which spiped should connect.";
|
||||
};
|
||||
source = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
Address on which spiped should listen for incoming
|
||||
connections. Must be in one of the following formats:
|
||||
<literal>/absolute/path/to/unix/socket</literal>,
|
||||
<literal>host.name:port</literal>,
|
||||
<literal>[ip.v4.ad.dr]:port</literal> or
|
||||
<literal>[ipv6::addr]:port</literal> - note that
|
||||
hostnames are resolved when spiped is launched and are
|
||||
not re-resolved later; thus if DNS entries change
|
||||
spiped will continue to connect to the expired
|
||||
address.
|
||||
'';
|
||||
};
|
||||
|
||||
keyfile = mkOption {
|
||||
type = types.path;
|
||||
description = ''
|
||||
Name of a file containing the spiped key. As the
|
||||
daemon runs as the <literal>spiped</literal> user, the
|
||||
key file must be somewhere owned by that user. By
|
||||
default, we recommend putting the keys for any spipe
|
||||
services in <literal>/var/lib/spiped</literal>.
|
||||
'';
|
||||
};
|
||||
target = mkOption {
|
||||
type = types.str;
|
||||
description = "Address to which spiped should connect.";
|
||||
};
|
||||
|
||||
timeout = mkOption {
|
||||
type = types.int;
|
||||
default = 5;
|
||||
description = ''
|
||||
Timeout, in seconds, after which an attempt to connect to
|
||||
the target or a protocol handshake will be aborted (and the
|
||||
connection dropped) if not completed
|
||||
'';
|
||||
};
|
||||
keyfile = mkOption {
|
||||
type = types.path;
|
||||
description = ''
|
||||
Name of a file containing the spiped key. As the
|
||||
daemon runs as the <literal>spiped</literal> user, the
|
||||
key file must be somewhere owned by that user. By
|
||||
default, we recommend putting the keys for any spipe
|
||||
services in <literal>/var/lib/spiped</literal>.
|
||||
'';
|
||||
};
|
||||
|
||||
maxConns = mkOption {
|
||||
type = types.int;
|
||||
default = 100;
|
||||
description = ''
|
||||
Limit on the number of simultaneous connections allowed.
|
||||
'';
|
||||
};
|
||||
timeout = mkOption {
|
||||
type = types.int;
|
||||
default = 5;
|
||||
description = ''
|
||||
Timeout, in seconds, after which an attempt to connect to
|
||||
the target or a protocol handshake will be aborted (and the
|
||||
connection dropped) if not completed
|
||||
'';
|
||||
};
|
||||
|
||||
waitForDNS = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Wait for DNS. Normally when <literal>spiped</literal> is
|
||||
launched it resolves addresses and binds to its source
|
||||
socket before the parent process returns; with this option
|
||||
it will daemonize first and retry failed DNS lookups until
|
||||
they succeed. This allows <literal>spiped</literal> to
|
||||
launch even if DNS isn't set up yet, but at the expense of
|
||||
losing the guarantee that once <literal>spiped</literal> has
|
||||
finished launching it will be ready to create pipes.
|
||||
'';
|
||||
};
|
||||
maxConns = mkOption {
|
||||
type = types.int;
|
||||
default = 100;
|
||||
description = ''
|
||||
Limit on the number of simultaneous connections allowed.
|
||||
'';
|
||||
};
|
||||
|
||||
disableKeepalives = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Disable transport layer keep-alives.";
|
||||
};
|
||||
waitForDNS = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Wait for DNS. Normally when <literal>spiped</literal> is
|
||||
launched it resolves addresses and binds to its source
|
||||
socket before the parent process returns; with this option
|
||||
it will daemonize first and retry failed DNS lookups until
|
||||
they succeed. This allows <literal>spiped</literal> to
|
||||
launch even if DNS isn't set up yet, but at the expense of
|
||||
losing the guarantee that once <literal>spiped</literal> has
|
||||
finished launching it will be ready to create pipes.
|
||||
'';
|
||||
};
|
||||
|
||||
weakHandshake = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Use fast/weak handshaking: This reduces the CPU time spent
|
||||
in the initial connection setup, at the expense of losing
|
||||
perfect forward secrecy.
