nixos/stunnel: add module #33151
Conversation
I don't know if there is a canonical setting for this path, but at least until something better comes along you can use "/etc/ssl/certs/ca-bundle.crt". This is where NixOS places all configured certificates.
It matters if other services depend on this service, and you want to have correct dependency ordering. Some services fork after they are properly configured and ready to serve clients (at least that's the systemd model). systemd itself doesn't care. Look for "Type=" in "man systemd.service" to read more about the various service start-up types.
};

CAPath = mkOption {
  type = types.string;
types.path
environment.etc."stunnel.cfg".text = ''
  ${ if cfg.user != null then "setuid = ${ cfg.user }" else "" }
  ${ if cfg.group != null then "setgid = ${ cfg.group }" else "" }
${optionalString (cfg.user != null) "setuid = ${ cfg.user }"}
6f07b8d to 8a0cc0b
The module has now gotten a lot of improvements and bug fixes, also the client-configuration should work completely. I have to admit that I didn't manage to get the stunnel client-mode to work with certificate validation, although I'm generating the correct configuration. The issue might have to do with SNI and I have to do some more experimenting to get it to work. I guess this is a problem with stunnel itself rather than NixOS, though it would be nice if someone could get it to work. The systemd-service somehow manages to work correctly even with
debug = ${cfg.logLevel}

${ optionalString cfg.fipsMode "fips = yes" }
${ optionalString cfg.enableInsecureSSLv3 "options = -NO_SSLv3" }
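Review bot: the line `options = -NO_SSLv3` reads as if it disables SSLv3 although the option that emits it is named enableInsecureSSLv3; since stunnel removes a default option when its name is prefixed with a dash, a short comment in the generated config (or in the option's description) saying that the leading dash strips NO_SSLv3 from stunnel's defaults would spare the next reader the same confusion.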
Here it says NO_SSLv3, are you sure that if enableInsecureSSLv3 is true, this would have the desired effect?
I have to admit this is quite confusing. As you can see in the manual and in the example configuration, options prefixed by a dash get removed. This is because NO_SSLv3 is already the default.

I was very scared of making the mistake of leaving out the dash or negating the Boolean somehow. In my opinion, this is an extraordinarily bad design and I'm happy there exists a Nix language to abstract it. ;)
systemd.services.stunnel = {
  description = "stunnel TLS tunneling service";
  after = [ "network-online.target" ];
  wants = [ "network-online.target" ];
network.target should be enough. Then stunnel will be stopped before the network on shutdown.

Thanks!
Motivation for this change

stunnel is a TLS endpoint and useful in many situations, especially for services which don't have native TLS support. While it is already packaged for NixOS, there was no way to configure it. This PR aims to provide basic configuration options for the most important settings. It is a work in progress and, while already in use for server-mode configurations, it needs more testing, especially with client-mode configurations.
Things done

- build-use-sandbox in nix.conf on non-NixOS
- nix-shell -p nox --run "nox-review wip"
- ./result/bin/

This is my first NixOS module and I don't have that much experience yet. There are still some things I would like to accomplish:

- stunnel won't start. Can this be checked?
- stunnel runs in the foreground, which works pretty well. There is an option to fork into the background and create a PID file, but I couldn't get that to work. Is it bad to run the process in the foreground inside the systemd service?

Thanks.
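The review points from this thread (types.path for CAPath, optionalString for the conditional lines, the dash semantics of stunnel's options directive, network.target ordering, and keeping stunnel in the foreground under Type=simple instead of forking with a PID file) combined into one module fragment, written here as an added example rather than this PR's own code. Assumed, not taken from the page: the option names under services.stunnel, the CAfile and verifyChain stunnel directives, the int type of logLevel, and the /etc/ssl/certs/ca-bundle.crt default suggested above.

```nix
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.stunnel;
in
{
  options.services.stunnel = {
    enable = mkEnableOption "stunnel TLS tunneling service";
    user = mkOption { type = types.nullOr types.str; default = null; };
    group = mkOption { type = types.nullOr types.str; default = null; };
    logLevel = mkOption { type = types.int; default = 5; };
    fipsMode = mkOption { type = types.bool; default = false; };
    enableInsecureSSLv3 = mkOption { type = types.bool; default = false; };
    # types.path instead of types.string, as suggested in review;
    # the default is the bundle NixOS builds from all configured CAs (assumed here)
    CAPath = mkOption { type = types.path; default = "/etc/ssl/certs/ca-bundle.crt"; };
  };

  config = mkIf cfg.enable {
    environment.etc."stunnel.cfg".text = ''
      # stay in the foreground so systemd supervises the process directly (Type=simple, no PIDFile)
      foreground = yes
      debug = ${toString cfg.logLevel}
      ${optionalString (cfg.user != null) "setuid = ${cfg.user}"}
      ${optionalString (cfg.group != null) "setgid = ${cfg.group}"}
      ${optionalString cfg.fipsMode "fips = yes"}
      # a leading dash REMOVES an option from stunnel's defaults; NO_SSLv3 is on by default,
      # so this line only appears when SSLv3 is deliberately re-enabled
      ${optionalString cfg.enableInsecureSSLv3 "options = -NO_SSLv3"}
      # the bundle is a single file, so it is handed to stunnel as CAfile (assumed mapping)
      CAfile = ${cfg.CAPath}
      verifyChain = yes
    '';

    systemd.services.stunnel = {
      description = "stunnel TLS tunneling service";
      # network.target is enough: stunnel is then stopped before the network on shutdown
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "simple";
        ExecStart = "${pkgs.stunnel}/bin/stunnel /etc/stunnel.cfg";
        Restart = "on-failure";
      };
    };
  };
}
```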