]> Git — Sourcephile - julm/julm-nix.git/blob - nixpkgs/patches/openvpn.diff
sourcephile / git / julm / julm-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
nix: cleanup
[julm/julm-nix.git] / nixpkgs / patches / openvpn.diff
1 diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
2 index e5f9c673c18..e331312bdb7 100644
3 --- a/nixos/modules/module-list.nix
4 +++ b/nixos/modules/module-list.nix
5 @@ -862,6 +862,7 @@
6 ./services/networking/ndppd.nix
7 ./services/networking/nebula.nix
8 ./services/networking/networkmanager.nix
9 + ./services/networking/netns.nix
10 ./services/networking/nextdns.nix
11 ./services/networking/nftables.nix
12 ./services/networking/ngircd.nix
13 diff --git a/nixos/modules/services/networking/netns.nix b/nixos/modules/services/networking/netns.nix
14 new file mode 100644
15 index 00000000000..2e62738089d
16 --- /dev/null
17 +++ b/nixos/modules/services/networking/netns.nix
18 @@ -0,0 +1,106 @@
19 +{ pkgs, lib, config, options, ... }:
20 +with lib;
21 +let
22 + cfg = config.services.netns;
23 + inherit (config) networking;
24 + # Escape as required by: https://www.freedesktop.org/software/systemd/man/systemd.unit.html
25 + escapeUnitName = name:
26 + lib.concatMapStrings (s: if lib.isList s then "-" else s)
27 + (builtins.split "[^a-zA-Z0-9_.\\-]+" name);
28 +in
29 +{
30 +options.services.netns = {
31 + namespaces = mkOption {
32 + description = ''
33 + Network namespaces to create.
34 +
35 + Other services can join a network namespace named <code>netns</code> with:
36 + <screen>
37 + PrivateNetwork=true;
38 + JoinsNamespaceOf="netns-''${netns}.service";
39 + </screen>
40 +
41 + So can <literal>iproute</literal> with:
42 + <code>ip -n ''${netns}</code>
43 +
44 + <warning><para>
45 + You should usually create (or update via your VPN configuration's up script)
46 + a file named <literal>/etc/netns/''${netns}/resolv.conf</literal>
47 + that will be bind-mounted by <code>ip -n ''${netns}</code> onto <literal>/etc/resolv.conf</literal>,
48 + which you'll also want to configure in the services joining this network namespace:
49 + <screen>
50 + BindReadOnlyPaths = ["/etc/netns/''${netns}/resolv.conf:/etc/resolv.conf"];
51 + </screen>
52 + </para></warning>
53 + '';
54 + default = {};
55 + type = types.attrsOf (types.submodule {
56 + options.nftables = mkOption {
57 + description = "Nftables ruleset within the network namespace.";
58 + type = types.lines;
59 + default = networking.nftables.ruleset;
60 + defaultText = "config.networking.nftables.ruleset";
61 + };
62 + options.sysctl = options.boot.kernel.sysctl // {
63 + description = "sysctl within the network namespace.";
64 + default = config.boot.kernel.sysctl;
65 + defaultText = "config.boot.kernel.sysctl";
66 + };
67 + options.service = mkOption {
68 + description = "Systemd configuration specific to this netns service";
69 + type = types.attrs;
70 + default = {};
71 + };
72 + });
73 + };
74 +};
75 +config = {
76 + systemd.services = mapAttrs' (name: c:
77 + nameValuePair "netns-${escapeUnitName name}" (mkMerge [
78 + { description = "${name} network namespace";
79 + before = [ "network.target" ];
80 + serviceConfig = {
81 + Type = "oneshot";
82 + RemainAfterExit = true;
83 + # Let systemd create the netns so that PrivateNetwork=true
84 + # with JoinsNamespaceOf="netns-${name}.service" works.
