nixos/services.stunnel: remove with lib;

This commit is contained in:
Felix Buehler 2024-08-30 00:47:10 +02:00
parent 93d6b8180e
commit 07894f4f30


@ -1,14 +1,11 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.stunnel;
yesNo = val: if val then "yes" else "no";
verifyRequiredField = type: field: n: c: {
assertion = hasAttr field c;
assertion = lib.hasAttr field c;
message = "stunnel: \"${n}\" ${type} configuration - Field ${field} is required.";
};
@ -18,14 +15,14 @@ let
"is not possible without either verifyChain or verifyPeer enabled";
};
removeNulls = mapAttrs (_: filterAttrs (_: v: v != null));
removeNulls = lib.mapAttrs (_: lib.filterAttrs (_: v: v != null));
mkValueString = v:
if v == true then "yes"
else if v == false then "no"
else generators.mkValueStringDefault {} v;
else lib.generators.mkValueStringDefault {} v;
generateConfig = c:
generators.toINI {
mkSectionName = id;
lib.generators.toINI {
mkSectionName = lib.id;
mkKeyValue = k: v: "${k} = ${mkValueString v}";
} (removeNulls c);
@ -39,50 +36,50 @@ in
services.stunnel = {
enable = mkOption {
type = types.bool;
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether to enable the stunnel TLS tunneling service.";
};
user = mkOption {
type = with types; nullOr str;
user = lib.mkOption {
type = with lib.types; nullOr str;
default = "nobody";
description = "The user under which stunnel runs.";
};
group = mkOption {
type = with types; nullOr str;
group = lib.mkOption {
type = with lib.types; nullOr str;
default = "nogroup";
description = "The group under which stunnel runs.";
};
logLevel = mkOption {
type = types.enum [ "emerg" "alert" "crit" "err" "warning" "notice" "info" "debug" ];
logLevel = lib.mkOption {
type = lib.types.enum [ "emerg" "alert" "crit" "err" "warning" "notice" "info" "debug" ];
default = "info";
description = "Verbosity of stunnel output.";
};
fipsMode = mkOption {
type = types.bool;
fipsMode = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable FIPS 140-2 mode required for compliance.";
};
enableInsecureSSLv3 = mkOption {
type = types.bool;
enableInsecureSSLv3 = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable support for the insecure SSLv3 protocol.";
};
servers = mkOption {
servers = lib.mkOption {
description = ''
Define the server configurations.
See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`.
'';
type = with types; attrsOf (attrsOf (nullOr (oneOf [bool int str])));
type = with lib.types; attrsOf (attrsOf (nullOr (oneOf [bool int str])));
example = {
fancyWebserver = {
accept = 443;
@ -93,7 +90,7 @@ in
default = { };
};
clients = mkOption {
clients = lib.mkOption {
description = ''
Define the client configurations.
@ -101,7 +98,7 @@ in
See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`.
'';
type = with types; attrsOf (attrsOf (nullOr (oneOf [bool int str])));
type = with lib.types; attrsOf (attrsOf (nullOr (oneOf [bool int str])));
apply = let
applyDefaults = c:
@ -118,7 +115,7 @@ in
verifyHostname = null; # Not a real stunnel configuration setting
};
forceClient = c: c // { client = true; };
in mapAttrs (_: c: forceClient (setCheckHostFromVerifyHostname (applyDefaults c)));
in lib.mapAttrs (_: c: forceClient (setCheckHostFromVerifyHostname (applyDefaults c)));
example = {
foobar = {
@ -135,32 +132,32 @@ in
###### implementation
config = mkIf cfg.enable {
config = lib.mkIf cfg.enable {
assertions = concatLists [
(singleton {
assertion = (length (attrValues cfg.servers) != 0) || ((length (attrValues cfg.clients)) != 0);
assertions = lib.concatLists [
(lib.singleton {
assertion = (lib.length (lib.attrValues cfg.servers) != 0) || ((lib.length (lib.attrValues cfg.clients)) != 0);
message = "stunnel: At least one server- or client-configuration has to be present.";
})
(mapAttrsToList verifyChainPathAssert cfg.clients)
(mapAttrsToList (verifyRequiredField "client" "accept") cfg.clients)
(mapAttrsToList (verifyRequiredField "client" "connect") cfg.clients)
(mapAttrsToList (verifyRequiredField "server" "accept") cfg.servers)
(mapAttrsToList (verifyRequiredField "server" "cert") cfg.servers)
(mapAttrsToList (verifyRequiredField "server" "connect") cfg.servers)
(lib.mapAttrsToList verifyChainPathAssert cfg.clients)
(lib.mapAttrsToList (verifyRequiredField "client" "accept") cfg.clients)
(lib.mapAttrsToList (verifyRequiredField "client" "connect") cfg.clients)
(lib.mapAttrsToList (verifyRequiredField "server" "accept") cfg.servers)
(lib.mapAttrsToList (verifyRequiredField "server" "cert") cfg.servers)
(lib.mapAttrsToList (verifyRequiredField "server" "connect") cfg.servers)
];
environment.systemPackages = [ pkgs.stunnel ];
environment.etc."stunnel.cfg".text = ''
${ optionalString (cfg.user != null) "setuid = ${cfg.user}" }
${ optionalString (cfg.group != null) "setgid = ${cfg.group}" }
${ lib.optionalString (cfg.user != null) "setuid = ${cfg.user}" }
${ lib.optionalString (cfg.group != null) "setgid = ${cfg.group}" }
debug = ${cfg.logLevel}
${ optionalString cfg.fipsMode "fips = yes" }
${ optionalString cfg.enableInsecureSSLv3 "options = -NO_SSLv3" }
${ lib.optionalString cfg.fipsMode "fips = yes" }
${ lib.optionalString cfg.enableInsecureSSLv3 "options = -NO_SSLv3" }
; ----- SERVER CONFIGURATIONS -----
${ generateConfig cfg.servers }
@ -181,7 +178,7 @@ in
};
};
meta.maintainers = with maintainers; [
meta.maintainers = with lib.maintainers; [
# Server side
lschuermann
# Client side
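Review bot: The `with` scoping the commit sets out to remove is only partly gone: the `user`, `group`, `servers` and `clients` options are rewritten as `type = with lib.types; nullOr str;` and `type = with lib.types; attrsOf (attrsOf (nullOr (oneOf [bool int str])));`, and the maintainers list becomes `meta.maintainers = with lib.maintainers; [`, so unqualified names still resolve through a `with` and the same lint that motivated this change will flag these lines again. Spelling them out is a mechanical follow-up, e.g. `type = lib.types.nullOr lib.types.str;` for `user`/`group` and `type = with lib.types; ...` replaced by `lib.types.attrsOf (lib.types.attrsOf (lib.types.nullOr (lib.types.oneOf [ lib.types.bool lib.types.int lib.types.str ])));` for `servers`/`clients`, with the maintainer names qualified the same way. The hunks between `@ -1,14` and `@ -181,7` appear to have their blank lines dropped by the rendering, so the header line counts do not match the visible lines; this note assumes no further changed lines were hidden by that.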