pyrox.dev / nixpkgs
lol
fork atom

nixos/nebula: don't run as root; support relays

Morgan Jones 90581c97 9f722762

options
unified split
Changed files
+66 -26
nixos
doc
manual
from_md
release-notes
rl-2305.section.xml
release-notes
rl-2305.section.md
modules
services
networking
nebula.nix
tests
nebula.nix
+22
nixos/doc/manual/from_md/release-notes/rl-2305.section.xml 
···

       
414

       
 

       
      </listitem>


     

       
415

       
 

       
      <listitem>


     

       
416

       
 

       
        <para>


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
417

       
 

       
          In <literal>mastodon</literal> it is now necessary to specify


     

       
418

       
 

       
          location of file with <literal>PostgreSQL</literal> database


     

       
419

       
 

       
          password. In


     
···

       
792

       
 

       
          <link xlink:href="options.html#opt-services.garage.package">services.garage.package</link>


     

       
793

       
 

       
          or upgrade accordingly


     

       
794

       
 

       
          <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>.


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
795

       
 

       
        </para>


     

       
796

       
 

       
      </listitem>


     

       
797

       
 

       
      <listitem>


     
···

       
414

       
 

       
      </listitem>


     

       
415

       
 

       
      <listitem>


     

       
416

       
 

       
        <para>


     

       
417

       
+

       
          Nebula now runs as a system user and group created for each


     

       
418

       
+

       
          nebula network, using the <literal>CAP_NET_ADMIN</literal>


     

       
419

       
+

       
          ambient capability on launch rather than starting as root.


     

       
420

       
+

       
          Ensure that any files each Nebula instance needs to access are


     

       
421

       
+

       
          owned by the correct user and group, by default


     

       
422

       
+

       
          <literal>nebula-${networkName}</literal>.


     

       
423

       
+

       
        </para>


     

       
424

       
+

       
      </listitem>


     

       
425

       
+

       
      <listitem>


     

       
426

       
+

       
        <para>


     

       
427

       
 

       
          In <literal>mastodon</literal> it is now necessary to specify


     

       
428

       
 

       
          location of file with <literal>PostgreSQL</literal> database


     

       
429

       
 

       
          password. In


     
···

       
802

       
 

       
          <link xlink:href="options.html#opt-services.garage.package">services.garage.package</link>


     

       
803

       
 

       
          or upgrade accordingly


     

       
804

       
 

       
          <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>.


     

       
805

       
+

       
        </para>


     

       
806

       
+

       
      </listitem>


     

       
807

       
+

       
      <listitem>


     

       
808

       
+

       
        <para>


     

       
809

       
+

       
          Nebula now supports the


     

       
810

       
+

       
          <literal>services.nebula.networks.&lt;name&gt;.isRelay</literal>


     

       
811

       
+

       
          and


     

       
812

       
+

       
          <literal>services.nebula.networks.&lt;name&gt;.relays</literal>


     

       
813

       
+

       
          configuration options for setting up or allowing traffic


     

       
814

       
+

       
          relaying. See the


     

       
815

       
+

       
          <link xlink:href="https://www.defined.net/blog/announcing-relay-support-in-nebula/">announcement</link>


     

       
816

       
+

       
          for more details about relays.


     

       
817

       
 

       
        </para>


     

       
818

       
 

       
      </listitem>


     

       
819

       
 

       
      <listitem>
+4
nixos/doc/manual/release-notes/rl-2305.section.md 
···

       
99

       
 

       



     

       
100

       
 

       
- The [services.wordpress.sites.&lt;name&gt;.plugins](#opt-services.wordpress.sites._name_.plugins) and [services.wordpress.sites.&lt;name&gt;.themes](#opt-services.wordpress.sites._name_.themes) options have been converted from sets to attribute sets to allow for consumers to specify explicit install paths via attribute name.


     

       
101

       
 

       



     

       

       

       
     

       

       

       
     

       
102

       
 

       
- In `mastodon` it is now necessary to specify location of file with `PostgreSQL` database password. In `services.mastodon.database.passwordFile` parameter default value `/var/lib/mastodon/secrets/db-password` has been changed to `null`.