85 + PrivateNetwork = true;
86 + ExecStart = [
87 + # For convenience, register the netns to the tracking mecanism of iproute,
88 + # and make sure resolv.conf can be used in BindReadOnlyPaths=
89 + # For propagating changes in that file to the services bind mounting it,
90 + # updating must not remove the file, but only truncate it.
91 + (pkgs.writeShellScript "ip-netns-attach" ''
92 + ${pkgs.iproute}/bin/ip netns attach ${escapeShellArg name} $$
93 + mkdir -p /etc/netns/${escapeShellArg name}
94 + touch /etc/netns/${escapeShellArg name}/resolv.conf
95 + '')
96 +
97 + # Bringing the loopback interface is almost always a good thing.
98 + "${pkgs.iproute}/bin/ip link set dev lo up"
99 +
100 + # Use --ignore because some keys may no longer exist in that new namespace,
101 + # like net.ipv6.conf.eth0.addr_gen_mode or net.core.rmem_max
102 + ''${pkgs.procps}/bin/sysctl --ignore -p ${pkgs.writeScript "sysctl"
103 + (concatStrings (mapAttrsToList (n: v:
104 + optionalString (v != null)
105 + "${n}=${if v == false then "0" else toString v}\n"
106 + ) c.sysctl))}
107 + ''
108 + ] ++
109 + # Load the nftables ruleset of this netns.
110 + optional networking.nftables.enable (pkgs.writeScript "nftables-ruleset" ''
111 + #!${pkgs.nftables}/bin/nft -f
112 + flush ruleset
113 + ${c.nftables}
114 + '');
115 + # Unregister the netns from the tracking mecanism of iproute.
116 + ExecStop = "${pkgs.iproute}/bin/ip netns delete ${escapeShellArg name}";
117 + };
118 + }
119 + c.service
120 + ]
121 + )) cfg.namespaces;
122 + meta.maintainers = with lib.maintainers; [ julm ];
123 +};
124 +}
125 diff --git a/nixos/modules/services/networking/openvpn.nix b/nixos/modules/services/networking/openvpn.nix
126 index 492a0936fdb..adb1c8b5f0d 100644
127 --- a/nixos/modules/services/networking/openvpn.nix
128 +++ b/nixos/modules/services/networking/openvpn.nix
129 @@ -5,71 +5,216 @@ with lib;
130 let
131
132 cfg = config.services.openvpn;
133 + enabledServers = filterAttrs (name: srv: srv.enable) cfg.servers;
134
135 inherit (pkgs) openvpn;
136
137 + PATH = name: makeBinPath config.systemd.services."openvpn-${name}".path;
138 +
139 makeOpenVPNJob = cfg: name:
140 let
141
142 - path = makeBinPath (getAttr "openvpn-${name}" config.systemd.services).path;
143 + configFile = pkgs.writeText "openvpn-config-${name}" (
144 + generators.toKeyValue {
145 + mkKeyValue = key: value:
146 + if hasAttr key scripts
147 + then "${key} " + pkgs.writeShellScript "openvpn-${name}-${key}" (scripts.${key} value)
148 + else if builtins.isBool value
149 + then optionalString value key
150 + else if builtins.isPath value
151 + then "${key} ${value}"
152 + else if builtins.isList value
153 + then concatMapStringsSep "\n" (v: "${key} ${generators.mkValueStringDefault {} v}") value
154 + else "${key} ${generators.mkValueStringDefault {} value}";
155 + } cfg.settings
156 + );
157
158 - upScript = ''
159 - #! /bin/sh
160 - export PATH=${path}
161 + scripts = {
162 + up = script:
163 + let init = ''
164 + export PATH=${PATH name}
165
166 - # For convenience in client scripts, extract the remote domain
167 - # name and name server.
168 - for var in ''${!foreign_option_*}; do
169 - x=(''${!var})
170 - if [ "''${x[0]}" = dhcp-option ]; then
171 - if [ "''${x[1]}" = DOMAIN ]; then domain="''${x[2]}"
172 - elif [ "''${x[1]}" = DNS ]; then nameserver="''${x[2]}"
173 - fi
174 - fi
175 - done
176 + # For convenience in client scripts, extract the remote domain
177 + # name and name server.
