diff options
Diffstat (limited to 'nixos/modules/services/networking/tcpcrypt.nix')
-rw-r--r-- | nixos/modules/services/networking/tcpcrypt.nix | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/tcpcrypt.nix b/nixos/modules/services/networking/tcpcrypt.nix new file mode 100644 index 00000000000..5a91054e166 --- /dev/null +++ b/nixos/modules/services/networking/tcpcrypt.nix @@ -0,0 +1,80 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.networking.tcpcrypt; + +in + +{ + + ###### interface + + options = { + + networking.tcpcrypt.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable opportunistic TCP encryption. If the other end + speaks Tcpcrypt, then your traffic will be encrypted; otherwise + it will be sent in clear text. Thus, Tcpcrypt alone provides no + guarantees -- it is best effort. If, however, a Tcpcrypt + connection is successful and any attackers that exist are + passive, then Tcpcrypt guarantees privacy. + ''; + }; + }; + + config = mkIf cfg.enable { + + users.users.tcpcryptd = { + uid = config.ids.uids.tcpcryptd; + description = "tcpcrypt daemon user"; + }; + + systemd.services.tcpcrypt = { + description = "tcpcrypt"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + path = [ pkgs.iptables pkgs.tcpcrypt pkgs.procps ]; + + preStart = '' + mkdir -p /run/tcpcryptd + chown tcpcryptd /run/tcpcryptd + sysctl -n net.ipv4.tcp_ecn > /run/tcpcryptd/pre-tcpcrypt-ecn-state + sysctl -w net.ipv4.tcp_ecn=0 + + iptables -t raw -N nixos-tcpcrypt + iptables -t raw -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666 + iptables -t raw -I PREROUTING -j nixos-tcpcrypt + + iptables -t mangle -N nixos-tcpcrypt + iptables -t mangle -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666 + iptables -t mangle -I POSTROUTING -j nixos-tcpcrypt + ''; + + script = "tcpcryptd -x 0x10"; + + postStop = '' + if [ -f /run/tcpcryptd/pre-tcpcrypt-ecn-state ]; then + sysctl -w net.ipv4.tcp_ecn=$(cat /run/tcpcryptd/pre-tcpcrypt-ecn-state) + fi + + iptables -t mangle -D POSTROUTING -j nixos-tcpcrypt || true + iptables -t raw -D PREROUTING -j nixos-tcpcrypt || true + + iptables -t raw -F nixos-tcpcrypt || true + iptables -t raw -X nixos-tcpcrypt || true + + iptables -t mangle -F nixos-tcpcrypt || true + iptables -t mangle -X nixos-tcpcrypt || true + ''; + }; + }; + +} |