commit 800965ce8c3d8d7abb91267886f6b43e37f2bf18 · pyrox.dev/nixpkgs

nixos/doc/manual/release-notes/rl-2311.section.md

···

       396
       396
        
       

     

       397
       397
        
       - The `fonts.fonts` and `fonts.enableDefaultFonts` options have been renamed to `fonts.packages` and `fonts.enableDefaultPackages` respectively.

     

       398
       398
        
       

     

       399
       399
       +
       - The `services.sslh` module has been updated to follow [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). As such, several options have been moved to the freeform attribute set [services.sslh.settings](#opt-services.sslh.settings), which allows to change any of the settings in {manpage}`sslh(8)`.

     

       400
       400
       +
         In addition, the newly added option [services.sslh.method](#opt-services.sslh.method) allows to switch between the {manpage}`fork(2)`, {manpage}`select(2)` and `libev`-based connection handling method; see the [sslh docs](https://github.com/yrutschle/sslh/blob/master/doc/INSTALL.md#binaries) for a comparison.

     

       401
       401
       +
       

     

       399
       402
        
       - `pkgs.openvpn3` now optionally supports systemd-resolved. `programs.openvpn3` will automatically enable systemd-resolved support if `config.services.resolved.enable` is enabled.

     

       400
       403
        
       

     

       401
       404
        
       - `services.fail2ban.jails` can now be configured with attribute sets defining settings and filters instead of lines. The stringed options `daemonConfig` and `extraSettings` have respectively been replaced by `daemonSettings` and `jails.DEFAULT.settings` which use attribute sets.

+123 -64

nixos/modules/services/networking/sslh.nix

···

       5
       5
        
       let

     

       6
       6
        
         cfg = config.services.sslh;

     

       7
       7
        
         user = "sslh";

     

       8
       8
       -
         configFile = pkgs.writeText "sslh.conf" ''

     

       9
       9
       -
           verbose: ${boolToString cfg.verbose};

     

       10
       10
       -
           foreground: true;

     

       11
       11
       -
           inetd: false;

     

       12
       12
       -
           numeric: false;

     

       13
       13
       -
           transparent: ${boolToString cfg.transparent};

     

       14
       14
       -
           timeout: "${toString cfg.timeout}";

     

       15
       8
        
       

     

       16
       16
       -
           listen:

     

       17
       17
       -
           (

     

       18
       18
       -
             ${

     

       19
       19
       -
               concatMapStringsSep ",\n"

     

       20
       20
       -
               (addr: ''{ host: "${addr}"; port: "${toString cfg.port}"; }'')

     

       21
       21
       -
               cfg.listenAddresses

     

       22
       22
       -
             }

     

       23
       23
       -
           );

     

       9
       9
       +
         configFormat = pkgs.formats.libconfig {};

     

       10
       10
       +
         configFile = configFormat.generate "sslh.conf" cfg.settings;

     

       11
       11
       +
       in

     

       24
       12
        
       

     

       25
       25
       -
           ${cfg.appendConfig}

     

       26
       26
       -
         '';

     

       27
       27
       -
         defaultAppendConfig = ''

     

       28
       28
       -
           protocols:

     

       29
       29
       -
           (

     

       30
       30
       -
             { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; probe: "builtin"; },

     

       31
       31
       -
             { name: "openvpn"; host: "localhost"; port: "1194"; probe: "builtin"; },

     

       32
       32
       -
             { name: "xmpp"; host: "localhost"; port: "5222"; probe: "builtin"; },

     

       33
       33
       -
             { name: "http"; host: "localhost"; port: "80"; probe: "builtin"; },

     

       34
       34
       -
             { name: "tls"; host: "localhost"; port: "443"; probe: "builtin"; },

     

       35
       35
       -
             { name: "anyprot"; host: "localhost"; port: "443"; probe: "builtin"; }

     

       36
       36
       -
           );

     

       37
       37
       -
         '';

     

       38
       38
       -
       in

     

       39
       13
        
       {

     

       40
       14
        
         imports = [

     

