2e751c0772
the conversion procedure is simple: - find all things that look like options, ie calls to either `mkOption` or `lib.mkOption` that take an attrset. remember the attrset as the option - for all options, find a `description` attribute who's value is not a call to `mdDoc` or `lib.mdDoc` - textually convert the entire value of the attribute to MD with a few simple regexes (the set from mdize-module.sh) - if the change produced a change in the manual output, discard - if the change kept the manual unchanged, add some text to the description to make sure we've actually found an option. if the manual changes this time, keep the converted description this procedure converts 80% of nixos options to markdown. around 2000 options remain to be inspected, but most of those fail the "does not change the manual output check": currently the MD conversion process does not faithfully convert docbook tags like <code> and <package>, so any option using such tags will not be converted at all.
220 lines
7.5 KiB
Nix
220 lines
7.5 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.services.spiped;
|
|
in
|
|
{
|
|
options = {
|
|
services.spiped = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc "Enable the spiped service module.";
|
|
};
|
|
|
|
config = mkOption {
|
|
type = types.attrsOf (types.submodule (
|
|
{
|
|
options = {
|
|
encrypt = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc ''
|
|
Take unencrypted connections from the
|
|
`source` socket and send encrypted
|
|
connections to the `target` socket.
|
|
'';
|
|
};
|
|
|
|
decrypt = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc ''
|
|
Take encrypted connections from the
|
|
`source` socket and send unencrypted
|
|
connections to the `target` socket.
|
|
'';
|
|
};
|
|
|
|
source = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc ''
|
|
Address on which spiped should listen for incoming
|
|
connections. Must be in one of the following formats:
|
|
`/absolute/path/to/unix/socket`,
|
|
`host.name:port`,
|
|
`[ip.v4.ad.dr]:port` or
|
|
`[ipv6::addr]:port` - note that
|
|
hostnames are resolved when spiped is launched and are
|
|
not re-resolved later; thus if DNS entries change
|
|
spiped will continue to connect to the expired
|
|
address.
|
|
'';
|
|
};
|
|
|
|
target = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "Address to which spiped should connect.";
|
|
};
|
|
|
|
keyfile = mkOption {
|
|
type = types.path;
|
|
description = lib.mdDoc ''
|
|
Name of a file containing the spiped key. As the
|
|
daemon runs as the `spiped` user, the
|
|
key file must be somewhere owned by that user. By
|
|
default, we recommend putting the keys for any spipe
|
|
services in `/var/lib/spiped`.
|
|
'';
|
|
};
|
|
|
|
timeout = mkOption {
|
|
type = types.int;
|
|
default = 5;
|
|
description = lib.mdDoc ''
|
|
Timeout, in seconds, after which an attempt to connect to
|
|
the target or a protocol handshake will be aborted (and the
|
|
connection dropped) if not completed
|
|
'';
|
|
};
|
|
|
|
maxConns = mkOption {
|
|
type = types.int;
|
|
default = 100;
|
|
description = lib.mdDoc ''
|
|
Limit on the number of simultaneous connections allowed.
|
|
'';
|
|
};
|
|
|
|
waitForDNS = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc ''
|
|
Wait for DNS. Normally when `spiped` is
|
|
launched it resolves addresses and binds to its source
|
|
socket before the parent process returns; with this option
|
|
it will daemonize first and retry failed DNS lookups until
|
|
they succeed. This allows `spiped` to
|
|
launch even if DNS isn't set up yet, but at the expense of
|
|
losing the guarantee that once `spiped` has
|
|
finished launching it will be ready to create pipes.
|
|
'';
|
|
};
|
|
|
|
disableKeepalives = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc "Disable transport layer keep-alives.";
|
|
};
|
|
|
|
weakHandshake = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc ''
|
|
Use fast/weak handshaking: This reduces the CPU time spent
|
|
in the initial connection setup, at the expense of losing
|
|
perfect forward secrecy.
|
|
'';
|
|
};
|
|
|
|
resolveRefresh = mkOption {
|
|
type = types.int;
|
|
default = 60;
|
|
description = lib.mdDoc ''
|
|
Resolution refresh time for the target socket, in seconds.
|
|
'';
|
|
};
|
|
|
|
disableReresolution = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc "Disable target address re-resolution.";
|
|
};
|
|
};
|
|
}
|
|
));
|
|
|
|
default = {};
|
|
|
|
example = literalExpression ''
|
|
{
|
|
pipe1 =
|
|
{ keyfile = "/var/lib/spiped/pipe1.key";
|
|
encrypt = true;
|
|
source = "localhost:6000";
|
|
target = "endpoint.example.com:7000";
|
|
};
|
|
pipe2 =
|
|
{ keyfile = "/var/lib/spiped/pipe2.key";
|
|
decrypt = true;
|
|
source = "0.0.0.0:7000";
|
|
target = "localhost:3000";
|
|
};
|
|
}
|
|
'';
|
|
|
|
description = lib.mdDoc ''
|
|
Configuration for a secure pipe daemon. The daemon can be
|
|
started, stopped, or examined using
|
|
`systemctl`, under the name
|
|
`spiped@foo`.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
assertions = mapAttrsToList (name: c: {
|
|
assertion = (c.encrypt -> !c.decrypt) || (c.decrypt -> c.encrypt);
|
|
message = "A pipe must either encrypt or decrypt";
|
|
}) cfg.config;
|
|
|
|
users.groups.spiped.gid = config.ids.gids.spiped;
|
|
users.users.spiped = {
|
|
description = "Secure Pipe Service user";
|
|
group = "spiped";
|
|
uid = config.ids.uids.spiped;
|
|
};
|
|
|
|
systemd.services."spiped@" = {
|
|
description = "Secure pipe '%i'";
|
|
after = [ "network.target" ];
|
|
|
|
serviceConfig = {
|
|
Restart = "always";
|
|
User = "spiped";
|
|
PermissionsStartOnly = true;
|
|
};
|
|
|
|
preStart = ''
|
|
cd /var/lib/spiped
|
|
chmod -R 0660 *
|
|
chown -R spiped:spiped *
|
|
'';
|
|
scriptArgs = "%i";
|
|
script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`";
|
|
};
|
|
|
|
system.activationScripts.spiped = optionalString (cfg.config != {})
|
|
"mkdir -p /var/lib/spiped";
|
|
|
|
# Setup spiped config files
|
|
environment.etc = mapAttrs' (name: cfg: nameValuePair "spiped/${name}.spec"
|
|
{ text = concatStringsSep " "
|
|
[ (if cfg.encrypt then "-e" else "-d") # Mode
|
|
"-s ${cfg.source}" # Source
|
|
"-t ${cfg.target}" # Target
|
|
"-k ${cfg.keyfile}" # Keyfile
|
|
"-n ${toString cfg.maxConns}" # Max number of conns
|
|
"-o ${toString cfg.timeout}" # Timeout
|
|
(optionalString cfg.waitForDNS "-D") # Wait for DNS
|
|
(optionalString cfg.weakHandshake "-f") # No PFS
|
|
(optionalString cfg.disableKeepalives "-j") # Keepalives
|
|
(if cfg.disableReresolution then "-R"
|
|
else "-r ${toString cfg.resolveRefresh}")
|
|
];
|
|
}) cfg.config;
|
|
};
|
|
}
|