nixos/nebula: add DNS options

Add the options: - lighthouse.serve_dns - lighthouse.dns.host - lighthouse.dns.port Improve systemd capabilities handling: - do not give CAP_NET_ADMIN when tunnel interface is disabled - give CAP_NET_BIND_SERVICE when DNS is enabled Add self as maintainer: I'm using Nebula on NixOS in prod. Signed-off-by: Sirio Balmelli <[email protected]>
NixOS · Dec 21, 2024 · ae7d05c · ae7d05c
1 parent da676f2
commit ae7d05c
Showing 1 changed file with 29 additions and 7 deletions.
diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix
@@ -84,6 +84,24 @@ in
                 description = "Whether this node is a relay.";
               };
 
+              lighthouse.serveDns = lib.mkOption {
+                type = lib.types.bool;
+                default = false;
+                description = "Whether this lighthouse node should serve DNS.";
+              };
+
+              lighthouse.dns.host = lib.mkOption {
+                type = lib.types.str;
+                default = "0.0.0.0";
+                description = "IP address on which nebula lighthouse should serve DNS.";
+              };
+
+              lighthouse.dns.port = lib.mkOption {
+                type = lib.types.nullOr lib.types.port;
+                default = 53;
+                description = "UDP port number for lighthouse DNS server.";
+              };
+
               lighthouses = lib.mkOption {
                 type = lib.types.listOf lib.types.str;
                 default = [ ];
@@ -172,10 +190,7 @@ in
                 '';
                 example = lib.literalExpression ''
                   {
-                    lighthouse.dns = {
-                      host = "0.0.0.0";
-                      port = 53;
-                    };
+                    lighthouse.interval = 15;
                   }
                 '';
               };
@@ -203,6 +218,9 @@ in
             lighthouse = {
               am_lighthouse = netCfg.isLighthouse;
               hosts = netCfg.lighthouses;
+              serve_dns = netCfg.serveDns;
+              dns.host = netCfg.lighthouse.dns.host;
+              dns.port = netCfg.lighthouse.dns.port;
             };
             relay = {
               am_relay = netCfg.isRelay;
@@ -231,6 +249,10 @@ in
               ''
               settings
           );
+          capabilities = lib.concatStringsSep " " (
+            (lib.optional (!settings.tun.disabled) "CAP_NET_ADMIN")
+            ++ (lib.optional settings.lighthouse.serve_dns "CAP_NET_BIND_SERVICE")
+          );
         in
         {
           # Create the systemd service for Nebula.
@@ -248,8 +270,8 @@ in
               Restart = "always";
               ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";
               UMask = "0027";
-              CapabilityBoundingSet = "CAP_NET_ADMIN";
-              AmbientCapabilities = "CAP_NET_ADMIN";
+              CapabilityBoundingSet = capabilities;
+              AmbientCapabilities = capabilities;
               LockPersonality = true;
               NoNewPrivileges = true;
               PrivateDevices = false; # needs access to /dev/net/tun (below)
@@ -302,5 +324,5 @@ in
     );
   };
 
-  meta.maintainers = with lib.maintainers; [ numinit ];
+  meta.maintainers = with lib.maintainers; [ numinit siriobalmelli ];
 }