       41
       15
        
           (mkRenamedOptionModule [ "services" "sslh" "listenAddress" ] [ "services" "sslh" "listenAddresses" ])

     

       16
       16
       +
           (mkRenamedOptionModule [ "services" "sslh" "timeout" ] [ "services" "sslh" "settings" "timeout" ])

     

       17
       17
       +
           (mkRenamedOptionModule [ "services" "sslh" "transparent" ] [ "services" "sslh" "settings" "transparent" ])

     

       18
       18
       +
           (mkRemovedOptionModule [ "services" "sslh" "appendConfig" ] "Use services.sslh.settings instead")

     

       19
       19
       +
           (mkChangedOptionModule [ "services" "sslh" "verbose" ] [ "services" "sslh" "settings" "verbose-connections" ]

     

       20
       20
       +
             (config: if config.services.sslh.verbose then 1 else 0))

     

       42
       21
        
         ];

     

       43
       22
        
       

     

       44
       44
       -
         options = {

     

       45
       45
       -
           services.sslh = {

     

       46
       46
       -
             enable = mkEnableOption (lib.mdDoc "sslh");

     

       23
       23
       +
         meta.buildDocsInSandbox = false;

     

       24
       24
       +
       

     

       25
       25
       +
         options.services.sslh = {

     

       26
       26
       +
           enable = mkEnableOption (lib.mdDoc "sslh, protocol demultiplexer");

     

       27
       27
       +
       

     

       28
       28
       +
           method = mkOption {

     

       29
       29
       +
             type = types.enum [ "fork" "select" "ev" ];

     

       30
       30
       +
             default = "fork";

     

       31
       31
       +
             description = lib.mdDoc ''

     

       32
       32
       +
               The method to use for handling connections:

     

       33
       33
       +
       

     

       34
       34
       +
                 - `fork` forks a new process for each incoming connection. It is

     

       35
       35
       +
                 well-tested and very reliable, but incurs the overhead of many

     

       36
       36
       +
                 processes.

     

       37
       37
       +
       

     

       38
       38
       +
                 - `select` uses only one thread, which monitors all connections at once.

     

       39
       39
       +
                 It has lower overhead per connection, but if it stops, you'll lose all

     

       40
       40
       +
                 connections.

     

       41
       41
       +
       

     

       42
       42
       +
                 - `ev` is implemented using libev, it's similar to `select` but

     

       43
       43
       +
                   scales better to a large number of connections.

     

       44
       44
       +
             '';

     

       45
       45
       +
           };

     

       46
       46
       +
       

     

       47
       47
       +
           listenAddresses = mkOption {

     

       48
       48
       +
             type = with types; coercedTo str singleton (listOf str);

     

       49
       49
       +
             default = [ "0.0.0.0" "[::]" ];

     

       50
       50
       +
             description = lib.mdDoc "Listening addresses or hostnames.";

     

       51
       51
       +
           };

     

       52
       52
       +
       

     

       53
       53
       +
           port = mkOption {

     

       54
       54
       +
             type = types.port;

     

       55
       55
       +
             default = 443;

     

       56
       56
       +
             description = lib.mdDoc "Listening port.";

     

       57
       57
       +
           };

     

       58
       58
       +
       

     

       59
       59
       +
           settings = mkOption {

     

       60
       60
       +
             type = types.submodule {

     

       61
       61
       +
               freeformType = configFormat.type;

     

       62
       62
       +
       

     

       63
       63
       +
               options.timeout = mkOption {

     

       64
       64
       +
                 type = types.ints.unsigned;

     

       65
       65
       +
                 default = 2;

     

       66
       66
       +
                 description = lib.mdDoc "Timeout in seconds.";

     

       67
       67
       +
               };

     

       68
       68
       +
       

     

       69
       69
       +
               options.transparent = mkOption {

     

       70
       70
       +
                 type = types.bool;

     

       71
       71
       +
                 default = false;

     

       72
       72
       +
                 description = lib.mdDoc ''

     

       73
       73
       +
                   Whether the services behind sslh (Apache, sshd and so on) will see the

     

       74
       74
       +
                   external IP and ports as if the external world connected directly to

     

       75
       75
       +
                   them.

