
nixos/nebula: add CAP_NET_BIND_SERVICE when lighthouse node serves DNS #353665

Draft: wants to merge 1 commit into base: master

Conversation

siriobalmelli
Contributor

Serving DNS fails in the absence of CAP_NET_BIND_SERVICE.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.


@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Nov 4, 2024
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Nov 5, 2024
@siriobalmelli siriobalmelli force-pushed the sb/nebula-dns branch 2 times, most recently from 4fdd4f0 to 51d1018 on November 5, 2024 17:03
@siriobalmelli siriobalmelli marked this pull request as draft November 5, 2024 17:04
@siriobalmelli siriobalmelli marked this pull request as ready for review November 6, 2024 06:54
@siriobalmelli
Contributor Author

@numinit I would appreciate your review on this 🙏

@@ -210,6 +210,11 @@ in
''
settings
);
capabilities = concatStringsSep " " ([
"CAP_NET_ADMIN"
] ++ (optionals (settings.lighthouse.serve_dns or false) [
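Review bot: the added `optionals` branch keys CAP_NET_BIND_SERVICE on `settings.lighthouse.serve_dns` alone, but the capability is only required when the DNS listener (or the main `listen.port`) binds a port below 1024, so a lighthouse serving DNS on an unprivileged port would still be granted it. Gate the condition on the configured DNS port (and `listen.port`) being privileged rather than on `serve_dns`, and consider the same least-privilege treatment for `"CAP_NET_ADMIN"`, which this hunk still adds unconditionally even though the commit message says it should be withheld when the tunnel interface is disabled.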
Contributor


This condition should probably be:

let
  nebulaPort = settings.listen.port;
  # The right-hand side of `or` must be a plain selector or literal, so a
  # negative fallback has to be parenthesised: a bare `or -1` does not parse.
  dnsPort = if (settings.lighthouse.serve_dns or false) then (settings.lighthouse.dns.port or (-1)) else (-1);
in (nebulaPort > 0 && nebulaPort < 1024) || (dnsPort > 0 && dnsPort < 1024);

Do you mind adding services.nebula.networks.<name>.dns.{enable,port,host} as well? The port should likely default to 5353 so we don't need the extra capability.
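The reviewer's port-based condition worked into a complete expression, as an added example that is not code from this PR or from the nixpkgs nebula module; it assumes a `lib` from nixpkgs and a `settings` attrset whose keys mirror Nebula's own config file (listen.port, tun.disabled, lighthouse.serve_dns, lighthouse.dns.port).

```nix
# Added example, not code from this PR or from the nixpkgs nebula module.
# Derives the smallest capability set the nebula unit needs from its
# settings. Assumed `settings` keys mirror Nebula's own config file:
# listen.port, tun.disabled, lighthouse.serve_dns, lighthouse.dns.port.
{ lib, settings }:
let
  inherit (lib) optional concatStringsSep;

  # CAP_NET_BIND_SERVICE is only needed for privileged ports (1..1023).
  # Port 0 means "pick a dynamic port" and never needs it.
  isPrivileged = p: p > 0 && p < 1024;

  nebulaPort = settings.listen.port or 0;
  serveDns = settings.lighthouse.serve_dns or false;
  # Default the DNS port to 5353, as suggested in review, so a plain
  # lighthouse gets no extra capability. Note `or (-1)`: a bare `-1`
  # after `or` is a Nix syntax error.
  dnsPort = if serveDns then (settings.lighthouse.dns.port or 5353) else (-1);

  # Without a tun interface there is nothing to configure with CAP_NET_ADMIN.
  tunEnabled = !(settings.tun.disabled or false);

  capabilities =
    optional tunEnabled "CAP_NET_ADMIN"
    ++ optional (isPrivileged nebulaPort || isPrivileged dnsPort) "CAP_NET_BIND_SERVICE";
in
{
  # The bounding set limits what the process can ever hold; the ambient set
  # is what it starts with. Setting both pins the unit to exactly this list.
  serviceConfig = {
    CapabilityBoundingSet = concatStringsSep " " capabilities;
    AmbientCapabilities = concatStringsSep " " capabilities;
  };
  inherit capabilities;
}
```

Evaluating it with `nix-instantiate --eval --strict -E 'import ./caps.nix { lib = (import <nixpkgs> {}).lib; settings = { listen.port = 4242; tun.disabled = true; lighthouse.serve_dns = true; lighthouse.dns.port = 53; }; }'` yields `capabilities = [ "CAP_NET_BIND_SERVICE" ]`: a tun-less lighthouse answering DNS on port 53 gets the bind capability and nothing else, while the same config with the DNS port left at the 5353 default gets an empty list.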

@numinit
Contributor

numinit commented Nov 17, 2024

May be worth updating the NixOS test too.

@siriobalmelli siriobalmelli marked this pull request as draft November 19, 2024 11:00
@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label Dec 10, 2024
@siriobalmelli siriobalmelli force-pushed the sb/nebula-dns branch 2 times, most recently from ae7d05c to 2ceb113 on December 21, 2024 23:32

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
Add the options:

- lighthouse.serve_dns
- lighthouse.dns.host
- lighthouse.dns.port

Improve systemd capabilities handling:

- do not give CAP_NET_ADMIN when tunnel interface is disabled
- give CAP_NET_BIND_SERVICE when DNS is enabled

Add self as maintainer: I'm using Nebula on NixOS in prod.

Signed-off-by: Sirio Balmelli <[email protected]>
@numinit
Contributor

numinit commented Dec 21, 2024

Hey, thanks for taking this btw! Let me know if you need any help getting it across the finish line.

@ofborg ofborg bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Dec 22, 2024