# NixOS module for tcpcrypt: opportunistic, best-effort TCP encryption.
# When enabled it creates the tcpcryptd account, diverts TCP traffic to the
# daemon through NFQUEUE rules in the raw (PREROUTING) and mangle
# (POSTROUTING) tables, and turns ECN off for the lifetime of the service.
{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib) mkIf mkOption types;

  cfg = config.networking.tcpcrypt;
in
{

  ###### interface

  options.networking.tcpcrypt.enable = mkOption {
    type = types.bool;
    default = false;
    description = ''
      Whether to enable opportunistic TCP encryption. If the other end
      speaks Tcpcrypt, then your traffic will be encrypted; otherwise
      it will be sent in clear text. Thus, Tcpcrypt alone provides no
      guarantees -- it is best effort. If, however, a Tcpcrypt
      connection is successful and any attackers that exist are
      passive, then Tcpcrypt guarantees privacy.
    '';
  };

  ###### implementation

  config = mkIf cfg.enable {

    # Dedicated account with a fixed uid. The unit below sets no User= and
    # therefore starts as root; presumably tcpcryptd drops to this user on
    # its own after opening the netfilter queue -- confirm against the
    # daemon. NOTE(review): neither `group` nor `isSystemUser` is set here.
    users.users.tcpcryptd = {
      uid = config.ids.uids.tcpcryptd;
      description = "tcpcrypt daemon user";
    };

    systemd.services.tcpcrypt = {
      description = "tcpcrypt";

      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      # preStart/postStop invoke iptables, sysctl (procps) and the daemon
      # by bare name, so all three packages must be on the unit's PATH.
      path = [
        pkgs.iptables
        pkgs.tcpcrypt
        pkgs.procps
      ];

      # Set-up, executed as root before the daemon:
      #  * create the runtime directory owned by the daemon user;
      #  * save the current net.ipv4.tcp_ecn value and force ECN off
      #    (the saved value is restored in postStop);
      #  * install two chains that hand TCP packets to NFQUEUE 666 --
      #    inbound via raw/PREROUTING, outbound via mangle/POSTROUTING.
      # `--mark 0x0/0x10` queues only packets whose fwmark bit 0x10 is
      # clear; the daemon is started with `-x 0x10` below, so the two values
      # must stay in sync (the daemon-side meaning of -x is not visible in
      # this file -- confirm before changing either).
      # The `iptables -N` calls are unguarded: if a chain named
      # nixos-tcpcrypt already exists, preStart fails and the unit does not
      # start; postStop is the only place the chains are removed.
      preStart = ''
        mkdir -p /run/tcpcryptd
        chown tcpcryptd /run/tcpcryptd
        sysctl -n net.ipv4.tcp_ecn > /run/tcpcryptd/pre-tcpcrypt-ecn-state
        sysctl -w net.ipv4.tcp_ecn=0

        iptables -t raw -N nixos-tcpcrypt
        iptables -t raw -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
        iptables -t raw -I PREROUTING -j nixos-tcpcrypt

        iptables -t mangle -N nixos-tcpcrypt
        iptables -t mangle -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
        iptables -t mangle -I POSTROUTING -j nixos-tcpcrypt
      '';

      # Only the mark bit is passed to the daemon; no queue number is given,
      # so it relies on its default, which has to match the 666 used in the
      # rules above.
      script = "tcpcryptd -x 0x10";

      # Best-effort teardown (every iptables step is `|| true`): restore the
      # saved ECN setting if the state file exists, detach the chains from
      # PREROUTING/POSTROUTING, then flush and delete them.
      postStop = ''
        if [ -f /run/tcpcryptd/pre-tcpcrypt-ecn-state ]; then
          sysctl -w net.ipv4.tcp_ecn=$(cat /run/tcpcryptd/pre-tcpcrypt-ecn-state)
        fi

        iptables -t mangle -D POSTROUTING -j nixos-tcpcrypt || true
        iptables -t raw -D PREROUTING -j nixos-tcpcrypt || true

        iptables -t raw -F nixos-tcpcrypt || true
        iptables -t raw -X nixos-tcpcrypt || true

        iptables -t mangle -F nixos-tcpcrypt || true
        iptables -t mangle -X nixos-tcpcrypt || true
      '';
    };
  };
}