Loading nixos/modules/services/networking/nebula.nix +45 −7 Original line number Diff line number Diff line Loading @@ -84,6 +84,28 @@ in description = "Whether this node is a relay."; }; lighthouse.dns.enable = lib.mkOption { type = lib.types.bool; default = false; description = "Whether this lighthouse node should serve DNS."; }; lighthouse.dns.host = lib.mkOption { type = lib.types.str; default = "localhost"; description = '' IP address on which nebula lighthouse should serve DNS. 'localhost' is a good default to ensure the service does not listen on public interfaces; use a Nebula address like 10.0.0.5 to make DNS resolution available to nebula hosts only. ''; }; lighthouse.dns.port = lib.mkOption { type = lib.types.nullOr lib.types.port; default = 5353; description = "UDP port number for lighthouse DNS server."; }; lighthouses = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ ]; Loading Loading @@ -172,10 +194,7 @@ in ''; example = lib.literalExpression '' { lighthouse.dns = { host = "0.0.0.0"; port = 53; }; lighthouse.interval = 15; } ''; }; Loading Loading @@ -203,6 +222,9 @@ in lighthouse = { am_lighthouse = netCfg.isLighthouse; hosts = netCfg.lighthouses; serve_dns = netCfg.lighthouse.dns.enable; dns.host = netCfg.lighthouse.dns.host; dns.port = netCfg.lighthouse.dns.port; }; relay = { am_relay = netCfg.isRelay; Loading Loading @@ -231,6 +253,19 @@ in '' settings ); capabilities = let nebulaPort = if !settings.tun.disabled then settings.listen.port else 0; dnsPort = if settings.lighthouse.serve_dns then settings.lighthouse.dns.port else 0; in lib.concatStringsSep " " ( # creation of tunnel interfaces lib.optional (!settings.tun.disabled) "CAP_NET_ADMIN" # binding to privileged ports ++ lib.optional ( nebulaPort > 0 && nebulaPort < 1024 || dnsPort > 0 && dnsPort < 1024 ) "CAP_NET_BIND_SERVICE" ); in { # Create the systemd service for Nebula. Loading @@ -248,8 +283,8 @@ in Restart = "always"; ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}"; UMask = "0027"; CapabilityBoundingSet = "CAP_NET_ADMIN"; AmbientCapabilities = "CAP_NET_ADMIN"; CapabilityBoundingSet = capabilities; AmbientCapabilities = capabilities; LockPersonality = true; NoNewPrivileges = true; PrivateDevices = false; # needs access to /dev/net/tun (below) Loading Loading @@ -302,5 +337,8 @@ in ); }; meta.maintainers = with lib.maintainers; [ numinit ]; meta.maintainers = with lib.maintainers; [ numinit siriobalmelli ]; } nixos/tests/nebula.nix +14 −1 Original line number Diff line number Diff line Loading @@ -14,7 +14,10 @@ import ./make-test-python.nix ( lib.mkMerge [ { # Expose nebula for doing cert signing. environment.systemPackages = [ pkgs.nebula ]; environment.systemPackages = [ pkgs.dig pkgs.nebula ]; users.users.root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; services.openssh.enable = true; networking.firewall.enable = true; # Implicitly true, but let's make sure. Loading Loading @@ -51,6 +54,7 @@ import ./make-test-python.nix ( lighthouse = { ... }@args: makeNebulaNode args "lighthouse" { networking.firewall.allowedUDPPorts = [ 53 ]; networking.interfaces.eth1.ipv4.addresses = lib.mkForce [ { address = "192.168.1.1"; Loading @@ -77,6 +81,13 @@ import ./make-test-python.nix ( } ]; }; lighthouse = { dns = { enable = true; host = "10.0.100.1"; # bind to lighthouse interface port = 53; # answer on standard DNS port }; }; }; }; Loading Loading @@ -338,6 +349,8 @@ import ./make-test-python.nix ( # allowAny can ping the lighthouse, but not allowFromLighthouse because of its inbound firewall allowAny.succeed("ping -c3 10.0.100.1") allowAny.fail("ping -c3 10.0.100.3") # allowAny can also resolve DNS on lighthouse allowAny.succeed("dig @10.0.100.1 allowToLighthouse | grep -E 'allowToLighthouse\.\s+[0-9]+\s+IN\s+A\s+10\.0\.100\.4'") # allowFromLighthouse can ping the lighthouse and allowAny allowFromLighthouse.succeed("ping -c3 10.0.100.1") Loading Loading
