From 3fe20560cc33c9f89d4c65f9c72df7901e22ae6f Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm+julm-nix@sourcephile.fr>
Date: Wed, 17 Apr 2024 05:38:53 +0200
Subject: [PATCH] dnscrypt-proxy2: support nftables
---
 hosts/aubergine/networking/nftables.nix | 1 -
 hosts/courge/networking/nftables.nix | 1 -
 hosts/oignon/networking/nftables.nix | 1 -
 hosts/patate/networking/nftables.nix | 1 -
 nixos/profiles/dnscrypt-proxy2.nix | 10 +++++++++-
 nixpkgs/patches.nix | 5 +++++
 6 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/hosts/aubergine/networking/nftables.nix b/hosts/aubergine/networking/nftables.nix
index e66cdda..a53ca5e 100644
--- a/hosts/aubergine/networking/nftables.nix
+++ b/hosts/aubergine/networking/nftables.nix
@@ -38,7 +38,6 @@ in
 udp dport 60000-61000 counter accept comment "Mosh"
 tcp dport { http, https } counter accept comment "HTTP"
 udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
- meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
 tcp dport git counter accept comment "Git"
 tcp dport 5201 counter accept comment "iperf"
 }
diff --git a/hosts/courge/networking/nftables.nix b/hosts/courge/networking/nftables.nix
index 30927b0..869c5c7 100644
--- a/hosts/courge/networking/nftables.nix
+++ b/hosts/courge/networking/nftables.nix
@@ -48,7 +48,6 @@ in
 tcp dport { ssh, 2222, 20022 } counter accept comment "SSH"
 udp dport 60001-60100 counter accept comment "Mosh"
 udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
- meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
 tcp dport { http, https } counter accept comment "HTTP"
 tcp dport git counter accept comment "Git"
 tcp dport imaps counter accept comment "IMAPS"
diff --git a/hosts/oignon/networking/nftables.nix b/hosts/oignon/networking/nftables.nix
index 8ebec85..1ec0a97 100644
--- a/hosts/oignon/networking/nftables.nix
+++ b/hosts/oignon/networking/nftables.nix
@@ -45,7 +45,6 @@ in
 tcp dport { ssh, 2222, 20022 } counter accept comment "SSH"
 udp dport 60001-60100 counter accept comment "Mosh"
 udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
- meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
 tcp dport { http, https } counter accept comment "HTTP"
 tcp dport git counter accept comment "Git"
 tcp dport imaps counter accept comment "IMAPS"
diff --git a/hosts/patate/networking/nftables.nix b/hosts/patate/networking/nftables.nix
index f891169..01bfd37 100644
--- a/hosts/patate/networking/nftables.nix
+++ b/hosts/patate/networking/nftables.nix
@@ -48,7 +48,6 @@ in
 tcp dport { ssh, 2222, 20022 } counter accept comment "SSH"
 udp dport 60001-60100 counter accept comment "Mosh"
 udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
- meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
 tcp dport { http, https } counter accept comment "HTTP"
 tcp dport git counter accept comment "Git"
 tcp dport imaps counter accept comment "IMAPS"
diff --git a/nixos/profiles/dnscrypt-proxy2.nix b/nixos/profiles/dnscrypt-proxy2.nix
index dbc1e79..14f4e3e 100644
--- a/nixos/profiles/dnscrypt-proxy2.nix
+++ b/nixos/profiles/dnscrypt-proxy2.nix
@@ -1,4 +1,5 @@
-{ lib, ... }:
+{ lib, config, ... }:
+let inherit (config) users; in
 with lib;
 {
 networking = {
@@ -60,4 +61,11 @@ with lib;
 use_syslog = true;
 };
 };
+ networking.nftables.ruleset = ''
+ table inet filter {
+ chain output-net {
+ meta l4proto { udp, tcp } th dport domain skuid ${users.users.dnscrypt-proxy2.name} counter accept comment "DHCP"
+ }
+ }
+ '';
 }
diff --git a/nixpkgs/patches.nix b/nixpkgs/patches.nix
index 950a2fc..2611c0f 100644
--- a/nixpkgs/patches.nix
+++ b/nixpkgs/patches.nix
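Review bot: The rule added to `chain output-net` is tagged `comment "DHCP"` but it matches `th dport domain` (port 53) for the dnscrypt-proxy2 user, so the label is wrong and should read `comment "dnscrypt-proxy2"`, like the per-host rules this commit deletes. It is also narrower than those rules, which accepted any destination port for `skuid dnscrypt-proxy2`: DNSCrypt and DoH upstreams commonly listen on 443 or other non-53 ports, so unless every resolver configured in this profile (not visible in the hunk) is on port 53, their queries will now be dropped by the output chain once the host rules are gone. Either keep the uid-only match, `meta l4proto { udp, tcp } skuid ${users.users.dnscrypt-proxy2.name} counter accept comment "dnscrypt-proxy2"`, or widen the port set to what the configured servers actually use. `skuid` by name also needs a static uid that is resolvable when the ruleset is loaded, which a DynamicUser service does not provide; this presumably depends on the nixpkgs patch pulled in by the same commit, and a one-line comment above the rule saying so would spare the next reader a hunt. The `table inet filter` / `chain output-net` this fragment merges into are declared outside this file.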
@@ -9,6 +9,11 @@
 url = "https://github.com/NixOS/nixpkgs/pull/276014.diff";
 sha256 = "sha256-SUftUE++06TqRmK88VxQKiI9NaJs7XtC8I97ScQHF/Y=";
 }
+ {
+ meta.description = "dnscrypt-proxy2";
+ url = "https://github.com/NixOS/nixpkgs/pull/304810.diff";
+ sha256 = "sha256-YGQZibCIKz7YYS1bw2QNtHbJPWWV6nZqWwddWsAFK5Q=";
+ }
 /*
 {
 meta.description = "nixos/syncoid: enable N:N dataset mappings";
-- 2.47.0
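Review bot: The new entry pins `https://github.com/NixOS/nixpkgs/pull/304810.diff` by `sha256`, which is the right supply-chain control, but a PR `.diff` URL is not immutable — GitHub regenerates it whenever the PR is pushed to, rebased or merged — so this fetch will start failing closed at some arbitrary later date. Pinning an immutable URL instead (a commit `.patch`, or `compare/<base>...<sha>.diff`) keeps the hash stable; the existing `276014.diff` entry above has the same exposure. `meta.description = "dnscrypt-proxy2"` only names the package the patch touches; a description of what it changes (the commit title suggests nftables support, presumably the static user the new `skuid` rule needs) would help whoever has to rebase or drop these patches later.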