178 + for var in ''${!foreign_option_*}; do
179 + x=(''${!var})
180 + if [ "''${x[0]}" = dhcp-option ]; then
181 + if [ "''${x[1]}" = DOMAIN ]; then domain="''${x[2]}"
182 + elif [ "''${x[1]}" = DNS ]; then nameserver="''${x[2]}"
183 + fi
184 + fi
185 + done
186
187 - ${cfg.up}
188 - ${optionalString cfg.updateResolvConf
189 - "${pkgs.update-resolv-conf}/libexec/openvpn/update-resolv-conf"}
190 - '';
191 + ${optionalString cfg.updateResolvConf
192 + "${pkgs.update-resolv-conf}/libexec/openvpn/update-resolv-conf"}
193 + '';
194 + # Add DNS settings given in foreign DHCP options to the resolv.conf of the netns.
195 + # Note that JoinsNamespaceOf="netns-${cfg.netns}.service" will not
196 + # BindReadOnlyPaths=["/etc/netns/${cfg.netns}/resolv.conf:/etc/resolv.conf"];
197 + # this will have to be added in each service joining the namespace.
198 + setNetNSResolvConf = ''
199 + mkdir -p /etc/netns/${cfg.netns}
200 + # This file is normally created by netns-${cfg.netns}.service,
201 + # care must be taken to not delete it but to truncate it
202 + # in order to propagate the changes to bind-mounted versions.
203 + : > /etc/netns/${cfg.netns}/resolv.conf
204 + chmod 644 /etc/netns/${cfg.netns}/resolv.conf
205 + foreign_opt_domains=
206 + process_foreign_option () {
207 + case "$1:$2" in
208 + dhcp-option:DNS) echo "nameserver $3" >>/etc/netns/'${cfg.netns}'/resolv.conf ;;
209 + dhcp-option:DOMAIN) foreign_opt_domains="$foreign_opt_domains $3" ;;
210 + esac
211 + }
212 + i=1
213 + while
214 + eval opt=\"\''${foreign_option_$i-}\"
215 + [ -n "$opt" ]
216 + do
217 + process_foreign_option $opt
218 + i=$(( i + 1 ))
219 + done
220 + for d in $foreign_opt_domains; do
221 + printf '%s\n' "domain $1" "search $*" \
222 + >>/etc/netns/'${cfg.netns}'/resolv.conf
223 + done
224 + '';
225 + in
226 + if cfg.netns == null
227 + then ''
228 + ${init}
229 + ${script}
230 + ''
231 + else ''
232 + export PATH=${PATH name}
233 + set -eux
234 + ${setNetNSResolvConf}
235 + ip link set dev '${cfg.settings.dev}' up netns '${cfg.netns}' mtu "$tun_mtu"
236 + ip netns exec '${cfg.netns}' ${pkgs.writeShellScript "openvpn-${name}-up-netns.sh" ''
237 + ${init}
238 + set -eux
239 + export PATH=${PATH name}
240
241 - downScript = ''
242 - #! /bin/sh
243 - export PATH=${path}
244 - ${optionalString cfg.updateResolvConf
245 - "${pkgs.update-resolv-conf}/libexec/openvpn/update-resolv-conf"}
246 - ${cfg.down}
247 - '';
248 + ip link set dev lo up
249
250 - configFile = pkgs.writeText "openvpn-config-${name}"
251 - ''
252 - errors-to-stderr
253 - ${optionalString (cfg.up != "" || cfg.down != "" || cfg.updateResolvConf) "script-security 2"}
254 - ${cfg.config}
255 - ${optionalString (cfg.up != "" || cfg.updateResolvConf)
256 - "up ${pkgs.writeScript "openvpn-${name}-up" upScript}"}
