nixpkgs/nixos/modules/services/networking/stunnel.nix

{
  config,
  lib,
  pkgs,
  ...
}:

with lib;

let

  cfg = config.services.stunnel;
  yesNo = val: if val then "yes" else "no";

  verifyRequiredField = type: field: n: c: {
    assertion = hasAttr field c;
    message = "stunnel: \"${n}\" ${type} configuration - Field ${field} is required.";
  };

  verifyChainPathAssert = n: c: {
    assertion = (c.verifyHostname or null) == null || (c.verifyChain || c.verifyPeer);
    message =
      "stunnel: \"${n}\" client configuration - hostname verification "
      + "is not possible without either verifyChain or verifyPeer enabled";
  };

  removeNulls = mapAttrs (_: filterAttrs (_: v: v != null));
  mkValueString =
    v:
    if v == true then
      "yes"
    else if v == false then
      "no"
    else
      generators.mkValueStringDefault { } v;
  generateConfig =
    c:
    generators.toINI {
      mkSectionName = id;
      mkKeyValue = k: v: "${k} = ${mkValueString v}";
    } (removeNulls c);

in

{

  ###### interface

  options = {

    services.stunnel = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable the stunnel TLS tunneling service.";
      };

      user = mkOption {
        type = with types; nullOr str;
        default = "nobody";
        description = "The user under which stunnel runs.";
      };

      group = mkOption {
        type = with types; nullOr str;
        default = "nogroup";
        description = "The group under which stunnel runs.";
      };

      logLevel = mkOption {
        type = types.enum [
          "emerg"
          "alert"
          "crit"
          "err"
          "warning"
          "notice"
          "info"
          "debug"
        ];
        default = "info";
        description = "Verbosity of stunnel output.";
      };

      fipsMode = mkOption {
        type = types.bool;
        default = false;
        description = "Enable FIPS 140-2 mode required for compliance.";
      };

      enableInsecureSSLv3 = mkOption {
        type = types.bool;
        default = false;
        description = "Enable support for the insecure SSLv3 protocol.";
      };

      servers = mkOption {
        description = ''
          Define the server configurations.

          See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`.
        '';
        type =
          with types;
          attrsOf (
            attrsOf (
              nullOr (oneOf [
                bool
                int
                str
              ])
            )
          );
        example = {
          fancyWebserver = {
            accept = 443;
            connect = 8080;
            cert = "/path/to/pem/file";
          };
        };
        default = { };
      };

      clients = mkOption {
        description = ''
          Define the client configurations.

          By default, verifyChain and OCSPaia are enabled and a CAFile is provided from pkgs.cacert.

          See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`.
        '';
        type =
          with types;
          attrsOf (
            attrsOf (
              nullOr (oneOf [
                bool
                int
                str
              ])
            )
          );

        apply =
          let
            applyDefaults =
              c:
              {
                CAFile = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
                OCSPaia = true;
                verifyChain = true;
              }
              // c;
            setCheckHostFromVerifyHostname =
              c:
              # To preserve backward-compatibility with the old NixOS stunnel module
              # definition, allow "verifyHostname" as an alias for "checkHost".
              c
              // {
                checkHost = c.checkHost or c.verifyHostname or null;
                verifyHostname = null; # Not a real stunnel configuration setting
              };
            forceClient = c: c // { client = true; };
          in
          mapAttrs (_: c: forceClient (setCheckHostFromVerifyHostname (applyDefaults c)));

        example = {
          foobar = {
            accept = "0.0.0.0:8080";
            connect = "nixos.org:443";
            verifyChain = false;
          };
        };
        default = { };
      };
    };
  };

  ###### implementation

  config = mkIf cfg.enable {

    assertions = concatLists [
      (singleton {
        assertion = (length (attrValues cfg.servers) != 0) || ((length (attrValues cfg.clients)) != 0);
        message = "stunnel: At least one server- or client-configuration has to be present.";
      })

