clerie/nixfiles
1
0
Fork 0
Code Activity
Files
a7255e67419680d2c2b9f445f9a592295b5eb703
nixfiles/profiles/ds-lite/default.nix

151 lines
3.9 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.profiles.clerie.ds-lite;
dsLiteDhcpcdConfig = ''
allowinterfaces ${cfg.wanInterfaceName} ${concatMapStringsSep " " (interface: interface.name) cfg.lanInterfaces}
option dhcp6_name_servers
option dhcp6_aftr_name
waitip 6
ipv6only
ipv6ra_noautoconf
noipv6rs
interface ${cfg.wanInterfaceName}
ipv6ra_autoconf
ipv6rs
ia_pd 1/::/48 ${concatMapStringsSep " " (interface: "${interface.name}/${toString interface.sla_id}/${toString interface.prefix_len}") cfg.lanInterfaces}
${concatMapStrings (interface: ''
interface ${interface.name}
nolink
'') cfg.lanInterfaces}
'';
dsLiteDhcpcdConfigFile = pkgs.writeTextFile {
name = "dhcpcd.conf";
text = dsLiteDhcpcdConfig;
};
dsLiteDhcpcdHookWrapperFile = pkgs.writeShellScript "ds-lite-dhcpcd-hook-wrapper" ''
DS_LITE_WAN_INTERFACE_NAME=${lib.escapeShellArg cfg.wanInterfaceName};
export DS_LITE_WAN_INTERFACE_NAME
DS_LITE_TUNNEL_INTERFACE_NAME=${lib.escapeShellArg cfg.tunnelInterfaceName};
export DS_LITE_TUNNEL_INTERFACE_NAME
exec ${lib.getExe pkgs.ds-lite-dhcpcd-hook}
'';
in {
options.profiles.clerie.ds-lite = {
enable = mkEnableOption "DS-Lite setup";
wanInterfaceName = mkOption {
type = types.str;
description = "Interface with IPv6 connectivity to provider";
};
tunnelInterfaceName = mkOption {
type = types.str;
description = "Interface with IPv4 connectivity to provider";
};
lanInterfaces = mkOption {
type = with types; listOf (submodule ({ ... }: {
options = {
name = mkOption {
type = types.str;
};
sla_id = mkOption {
type = types.ints.unsigned;
};
prefix_len = mkOption {
type = types.ints.between 48 128;
};
};
}));
default = [];
description = "Interfaces to provisn with an IPv6 prefix";
};
};
config = mkIf cfg.enable {
systemd.services.ds-lite-dhcpcd = {
description = "DS-Lite dhcpcd";
wantedBy = [ "multi-user.target" ];
environment = {
};
serviceConfig = {
Type = "simple";
User = "ds-lite";
Group = "ds-lite";
StateDirectory = "ds-lite-dhcpcd";
RuntimeDirectory = "ds-lite-dhcpcd";
ExecStart = "${pkgs.ds-lite-dhcpcd}/bin/dhcpcd --ipv6only --nobackground --config ${dsLiteDhcpcdConfigFile} --script ${dsLiteDhcpcdHookWrapperFile}";
Restart = "always";
AmbientCapabilities = [
"CAP_NET_ADMIN"
"CAP_NET_RAW"
"CAP_NET_BIND_SERVICE"
];
ReadWritePaths = [
"/proc/sys/net/ipv6"
];
DeviceAllow = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = false;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = "tmpfs"; # allow exceptions to be added to ReadOnlyPaths, etc.
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_PACKET"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallFilter = [
"@system-service"
"~@keyring"
"~@memlock"
"~@mount"
];
SystemCallArchitectures = "native";
UMask = "0027";
};
};
users.users.ds-lite = {
isSystemUser = true;
group = "ds-lite";
};
users.groups.ds-lite = { };
};
}
View Git Blame Copy Permalink