nixpkgs/nixos/modules/services/networking/tcpcrypt.nix

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.networking.tcpcrypt;

in

{

  ###### interface

  options = {

    networking.tcpcrypt.enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable opportunistic TCP encryption. If the other end
        speaks Tcpcrypt, then your traffic will be encrypted; otherwise
        it will be sent in clear text. Thus, Tcpcrypt alone provides no
        guarantees -- it is best effort. If, however, a Tcpcrypt
        connection is successful and any attackers that exist are
        passive, then Tcpcrypt guarantees privacy.
      '';
    };
  };

  config = mkIf cfg.enable {

    users.users.tcpcryptd = {
      uid = config.ids.uids.tcpcryptd;
      description = "tcpcrypt daemon user";
    };

    systemd.services.tcpcrypt = {
      description = "tcpcrypt";

      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      path = [ pkgs.iptables pkgs.tcpcrypt pkgs.procps ];

      preStart = ''
        mkdir -p /run/tcpcryptd
        chown tcpcryptd /run/tcpcryptd
        sysctl -n net.ipv4.tcp_ecn > /run/tcpcryptd/pre-tcpcrypt-ecn-state
        sysctl -w net.ipv4.tcp_ecn=0

        iptables -t raw -N nixos-tcpcrypt
        iptables -t raw -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
        iptables -t raw -I PREROUTING -j nixos-tcpcrypt

        iptables -t mangle -N nixos-tcpcrypt
        iptables -t mangle -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
        iptables -t mangle -I POSTROUTING -j nixos-tcpcrypt
      '';

      script = "tcpcryptd -x 0x10";

      postStop = ''
        if [ -f /run/tcpcryptd/pre-tcpcrypt-ecn-state ]; then
          sysctl -w net.ipv4.tcp_ecn=$(cat /run/tcpcryptd/pre-tcpcrypt-ecn-state)
        fi

        iptables -t mangle -D POSTROUTING -j nixos-tcpcrypt || true
        iptables -t raw -D PREROUTING -j nixos-tcpcrypt || true

        iptables -t raw -F nixos-tcpcrypt || true
        iptables -t raw -X nixos-tcpcrypt || true

        iptables -t mangle -F nixos-tcpcrypt || true
        iptables -t mangle -X nixos-tcpcrypt || true
      '';
    };
  };

}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`{ config, lib, pkgs, ... }:`
Add support for opportunistic TCP encryption. Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption based on the user-space tools available from <http://tcpcrypt.org>. Network attackers come in two varieties: passive and active (man-in-the-middle). Passive attacks are much simpler to execute because they just require listening on the network. Active attacks are much harder as they require listening and modifying network traffic, often requiring very precise timing that can make some attacks impractical. Opportunistic encryption cannot protect against active attackers, but it does protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to stop active attacks, too, if the application using it performs authentication. A complete description of the protocol extension can be found at <http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>. 2013-09-10 23:32:55 +02:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`with lib;`
Add support for opportunistic TCP encryption. Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption based on the user-space tools available from <http://tcpcrypt.org>. Network attackers come in two varieties: passive and active (man-in-the-middle). Passive attacks are much simpler to execute because they just require listening on the network. Active attacks are much harder as they require listening and modifying network traffic, often requiring very precise timing that can make some attacks impractical. Opportunistic encryption cannot protect against active attackers, but it does protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to stop active attacks, too, if the application using it performs authentication. A complete description of the protocol extension can be found at <http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>. 2013-09-10 23:32:55 +02:00
			`let`

			`cfg = config.networking.tcpcrypt;`

			`in`

			`{`

			`###### interface`

			`options = {`

			`networking.tcpcrypt.enable = mkOption {`
treewide: add types to boolean / enable options or make use of mkEnableOption 2020-04-27 09:04:07 +02:00			`type = types.bool;`
Add support for opportunistic TCP encryption. Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption based on the user-space tools available from <http://tcpcrypt.org>. Network attackers come in two varieties: passive and active (man-in-the-middle). Passive attacks are much simpler to execute because they just require listening on the network. Active attacks are much harder as they require listening and modifying network traffic, often requiring very precise timing that can make some attacks impractical. Opportunistic encryption cannot protect against active attackers, but it does protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to stop active attacks, too, if the application using it performs authentication. A complete description of the protocol extension can be found at <http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>. 2013-09-10 23:32:55 +02:00			`default = false;`
			`description = ''`
			`Whether to enable opportunistic TCP encryption. If the other end`
			`speaks Tcpcrypt, then your traffic will be encrypted; otherwise`
			`it will be sent in clear text. Thus, Tcpcrypt alone provides no`
			`guarantees -- it is best effort. If, however, a Tcpcrypt`
			`connection is successful and any attackers that exist are`
			`passive, then Tcpcrypt guarantees privacy.`
			`'';`
			`};`
			`};`