      (mapAttrsToList verifyChainPathAssert cfg.clients)
      (mapAttrsToList (verifyRequiredField "client" "accept") cfg.clients)
      (mapAttrsToList (verifyRequiredField "client" "connect") cfg.clients)
      (mapAttrsToList (verifyRequiredField "server" "accept") cfg.servers)
      (mapAttrsToList (verifyRequiredField "server" "cert") cfg.servers)
      (mapAttrsToList (verifyRequiredField "server" "connect") cfg.servers)
    ];

    environment.systemPackages = [ pkgs.stunnel ];

    environment.etc."stunnel.cfg".text = ''
      ${optionalString (cfg.user != null) "setuid = ${cfg.user}"}
      ${optionalString (cfg.group != null) "setgid = ${cfg.group}"}

      debug = ${cfg.logLevel}

      ${optionalString cfg.fipsMode "fips = yes"}
      ${optionalString cfg.enableInsecureSSLv3 "options = -NO_SSLv3"}

      ; ----- SERVER CONFIGURATIONS -----
      ${generateConfig cfg.servers}

      ; ----- CLIENT CONFIGURATIONS -----
      ${generateConfig cfg.clients}
    '';

    systemd.services.stunnel = {
      description = "stunnel TLS tunneling service";
      after = [ "network.target" ];
      wants = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      restartTriggers = [ config.environment.etc."stunnel.cfg".source ];
      serviceConfig = {
        ExecStart = "${pkgs.stunnel}/bin/stunnel ${config.environment.etc."stunnel.cfg".source}";
        Type = "forking";
      };
    };

    meta.maintainers = with maintainers; [
      # Server side
      lschuermann
      # Client side
      das_j
    ];
  };

}
nixos/stunnel: add module (#33151) 2018-01-21 12:23:07 +01:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}:`

			`with lib;`

			`let`

			`cfg = config.services.stunnel;`
			`yesNo = val: if val then "yes" else "no";`

nixos/stunnel: Make free-form This unlocks stunnel's other ~100 configuration directives, allowing full stunnel use in NixOS. 2022-02-22 16:42:29 -08:00			`verifyRequiredField = type: field: n: c: {`
			`assertion = hasAttr field c;`
			`message = "stunnel: \"${n}\" ${type} configuration - Field ${field} is required.";`
			`};`

nixos/stunnel: add module (#33151) 2018-01-21 12:23:07 +01:00			`verifyChainPathAssert = n: c: {`
nixos/stunnel: Make free-form This unlocks stunnel's other ~100 configuration directives, allowing full stunnel use in NixOS. 2022-02-22 16:42:29 -08:00			`assertion = (c.verifyHostname or null) == null \|\| (c.verifyChain \|\| c.verifyPeer);`
nixos/stunnel: add module (#33151) 2018-01-21 12:23:07 +01:00			`message =`
			`"stunnel: \"${n}\" client configuration - hostname verification "`
			`+ "is not possible without either verifyChain or verifyPeer enabled";`
			`};`

nixos/stunnel: Make free-form This unlocks stunnel's other ~100 configuration directives, allowing full stunnel use in NixOS. 2022-02-22 16:42:29 -08:00			`removeNulls = mapAttrs (_: filterAttrs (_: v: v != null));`
			`mkValueString =`
			`v:`
			`if v == true then`
			`"yes"`
			`else if v == false then`
			`"no"`
			`else`
			`generators.mkValueStringDefault { } v;`
			`generateConfig =`
			`c:`
			`generators.toINI {`
			`mkSectionName = id;`
			`mkKeyValue = k: v: "${k} = ${mkValueString v}";`
			`} (removeNulls c);`
nixos/stunnel: add module (#33151) 2018-01-21 12:23:07 +01:00
			`in`

			`{`

			`###### interface`

			`options = {`

			`services.stunnel = {`

			`enable = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = "Whether to enable the stunnel TLS tunneling service.";`
			`};`

			`user = mkOption {`
nixos/modules: Remove all usages of types.string And replace them with a more appropriate type Also fix up some minor module problems along the way 2019-08-08 22:48:27 +02:00			`type = with types; nullOr str;`
nixos/stunnel: add module (#33151) 2018-01-21 12:23:07 +01:00			`default = "nobody";`
			`description = "The user under which stunnel runs.";`
			`};`

