From 992194a1f05e5195d519599fb61c197e747f901e Mon Sep 17 00:00:00 2001
From: Colin
Date: Sun, 21 Jan 2024 03:45:39 +0000
Subject: [PATCH] programs: achieve network sandboxing without "sane-vpn do"

---
 modules/programs.nix | 7 +++++--
 modules/vpn.nix | 17 ++++++++++++-----
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/modules/programs.nix b/modules/programs.nix
index 81aac7ba..4baeaab5 100644
--- a/modules/programs.nix
+++ b/modules/programs.nix
@@ -38,7 +38,10 @@ let
 package
 else if net == "vpn" then
 let
- defaultVpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
+ vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
+ firejailFlags = [
+ "--net=${vpn.bridgeDevice}"
+ ] ++ (builtins.map (addr: "--dns=${addr}") vpn.dns);
 in
 # TODO: update the package's `.desktop` files to ensure they exec the sandboxed app.
 pkgs.symlinkJoin {
@@ -49,7 +52,7 @@ let
 unlink "$out/bin/$p"
 cat <> "$out/bin/$p"
 #!/bin/sh
- exec ${pkgs.sane-scripts.vpn}/bin/sane-vpn do ${defaultVpn.name} "${package}/bin/$p" "\$@"
+ exec ${pkgs.firejail}/bin/firejail ${lib.concatStringsSep " " firejailFlags} "${package}/bin/$p" "\$@"
 EOF
 chmod +x "$out/bin/$p"
 done
diff --git a/modules/vpn.nix b/modules/vpn.nix
index 48526acc..d7324d65 100644
--- a/modules/vpn.nix
+++ b/modules/vpn.nix
@@ -60,6 +60,13 @@ let
 dns servers to use for traffic associated with this VPN.
 '';
 };
+ bridgeDevice = mkOption {
+ type = types.str;
+ default = "br-${name}";
+ description = ''
+ name of the bridge net device which will be created and configured so as to route all its outbound traffic over the VPN.
+ '';
+ };
 privateKeyFile = mkOption {
 type = types.either types.str types.path;
 description = ''
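Review bot: `vpn` is `null` whenever `lib.findSingle` matches no VPN with `default = true` or more than one (both fallback arguments are `null`), and the very next added line dereferences `vpn.bridgeDevice` unguarded, so a host with zero default VPNs, or several sharing the lowest `id`, fails evaluation with an opaque "attribute missing" error that does not point at the sandboxing config. The old `defaultVpn.name` had the same latent problem, but since this line is being rewritten it is the place to fix it. `findSingle` evaluates its fallbacks lazily, so naming the failure costs one line: `vpn = lib.findSingle (v: v.default) (throw "sane.programs: net = \"vpn\" requires exactly one default sane.vpn, found none") (throw "sane.programs: net = \"vpn\" requires exactly one default sane.vpn, found several") (builtins.attrValues config.sane.vpn);`. The enclosing `let` that defines this binding starts outside the hunk.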
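Review bot: The firejail flags are spliced into the generated `sh` wrapper unquoted via `lib.concatStringsSep " " firejailFlags`, and `bridgeDevice` is a free-form `types.str` (the `--dns=` values likewise come straight from config), so a value containing whitespace or shell metacharacters is word-split or interpreted when the wrapper runs rather than passed to firejail as one argument. Since the flags are all static strings, quote them at build time: `exec ${pkgs.firejail}/bin/firejail ${lib.escapeShellArgs firejailFlags} "${package}/bin/$p" "\$@"`. Separately, and worth a comment on this line if it is intended: invoking firejail with only `--net`/`--dns` still lets it load a per-program or default profile from its profile directories based on the binary name, so the sandbox is likely more than network isolation; add `--noprofile` if only the network namespace is wanted. The surrounding `for` loop and heredoc begin outside the hunk.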
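Review bot: `bridgeDevice` is typed as a bare `types.str`, but the value becomes a kernel interface name (`netdevConfig.Name` in vpn.nix) and a firejail `--net=` argument, and Linux interface names are, to my knowledge, limited to 15 characters with no whitespace or `/`; the default `"br-${name}"` silently exceeds that for any VPN `name` longer than 12 characters, and a user-supplied value is not validated at all. Constrain it at the option so the failure is an evaluation error rather than a netdev that never comes up: `type = types.strMatching "[A-Za-z0-9_.-]{1,15}";`. At minimum the description should state the length limit and that the value is used verbatim as the device name. The enclosing option set continues outside the hunk.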
@@ -74,7 +81,7 @@ let
 default = builtins.all (other: config.id <= other.id) (builtins.attrValues cfg);
 };
 });
- mkVpnConfig = name: { id, dns, endpoint, publicKey, addrV4, privateKeyFile, ... }: let
+ mkVpnConfig = name: { id, dns, endpoint, publicKey, addrV4, privateKeyFile, bridgeDevice, ... }: let
 fwmark = id + 10000;
 bridgeAddrV4 = "10.20.${builtins.toString id}.1/24";
 in {
@@ -138,12 +145,12 @@ let
 linkConfig.RequiredForOnline = false;
 };
 
- systemd.network.netdevs."99-br-${name}" = {
+ systemd.network.netdevs."99-${bridgeDevice}" = {
 netdevConfig.Kind = "bridge";
- netdevConfig.Name = "br-${name}";
+ netdevConfig.Name = bridgeDevice;
 };
- systemd.network.networks."51-br-${name}" = {
- matchConfig.Name = "br-${name}";
+ systemd.network.networks."51-${bridgeDevice}" = {
+ matchConfig.Name = bridgeDevice;
 networkConfig.Description = "NATs inbound traffic to ${name}, intended for container isolation";
 networkConfig.Address = [ bridgeAddrV4 ];
 networkConfig.DNS = dns;
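Review bot: `matchConfig.Name = bridgeDevice;` now takes a user-supplied string, and systemd.network's `[Match] Name=` accepts glob patterns, so a `bridgeDevice` such as `br-*` would attach this unit's address, DNS and NAT handling to every matching bridge on the host rather than just the one created two lines above; if the option type in vpn.nix is tightened to a literal interface name this is moot, otherwise add a comment here noting the glob semantics, e.g. `# Name= is a glob; bridgeDevice must be a literal device name`. The `networkConfig.Description` string still says "intended for container isolation" while the commit now points firejail-wrapped programs at this bridge, so it would be worth updating to mention sandboxed programs as well. The `mkVpnConfig` attribute set this hunk belongs to continues outside the hunk.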