From 69c6e3352dbf417738453e3bad560cd4327d9f52 Mon Sep 17 00:00:00 2001 From: figboy9 Date: Sun, 28 Jul 2024 14:03:49 +0900 Subject: [PATCH 01/11] nixos/veilid: Add veilid service module --- nixos/modules/module-list.nix | 7 +- nixos/modules/services/networking/veilid.nix | 606 +++++++++++++++++++ 2 files changed, 609 insertions(+), 4 deletions(-) create mode 100644 nixos/modules/services/networking/veilid.nix diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index f97a6b47512c..370e7b761443 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1236,6 +1236,7 @@ ./services/networking/uptermd.nix ./services/networking/v2ray.nix ./services/networking/v2raya.nix + ./services/networking/veilid.nix ./services/networking/vdirsyncer.nix ./services/networking/vsftpd.nix ./services/networking/wasabibackend.nix @@ -1694,9 +1695,7 @@ ./virtualisation/xe-guest-utilities.nix ./virtualisation/xen-dom0.nix { - documentation.nixos.extraModules = [ - ./virtualisation/qemu-vm.nix - ./image/repart.nix - ]; + documentation.nixos.extraModules = + [ ./virtualisation/qemu-vm.nix ./image/repart.nix ]; } ] diff --git a/nixos/modules/services/networking/veilid.nix b/nixos/modules/services/networking/veilid.nix new file mode 100644 index 000000000000..098b74b683e3 --- /dev/null +++ b/nixos/modules/services/networking/veilid.nix 
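Review bot: The new `./services/networking/veilid.nix` entry is inserted before `./services/networking/vdirsyncer.nix`, but the surrounding list is kept in alphabetical order and `vd` sorts before `ve`; move the line one position down so it follows `vdirsyncer.nix`.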
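Review bot: The second hunk re-wraps `documentation.nixos.extraModules` onto two lines with no functional change, which is formatter churn unrelated to adding the Veilid module. Drop this hunk from the commit (or move it to a separate formatting commit) so the module-list change stays minimal and does not conflict with other edits to the same file.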
@@ -0,0 +1,606 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.services.veilid; + dataDir = "/var/lib/veilid"; + + settingsFormat = pkgs.formats.yaml { }; + configFile = settingsFormat.generate "veilid.yaml" cfg.settings; +in { + config = lib.mkIf cfg.enable { + networking = { + firewall = { + allowedTCPPorts = [ 5150 ]; + allowedUDPPorts = [ 5150 ]; + }; + }; + + systemd.services.veilid = { + enable = true; + description = "Veilid Network Service"; + after = [ "network-pre.target" ]; + wants = [ "network.target" ]; + before = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ configFile ]; + environment = { HOME = dataDir; }; + serviceConfig = { + User = "veilid"; + Restart = "always"; + StateDirectory = "veilid"; + RuntimeDirectory = "veilid"; + ExecStart = "${pkgs.veilid}/bin/veilid-server -c ${configFile}"; + }; + }; + users.users.veilid = { isSystemUser = true; }; + + users.users.veilid.group = "veilid"; + users.groups.veilid = { }; + + environment = { + etc."veilid/veilid-server.conf".source = configFile; + systemPackages = [ pkgs.veilid ]; + }; + }; + + options.services.veilid = { + enable = lib.mkEnableOption "veilid"; + settings = lib.mkOption { + + type = lib.types.attrsOf (lib.types.submodule { + freeformType = settingsFormat.type; + + options = { + daemon = { + enabled = lib.mkOption { + type = lib.types.bool; + default = false; + }; + pid_file = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + chroot = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + working_directory = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + user = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + group = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + stdout_file = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + stderr_file = lib.mkOption { + type = 
lib.types.nullOr lib.types.str; + default = null; + }; + }; + client_api = { + ipc_enabled = lib.mkOption { + type = lib.types.bool; + default = true; + }; + ipc_directory = lib.mkOption { + type = lib.types.str; + default = + "/home/${config.users.users.veilid.name}/.local/share/veilid/ipc"; + }; + network_enabled = lib.mkOption { + type = lib.types.bool; + default = false; + }; + listen_address = lib.mkOption { + type = lib.types.str; + default = "localhost:5959"; + }; + }; + auto_attach = lib.mkOption { + type = lib.types.bool; + default = true; + }; + logging = { + system = { + enabled = lib.mkOption { + type = lib.types.bool; + default = false; + }; + level = lib.mkOption { + type = lib.types.str; + default = "info"; + }; + ignore_log_targets = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + }; + }; + terminal = { + enabled = lib.mkOption { + type = lib.types.bool; + default = false; + }; + level = lib.mkOption { + type = lib.types.str; + default = "info"; + }; + ignore_log_targets = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + }; + }; + file = { + enabled = lib.mkOption { + type = lib.types.bool; + default = false; + }; + path = lib.mkOption { + type = lib.types.str; + default = ""; + }; + append = lib.mkOption { + type = lib.types.bool; + default = true; + }; + level = lib.mkOption { + type = lib.types.str; + default = "info"; + }; + ignore_log_targets = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + }; + }; + api = { + enabled = lib.mkOption { + type = lib.types.bool; + default = false; + }; + level = lib.mkOption { + type = lib.types.str; + default = "info"; + }; + ignore_log_targets = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + }; + }; + otlp = { + enabled = lib.mkOption { + type = lib.types.bool; + default = true; + }; + level = lib.mkOption { + type = lib.types.str; + default = "trace"; + }; + grpc_endpoint = lib.mkOption { + type = 
lib.types.str; + default = "localhost:4317"; + }; + ignore_log_targets = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + }; + }; + console = { + enabled = lib.mkOption { + type = lib.types.bool; + default = true; + }; + }; + }; + testing = { + subnode_index = lib.mkOption { + type = lib.types.number; + default = 0; + }; + }; + core = { + capabilities = { + disable = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + }; + }; + protected_store = { + allow_insecure_fallback = lib.mkOption { + type = lib.types.bool; + default = true; + }; + always_use_insecure_storage = lib.mkOption { + type = lib.types.bool; + default = true; + }; + directory = lib.mkOption { + type = lib.types.str; + default = + "/home/${config.users.users.veilid.name}/.local/share/veilid/protected_store"; + }; + delete = lib.mkOption { + type = lib.types.bool; + default = false; + }; + device_encryption_key_password = lib.mkOption { + type = lib.types.str; + default = + "/home/${config.users.users.veilid.name}/.local/share/veilid/protected_store"; + }; + new_device_encryption_key_password = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + }; + table_store = { + directory = lib.mkOption { + type = lib.types.str; + default = + "/home/${config.users.users.veilid.name}/.local/share/veilid/table_store"; + }; + delete = lib.mkOption { + type = lib.types.bool; + default = false; + }; + }; + block_store = { + directory = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = + "/home/${config.users.users.veilid.name}/.local/share/veilid/block_store"; + }; + delete = lib.mkOption { + type = lib.types.bool; + default = false; + }; + }; + network = { + connection_initial_timeout_ms = lib.mkOption { + type = lib.types.number; + default = 2000; + }; + connection_inactivity_timeout_ms = lib.mkOption { + type = lib.types.number; + default = 60000; + }; + max_connections_per_ip4 = lib.mkOption { + type = 
lib.types.number; + default = 32; + }; + max_connections_per_ip6_prefix = lib.mkOption { + type = lib.types.number; + default = 32; + }; + max_connections_per_ip6_prefix_size = lib.mkOption { + type = lib.types.number; + default = 56; + }; + max_connection_frequency_per_min = lib.mkOption { + type = lib.types.number; + default = 128; + }; + client_allowlist_timeout_ms = lib.mkOption { + type = lib.types.number; + default = 300000; + }; + reverse_connection_receipt_time_ms = lib.mkOption { + type = lib.types.number; + default = 5000; + }; + network_key_password = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + }; + routing_table = { + node_id = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + node_id_secret = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + bootstrap = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ "bootstrap.veilid.net" ]; + }; + limit_over_attached = lib.mkOption { + type = lib.types.number; + default = 64; + }; + limit_fully_attached = lib.mkOption { + type = lib.types.number; + default = 32; + }; + limit_attached_strong = lib.mkOption { + type = lib.types.number; + default = 32; + }; + limit_attached_good = lib.mkOption { + type = lib.types.number; + default = 8; + }; + limit_attached_weak = lib.mkOption { + type = lib.types.number; + default = 4; + }; + }; + rpc = { + concurrency = lib.mkOption { + type = lib.types.number; + default = 0; + }; + queue_size = lib.mkOption { + type = lib.types.number; + default = 1024; + }; + max_timestamp_behind_ms = lib.mkOption { + type = lib.types.number; + default = 10000; + }; + max_timestamp_ahead_ms = lib.mkOption { + type = lib.types.number; + default = 10000; + }; + timeout_ms = lib.mkOption { + type = lib.types.number; + default = 5000; + }; + max_route_hop_count = lib.mkOption { + type = lib.types.number; + default = 4; + }; + default_route_hop_count = lib.mkOption { + type = 
lib.types.number; + default = 1; + }; + }; + dht = { + max_find_node_count = lib.mkOption { + type = lib.types.number; + default = 20; + }; + resolve_node_timeout_ms = lib.mkOption { + type = lib.types.number; + default = 10000; + }; + resolve_node_count = lib.mkOption { + type = lib.types.number; + default = 1; + }; + resolve_node_fanout = lib.mkOption { + type = lib.types.number; + default = 4; + }; + get_value_timeout_ms = lib.mkOption { + type = lib.types.number; + default = 10000; + }; + get_value_count = lib.mkOption { + type = lib.types.number; + default = 3; + }; + get_value_fanout = lib.mkOption { + type = lib.types.number; + default = 4; + }; + set_value_timeout_ms = lib.mkOption { + type = lib.types.number; + default = 10000; + }; + set_value_count = lib.mkOption { + type = lib.types.number; + default = 5; + }; + set_value_fanout = lib.mkOption { + type = lib.types.number; + default = 4; + }; + min_peer_count = lib.mkOption { + type = lib.types.number; + default = 20; + }; + min_peer_refresh_time_ms = lib.mkOption { + type = lib.types.number; + default = 60000; + }; + validate_dial_info_receipt_time_ms = lib.mkOption { + type = lib.types.number; + default = 2000; + }; + local_subkey_cache_size = lib.mkOption { + type = lib.types.number; + default = 128; + }; + local_max_subkey_cache_memory_mb = lib.mkOption { + type = lib.types.number; + default = 256; + }; + remote_subkey_cache_size = lib.mkOption { + type = lib.types.number; + default = 1024; + }; + remote_max_records = lib.mkOption { + type = lib.types.number; + default = 65536; + }; + remote_max_subkey_cache_memory_mb = lib.mkOption { + type = lib.types.number; + default = 2552; + }; + remote_max_storage_space_mb = lib.mkOption { + type = lib.types.number; + default = 10000; + }; + public_watch_limit = lib.mkOption { + type = lib.types.number; + default = 32; + }; + member_watch_limit = lib.mkOption { + type = lib.types.number; + default = 8; + }; + max_watch_expiration_ms = lib.mkOption { + type = 
lib.types.number; + default = 600000; + }; + }; + upnp = lib.mkOption { + type = lib.types.bool; + default = true; + }; + detect_address_changes = lib.mkOption { + type = lib.types.bool; + default = true; + }; + restricted_nat_retries = lib.mkOption { + type = lib.types.number; + default = 0; + }; + tls = { + certificate_path = lib.mkOption { + type = lib.types.str; + default = + "/home/${config.users.users.veilid.name}/.local/share/veilid/protected_store"; + }; + private_key_path = lib.mkOption { + type = lib.types.str; + default = + "/home/${config.users.users.veilid.name}/.local/share/veilid/protected_store"; + }; + connection_initial_timeout_ms = lib.mkOption { + type = lib.types.number; + default = 2000; + }; + }; + application = { + https = { + enabled = lib.mkOption { + type = lib.types.bool; + default = true; + }; + listen_address = lib.mkOption { + type = lib.types.str; + default = ":433"; + }; + + path = lib.mkOption { + type = lib.types.str; + default = "app"; + }; + url = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + }; + }; + protocol = { + udp = { + enabled = lib.mkOption { + type = lib.types.bool; + default = true; + }; + socket_pool_size = lib.mkOption { + type = lib.types.number; + default = 0; + }; + listen_address = lib.mkOption { + type = lib.types.str; + default = ""; + }; + public_address = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + }; + tcp = { + connect = lib.mkOption { + type = lib.types.bool; + default = true; + }; + listen = lib.mkOption { + type = lib.types.bool; + default = true; + }; + max_connections = lib.mkOption { + type = lib.types.number; + default = 32; + }; + listen_address = lib.mkOption { + type = lib.types.str; + default = ""; + }; + public_address = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + }; + ws = { + connect = lib.mkOption { + type = lib.types.bool; + default = true; + }; + listen = lib.mkOption { + type = 
lib.types.bool; + default = true; + }; + max_connections = lib.mkOption { + type = lib.types.number; + default = 32; + }; + listen_address = lib.mkOption { + type = lib.types.str; + default = ""; + }; + + path = lib.mkOption { + type = lib.types.str; + default = "ws"; + }; + url = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + }; + wss = { + connect = lib.mkOption { + type = lib.types.bool; + default = true; + }; + listen = lib.mkOption { + type = lib.types.bool; + default = true; + }; + max_connections = lib.mkOption { + type = lib.types.number; + default = 32; + }; + listen_address = lib.mkOption { + type = lib.types.str; + default = ""; + }; + + path = lib.mkOption { + type = lib.types.str; + default = "ws"; + }; + url = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + }; + }; + }; + }; + }); + }; + }; + +} From c321004b56ad5916f54edc7a863af45907c01164 Mon Sep 17 00:00:00 2001 From: figboy9 Date: Sun, 28 Jul 2024 14:05:07 +0900 Subject: [PATCH 02/11] Add figboy9 to maintainers --- maintainers/maintainer-list.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix index d5e0e9468be9..1ee6debd0b62 100644 --- a/maintainers/maintainer-list.nix +++ b/maintainers/maintainer-list.nix @@ -6641,6 +6641,12 @@ { fingerprint = "elY15tXap1tddxbBVoUoAioe1u0RDWti5rc9cauSmwo"; } ]; }; + figboy9 = { + email = "figboy9@tuta.io"; + github = "figboy9"; + githubId = 52276064; + name = "figboy9"; + }; figsoda = { email = "figsoda@pm.me"; matrix = "@figsoda:matrix.org"; From 67b152a087a28cfab0191229af4626b432a6762a Mon Sep 17 00:00:00 2001 From: figboy9 Date: Sun, 28 Jul 2024 14:42:12 +0900 Subject: [PATCH 03/11] Add figboy9 to module maintainers --- nixos/modules/services/networking/veilid.nix | 1 + 1 file changed, 1 insertion(+) 
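Review bot: `configFile` is produced by `settingsFormat.generate` and additionally linked as `environment.etc."veilid/veilid-server.conf"`, so every value placed in `settings` — including the secret-bearing options this hunk declares, `core.network.routing_table.node_id_secret`, `core.protected_store.device_encryption_key_password`, `core.protected_store.new_device_encryption_key_password` and `core.network.network_key_password` — ends up in the world-readable Nix store. The option descriptions should state that these keys must not be set through `settings`, and the module should offer a file-based path for them (for example a `LoadCredential=` file read at start-up, or a runtime merge into the generated config) rather than accepting them as plain `types.str`. Note also that `device_encryption_key_password`, `tls.certificate_path` and `tls.private_key_path` all default to the `protected_store` directory string, which looks like a copy-paste slip: a password option defaulting to a filesystem path is written into the config as-is. Later patches in this series drop several of these options, but the `freeformType` still accepts the same keys, so the store-exposure point survives them.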
diff --git a/nixos/modules/services/networking/veilid.nix b/nixos/modules/services/networking/veilid.nix index 098b74b683e3..5ff7b3b196fc 100644 --- a/nixos/modules/services/networking/veilid.nix +++ b/nixos/modules/services/networking/veilid.nix @@ -603,4 +603,5 @@ in { }; }; + meta.maintainers = with lib.maintainers; [ figboy9 ]; } From 318014034a856b09da9bbe23c101a2d99d897b3b Mon Sep 17 00:00:00 2001 From: figboy9 Date: Sat, 14 Sep 2024 18:03:02 +0900 Subject: [PATCH 04/11] reduce options --- nixos/modules/services/networking/veilid.nix | 589 +++---------------- 1 file changed, 87 insertions(+), 502 deletions(-) diff --git a/nixos/modules/services/networking/veilid.nix b/nixos/modules/services/networking/veilid.nix index 5ff7b3b196fc..9c8a9bd7a661 100644 --- a/nixos/modules/services/networking/veilid.nix +++ b/nixos/modules/services/networking/veilid.nix @@ -1,4 +1,5 @@ { config, pkgs, lib, ... }: +with lib; let cfg = config.services.veilid; dataDir = "/var/lib/veilid"; @@ -6,7 +7,7 @@ let settingsFormat = pkgs.formats.yaml { }; configFile = settingsFormat.generate "veilid.yaml" cfg.settings; in { - config = lib.mkIf cfg.enable { + config = mkIf cfg.enable { networking = { firewall = { allowedTCPPorts = [ 5150 ]; 
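Review bot: `with lib;` at file scope is discouraged in nixpkgs modules because it makes every unqualified identifier ambiguous and hides which `lib` names the file relies on; prefer `inherit (lib) mkIf mkEnableOption mkOption types maintainers;` in the `let` block, or keep the explicit `lib.` prefixes the file used before this patch. Later hunks in the series appear to mix both styles (`lib.mkOption` next to `mkOption`), which an explicit `inherit` would also prevent.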
@@ -43,565 +44,149 @@ in { }; options.services.veilid = { - enable = lib.mkEnableOption "veilid"; - settings = lib.mkOption { - - type = lib.types.attrsOf (lib.types.submodule { + enable = mkEnableOption "Veilid Headless Node"; + settings = mkOption { + description = '' + Build veilid-server.conf with nix expression. + Check [Configuration Keys](https://veilid.gitlab.io/developer-book/admin/config.html#configuration-keys). + ''; + type = types.submodule { freeformType = settingsFormat.type; options = { - daemon = { - enabled = lib.mkOption { - type = lib.types.bool; - default = false; - }; - pid_file = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - chroot = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - working_directory = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - user = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - group = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - stdout_file = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - stderr_file = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - }; client_api = { - ipc_enabled = lib.mkOption { - type = lib.types.bool; + ipc_enabled = mkOption { + type = types.bool; default = true; + description = + "veilid-server will respond to Python and other JSON client requests."; }; - ipc_directory = lib.mkOption { - type = lib.types.str; - default = - "/home/${config.users.users.veilid.name}/.local/share/veilid/ipc"; + ipc_directory = mkOption { + type = types.str; + default = "${dataDir}/ipc"; }; - network_enabled = lib.mkOption { - type = lib.types.bool; - default = false; - }; - listen_address = lib.mkOption { - type = lib.types.str; - default = "localhost:5959"; - }; - }; - auto_attach = lib.mkOption { - type = lib.types.bool; - default = true; }; logging = { system = { - enabled = 
lib.mkOption { - type = lib.types.bool; - default = false; + enabled = mkOption { + type = types.bool; + default = true; + description = "Events of type 'system' will be logged."; }; - level = lib.mkOption { - type = lib.types.str; + level = mkOption { + type = types.str; default = "info"; - }; - ignore_log_targets = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; + description = + "The minimum priority of system events to be logged."; }; }; terminal = { - enabled = lib.mkOption { - type = lib.types.bool; + enabled = mkOption { + type = types.bool; default = false; + description = "Events of type 'terminal' will be logged."; }; - level = lib.mkOption { - type = lib.types.str; + level = mkOption { + type = types.str; default = "info"; - }; - ignore_log_targets = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - }; - }; - file = { - enabled = lib.mkOption { - type = lib.types.bool; - default = false; - }; - path = lib.mkOption { - type = lib.types.str; - default = ""; - }; - append = lib.mkOption { - type = lib.types.bool; - default = true; - }; - level = lib.mkOption { - type = lib.types.str; - default = "info"; - }; - ignore_log_targets = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; + description = + "The minimum priority of terminal events to be logged."; }; }; api = { - enabled = lib.mkOption { - type = lib.types.bool; + enabled = mkOption { + type = types.bool; default = false; + description = "Events of type 'api' will be logged."; }; - level = lib.mkOption { - type = lib.types.str; + level = mkOption { + type = types.str; default = "info"; + description = + "The minimum priority of api events to be logged."; }; - ignore_log_targets = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - }; - }; - otlp = { - enabled = lib.mkOption { - type = lib.types.bool; - default = true; - }; - level = lib.mkOption { - type = lib.types.str; - default = "trace"; - }; - 
grpc_endpoint = lib.mkOption { - type = lib.types.str; - default = "localhost:4317"; - }; - ignore_log_targets = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - }; - }; - console = { - enabled = lib.mkOption { - type = lib.types.bool; - default = true; - }; - }; - }; - testing = { - subnode_index = lib.mkOption { - type = lib.types.number; - default = 0; }; }; core = { capabilities = { - disable = lib.mkOption { - type = lib.types.listOf lib.types.str; + disable = mkOption { + type = types.listOf types.str; default = [ ]; + description = + "A list of capabilities to disable (for example, DHTV to say you cannot store DHT information)."; }; }; protected_store = { - allow_insecure_fallback = lib.mkOption { - type = lib.types.bool; + allow_insecure_fallback = mkOption { + type = types.bool; default = true; + description = + "If we can't use system-provided secure storage, should we proceed anyway?"; }; - always_use_insecure_storage = lib.mkOption { - type = lib.types.bool; + always_use_insecure_storage = mkOption { + type = types.bool; default = true; + description = + "Should we bypass any attempt to use system-provided secure storage?"; }; - directory = lib.mkOption { - type = lib.types.str; - default = - "/home/${config.users.users.veilid.name}/.local/share/veilid/protected_store"; - }; - delete = lib.mkOption { - type = lib.types.bool; - default = false; - }; - device_encryption_key_password = lib.mkOption { - type = lib.types.str; - default = - "/home/${config.users.users.veilid.name}/.local/share/veilid/protected_store"; - }; - new_device_encryption_key_password = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; + directory = mkOption { + type = types.str; + default = "${dataDir}/protected_store"; + description = + "The filesystem directory to store your protected store in."; }; }; table_store = { - directory = lib.mkOption { - type = lib.types.str; - default = - 
"/home/${config.users.users.veilid.name}/.local/share/veilid/table_store"; - }; - delete = lib.mkOption { - type = lib.types.bool; - default = false; + directory = mkOption { + type = types.str; + default = "${dataDir}/table_store"; + description = + "The filesystem directory to store your table store within."; }; }; block_store = { - directory = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = - "/home/${config.users.users.veilid.name}/.local/share/veilid/block_store"; - }; - delete = lib.mkOption { - type = lib.types.bool; - default = false; + directory = mkOption { + type = types.nullOr types.str; + default = "${dataDir}/block_store"; + description = + "The filesystem directory to store blocks for the block store."; }; }; network = { - connection_initial_timeout_ms = lib.mkOption { - type = lib.types.number; - default = 2000; - }; - connection_inactivity_timeout_ms = lib.mkOption { - type = lib.types.number; - default = 60000; - }; - max_connections_per_ip4 = lib.mkOption { - type = lib.types.number; - default = 32; - }; - max_connections_per_ip6_prefix = lib.mkOption { - type = lib.types.number; - default = 32; - }; - max_connections_per_ip6_prefix_size = lib.mkOption { - type = lib.types.number; - default = 56; - }; - max_connection_frequency_per_min = lib.mkOption { - type = lib.types.number; - default = 128; - }; - client_allowlist_timeout_ms = lib.mkOption { - type = lib.types.number; - default = 300000; - }; - reverse_connection_receipt_time_ms = lib.mkOption { - type = lib.types.number; - default = 5000; - }; - network_key_password = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - }; routing_table = { - node_id = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - node_id_secret = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - bootstrap = lib.mkOption { - type = lib.types.listOf lib.types.str; + bootstrap = mkOption { + type = types.listOf 
types.str; default = [ "bootstrap.veilid.net" ]; + description = + "Host name of existing well-known Veilid bootstrap servers for the network to connect to."; + }; }; - limit_over_attached = lib.mkOption { - type = lib.types.number; - default = 64; + dht = { + min_peer_count = mkOption { + type = types.number; + default = 20; + description = + "Minimum number of nodes to keep in the peer table."; + }; }; - limit_fully_attached = lib.mkOption { - type = lib.types.number; - default = 32; - }; - limit_attached_strong = lib.mkOption { - type = lib.types.number; - default = 32; - }; - limit_attached_good = lib.mkOption { - type = lib.types.number; - default = 8; - }; - limit_attached_weak = lib.mkOption { - type = lib.types.number; - default = 4; - }; - }; - rpc = { - concurrency = lib.mkOption { - type = lib.types.number; - default = 0; - }; - queue_size = lib.mkOption { - type = lib.types.number; - default = 1024; - }; - max_timestamp_behind_ms = lib.mkOption { - type = lib.types.number; - default = 10000; - }; - max_timestamp_ahead_ms = lib.mkOption { - type = lib.types.number; - default = 10000; - }; - timeout_ms = lib.mkOption { - type = lib.types.number; - default = 5000; - }; - max_route_hop_count = lib.mkOption { - type = lib.types.number; - default = 4; - }; - default_route_hop_count = lib.mkOption { - type = lib.types.number; - default = 1; - }; - }; - dht = { - max_find_node_count = lib.mkOption { - type = lib.types.number; - default = 20; - }; - resolve_node_timeout_ms = lib.mkOption { - type = lib.types.number; - default = 10000; - }; - resolve_node_count = lib.mkOption { - type = lib.types.number; - default = 1; - }; - resolve_node_fanout = lib.mkOption { - type = lib.types.number; - default = 4; - }; - get_value_timeout_ms = lib.mkOption { - type = lib.types.number; - default = 10000; - }; - get_value_count = lib.mkOption { - type = lib.types.number; - default = 3; - }; - get_value_fanout = lib.mkOption { - type = lib.types.number; - default = 4; - }; - 
set_value_timeout_ms = lib.mkOption { - type = lib.types.number; - default = 10000; - }; - set_value_count = lib.mkOption { - type = lib.types.number; - default = 5; - }; - set_value_fanout = lib.mkOption { - type = lib.types.number; - default = 4; - }; - min_peer_count = lib.mkOption { - type = lib.types.number; - default = 20; - }; - min_peer_refresh_time_ms = lib.mkOption { - type = lib.types.number; - default = 60000; - }; - validate_dial_info_receipt_time_ms = lib.mkOption { - type = lib.types.number; - default = 2000; - }; - local_subkey_cache_size = lib.mkOption { - type = lib.types.number; - default = 128; - }; - local_max_subkey_cache_memory_mb = lib.mkOption { - type = lib.types.number; - default = 256; - }; - remote_subkey_cache_size = lib.mkOption { - type = lib.types.number; - default = 1024; - }; - remote_max_records = lib.mkOption { - type = lib.types.number; - default = 65536; - }; - remote_max_subkey_cache_memory_mb = lib.mkOption { - type = lib.types.number; - default = 2552; - }; - remote_max_storage_space_mb = lib.mkOption { - type = lib.types.number; - default = 10000; - }; - public_watch_limit = lib.mkOption { - type = lib.types.number; - default = 32; - }; - member_watch_limit = lib.mkOption { - type = lib.types.number; - default = 8; - }; - max_watch_expiration_ms = lib.mkOption { - type = lib.types.number; - default = 600000; - }; - }; - upnp = lib.mkOption { - type = lib.types.bool; - default = true; - }; - detect_address_changes = lib.mkOption { - type = lib.types.bool; - default = true; - }; - restricted_nat_retries = lib.mkOption { - type = lib.types.number; - default = 0; - }; - tls = { - certificate_path = lib.mkOption { - type = lib.types.str; - default = - "/home/${config.users.users.veilid.name}/.local/share/veilid/protected_store"; - }; - private_key_path = lib.mkOption { - type = lib.types.str; - default = - "/home/${config.users.users.veilid.name}/.local/share/veilid/protected_store"; - }; - connection_initial_timeout_ms = 
lib.mkOption { - type = lib.types.number; - default = 2000; - }; - }; - application = { - https = { - enabled = lib.mkOption { - type = lib.types.bool; + upnp = mkOption { + type = types.bool; default = true; - }; - listen_address = lib.mkOption { - type = lib.types.str; - default = ":433"; - }; - - path = lib.mkOption { - type = lib.types.str; - default = "app"; - }; - url = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; + description = + "Should the app try to improve its incoming network connectivity using UPnP?"; }; - }; - protocol = { - udp = { - enabled = lib.mkOption { - type = lib.types.bool; + detect_address_changes = mkOption { + type = types.bool; default = true; - }; - socket_pool_size = lib.mkOption { - type = lib.types.number; - default = 0; - }; - listen_address = lib.mkOption { - type = lib.types.str; - default = ""; - }; - public_address = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - }; - tcp = { - connect = lib.mkOption { - type = lib.types.bool; - default = true; - }; - listen = lib.mkOption { - type = lib.types.bool; - default = true; - }; - max_connections = lib.mkOption { - type = lib.types.number; - default = 32; - }; - listen_address = lib.mkOption { - type = lib.types.str; - default = ""; - }; - public_address = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - }; - ws = { - connect = lib.mkOption { - type = lib.types.bool; - default = true; - }; - listen = lib.mkOption { - type = lib.types.bool; - default = true; - }; - max_connections = lib.mkOption { - type = lib.types.number; - default = 32; - }; - listen_address = lib.mkOption { - type = lib.types.str; - default = ""; - }; - - path = lib.mkOption { - type = lib.types.str; - default = "ws"; - }; - url = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - }; - wss = { - connect = lib.mkOption { - type = lib.types.bool; - default = true; - }; - listen = 
lib.mkOption { - type = lib.types.bool; - default = true; - }; - max_connections = lib.mkOption { - type = lib.types.number; - default = 32; - }; - listen_address = lib.mkOption { - type = lib.types.str; - default = ""; - }; - - path = lib.mkOption { - type = lib.types.str; - default = "ws"; - }; - url = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; + description = + "Should veilid-core detect and notify on network address changes?"; }; }; }; }; - }); + }; }; }; - meta.maintainers = with lib.maintainers; [ figboy9 ]; + meta.maintainers = with maintainers; [ figboy9 ]; } From 0ea2046bc50aac2f4abf37952898e51392eb27c5 Mon Sep 17 00:00:00 2001 From: figboy9 Date: Sat, 14 Sep 2024 18:15:14 +0900 Subject: [PATCH 05/11] make opening the firewall optional --- nixos/modules/services/networking/veilid.nix | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/nixos/modules/services/networking/veilid.nix b/nixos/modules/services/networking/veilid.nix index 9c8a9bd7a661..e5e32d78a245 100644 --- a/nixos/modules/services/networking/veilid.nix +++ b/nixos/modules/services/networking/veilid.nix @@ -8,11 +8,9 @@ let configFile = settingsFormat.generate "veilid.yaml" cfg.settings; in { config = mkIf cfg.enable { - networking = { - firewall = { + networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = [ 5150 ]; allowedUDPPorts = [ 5150 ]; - }; }; systemd.services.veilid = { @@ -45,6 +43,11 @@ in { options.services.veilid = { enable = mkEnableOption "Veilid Headless Node"; + openFirewall = mkOption { + default = false; + type = types.bool; + description = "Whether to open firewall on ports 5150/tcp, 5150/udp"; + }; settings = mkOption { description = '' Build veilid-server.conf with nix expression. From 55a594468a7a224dfe2a8485bf51ff24d4d90fec Mon Sep 17 00:00:00 2001 
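Review bot: `dht.min_peer_count` in this hunk is typed `types.number`, which accepts floats such as `20.5` that the YAML generator emits verbatim and veilid-server will presumably reject at start-up; use `types.ints.unsigned` (or `types.int`) for counts. `block_store.directory` is `types.nullOr types.str` while the sibling `protected_store.directory` and `table_store.directory` options are `types.str` with the same kind of `${dataDir}/…` default, so either the `nullOr` is unnecessary or the others should accept `null` too — pick one and document what `null` means. The `level` options are free-form `types.str`; a `types.enum` over the level names given in the linked upstream configuration documentation would reject typos at evaluation time instead of at service start. The enclosing `options.services.veilid` attribute set starts before this hunk.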
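Review bot: `openFirewall` opens 5150/tcp and 5150/udp unconditionally, but `settings` is a freeform submodule through which the listen ports can be changed (the first patch even declared `core.network.protocol.*.listen_address` options), so the opened ports may not match the configured ones. Either derive the ports from the relevant `settings` value or state the limitation in the option text, e.g. `description = "Whether to open the firewall for Veilid's default ports 5150/tcp and 5150/udp; ports changed via settings must be opened manually.";`. The same applies to the `networking.firewall = mkIf cfg.openFirewall` hunk at the top of this patch.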
From: figboy9 Date: Sat, 14 Sep 2024 18:20:01 +0900 Subject: [PATCH 06/11] change dataDir --- nixos/modules/services/networking/veilid.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/services/networking/veilid.nix b/nixos/modules/services/networking/veilid.nix index e5e32d78a245..f04677f1a3cd 100644 --- a/nixos/modules/services/networking/veilid.nix +++ b/nixos/modules/services/networking/veilid.nix @@ -2,7 +2,7 @@ with lib; let cfg = config.services.veilid; - dataDir = "/var/lib/veilid"; + dataDir = "/var/db/veilid-server"; settingsFormat = pkgs.formats.yaml { }; configFile = settingsFormat.generate "veilid.yaml" cfg.settings; From 16002b1628ed7a3accd743a6bd462f6bac3e8238 Mon Sep 17 00:00:00 2001 From: figboy9 Date: Sat, 14 Sep 2024 18:25:26 +0900 Subject: [PATCH 07/11] fix systemd service based on veilid package --- nixos/modules/services/networking/veilid.nix | 80 ++++++++++++++------ 1 file changed, 57 insertions(+), 23 deletions(-) diff --git a/nixos/modules/services/networking/veilid.nix b/nixos/modules/services/networking/veilid.nix index f04677f1a3cd..90f2e2556ae2 100644 --- a/nixos/modules/services/networking/veilid.nix +++ b/nixos/modules/services/networking/veilid.nix 
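Review bot: `dataDir` now points to `/var/db/veilid-server`, which is not where NixOS keeps service state (`/var/lib/<name>`, normally provisioned through `StateDirectory=`); if the upstream veilid-server package hard-codes this location, a comment such as `# Matches the upstream veilid-server default data directory` on the `dataDir` line would explain the departure from the `/var/lib` convention. At this point in the series nothing creates the directory, so the unit relies on later changes or the operator to provision it.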
@@ -5,40 +5,66 @@ let
 dataDir = "/var/db/veilid-server";

 settingsFormat = pkgs.formats.yaml { };
- configFile = settingsFormat.generate "veilid.yaml" cfg.settings;
+ configFile = settingsFormat.generate "veilid-server.conf" cfg.settings;
 in {
 config = mkIf cfg.enable {
 networking.firewall = mkIf cfg.openFirewall {
- allowedTCPPorts = [ 5150 ];
- allowedUDPPorts = [ 5150 ];
+ allowedTCPPorts = [ 5150 ];
+ allowedUDPPorts = [ 5150 ];
 };

+ # Based on https://gitlab.com/veilid/veilid/-/blob/main/package/systemd/veilid-server.service?ref_type=heads
 systemd.services.veilid = {
 enable = true;
- description = "Veilid Network Service";
- after = [ "network-pre.target" ];
- wants = [ "network.target" ];
- before = [ "network.target" ];
+ description = "Veilid Headless Node";
+ wants = [ "network-online.target" ];
+ before = [ "network-online.target" ];
 wantedBy = [ "multi-user.target" ];
 restartTriggers = [ configFile ];
- environment = { HOME = dataDir; };
+ environment = { RUST_BACKTRACE = "1"; };
 serviceConfig = {
- User = "veilid";
- Restart = "always";
- StateDirectory = "veilid";
- RuntimeDirectory = "veilid";
 ExecStart = "${pkgs.veilid}/bin/veilid-server -c ${configFile}";
+ ExecReload = "${pkgs.coreutils}/bin/kill -s HUP $MAINPID";
+ KillSignal = "SIGQUIT";
+ TimeoutStopSec = 5;
+ WorkingDirectory = "/";
+ User = "veilid";
+ Group = "veilid";
+ UMask = "0002";
+
+ CapabilityBoundingSet = "";
+ SystemCallFilter = [ "@system-service" ];
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ReadWritePaths = dataDir;
+
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ LockPersonality = true;
+ RestrictSUIDSGID = true;
 };
 };
- users.users.veilid = { isSystemUser = true; };
-
- users.users.veilid.group = "veilid";
+ users.users.veilid = {
+ isSystemUser = true;
+ group = "veilid";
+ home = dataDir;
+ createHome = true;
+ };
 users.groups.veilid = { };

- environment = {
- etc."veilid/veilid-server.conf".source = configFile;
- systemPackages = [ pkgs.veilid ];
- };
+ environment = { systemPackages = [ pkgs.veilid ]; };
+ services.veilid.settings = { };
 };

 options.services.veilid = {
@@ -79,6 +105,7 @@ in {
 level = mkOption {
 type = types.str;
 default = "info";
+ example = "debug";
 description =
 "The minimum priority of system events to be logged.";
 };
@@ -92,6 +119,7 @@ in {
 level = mkOption {
 type = types.str;
 default = "info";
+ example = "debug";
 description =
 "The minimum priority of terminal events to be logged.";
 };
@@ -105,6 +133,7 @@ in {
 level = mkOption {
 type = types.str;
 default = "info";
+ example = "debug";
 description =
 "The minimum priority of api events to be logged.";
 };
@@ -115,6 +144,7 @@ in {
 disable = mkOption {
 type = types.listOf types.str;
 default = [ ];
+ example = [ "APPM" ];
 description =
 "A list of capabilities to disable (for example, DHTV to say you cannot store DHT information).";
 };
@@ -156,13 +186,17 @@ in {
 };
 };
 network = {
- routing_table = {
+ routing_table = {
 bootstrap = mkOption {
 type = types.listOf types.str;
- default = [ "bootstrap.veilid.net" ];
+ default = [ "bootstrap.veilid.net" ];
 description =
 "Host name of existing well-known Veilid bootstrap servers for the network to connect to.";
 };
+ node_id = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ };
 };
 dht = {
 min_peer_count = mkOption {
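Review bot: `UMask = "0002"` makes every file veilid-server creates group-writable, and this unit writes the protected store, table store and block store under `dataDir`, the first of which the module's own options describe as the fallback for system-provided secure storage; `UMask = "0077";` (or `"0027"` if another member of the `veilid` group must read the data) is the safer default unless the upstream layout relies on group write. The sandbox is otherwise thorough but has no `RestrictAddressFamilies`, `RestrictNamespaces` or `ProtectHostname`; for a network daemon `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];` and `RestrictNamespaces = true;` close off the remaining socket families and namespace creation at no cost. `SystemCallFilter = [ "@system-service" ]` is a sound baseline; pairing it with `"~@privileged" "~@resources"` is the usual NixOS pattern. The `services.veilid.settings = { };` assignment inside `config` is a no-op that deserves either a comment explaining its purpose or removal. The `config` attrset continues outside the hunk.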
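Review bot: The new `node_id` option is written as `lib.mkOption` with `lib.types.nullOr lib.types.str`, while the rest of the file, including the sibling `bootstrap` option just above it, relies on `with lib;` and writes bare `mkOption`/`types`; `node_id = mkOption { type = types.nullOr types.str;` keeps the spelling uniform. The mixed form survives into the nixfmt patch later in this series, so it is worth fixing at the source. The `routing_table` attrset is fully inside the hunk, but the surrounding `options` tree continues outside it.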
@@ -174,13 +208,13 @@ in {
 };
 upnp = mkOption {
 type = types.bool;
- default = true;
+ default = true;
 description =
 "Should the app try to improve its incoming network connectivity using UPnP?";
 };
 detect_address_changes = mkOption {
 type = types.bool;
- default = true;
+ default = true;
 description =
 "Should veilid-core detect and notify on network address changes?";
 };

From a01561ab26fd18602577f5d5d38a40b36929eb06 Mon Sep 17 00:00:00 2001
From: figboy9
Date: Sun, 15 Sep 2024 10:35:52 +0900
Subject: [PATCH 08/11] nixos/veilid: add a description of options

---
 nixos/modules/services/networking/veilid.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nixos/modules/services/networking/veilid.nix b/nixos/modules/services/networking/veilid.nix
index 90f2e2556ae2..82e242144311 100644
--- a/nixos/modules/services/networking/veilid.nix
+++ b/nixos/modules/services/networking/veilid.nix
@@ -93,6 +93,7 @@ in {
 ipc_directory = mkOption {
 type = types.str;
 default = "${dataDir}/ipc";
+ description = "IPC directory where file sockets are stored.";
 };
 };
 logging = {
@@ -196,6 +197,8 @@ in {
 node_id = lib.mkOption {
 type = lib.types.nullOr lib.types.str;
 default = null;
+ description =
+ "Base64-encoded public key for the node, used as the node's ID.";
 };
 };
 dht = {

From ca5cb00a4cfc8505a637527b7ebc8f342a4c7eeb Mon Sep 17 00:00:00 2001
From: figboy9
Date: Sun, 15 Sep 2024 10:37:36 +0900
Subject: [PATCH 09/11] nixos/veilid: format with nixfmt-rfc-style

---
 nixos/modules/services/networking/veilid.nix | 63 +++++++++----------
 1 file changed, 29 insertions(+), 34 deletions(-)

diff --git a/nixos/modules/services/networking/veilid.nix b/nixos/modules/services/networking/veilid.nix
index 82e242144311..d0d411bcec48 100644
--- a/nixos/modules/services/networking/veilid.nix
+++ b/nixos/modules/services/networking/veilid.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 with lib;
 let
 cfg = config.services.veilid;
@@ -6,7 +11,8 @@ let

 settingsFormat = pkgs.formats.yaml { };
 configFile = settingsFormat.generate "veilid-server.conf" cfg.settings;
-in {
+in
+{
 config = mkIf cfg.enable {
 networking.firewall = mkIf cfg.openFirewall {
 allowedTCPPorts = [ 5150 ];
@@ -21,7 +27,9 @@ in {
 before = [ "network-online.target" ];
 wantedBy = [ "multi-user.target" ];
 restartTriggers = [ configFile ];
- environment = { RUST_BACKTRACE = "1"; };
+ environment = {
+ RUST_BACKTRACE = "1";
+ };
 serviceConfig = {
 ExecStart = "${pkgs.veilid}/bin/veilid-server -c ${configFile}";
 ExecReload = "${pkgs.coreutils}/bin/kill -s HUP $MAINPID";
@@ -63,7 +71,9 @@ in {
 };
 users.groups.veilid = { };

- environment = { systemPackages = [ pkgs.veilid ]; };
+ environment = {
+ systemPackages = [ pkgs.veilid ];
+ };
 services.veilid.settings = { };
 };

@@ -87,8 +97,7 @@ in {
 ipc_enabled = mkOption {
 type = types.bool;
 default = true;
- description =
- "veilid-server will respond to Python and other JSON client requests.";
+ description = "veilid-server will respond to Python and other JSON client requests.";
 };
 ipc_directory = mkOption {
 type = types.str;
@@ -107,8 +116,7 @@ in {
 type = types.str;
 default = "info";
 example = "debug";
- description =
- "The minimum priority of system events to be logged.";
+ description = "The minimum priority of system events to be logged.";
 };
 };
 terminal = {
@@ -121,8 +129,7 @@ in {
 type = types.str;
 default = "info";
 example = "debug";
- description =
- "The minimum priority of terminal events to be logged.";
+ description = "The minimum priority of terminal events to be logged.";
 };
 };
 api = {
@@ -135,8 +142,7 @@ in {
 type = types.str;
 default = "info";
 example = "debug";
- description =
- "The minimum priority of api events to be logged.";
+ description = "The minimum priority of api events to be logged.";
 };
 };
 };
@@ -146,44 +152,38 @@ in {
 type = types.listOf types.str;
 default = [ ];
 example = [ "APPM" ];
- description =
- "A list of capabilities to disable (for example, DHTV to say you cannot store DHT information).";
+ description = "A list of capabilities to disable (for example, DHTV to say you cannot store DHT information).";
 };
 };
 protected_store = {
 allow_insecure_fallback = mkOption {
 type = types.bool;
 default = true;
- description =
- "If we can't use system-provided secure storage, should we proceed anyway?";
+ description = "If we can't use system-provided secure storage, should we proceed anyway?";
 };
 always_use_insecure_storage = mkOption {
 type = types.bool;
 default = true;
- description =
- "Should we bypass any attempt to use system-provided secure storage?";
+ description = "Should we bypass any attempt to use system-provided secure storage?";
 };
 directory = mkOption {
 type = types.str;
 default = "${dataDir}/protected_store";
- description =
- "The filesystem directory to store your protected store in.";
+ description = "The filesystem directory to store your protected store in.";
 };
 };
 table_store = {
 directory = mkOption {
 type = types.str;
 default = "${dataDir}/table_store";
- description =
- "The filesystem directory to store your table store within.";
+ description = "The filesystem directory to store your table store within.";
 };
 };
 block_store = {
 directory = mkOption {
 type = types.nullOr types.str;
 default = "${dataDir}/block_store";
- description =
- "The filesystem directory to store blocks for the block store.";
+ description = "The filesystem directory to store blocks for the block store.";
 };
 };
 network = {
@@ -191,35 +191,30 @@ in {
 bootstrap = mkOption {
 type = types.listOf types.str;
 default = [ "bootstrap.veilid.net" ];
- description =
- "Host name of existing well-known Veilid bootstrap servers for the network to connect to.";
+ description = "Host name of existing well-known Veilid bootstrap servers for the network to connect to.";
 };
 node_id = lib.mkOption {
 type = lib.types.nullOr lib.types.str;
 default = null;
- description =
- "Base64-encoded public key for the node, used as the node's ID.";
+ description = "Base64-encoded public key for the node, used as the node's ID.";
 };
 };
 dht = {
 min_peer_count = mkOption {
 type = types.number;
 default = 20;
- description =
- "Minimum number of nodes to keep in the peer table.";
+ description = "Minimum number of nodes to keep in the peer table.";
 };
 };
 upnp = mkOption {
 type = types.bool;
 default = true;
- description =
- "Should the app try to improve its incoming network connectivity using UPnP?";
+ description = "Should the app try to improve its incoming network connectivity using UPnP?";
 };
 detect_address_changes = mkOption {
 type = types.bool;
 default = true;
- description =
- "Should veilid-core detect and notify on network address changes?";
+ description = "Should veilid-core detect and notify on network address changes?";
 };
 };
 };

From 1dba027ae97a0ec3d19826f913c7235546c19442 Mon Sep 17 00:00:00 2001
From: figboy9
Date: Sun, 15 Sep 2024 10:40:44 +0900
Subject: [PATCH 10/11] nixos/veilid: format module-list with nixfmt-rfc-style

---
 nixos/modules/module-list.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 370e7b761443..26fdff93e98d 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1695,7 +1695,9 @@
 ./virtualisation/xe-guest-utilities.nix
 ./virtualisation/xen-dom0.nix
 {
- documentation.nixos.extraModules =
- [ ./virtualisation/qemu-vm.nix ./image/repart.nix ];
+ documentation.nixos.extraModules = [
+ ./virtualisation/qemu-vm.nix
+ ./image/repart.nix
+ ];
 }
 ]

From 56f8f810aeedd2b03c4bc390f714875fe522e93a Mon Sep 17 00:00:00 2001
From: figboy9
Date: Mon, 23 Sep 2024 13:30:38 +0900
Subject: [PATCH 11/11] nixos/veilid: fix description link

---
 nixos/modules/services/networking/veilid.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/networking/veilid.nix b/nixos/modules/services/networking/veilid.nix
index d0d411bcec48..d471a5f61952 100644
--- a/nixos/modules/services/networking/veilid.nix
+++ b/nixos/modules/services/networking/veilid.nix
@@ -87,7 +87,7 @@ in
 settings = mkOption {
 description = ''
 Build veilid-server.conf with nix expression.
- Check [Configuration Keys](https://veilid.gitlab.io/developer-book/admin/config.html#configuration-keys).
+ Check Configuration Keys.
 '';
 type = types.submodule {
 freeformType = settingsFormat.type;
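Review bot: Replacing the Markdown link with the bare text `Check Configuration Keys.` drops the URL entirely, so the description now tells the reader to consult something it no longer points to. If the link syntax is what the documentation build rejected, keep the target as plain text, e.g. `Check the Configuration Keys section of the Veilid admin documentation: https://veilid.gitlab.io/developer-book/admin/config.html#configuration-keys`. The `settings` option continues outside the hunk.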