dotfiles/hosts/soryu/gnunet-module.nix

{config, lib, pkgs, ...}:
let
  cfg = config.services.gnunet;
  format = pkgs.formats.ini { };

  configFile = format.generate "gnunet-config.conf" cfg.settings;
in
{
  options = {
    services.gnunet = {
      enable = lib.mkEnableOption "GNUnet daemon";
      package = lib.mkPackageOption pkgs "gnunet" { };
      settings = lib.mkOption {
        type = lib.types.submodule {
          freeformType = format.type;
          options = {
            transport-udp.PORT = lib.mkOption {
              default = 2086;
              type = lib.types.port;
              description = "The UDP port for use by GNUnet.";
            };
          };
        };
      };
    };
  };

  config = lib.mkIf cfg.enable {
    users.users.gnunet = {
      group = "gnunet";
      description = "GNUnet User";
      uid = config.ids.uids.gnunet;
    };
    users.groups.gnunet.gid = config.ids.gids.gnunet;
    users.groups.gnunetdns.gid = config.ids.gids.gnunetdns;

    # TODO: Avoid putting these in $PATH
    security.wrappers = let
      mkGnunetSuid = source: {
        setuid = true;
        owner = "root";
        group = "gnunet";
        permissions = "o+rx,o-w,g+rx,g-w,o-rwx";
        inherit source;
      };
      helpers = b: "${cfg.package}/lib/gnunet/libexec/${b}";
    in {
      gnunet-helper-vpn = mkGnunetSuid (helpers "gnunet-helper-vpn");
      # These don't exist
      #gnunet-helper-transport-wlan = mkGnunetSuid (helpers "gnunet-helper-transport-wlan");
      #gnunet-helper-transport-bluetooth = mkGnunetSuid (helpers "gnunet-helper-transport-bluetooth");
      gnunet-helper-exit = mkGnunetSuid (helpers "gnunet-helper-exit");
      gnunet-helper-nat-server = mkGnunetSuid (helpers "gnunet-helper-nat-server");
      gnunet-helper-nat-client = mkGnunetSuid (helpers "gnunet-helper-nat-client");
      # > The binary should then be owned by root and be in group "gnunetdns"
      # > and be installed SUID and only be group-executable (2750).
      # But logically it should be 4750
      gnunet-helper-dns = {
        setuid = true;
        owner = "root";
        group = "gnunetdns";
        permissions = "o+rx,o-w,g+rx,g-w,o-rwx";
        source = (helpers "gnunet-helper-dns");
      };
      gnunet-service-dns = {
        setgid = true;
        owner = "root";
        group = "gnunetdns";
        permissions = "o+rx,o-w,g-rwx,o-rwx";
        source = (helpers "gnunet-service-dns");
      };
    };

    services.gnunet.settings = {
      arm = {
        START_SYSTEM_SERVICES = lib.mkDefault "YES";
        START_USER_SERVICES = lib.mkDefault "NO";
      };
      dns = {
        BINARY = lib.mkDefault "/run/wrappers/bin/gnunet-service-dns";
      };
      PATHS = {
        SUID_BINARY_PATH = lib.mkDefault "/run/wrappers/bin";
        GNUNET_HOME = lib.mkDefault "/var/lib/gnunet";
        GNUNET_RUNTIME_DIR = lib.mkDefault "/run/gnunet";
        GNUNET_USER_RUNTIME_DIR = lib.mkDefault "/run/gnunet";
        GNUNET_DATA_HOME = lib.mkDefault "/var/lib/gnunet/data";
      };
    };

    systemd.services.gnunet = {
      description = "GNUnet system deamon";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      path = [ cfg.package pkgs.miniupnpc ];
      serviceConfig = {
        ExecStart = "${cfg.package}/lib/gnunet/libexec/gnunet-service-arm -c ${configFile}";
        User = "gnunet";
        Group = "gnunet";
        StateDirectory = "gnunet";
        StateDirectoryMode = "0700";
        WorkingDirectory = "/var/lib/gnunet";
        RuntimeDirectory = "gnunet";
      };
    };

    environment.systemPackages = [ cfg.package ];
  };
}
publish soryu config 2024-08-17 03:58:06 +02:00			`{config, lib, pkgs, ...}:`
			`let`
			`cfg = config.services.gnunet;`
			`format = pkgs.formats.ini { };`

