nixos/services.stunnel: remove with lib;
Stunkymonkey committed Nov 23, 2024
1 parent 8fb9605 commit 025588c
Showing 1 changed file with 37 additions and 40 deletions.
77 changes: 37 additions & 40 deletions nixos/modules/services/networking/stunnel.nix
@@ -1,14 +1,11 @@
{ config, lib, pkgs, ... }:

with lib;

let

cfg = config.services.stunnel;
yesNo = val: if val then "yes" else "no";

verifyRequiredField = type: field: n: c: {
assertion = hasAttr field c;
assertion = lib.hasAttr field c;
message = "stunnel: \"${n}\" ${type} configuration - Field ${field} is required.";
};

"is not possible without either verifyChain or verifyPeer enabled";
};

removeNulls = mapAttrs (_: filterAttrs (_: v: v != null));
removeNulls = lib.mapAttrs (_: lib.filterAttrs (_: v: v != null));
mkValueString = v:
if v == true then "yes"
else if v == false then "no"
else generators.mkValueStringDefault {} v;
else lib.generators.mkValueStringDefault {} v;
generateConfig = c:
generators.toINI {
mkSectionName = id;
lib.generators.toINI {
mkSectionName = lib.id;
mkKeyValue = k: v: "${k} = ${mkValueString v}";
} (removeNulls c);


services.stunnel = {

enable = mkOption {
type = types.bool;
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether to enable the stunnel TLS tunneling service.";
};

user = mkOption {
type = with types; nullOr str;
user = lib.mkOption {
type = with lib.types; nullOr str;
default = "nobody";
description = "The user under which stunnel runs.";
};

group = mkOption {
type = with types; nullOr str;
group = lib.mkOption {
type = with lib.types; nullOr str;
default = "nogroup";
description = "The group under which stunnel runs.";
};

logLevel = mkOption {
type = types.enum [ "emerg" "alert" "crit" "err" "warning" "notice" "info" "debug" ];
logLevel = lib.mkOption {
type = lib.types.enum [ "emerg" "alert" "crit" "err" "warning" "notice" "info" "debug" ];
default = "info";
description = "Verbosity of stunnel output.";
};

fipsMode = mkOption {
type = types.bool;
fipsMode = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable FIPS 140-2 mode required for compliance.";
};

enableInsecureSSLv3 = mkOption {
type = types.bool;
enableInsecureSSLv3 = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable support for the insecure SSLv3 protocol.";
};


servers = mkOption {
servers = lib.mkOption {
description = ''
Define the server configurations.
See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`.
'';
type = with types; attrsOf (attrsOf (nullOr (oneOf [bool int str])));
type = with lib.types; attrsOf (attrsOf (nullOr (oneOf [bool int str])));
example = {
fancyWebserver = {
accept = 443;
default = { };
};

clients = mkOption {
clients = lib.mkOption {
description = ''
Define the client configurations.
By default, verifyChain and OCSPaia are enabled and a CAFile is provided from pkgs.cacert.
See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`.
'';
type = with types; attrsOf (attrsOf (nullOr (oneOf [bool int str])));
type = with lib.types; attrsOf (attrsOf (nullOr (oneOf [bool int str])));

apply = let
applyDefaults = c:
verifyHostname = null; # Not a real stunnel configuration setting
};
forceClient = c: c // { client = true; };
in mapAttrs (_: c: forceClient (setCheckHostFromVerifyHostname (applyDefaults c)));
in lib.mapAttrs (_: c: forceClient (setCheckHostFromVerifyHostname (applyDefaults c)));

example = {
foobar = {

###### implementation

config = mkIf cfg.enable {
config = lib.mkIf cfg.enable {

assertions = concatLists [
(singleton {
assertion = (length (attrValues cfg.servers) != 0) || ((length (attrValues cfg.clients)) != 0);
assertions = lib.concatLists [
(lib.singleton {
assertion = (lib.length (lib.attrValues cfg.servers) != 0) || ((lib.length (lib.attrValues cfg.clients)) != 0);
message = "stunnel: At least one server- or client-configuration has to be present.";
})

(mapAttrsToList verifyChainPathAssert cfg.clients)
(mapAttrsToList (verifyRequiredField "client" "accept") cfg.clients)
(mapAttrsToList (verifyRequiredField "client" "connect") cfg.clients)
(mapAttrsToList (verifyRequiredField "server" "accept") cfg.servers)
(mapAttrsToList (verifyRequiredField "server" "cert") cfg.servers)
(mapAttrsToList (verifyRequiredField "server" "connect") cfg.servers)
(lib.mapAttrsToList verifyChainPathAssert cfg.clients)
(lib.mapAttrsToList (verifyRequiredField "client" "accept") cfg.clients)
(lib.mapAttrsToList (verifyRequiredField "client" "connect") cfg.clients)
(lib.mapAttrsToList (verifyRequiredField "server" "accept") cfg.servers)
(lib.mapAttrsToList (verifyRequiredField "server" "cert") cfg.servers)
(lib.mapAttrsToList (verifyRequiredField "server" "connect") cfg.servers)
];

environment.systemPackages = [ pkgs.stunnel ];

environment.etc."stunnel.cfg".text = ''
${ optionalString (cfg.user != null) "setuid = ${cfg.user}" }
${ optionalString (cfg.group != null) "setgid = ${cfg.group}" }
${ lib.optionalString (cfg.user != null) "setuid = ${cfg.user}" }
${ lib.optionalString (cfg.group != null) "setgid = ${cfg.group}" }
debug = ${cfg.logLevel}
${ optionalString cfg.fipsMode "fips = yes" }
${ optionalString cfg.enableInsecureSSLv3 "options = -NO_SSLv3" }
${ lib.optionalString cfg.fipsMode "fips = yes" }
${ lib.optionalString cfg.enableInsecureSSLv3 "options = -NO_SSLv3" }
; ----- SERVER CONFIGURATIONS -----
${ generateConfig cfg.servers }
};
};

meta.maintainers = with maintainers; [
meta.maintainers = with lib.maintainers; [
# Server side
lschuermann
# Client side
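Review bot: The top-level `with lib;` is gone, but the narrower `with lib.types;` scopes on the `user`, `group`, `servers` and `clients` option types (and `with lib.maintainers;` in meta) are kept, so those lines still depend on implicit attribute resolution. If the goal is fully explicit references, each is a one-line change such as `type = lib.types.nullOr lib.types.str;` and `type = with lib.types; attrsOf (attrsOf (nullOr (oneOf [bool int str])));` becoming `type = lib.types.attrsOf (lib.types.attrsOf (lib.types.nullOr (lib.types.oneOf [ lib.types.bool lib.types.int lib.types.str ])));`. This may be deliberate, since a `with` confined to one option declaration is a much smaller scope than a file-wide one, so treat it as a consistency question rather than a defect. The option declarations and the `config` block both continue into the collapsed parts of this file section, which were not reviewed.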
