From 73d2f99c28366f7375bb5e7a5b813c653198ee1d Mon Sep 17 00:00:00 2001
From: Sirio Balmelli
Date: Sun, 22 Dec 2024 00:14:46 +0100
Subject: [PATCH] nixos/nebula: add DNS options

Add the options:
- lighthouse.serve_dns
- lighthouse.dns.host
- lighthouse.dns.port

Improve systemd capabilities handling:
- do not give CAP_NET_ADMIN when tunnel interface is disabled
- give CAP_NET_BIND_SERVICE when DNS is enabled

Add self as maintainer: I'm using Nebula on NixOS in prod.

Signed-off-by: Sirio Balmelli
---
 nixos/modules/services/networking/nebula.nix | 39 ++++++++++++++++----
 1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix
index 35d7fafb43b576..fe077c774f7f0b 100644
--- a/nixos/modules/services/networking/nebula.nix
+++ b/nixos/modules/services/networking/nebula.nix
@@ -84,6 +84,24 @@ in
               description = "Whether this node is a relay.";
             };
 
+            lighthouse.serveDns = lib.mkOption {
+              type = lib.types.bool;
+              default = false;
+              description = "Whether this lighthouse node should serve DNS.";
+            };
+
+            lighthouse.dns.host = lib.mkOption {
+              type = lib.types.str;
+              default = "0.0.0.0";
+              description = "IP address on which nebula lighthouse should serve DNS.";
+            };
+
+            lighthouse.dns.port = lib.mkOption {
+              type = lib.types.nullOr lib.types.port;
+              default = 53;
+              description = "UDP port number for lighthouse DNS server.";
+            };
+
             lighthouses = lib.mkOption {
               type = lib.types.listOf lib.types.str;
               default = [ ];
@@ -172,10 +190,7 @@ in
               '';
               example = lib.literalExpression ''
                 {
-                  lighthouse.dns = {
-                    host = "0.0.0.0";
-                    port = 53;
-                  };
+                  lighthouse.interval = 15;
                 }
               '';
             };
@@ -203,6 +218,9 @@ in
                 lighthouse = {
                   am_lighthouse = netCfg.isLighthouse;
                   hosts = netCfg.lighthouses;
+                  serve_dns = netCfg.lighthouse.serveDns;
+                  dns.host = netCfg.lighthouse.dns.host;
+                  dns.port = netCfg.lighthouse.dns.port;
                 };
                 relay = {
                   am_relay = netCfg.isRelay;
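Review bot: The `lighthouse.dns.host` default of `"0.0.0.0"` binds the lighthouse's DNS responder on every interface of the host, including the public underlay, and neither that description nor the one on `lighthouse.serveDns` says so; the descriptions should state the exposure and that these keys only take effect on a node with `isLighthouse` set (inferred from the generated `am_lighthouse` key, not shown in this hunk). Suggested description for the host option: `"IP address to bind the lighthouse DNS server to. The default binds on all interfaces, including non-Nebula ones; use the node's Nebula overlay address to serve only the mesh."`. `lighthouse.dns.port` is `nullOr`, but the description says nothing about what `null` means, and the hunk at -203 emits the value into the generated config as-is; since `dns.host` is not nullable, use plain `lib.types.port` unless `null` has a defined meaning that the description then documents.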
@@ -231,6 +249,10 @@ in
               ''
               settings
             );
+            capabilities = lib.concatStringsSep " " (
+              (lib.optional (!settings.tun.disabled) "CAP_NET_ADMIN")
+              ++ (lib.optional settings.lighthouse.serve_dns "CAP_NET_BIND_SERVICE")
+            );
           in
           {
             # Create the systemd service for Nebula.
@@ -248,8 +270,8 @@ in
               Restart = "always";
               ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";
               UMask = "0027";
-              CapabilityBoundingSet = "CAP_NET_ADMIN";
-              AmbientCapabilities = "CAP_NET_ADMIN";
+              CapabilityBoundingSet = capabilities;
+              AmbientCapabilities = capabilities;
               LockPersonality = true;
               NoNewPrivileges = true;
               PrivateDevices = false; # needs access to /dev/net/tun (below)
@@ -302,5 +324,8 @@ in
     );
   };
 
-  meta.maintainers = with lib.maintainers; [ numinit ];
+  meta.maintainers = with lib.maintainers; [
+    numinit
+    siriobalmelli
+  ];
 }
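Review bot: `CAP_NET_BIND_SERVICE` is granted whenever `serve_dns` is true, even when `dns.port` is configured at or above 1024, where the capability is not needed; tightening the second `lib.optional` to `++ (lib.optional (settings.lighthouse.serve_dns && (settings.lighthouse.dns.port == null || settings.lighthouse.dns.port < 1024)) "CAP_NET_BIND_SERVICE")` keeps the grant only where binding actually requires it (the `null` case is kept conservative because nebula's default for an absent port is not visible here). The expression also assumes `settings.tun.disabled` is always present in the merged `settings`, which depends on the module's tun defaults outside this hunk; if that key can be absent, evaluation fails rather than falling back to the old behaviour. When both lists are empty the result is the empty string, which systemd, as far as I recall, treats as resetting the bounding and ambient sets to empty — the restrictive outcome, but worth stating in a comment such as `# empty string => no capabilities (systemd resets the set)`. The `let` binding this sits in opens before the hunk, and the same `capabilities` value is consumed in the hunk at -248.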