services/enthalpy: begin migration to networking.netns

2024-12-06 17:11:23 +08:00 · 2024-12-06 17:11:23 +08:00 · b7566b7975
parent bb65636b38
commit b7566b7975
9 changed files with 33 additions and 132 deletions
--- a/nixos/hosts/marisa-7d76/networking.nix
+++ b/nixos/hosts/marisa-7d76/networking.nix
@ -6,6 +6,7 @@
  services.enthalpy = {
    users.rebmit = { };
    services.nix-daemon = { };
    ipsec.interfaces = [ "enp14s0" ];
    clat = {
      enable = true;
--- a/nixos/hosts/marisa-a7s/networking.nix
+++ b/nixos/hosts/marisa-a7s/networking.nix
@ -6,6 +6,7 @@
  services.enthalpy = {
    users.rebmit = { };
    services.nix-daemon = { };
    ipsec = {
      interfaces = [ "wlan0" ];
      whitelist = [ "rebmit's edge network" ];
--- a/nixos/modules/networking/netns.nix
+++ b/nixos/modules/networking/netns.nix
@ -422,7 +422,7 @@ in
          _name: cfg:
          (imap (
            index: fp:
-            nameValuePair "netns-${cfg.netns}-port-forward-${fp.netns}-${fp.protocol}-${toString index}" (
+            nameValuePair "netns-${cfg.netns}-port-forward-${toString index}-${fp.netns}-${fp.protocol}" (
              mkPortForwardService cfg fp
            )
          ) cfg.forwardPorts)
@ -433,7 +433,7 @@ in
          _name: cfg:
          (imap (
            index: ev:
-            nameValuePair "netns-${cfg.netns}-extra-veth-${ev.netns}-${toString index}" (
+            nameValuePair "netns-${cfg.netns}-extra-veth-${toString index}-${ev.netns}" (
              mkExtraVethService cfg ev
            )
          ) cfg.extraVeths)
--- a/nixos/modules/services/enthalpy/common.nix
+++ b/nixos/modules/services/enthalpy/common.nix
@ -44,38 +44,11 @@ in
  };
  config = mkIf cfg.enable {
-    systemd.network.networks."50-enthalpy" = {
+    networking.netns."${cfg.netns}" = {
-      matchConfig.Name = "enthalpy";
+      interface = cfg.netns;
-      linkConfig.RequiredForOnline = false;
+      address = singleton "${cfg.address}/128";
-    };
+      enableIPv4Forwarding = false;
-
+      enableIPv6Forwarding = true;
    systemd.services.enthalpy = {
      path = with pkgs; [
        iproute2
        coreutils
        procps
      ];
      script = ''
        ip netns add ${cfg.netns}
        ip link add enthalpy mtu 1400 address 02:00:00:00:00:01 type veth peer enthalpy mtu 1400 address 02:00:00:00:00:00 netns ${cfg.netns}
        ip -n ${cfg.netns} link set lo up
        ip -n ${cfg.netns} link set enthalpy up
        ip -n ${cfg.netns} addr add ${cfg.address}/128 dev enthalpy
        ip netns exec ${cfg.netns} sysctl -w net.ipv6.conf.default.forwarding=1
        ip netns exec ${cfg.netns} sysctl -w net.ipv6.conf.all.forwarding=1
        ip netns exec ${cfg.netns} sysctl -w net.ipv4.conf.default.forwarding=0
        ip netns exec ${cfg.netns} sysctl -w net.ipv4.conf.all.forwarding=0
      '';
      preStop = ''
        ip netns del ${cfg.netns}
      '';
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      wants = [ "network.target" ];
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
    };
  };
 }
--- a/nixos/modules/services/enthalpy/gost.nix
+++ b/nixos/modules/services/enthalpy/gost.nix
@ -4,11 +4,13 @@
  config,
  lib,
  pkgs,
  mylib,
  ...