			`configFile = format.generate "gnunet-config.conf" cfg.settings;`
			`in`
			`{`
			`options = {`
			`services.gnunet = {`
			`enable = lib.mkEnableOption "GNUnet daemon";`
			`package = lib.mkPackageOption pkgs "gnunet" { };`
			`settings = lib.mkOption {`
			`type = lib.types.submodule {`
			`freeformType = format.type;`
			`options = {`
			`transport-udp.PORT = lib.mkOption {`
			`default = 2086;`
			`type = lib.types.port;`
			`description = "The UDP port for use by GNUnet.";`
			`};`
			`};`
			`};`
			`};`
			`};`
			`};`

			`config = lib.mkIf cfg.enable {`
			`users.users.gnunet = {`
			`group = "gnunet";`
			`description = "GNUnet User";`
			`uid = config.ids.uids.gnunet;`
			`};`
			`users.groups.gnunet.gid = config.ids.gids.gnunet;`
			`users.groups.gnunetdns.gid = config.ids.gids.gnunetdns;`

			`# TODO: Avoid putting these in $PATH`
			`security.wrappers = let`
			`mkGnunetSuid = source: {`
			`setuid = true;`
			`owner = "root";`
			`group = "gnunet";`
			`permissions = "o+rx,o-w,g+rx,g-w,o-rwx";`
			`inherit source;`
			`};`
			`helpers = b: "${cfg.package}/lib/gnunet/libexec/${b}";`
			`in {`
			`gnunet-helper-vpn = mkGnunetSuid (helpers "gnunet-helper-vpn");`
			`# These don't exist`
			`#gnunet-helper-transport-wlan = mkGnunetSuid (helpers "gnunet-helper-transport-wlan");`
			`#gnunet-helper-transport-bluetooth = mkGnunetSuid (helpers "gnunet-helper-transport-bluetooth");`
			`gnunet-helper-exit = mkGnunetSuid (helpers "gnunet-helper-exit");`
			`gnunet-helper-nat-server = mkGnunetSuid (helpers "gnunet-helper-nat-server");`
			`gnunet-helper-nat-client = mkGnunetSuid (helpers "gnunet-helper-nat-client");`
			`# > The binary should then be owned by root and be in group "gnunetdns"`
			`# > and be installed SUID and only be group-executable (2750).`
			`# But logically it should be 4750`
			`gnunet-helper-dns = {`
			`setuid = true;`
			`owner = "root";`
			`group = "gnunetdns";`
			`permissions = "o+rx,o-w,g+rx,g-w,o-rwx";`
			`source = (helpers "gnunet-helper-dns");`
			`};`
			`gnunet-service-dns = {`
			`setgid = true;`
			`owner = "root";`
			`group = "gnunetdns";`
			`permissions = "o+rx,o-w,g-rwx,o-rwx";`
			`source = (helpers "gnunet-service-dns");`
			`};`
			`};`

			`services.gnunet.settings = {`
			`arm = {`
			`START_SYSTEM_SERVICES = lib.mkDefault "YES";`
			`START_USER_SERVICES = lib.mkDefault "NO";`
			`};`
			`dns = {`
			`BINARY = lib.mkDefault "/run/wrappers/bin/gnunet-service-dns";`
			`};`
			`PATHS = {`
			`SUID_BINARY_PATH = lib.mkDefault "/run/wrappers/bin";`
			`GNUNET_HOME = lib.mkDefault "/var/lib/gnunet";`
			`GNUNET_RUNTIME_DIR = lib.mkDefault "/run/gnunet";`
			`GNUNET_USER_RUNTIME_DIR = lib.mkDefault "/run/gnunet";`
			`GNUNET_DATA_HOME = lib.mkDefault "/var/lib/gnunet/data";`
			`};`
			`};`

			`systemd.services.gnunet = {`
			`description = "GNUnet system deamon";`
			`after = [ "network.target" ];`
			`wantedBy = [ "multi-user.target" ];`
			`path = [ cfg.package pkgs.miniupnpc ];`
			`serviceConfig = {`
			`ExecStart = "${cfg.package}/lib/gnunet/libexec/gnunet-service-arm -c ${configFile}";`
			`User = "gnunet";`
			`Group = "gnunet";`
			`StateDirectory = "gnunet";`
			`StateDirectoryMode = "0700";`
			`WorkingDirectory = "/var/lib/gnunet";`
			`RuntimeDirectory = "gnunet";`
			`};`
			`};`

			`environment.systemPackages = [ cfg.package ];`
			`};`
			`}`