nixos/modules/services/networking/nebula.nix +45 −7 Original line number Diff line number Diff line Loading @@ -84,6 +84,28 @@ in description = "Whether this node is a relay."; }; lighthouse.dns.enable = lib.mkOption { type = lib.types.bool; default = false; description = "Whether this lighthouse node should serve DNS."; }; lighthouse.dns.host = lib.mkOption { type = lib.types.str; default = "localhost"; description = '' IP address on which nebula lighthouse should serve DNS. 'localhost' is a good default to ensure the service does not listen on public interfaces; use a Nebula address like 10.0.0.5 to make DNS resolution available to nebula hosts only. ''; }; lighthouse.dns.port = lib.mkOption { type = lib.types.nullOr lib.types.port; default = 5353; description = "UDP port number for lighthouse DNS server."; }; lighthouses = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ ]; Loading Loading @@ -172,10 +194,7 @@ in ''; example = lib.literalExpression '' { lighthouse.dns = { host = "0.0.0.0"; port = 53; }; lighthouse.interval = 15; } ''; }; Loading Loading @@ -203,6 +222,9 @@ in lighthouse = { am_lighthouse = netCfg.isLighthouse; hosts = netCfg.lighthouses; serve_dns = netCfg.lighthouse.dns.enable; dns.host = netCfg.lighthouse.dns.host; dns.port = netCfg.lighthouse.dns.port; }; relay = { am_relay = netCfg.isRelay; Loading Loading @@ -231,6 +253,19 @@ in '' settings ); capabilities = let nebulaPort = if !settings.tun.disabled then settings.listen.port else 0; dnsPort = if settings.lighthouse.serve_dns then settings.lighthouse.dns.port else 0; in lib.concatStringsSep " " ( # creation of tunnel interfaces lib.optional (!settings.tun.disabled) "CAP_NET_ADMIN" # binding to privileged ports ++ lib.optional ( nebulaPort > 0 && nebulaPort < 1024 || dnsPort > 0 && dnsPort < 1024 ) "CAP_NET_BIND_SERVICE" ); in { # Create the systemd service for Nebula. Loading @@ -248,8 +283,8 @@ in Restart = "always"; ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}"; UMask = "0027"; CapabilityBoundingSet = "CAP_NET_ADMIN"; AmbientCapabilities = "CAP_NET_ADMIN"; CapabilityBoundingSet = capabilities; AmbientCapabilities = capabilities; LockPersonality = true; NoNewPrivileges = true; PrivateDevices = false; # needs access to /dev/net/tun (below) Loading Loading @@ -302,5 +337,8 @@ in ); }; meta.maintainers = with lib.maintainers; [ numinit ]; meta.maintainers = with lib.maintainers; [ numinit siriobalmelli ]; }
nixos/tests/nebula.nix +14 −1 Original line number Diff line number Diff line Loading @@ -14,7 +14,10 @@ import ./make-test-python.nix ( lib.mkMerge [ { # Expose nebula for doing cert signing. environment.systemPackages = [ pkgs.nebula ]; environment.systemPackages = [ pkgs.dig pkgs.nebula ]; users.users.root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; services.openssh.enable = true; networking.firewall.enable = true; # Implicitly true, but let's make sure. Loading Loading @@ -51,6 +54,7 @@ import ./make-test-python.nix ( lighthouse = { ... }@args: makeNebulaNode args "lighthouse" { networking.firewall.allowedUDPPorts = [ 53 ]; networking.interfaces.eth1.ipv4.addresses = lib.mkForce [ { address = "192.168.1.1"; Loading @@ -77,6 +81,13 @@ import ./make-test-python.nix ( } ]; }; lighthouse = { dns = { enable = true; host = "10.0.100.1"; # bind to lighthouse interface port = 53; # answer on standard DNS port }; }; }; }; Loading Loading @@ -338,6 +349,8 @@ import ./make-test-python.nix ( # allowAny can ping the lighthouse, but not allowFromLighthouse because of its inbound firewall allowAny.succeed("ping -c3 10.0.100.1") allowAny.fail("ping -c3 10.0.100.3") # allowAny can also resolve DNS on lighthouse allowAny.succeed("dig @10.0.100.1 allowToLighthouse | grep -E 'allowToLighthouse\.\s+[0-9]+\s+IN\s+A\s+10\.0\.100\.4'") # allowFromLighthouse can ping the lighthouse and allowAny allowFromLighthouse.succeed("ping -c3 10.0.100.1") Loading
