colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

sane-vpn: port to sanebox/pasta (no more firejail)

Browse Source
This commit is contained in:
Colin
2024-05-25 10:09:10 +00:00
parent 7c6813ff37
commit a5e1a804c9
2 changed files with 14 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
hosts/common/programs/sane-scripts.nix
View File

@@ -230,6 +230,8 @@ in
priorityMain=${builtins.toString vpnCfg.priorityMain} priorityMain=${builtins.toString vpnCfg.priorityMain}
priorityFwMark=${builtins.toString vpnCfg.priorityFwMark} priorityFwMark=${builtins.toString vpnCfg.priorityFwMark}
bridgeDevice=${vpnCfg.bridgeDevice} bridgeDevice=${vpnCfg.bridgeDevice}
addrV4=${vpnCfg.addrV4}
name=${vpnCfg.name}
dns=(${lib.concatStringsSep " " vpnCfg.dns}) dns=(${lib.concatStringsSep " " vpnCfg.dns})
''; '';
} // (lib.optionalAttrs vpnCfg.isDefault { } // (lib.optionalAttrs vpnCfg.isDefault {
@@ -239,10 +241,11 @@ in
{} {}
(builtins.attrNames config.sane.vpn); (builtins.attrNames config.sane.vpn);
"sane-scripts.vpn".sandbox = { "sane-scripts.vpn".sandbox = {
method = "landlock"; #< bwrap can't handle `ip link` stuff even with cap_net_admin enable = false; #< bwrap can't handle `ip link`, and landlock can't handle bwrap/pasta for `sane-vpn do`
net = "all"; # method = "landlock"; #< bwrap can't handle `ip link` stuff even with cap_net_admin
capabilities = [ "net_admin" ]; # net = "all";
extraHomePaths = [ ".config/sane-vpn" ]; # capabilities = [ "net_admin" ];
# extraHomePaths = [ ".config/sane-vpn" ];
}; };
"sane-scripts.which".sandbox = { "sane-scripts.which".sandbox = {

10
pkgs/additional/sane-scripts/src/sane-vpn
View File

@@ -1,6 +1,8 @@
#!/usr/bin/env nix-shell #!/usr/bin/env nix-shell
#!nix-shell -i bash -p coreutils-full -p sane-scripts.ip-check #!nix-shell -i bash -p coreutils-full -p sane-scripts.ip-check
set -e
usageDescription() { usageDescription() {
echo "sane-vpn: tool to route all system internet traffic through some VPN, or just one application's" echo "sane-vpn: tool to route all system internet traffic through some VPN, or just one application's"
echo 'and, thanks to cap_net_admin, we can do all this without superuser!' echo 'and, thanks to cap_net_admin, we can do all this without superuser!'
@@ -50,6 +52,8 @@ sourceVpn() {
# - prioMain # - prioMain
# - prioFwMark # - prioFwMark
# - bridgeDevice # - bridgeDevice
# - addrV4
# - name
# - dns # - dns
debug "sourcing: ~/.config/sane-vpn/vpns/$1" debug "sourcing: ~/.config/sane-vpn/vpns/$1"
# TODO: don't blindly source this, but parse explicitly as `K=V` # TODO: don't blindly source this, but parse explicitly as `K=V`
@@ -95,10 +99,10 @@ vpnToggle() {
vpnDo() { vpnDo() {
debug "vpnDo with:" debug "vpnDo with:"
debug " bridgeDevice='$bridgeDevice'" debug " name='$name'"
debug " addrV4='$addrV4'"
debug " dns='$dns'" debug " dns='$dns'"
# TODO: switch to bwrap, or `sanebox`! sanebox --sanebox-method pastaonly --sanebox-net-dev "$name" --sanebox-net-gateway "$addrV4" --sanebox-dns "$dns" "$@"
firejail --noprofile --net="$bridgeDevice" --dns="$dns" "$@"
} }
usage() { usage() {