 }:
 with lib;
 let
  cfg = config.services.enthalpy;
  gostPort = config.networking.ports.enthalpy-gost;
 in
 {
  options.services.enthalpy.gost = {
@ -16,43 +18,25 @@ in
  };
  config = mkIf (cfg.enable && cfg.gost.enable) {
    systemd.network.networks."50-enthalpy" = {
      address = singleton "fc00::";
      routes = singleton { Destination = cfg.address; };
    };
    systemd.services.enthalpy-gost = {
-      serviceConfig = {
+      serviceConfig = mylib.misc.serviceHardened // {
        Type = "simple";
-        Restart = "on-failure";
+        Restart = "always";
        RestartSec = 5;
        DynamicUser = true;
-        ExecStart = "${pkgs.gost}/bin/gost -L=socks5://[fc00::]:${toString config.networking.ports.enthalpy-gost}";
+        ExecStart = "${pkgs.gost}/bin/gost -L=socks5://[::1]:${toString gostPort}";
        ProtectSystem = "full";
        ProtectHome = "yes";
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        PrivateTmp = true;
        PrivateDevices = true;
        SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
        MemoryDenyWriteExecute = "yes";
      };
-      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
-      after = [
+      wantedBy = [ "network-online.target" ];
        "enthalpy.service"
        "network-online.target"
      ];
      requires = [ "enthalpy.service" ];
      wantedBy = [ "multi-user.target" ];
    };
-    services.enthalpy.exit.enable = true;
+    networking.netns."${cfg.netns}".forwardPorts = [
-    services.enthalpy.exit.prefix = singleton {
+      {
-      type = "static";
+        protocol = "tcp";
-      destination = "fc00::/128";
+        netns = "default";
-      source = "${cfg.address}/128";
+        source = "[::1]:${toString gostPort}";
-    };
+        target = "[::1]:${toString gostPort}";
-
+      }
-    networking.hosts."fc00::" = singleton "enthalpy-gost";
+    ];
  };
 }
--- a/nixos/modules/services/enthalpy/ipsec.nix
+++ b/nixos/modules/services/enthalpy/ipsec.nix
@ -190,12 +190,12 @@ in
          "strongswan-swanctl.service"
        ];
        requires = [
-          "enthalpy.service"
+          "netns-enthalpy.service"
        ];
        after = [
          "network-online.target"
          "strongswan-swanctl.service"
-          "enthalpy.service"
+          "netns-enthalpy.service"
        ];
        wantedBy = [ "multi-user.target" ];
        reloadTriggers = [ config.environment.etc."ranet/config.json".source ];
--- a/nixos/modules/services/enthalpy/nat64.nix
+++ b/nixos/modules/services/enthalpy/nat64.nix
@ -83,10 +83,10 @@ in
      };
      wants = [ "network.target" ];
      after = [
-        "enthalpy.service"
+        "netns-enthalpy.service"
        "network.target"
      ];
-      requires = [ "enthalpy.service" ];
+      requires = [ "netns-enthalpy.service" ];
      wantedBy = [ "multi-user.target" ];
    };
--- a/nixos/modules/services/enthalpy/services.nix
+++ b/nixos/modules/services/enthalpy/services.nix
@ -46,11 +46,11 @@ in
          BindReadOnlyPaths = [
            "/etc/netns/${cfg.netns}/resolv.conf:/etc/resolv.conf:norbind"
            "/etc/netns/${cfg.netns}/nsswitch.conf:/etc/nsswitch.conf:norbind"
-            "/run/enthalpy/nscd:/run/nscd:norbind"
+            "/run/netns-${cfg.netns}/nscd:/run/nscd:norbind"
          ];
        };
-        after = [ "enthalpy.service" ];
+        after = [ "netns-enthalpy.service" ];
-        requires = [ "enthalpy.service" ];
+        requires = [ "netns-enthalpy.service" ];
      }) cfg.services;
      services.enthalpy.services = mapAttrs' (
@ -60,63 +60,5 @@ in
        }
      ) cfg.users;
    }
    # https://philipdeljanov.com/posts/2019/05/31/dns-leaks-with-network-namespaces
    # https://flokli.de/posts/2022-11-18-nsncd
    (mkIf (cfg.services != { }) {
      environment.etc."netns/enthalpy/resolv.conf".text = mkDefault ''
        nameserver 2606:4700:4700::1111
      '';
      environment.etc."netns/enthalpy/nsswitch.conf".text = ''
        passwd:    ${concatStringsSep " " config.system.nssDatabases.passwd}
        group:     ${concatStringsSep " " config.system.nssDatabases.group}
        shadow:    ${concatStringsSep " " config.system.nssDatabases.shadow}
        sudoers:   ${concatStringsSep " " config.system.nssDatabases.sudoers}
        hosts:     ${concatStringsSep " " (remove "resolve [!UNAVAIL=return]" config.system.nssDatabases.hosts)}
        networks:  files
        ethers:    files
        services:  ${concatStringsSep " " config.system.nssDatabases.services}
        protocols: files
        rpc:       files
      '';
      systemd.services.enthalpy-nsncd = {
        serviceConfig = {
          NetworkNamespacePath = "/run/netns/${cfg.netns}";
          BindReadOnlyPaths = [
            "/etc/netns/${cfg.netns}/resolv.conf:/etc/resolv.conf:norbind"
            "/etc/netns/${cfg.netns}/nsswitch.conf:/etc/nsswitch.conf:norbind"
          ];
          BindPaths = [
            "/run/enthalpy/nscd:/run/nscd:norbind"
          ];
          ExecStart = "${pkgs.nsncd}/bin/nsncd";
          Type = "notify";
          DynamicUser = true;
          RemoveIPC = true;
          NoNewPrivileges = true;
          RestrictSUIDSGID = true;
          ProtectSystem = "strict";
          ProtectHome = "read-only";
          ProtectKernelTunables = true;
          ProtectControlGroups = true;
          PrivateTmp = true;
          RuntimeDirectory = "enthalpy/nscd";
          Restart = "always";
          SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
          MemoryDenyWriteExecute = "yes";
        };
        environment.LD_LIBRARY_PATH = config.system.nssModules.path;
        after = [
          "enthalpy.service"
          "network.target"
        ];
        requires = [ "enthalpy.service" ];
        wantedBy = [ "multi-user.target" ];
      };
    })
  ]);
 }
--- a/nixos/modules/services/enthalpy/srv6.nix
+++ b/nixos/modules/services/enthalpy/srv6.nix
@ -72,10 +72,10 @@ in
        ];
      };
      after = [
-        "enthalpy.service"
+        "netns-enthalpy.service"
        "network-online.target"
      ];
-      requires = [ "enthalpy.service" ];
+      requires = [ "netns-enthalpy.service" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
    };