Unverified Commit 25bdc22a authored by Emily's avatar Emily Committed by GitHub

Merge pull request #334495 from Sigmanificient/liboop

{liboop,lsh}: drop
parents 5b426697 e959525e
+2 −0
@@ -324,6 +324,8 @@

- The `services.trust-dns` module has been renamed to `services.hickory-dns`.

- The `lsh` package and the `services.lshd` module have been removed as they had no maintainer in Nixpkgs and hadn’t seen an upstream release in over a decade. It is recommended to migrate to `openssh` and `services.openssh`.

## Other Notable Changes {#sec-release-24.11-notable-changes}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+0 −1
@@ -1209,7 +1209,6 @@
  ./services/networking/spacecookie.nix
  ./services/networking/spiped.nix
  ./services/networking/squid.nix
  ./services/networking/ssh/lshd.nix
  ./services/networking/ssh/sshd.nix
  ./services/networking/sslh.nix
  ./services/networking/strongswan-swanctl/module.nix
+1 −0
@@ -70,6 +70,7 @@ in
    (mkRemovedOptionModule [ "services" "hydron" ] "The `services.hydron` module has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability.")
    (mkRemovedOptionModule [ "services" "ihatemoney" ] "The ihatemoney module has been removed for lack of downstream maintainer")
    (mkRemovedOptionModule [ "services" "kippo" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "lshd" ] "The corresponding package was removed from nixpkgs as it had no maintainer in Nixpkgs and hasn't seen an upstream release in over a decades.")
    (mkRemovedOptionModule [ "services" "mailpile" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "marathon" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "mathics" ] "The Mathics module has been removed")
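Review bot: The removal message added for `services.lshd` names no replacement, although the release note in this same commit recommends `openssh` and `services.openssh`. This message is presumably what an operator sees when a configuration still sets the option, so on a host whose remote login was lshd it should say what to switch to. I would fix the typo `over a decades` to `over a decade` and append `Consider migrating to services.openssh.` to the string. The removed module defaulted password authentication, TCP forwarding and X11 forwarding to on and root login to off, so the migration hint could also remind users to set the equivalent options explicitly rather than rely on the new service's defaults. The surrounding list of `mkRemovedOptionModule` entries starts and ends outside this hunk.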
+0 −187
{ config, lib, pkgs, ... }:

with lib;

let

  inherit (pkgs) lsh;

  cfg = config.services.lshd;

in

{

  ###### interface

  options = {

    services.lshd = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable the GNU lshd SSH2 daemon, which allows
          secure remote login.
        '';
      };

      portNumber = mkOption {
        default = 22;
        type = types.port;
        description = ''
          The port on which to listen for connections.
        '';
      };

      interfaces = mkOption {
        default = [];
        type = types.listOf types.str;
        description = ''
          List of network interfaces where listening for connections.
          When providing the empty list, `[]`, lshd listens on all
          network interfaces.
        '';
        example = [ "localhost" "1.2.3.4:443" ];
      };

      hostKey = mkOption {
        default = "/etc/lsh/host-key";
        type = types.str;
        description = ''
          Path to the server's private key.  Note that this key must
          have been created, e.g., using "lsh-keygen --server |
          lsh-writekey --server", so that you can run lshd.
        '';
      };

      syslog = mkOption {
        type = types.bool;
        default = true;
        description = "Whether to enable syslog output.";
      };

      passwordAuthentication = mkOption {
        type = types.bool;
        default = true;
        description = "Whether to enable password authentication.";
      };

      publicKeyAuthentication = mkOption {
        type = types.bool;
        default = true;
        description = "Whether to enable public key authentication.";
      };

      rootLogin = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable remote root login.";
      };

      loginShell = mkOption {
        default = null;
        type = types.nullOr types.str;
        description = ''
          If non-null, override the default login shell with the
          specified value.
        '';
        example = "/nix/store/xyz-bash-10.0/bin/bash10";
      };

      srpKeyExchange = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Whether to enable SRP key exchange and user authentication.
        '';
      };

      tcpForwarding = mkOption {
        type = types.bool;
        default = true;
        description = "Whether to enable TCP/IP forwarding.";
      };

      x11Forwarding = mkOption {
        type = types.bool;
        default = true;
        description = "Whether to enable X11 forwarding.";
      };

      subsystems = mkOption {
        type = types.listOf types.path;
        description = ''
          List of subsystem-path pairs, where the head of the pair
          denotes the subsystem name, and the tail denotes the path to
          an executable implementing it.
        '';
      };

    };

  };


  ###### implementation

  config = mkIf cfg.enable {

    services.lshd.subsystems = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ];

    systemd.services.lshd = {
      description = "GNU lshd SSH2 daemon";

      after = [ "network.target" ];

      wantedBy = [ "multi-user.target" ];

      environment = {
        LD_LIBRARY_PATH = config.system.nssModules.path;
      };

      preStart = ''
        test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh
        test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh

        if ! test -f /var/spool/lsh/yarrow-seed-file
        then
            # XXX: It would be nice to provide feedback to the
            # user when this fails, so that they can retry it
            # manually.
            ${lsh}/bin/lsh-make-seed --sloppy \
               -o /var/spool/lsh/yarrow-seed-file
        fi

        if ! test -f "${cfg.hostKey}"
        then
            ${lsh}/bin/lsh-keygen --server | \
            ${lsh}/bin/lsh-writekey --server -o "${cfg.hostKey}"
        fi
      '';

      script = with cfg; ''
        ${lsh}/sbin/lshd --daemonic \
          --password-helper="${lsh}/sbin/lsh-pam-checkpw" \
          -p ${toString portNumber} \
          ${optionalString (interfaces != []) (concatStrings (map (i: "--interface=\"${i}\"") interfaces))} \
          -h "${hostKey}" \
          ${optionalString (!syslog) "--no-syslog" } \
          ${if passwordAuthentication then "--password" else "--no-password" } \
          ${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \
          ${if rootLogin then "--root-login" else "--no-root-login" } \
          ${optionalString (loginShell != null) "--login-shell=\"${loginShell}\"" } \
          ${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \
          ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \
          ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \
          --subsystems=${concatStringsSep ","
                                          (map (pair: (head pair) + "=" +
                                                      (head (tail pair)))
                                               subsystems)}
      '';
    };

    security.pam.services.lshd = {};
  };
}
+0 −18
{lib, stdenv, fetchurl}:

stdenv.mkDerivation {
  pname = "liboop";
  version = "1.0";

  src = fetchurl {
    url = "http://download.ofb.net/liboop/liboop.tar.gz";
    sha256 = "34d83c6e0f09ee15cb2bc3131e219747c3b612bb57cf7d25318ab90da9a2d97c";
  };

  meta = {
    description = "Event loop library";
    homepage = "http://liboop.ofb.net/";
    license = "LGPL";
    platforms = lib.platforms.linux;
  };
}