diff --git a/nixos/hosts/marisa-7d76/networking.nix b/nixos/hosts/marisa-7d76/networking.nix index 0654f5b..7c136ac 100644 --- a/nixos/hosts/marisa-7d76/networking.nix +++ b/nixos/hosts/marisa-7d76/networking.nix @@ -1,12 +1,15 @@ -{ profiles, lib, ... }: +{ + config, + profiles, + lib, + ... +}: { imports = with profiles; [ services.enthalpy ]; services.enthalpy = { - users.rebmit = { }; - services.nix-daemon = { }; ipsec.interfaces = [ "enp14s0" ]; clat = { enable = true; @@ -15,6 +18,19 @@ gost.enable = true; }; + systemd.services.nix-daemon = { + serviceConfig = config.networking.netns.enthalpy.serviceConfig; + after = [ "netns-enthalpy.service" ]; + requires = [ "netns-enthalpy.service" ]; + }; + + systemd.services."user@${toString config.users.users.rebmit.uid}" = { + overrideStrategy = "asDropin"; + serviceConfig = config.networking.netns.enthalpy.serviceConfig; + after = [ "netns-enthalpy.service" ]; + requires = [ "netns-enthalpy.service" ]; + }; + systemd.network = { enable = true; wait-online.anyInterface = true; diff --git a/nixos/hosts/marisa-a7s/networking.nix b/nixos/hosts/marisa-a7s/networking.nix index 412c4ef..2402f88 100644 --- a/nixos/hosts/marisa-a7s/networking.nix +++ b/nixos/hosts/marisa-a7s/networking.nix @@ -1,12 +1,15 @@ -{ profiles, lib, ... }: +{ + config, + profiles, + lib, + ... +}: { imports = with profiles; [ services.enthalpy ]; services.enthalpy = { - users.rebmit = { }; - services.nix-daemon = { }; ipsec = { interfaces = [ "wlan0" ]; whitelist = [ "rebmit's edge network" ]; 
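Review bot: The `systemd.services.nix-daemon` and `systemd.services."user@…"` attribute sets added in the second marisa-7d76 hunk are repeated verbatim in the marisa-a7s hunk at `@@ -18,6 +21,19 @@`, and they replace what the deleted `services.enthalpy.services`/`users` options used to generate in one place; a small helper in the enthalpy profile (a function from unit name to the `serviceConfig`/`after`/`requires` set) would keep the two hosts from drifting. Unlike the other enthalpy units in this commit, these use `requires` without `partOf`, so if `netns-enthalpy.service` recreates the namespace on restart, an already-running nix-daemon would presumably stay attached to the old namespace; confirm whether that is intended, or add `partOf = [ "netns-enthalpy.service" ];` to the nix-daemon override (for the `user@` instance a restart would tear down the session, so a comment stating the choice is enough there).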
@@ -18,6 +21,19 @@ gost.enable = true; }; + systemd.services.nix-daemon = { + serviceConfig = config.networking.netns.enthalpy.serviceConfig; + after = [ "netns-enthalpy.service" ]; + requires = [ "netns-enthalpy.service" ]; + }; + + systemd.services."user@${toString config.users.users.rebmit.uid}" = { + overrideStrategy = "asDropin"; + serviceConfig = config.networking.netns.enthalpy.serviceConfig; + after = [ "netns-enthalpy.service" ]; + requires = [ "netns-enthalpy.service" ]; + }; + systemd.network = { enable = true; wait-online.anyInterface = true; diff --git a/nixos/hosts/reisen-sin0/networking.nix b/nixos/hosts/reisen-sin0/networking.nix index 133a359..c118286 100644 --- a/nixos/hosts/reisen-sin0/networking.nix +++ b/nixos/hosts/reisen-sin0/networking.nix @@ -1,7 +1,6 @@ { profiles, data, - lib, ... }: { @@ -57,12 +56,6 @@ dhcpV6Config.RouteMetric = 1024; ipv6AcceptRAConfig.RouteMetric = 1024; }; - "50-enthalpy" = { - routes = lib.singleton { - Destination = data.enthalpy_network_prefix; - Gateway = "fe80::ff:fe00:0"; - }; - }; }; }; } diff --git a/nixos/modules/networking/netns/common.nix b/nixos/modules/networking/netns/common.nix index ef5a851..d5eec8e 100644 --- a/nixos/modules/networking/netns/common.nix +++ b/nixos/modules/networking/netns/common.nix @@ -26,7 +26,7 @@ in }; mntnsPath = mkOption { type = types.str; - default = if name == "default" then "/proc/1/ns/mnt" else "/run/netns-${name}/mntns/${name}"; + default = if name == "default" then "/proc/1/ns/mnt" else "/run/${name}/mntns/${name}"; readOnly = true; description = '' Path to the auxiliary mount namespace. @@ -71,7 +71,7 @@ in BindReadOnlyPaths = optionals config.enableDNSIsolation [ "/etc/netns/${name}/resolv.conf:/etc/resolv.conf:norbind" "/etc/netns/${name}/nsswitch.conf:/etc/nsswitch.conf:norbind" - "/run/netns-${name}/nscd:/run/nscd:norbind" + "/run/${name}/nscd:/run/nscd:norbind" ]; }; readOnly = true; 
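Review bot: Dropping the `netns-` prefix makes the module's runtime directory `/run/${name}`, where `name` is any `networking.netns.<name>` attribute chosen by the user, so a namespace named like an existing `/run` entry (for example `nscd`, `user` or `systemd`) would now claim a path another unit already owns; with the second hunk the nscd bind would even become `/run/nscd/nscd:/run/nscd`. The prefix is removed in four places (both hunks here, the `RuntimeDirectory = "${name}/mntns"` hunk further down in this file, and the two lines in nscd.nix), so a single guard at module level covers all of them: `{ assertion = !(elem name [ "nscd" "systemd" "user" "dbus" ]); message = "networking.netns.${name} would shadow an existing /run directory"; }`, mapped over `config.networking.netns` into `assertions`. The `mntnsPath` option description could also mention that the path lives under the unit's `RuntimeDirectory` and is removed when `netns-${name}.service` stops.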
@@ -143,13 +143,13 @@ in ${optionalString enableDNSIsolation '' nsenter --mount=${mntnsPath} mount --bind --read-only /etc/netns/${name}/resolv.conf /etc/resolv.conf nsenter --mount=${mntnsPath} mount --bind --read-only /etc/netns/${name}/nsswitch.conf /etc/nsswitch.conf - nsenter --mount=${mntnsPath} mount --bind --read-only /run/netns-${name}/nscd /run/nscd + nsenter --mount=${mntnsPath} mount --bind --read-only /run/${name}/nscd /run/nscd ''} ''; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; - RuntimeDirectory = "netns-${name}/mntns"; + RuntimeDirectory = "${name}/mntns"; }; after = [ diff --git a/nixos/modules/networking/netns/extra-veth.nix b/nixos/modules/networking/netns/extra-veth.nix deleted file mode 100644 index d62da85..0000000 --- a/nixos/modules/networking/netns/extra-veth.nix +++ /dev/null 
@@ -1,127 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; -let - allNetns = config.networking.netns; - allExtraVeths = flatten (mapAttrsToList (_name: cfg: cfg.extraVeths) allNetns); -in -{ - options.networking.netns = mkOption { - type = types.attrsOf ( - types.submodule ( - { name, ... }: - { - options.extraVeths = mkOption { - type = types.listOf ( - types.submodule ( - { config, ... }: - { - options = { - sourceNetns = mkOption { - type = types.str; - default = name; - readOnly = true; - description = '' - The current network namespace. - ''; - }; - targetNetns = mkOption { - type = types.str; - description = '' - The network namespace to connect to. - ''; - }; - sourceInterface = mkOption { - type = types.str; - default = if config.targetNetns == "default" then "host" else config.targetNetns; - description = '' - The interface name in the current network namespace; - ''; - }; - targetInterface = mkOption { - type = types.str; - default = if config.sourceNetns == "default" then "host" else config.sourceNetns; - description = '' - The interface name in the other network namespace; - ''; - }; - }; - } - ) - ); - default = [ ]; - description = '' - Extra veth-pairs to be created for enabling link-scope connectivity - between inter-network namespaces. - Note that a veth-pair only needs to be defined on one end. 
- ''; - }; - } - ) - ); - }; - - config = { - systemd.services = listToAttrs ( - map ( - ev: - let - inherit (ev) - sourceNetns - targetNetns - sourceInterface - targetInterface - ; - sourceNetnsPath = config.networking.netns.${sourceNetns}.netnsPath; - targetNetnsPath = config.networking.netns.${targetNetns}.netnsPath; - serviceDeps = map (ns: "netns-${ns}.service") ( - filter (ns: ns != "default") [ - sourceNetns - targetNetns - ] - ); - mkSetup = - netns: _netnsPath: interface: - if netns == "default" then - "ip link set ${interface} up" - else - "ip -n ${netns} link set ${interface} up"; - mkDrop = - netns: _netnsPath: interface: - if netns == "default" then "ip link del ${interface}" else "ip -n ${netns} link del ${interface}"; - in - nameValuePair "netns-extra-veth-1-${sourceNetns}-${targetNetns}" { - path = with pkgs; [ - coreutils - iproute2 - procps - ]; - script = '' - ip link add ${sourceInterface} mtu 1400 address 02:00:00:00:00:01 netns ${sourceNetnsPath} type veth \ - peer ${targetInterface} mtu 1400 address 02:00:00:00:00:00 netns ${targetNetnsPath} - ${mkSetup sourceNetns sourceNetnsPath sourceInterface} - ${mkSetup targetNetns targetNetnsPath targetInterface} - ''; - preStop = '' - ${mkDrop sourceNetns sourceNetnsPath sourceInterface} - ''; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - after = [ - "network.target" - ] ++ serviceDeps; - partOf = serviceDeps; - wantedBy = [ - "multi-user.target" - ] ++ serviceDeps; - } - ) allExtraVeths - ); - }; -} diff --git a/nixos/modules/networking/netns/nscd.nix b/nixos/modules/networking/netns/nscd.nix index aa567c4..0b74837 100644 --- a/nixos/modules/networking/netns/nscd.nix +++ b/nixos/modules/networking/netns/nscd.nix 
@@ -43,12 +43,12 @@ in "/etc/netns/${name}/resolv.conf:/etc/resolv.conf:norbind" "/etc/netns/${name}/nsswitch.conf:/etc/nsswitch.conf:norbind" ]; - BindPaths = [ "/run/netns-${name}/nscd:/run/nscd:norbind" ]; + BindPaths = [ "/run/${name}/nscd:/run/nscd:norbind" ]; Type = "notify"; Restart = "on-failure"; RestartSec = 5; User = "${name}-nscd"; - RuntimeDirectory = "netns-${name}/nscd"; + RuntimeDirectory = "${name}/nscd"; RuntimeDirectoryPreserve = true; ExecStart = "${pkgs.nsncd}/bin/nsncd"; }; diff --git a/nixos/modules/networking/netns/port-forward.nix b/nixos/modules/networking/netns/port-forward.nix index 60f5778..1ef3375 100644 --- a/nixos/modules/networking/netns/port-forward.nix +++ b/nixos/modules/networking/netns/port-forward.nix @@ -84,7 +84,7 @@ in ] ); in - nameValuePair "netns-${name}-port-forward-${toString index}" { + nameValuePair "netns-${name}-port-forward-${toString index}-${netns}-${protocol}" { serviceConfig = mylib.misc.serviceHardened // cfg.serviceConfig diff --git a/nixos/modules/services/enthalpy/bird.nix b/nixos/modules/services/enthalpy/bird.nix index f2d59ae..337b84c 100644 --- a/nixos/modules/services/enthalpy/bird.nix +++ b/nixos/modules/services/enthalpy/bird.nix @@ -16,7 +16,7 @@ in enable = mkEnableOption "bird for site-scope connectivity"; socket = mkOption { type = types.str; - default = "/run/netns-${cfg.netns}/bird/bird.ctl"; + default = "/run/enthalpy/bird/bird.ctl"; description = '' Path to the bird control socket. ''; @@ -43,7 +43,7 @@ in }; config = mkIf (cfg.enable && cfg.bird.enable) { - environment.etc."netns/${cfg.netns}/bird.conf".source = pkgs.writeTextFile { + environment.etc."enthalpy/bird/bird.conf".source = pkgs.writeTextFile { name = "bird"; text = cfg.bird.config; checkPhase = optionalString cfg.bird.checkConfig '' 
@@ -55,14 +55,14 @@ in systemd.services.enthalpy-bird = { serviceConfig = mylib.misc.serviceHardened - // config.networking.netns.${cfg.netns}.serviceConfig + // config.networking.netns.enthalpy.serviceConfig // { Type = "forking"; Restart = "on-failure"; RestartSec = 5; DynamicUser = true; - RuntimeDirectory = "netns-${cfg.netns}/bird"; - ExecStart = "${pkgs.bird}/bin/bird -s ${cfg.bird.socket} -c /etc/netns/${cfg.netns}/bird.conf"; + RuntimeDirectory = "enthalpy/bird"; + ExecStart = "${pkgs.bird}/bin/bird -s ${cfg.bird.socket} -c /etc/enthalpy/bird/bird.conf"; ExecReload = "${pkgs.bird}/bin/birdc -s ${cfg.bird.socket} configure"; ExecStop = "${pkgs.bird}/bin/birdc -s ${cfg.bird.socket} down"; CapabilityBoundingSet = [ @@ -82,13 +82,13 @@ in "AF_NETLINK" ]; }; - after = [ "netns-${cfg.netns}.service" ]; - partOf = [ "netns-${cfg.netns}.service" ]; + after = [ "netns-enthalpy.service" ]; + partOf = [ "netns-enthalpy.service" ]; wantedBy = [ "multi-user.target" - "netns-${cfg.netns}.service" + "netns-enthalpy.service" ]; - reloadTriggers = [ config.environment.etc."netns/${cfg.netns}/bird.conf".source ]; + reloadTriggers = [ config.environment.etc."enthalpy/bird/bird.conf".source ]; }; services.enthalpy.bird.config = mkBefore '' diff --git a/nixos/modules/services/enthalpy/clat.nix b/nixos/modules/services/enthalpy/clat.nix index 3b30fe2..3cb7739 100644 --- a/nixos/modules/services/enthalpy/clat.nix +++ b/nixos/modules/services/enthalpy/clat.nix @@ -11,7 +11,7 @@ with lib; let inherit (mylib.network) cidr; cfg = config.services.enthalpy; - interface = config.networking.netns.${cfg.netns}.interface; + interface = config.networking.netns.enthalpy.interface; in { options.services.enthalpy.clat = { @@ -61,7 +61,7 @@ in ''; serviceConfig = mylib.misc.serviceHardened - // config.networking.netns.${cfg.netns}.serviceConfig + // config.networking.netns.enthalpy.serviceConfig // { Type = "forking"; Restart = "on-failure"; 
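Review bot: `RuntimeDirectory = "enthalpy/bird"` is now fixed while the `socket` option in the previous hunk is still user-settable, so a `socket` placed anywhere other than `/run/enthalpy/bird/` would presumably fail under `DynamicUser` plus `mylib.misc.serviceHardened` without an obvious error at evaluation time. Either derive the directory from the option, `RuntimeDirectory = removePrefix "/run/" (dirOf cfg.bird.socket);`, or add to the option description: `Must reside under /run/enthalpy/bird, the unit's RuntimeDirectory.` The `ExecStart` line hardcodes `/etc/enthalpy/bird/bird.conf` a second time; a `let` binding shared with the `environment.etc` key and `reloadTriggers` would keep the three from diverging.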
@@ -77,11 +77,11 @@ in ]; PrivateDevices = false; }; - after = [ "netns-${cfg.netns}.service" ]; - partOf = [ "netns-${cfg.netns}.service" ]; + after = [ "netns-enthalpy.service" ]; + partOf = [ "netns-enthalpy.service" ]; wantedBy = [ "multi-user.target" - "netns-${cfg.netns}.service" + "netns-enthalpy.service" ]; }; }; diff --git a/nixos/modules/services/enthalpy/common.nix b/nixos/modules/services/enthalpy/common.nix index 76465c2..69e2984 100644 --- a/nixos/modules/services/enthalpy/common.nix +++ b/nixos/modules/services/enthalpy/common.nix @@ -27,13 +27,6 @@ in Address to be added into the enthalpy network as source address. ''; }; - netns = mkOption { - type = types.str; - default = "enthalpy"; - description = '' - Name of the network namespace for enthalpy interfaces. - ''; - }; network = mkOption { type = types.str; description = '' @@ -43,8 +36,8 @@ in }; config = mkIf cfg.enable { - networking.netns."${cfg.netns}" = { - interface = cfg.netns; + networking.netns.enthalpy = { + interface = "enthalpy"; address = singleton "${cfg.address}/128"; enableIPv4Forwarding = false; enableIPv6Forwarding = true; diff --git a/nixos/modules/services/enthalpy/exit.nix b/nixos/modules/services/enthalpy/exit.nix index a0e957e..fb7d317 100644 --- a/nixos/modules/services/enthalpy/exit.nix +++ b/nixos/modules/services/enthalpy/exit.nix @@ -10,10 +10,7 @@ with lib; let cfg = config.services.enthalpy; birdPrefix = filter (p: p.type == "bird") cfg.exit.prefix; - staticPrefix = subtractLists birdPrefix cfg.exit.prefix; - staticRoutes = map ( - p: "${p.destination} from ${p.source} via fe80::ff:fe00:1 dev enthalpy" - ) staticPrefix; + staticPrefix = filter (p: p.type == "static") cfg.exit.prefix; in { options.services.enthalpy.exit = { 
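Review bot: Removing the `services.enthalpy.netns` option (first common.nix hunk) turns any existing host configuration that set it into a bare "option does not exist" evaluation error with no hint about the replacement; the same applies to `services.enthalpy.services` and `services.enthalpy.users` from the deleted services.nix and to `networking.netns.<name>.extraVeths` from the deleted extra-veth.nix. Add the corresponding removal modules next to the `options` block, e.g. `imports = [ (mkRemovedOptionModule [ "services" "enthalpy" "netns" ] "The enthalpy network namespace is now always named 'enthalpy'.") ];`, so users get the migration hint instead. The second hunk also fixes the interface name to `"enthalpy"`; a comment there noting that exit.nix, srv6.nix and the ipsec updown script rely on exactly this name would explain why it is no longer configurable.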
@@ -45,29 +42,53 @@ in }; config = mkIf (cfg.enable && cfg.exit.enable) { + systemd.network.networks."50-enthalpy" = { + matchConfig.Name = "enthalpy"; + routes = singleton { + Destination = cfg.network; + Gateway = "fe80::ff:fe00:2"; + }; + linkConfig.RequiredForOnline = false; + }; + services.enthalpy.bird.config = '' protocol static { ipv6 sadr; ${ concatMapStringsSep "\n" (p: '' - route ${p.destination} from ${p.source} via fe80::ff:fe00:1 dev "enthalpy"; + route ${p.destination} from ${p.source} via fe80::ff:fe00:1 dev "host"; '') birdPrefix } } ''; - systemd.services.enthalpy-exit = mkIf (staticRoutes != [ ]) { + systemd.services.enthalpy-exit = { + path = with pkgs; [ + coreutils + iproute2 + ]; + script = '' + ip link add enthalpy mtu 1400 address 02:00:00:00:00:01 type veth \ + peer host mtu 1400 address 02:00:00:00:00:02 netns enthalpy + ip link set enthalpy up + ip -n enthalpy link set host up + ${concatMapStringsSep "\n" ( + p: "ip -n enthalpy -6 route add ${p.destination} from ${p.source} via fe80::ff:fe00:1 dev host" + ) staticPrefix} + ''; + preStop = '' + ip link del enthalpy + ''; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; - ExecStart = builtins.map (route: "${pkgs.iproute2}/bin/ip -6 route add ${route}") staticRoutes; - ExecStop = builtins.map (route: "${pkgs.iproute2}/bin/ip -6 route del ${route}") staticRoutes; }; - after = [ "network.target" ]; - wants = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; + after = [ "netns-enthalpy.service" ]; + partOf = [ "netns-enthalpy.service" ]; + wantedBy = [ + "multi-user.target" + "netns-enthalpy.service" + ]; }; - - services.enthalpy.services.enthalpy-exit = mkIf (staticRoutes != [ ]) { }; }; } diff --git a/nixos/modules/services/enthalpy/gost.nix b/nixos/modules/services/enthalpy/gost.nix index 05e21d3..fa9f21c 100644 --- a/nixos/modules/services/enthalpy/gost.nix +++ b/nixos/modules/services/enthalpy/gost.nix 
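Review bot: The new `script` of `enthalpy-exit` is not idempotent: `ip link add enthalpy …` fails if a link of that name is left over from an unclean stop (`preStop` only runs on an orderly `systemctl stop`), and because the unit is `partOf` netns-enthalpy.service a namespace restart would then leave the exit path down until someone deletes the link by hand. A guard as the first line of `script`, `ip link del enthalpy 2>/dev/null || true`, makes start safe to repeat. The routing also rests on the link-local addresses being the EUI-64 forms of the fixed MACs (`fe80::ff:fe00:1` for `02:00:00:00:00:01` on the default side, `fe80::ff:fe00:2` for `02:00:00:00:00:02` on the `host` side), which holds only while `addr_gen_mode` is EUI-64 on both ends; a comment next to `Gateway = "fe80::ff:fe00:2";` stating that derivation would save the next reader the arithmetic. Finally, `staticPrefix` now keeps only `type == "static"` entries where `subtractLists` used to keep everything that was not bird, so a prefix with any third `type` value is silently dropped; that is fine if `type` is a two-value enum, which the unchanged options block above this hunk would show.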
@@ -25,15 +25,15 @@ in DynamicUser = true; ExecStart = "${pkgs.gost}/bin/gost -L=socks5://[::1]:${toString config.networking.ports.enthalpy-gost}"; }; - after = [ "netns-${cfg.netns}.service" ]; - partOf = [ "netns-${cfg.netns}.service" ]; + after = [ "netns-enthalpy.service" ]; + partOf = [ "netns-enthalpy.service" ]; wantedBy = [ "multi-user.target" - "netns-${cfg.netns}.service" + "netns-enthalpy.service" ]; }; - networking.netns."${cfg.netns}".forwardPorts = singleton { + networking.netns.enthalpy.forwardPorts = singleton { protocol = "tcp"; netns = "default"; source = "[::1]:${toString config.networking.ports.enthalpy-gost}"; diff --git a/nixos/modules/services/enthalpy/ipsec.nix b/nixos/modules/services/enthalpy/ipsec.nix index 929ee53..e5ac57e 100644 --- a/nixos/modules/services/enthalpy/ipsec.nix +++ b/nixos/modules/services/enthalpy/ipsec.nix @@ -4,6 +4,7 @@ config, lib, pkgs, + mylib, ... }: with lib; @@ -42,14 +43,6 @@ in List of endpoints available on this node. ''; }; - port = mkOption { - type = types.port; - default = config.networking.ports.enthalpy-ipsec; - readOnly = true; - description = '' - UDP port used by IKEv2. NAT-T is enabled by default. - ''; - }; interfaces = mkOption { type = types.listOf types.str; default = [ ]; 
@@ -99,30 +92,30 @@ in } ]; - environment.systemPackages = with pkgs; [ strongswan ]; - - environment.etc."ranet/config.json".source = (pkgs.formats.json { }).generate "config.json" { - organization = cfg.ipsec.organization; - common_name = cfg.ipsec.commonName; - endpoints = builtins.map (ep: { - serial_number = ep.serialNumber; - address_family = ep.addressFamily; - address = ep.address; - port = cfg.ipsec.port; - updown = pkgs.writeShellScript "updown" '' - LINK=enta$(printf '%08x\n' "$PLUTO_IF_ID_OUT") - case "$PLUTO_VERB" in - up-client) - ip link add "$LINK" type xfrm if_id "$PLUTO_IF_ID_OUT" - ip link set "$LINK" netns ${cfg.netns} multicast on mtu 1400 up - ;; - down-client) - ip -n ${cfg.netns} link del "$LINK" - ;; - esac - ''; - }) cfg.ipsec.endpoints; - }; + environment.etc."enthalpy/ranet/config.json".source = + (pkgs.formats.json { }).generate "enthalpy-ranet-config-json" + { + organization = cfg.ipsec.organization; + common_name = cfg.ipsec.commonName; + endpoints = builtins.map (ep: { + serial_number = ep.serialNumber; + address_family = ep.addressFamily; + address = ep.address; + port = config.networking.ports.enthalpy-ipsec; + updown = pkgs.writeShellScript "updown" '' + LINK=enta$(printf '%08x\n' "$PLUTO_IF_ID_OUT") + case "$PLUTO_VERB" in + up-client) + ip link add "$LINK" type xfrm if_id "$PLUTO_IF_ID_OUT" + ip link set "$LINK" netns enthalpy multicast on mtu 1400 up + ;; + down-client) + ip -n enthalpy link del "$LINK" + ;; + esac + ''; + }) cfg.ipsec.endpoints; + }; services.strongswan-swanctl = { enable = true; @@ -130,7 +123,7 @@ in charon { interfaces_use = ${strings.concatStringsSep "," cfg.ipsec.interfaces} port = 0 - port_nat_t = ${toString cfg.ipsec.port} + port_nat_t = ${toString config.networking.ports.enthalpy-ipsec} retransmit_base = 1 plugins { socket-default { 
@@ -168,7 +161,7 @@ in '' else cfg.ipsec.registry; - command = "ranet -c /etc/ranet/config.json -r ${registry} -k ${cfg.ipsec.privateKeyPath}"; + command = "ranet -c /etc/enthalpy/ranet/config.json -r ${registry} -k ${cfg.ipsec.privateKeyPath}"; in { path = with pkgs; [ @@ -178,7 +171,7 @@ in script = "${command} up"; reload = "${command} up"; preStop = "${command} down"; - serviceConfig = { + serviceConfig = mylib.misc.serviceHardened // { Type = "oneshot"; RemainAfterExit = true; }; @@ -189,16 +182,17 @@ in "network-online.target" "strongswan-swanctl.service" ]; - requires = [ - "netns-enthalpy.service" - ]; after = [ "network-online.target" + "netns-enthalpy.service" "strongswan-swanctl.service" + ]; + partOf = [ "netns-enthalpy.service" ]; + wantedBy = [ + "multi-user.target" "netns-enthalpy.service" ]; - wantedBy = [ "multi-user.target" ]; - reloadTriggers = [ config.environment.etc."ranet/config.json".source ]; + reloadTriggers = [ config.environment.etc."enthalpy/ranet/config.json".source ]; }; }; } diff --git a/nixos/modules/services/enthalpy/nat64.nix b/nixos/modules/services/enthalpy/nat64.nix index aef1f07..8c52d39 100644 --- a/nixos/modules/services/enthalpy/nat64.nix +++ b/nixos/modules/services/enthalpy/nat64.nix @@ -4,6 +4,7 @@ config, lib, pkgs, + mylib, ... }: with lib; @@ -13,14 +14,6 @@ in { options.services.enthalpy.nat64 = { enable = mkEnableOption "NAT64"; - table = mkOption { - type = types.int; - default = config.networking.routingTables.nat64; - readOnly = true; - description = '' - Routing table used for NAT64 entries. - ''; - }; prefix = mkOption { type = types.str; default = "64:ff9b::/96"; 
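Review bot: Wrapping the ranet unit in `mylib.misc.serviceHardened` (second hunk) changes what `ranet -c … -k ${cfg.ipsec.privateKeyPath}` can read, and the contents of that set are not in this diff: if it enables `ProtectHome`, a strict `ProtectSystem` or `PrivateNetwork`, a key stored under a home directory, or the charon vici socket that ranet presumably talks to, may become unreachable, and the failure only surfaces at `up` time. Either document the constraint on the `privateKeyPath` option, or add `BindReadOnlyPaths = [ cfg.ipsec.privateKeyPath ];` beside `Type = "oneshot";` so the key is visible regardless of the shared profile. The third hunk also replaces `requires` with `partOf`/`wantedBy`, so starting this unit on its own no longer pulls in `netns-enthalpy.service`; that matches the other enthalpy units in the commit, but is worth a comment since the updown script's `ip link set … netns enthalpy` depends on the namespace existing.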
@@ -38,19 +31,14 @@ in }; config = mkIf (cfg.enable && cfg.nat64.enable) { - systemd.network.config = { - networkConfig = { - IPv6Forwarding = true; - ManageForeignRoutes = false; - }; - }; + systemd.network.config.networkConfig.IPv6Forwarding = true; systemd.network.networks."70-nat64" = { matchConfig.Name = "nat64"; routes = [ { Destination = cfg.nat64.prefix; - Table = cfg.nat64.table; + Table = config.networking.routingTables.nat64; } { Destination = cfg.nat64.dynamicPool; } ]; @@ -59,7 +47,7 @@ in }; systemd.services.enthalpy-nat64 = { - serviceConfig = { + serviceConfig = mylib.misc.serviceHardened // { Type = "forking"; Restart = "on-failure"; RestartSec = 5; @@ -73,32 +61,27 @@ in ''}"; CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]; AmbientCapabilities = [ "CAP_NET_ADMIN" ]; - ProtectSystem = "full"; - ProtectHome = "yes"; - ProtectKernelTunables = true; - ProtectControlGroups = true; - PrivateTmp = true; - SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io"; - MemoryDenyWriteExecute = "yes"; + PrivateDevices = false; }; - wants = [ "network.target" ]; - after = [ + after = [ "netns-enthalpy.service" ]; + partOf = [ "netns-enthalpy.service" ]; + wantedBy = [ + "multi-user.target" "netns-enthalpy.service" - "network.target" ]; - requires = [ "netns-enthalpy.service" ]; - wantedBy = [ "multi-user.target" ]; }; - networking.nftables.enable = true; - networking.nftables.tables.enthalpy4 = { - family = "ip"; - content = '' - chain forward { - type filter hook forward priority 0; - tcp flags syn tcp option maxseg size set 1200 - } - ''; + networking.nftables = { + enable = true; + tables.enthalpy4 = { + family = "ip"; + content = '' + chain forward { + type filter hook forward priority 0; + tcp flags syn tcp option maxseg size set 1200 + } + ''; + }; }; }; } diff --git a/nixos/modules/services/enthalpy/services.nix b/nixos/modules/services/enthalpy/services.nix deleted file mode 100644 index 3a087b0..0000000 
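Review bot: Dropping `ManageForeignRoutes = false` from `systemd.network.config` (first hunk) returns networkd to its default handling of routes it did not install, while the srv6 unit in this commit still adds its seg6local routes with `ip -6 route add … dev enthalpy` on a link that networkd now manages through `50-enthalpy`; if networkd removes foreign routes when it reconfigures that link, the SRv6 endpoints disappear until enthalpy-srv6 is restarted — confirm, or keep `systemd.network.config.networkConfig.ManageForeignRoutes = false;`. The third hunk swaps the unit's explicit `ProtectSystem`/`ProtectKernelTunables`/`SystemCallFilter`/`MemoryDenyWriteExecute` list for `mylib.misc.serviceHardened`, whose contents are not in the diff; since this daemon translates packets arriving from outside the host, check that the shared set is at least as strict as the lines removed here. A comment on `PrivateDevices = false;` saying which device the translator needs (presumably `/dev/net/tun`) would record why that one setting is relaxed.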
--- a/nixos/modules/services/enthalpy/services.nix +++ /dev/null @@ -1,63 +0,0 @@ -# Portions of this file are sourced from -# https://github.com/NickCao/flakes/blob/3b03efb676ea602575c916b2b8bc9d9cd13b0d85/modules/gravity/default.nix -{ - config, - lib, - ... -}: -with lib; -let - cfg = config.services.enthalpy; -in -{ - options.services.enthalpy = { - services = mkOption { - type = types.attrsOf ( - types.submodule { - options = { - overrideStrategy = mkOption { - type = types.str; - default = "asDropinIfExists"; - }; - }; - } - ); - default = { }; - description = '' - Services that need to run inside the enthalpy network namespace. - ''; - }; - users = mkOption { - type = types.attrsOf (types.submodule { }); - default = { }; - description = '' - Users utilizing the enthalpy network namespace. - ''; - }; - }; - - config = mkIf cfg.enable (mkMerge [ - { - systemd.services = mapAttrs (_name: value: { - inherit (value) overrideStrategy; - serviceConfig = { - NetworkNamespacePath = "/run/netns/${cfg.netns}"; - BindReadOnlyPaths = [ - "/etc/netns/${cfg.netns}/resolv.conf:/etc/resolv.conf:norbind" - "/etc/netns/${cfg.netns}/nsswitch.conf:/etc/nsswitch.conf:norbind" - "/run/netns-${cfg.netns}/nscd:/run/nscd:norbind" - ]; - }; - after = [ "netns-enthalpy.service" ]; - requires = [ "netns-enthalpy.service" ]; - }) cfg.services; - - services.enthalpy.services = mapAttrs' ( - name: _value: - nameValuePair "user@${toString config.users.users.${name}.uid}" { - overrideStrategy = "asDropin"; - } - ) cfg.users; - } - ]); -} diff --git a/nixos/modules/services/enthalpy/srv6.nix b/nixos/modules/services/enthalpy/srv6.nix index 8ab1477..179e037 100644 --- a/nixos/modules/services/enthalpy/srv6.nix +++ b/nixos/modules/services/enthalpy/srv6.nix 
@@ -24,10 +24,13 @@ in }; actions = mkOption { type = types.listOf types.str; - default = [ - "${cidr.host 1 cfg.srv6.prefix} encap seg6local action End.DT6 table main dev enthalpy table localsid" - "${cidr.host 2 cfg.srv6.prefix} encap seg6local action End.DT6 table nat64 dev enthalpy table localsid" - ]; + default = + [ + "${cidr.host 1 cfg.srv6.prefix} encap seg6local action End.DT6 table main dev enthalpy table localsid" + ] + ++ optionals cfg.nat64.enable [ + "${cidr.host 2 cfg.srv6.prefix} encap seg6local action End.DT6 table nat64 dev enthalpy table localsid" + ]; description = '' List of SRv6 actions configured in the default network namespace. ''; 
@@ -57,27 +60,34 @@ in }; }; + services.enthalpy.exit = { + enable = true; + prefix = singleton { + type = "static"; + destination = cfg.srv6.prefix; + source = cfg.network; + }; + }; + systemd.services.enthalpy-srv6 = { - path = with pkgs; [ iproute2 ]; + path = with pkgs; [ + iproute2 + ]; + script = concatMapStringsSep "\n" (p: "ip -6 route add ${p}") cfg.srv6.actions; + preStop = concatMapStringsSep "\n" (p: "ip -6 route del ${p}") cfg.srv6.actions; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; - ExecStartPre = [ - "${pkgs.iproute2}/bin/ip -n ${cfg.netns} -6 r a ${cfg.srv6.prefix} from ${cfg.network} via fe80::ff:fe00:1 dev enthalpy" - ]; - ExecStart = builtins.map (route: "${pkgs.iproute2}/bin/ip -6 r a ${route}") cfg.srv6.actions; - ExecStop = builtins.map (route: "${pkgs.iproute2}/bin/ip -6 r d ${route}") cfg.srv6.actions; - ExecStopPost = [ - "${pkgs.iproute2}/bin/ip -n ${cfg.netns} -6 r d ${cfg.srv6.prefix} from ${cfg.network} via fe80::ff:fe00:1 dev enthalpy" - ]; }; - after = [ + after = [ "netns-enthalpy.service" ]; + partOf = [ + "netns-enthalpy.service" + "enthalpy-exit.service" + ]; + wantedBy = [ + "multi-user.target" "netns-enthalpy.service" - "network-online.target" ]; - requires = [ "netns-enthalpy.service" ]; - wants = [ "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; }; }; }
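Review bot: `enthalpy-srv6` lists `enthalpy-exit.service` in `partOf` but not in `after` or `requires`, yet every default entry of `cfg.srv6.actions` ends in `dev enthalpy`, the veth that enthalpy-exit.service creates; both units are `wantedBy` netns-enthalpy.service with no ordering between them, so the `ip -6 route add` lines in `script` can run before the link exists and the unit fails at boot with a missing device. Change the dependencies to `after = [ "netns-enthalpy.service" "enthalpy-exit.service" ]; requires = [ "enthalpy-exit.service" ];` and keep `partOf` as is. The new `services.enthalpy.exit` block also silently turns the exit feature on whenever srv6 is enabled; a one-line comment above `enable = true;` explaining that the `from ${cfg.network}` route moved there from the old `ExecStartPre` would make the coupling visible.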