programs: achieve network sandboxing without "sane-vpn do"
This commit is contained in:
parent
bad6a7bfee
commit
992194a1f0
|
@ -38,7 +38,10 @@ let
|
||||||
package
|
package
|
||||||
else if net == "vpn" then
|
else if net == "vpn" then
|
||||||
let
|
let
|
||||||
defaultVpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
|
vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
|
||||||
|
firejailFlags = [
|
||||||
|
"--net=${vpn.bridgeDevice}"
|
||||||
|
] ++ (builtins.map (addr: "--dns=${addr}") vpn.dns);
|
||||||
in
|
in
|
||||||
# TODO: update the package's `.desktop` files to ensure they exec the sandboxed app.
|
# TODO: update the package's `.desktop` files to ensure they exec the sandboxed app.
|
||||||
pkgs.symlinkJoin {
|
pkgs.symlinkJoin {
|
||||||
|
@ -49,7 +52,7 @@ let
|
||||||
unlink "$out/bin/$p"
|
unlink "$out/bin/$p"
|
||||||
cat <<EOF >> "$out/bin/$p"
|
cat <<EOF >> "$out/bin/$p"
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
exec ${pkgs.sane-scripts.vpn}/bin/sane-vpn do ${defaultVpn.name} "${package}/bin/$p" "\$@"
|
exec ${pkgs.firejail}/bin/firejail ${lib.concatStringsSep " " firejailFlags} "${package}/bin/$p" "\$@"
|
||||||
EOF
|
EOF
|
||||||
chmod +x "$out/bin/$p"
|
chmod +x "$out/bin/$p"
|
||||||
done
|
done
|
||||||
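Review bot: The wrapper on the new `exec` line in the `@ -49,7 +52,7` hunk runs `${pkgs.firejail}/bin/firejail` straight from the Nix store, and a store binary can never be setuid; firejail needs root privileges to unshare the network namespace for `--net=`, so unless the firejail actually invoked is the setuid copy NixOS installs at `/run/wrappers/bin/firejail` when `programs.firejail.enable` is set, the sandbox will presumably refuse to start rather than silently fall back to the host network — worth confirming against the firejail package used here. The flags built in the `@ -38,7 +38,10` hunk are joined with `lib.concatStringsSep " "` and dropped unquoted into the generated shell script, so an address or device name containing whitespace or shell metacharacters would be word-split; `${lib.escapeShellArgs firejailFlags}` quotes each flag at no cost. `vpn` is `null` when no VPN has `default = true`, and `vpn.bridgeDevice` then fails with an opaque attribute-of-null error at evaluation time; `assert lib.assertMsg (vpn != null) "sane.vpn: no VPN has default = true";` before the `let` body makes the fail-closed behavior explicit. The enclosing `let` and the `for p` loop around the heredoc start and end outside these hunks.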
|
|
|
@ -60,6 +60,13 @@ let
|
||||||
dns servers to use for traffic associated with this VPN.
|
dns servers to use for traffic associated with this VPN.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
bridgeDevice = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "br-${name}";
|
||||||
|
description = ''
|
||||||
|
name of the bridge net device which will be created and configured so as to route all its outbound traffic over the VPN.
|
||||||
|
'';
|
||||||
|
};
|
||||||
privateKeyFile = mkOption {
|
privateKeyFile = mkOption {
|
||||||
type = types.either types.str types.path;
|
type = types.either types.str types.path;
|
||||||
description = ''
|
description = ''
|
||||||
|
@ -74,7 +81,7 @@ let
|
||||||
default = builtins.all (other: config.id <= other.id) (builtins.attrValues cfg);
|
default = builtins.all (other: config.id <= other.id) (builtins.attrValues cfg);
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
mkVpnConfig = name: { id, dns, endpoint, publicKey, addrV4, privateKeyFile, ... }: let
|
mkVpnConfig = name: { id, dns, endpoint, publicKey, addrV4, privateKeyFile, bridgeDevice, ... }: let
|
||||||
fwmark = id + 10000;
|
fwmark = id + 10000;
|
||||||
bridgeAddrV4 = "10.20.${builtins.toString id}.1/24";
|
bridgeAddrV4 = "10.20.${builtins.toString id}.1/24";
|
||||||
in {
|
in {
|
||||||
|
@ -138,12 +145,12 @@ let
|
||||||
linkConfig.RequiredForOnline = false;
|
linkConfig.RequiredForOnline = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.network.netdevs."99-br-${name}" = {
|
systemd.network.netdevs."99-${bridgeDevice}" = {
|
||||||
netdevConfig.Kind = "bridge";
|
netdevConfig.Kind = "bridge";
|
||||||
netdevConfig.Name = "br-${name}";
|
netdevConfig.Name = bridgeDevice;
|
||||||
};
|
};
|
||||||
systemd.network.networks."51-br-${name}" = {
|
systemd.network.networks."51-${bridgeDevice}" = {
|
||||||
matchConfig.Name = "br-${name}";
|
matchConfig.Name = bridgeDevice;
|
||||||
networkConfig.Description = "NATs inbound traffic to ${name}, intended for container isolation";
|
networkConfig.Description = "NATs inbound traffic to ${name}, intended for container isolation";
|
||||||
networkConfig.Address = [ bridgeAddrV4 ];
|
networkConfig.Address = [ bridgeAddrV4 ];
|
||||||
networkConfig.DNS = dns;
|
networkConfig.DNS = dns;
|
||||||
|
|
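Review bot: The new `bridgeDevice` option in the `@ -60,6 +60,13` hunk is typed `types.str`, but its value becomes a Linux interface name, which is limited to 15 characters and must not contain `/` or whitespace; a VPN `name` longer than 12 characters already pushes the default `br-${name}` past that limit, and the kernel/systemd-networkd then rejects the netdev, leaving the bridge (and the sandboxes that `--net=` onto it) without a network. The same string is interpolated into the unit names `99-${bridgeDevice}` and `51-${bridgeDevice}` in the `@ -138,12 +145,12` hunk, so a `/` in it would also break the generated file names. Tightening the type to `types.strMatching "[A-Za-z0-9_.-]{1,15}"` rejects both at evaluation time instead of at boot. The option description could also state that the bridge is the attachment point for sandboxed programs, so a reader knows why its name is configurable and why its routing must stay VPN-only. The `mkVpnConfig` body that consumes `bridgeDevice` starts in the `@ -74,7 +81,7` hunk and ends outside these hunks.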