10
-
services.spiped = mkOption {
11
-
type = types.attrsOf (types.submodule (
14
-
encrypt = mkOption {
18
-
Take unencrypted connections from the
19
-
<literal>source</literal> socket and send encrypted
20
-
connections to the <literal>target</literal> socket.
14
+
description = "Enable the spiped service module.";
24
-
decrypt = mkOption {
28
-
Take encrypted connections from the
29
-
<literal>source</literal> socket and send unencrypted
30
-
connections to the <literal>target</literal> socket.
18
+
type = types.attrsOf (types.submodule (
21
+
encrypt = mkOption {
25
+
Take unencrypted connections from the
26
+
<literal>source</literal> socket and send encrypted
27
+
connections to the <literal>target</literal> socket.
37
-
Address on which spiped should listen for incoming
38
-
connections. Must be in one of the following formats:
39
-
<literal>/absolute/path/to/unix/socket</literal>,
40
-
<literal>host.name:port</literal>,
41
-
<literal>[ip.v4.ad.dr]:port</literal> or
42
-
<literal>[ipv6::addr]:port</literal> - note that
43
-
hostnames are resolved when spiped is launched and are
44
-
not re-resolved later; thus if DNS entries change
45
-
spiped will continue to connect to the expired
31
+
decrypt = mkOption {
35
+
Take encrypted connections from the
36
+
<literal>source</literal> socket and send unencrypted
37
+
connections to the <literal>target</literal> socket.
52
-
description = "Address to which spiped should connect.";
44
+
Address on which spiped should listen for incoming
45
+
connections. Must be in one of the following formats:
46
+
<literal>/absolute/path/to/unix/socket</literal>,
47
+
<literal>host.name:port</literal>,
48
+
<literal>[ip.v4.ad.dr]:port</literal> or
49
+
<literal>[ipv6::addr]:port</literal> - note that
50
+
hostnames are resolved when spiped is launched and are
51
+
not re-resolved later; thus if DNS entries change
52
+
spiped will continue to connect to the expired
55
-
keyfile = mkOption {
58
-
Name of a file containing the spiped key. As the
59
-
daemon runs as the <literal>spiped</literal> user, the
60
-
key file must be somewhere owned by that user. By
61
-
default, we recommend putting the keys for any spipe
62
-
services in <literal>/var/lib/spiped</literal>.
59
+
description = "Address to which spiped should connect.";
66
-
timeout = mkOption {
70
-
Timeout, in seconds, after which an attempt to connect to
71
-
the target or a protocol handshake will be aborted (and the
72
-
connection dropped) if not completed
62
+
keyfile = mkOption {
65
+
Name of a file containing the spiped key. As the
66
+
daemon runs as the <literal>spiped</literal> user, the
67
+
key file must be somewhere owned by that user. By
68
+
default, we recommend putting the keys for any spipe
69
+
services in <literal>/var/lib/spiped</literal>.
76
-
maxConns = mkOption {
80
-
Limit on the number of simultaneous connections allowed.
73
+
timeout = mkOption {
77
+
Timeout, in seconds, after which an attempt to connect to
78
+
the target or a protocol handshake will be aborted (and the
79
+
connection dropped) if not completed
84
-
waitForDNS = mkOption {
88
-
Wait for DNS. Normally when <literal>spiped</literal> is
89
-
launched it resolves addresses and binds to its source
90
-
socket before the parent process returns; with this option
91
-
it will daemonize first and retry failed DNS lookups until
92
-
they succeed. This allows <literal>spiped</literal> to
93
-
launch even if DNS isn't set up yet, but at the expense of
94
-
losing the guarantee that once <literal>spiped</literal> has
95
-
finished launching it will be ready to create pipes.
83
+
maxConns = mkOption {
87
+
Limit on the number of simultaneous connections allowed.
99
-
disableKeepalives = mkOption {
102
-
description = "Disable transport layer keep-alives.";
91
+
waitForDNS = mkOption {
95
+
Wait for DNS. Normally when <literal>spiped</literal> is
96
+
launched it resolves addresses and binds to its source
97
+
socket before the parent process returns; with this option
98
+
it will daemonize first and retry failed DNS lookups until
99
+
they succeed. This allows <literal>spiped</literal> to
100
+
launch even if DNS isn't set up yet, but at the expense of
101
+
losing the guarantee that once <literal>spiped</literal> has
102
+
finished launching it will be ready to create pipes.
105
-
weakHandshake = mkOption {
109
-
Use fast/weak handshaking: This reduces the CPU time spent
110
-
in the initial connection setup, at the expense of losing
111
-
perfect forward secrecy.
106
+
disableKeepalives = mkOption {
109
+
description = "Disable transport layer keep-alives.";
115
-
resolveRefresh = mkOption {
119
-
Resolution refresh time for the target socket, in seconds.
112
+
weakHandshake = mkOption {
116
+
Use fast/weak handshaking: This reduces the CPU time spent
117
+
in the initial connection setup, at the expense of losing
118
+
perfect forward secrecy.
123
-
disableReresolution = mkOption {
126
-
description = "Disable target address re-resolution.";
122
+
resolveRefresh = mkOption {
126
+
Resolution refresh time for the target socket, in seconds.
130
+
disableReresolution = mkOption {
133
+
description = "Disable target address re-resolution.";
134
-
example = literalExample ''
137
-
{ keyfile = "/var/lib/spiped/pipe1.key";
139
-
source = "localhost:6000";
140
-
target = "endpoint.example.com:7000";
143
-
{ keyfile = "/var/lib/spiped/pipe2.key";
145
-
source = "0.0.0.0:7000";
146
-
target = "localhost:3000";
141
+
example = literalExample ''
144
+
{ keyfile = "/var/lib/spiped/pipe1.key";
146
+
source = "localhost:6000";
147
+
target = "endpoint.example.com:7000";
150
+
{ keyfile = "/var/lib/spiped/pipe2.key";
152
+
source = "0.0.0.0:7000";
153
+
target = "localhost:3000";
152
-
Configuration for a secure pipe daemon. The daemon can be
153
-
started, stopped, or examined using
154
-
<literal>systemctl</literal>, under the name
155
-
<literal>spiped@foo</literal>.
159
+
Configuration for a secure pipe daemon. The daemon can be
160
+
started, stopped, or examined using
161
+
<literal>systemctl</literal>, under the name
162
+
<literal>spiped@foo</literal>.
168
+
config = mkIf cfg.enable {
assertions = mapAttrsToList (name: c: {
assertion = (c.encrypt -> !c.decrypt) || (c.decrypt -> c.encrypt);
message = "A pipe must either encrypt or decrypt";
users.extraGroups.spiped.gid = config.ids.gids.spiped;
users.extraUsers.spiped = {
script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`";
192
-
system.activationScripts.spiped = optionalString (cfg != {})
200
+
system.activationScripts.spiped = optionalString (cfg.config != {})
"mkdir -p /var/lib/spiped";
# Setup spiped config files
(if cfg.disableReresolution then "-R"
else "-r ${toString cfg.resolveRefresh}")