nixpkgs/nixos/modules/services/networking/cjdns.nix
Eelco Dolstra 29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00

207 lines
5.2 KiB
Nix

# You may notice the commented out sections in this file,
# it would be great to configure cjdns from nix, but cjdns
# reads its configuration from stdin, including the private
# key and admin password, all nested in a JSON structure.
#
# Until a good method of storing the keys outside the nix
# store and mixing them back into a string is devised
# (without too much shell hackery), a skeleton of the
# configuration building lies commented out.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.cjdns;
/*
# can't keep keys and passwords in the nix store,
# but don't want to deal with this stdin quagmire.
cjdrouteConf = '' {
"admin": {"bind": "${cfg.admin.bind}", "password": "\${CJDNS_ADMIN}" },
"privateKey": "\${CJDNS_KEY}",
"interfaces": {
''
+ optionalString (cfg.interfaces.udp.bind.address != null) ''
"UDPInterface": [ {
"bind": "${cfg.interfaces.udp.bind.address}:"''
${if cfg.interfaces.upd.bind.port != null
then ${toString cfg.interfaces.udp.bind.port}
else ${RANDOM}
fi)
+ '' } ]''
+ (if cfg.interfaces.eth.bind != null then ''
"ETHInterface": [ {
"bind": "${cfg.interfaces.eth.bind}",
"beacon": ${toString cfg.interfaces.eth.beacon}
} ]
'' fi )
+ ''
},
"router": { "interface": { "type": "TUNInterface" }, },
"security": [ { "setuser": "nobody" } ]
}
'';
cjdrouteConfFile = pkgs.writeText "cjdroute.conf" cjdrouteConf
*/
in
{
options = {
services.cjdns = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable this option to start a instance of the
cjdns network encryption and and routing engine.
Configuration will be read from <literal>confFile</literal>.
'';
};
confFile = mkOption {
default = "/etc/cjdroute.conf";
description = ''
Configuration file to pipe to cjdroute.
'';
};
/*
admin = {
bind = mkOption {
default = "127.0.0.1:11234";
description = ''
Bind the administration port to this address and port.
'';
};
passwordFile = mkOption {
example = "/root/cjdns.adminPassword";
description = ''
File containing a password to the administration port.
'';
};
};
keyFile = mkOption {
type = types.str;
example = "/root/cjdns.key";
description = ''
Path to a file containing a cjdns private key on a single line.
'';
};
passwordsFile = mkOption {
type = types.str;
default = null;
example = "/root/cjdns.authorizedPasswords";
description = ''
A file containing a list of json dictionaries with passwords.
For example:
{"password": "s8xf5z7znl4jt05g922n3wpk75wkypk"},
{ "name": "nice guy",
"password": "xhthk1mglz8tpjrbbvdlhyc092rhpx5"},
{"password": "3qfxyhmrht7uwzq29pmhbdm9w4bnc8w"}
'';
};
interfaces = {
udp = {
bind = {
address = mkOption {
default = "0.0.0.0";
description = ''
Address to bind UDP tunnels to; disable by setting to null;
'';
};
port = mkOption {
type = types.int;
default = null;
description = ''
Port to bind UDP tunnels to.
A port will be choosen at random if this is not set.
This option is required to act as the server end of
a tunnel.
'';
};
};
};
eth = {
bind = mkOption {
default = null;
example = "eth0";
description = ''
Bind to this device and operate with native wire format.
'';
};
beacon = mkOption {
default = 2;
description = ''
Auto-connect to other cjdns nodes on the same network.
Options:
0 -- Disabled.
1 -- Accept beacons, this will cause cjdns to accept incoming
beacon messages and try connecting to the sender.
2 -- Accept and send beacons, this will cause cjdns to broadcast
messages on the local network which contain a randomly
generated per-session password, other nodes which have this
set to 1 or 2 will hear the beacon messages and connect
automatically.
'';
};
connectTo = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Credentials for connecting look similar to UDP credientials
except they begin with the mac address, for example:
"01:02:03:04:05:06":{"password":"a","publicKey":"b"}
'';
};
};
};
*/
};
};
config = mkIf config.services.cjdns.enable {
boot.kernelModules = [ "tun" ];
/*
networking.firewall.allowedUDPPorts = mkIf (cfg.udp.bind.port != null) [
cfg.udp.bind.port
];
*/
systemd.services.cjdns = {
description = "encrypted networking for everybody";
wantedBy = [ "multi-user.target" ];
wants = [ "network.target" ];
before = [ "network.target" ];
path = [ pkgs.cjdns ];
serviceConfig = {
Type = "forking";
ExecStart = ''
${pkgs.stdenv.shell} -c "${pkgs.cjdns}/sbin/cjdroute < ${cfg.confFile}"
'';
Restart = "on-failure";
};
};
};
}