     

       
103

       
 

       



     

       
104

       
 

       
- The `--target-host` and `--build-host` options of `nixos-rebuild` no longer treat the `localhost` value specially – to build on/deploy to local machine, omit the relevant flag.


     
···

       
196

       
 

       
  - Increased the minimum length of a response that will be gzipped.


     

       
197

       
 

       



     

       
198

       
 

       
- [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and force [services.garage.package](options.html#opt-services.garage.package) or upgrade accordingly [system.stateVersion](options.html#opt-system.stateVersion).


     

       

       

       
     

       

       

       
     

       
199

       
 

       



     

       
200

       
 

       
- `hip` has been separated into `hip`, `hip-common` and `hipcc`.


     

       
201

       
 

       



     
···

       
99

       
 

       



     

       
100

       
 

       
- The [services.wordpress.sites.&lt;name&gt;.plugins](#opt-services.wordpress.sites._name_.plugins) and [services.wordpress.sites.&lt;name&gt;.themes](#opt-services.wordpress.sites._name_.themes) options have been converted from sets to attribute sets to allow for consumers to specify explicit install paths via attribute name.


     

       
101

       
 

       



     

       
102

       
+

       
- Nebula now runs as a system user and group created for each nebula network, using the `CAP_NET_ADMIN` ambient capability on launch rather than starting as root. Ensure that any files each Nebula instance needs to access are owned by the correct user and group, by default `nebula-${networkName}`.


     

       
103

       
+

       



     

       
104

       
 

       
- In `mastodon` it is now necessary to specify location of file with `PostgreSQL` database password. In `services.mastodon.database.passwordFile` parameter default value `/var/lib/mastodon/secrets/db-password` has been changed to `null`.


     

       
105

       
 

       



     

       
106

       
 

       
- The `--target-host` and `--build-host` options of `nixos-rebuild` no longer treat the `localhost` value specially – to build on/deploy to local machine, omit the relevant flag.


     
···

       
198

       
 

       
  - Increased the minimum length of a response that will be gzipped.


     

       
199

       
 

       



     

       
200

       
 

       
- [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and force [services.garage.package](options.html#opt-services.garage.package) or upgrade accordingly [system.stateVersion](options.html#opt-system.stateVersion).


     

       
201

       
+

       



     

       
202

       
+

       
- Nebula now supports the `services.nebula.networks.<name>.isRelay` and `services.nebula.networks.<name>.relays` configuration options for setting up or allowing traffic relaying. See the [announcement](https://www.defined.net/blog/announcing-relay-support-in-nebula/) for more details about relays.


     

       
203

       
 

       



     

       
204

       
 

       
- `hip` has been separated into `hip`, `hip-common` and `hipcc`.


     

       
205
+31 -18
nixos/modules/services/networking/nebula.nix 
···

       
68

       
 

       
              description = lib.mdDoc "Whether this node is a lighthouse.";


     

       
69

       
 

       
            };


     

       
70

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
71

       
 

       
            lighthouses = mkOption {


     

       
72

       
 

       
              type = types.listOf types.str;


     

       
73

       
 

       
              default = [];


     

       
74

       
 

       
              description = lib.mdDoc ''


     

       
75

       
 

       
                List of IPs of lighthouse hosts this node should report to and query from. This should be empty on lighthouse


     

       
76

       
 

       
                nodes. The IPs should be the lighthouse's Nebula IPs, not their external IPs.


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
77

       
 

       
              '';


     

       
78

       
 

       
              example = [ "192.168.100.1" ];


     

       
79

       
 

       
            };


     
···

       
157

       
 

       
            am_lighthouse = netCfg.isLighthouse;


     

       
158

       
 

       
            hosts = netCfg.lighthouses;


     

       
159

       
 

       
          };


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
160

       
 

       
          listen = {


     

       
161

       
 

       
            host = netCfg.listen.host;


     

       
162

       
 

       
            port = netCfg.listen.port;


     
···

       
173

       
 

       
        configFile = format.generate "nebula-config-${netName}.yml" settings;