257 - ${optionalString (cfg.down != "" || cfg.updateResolvConf)
258 - "down ${pkgs.writeScript "openvpn-${name}-down" downScript}"}
259 - ${optionalString (cfg.authUserPass != null)
260 - "auth-user-pass ${pkgs.writeText "openvpn-credentials-${name}" ''
261 - ${cfg.authUserPass.username}
262 - ${cfg.authUserPass.password}
263 - ''}"}
264 - '';
265 + netmask4="''${ifconfig_netmask:-30}"
266 + netbits6="''${ifconfig_ipv6_netbits:-112}"
267 + if [ -n "''${ifconfig_local-}" ]; then
268 + if [ -n "''${ifconfig_remote-}" ]; then
269 + ip -4 addr replace \
270 + local "$ifconfig_local" \
271 + peer "$ifconfig_remote/$netmask4" \
272 + ''${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"} \
273 + dev '${cfg.settings.dev}'
274 + else
275 + ip -4 addr replace \
276 + local "$ifconfig_local/$netmask4" \
277 + ''${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"} \
278 + dev '${cfg.settings.dev}'
279 + fi
280 + fi
281 + if [ -n "''${ifconfig_ipv6_local-}" ]; then
282 + if [ -n "''${ifconfig_ipv6_remote-}" ]; then
283 + ip -6 addr replace \
284 + local "$ifconfig_ipv6_local" \
285 + peer "$ifconfig_ipv6_remote/$netbits6" \
286 + dev '${cfg.settings.dev}'
287 + else
288 + ip -6 addr replace \
289 + local "$ifconfig_ipv6_local/$netbits6" \
290 + dev '${cfg.settings.dev}'
291 + fi
292 + fi
293 + set +eux
294 + ${script}
295 + ''}
296 + '';
297 + route-up = script:
298 + if cfg.netns == null
299 + then script
300 + else ''
301 + export PATH=${PATH name}
302 + set -eux
303 + ip netns exec '${cfg.netns}' ${pkgs.writeShellScript "openvpn-${name}-route-up-netns" ''
304 + export PATH=${PATH name}
305 + set -eux
306 + i=1
307 + while
308 + eval net=\"\''${route_network_$i-}\"
309 + eval mask=\"\''${route_netmask_$i-}\"
310 + eval gw=\"\''${route_gateway_$i-}\"
311 + eval mtr=\"\''${route_metric_$i-}\"
312 + [ -n "$net" ]
313 + do
314 + ip -4 route replace "$net/$mask" via "$gw" ''${mtr:+metric "$mtr"}
315 + i=$(( i + 1 ))
316 + done
317 +
318 + if [ -n "''${route_vpn_gateway-}" ]; then
319 + ip -4 route replace default via "$route_vpn_gateway"
320 + fi
321 +
322 + i=1
323 + while
324 + # There doesn't seem to be $route_ipv6_metric_<n>
325 + # according to the manpage.
326 + eval net=\"\''${route_ipv6_network_$i-}\"
327 + eval gw=\"\''${route_ipv6_gateway_$i-}\"
328 + [ -n "$net" ]
329 + do
330 + ip -6 route replace "$net" via "$gw" metric 100
331 + i=$(( i + 1 ))
332 + done
333 +
334 + # There's no $route_vpn_gateway for IPv6. It's not
335 + # documented if OpenVPN includes default route in
336 + # $route_ipv6_*. Set default route to remote VPN
337 + # endpoint address if there is one. Use higher metric
338 + # than $route_ipv6_* routes to give preference to a
339 + # possible default route in them.
