{ config, lib, pkgs, ... }:

with lib;

let

  tcpcryptCfg = config.networking.tcpcrypt;

  # Name of the chain this module creates in the raw and mangle tables.
  chain = "nixos-tcpcrypt";

  # NFQUEUE number the daemon is expected to listen on (matches the
  # --queue-num below; tcpcryptd's default queue is not visible here).
  queueNum = "666";

  # Rule appended to our chain: hand every TCP packet whose 0x10 mark bit
  # is clear to the daemon's queue. The mark bit is the one passed to
  # tcpcryptd via `-x 0x10`; presumably the daemon sets it on packets it has
  # already handled so they are not queued a second time -- verify against
  # the tcpcryptd man page.
  queueRule = table:
    "iptables -t ${table} -A ${chain} -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num ${queueNum}";

  # Flush and delete our chain in the given table, tolerating a chain that
  # is already gone (postStop must not fail on a partially set-up state).
  removeChain = table: ''
    iptables -t ${table} -F ${chain} || true
    iptables -t ${table} -X ${chain} || true
  '';

in

{

  ###### interface

  options = {

    networking.tcpcrypt.enable = mkOption {
      default = false;
      description = ''
        Whether to enable opportunistic TCP encryption. If the other end
        speaks Tcpcrypt, then your traffic will be encrypted; otherwise
        it will be sent in clear text. Thus, Tcpcrypt alone provides no
        guarantees -- it is best effort. If, however, a Tcpcrypt
        connection is successful and any attackers that exist are
        passive, then Tcpcrypt guarantees privacy.
      '';
    };
  };

  ###### implementation

  config = mkIf tcpcryptCfg.enable {

    # Unprivileged account owned by the daemon's runtime directory; the
    # service itself is started as root (no User= is set here).
    users.extraUsers = [
      {
        name = "tcpcryptd";
        uid = config.ids.uids.tcpcryptd;
        description = "tcpcrypt daemon user";
      }
    ];

    systemd.services.tcpcrypt = {
      description = "tcpcrypt";

      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # iptables and sysctl (from procps) are used by preStart/postStop,
      # tcpcryptd by the main script.
      path = with pkgs; [ iptables tcpcrypt procps ];

      # Runs before the daemon: prepare its runtime directory, record the
      # current ECN setting so postStop can restore it, disable ECN, and
      # install the NFQUEUE rules for incoming (raw/PREROUTING) and
      # outgoing (mangle/POSTROUTING) TCP. Note that the rules are in place
      # before tcpcryptd is listening on the queue.
      preStart = ''
        mkdir -p /var/run/tcpcryptd
        chown tcpcryptd /var/run/tcpcryptd
        sysctl -n net.ipv4.tcp_ecn >/run/pre-tcpcrypt-ecn-state
        sysctl -w net.ipv4.tcp_ecn=0

        iptables -t raw -N ${chain}
        ${queueRule "raw"}
        iptables -t raw -I PREROUTING -j ${chain}

        iptables -t mangle -N ${chain}
        ${queueRule "mangle"}
        iptables -t mangle -I POSTROUTING -j ${chain}
      '';

      # The -x argument must agree with the mark mask used in queueRule.
      script = "tcpcryptd -x 0x10";

      # Runs after the daemon stops (also after a failed start): put ECN
      # back to its recorded value, unhook our chains from PREROUTING and
      # POSTROUTING, then flush and delete them. Every iptables step is
      # best-effort so a half-installed state still gets cleaned up.
      postStop = ''
        if [ -f /run/pre-tcpcrypt-ecn-state ]; then
          sysctl -w net.ipv4.tcp_ecn=$(cat /run/pre-tcpcrypt-ecn-state)
        fi

        iptables -t mangle -D POSTROUTING -j ${chain} || true
        iptables -t raw -D PREROUTING -j ${chain} || true

        ${removeChain "raw"}
        ${removeChain "mangle"}
      '';
    };
  };

}