     

       
174

       
 

       
        in


     

       
175

       
 

       
        {


     

       
176

       
-

       
          # Create systemd service for Nebula.


     

       
177

       
 

       
          "nebula@${netName}" = {


     

       
178

       
 

       
            description = "Nebula VPN service for ${netName}";


     

       
179

       
 

       
            wants = [ "basic.target" ];


     

       
180

       
 

       
            after = [ "basic.target" "network.target" ];


     

       
181

       
 

       
            before = [ "sshd.service" ];


     

       
182

       
 

       
            wantedBy = [ "multi-user.target" ];


     

       
183

       
-

       
            serviceConfig = mkMerge [


     

       
184

       
-

       
              {


     

       
185

       
-

       
                Type = "simple";


     

       
186

       
-

       
                Restart = "always";


     

       
187

       
-

       
                ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";


     

       
188

       
-

       
              }


     

       
189

       
-

       
              # The service needs to launch as root to access the tun device, if it's enabled.


     

       
190

       
-

       
              (mkIf netCfg.tun.disable {


     

       
191

       
-

       
                User = networkId;


     

       
192

       
-

       
                Group = networkId;


     

       
193

       
-

       
              })


     

       
194

       
-

       
            ];


     

       
195

       
 

       
            unitConfig.StartLimitIntervalSec = 0; # ensure Restart=always is always honoured (networks can go down for arbitrarily long)


     

       
196

       
 

       
          };


     

       
197

       
 

       
        }) enabledNetworks);


     
···

       
202

       
 

       



     

       
203

       
 

       
    # Create the service users and groups.


     

       
204

       
 

       
    users.users = mkMerge (mapAttrsToList (netName: netCfg:


     

       
205

       
-

       
      mkIf netCfg.tun.disable {


     

       
206

       
 

       
        ${nameToId netName} = {


     

       
207

       
 

       
          group = nameToId netName;


     

       
208

       
 

       
          description = "Nebula service user for network ${netName}";


     
···

       
210

       
 

       
        };


     

       
211

       
 

       
      }) enabledNetworks);


     

       
212

       
 

       



     

       
213

       
-

       
    users.groups = mkMerge (mapAttrsToList (netName: netCfg:


     

       
214

       
-

       
      mkIf netCfg.tun.disable {


     

       
215

       
-

       
        ${nameToId netName} = {};


     

       
216

       
-

       
      }) enabledNetworks);


     

       
217

       
 

       
  };


     

       
218

       
 

       
}


     
···

       
68

       
 

       
              description = lib.mdDoc "Whether this node is a lighthouse.";


     

       
69

       
 

       
            };


     

       
70

       
 

       



     

       
71

       
+

       
            isRelay = mkOption {


     

       
72

       
+

       
              type = types.bool;


     

       
73

       
+

       
              default = false;


     

       
74

       
+

       
              description = lib.mdDoc "Whether this node is a relay.";


     

       
75

       
+

       
            };


     

       
76

       
+

       



     

       
77

       
 

       
            lighthouses = mkOption {


     

       
78

       
 

       
              type = types.listOf types.str;


     

       
79

       
 

       
              default = [];


     

       
80

       
 

       
              description = lib.mdDoc ''


     

       
81

       
 

       
                List of IPs of lighthouse hosts this node should report to and query from. This should be empty on lighthouse


     

       
82

       
 

       
                nodes. The IPs should be the lighthouse's Nebula IPs, not their external IPs.


     

       
83

       
+

       
              '';


     

       
84

       
+

       
              example = [ "192.168.100.1" ];


     

       
85

       
+

       
            };


     

       
86

       
+

       



     

       
87

       
+

       
            relays = mkOption {


     

       
88

       
+

       
              type = types.listOf types.str;


     

       
89

       
+

       
              default = [];


     

       
90

       
+

       
              description = lib.mdDoc ''


     

       
91

       
+

       
                List of IPs of relays that this node should allow traffic from.


