programs: achieve network sandboxing without "sane-vpn do"

2024-01-21 03:45:39 +00:00 · 2024-01-21 03:45:39 +00:00 · 992194a1f0
commit 992194a1f0
parent bad6a7bfee
2 changed files with 17 additions and 7 deletions
--- a/modules/programs.nix
+++ b/modules/programs.nix
@ -38,7 +38,10 @@ let
      package
    else if net == "vpn" then
      let
-        defaultVpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
+        vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
+        firejailFlags = [
+          "--net=${vpn.bridgeDevice}"
+        ] ++ (builtins.map (addr: "--dns=${addr}") vpn.dns);
      in
        # TODO: update the package's `.desktop` files to ensure they exec the sandboxed app.
        pkgs.symlinkJoin {
@ -49,7 +52,7 @@ let
              unlink "$out/bin/$p"
              cat <<EOF >> "$out/bin/$p"
            #!/bin/sh
-            exec ${pkgs.sane-scripts.vpn}/bin/sane-vpn do ${defaultVpn.name} "${package}/bin/$p" "\$@"
+            exec ${pkgs.firejail}/bin/firejail ${lib.concatStringsSep " " firejailFlags} "${package}/bin/$p" "\$@"
            EOF
              chmod +x "$out/bin/$p"
            done
--- a/modules/vpn.nix
+++ b/modules/vpn.nix
@ -60,6 +60,13 @@ let
          dns servers to use for traffic associated with this VPN.
        '';
      };
+      bridgeDevice = mkOption {
+        type = types.str;
+        default = "br-${name}";
+        description = ''
+          name of the bridge net device which will be created and configured so as to route all its outbound traffic over the VPN.
+        '';
+      };
      privateKeyFile = mkOption {
        type = types.either types.str types.path;
        description = ''
@ -74,7 +81,7 @@ let
      default = builtins.all (other: config.id <= other.id) (builtins.attrValues cfg);
    };
  });
-  mkVpnConfig = name: { id, dns, endpoint, publicKey, addrV4, privateKeyFile, ... }: let
+  mkVpnConfig = name: { id, dns, endpoint, publicKey, addrV4, privateKeyFile, bridgeDevice, ... }: let
    fwmark = id + 10000;
    bridgeAddrV4 = "10.20.${builtins.toString id}.1/24";
  in {
@ -138,12 +145,12 @@ let
      linkConfig.RequiredForOnline = false;
    };

-    systemd.network.netdevs."99-br-${name}" = {
+    systemd.network.netdevs."99-${bridgeDevice}" = {
      netdevConfig.Kind = "bridge";
-      netdevConfig.Name = "br-${name}";
+      netdevConfig.Name = bridgeDevice;
    };
-    systemd.network.networks."51-br-${name}" = {
-      matchConfig.Name = "br-${name}";
+    systemd.network.networks."51-${bridgeDevice}" = {
+      matchConfig.Name = bridgeDevice;
      networkConfig.Description = "NATs inbound traffic to ${name}, intended for container isolation";
      networkConfig.Address = [ bridgeAddrV4 ];
      networkConfig.DNS = dns;