2014-04-14 15:26:48 +01:00
|
|
|
{ config, lib, pkgs, ... }:
|
2013-09-10 22:32:55 +01:00
|
|
|
|
2014-04-14 15:26:48 +01:00
|
|
|
with lib;
|
2013-09-10 22:32:55 +01:00
|
|
|
|
|
|
|
let
|
|
|
|
|
|
|
|
cfg = config.networking.tcpcrypt;
|
|
|
|
|
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
###### interface
|
|
|
|
|
|
|
|
options = {
|
|
|
|
|
|
|
|
networking.tcpcrypt.enable = mkOption {
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
Whether to enable opportunistic TCP encryption. If the other end
|
|
|
|
speaks Tcpcrypt, then your traffic will be encrypted; otherwise
|
|
|
|
it will be sent in clear text. Thus, Tcpcrypt alone provides no
|
|
|
|
guarantees -- it is best effort. If, however, a Tcpcrypt
|
|
|
|
connection is successful and any attackers that exist are
|
|
|
|
passive, then Tcpcrypt guarantees privacy.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
|
2019-09-14 18:51:29 +01:00
|
|
|
users.users.tcpcryptd = {
|
2013-09-10 22:32:55 +01:00
|
|
|
uid = config.ids.uids.tcpcryptd;
|
|
|
|
description = "tcpcrypt daemon user";
|
|
|
|
};
|
|
|
|
|
2016-01-06 06:50:18 +00:00
|
|
|
systemd.services.tcpcrypt = {
|
2013-09-10 22:32:55 +01:00
|
|
|
description = "tcpcrypt";
|
|
|
|
|
2016-01-06 06:50:18 +00:00
|
|
|
wantedBy = [ "multi-user.target" ];
|
2016-09-10 19:18:39 +01:00
|
|
|
after = [ "network.target" ];
|
2013-09-10 22:32:55 +01:00
|
|
|
|
|
|
|
path = [ pkgs.iptables pkgs.tcpcrypt pkgs.procps ];
|
|
|
|
|
|
|
|
preStart = ''
|
2018-01-06 12:57:35 +00:00
|
|
|
mkdir -p /run/tcpcryptd
|
|
|
|
chown tcpcryptd /run/tcpcryptd
|
|
|
|
sysctl -n net.ipv4.tcp_ecn > /run/tcpcryptd/pre-tcpcrypt-ecn-state
|
2013-09-10 22:32:55 +01:00
|
|
|
sysctl -w net.ipv4.tcp_ecn=0
|
|
|
|
|
|
|
|
iptables -t raw -N nixos-tcpcrypt
|
|
|
|
iptables -t raw -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
|
|
|
|
iptables -t raw -I PREROUTING -j nixos-tcpcrypt
|
|
|
|
|
|
|
|
iptables -t mangle -N nixos-tcpcrypt
|
|
|
|
iptables -t mangle -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
|
|
|
|
iptables -t mangle -I POSTROUTING -j nixos-tcpcrypt
|
|
|
|
'';
|
|
|
|
|
2016-01-06 06:50:18 +00:00
|
|
|
script = "tcpcryptd -x 0x10";
|
2013-09-10 22:32:55 +01:00
|
|
|
|
|
|
|
postStop = ''
|
2018-01-06 12:57:35 +00:00
|
|
|
if [ -f /run/tcpcryptd/pre-tcpcrypt-ecn-state ]; then
|
|
|
|
sysctl -w net.ipv4.tcp_ecn=$(cat /run/tcpcryptd/pre-tcpcrypt-ecn-state)
|
2013-09-10 22:32:55 +01:00
|
|
|
fi
|
|
|
|
|
|
|
|
iptables -t mangle -D POSTROUTING -j nixos-tcpcrypt || true
|
|
|
|
iptables -t raw -D PREROUTING -j nixos-tcpcrypt || true
|
|
|
|
|
|
|
|
iptables -t raw -F nixos-tcpcrypt || true
|
|
|
|
iptables -t raw -X nixos-tcpcrypt || true
|
|
|
|
|
|
|
|
iptables -t mangle -F nixos-tcpcrypt || true
|
|
|
|
iptables -t mangle -X nixos-tcpcrypt || true
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
}
|