     

       
92

       
 

       
              '';


     

       
93

       
 

       
              example = [ "192.168.100.1" ];


     

       
94

       
 

       
            };


     
···

       
172

       
 

       
            am_lighthouse = netCfg.isLighthouse;


     

       
173

       
 

       
            hosts = netCfg.lighthouses;


     

       
174

       
 

       
          };


     

       
175

       
+

       
          relay = {


     

       
176

       
+

       
            am_relay = netCfg.isRelay;


     

       
177

       
+

       
            relays = netCfg.relays;


     

       
178

       
+

       
          };


     

       
179

       
 

       
          listen = {


     

       
180

       
 

       
            host = netCfg.listen.host;


     

       
181

       
 

       
            port = netCfg.listen.port;


     
···

       
192

       
 

       
        configFile = format.generate "nebula-config-${netName}.yml" settings;


     

       
193

       
 

       
        in


     

       
194

       
 

       
        {


     

       
195

       
+

       
          # Create the systemd service for Nebula.


     

       
196

       
 

       
          "nebula@${netName}" = {


     

       
197

       
 

       
            description = "Nebula VPN service for ${netName}";


     

       
198

       
 

       
            wants = [ "basic.target" ];


     

       
199

       
 

       
            after = [ "basic.target" "network.target" ];


     

       
200

       
 

       
            before = [ "sshd.service" ];


     

       
201

       
 

       
            wantedBy = [ "multi-user.target" ];


     

       
202

       
+

       
            serviceConfig = {


     

       
203

       
+

       
              Type = "simple";


     

       
204

       
+

       
              Restart = "always";


     

       
205

       
+

       
              ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";


     

       
206

       
+

       
              CapabilityBoundingSet = "CAP_NET_ADMIN";


     

       
207

       
+

       
              AmbientCapabilities = "CAP_NET_ADMIN";


     

       
208

       
+

       
              User = networkId;


     

       
209

       
+

       
              Group = networkId;


     

       
210

       
+

       
            };


     

       

       

       
     

       

       

       
     

       

       

       
     

       
211

       
 

       
            unitConfig.StartLimitIntervalSec = 0; # ensure Restart=always is always honoured (networks can go down for arbitrarily long)


     

       
212

       
 

       
          };


     

       
213

       
 

       
        }) enabledNetworks);


     
···

       
218

       
 

       



     

       
219

       
 

       
    # Create the service users and groups.


     

       
220

       
 

       
    users.users = mkMerge (mapAttrsToList (netName: netCfg:


     

       
221

       
+

       
      {


     

       
222

       
 

       
        ${nameToId netName} = {


     

       
223

       
 

       
          group = nameToId netName;


     

       
224

       
 

       
          description = "Nebula service user for network ${netName}";


     
···

       
226

       
 

       
        };


     

       
227

       
 

       
      }) enabledNetworks);


     

       
228

       
 

       



     

       
229

       
+

       
    users.groups = mkMerge (mapAttrsToList (netName: netCfg: { ${nameToId netName} = {}; }) enabledNetworks);


     

       

       

       
     

       

       

       
     

       

       

       
     

       
230

       
 

       
  };


     

       
231

       
 

       
}
+9 -8
nixos/tests/nebula.nix 
···

       
123

       
 

       
  testScript = let


     

       
124

       
 

       



     

       
125

       
 

       
    setUpPrivateKey = name: ''


     

       
126

       
-

       
    ${name}.succeed(


     

       
127

       
-

       
        "mkdir -p /root/.ssh",


     

       
128

       
-

       
        "chown 700 /root/.ssh",


     

       
129

       
-

       
        "cat '${snakeOilPrivateKey}' > /root/.ssh/id_snakeoil",


     

       
130

       
-

       
        "chown 600 /root/.ssh/id_snakeoil",


     

       
131

       
-

       
    )


     

       

       

       
     

       
132

       
 

       
    '';


     

       
133

       
 

       



     

       
134

       
 

       
    # From what I can tell, StrictHostKeyChecking=no is necessary for ssh to work between machines.


     
···

       
154

       
 

       
      ${name}.succeed(


     

       
155

       
 

       
          "scp ${sshOpts} 192.168.1.1:/tmp/${name}.crt /etc/nebula/${name}.crt",


     

