dotfiles/hosts/soryu/gnunet-module.nix

110 lines
3.5 KiB
Nix
Raw Normal View History

2024-08-17 03:58:06 +02:00
{config, lib, pkgs, ...}:
let
cfg = config.services.gnunet;
format = pkgs.formats.ini { };
configFile = format.generate "gnunet-config.conf" cfg.settings;
in
{
options = {
services.gnunet = {
enable = lib.mkEnableOption "GNUnet daemon";
package = lib.mkPackageOption pkgs "gnunet" { };
settings = lib.mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
transport-udp.PORT = lib.mkOption {
default = 2086;
type = lib.types.port;
description = "The UDP port for use by GNUnet.";
};
};
};
};
};
};
config = lib.mkIf cfg.enable {
users.users.gnunet = {
group = "gnunet";
description = "GNUnet User";
uid = config.ids.uids.gnunet;
};
users.groups.gnunet.gid = config.ids.gids.gnunet;
users.groups.gnunetdns.gid = config.ids.gids.gnunetdns;
# TODO: Avoid putting these in $PATH
security.wrappers = let
mkGnunetSuid = source: {
setuid = true;
owner = "root";
group = "gnunet";
permissions = "o+rx,o-w,g+rx,g-w,o-rwx";
inherit source;
};
helpers = b: "${cfg.package}/lib/gnunet/libexec/${b}";
in {
gnunet-helper-vpn = mkGnunetSuid (helpers "gnunet-helper-vpn");
# These don't exist
#gnunet-helper-transport-wlan = mkGnunetSuid (helpers "gnunet-helper-transport-wlan");
#gnunet-helper-transport-bluetooth = mkGnunetSuid (helpers "gnunet-helper-transport-bluetooth");
gnunet-helper-exit = mkGnunetSuid (helpers "gnunet-helper-exit");
gnunet-helper-nat-server = mkGnunetSuid (helpers "gnunet-helper-nat-server");
gnunet-helper-nat-client = mkGnunetSuid (helpers "gnunet-helper-nat-client");
# > The binary should then be owned by root and be in group "gnunetdns"
# > and be installed SUID and only be group-executable (2750).
# But logically it should be 4750
gnunet-helper-dns = {
setuid = true;
owner = "root";
group = "gnunetdns";
permissions = "o+rx,o-w,g+rx,g-w,o-rwx";
source = (helpers "gnunet-helper-dns");
};
gnunet-service-dns = {
setgid = true;
owner = "root";
group = "gnunetdns";
permissions = "o+rx,o-w,g-rwx,o-rwx";
source = (helpers "gnunet-service-dns");
};
};
services.gnunet.settings = {
arm = {
START_SYSTEM_SERVICES = lib.mkDefault "YES";
START_USER_SERVICES = lib.mkDefault "NO";
};
dns = {
BINARY = lib.mkDefault "/run/wrappers/bin/gnunet-service-dns";
};
PATHS = {
SUID_BINARY_PATH = lib.mkDefault "/run/wrappers/bin";
GNUNET_HOME = lib.mkDefault "/var/lib/gnunet";
GNUNET_RUNTIME_DIR = lib.mkDefault "/run/gnunet";
GNUNET_USER_RUNTIME_DIR = lib.mkDefault "/run/gnunet";
GNUNET_DATA_HOME = lib.mkDefault "/var/lib/gnunet/data";
};
};
systemd.services.gnunet = {
description = "GNUnet system deamon";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ cfg.package pkgs.miniupnpc ];
serviceConfig = {
ExecStart = "${cfg.package}/lib/gnunet/libexec/gnunet-service-arm -c ${configFile}";
User = "gnunet";
Group = "gnunet";
StateDirectory = "gnunet";
StateDirectoryMode = "0700";
WorkingDirectory = "/var/lib/gnunet";
RuntimeDirectory = "gnunet";
};
};
environment.systemPackages = [ cfg.package ];
};
}