diff --git a/nixos/hosts/marisa-7d76/networking.nix b/nixos/hosts/marisa-7d76/networking.nix
index 365a21c..0654f5b 100644
--- a/nixos/hosts/marisa-7d76/networking.nix
+++ b/nixos/hosts/marisa-7d76/networking.nix
@@ -6,6 +6,7 @@
 services.enthalpy = {
 users.rebmit = { };
+ services.nix-daemon = { };
 ipsec.interfaces = [ "enp14s0" ];
 clat = {
 enable = true;
diff --git a/nixos/hosts/marisa-a7s/networking.nix b/nixos/hosts/marisa-a7s/networking.nix
index 482bac6..412c4ef 100644
--- a/nixos/hosts/marisa-a7s/networking.nix
+++ b/nixos/hosts/marisa-a7s/networking.nix
@@ -6,6 +6,7 @@
 services.enthalpy = {
 users.rebmit = { };
+ services.nix-daemon = { };
 ipsec = {
 interfaces = [ "wlan0" ];
 whitelist = [ "rebmit's edge network" ];
diff --git a/nixos/modules/networking/netns.nix b/nixos/modules/networking/netns.nix
index c8b4078..42eabea 100644
--- a/nixos/modules/networking/netns.nix
+++ b/nixos/modules/networking/netns.nix
@@ -422,7 +422,7 @@ in
 _name: cfg:
 (imap (
 index: fp:
- nameValuePair "netns-${cfg.netns}-port-forward-${fp.netns}-${fp.protocol}-${toString index}" (
+ nameValuePair "netns-${cfg.netns}-port-forward-${toString index}-${fp.netns}-${fp.protocol}" (
 mkPortForwardService cfg fp
 )
 ) cfg.forwardPorts)
@@ -433,7 +433,7 @@ in
 _name: cfg:
 (imap (
 index: ev:
- nameValuePair "netns-${cfg.netns}-extra-veth-${ev.netns}-${toString index}" (
+ nameValuePair "netns-${cfg.netns}-extra-veth-${toString index}-${ev.netns}" (
 mkExtraVethService cfg ev
 )
 ) cfg.extraVeths)
diff --git a/nixos/modules/services/enthalpy/common.nix b/nixos/modules/services/enthalpy/common.nix
index 6ead0e9..14d4d59 100644
--- a/nixos/modules/services/enthalpy/common.nix
+++ b/nixos/modules/services/enthalpy/common.nix
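Review bot: The new `services.nix-daemon = { };` entry places nix-daemon under `services.enthalpy.services`, and the services.nix hunk of this same commit shows what that implies: the unit gets the enthalpy namespace's resolv.conf/nsswitch.conf bind-mounted over its own and becomes `requires`/`after` netns-enthalpy.service, so it presumably runs inside that namespace. Nothing in the host file records why the Nix daemon should live there; the practical consequences are that substituter and fetcher traffic can only leave through whatever the enthalpy namespace routes (not visible in this diff) and that the daemon cannot start at all when the namespace fails to come up. If that trade-off is intended, say so next to the line, e.g. `# nix-daemon runs in the enthalpy netns: fetches egress only via the overlay, and the daemon is down whenever netns-enthalpy.service is`. The same entry is added to marisa-a7s in the next hunk and the note applies there too.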
@@ -44,38 +44,11 @@ in
 };
 config = mkIf cfg.enable {
- systemd.network.networks."50-enthalpy" = {
- matchConfig.Name = "enthalpy";
- linkConfig.RequiredForOnline = false;
- };
-
- systemd.services.enthalpy = {
- path = with pkgs; [
- iproute2
- coreutils
- procps
- ];
- script = ''
- ip netns add ${cfg.netns}
- ip link add enthalpy mtu 1400 address 02:00:00:00:00:01 type veth peer enthalpy mtu 1400 address 02:00:00:00:00:00 netns ${cfg.netns}
- ip -n ${cfg.netns} link set lo up
- ip -n ${cfg.netns} link set enthalpy up
- ip -n ${cfg.netns} addr add ${cfg.address}/128 dev enthalpy
- ip netns exec ${cfg.netns} sysctl -w net.ipv6.conf.default.forwarding=1
- ip netns exec ${cfg.netns} sysctl -w net.ipv6.conf.all.forwarding=1
- ip netns exec ${cfg.netns} sysctl -w net.ipv4.conf.default.forwarding=0
- ip netns exec ${cfg.netns} sysctl -w net.ipv4.conf.all.forwarding=0
- '';
- preStop = ''
- ip netns del ${cfg.netns}
- '';
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- wants = [ "network.target" ];
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
+ networking.netns."${cfg.netns}" = {
+ interface = cfg.netns;
+ address = singleton "${cfg.address}/128";
+ enableIPv4Forwarding = false;
+ enableIPv6Forwarding = true;
 };
 };
 }
diff --git a/nixos/modules/services/enthalpy/gost.nix b/nixos/modules/services/enthalpy/gost.nix
index 9ad2a5c..d387798 100644
--- a/nixos/modules/services/enthalpy/gost.nix
+++ b/nixos/modules/services/enthalpy/gost.nix
@@ -4,11 +4,13 @@
 config,
 lib,
 pkgs,
+ mylib,
 ...
 }:
 with lib;
 let
 cfg = config.services.enthalpy;
+ gostPort = config.networking.ports.enthalpy-gost;
 in
 {
 options.services.enthalpy.gost = {
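Review bot: The declarative `networking.netns."${cfg.netns}"` block carries over the address and both forwarding sysctls, but not the `mtu 1400` and the fixed `02:00:00:00:00:0x` MAC addresses the removed script set on both ends of the veth, and the interface is now named after `cfg.netns` (`interface = cfg.netns;`) instead of the literal `enthalpy`. I cannot see the netns module's defaults from this diff; if it leaves the veth at the kernel default MTU, the headroom the old script presumably reserved for the IPsec/SRv6 encapsulation layered on top disappears, and that surfaces as fragmentation or PMTU blackholes rather than as a start-up error. Either set the MTU here if the module exposes it, or record why it is no longer needed, e.g. `# MTU is left at the netns module default; the 1400 clamp from the old veth script is no longer required because …`. A one-line note that `netns-${cfg.netns}.service` is now the unit the other enthalpy modules depend on would also help readers coming from the old `enthalpy.service`.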
@@ -16,43 +18,25 @@ in
 };
 config = mkIf (cfg.enable && cfg.gost.enable) {
- systemd.network.networks."50-enthalpy" = {
- address = singleton "fc00::";
- routes = singleton { Destination = cfg.address; };
- };
-
 systemd.services.enthalpy-gost = {
- serviceConfig = {
+ serviceConfig = mylib.misc.serviceHardened // {
 Type = "simple";
- Restart = "on-failure";
+ Restart = "always";
 RestartSec = 5;
 DynamicUser = true;
- ExecStart = "${pkgs.gost}/bin/gost -L=socks5://[fc00::]:${toString config.networking.ports.enthalpy-gost}";
- ProtectSystem = "full";
- ProtectHome = "yes";
- ProtectKernelTunables = true;
- ProtectControlGroups = true;
- PrivateTmp = true;
- PrivateDevices = true;
- SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
- MemoryDenyWriteExecute = "yes";
+ ExecStart = "${pkgs.gost}/bin/gost -L=socks5://[::1]:${toString gostPort}";
 };
- wants = [ "network-online.target" ];
- after = [
- "enthalpy.service"
- "network-online.target"
- ];
- requires = [ "enthalpy.service" ];
- wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wantedBy = [ "network-online.target" ];
 };
- services.enthalpy.exit.enable = true;
- services.enthalpy.exit.prefix = singleton {
- type = "static";
- destination = "fc00::/128";
- source = "${cfg.address}/128";
- };
-
- networking.hosts."fc00::" = singleton "enthalpy-gost";
+ networking.netns."${cfg.netns}".forwardPorts = [
+ {
+ protocol = "tcp";
+ netns = "default";
+ source = "[::1]:${toString gostPort}";
+ target = "[::1]:${toString gostPort}";
+ }
+ ];
 };
 }
diff --git a/nixos/modules/services/enthalpy/ipsec.nix b/nixos/modules/services/enthalpy/ipsec.nix
index 34eabc0..929ee53 100644
--- a/nixos/modules/services/enthalpy/ipsec.nix
+++ b/nixos/modules/services/enthalpy/ipsec.nix
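Review bot: `after = [ "network-online.target" ];` combined with `wantedBy = [ "network-online.target" ];` very likely creates an ordering cycle: a target implicitly gains `After=` on every unit it `Wants=` (unless that unit sets DefaultDependencies=no), so network-online.target would be ordered after enthalpy-gost, which is ordered after network-online.target, and systemd breaks such cycles by dropping a job, usually the service's, so gost may simply never start; the removed unit had `wantedBy = [ "multi-user.target" ];` and that should be restored while keeping the `after`. Separately, the SOCKS5 listener still runs without authentication, and the new `forwardPorts` entry (which I read as listening on `source` inside the enthalpy namespace and connecting to `target` in the default one) re-exposes it on `[::1]` to every unit placed in that namespace, so each of them can egress through the host's default namespace via gost; that is presumably the intended replacement for the old `fc00::` exit route, but it is an isolation bypass by design and deserves a comment on the `forwardPorts` block such as `# deliberate hole: units in the netns reach the host-side gost SOCKS5 proxy on loopback; it has no auth, so it must stay bound to ::1 on both sides`. `mylib.misc.serviceHardened` now stands in for the explicit PrivateDevices/SystemCallFilter/MemoryDenyWriteExecute settings; its contents are not visible here, so confirm it is not weaker than what was removed.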
@@ -190,12 +190,12 @@ in
 "strongswan-swanctl.service"
 ];
 requires = [
- "enthalpy.service"
+ "netns-enthalpy.service"
 ];
 after = [
 "network-online.target"
 "strongswan-swanctl.service"
- "enthalpy.service"
+ "netns-enthalpy.service"
 ];
 wantedBy = [ "multi-user.target" ];
 reloadTriggers = [ config.environment.etc."ranet/config.json".source ];
diff --git a/nixos/modules/services/enthalpy/nat64.nix b/nixos/modules/services/enthalpy/nat64.nix
index 27301b8..aef1f07 100644
--- a/nixos/modules/services/enthalpy/nat64.nix
+++ b/nixos/modules/services/enthalpy/nat64.nix
@@ -83,10 +83,10 @@ in
 };
 wants = [ "network.target" ];
 after = [
- "enthalpy.service"
+ "netns-enthalpy.service"
 "network.target"
 ];
- requires = [ "enthalpy.service" ];
+ requires = [ "netns-enthalpy.service" ];
 wantedBy = [ "multi-user.target" ];
 };
diff --git a/nixos/modules/services/enthalpy/services.nix b/nixos/modules/services/enthalpy/services.nix
index 1c4bd6c..8675e88 100644
--- a/nixos/modules/services/enthalpy/services.nix
+++ b/nixos/modules/services/enthalpy/services.nix
@@ -46,11 +46,11 @@ in
 BindReadOnlyPaths = [
 "/etc/netns/${cfg.netns}/resolv.conf:/etc/resolv.conf:norbind"
 "/etc/netns/${cfg.netns}/nsswitch.conf:/etc/nsswitch.conf:norbind"
- "/run/enthalpy/nscd:/run/nscd:norbind"
+ "/run/netns-${cfg.netns}/nscd:/run/nscd:norbind"
 ];
 };
- after = [ "enthalpy.service" ];
- requires = [ "enthalpy.service" ];
+ after = [ "netns-enthalpy.service" ];
+ requires = [ "netns-enthalpy.service" ];
 }) cfg.services;
 services.enthalpy.services = mapAttrs' (
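Review bot: Both dependency lists now name the literal `"netns-enthalpy.service"` while the namespace this module attaches to is configured as `cfg.netns` (common.nix in this commit declares `networking.netns."${cfg.netns}"`, and netns.nix derives its unit names from `netns-${cfg.netns}-…`), so as soon as `cfg.netns` is anything other than "enthalpy" the `requires`/`after` edges point at a unit that does not exist and ranet/strongswan is started before its namespace is created. Use `"netns-${cfg.netns}.service"` in both lists, assuming the netns module names its main unit that way, and note that the same literal appears in the nat64, services and srv6 hunks of this commit. The enclosing attribute set begins above this hunk.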
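Review bot: This serviceConfig still bind-mounts `/etc/netns/${cfg.netns}/resolv.conf`, `/etc/netns/${cfg.netns}/nsswitch.conf` and now `/run/netns-${cfg.netns}/nscd`, yet the following hunk of this file removes the only definitions visible in the diff of those two files and of the `enthalpy-nsncd` unit that populated the nscd socket directory. If the `networking.netns` module does not provide equivalents, every unit under `services.enthalpy.services` (including the nix-daemon entries this commit adds on both hosts) should fail at mount setup because the bind sources are missing, and if it provides a resolv.conf/nsswitch.conf without the `remove "resolve [!UNAVAIL=return]"` filtering the deleted file did, name lookups from inside the namespace can again fall through to the host resolver, which is exactly the DNS-leak case the removed comment linked. Confirm the module supplies all three paths and record that here, e.g. `# resolv.conf, nsswitch.conf and the nscd socket come from networking.netns.<name>, not from this module`. The mapAttrs callback this serviceConfig belongs to starts above the hunk.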
@@ -60,63 +60,5 @@ in
 }
 ) cfg.users;
 }
-
- # https://philipdeljanov.com/posts/2019/05/31/dns-leaks-with-network-namespaces
- # https://flokli.de/posts/2022-11-18-nsncd
- (mkIf (cfg.services != { }) {
- environment.etc."netns/enthalpy/resolv.conf".text = mkDefault ''
- nameserver 2606:4700:4700::1111
- '';
-
- environment.etc."netns/enthalpy/nsswitch.conf".text = ''
- passwd: ${concatStringsSep " " config.system.nssDatabases.passwd}
- group: ${concatStringsSep " " config.system.nssDatabases.group}
- shadow: ${concatStringsSep " " config.system.nssDatabases.shadow}
- sudoers: ${concatStringsSep " " config.system.nssDatabases.sudoers}
-
- hosts: ${concatStringsSep " " (remove "resolve [!UNAVAIL=return]" config.system.nssDatabases.hosts)}
- networks: files
-
- ethers: files
- services: ${concatStringsSep " " config.system.nssDatabases.services}
- protocols: files
- rpc: files
- '';
-
- systemd.services.enthalpy-nsncd = {
- serviceConfig = {
- NetworkNamespacePath = "/run/netns/${cfg.netns}";
- BindReadOnlyPaths = [
- "/etc/netns/${cfg.netns}/resolv.conf:/etc/resolv.conf:norbind"
- "/etc/netns/${cfg.netns}/nsswitch.conf:/etc/nsswitch.conf:norbind"
- ];
- BindPaths = [
- "/run/enthalpy/nscd:/run/nscd:norbind"
- ];
- ExecStart = "${pkgs.nsncd}/bin/nsncd";
- Type = "notify";
- DynamicUser = true;
- RemoveIPC = true;
- NoNewPrivileges = true;
- RestrictSUIDSGID = true;
- ProtectSystem = "strict";
- ProtectHome = "read-only";
- ProtectKernelTunables = true;
- ProtectControlGroups = true;
- PrivateTmp = true;
- RuntimeDirectory = "enthalpy/nscd";
- Restart = "always";
- SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
- MemoryDenyWriteExecute = "yes";
- };
- environment.LD_LIBRARY_PATH = config.system.nssModules.path;
- after = [
- "enthalpy.service"
- "network.target"
- ];
- requires = [ "enthalpy.service" ];
- wantedBy = [ "multi-user.target" ];
- };
- })
 ]);
 }
diff --git a/nixos/modules/services/enthalpy/srv6.nix b/nixos/modules/services/enthalpy/srv6.nix
index 7de88f0..8ab1477 100644
--- a/nixos/modules/services/enthalpy/srv6.nix
+++ b/nixos/modules/services/enthalpy/srv6.nix
@@ -72,10 +72,10 @@ in
 ];
 };
 after = [
- "enthalpy.service"
+ "netns-enthalpy.service"
 "network-online.target"
 ];
- requires = [ "enthalpy.service" ];
+ requires = [ "netns-enthalpy.service" ];
 wants = [ "network-online.target" ];
 wantedBy = [ "multi-user.target" ];
 };