     

       76
       76
       +
                 '';

     

       77
       77
       +
               };

     

       78
       78
       +
       

     

       79
       79
       +
               options.verbose-connections = mkOption {

     

       80
       80
       +
                 type = types.ints.between 0 4;

     

       81
       81
       +
                 default = 0;

     

       82
       82
       +
                 description = lib.mdDoc ''

     

       83
       83
       +
                   Where to log connections information. Possible values are:

     

       84
       84
       +
       

     

       85
       85
       +
                    0. don't log anything

     

       86
       86
       +
                    1. write log to stdout

     

       87
       87
       +
                    2. write log to syslog

     

       88
       88
       +
                    3. write log to both stdout and syslog

     

       89
       89
       +
                    4. write to a log file ({option}`sslh.settings.logfile`)

     

       90
       90
       +
                 '';

     

       91
       91
       +
               };

     

       92
       92
       +
       

     

       93
       93
       +
               options.numeric = mkOption {

     

       94
       94
       +
                 type = types.bool;

     

       95
       95
       +
                 default = true;

     

       96
       96
       +
                 description = lib.mdDoc ''

     

       97
       97
       +
                   Whether to disable reverse DNS lookups, thus keeping IP

     

       98
       98
       +
                   address literals in the log.

     

       99
       99
       +
                 '';

     

       100
       100
       +
               };

     

       101
       101
       +
       

     

       102
       102
       +
               options.protocols = mkOption {

     

       103
       103
       +
                 type = types.listOf configFormat.type;

     

       104
       104
       +
                 default = [

     

       105
       105
       +
                   { name = "ssh";     host = "localhost"; port =  "22"; service= "ssh"; }

     

       106
       106
       +
                   { name = "openvpn"; host = "localhost"; port = "1194"; }

     

       107
       107
       +
                   { name = "xmpp";    host = "localhost"; port = "5222"; }

     

       108
       108
       +
                   { name = "http";    host = "localhost"; port =   "80"; }

     

       109
       109
       +
                   { name = "tls";     host = "localhost"; port =  "443"; }

     

       110
       110
       +
                   { name = "anyprot"; host = "localhost"; port =  "443"; }

     

       111
       111
       +
                 ];

     

       112
       112
       +
                 description = lib.mdDoc ''

     

       113
       113
       +
                   List of protocols sslh will probe for and redirect.

     

       114
       114
       +
                   Each protocol entry consists of:

     

       115
       115
       +
       

     

       116
       116
       +
                     - `name`: name of the probe.

     

       47
       117
        
       

     

       48
       48
       -
             verbose = mkOption {

     

       49
       49
       -
               type = types.bool;

     

       50
       50
       -
               default = false;

     

       51
       51
       -
               description = lib.mdDoc "Verbose logs.";

     

       52
       52
       -
             };

     

       118
       118
       +
                     - `service`: libwrap service name (see {manpage}`hosts_access(5)`),

     

       53
       119
        
       

     

       54
       54
       -
             timeout = mkOption {

     

       55
       55
       -
               type = types.int;

     

       56
       56
       -
               default = 2;

     

       57
       57
       -
               description = lib.mdDoc "Timeout in seconds.";

     

       58
       58
       -
             };

     

       120
       120
       +
                     - `host`, `port`: where to connect when this probe succeeds,

     

       59
       121
        
       

     

       60
       60
       -
             transparent = mkOption {

     

       61
       61
       -
               type = types.bool;

     

       62
       62
       -
               default = false;

     

       63
       63
       -
               description = lib.mdDoc "Will the services behind sslh (Apache, sshd and so on) see the external IP and ports as if the external world connected directly to them";

     

       64
       64
       -
             };

     

       122
       122
       +
                     - `log_level`: to log incoming connections,

     

       65
       123
        
       

     

