From 809e75485169c4761ee438807df55eacd20731de Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Fri, 21 Aug 2020 22:36:05 +0200
Subject: [PATCH] netns: improve bridge setup

- Explain why we don't use option `networking.bridges`
- Make the bridge setup service part of NixOS' network-setup.service. This yields no noticable functional changes for now, but it's conceptually cleaner to finish the network setup before network.target becomes active.
- Add 'nb-' prefix to service name
---
 modules/netns-isolation.nix | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index 1d39d40..5a19914 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -99,6 +99,7 @@ in {
 services.tor.client.socksListenAddress = "${bridgeIp}:9050";
 networking.firewall.interfaces.nb-br.allowedTCPPorts = [ 9050 ];
 boot.kernel.sysctl."net.ipv4.ip_forward" = true;
+
 security.wrappers.netns-exec = {
 source = "${pkgs.nix-bitcoin.netns-exec}/netns-exec";
 capabilities = "cap_sys_admin=ep";
@@ -107,10 +108,18 @@ in {
 };
 systemd.services = {
- netns-bridge = {
- description = "Create bridge";
- requiredBy = [ "tor.service" ];
- before = [ "tor.service" ];
+ # Due to a NixOS bug we can't currently use option `networking.bridges` to
+ # setup the bridge while `networking.useDHCP` is enabled.
+ nb-netns-bridge = {
+ description = "nix-bitcoin netns bridge";
+ wantedBy = [ "network-setup.service" ];
+ partOf = [ "network-setup.service" ];
+ before = [ "network-setup.service" ];
+ after = [ "network-pre.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ };
 script = ''
 ${ip} link add name nb-br type bridge
 ${ip} link set nb-br up
@@ -121,10 +130,6 @@ in {
 ${iptables} -w -t nat -D POSTROUTING -s 169.254.${toString cfg.addressblock}.0/24 -j MASQUERADE
 ${ip} link del nb-br
 '';
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = "yes";
- };
 };
 } // (let
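Review bot: The new `partOf = [ "network-setup.service" ];` line in the nb-netns-bridge unit ties this oneshot's lifetime to network-setup.service, so a stop or restart of that unit (for instance after a network config change on rebuild) is propagated to the bridge unit, whose teardown script, whose tail is visible as context in the later hunk, deletes nb-br and the MASQUERADE rule; through the `requires = [ "nb-netns-bridge.service" ];` added in the final hunk that would, as far as I can tell, also restart every netns-* unit and the services bound to them, which is a functional change the commit message says does not occur. If that coupling is intended, state it in the comment above the unit; otherwise `wantedBy` plus `before` already give the "finish before network-setup" ordering without the restart propagation. The `# Due to a NixOS bug` comment should also name the bug so the workaround can be retired once it is fixed, e.g. `# Due to NixOS issue <ISSUE-ID> we can't currently use option ...` with the real issue reference. The script and teardown bodies this unit attaches to continue outside the hunk.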
@@ -138,8 +143,8 @@ in {
 "${n}".serviceConfig.NetworkNamespacePath = "/var/run/netns/${netnsName}";
 "netns-${n}" = rec {
- requires = [ "netns-bridge.service" ];
- after = [ "netns-bridge.service" ];
+ requires = [ "nb-netns-bridge.service" ];
+ after = [ "nb-netns-bridge.service" ];
 bindsTo = [ "${n}.service" ];
 requiredBy = bindsTo;
 before = bindsTo;