netns: improve bridge setup

- Explain why we don't use option `networking.bridges`
- Make the bridge setup service part of NixOS' network-setup.service.
  This yields no noticeable functional changes for now, but it's
  conceptually cleaner to finish the network setup before network.target
  becomes active.
- Add 'nb-' prefix to service name
This commit is contained in:
Erik Arvstedt 2020-08-21 22:36:05 +02:00
parent b7450877a0
commit 809e754851
No known key found for this signature in database
GPG Key ID: 33312B944DD97846


@ -99,6 +99,7 @@ in {
services.tor.client.socksListenAddress = "${bridgeIp}:9050"; services.tor.client.socksListenAddress = "${bridgeIp}:9050";
networking.firewall.interfaces.nb-br.allowedTCPPorts = [ 9050 ]; networking.firewall.interfaces.nb-br.allowedTCPPorts = [ 9050 ];
boot.kernel.sysctl."net.ipv4.ip_forward" = true; boot.kernel.sysctl."net.ipv4.ip_forward" = true;
security.wrappers.netns-exec = { security.wrappers.netns-exec = {
source = "${pkgs.nix-bitcoin.netns-exec}/netns-exec"; source = "${pkgs.nix-bitcoin.netns-exec}/netns-exec";
capabilities = "cap_sys_admin=ep"; capabilities = "cap_sys_admin=ep";
@ -107,10 +108,18 @@ in {
}; };
systemd.services = { systemd.services = {
netns-bridge = { # Due to a NixOS bug we can't currently use option `networking.bridges` to
description = "Create bridge"; # setup the bridge while `networking.useDHCP` is enabled.
requiredBy = [ "tor.service" ]; nb-netns-bridge = {
before = [ "tor.service" ]; description = "nix-bitcoin netns bridge";
wantedBy = [ "network-setup.service" ];
partOf = [ "network-setup.service" ];
before = [ "network-setup.service" ];
after = [ "network-pre.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
};
script = '' script = ''
${ip} link add name nb-br type bridge ${ip} link add name nb-br type bridge
${ip} link set nb-br up ${ip} link set nb-br up
@ -121,10 +130,6 @@ in {
${iptables} -w -t nat -D POSTROUTING -s 169.254.${toString cfg.addressblock}.0/24 -j MASQUERADE ${iptables} -w -t nat -D POSTROUTING -s 169.254.${toString cfg.addressblock}.0/24 -j MASQUERADE
${ip} link del nb-br ${ip} link del nb-br
''; '';
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
};
}; };
} // } //
(let (let
@ -138,8 +143,8 @@ in {
"${n}".serviceConfig.NetworkNamespacePath = "/var/run/netns/${netnsName}"; "${n}".serviceConfig.NetworkNamespacePath = "/var/run/netns/${netnsName}";
"netns-${n}" = rec { "netns-${n}" = rec {
requires = [ "netns-bridge.service" ]; requires = [ "nb-netns-bridge.service" ];
after = [ "netns-bridge.service" ]; after = [ "nb-netns-bridge.service" ];
bindsTo = [ "${n}.service" ]; bindsTo = [ "${n}.service" ];
requiredBy = bindsTo; requiredBy = bindsTo;
before = bindsTo; before = bindsTo;