nixos/stunnel: add module #33151
nixos/stunnel: add module #33151
Conversation
Find inspiration via
I don't know if there is a canonical setting for this path, but at least until something better comes along you can use "/etc/ssl/certs/ca-bundle.crt". This is where NixOS places all configured certificates.
It matters if other services depend on this service, and you want to have correct dependency ordering. Some services fork after they are properly configured and ready to serve clients (at least that's the systemd model). systemd itself doesn't care. Look for "Type=" in "man systemd.service" to read more about the various service start-up types. |
| }; | ||
|
|
||
| CAPath = mkOption { | ||
| type = types.string; |
|
|
||
| environment.etc."stunnel.cfg".text = '' | ||
| ${ if cfg.user != null then "setuid = ${ cfg.user }" else "" } | ||
| ${ if cfg.group != null then "setgid = ${ cfg.group }" else "" } |
There was a problem hiding this comment.
${optionalString (cfg.user != null) "setuid = ${ cfg.user }"}
lschuermann
force-pushed
the
stunnel-module
branch
from
6f07b8d
to
8a0cc0b
Compare
|
The module has now gotten a lot of improvements and bug fixes, also the client-configuration should work completely. I have to admit that I didn't manage to get the stunnel client-mode to work with certificate validation, although I'm generating the correct configuration. The issue might have to do with SNI and I have to do some more experimenting to get it to work. I guess this is a problem with stunnel itself rather than NixOS, though it would be nice if someone could get it to work. The systemd-service somehow manages to work correctly even with |
| debug = ${cfg.logLevel} | ||
|
|
||
| ${ optionalString cfg.fipsMode "fips = yes" } | ||
| ${ optionalString cfg.enableInsecureSSLv3 "options = -NO_SSLv3" } |
There was a problem hiding this comment.
Here it says NO_SSLv3, are you sure this would if enableInsecureSSLv3 is true, this would have the desired effect?
There was a problem hiding this comment.
I have to admit this is quite confusing. As you can see in the manual and in the example configuration, options prefixed by a dash get removed. This is because NO_SSLv3 is already the default.
I was very scared of making the mistake of leaving out the dash or negating the Boolean somehow. In my option, this is an extraordinarily bad design and I'm happy there exists a Nix language to abstract it. ;)
| systemd.services.stunnel = { | ||
| description = "stunnel TLS tunneling service"; | ||
| after = [ "network-online.target" ]; | ||
| wants = [ "network-online.target" ]; |
There was a problem hiding this comment.
network.target should be enough. Then stunnel will be stopped before the network is on shutdown.
|
Thanks! |
Motivation for this change
stunnelis a TLS endpoint and useful in many situations, especially for services which don't have native TLS support. While it is already packaged for NixOS, there was no way to configure it.This PR aims to provide basic configuration options for the most important settings. It is a work in progress and while already in use for server-mode configurations, it needs more testing especially with client-mode configurations.
Things done
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)This is my first NixOS module and I don't have that much experience yet. There are still some things I would like to accomplish:
stunnelwon't start. Can this be checked?stunnelruns in foreground which works pretty well. There is an option to fork into background and create a PID file, but I couldn't get that to work. Is it bad to run the process in the foreground inside the systemd service?Thanks.