			`group = mkOption {`
nixos/modules: Remove all usages of types.string And replace them with a more appropriate type Also fix up some minor module problems along the way 2019-08-08 22:48:27 +02:00			`type = with types; nullOr str;`
nixos/stunnel: add module (#33151) 2018-01-21 12:23:07 +01:00			`default = "nogroup";`
			`description = "The group under which stunnel runs.";`
			`};`

			`logLevel = mkOption {`
			`type = types.enum [`
			`"emerg"`
			`"alert"`
			`"crit"`
			`"err"`
			`"warning"`
			`"notice"`
			`"info"`
			`"debug"`
			`];`
			`default = "info";`
			`description = "Verbosity of stunnel output.";`
			`};`

			`fipsMode = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = "Enable FIPS 140-2 mode required for compliance.";`
			`};`

			`enableInsecureSSLv3 = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = "Enable support for the insecure SSLv3 protocol.";`
			`};`

			`servers = mkOption {`
nixos/stunnel: Make free-form This unlocks stunnel's other ~100 configuration directives, allowing full stunnel use in NixOS. 2022-02-22 16:42:29 -08:00			`description = ''`
nixos: fix typos 2022-12-17 19:31:14 -05:00			`Define the server configurations.`
nixos/stunnel: Make free-form This unlocks stunnel's other ~100 configuration directives, allowing full stunnel use in NixOS. 2022-02-22 16:42:29 -08:00
			See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`.
			`'';`
			`type =`
			`with types;`
			`attrsOf (`
			`attrsOf (`
			`nullOr (oneOf [`
			`bool`
			`int`
			`str`
			`])`
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 0128fbb0a58f0c85aeaf316b0dfa343246b929c2 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 20:29:24 +01:00			`)`
nixos/stunnel: Make free-form This unlocks stunnel's other ~100 configuration directives, allowing full stunnel use in NixOS. 2022-02-22 16:42:29 -08:00			`);`
nixos/stunnel: add module (#33151) 2018-01-21 12:23:07 +01:00			`example = {`
			`fancyWebserver = {`
			`accept = 443;`
			`connect = 8080;`
			`cert = "/path/to/pem/file";`
			`};`
			`};`
			`default = { };`
			`};`

			`clients = mkOption {`
nixos/stunnel: Make free-form This unlocks stunnel's other ~100 configuration directives, allowing full stunnel use in NixOS. 2022-02-22 16:42:29 -08:00			`description = ''`
			`Define the client configurations.`

			`By default, verifyChain and OCSPaia are enabled and a CAFile is provided from pkgs.cacert.`

			See "SERVICE-LEVEL OPTIONS" in {manpage}`stunnel(8)`.
			`'';`
			`type =`
			`with types;`
			`attrsOf (`
			`attrsOf (`
			`nullOr (oneOf [`
			`bool`
			`int`
			`str`
			`])`
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 0128fbb0a58f0c85aeaf316b0dfa343246b929c2 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 20:29:24 +01:00			`)`
nixos/stunnel: Make free-form This unlocks stunnel's other ~100 configuration directives, allowing full stunnel use in NixOS. 2022-02-22 16:42:29 -08:00			`);`
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev 0128fbb0a58f0c85aeaf316b0dfa343246b929c2 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 20:29:24 +01:00
nixos/stunnel: Make free-form This unlocks stunnel's other ~100 configuration directives, allowing full stunnel use in NixOS. 2022-02-22 16:42:29 -08:00			`apply =`
			`let`
			`applyDefaults =`
			`c:`
			`{`
			`CAFile = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";`
			`OCSPaia = true;`
			`verifyChain = true;`
			`}`
			`// c;`
			`setCheckHostFromVerifyHostname =`
			`c:`
			`# To preserve backward-compatibility with the old NixOS stunnel module`
			`# definition, allow "verifyHostname" as an alias for "checkHost".`
			`c`
			`// {`
			`checkHost = c.checkHost or c.verifyHostname or null;`
			`verifyHostname = null; # Not a real stunnel configuration setting`
			`};`
			`forceClient = c: c // { client = true; };`
			`in`
			`mapAttrs (_: c: forceClient (setCheckHostFromVerifyHostname (applyDefaults c)));`

