
knock: init at 0.7.8 #74793

Open. Wants to merge 2 commits into base: master

Conversation

filalex77 (Contributor) commented Dec 1, 2019

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.


teto (Contributor) commented Dec 1, 2019

Is it easy to run as a standalone, or should we expect some later module?

example = "7000,8000,9000";
};

one_time_sequences = mkOption {

Infinisil (Member) reviewed Dec 24, 2019:

Use camelCase for option names. Same for the others.

example = 10;
};

tcpflags = mkOption {

Infinisil (Member) reviewed Dec 24, 2019:

tcpFlags

default = null;
type = nullOr str;
description = ''
Time to wait (in seconds) between Start_Command and Stop_Command.

Infinisil (Member) reviewed Dec 24, 2019:

Use <option>startCommand</option> here to have it show up nicer in the manual (and make sure to camelCase all such references to options too).

description = "Extra packages to add to PATH.";
};

options = mkOption {

Infinisil (Member) reviewed Dec 24, 2019:

It's convention to not put such options into a separate attribute set. So I'd define options.services.knockd.interface instead.

options = mkOption {
type = types.submodule {
options = {
useSyslog = mkEnableOption "logging messages through syslog()";

Infinisil (Member) reviewed Dec 24, 2019:

Unless there is a good reason this should be configurable I think this can be dropped. The standard on NixOS is to log through journald. Similarly logfile can be dropped.

serviceConfig = {
ExecStart = "${pkgs.knock}/bin/knockd";
Restart = "always";
PIDFile = cfg.options.pidfile;

Infinisil (Member) reviewed Dec 24, 2019:

Also, if possible, make it not fork into the background; this is preferred in NixOS.

###### implementation

config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ knock ] ++ cfg.extraPackages;

Infinisil (Member) reviewed Dec 24, 2019:

Does this need to be added to systemPackages? Unless there's a reason, this can be removed.

enable = mkEnableOption description;

extraPackages = mkOption {
default = with pkgs; [ iptables iproute ];

Infinisil (Member) reviewed Dec 24, 2019:

Does the service work at all if these two packages aren't included here? If not, they should be set with path = [ iptables iproute ] ++ extraPackages instead, and this should default to [].

unitConfig.Documentation = "man:knockd(1)";

serviceConfig = {
ExecStart = "${pkgs.knock}/bin/knockd";

Infinisil (Member) reviewed Dec 24, 2019:

This runs as root like this, which is not optimal. Try to make it use DynamicUser = true; instead, although this might not play well with the ability for the user to configure arbitrary commands.

port knock sequence. These port-hits need not be on open ports, since we
use libpcap to sniff the raw interface traffic.
'';
homepage = "http://www.zeroflux.org/projects/knock";

Infinisil (Member) reviewed Dec 24, 2019:

Has HTTPS support.

filalex77 (Contributor, Author) commented Dec 25, 2019

@Infinisil Thanks for an awesome review, I learned so much! I'll address all of the mentioned points whenever possible.
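The following module sketch is an added illustration, not code from this PR or from nixpkgs, showing how the review points above fit together in one services.knockd module: camelCase option names defined directly under options.services.knockd rather than in a nested options attribute set, <option> references in descriptions, no syslog/logfile options (the journal collects stdout), required packages on the unit's path with extraPackages defaulting to [], no forking and therefore no PIDFile, and DynamicUser with only the capabilities the daemon needs instead of running as root. The option names, the config-file generator, the sequence as a list of ports, the knockd flags -c and -i, the cmd_timeout key, and the hardening settings are all assumptions made for this example; knockd is assumed to stay in the foreground unless given --daemon.

```nix
# Added example module, not part of the PR under review. Option names, the
# config generator and the hardening settings are assumptions for illustration.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.knockd;

  # knockd reads an INI-style file: one [options] block plus one block per
  # sequence. Keys below follow the knockd(1) layout (assumed).
  mkSequence = name: seq: ''
    [${name}]
      sequence      = ${concatStringsSep "," (map toString seq.sequence)}
      seq_timeout   = ${toString seq.seqTimeout}
      tcpflags      = ${seq.tcpFlags}
      start_command = ${seq.startCommand}
      ${optionalString (seq.stopCommand != null) "stop_command = ${seq.stopCommand}"}
      ${optionalString (seq.cmdTimeout != null) "cmd_timeout = ${toString seq.cmdTimeout}"}
  '';

  configFile = pkgs.writeText "knockd.conf" ''
    [options]
      interface = ${cfg.interface}
    ${concatStringsSep "\n" (mapAttrsToList mkSequence cfg.sequences)}
  '';
in
{
  # Options live directly under services.knockd, not in a nested "options" set.
  options.services.knockd = {
    enable = mkEnableOption "knockd, a port-knocking daemon";

    interface = mkOption {
      type = types.str;
      default = "eth0";
      description = "Network interface on which knockd sniffs for knock sequences.";
    };

    extraPackages = mkOption {
      type = types.listOf types.package;
      default = [ ];
      description = "Extra packages made available on the PATH of knock commands.";
    };

    sequences = mkOption {
      default = { };
      description = "Named knock sequences; each runs <option>startCommand</option> when matched.";
      type = types.attrsOf (types.submodule {
        options = {
          sequence = mkOption {
            type = types.listOf types.port;
            example = [ 7000 8000 9000 ];
            description = "Ports that must be hit in this order.";
          };
          seqTimeout = mkOption { type = types.int; default = 5; description = "Seconds allowed for the whole sequence."; };
          tcpFlags = mkOption { type = types.str; default = "syn"; description = "TCP flags a hit must carry."; };
          startCommand = mkOption { type = types.str; description = "Command run when the sequence is matched."; };
          stopCommand = mkOption { type = types.nullOr types.str; default = null; description = "Command run after <option>cmdTimeout</option> seconds."; };
          cmdTimeout = mkOption {
            type = types.nullOr types.int;
            default = null;
            description = "Seconds to wait between <option>startCommand</option> and <option>stopCommand</option>.";
          };
        };
      });
    };
  };

  config = mkIf cfg.enable {
    # No systemPackages entry: nothing outside the unit needs the binary.
    systemd.services.knockd = {
      description = "Port-knocking daemon";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      unitConfig.Documentation = "man:knockd(1)";

      # Packages the commands depend on are always on PATH; extraPackages only adds to that.
      path = [ pkgs.iptables pkgs.iproute ] ++ cfg.extraPackages;

      serviceConfig = {
        # Foreground process (no --daemon), so no PIDFile or Type=forking; logs go to the journal.
        ExecStart = "${pkgs.knock}/bin/knockd -c ${configFile} -i ${cfg.interface}";
        Restart = "always";
        # Drop root: a dynamic user holding only what sniffing (CAP_NET_RAW)
        # and firewall edits (CAP_NET_ADMIN) require.
        DynamicUser = true;
        AmbientCapabilities = [ "CAP_NET_RAW" "CAP_NET_ADMIN" ];
        CapabilityBoundingSet = [ "CAP_NET_RAW" "CAP_NET_ADMIN" ];
        ProtectSystem = "strict";
        ProtectHome = true;
      };
    };
  };
}
```

The capability set is the practical answer to the reviewer's caveat about DynamicUser: commands the administrator configures in startCommand still run as the dynamic user, so anything beyond packet capture and iptables/iproute changes (for example editing files under /etc) will fail under ProtectSystem = "strict" and without further capabilities, which is the intended least-privilege boundary rather than a defect.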