       
156

       
 

       
          "scp ${sshOpts} 192.168.1.1:/etc/nebula/ca.crt /etc/nebula/ca.crt",


     

       

       

       
     

       
157

       
 

       
      )


     

       
158

       
 

       
    '';


     

       
159

       
 

       



     

       
160

       
 

       
  in ''


     

       
161

       
-

       
    start_all()


     

       
162

       
-

       



     

       
163

       
 

       
    # Create the certificate and sign the lighthouse's keys.


     

       
164

       
 

       
    ${setUpPrivateKey "lighthouse"}


     

       
165

       
 

       
    lighthouse.succeed(


     

       
166

       
 

       
        "mkdir -p /etc/nebula",


     

       
167

       
 

       
        'nebula-cert ca -name "Smoke Test" -out-crt /etc/nebula/ca.crt -out-key /etc/nebula/ca.key',


     

       
168

       
 

       
        'nebula-cert sign -ca-crt /etc/nebula/ca.crt -ca-key /etc/nebula/ca.key -name "lighthouse" -groups "lighthouse" -ip "10.0.100.1/24" -out-crt /etc/nebula/lighthouse.crt -out-key /etc/nebula/lighthouse.key',


     

       

       

       
     

       
169

       
 

       
    )


     

       
170

       
 

       



     

       
171

       
 

       
    # Reboot the lighthouse and verify that the nebula service comes up on boot.


     
···

       
123

       
 

       
  testScript = let


     

       
124

       
 

       



     

       
125

       
 

       
    setUpPrivateKey = name: ''


     

       
126

       
+

       
      ${name}.start()


     

       
127

       
+

       
      ${name}.succeed(


     

       
128

       
+

       
          "mkdir -p /root/.ssh",


     

       
129

       
+

       
          "chown 700 /root/.ssh",


     

       
130

       
+

       
          "cat '${snakeOilPrivateKey}' > /root/.ssh/id_snakeoil",


     

       
131

       
+

       
          "chown 600 /root/.ssh/id_snakeoil",


     

       
132

       
+

       
      )


     

       
133

       
 

       
    '';


     

       
134

       
 

       



     

       
135

       
 

       
    # From what I can tell, StrictHostKeyChecking=no is necessary for ssh to work between machines.


     
···

       
155

       
 

       
      ${name}.succeed(


     

       
156

       
 

       
          "scp ${sshOpts} 192.168.1.1:/tmp/${name}.crt /etc/nebula/${name}.crt",


     

       
157

       
 

       
          "scp ${sshOpts} 192.168.1.1:/etc/nebula/ca.crt /etc/nebula/ca.crt",


     

       
158

       
+

       
          '(id nebula-smoke >/dev/null && chown -R nebula-smoke:nebula-smoke /etc/nebula) || true'


     

       
159

       
 

       
      )


     

       
160

       
 

       
    '';


     

       
161

       
 

       



     

       
162

       
 

       
  in ''


     

       

       

       
     

       

       

       
     

       
163

       
 

       
    # Create the certificate and sign the lighthouse's keys.


     

       
164

       
 

       
    ${setUpPrivateKey "lighthouse"}


     

       
165

       
 

       
    lighthouse.succeed(


     

       
166

       
 

       
        "mkdir -p /etc/nebula",


     

       
167

       
 

       
        'nebula-cert ca -name "Smoke Test" -out-crt /etc/nebula/ca.crt -out-key /etc/nebula/ca.key',


     

       
168

       
 

       
        'nebula-cert sign -ca-crt /etc/nebula/ca.crt -ca-key /etc/nebula/ca.key -name "lighthouse" -groups "lighthouse" -ip "10.0.100.1/24" -out-crt /etc/nebula/lighthouse.crt -out-key /etc/nebula/lighthouse.key',


     

       
169

       
+

       
        'chown -R nebula-smoke:nebula-smoke /etc/nebula'


     

       
170

       
 

       
    )


     

       
171

       
 

       



     

       
172

       
 

       
    # Reboot the lighthouse and verify that the nebula service comes up on boot.