diff --git a/nixos/modules/services/networking/stunnel.nix b/nixos/modules/services/networking/stunnel.nix
index 9f9068c8e077..da308dde8b26 100644
--- a/nixos/modules/services/networking/stunnel.nix
+++ b/nixos/modules/services/networking/stunnel.nix
@@ -1,14 +1,11 @@
 { config, lib, pkgs, ... }:
-
-with lib;
-
 let
   cfg = config.services.stunnel;
   yesNo = val: if val then "yes" else "no";
   verifyRequiredField = type: field: n: c: {
-    assertion = hasAttr field c;
+    assertion = lib.hasAttr field c;
     message = "stunnel: \"${n}\" ${type} configuration - Field ${field} is required.";
   };
@@ -18,14 +15,14 @@ let
       "is not possible without either verifyChain or verifyPeer enabled";
   };
-  removeNulls = mapAttrs (_: filterAttrs (_: v: v != null));
+  removeNulls = lib.mapAttrs (_: lib.filterAttrs (_: v: v != null));
   mkValueString = v: if v == true then "yes" else if v == false then "no"
-    else generators.mkValueStringDefault {} v;
+    else lib.generators.mkValueStringDefault {} v;
   generateConfig = c:
-    generators.toINI {
-      mkSectionName = id;
+    lib.generators.toINI {
+      mkSectionName = lib.id;
       mkKeyValue = k: v: "${k} = ${mkValueString v}";
     } (removeNulls c);
@@ -39,50 +36,50 @@ in
     services.stunnel = {
-      enable = mkOption {
-        type = types.bool;
+      enable = lib.mkOption {
+        type = lib.types.bool;
         default = false;
         description = "Whether to enable the stunnel TLS tunneling service.";
       };
-      user = mkOption {
-        type = with types; nullOr str;
+      user = lib.mkOption {
+        type = with lib.types; nullOr str;
         default = "nobody";
         description = "The user under which stunnel runs.";
       };
-      group = mkOption {
-        type = with types; nullOr str;
+      group = lib.mkOption {
+        type = with lib.types; nullOr str;
         default = "nogroup";
         description = "The group under which stunnel runs.";
       };
-      logLevel = mkOption {
-        type = types.enum [ "emerg" "alert" "crit" "err" "warning" "notice" "info" "debug" ];
+      logLevel = lib.mkOption {
+        type = lib.types.enum [ "emerg" "alert" "crit" "err" "warning" "notice" "info" "debug" ];
         default = "info";
         description = "Verbosity of stunnel output.";
       };
-      fipsMode = mkOption {
-        type = types.bool;
+      fipsMode = lib.mkOption {
+        type = lib.types.bool;
         default = false;
         description = "Enable FIPS 140-2 mode required for compliance.";
       };
-      enableInsecureSSLv3 = mkOption {
-        type = types.bool;
+      enableInsecureSSLv3 = lib.mkOption {
+        type = lib.types.bool;
         default = false;
         description = "Enable support for the insecure SSLv3 protocol.";
       };
-      servers = mkOption {
+      servers = lib.mkOption {
         description = ''
           Define the server configurations.
           See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`.
         '';
-        type = with types; attrsOf (attrsOf (nullOr (oneOf [bool int str])));
+        type = with lib.types; attrsOf (attrsOf (nullOr (oneOf [bool int str])));
         example = {
           fancyWebserver = {
             accept = 443;
@@ -93,7 +90,7 @@ in
         default = { };
       };
-      clients = mkOption {
+      clients = lib.mkOption {
         description = ''
           Define the client configurations.
@@ -101,7 +98,7 @@ in
           See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`.
         '';
-        type = with types; attrsOf (attrsOf (nullOr (oneOf [bool int str])));
+        type = with lib.types; attrsOf (attrsOf (nullOr (oneOf [bool int str])));
         apply = let
           applyDefaults = c:
@@ -118,7 +115,7 @@ in
             verifyHostname = null; # Not a real stunnel configuration setting
           };
           forceClient = c: c // { client = true; };
-        in mapAttrs (_: c: forceClient (setCheckHostFromVerifyHostname (applyDefaults c)));
+        in lib.mapAttrs (_: c: forceClient (setCheckHostFromVerifyHostname (applyDefaults c)));
         example = {
           foobar = {
@@ -135,32 +132,32 @@ in
   ###### implementation
-  config = mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
-    assertions = concatLists [
-      (singleton {
-        assertion = (length (attrValues cfg.servers) != 0) || ((length (attrValues cfg.clients)) != 0);
+    assertions = lib.concatLists [
+      (lib.singleton {
+        assertion = (lib.length (lib.attrValues cfg.servers) != 0) || ((lib.length (lib.attrValues cfg.clients)) != 0);
         message = "stunnel: At least one server- or client-configuration has to be present.";
       })
-      (mapAttrsToList verifyChainPathAssert cfg.clients)
-      (mapAttrsToList (verifyRequiredField "client" "accept") cfg.clients)
-      (mapAttrsToList (verifyRequiredField "client" "connect") cfg.clients)
-      (mapAttrsToList (verifyRequiredField "server" "accept") cfg.servers)
-      (mapAttrsToList (verifyRequiredField "server" "cert") cfg.servers)
-      (mapAttrsToList (verifyRequiredField "server" "connect") cfg.servers)
+      (lib.mapAttrsToList verifyChainPathAssert cfg.clients)
+      (lib.mapAttrsToList (verifyRequiredField "client" "accept") cfg.clients)
+      (lib.mapAttrsToList (verifyRequiredField "client" "connect") cfg.clients)
+      (lib.mapAttrsToList (verifyRequiredField "server" "accept") cfg.servers)
+      (lib.mapAttrsToList (verifyRequiredField "server" "cert") cfg.servers)
+      (lib.mapAttrsToList (verifyRequiredField "server" "connect") cfg.servers)
     ];
     environment.systemPackages = [ pkgs.stunnel ];
     environment.etc."stunnel.cfg".text = ''
-      ${ optionalString (cfg.user != null) "setuid = ${cfg.user}" }
-      ${ optionalString (cfg.group != null) "setgid = ${cfg.group}" }
+      ${ lib.optionalString (cfg.user != null) "setuid = ${cfg.user}" }
+      ${ lib.optionalString (cfg.group != null) "setgid = ${cfg.group}" }
       debug = ${cfg.logLevel}
-      ${ optionalString cfg.fipsMode "fips = yes" }
-      ${ optionalString cfg.enableInsecureSSLv3 "options = -NO_SSLv3" }
+      ${ lib.optionalString cfg.fipsMode "fips = yes" }
+      ${ lib.optionalString cfg.enableInsecureSSLv3 "options = -NO_SSLv3" }
       ; ----- SERVER CONFIGURATIONS -----
       ${ generateConfig cfg.servers }
@@ -181,7 +178,7 @@ in
     };
   };
-  meta.maintainers = with maintainers; [
+  meta.maintainers = with lib.maintainers; [
     # Server side
     lschuermann
     # Client side
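Review bot: The rewritten `user`, `group`, `servers` and `clients` option types still lean on a `with` (`type = with lib.types; nullOr str;`), which keeps the implicit scoping that removing the file-level `with lib;` was presumably meant to get rid of; `type = lib.types.nullOr lib.types.str;` would make these lines consistent with the fully qualified `lib.types.bool` and `lib.types.enum` used a few lines above. The same applies to the `clients` type in the next hunk. The `services.stunnel` option set continues past the end of this hunk.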
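Review bot: The rewritten assertion `assertion = (lib.length (lib.attrValues cfg.servers) != 0) || ((lib.length (lib.attrValues cfg.clients)) != 0);` is more indirect than it needs to be now that every call is spelled out; since both options are declared as `attrsOf`, `assertion = cfg.servers != { } || cfg.clients != { };` states the same condition without the length/attrValues round trip and reads as the emptiness check it is. The `lib.optionalString` lines in the `environment.etc."stunnel.cfg".text` block are a straight prefix change and look correct. The `config = lib.mkIf cfg.enable {` block this hunk belongs to continues beyond the hunk.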