340 + if [ -n "''${ifconfig_ipv6_remote-}" ]; then
341 + ip -6 route replace default \
342 + via "$ifconfig_ipv6_remote" metric 200
343 + fi
344 + ${script}
345 + ''}
346 + '';
347 + down = script:
348 + let init = ''
349 + export PATH=${PATH name}
350 + ${optionalString cfg.updateResolvConf
351 + "${pkgs.update-resolv-conf}/libexec/openvpn/update-resolv-conf"}
352 + ''; in
353 + if cfg.netns == null
354 + then ''
355 + ${init}
356 + ${script}
357 + ''
358 + else ''
359 + export PATH=${PATH name}
360 + ip netns exec '${cfg.netns}' ${pkgs.writeShellScript "openvpn-${name}-down-netns.sh" ''
361 + ${init}
362 + ${script}
363 + ''}
364 + rm -f /etc/netns/'${cfg.netns}'/resolv.conf
365 + '';
366 + };
367
368 in {
369 description = "OpenVPN instance ‘${name}’";
370
371 wantedBy = optional cfg.autoStart "multi-user.target";
372 after = [ "network.target" ];
373 + bindsTo = optional (cfg.netns != null) "netns-${cfg.netns}.service";
374 + requires = optional (cfg.netns != null) "netns-${cfg.netns}.service";
375
376 path = [ pkgs.iptables pkgs.iproute2 pkgs.nettools ];
377
378 serviceConfig.ExecStart = "@${openvpn}/sbin/openvpn openvpn --suppress-timestamps --config ${configFile}";
379 serviceConfig.Restart = "always";
380 + serviceConfig.RestartSec = "5s";
381 serviceConfig.Type = "notify";
382 };
383 -
384 in
385
386 {
387 @@ -87,30 +232,30 @@ in
388 example = literalExpression ''
389 {
390 server = {
391 - config = '''
392 + settings = {
393 # Simplest server configuration: https://community.openvpn.net/openvpn/wiki/StaticKeyMiniHowto
394 # server :
395 - dev tun
396 - ifconfig 10.8.0.1 10.8.0.2
397 - secret /root/static.key
398 - ''';
399 - up = "ip route add ...";
400 - down = "ip route del ...";
401 + dev = "tun";
402 + ifconfig = "10.8.0.1 10.8.0.2";
403 + secret = "/root/static.key";
404 + up = "ip route add ...";
405 + down = "ip route del ...";
406 + };
407 };
408
409 client = {
410 - config = '''
411 - client
412 - remote vpn.example.org
413 - dev tun
414 - proto tcp-client
415 - port 8080
416 - ca /root/.vpn/ca.crt
417 - cert /root/.vpn/alice.crt
418 - key /root/.vpn/alice.key
419 - ''';
420 - up = "echo nameserver $nameserver | ''${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
421 - down = "''${pkgs.openresolv}/sbin/resolvconf -d $dev";
422 + settings = {
423 + client = true;
424 + remote = "vpn.example.org";
425 + dev = "tun";
426 + proto = "tcp-client";
427 + port = 8080;
428 + ca = "/root/.vpn/ca.crt";
429 + cert = "/root/.vpn/alice.crt";
430 + key = "/root/.vpn/alice.key";
431 + up = "echo nameserver $nameserver | ''${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
432 + down = "''${pkgs.openresolv}/sbin/resolvconf -d $dev";
433 + };
434 };
435 }
436 '';
437 @@ -124,36 +269,77 @@ in
438 attribute name.
439 '';
440
441 - type = with types; attrsOf (submodule {
442 + type = with types; attrsOf (submodule ({name, config, options, ...}: {
443
444 - options = {
445 + options = rec {
446 + enable = mkEnableOption "OpenVPN server" // { default = true; };
447
448 - config = mkOption {
449 - type = types.lines;
450 + settings = mkOption {
451 description = lib.mdDoc ''
452 Configuration of this OpenVPN instance. See
453 {manpage}`openvpn(8)`
454 for details.
455
456 To import an external config file, use the following definition:
457 - `config = "config /path/to/config.ovpn"`
458 - '';
459 - };
460 -
461 - up = mkOption {
462 - default = "";
463 - type = types.lines;
464 - description = lib.mdDoc ''
465 - Shell commands executed when the instance is starting.