       66
       66
       -
             listenAddresses = mkOption {

     

       67
       67
       -
               type = types.coercedTo types.str singleton (types.listOf types.str);

     

       68
       68
       -
               default = [ "0.0.0.0" "[::]" ];

     

       69
       69
       -
               description = lib.mdDoc "Listening addresses or hostnames.";

     

       70
       70
       -
             };

     

       124
       124
       +
                     - `transparent`: proxy this protocol transparently,

     

       71
       125
        
       

     

       72
       72
       -
             port = mkOption {

     

       73
       73
       -
               type = types.port;

     

       74
       74
       -
               default = 443;

     

       75
       75
       -
               description = lib.mdDoc "Listening port.";

     

       76
       76
       -
             };

     

       126
       126
       +
                     - etc.

     

       77
       127
        
       

     

       78
       78
       -
             appendConfig = mkOption {

     

       79
       79
       -
               type = types.str;

     

       80
       80
       -
               default = defaultAppendConfig;

     

       81
       81
       -
               description = lib.mdDoc "Verbatim configuration file.";

     

       128
       128
       +
                   See the documentation for all options, including probe-specific ones.

     

       129
       129
       +
                 '';

     

       130
       130
       +
               };

     

       82
       131
        
             };

     

       132
       132
       +
             description = lib.mdDoc "sslh configuration. See {manpage}`sslh(8)` for available settings.";

     

       83
       133
        
           };

     

       84
       134
        
         };

     

       85
       135
        
       

     
···

       96
       146
        
                 PermissionsStartOnly = true;

     

       97
       147
        
                 Restart              = "always";

     

       98
       148
        
                 RestartSec           = "1s";

     

       99
       99
       -
                 ExecStart            = "${pkgs.sslh}/bin/sslh -F${configFile}";

     

       149
       149
       +
                 ExecStart            = "${pkgs.sslh}/bin/sslh-${cfg.method} -F${configFile}";

     

       100
       150
        
                 KillMode             = "process";

     

       101
       101
       -
                 AmbientCapabilities  = "CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SETGID CAP_SETUID";

     

       151
       151
       +
                 AmbientCapabilities  = ["CAP_NET_BIND_SERVICE" "CAP_NET_ADMIN" "CAP_SETGID" "CAP_SETUID"];

     

       102
       152
        
                 PrivateTmp           = true;

     

       103
       153
        
                 PrivateDevices       = true;

     

       104
       154
        
                 ProtectSystem        = "full";

     

       105
       155
        
                 ProtectHome          = true;

     

       106
       156
        
               };

     

       107
       157
        
             };

     

       158
       158
       +
       

     

       159
       159
       +
             services.sslh.settings = {

     

       160
       160
       +
               # Settings defined here are not supposed to be changed: doing so will

     

       161
       161
       +
               # break the module, as such you need `lib.mkForce` to override them.

     

       162
       162
       +
               foreground = true;

     

       163
       163
       +
               inetd = false;

     

       164
       164
       +
               listen = map (addr: { host = addr; port = toString cfg.port; }) cfg.listenAddresses;

     

       165
       165
       +
             };

     

       166
       166
       +
       

     

       108
       167
        
           })

     

       109
       168
        
       

     

       110
       169
        
           # code from https://github.com/yrutschle/sslh#transparent-proxy-support

     

       111
       170
        
           # the only difference is using iptables mark 0x2 instead of 0x1 to avoid conflicts with nixos/nat module

     

       112
       112
       -
           (mkIf (cfg.enable && cfg.transparent) {

     

       171
       171
       +
           (mkIf (cfg.enable && cfg.settings.transparent) {

     

       113
       172
        
             # Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as destination

     

       114
       173
        
             boot.kernel.sysctl."net.ipv4.conf.default.route_localnet" = 1;

     

       115
       174
        
             boot.kernel.sysctl."net.ipv4.conf.all.route_localnet"     = 1;

+5 -13

nixos/tests/sslh.nix

···

       10
       10
        
                 prefixLength = 64;

     

       11
       11
        
               }

     

