netns: improve bridge setup
- Explain why we don't use option `networking.bridges` - Make the bridge setup service part of NixOS' network-setup.service. This yields no noticeable functional change for now, but it's conceptually cleaner to finish the network setup before network.target becomes active. - Add 'nb-' prefix to service name
parent
b7450877a0
commit
809e754851
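--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -99,6 +99,7 @@ in {
 services.tor.client.socksListenAddress = "${bridgeIp}:9050";
 networking.firewall.interfaces.nb-br.allowedTCPPorts = [ 9050 ];
 boot.kernel.sysctl."net.ipv4.ip_forward" = true;
+
 security.wrappers.netns-exec = {
 source = "${pkgs.nix-bitcoin.netns-exec}/netns-exec";
 capabilities = "cap_sys_admin=ep";
@@ -107,10 +108,18 @@ in {
 };
 
 systemd.services = {
-netns-bridge = {
-description = "Create bridge";
-requiredBy = [ "tor.service" ];
-before = [ "tor.service" ];
+# Due to a NixOS bug we can't currently use option `networking.bridges` to
+# setup the bridge while `networking.useDHCP` is enabled.
+nb-netns-bridge = {
+description = "nix-bitcoin netns bridge";
+wantedBy = [ "network-setup.service" ];
+partOf = [ "network-setup.service" ];
+before = [ "network-setup.service" ];
+after = [ "network-pre.target" ];
+serviceConfig = {
+Type = "oneshot";
+RemainAfterExit = "yes";
+};
 script = ''
 ${ip} link add name nb-br type bridge
 ${ip} link set nb-br up
@@ -121,10 +130,6 @@ in {
 ${iptables} -w -t nat -D POSTROUTING -s 169.254.${toString cfg.addressblock}.0/24 -j MASQUERADE
 ${ip} link del nb-br
 '';
-serviceConfig = {
-Type = "oneshot";
-RemainAfterExit = "yes";
-};
 };
 } //
 (let
@@ -138,8 +143,8 @@ in {
 "${n}".serviceConfig.NetworkNamespacePath = "/var/run/netns/${netnsName}";
 
 "netns-${n}" = rec {
-requires = [ "netns-bridge.service" ];
-after = [ "netns-bridge.service" ];
+requires = [ "nb-netns-bridge.service" ];
+after = [ "nb-netns-bridge.service" ];
 bindsTo = [ "${n}.service" ];
 requiredBy = bindsTo;
 before = bindsTo;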
||||||
|