466 - '';
467 - };
468 -
469 - down = mkOption {
470 - default = "";
471 - type = types.lines;
472 - description = lib.mdDoc ''
473 - Shell commands executed when the instance is shutting down.
474 + <literal>config = /path/to/config.ovpn;</literal>
475 '';
476 + default = {};
477 + type = types.submodule {
478 + freeformType = with types;
479 + attrsOf (
480 + nullOr (
481 + oneOf [
482 + bool int str path
483 + (listOf (oneOf [bool int str path]))
484 + ]
485 + )
486 + );
487 + options.dev = mkOption {
488 + default = null;
489 + type = types.str;
490 + description = lib.mkDoc ''
491 + Shell commands executed when the instance is starting.
492 + '';
493 + };
494 + options.down = mkOption {
495 + default = "";
496 + type = types.lines;
497 + description = lib.mkDoc ''
498 + Shell commands executed when the instance is shutting down.
499 + '';
500 + };
501 + options.errors-to-stderr = mkOption {
502 + default = true;
503 + type = types.bool;
504 + description = lib.mkDoc ''
505 + Output errors to stderr instead of stdout
506 + unless log output is redirected by one of the <code>--log</code> options.
507 + '';
508 + };
509 + options.route-up = mkOption {
510 + default = "";
511 + type = types.lines;
512 + description = lib.mkDoc ''
513 + Run command after routes are added.
514 + '';
515 + };
516 + options.up = mkOption {
517 + default = "";
518 + type = types.lines;
519 + description = lib.mkDoc ''
520 + Shell commands executed when the instance is starting.
521 + '';
522 + };
523 + options.script-security = mkOption {
524 + default = 1;
525 + type = types.enum [1 2 3];
526 + description = lib.mkDoc ''
527 + 1 — (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
528 + 2 — Allow calling of built-in executables and user-defined scripts.
529 + 3 — Allow passwords to be passed to scripts via environmental variables (potentially unsafe).
530 + '';
531 + };
532 + };
533 };
534
535 autoStart = mkOption {
536 @@ -162,6 +348,10 @@ in
537 description = lib.mdDoc "Whether this OpenVPN instance should be started automatically.";
538 };
539
540 + # Legacy options
541 + down = (elemAt settings.type.functor.payload.modules 0).options.down;
542 + up = (elemAt settings.type.functor.payload.modules 0).options.up;
543 +
544 updateResolvConf = mkOption {
545 default = false;
546 type = types.bool;
547 @@ -195,9 +385,39 @@ in
548 };
549 });
550 };
551 +
552 + netns = mkOption {
553 + default = true;
554 + type = with types; nullOr str;
555 + description = lib.mkDoc "Network namespace.";
556 + };
557 };
558
559 - });
560 + config.settings = mkMerge
561 + [ (mkIf (config.netns != null) {
562 + # Useless to setup the interface
563 + # because moving it to the netns will reset it
564 + ifconfig-noexec = true;
565 + route-noexec = true;
566 + script-security = 2;
567 + })
568 + (mkIf (config.authUserPass != null) {
569 + auth-user-pass = pkgs.writeText "openvpn-auth-user-pass-${name}" ''
570 + ${config.authUserPass.username}
571 + ${config.authUserPass.password}
572 + '';
573 + })
574 + (mkIf config.updateResolvConf {
575 + script-security = 2;
576 + })
577 + { # Aliases legacy options
578 + down = mkAliasDefinitions (mkDefault options.down or { });
579 + up = mkAliasDefinitions (mkDefault options.up or { });
580 + }
581 + ];
582 +
583 +
584 + }));
585
586 };
587
588 @@ -206,9 +426,9 @@ in
589
590 ###### implementation
591
592 - config = mkIf (cfg.servers != {}) {
593 + config = mkIf (enabledServers != {}) {
594
595 - systemd.services = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers);
596 + systemd.services = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) enabledServers);
597
598 environment.systemPackages = [ openvpn ];
599
julm's NixOS and home-manager configs