services/enthalpy: fixup dns leak in network namespace
This commit is contained in:
parent
a67263f5dd
commit
dc56af5c6b
|
@ -77,9 +77,5 @@ in
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.etc."netns/enthalpy/resolv.conf".text = lib.mkDefault ''
|
|
||||||
nameserver 2606:4700:4700::1111
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -88,7 +88,7 @@ in
|
||||||
config = mkIf (cfg.enable && cfg.ipsec.enable) {
|
config = mkIf (cfg.enable && cfg.ipsec.enable) {
|
||||||
assertions = [
|
assertions = [
|
||||||
{
|
{
|
||||||
assertion = builtins.all (lib.id) [
|
assertion = builtins.all id [
|
||||||
(cfg.ipsec.blacklist != null -> cfg.ipsec.whitelist == null)
|
(cfg.ipsec.blacklist != null -> cfg.ipsec.whitelist == null)
|
||||||
(cfg.ipsec.whitelist != null -> cfg.ipsec.blacklist == null)
|
(cfg.ipsec.whitelist != null -> cfg.ipsec.blacklist == null)
|
||||||
];
|
];
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib;
|
with lib;
|
||||||
|
@ -36,12 +37,17 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable (mkMerge [
|
||||||
|
{
|
||||||
systemd.services = mapAttrs (_name: value: {
|
systemd.services = mapAttrs (_name: value: {
|
||||||
inherit (value) overrideStrategy;
|
inherit (value) overrideStrategy;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
NetworkNamespacePath = "/run/netns/${cfg.netns}";
|
NetworkNamespacePath = "/run/netns/${cfg.netns}";
|
||||||
BindReadOnlyPaths = "/etc/netns/${cfg.netns}/resolv.conf:/etc/resolv.conf:norbind";
|
BindReadOnlyPaths = [
|
||||||
|
"/etc/netns/${cfg.netns}/resolv.conf:/etc/resolv.conf:norbind"
|
||||||
|
"/etc/netns/${cfg.netns}/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
||||||
|
"/run/enthalpy/nscd:/run/nscd:norbind"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
after = [ "enthalpy.service" ];
|
after = [ "enthalpy.service" ];
|
||||||
requires = [ "enthalpy.service" ];
|
requires = [ "enthalpy.service" ];
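Review bot: The user services now bind `/run/enthalpy/nscd` onto `/run/nscd` (the new `"/run/enthalpy/nscd:/run/nscd:norbind"` entry), yet their `after`/`requires` still name only `enthalpy.service`, so nothing orders them behind the unit whose `RuntimeDirectory` creates that source directory. As far as I recall systemd refuses to start a unit whose bind source is missing unless the path carries a `-` prefix, so a user service that comes up before the nsncd unit at boot would fail, and after a restart of nsncd it would keep a mount of the old directory. Suggest `after = [ "enthalpy.service" "enthalpy-nsncd.service" ];` and `wants = [ "enthalpy-nsncd.service" ];` beside the existing `requires`; `"-/run/enthalpy/nscd:/run/nscd:norbind"` would instead let the service start without a resolver socket and fall back to glibc's in-process `files`/`dns` lookups, which may or may not be intended. The `mapAttrs` body continues past the end of this hunk.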
|
||||||
|
@ -53,5 +59,64 @@ in
|
||||||
overrideStrategy = "asDropin";
|
overrideStrategy = "asDropin";
|
||||||
}
|
}
|
||||||
) cfg.users;
|
) cfg.users;
|
||||||
};
|
}
|
||||||
|
|
||||||
|
# https://philipdeljanov.com/posts/2019/05/31/dns-leaks-with-network-namespaces
|
||||||
|
# https://flokli.de/posts/2022-11-18-nsncd
|
||||||
|
(mkIf (cfg.services != { }) {
|
||||||
|
environment.etc."netns/enthalpy/resolv.conf".text = mkDefault ''
|
||||||
|
nameserver 2606:4700:4700::1111
|
||||||
|
'';
|
||||||
|
|
||||||
|
environment.etc."netns/enthalpy/nsswitch.conf".text = ''
|
||||||
|
passwd: ${concatStringsSep " " config.system.nssDatabases.passwd}
|
||||||
|
group: ${concatStringsSep " " config.system.nssDatabases.group}
|
||||||
|
shadow: ${concatStringsSep " " config.system.nssDatabases.shadow}
|
||||||
|
sudoers: ${concatStringsSep " " config.system.nssDatabases.sudoers}
|
||||||
|
|
||||||
|
hosts: ${concatStringsSep " " (remove "resolve [!UNAVAIL=return]" config.system.nssDatabases.hosts)}
|
||||||
|
networks: files
|
||||||
|
|
||||||
|
ethers: files
|
||||||
|
services: ${concatStringsSep " " config.system.nssDatabases.services}
|
||||||
|
protocols: files
|
||||||
|
rpc: files
|
||||||
|
'';
|
||||||
|
|
||||||
|
systemd.services.enthalpy-nsncd = {
|
||||||
|
serviceConfig = {
|
||||||
|
NetworkNamespacePath = "/run/netns/${cfg.netns}";
|
||||||
|
BindReadOnlyPaths = [
|
||||||
|
"/etc/netns/${cfg.netns}/resolv.conf:/etc/resolv.conf:norbind"
|
||||||
|
"/etc/netns/${cfg.netns}/nsswitch.conf:/etc/nsswitch.conf:norbind"
|
||||||
|
];
|
||||||
|
BindPaths = [
|
||||||
|
"/run/enthalpy/nscd:/run/nscd:norbind"
|
||||||
|
];
|
||||||
|
ExecStart = "${pkgs.nsncd}/bin/nsncd";
|
||||||
|
Type = "notify";
|
||||||
|
DynamicUser = true;
|
||||||
|
RemoveIPC = true;
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
ProtectSystem = "strict";
|
||||||
|
ProtectHome = "read-only";
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
PrivateTmp = true;
|
||||||
|
RuntimeDirectory = "enthalpy/nscd";
|
||||||
|
Restart = "always";
|
||||||
|
SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
|
||||||
|
MemoryDenyWriteExecute = "yes";
|
||||||
|
};
|
||||||
|
environment.LD_LIBRARY_PATH = config.system.nssModules.path;
|
||||||
|
after = [
|
||||||
|
"enthalpy.service"
|
||||||
|
"network.target"
|
||||||
|
];
|
||||||
|
requires = [ "enthalpy.service" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
};
|
||||||
|
})
|
||||||
|
]);
|
||||||
}
|
}
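Review bot: `environment.etc."netns/enthalpy/resolv.conf"` and `environment.etc."netns/enthalpy/nsswitch.conf"` hard-code the namespace name while the `BindReadOnlyPaths` entries further down read `/etc/netns/${cfg.netns}/...`, so with any `cfg.netns` other than `enthalpy` the bind sources do not exist and the unit will not start; use `"netns/${cfg.netns}/resolv.conf"` and `"netns/${cfg.netns}/nsswitch.conf"` for both keys. The `hosts:` line also depends on `remove "resolve [!UNAVAIL=return]"` matching the nixpkgs entry byte for byte; if that spelling ever changes the filter is a silent no-op, nss-resolve again reaches systemd-resolved over a unix socket that `NetworkNamespacePath` does not isolate, and `[!UNAVAIL=return]` keeps glibc from falling through to `dns` — the exact leak this commit fixes — so a prefix match is safer: `hosts: ${concatStringsSep " " (filter (e: !(hasPrefix "resolve" e)) config.system.nssDatabases.hosts)}`. In `serviceConfig`, `DynamicUser = true` already implies `RemoveIPC`, `PrivateTmp`, `NoNewPrivileges`, `RestrictSUIDSGID`, `ProtectSystem = "strict"` and `ProtectHome = "read-only"` as far as I recall, whereas the directives that would actually confine a resolver daemon — `RestrictAddressFamilies`, an empty `CapabilityBoundingSet`, `RestrictNamespaces`, `PrivateDevices`, `SystemCallArchitectures = "native"` and the remaining `Protect*` switches — are absent; the block below adds them (AF_NETLINK is kept because glibc's `getaddrinfo` probes interface addresses over netlink — verify against nsncd's logs before dropping it).
```nix
# … unchanged: NetworkNamespacePath, Bind*Paths, ExecStart, Type, DynamicUser … MemoryDenyWriteExecute …
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
RestrictNamespaces = true;
LockPersonality = true;
RestrictRealtime = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectHostname = true;
PrivateDevices = true;
CapabilityBoundingSet = "";
SystemCallArchitectures = "native";
# … unchanged: environment.LD_LIBRARY_PATH, after, requires, wantedBy …
```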
|
||||||
|
|
|
@ -5,7 +5,6 @@
|
||||||
llmnr = "false";
|
llmnr = "false";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
MulticastDNS=off
|
MulticastDNS=off
|
||||||
DNSStubListener=no
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|