diff options
| author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2022-02-07 18:01:27 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-02-07 18:01:27 +0000 |
| commit | 9cdb39f965f588390a2685b6f725a023c4b16221 (patch) | |
| tree | 6750e439562a6e2b3dbc130931b809c57ccf8aca /nixos | |
| parent | 4e2cf99754e07b51bb266e9392009302ef4bd802 (diff) | |
| parent | 64b690300863dd46651da6ecc69451e8ffb8af97 (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/services/networking/wg-netmanager.nix | 42 | ||||
| -rw-r--r-- | nixos/modules/services/security/cfssl.nix | 95 |
3 files changed, 97 insertions, 41 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 28724d1e85d3e..cbc650249127f 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -914,6 +914,7 @@ ./services/networking/vsftpd.nix ./services/networking/wasabibackend.nix ./services/networking/websockify.nix + ./services/networking/wg-netmanager.nix ./services/networking/wg-quick.nix ./services/networking/wireguard.nix ./services/networking/wpa_supplicant.nix diff --git a/nixos/modules/services/networking/wg-netmanager.nix b/nixos/modules/services/networking/wg-netmanager.nix new file mode 100644 index 0000000000000..493ff7ceba9f1 --- /dev/null +++ b/nixos/modules/services/networking/wg-netmanager.nix @@ -0,0 +1,42 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.wg-netmanager; +in +{ + + options = { + services.wg-netmanager = { + enable = mkEnableOption "Wireguard network manager"; + }; + }; + + ###### implementation + config = mkIf cfg.enable { + # NOTE: wg-netmanager runs as root + systemd.services.wg-netmanager = { + description = "Wireguard network manager"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + path = with pkgs; [ wireguard-tools iproute2 wireguard-go ]; + serviceConfig = { + Type = "simple"; + Restart = "on-failure"; + ExecStart = "${pkgs.wg-netmanager}/bin/wg_netmanager"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + ExecStop = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + ReadWritePaths = [ + "/tmp" # wg-netmanager creates files in /tmp before deleting them after use + ]; + }; + unitConfig = { + ConditionPathExists = ["/etc/wg_netmanager/network.yaml" "/etc/wg_netmanager/peer.yaml"]; + }; + }; + }; + + meta.maintainers = with maintainers; [ gin66 ]; +} diff --git a/nixos/modules/services/security/cfssl.nix b/nixos/modules/services/security/cfssl.nix index e5bed0a9987c0..6df2343b84d22 100644 --- a/nixos/modules/services/security/cfssl.nix +++ b/nixos/modules/services/security/cfssl.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, options, lib, pkgs, ... }: with lib; @@ -11,7 +11,16 @@ in { dataDir = mkOption { default = "/var/lib/cfssl"; type = types.path; - description = "Cfssl work directory."; + description = '' + The work directory for CFSSL. + + <note><para> + If left as the default value this directory will automatically be + created before the CFSSL server starts, otherwise you are + responsible for ensuring the directory exists with appropriate + ownership and permissions. + </para></note> + ''; }; address = mkOption { @@ -22,7 +31,7 @@ in { port = mkOption { default = 8888; - type = types.ints.u16; + type = types.port; description = "Port to bind."; }; @@ -147,13 +156,12 @@ in { }; config = mkIf cfg.enable { - users.extraGroups.cfssl = { + users.groups.cfssl = { gid = config.ids.gids.cfssl; }; - users.extraUsers.cfssl = { + users.users.cfssl = { description = "cfssl user"; - createHome = true; home = cfg.dataDir; group = "cfssl"; uid = config.ids.uids.cfssl; @@ -164,41 +172,46 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - serviceConfig = { - WorkingDirectory = cfg.dataDir; - StateDirectory = cfg.dataDir; - StateDirectoryMode = 700; - Restart = "always"; - User = "cfssl"; - - ExecStart = with cfg; let - opt = n: v: optionalString (v != null) ''-${n}="${v}"''; - in - lib.concatStringsSep " \\\n" [ - "${pkgs.cfssl}/bin/cfssl serve" - (opt "address" address) - (opt "port" (toString port)) - (opt "ca" ca) - (opt "ca-key" caKey) - (opt "ca-bundle" caBundle) - (opt "int-bundle" intBundle) - (opt "int-dir" intDir) - (opt "metadata" metadata) - (opt "remote" remote) - (opt "config" configFile) - (opt "responder" responder) - (opt "responder-key" responderKey) - (opt "tls-key" tlsKey) - (opt "tls-cert" tlsCert) - (opt "mutual-tls-ca" mutualTlsCa) - (opt "mutual-tls-cn" mutualTlsCn) - (opt "mutual-tls-client-key" mutualTlsClientKey) - (opt "mutual-tls-client-cert" mutualTlsClientCert) - (opt "tls-remote-ca" tlsRemoteCa) - (opt "db-config" dbConfig) - (opt "loglevel" (toString logLevel)) - ]; - }; + serviceConfig = lib.mkMerge [ + { + WorkingDirectory = cfg.dataDir; + Restart = "always"; + User = "cfssl"; + Group = "cfssl"; + + ExecStart = with cfg; let + opt = n: v: optionalString (v != null) ''-${n}="${v}"''; + in + lib.concatStringsSep " \\\n" [ + "${pkgs.cfssl}/bin/cfssl serve" + (opt "address" address) + (opt "port" (toString port)) + (opt "ca" ca) + (opt "ca-key" caKey) + (opt "ca-bundle" caBundle) + (opt "int-bundle" intBundle) + (opt "int-dir" intDir) + (opt "metadata" metadata) + (opt "remote" remote) + (opt "config" configFile) + (opt "responder" responder) + (opt "responder-key" responderKey) + (opt "tls-key" tlsKey) + (opt "tls-cert" tlsCert) + (opt "mutual-tls-ca" mutualTlsCa) + (opt "mutual-tls-cn" mutualTlsCn) + (opt "mutual-tls-client-key" mutualTlsClientKey) + (opt "mutual-tls-client-cert" mutualTlsClientCert) + (opt "tls-remote-ca" tlsRemoteCa) + (opt "db-config" dbConfig) + (opt "loglevel" (toString logLevel)) + ]; + } + (mkIf (cfg.dataDir == options.services.cfssl.dataDir.default) { + StateDirectory = baseNameOf cfg.dataDir; + StateDirectoryMode = 700; + }) + ]; }; services.cfssl = { |