|
||||
'';
|
||||
};
|
||||
disableKeepalives = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Disable transport layer keep-alives.";
|
||||
};
|
||||
|
||||
resolveRefresh = mkOption {
|
||||
type = types.int;
|
||||
default = 60;
|
||||
description = ''
|
||||
Resolution refresh time for the target socket, in seconds.
|
||||
'';
|
||||
};
|
||||
weakHandshake = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Use fast/weak handshaking: This reduces the CPU time spent
|
||||
in the initial connection setup, at the expense of losing
|
||||
perfect forward secrecy.
|
||||
'';
|
||||
};
|
||||
|
||||
disableReresolution = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Disable target address re-resolution.";
|
||||
};
|
||||
};
|
||||
}
|
||||
));
|
||||
resolveRefresh = mkOption {
|
||||
type = types.int;
|
||||
default = 60;
|
||||
description = ''
|
||||
Resolution refresh time for the target socket, in seconds.
|
||||
'';
|
||||
};
|
||||
|
||||
default = {};
|
||||
|
||||
example = literalExample ''
|
||||
{
|
||||
pipe1 =
|
||||
{ keyfile = "/var/lib/spiped/pipe1.key";
|
||||
encrypt = true;
|
||||
source = "localhost:6000";
|
||||
target = "endpoint.example.com:7000";
|
||||
disableReresolution = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Disable target address re-resolution.";
|
||||
};
|
||||
};
|
||||
pipe2 =
|
||||
{ keyfile = "/var/lib/spiped/pipe2.key";
|
||||
decrypt = true;
|
||||
source = "0.0.0.0:7000";
|
||||
target = "localhost:3000";
|
||||
};
|
||||
}
|
||||
'';
|
||||
}
|
||||
));
|
||||
|
||||
description = ''
|
||||
Configuration for a secure pipe daemon. The daemon can be
|
||||
started, stopped, or examined using
|
||||
<literal>systemctl</literal>, under the name
|
||||
<literal>spiped@foo</literal>.
|
||||
'';
|
||||
default = {};
|
||||
|
||||
example = literalExample ''
|
||||
{
|
||||
pipe1 =
|
||||
{ keyfile = "/var/lib/spiped/pipe1.key";
|
||||
encrypt = true;
|
||||
source = "localhost:6000";
|
||||
target = "endpoint.example.com:7000";
|
||||
};
|
||||
pipe2 =
|
||||
{ keyfile = "/var/lib/spiped/pipe2.key";
|
||||
decrypt = true;
|
||||
source = "0.0.0.0:7000";
|
||||
target = "localhost:3000";
|
||||
};
|
||||
}
|
||||
'';
|
||||
|
||||
description = ''
|
||||
Configuration for a secure pipe daemon. The daemon can be
|
||||
started, stopped, or examined using
|
||||
<literal>systemctl</literal>, under the name
|
||||
<literal>spiped@foo</literal>.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
config = mkIf cfg.enable {
|
||||
assertions = mapAttrsToList (name: c: {
|
||||
assertion = (c.encrypt -> !c.decrypt) || (c.decrypt -> c.encrypt);
|
||||
message = "A pipe must either encrypt or decrypt";
|
||||
}) cfg;
|
||||
}) cfg.config;
|
||||
|
||||
users.extraGroups.spiped.gid = config.ids.gids.spiped;
|
||||
users.extraUsers.spiped = {
|
||||
@ -189,7 +197,7 @@ in
|
||||
script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`";
|
||||
};
|
||||
|
||||
system.activationScripts.spiped = optionalString (cfg != {})
|
||||
system.activationScripts.spiped = optionalString (cfg.config != {})
|
||||
"mkdir -p /var/lib/spiped";
|
||||
|
||||
# Setup spiped config files
|
||||
@ -207,6 +215,6 @@ in
|
||||
(if cfg.disableReresolution then "-R"
|
||||
else "-r ${toString cfg.resolveRefresh}")
|
||||
];
|
||||
}) cfg;
|
||||
}) cfg.config;
|
||||
};
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user