nixos/stunnel: add module (#33151) 2018-01-21 12:23:07 +01:00			`example = {`
			`foobar = {`
			`accept = "0.0.0.0:8080";`
			`connect = "nixos.org:443";`
			`verifyChain = false;`
			`};`
			`};`
			`default = { };`
			`};`
			`};`
			`};`

			`###### implementation`

			`config = mkIf cfg.enable {`

			`assertions = concatLists [`
			`(singleton {`
			`assertion = (length (attrValues cfg.servers) != 0) \|\| ((length (attrValues cfg.clients)) != 0);`
			`message = "stunnel: At least one server- or client-configuration has to be present.";`
			`})`

			`(mapAttrsToList verifyChainPathAssert cfg.clients)`
nixos/stunnel: Make free-form This unlocks stunnel's other ~100 configuration directives, allowing full stunnel use in NixOS. 2022-02-22 16:42:29 -08:00			`(mapAttrsToList (verifyRequiredField "client" "accept") cfg.clients)`
			`(mapAttrsToList (verifyRequiredField "client" "connect") cfg.clients)`
			`(mapAttrsToList (verifyRequiredField "server" "accept") cfg.servers)`
			`(mapAttrsToList (verifyRequiredField "server" "cert") cfg.servers)`
			`(mapAttrsToList (verifyRequiredField "server" "connect") cfg.servers)`
nixos/stunnel: add module (#33151) 2018-01-21 12:23:07 +01:00			`];`

			`environment.systemPackages = [ pkgs.stunnel ];`

			`environment.etc."stunnel.cfg".text = ''`
treewide: use more lib.optionalString 2023-03-19 21:44:31 +01:00			`${optionalString (cfg.user != null) "setuid = ${cfg.user}"}`
			`${optionalString (cfg.group != null) "setgid = ${cfg.group}"}`
nixos/stunnel: add module (#33151) 2018-01-21 12:23:07 +01:00
			`debug = ${cfg.logLevel}`

			`${optionalString cfg.fipsMode "fips = yes"}`
			`${optionalString cfg.enableInsecureSSLv3 "options = -NO_SSLv3"}`

			`; ----- SERVER CONFIGURATIONS -----`
nixos/stunnel: Make free-form This unlocks stunnel's other ~100 configuration directives, allowing full stunnel use in NixOS. 2022-02-22 16:42:29 -08:00			`${generateConfig cfg.servers}`
nixos/stunnel: add module (#33151) 2018-01-21 12:23:07 +01:00
			`; ----- CLIENT CONFIGURATIONS -----`
nixos/stunnel: Make free-form This unlocks stunnel's other ~100 configuration directives, allowing full stunnel use in NixOS. 2022-02-22 16:42:29 -08:00			`${generateConfig cfg.clients}`
nixos/stunnel: add module (#33151) 2018-01-21 12:23:07 +01:00			`'';`

			`systemd.services.stunnel = {`
			`description = "stunnel TLS tunneling service";`
			`after = [ "network.target" ];`
			`wants = [ "network.target" ];`
			`wantedBy = [ "multi-user.target" ];`
			`restartTriggers = [ config.environment.etc."stunnel.cfg".source ];`
			`serviceConfig = {`
			`ExecStart = "${pkgs.stunnel}/bin/stunnel ${config.environment.etc."stunnel.cfg".source}";`
			`Type = "forking";`
			`};`
			`};`

nixos/stunnel: Add maintainers 2019-10-25 15:48:31 +02:00			`meta.maintainers = with maintainers; [`
			`# Server side`
			`lschuermann`
			`# Client side`
			`das_j`
			`];`
nixos/stunnel: add module (#33151) 2018-01-21 12:23:07 +01:00			`};`

			`}`