       12
       12
        
             ];

     

       13
       13
       -
             # sslh is really slow when reverse dns does not work

     

       14
       14
       -
             networking.hosts = {

     

       15
       15
       -
               "fe00:aa:bb:cc::2" = [ "server" ];

     

       16
       16
       -
               "fe00:aa:bb:cc::1" = [ "client" ];

     

       17
       17
       -
             };

     

       18
       13
        
             services.sslh = {

     

       19
       14
        
               enable = true;

     

       20
       20
       -
               transparent = true;

     

       21
       21
       -
               appendConfig = ''

     

       22
       22
       -
                 protocols:

     

       23
       23
       -
                 (

     

       24
       24
       -
                   { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; probe: "builtin"; },

     

       25
       25
       -
                   { name: "http"; host: "localhost"; port: "80"; probe: "builtin"; },

     

       26
       26
       -
                 );

     

       27
       27
       -
               '';

     

       15
       15
       +
               settings.transparent = true;

     

       16
       16
       +
               settings.protocols = [

     

       17
       17
       +
                 { name = "ssh"; service = "ssh"; host = "localhost"; port = "22"; probe = "builtin"; }

     

       18
       18
       +
                 { name = "http"; host = "localhost"; port = "80"; probe = "builtin"; }

     

       19
       19
       +
               ];

     

       28
       20
        
             };

     

       29
       21
        
             services.openssh.enable = true;

     

       30
       22
        
             users.users.root.openssh.authorizedKeys.keyFiles = [ ./initrd-network-ssh/id_ed25519.pub ];

+12 -4

pkgs/servers/sslh/default.nix

···

       1
       1
       -
       { lib, stdenv, fetchFromGitHub, libcap, libconfig, perl, tcp_wrappers, pcre2, nixosTests }:

     

       1
       1
       +
       { lib, stdenv, fetchFromGitHub, fetchpatch, libcap, libev, libconfig, perl, tcp_wrappers, pcre2, nixosTests }:

     

       2
       2
        
       

     

       3
       3
        
       stdenv.mkDerivation rec {

     

       4
       4
        
         pname = "sslh";

     

       5
       5
       -
         version = "1.22c";

     

       5
       5
       +
         version = "2.0.0";

     

       6
       6
        
       

     

       7
       7
        
         src = fetchFromGitHub {

     

       8
       8
        
           owner = "yrutschle";

     

       9
       9
        
           repo = pname;

     

       10
       10
        
           rev = "v${version}";

     

       11
       11
       -
           sha256 = "sha256-A+nUWiOPoz/T5afZUzt5In01e049TgHisTF8P5Vj180=";

     

       11
       11
       +
           hash = "sha256-KfNQWSmAf86AFoInKlNZoiSuSwVLaJVnfo7SjZVY/VU=";

     

       12
       12
        
         };

     

       13
       13
        
       

     

       14
       14
        
         postPatch = "patchShebangs *.sh";

     

       15
       15
        
       

     

       16
       16
       -
         buildInputs = [ libcap libconfig perl tcp_wrappers pcre2 ];

     

       16
       16
       +
         buildInputs = [ libcap libev libconfig perl tcp_wrappers pcre2 ];

     

       17
       17
        
       

     

       18
       18
        
         makeFlags = [ "USELIBCAP=1" "USELIBWRAP=1" ];

     

       19
       19
       +
       

     

       20
       20
       +
         postInstall = ''

     

       21
       21
       +
           # install all flavours

     

       22
       22
       +
           install -p sslh-fork "$out/sbin/sslh-fork"

     

       23
       23
       +
           install -p sslh-select "$out/sbin/sslh-select"

     

       24
       24
       +
           install -p sslh-ev "$out/sbin/sslh-ev"

     

       25
       25
       +
           ln -sf sslh-fork "$out/sbin/sslh"

     

       26
       26
       +
         '';

     

       19
       27
        
       

     

       20
       28
        
         installFlags = [ "PREFIX=$(out)" ];

     

       21
       29