-rw-r--r-- | modules/misc/ids.nix | 1 | ||||
-rw-r--r-- | modules/module-list.nix | 1 | ||||
-rw-r--r-- | modules/services/networking/tcpcrypt.nix | 77 |
3 files changed, 79 insertions, 0 deletions
diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix
index ca1cc4dc1996..0dec1c8b1674 100644
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@@ -100,6 +100,7 @@
 amule = 90;
 minidlna = 91;
 elasticsearch = 92;
+ tcpcryptd = 666;
 # When adding a uid, make sure it doesn't match an existing gid.
diff --git a/modules/module-list.nix b/modules/module-list.nix
index 1c863c3d1d7f..717828fbd70d 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -148,6 +148,7 @@
 ./services/networking/dnsmasq.nix
 ./services/networking/ejabberd.nix
 ./services/networking/firewall.nix
+ ./services/networking/tcpcrypt.nix
 ./services/networking/flashpolicyd.nix
 ./services/networking/freenet.nix
 ./services/networking/git-daemon.nix
diff --git a/modules/services/networking/tcpcrypt.nix b/modules/services/networking/tcpcrypt.nix
new file mode 100644
index 000000000000..3d8eeab155f0
--- /dev/null
+++ b/modules/services/networking/tcpcrypt.nix
@@ -0,0 +1,77 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+
+ cfg = config.networking.tcpcrypt;
+
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ networking.tcpcrypt.enable = mkOption {
+ default = false;
+ description = ''
+ Whether to enable opportunistic TCP encryption. If the other end
+ speaks Tcpcrypt, then your traffic will be encrypted; otherwise
+ it will be sent in clear text. Thus, Tcpcrypt alone provides no
+ guarantees -- it is best effort. If, however, a Tcpcrypt
+ connection is successful and any attackers that exist are
+ passive, then Tcpcrypt guarantees privacy.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+
+ users.extraUsers = singleton {
+ name = "tcpcryptd";
+ uid = config.ids.uids.tcpcryptd;
+ description = "tcpcrypt daemon user";
+ };
+
+ jobs.tcpcrypt = {
+ description = "tcpcrypt";
+
+ startOn = "started network-interfaces";
+
+ path = [ pkgs.iptables pkgs.tcpcrypt pkgs.procps ];
+
+ preStart = ''
+ sysctl -n net.ipv4.tcp_ecn >/run/pre-tcpcrypt-ecn-state
+ sysctl -w net.ipv4.tcp_ecn=0
+
+ iptables -t raw -N nixos-tcpcrypt
+ iptables -t raw -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
+ iptables -t raw -I PREROUTING -j nixos-tcpcrypt
+
+ iptables -t mangle -N nixos-tcpcrypt
+ iptables -t mangle -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
+ iptables -t mangle -I POSTROUTING -j nixos-tcpcrypt
+ '';
+
+ exec = "tcpcryptd -x 0x10";
+
+ postStop = ''
+ if [ -f /run/pre-tcpcrypt-ecn-state ]; then
+ sysctl -w net.ipv4.tcp_ecn=$(cat /run/pre-tcpcrypt-ecn-state)
+ fi
+
+ iptables -t mangle -D POSTROUTING -j nixos-tcpcrypt || true
+ iptables -t raw -D PREROUTING -j nixos-tcpcrypt || true
+
+ iptables -t raw -F nixos-tcpcrypt || true
+ iptables -t raw -X nixos-tcpcrypt || true
+
+ iptables -t mangle -F nixos-tcpcrypt || true
+ iptables -t mangle -X nixos-tcpcrypt || true
+ '';
+ };
+ };
+
+}
|
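Review bot: The two NFQUEUE rules in preStart carry no `--queue-bypass`, so every TCP packet steered to queue 666 while tcpcryptd is not attached — in the window between preStart and exec, and for as long as the daemon stays down after a crash — is dropped by the kernel, which turns a daemon failure into a host-wide TCP outage that lasts until postStop tears the chains down. Appending `--queue-bypass` to both `-j NFQUEUE --queue-num 666` lines would let such packets pass in clear text instead, which is the "best effort" behaviour the option description already promises; a short comment next to the rules saying which failure mode was chosen and why would help whoever next touches this. preStart is also not re-runnable: `iptables -t raw -N nixos-tcpcrypt` fails if the chain survived an unclean stop, so the job cannot restart without manual cleanup; `iptables -t raw -N nixos-tcpcrypt 2>/dev/null || iptables -t raw -F nixos-tcpcrypt` (and the same for the mangle table) keeps the script idempotent.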