			`config = mkIf cfg.enable {`

treewide: use attrs instead of list for types.loaOf options 2019-09-14 19:51:29 +02:00			`users.users.tcpcryptd = {`
Add support for opportunistic TCP encryption. Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption based on the user-space tools available from <http://tcpcrypt.org>. Network attackers come in two varieties: passive and active (man-in-the-middle). Passive attacks are much simpler to execute because they just require listening on the network. Active attacks are much harder as they require listening and modifying network traffic, often requiring very precise timing that can make some attacks impractical. Opportunistic encryption cannot protect against active attackers, but it does protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to stop active attacks, too, if the application using it performs authentication. A complete description of the protocol extension can be found at <http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>. 2013-09-10 23:32:55 +02:00			`uid = config.ids.uids.tcpcryptd;`
			`description = "tcpcrypt daemon user";`
			`};`

jobs -> systemd.services 2016-01-06 06:50:18 +00:00			`systemd.services.tcpcrypt = {`
Add support for opportunistic TCP encryption. Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption based on the user-space tools available from <http://tcpcrypt.org>. Network attackers come in two varieties: passive and active (man-in-the-middle). Passive attacks are much simpler to execute because they just require listening on the network. Active attacks are much harder as they require listening and modifying network traffic, often requiring very precise timing that can make some attacks impractical. Opportunistic encryption cannot protect against active attackers, but it does protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to stop active attacks, too, if the application using it performs authentication. A complete description of the protocol extension can be found at <http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>. 2013-09-10 23:32:55 +02:00			`description = "tcpcrypt";`

jobs -> systemd.services 2016-01-06 06:50:18 +00:00			`wantedBy = [ "multi-user.target" ];`
tcpcrypt service: remove use of network-interfaces.target 2016-09-10 20:18:39 +02:00			`after = [ "network.target" ];`
Add support for opportunistic TCP encryption. Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption based on the user-space tools available from <http://tcpcrypt.org>. Network attackers come in two varieties: passive and active (man-in-the-middle). Passive attacks are much simpler to execute because they just require listening on the network. Active attacks are much harder as they require listening and modifying network traffic, often requiring very precise timing that can make some attacks impractical. Opportunistic encryption cannot protect against active attackers, but it does protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to stop active attacks, too, if the application using it performs authentication. A complete description of the protocol extension can be found at <http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>. 2013-09-10 23:32:55 +02:00
			`path = [ pkgs.iptables pkgs.tcpcrypt pkgs.procps ];`

			`preStart = ''`
nixos: tcpcrypt: /var/run -> /run, don't drop files out of rundir 2018-01-06 12:57:35 +00:00			`mkdir -p /run/tcpcryptd`
			`chown tcpcryptd /run/tcpcryptd`
			`sysctl -n net.ipv4.tcp_ecn > /run/tcpcryptd/pre-tcpcrypt-ecn-state`
Add support for opportunistic TCP encryption. Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption based on the user-space tools available from <http://tcpcrypt.org>. Network attackers come in two varieties: passive and active (man-in-the-middle). Passive attacks are much simpler to execute because they just require listening on the network. Active attacks are much harder as they require listening and modifying network traffic, often requiring very precise timing that can make some attacks impractical. Opportunistic encryption cannot protect against active attackers, but it does protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to stop active attacks, too, if the application using it performs authentication. A complete description of the protocol extension can be found at <http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>. 2013-09-10 23:32:55 +02:00			`sysctl -w net.ipv4.tcp_ecn=0`

			`iptables -t raw -N nixos-tcpcrypt`
			`iptables -t raw -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666`
			`iptables -t raw -I PREROUTING -j nixos-tcpcrypt`

			`iptables -t mangle -N nixos-tcpcrypt`
			`iptables -t mangle -A nixos-tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666`
			`iptables -t mangle -I POSTROUTING -j nixos-tcpcrypt`
			`'';`

jobs -> systemd.services 2016-01-06 06:50:18 +00:00			`script = "tcpcryptd -x 0x10";`
Add support for opportunistic TCP encryption. Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption based on the user-space tools available from <http://tcpcrypt.org>. Network attackers come in two varieties: passive and active (man-in-the-middle). Passive attacks are much simpler to execute because they just require listening on the network. Active attacks are much harder as they require listening and modifying network traffic, often requiring very precise timing that can make some attacks impractical. Opportunistic encryption cannot protect against active attackers, but it does protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to stop active attacks, too, if the application using it performs authentication. A complete description of the protocol extension can be found at <http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>. 2013-09-10 23:32:55 +02:00
			`postStop = ''`
nixos: tcpcrypt: /var/run -> /run, don't drop files out of rundir 2018-01-06 12:57:35 +00:00			`if [ -f /run/tcpcryptd/pre-tcpcrypt-ecn-state ]; then`
			`sysctl -w net.ipv4.tcp_ecn=$(cat /run/tcpcryptd/pre-tcpcrypt-ecn-state)`
Add support for opportunistic TCP encryption. Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption based on the user-space tools available from <http://tcpcrypt.org>. Network attackers come in two varieties: passive and active (man-in-the-middle). Passive attacks are much simpler to execute because they just require listening on the network. Active attacks are much harder as they require listening and modifying network traffic, often requiring very precise timing that can make some attacks impractical. Opportunistic encryption cannot protect against active attackers, but it does protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to stop active attacks, too, if the application using it performs authentication. A complete description of the protocol extension can be found at <http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>. 2013-09-10 23:32:55 +02:00			`fi`

			`iptables -t mangle -D POSTROUTING -j nixos-tcpcrypt \|\| true`
			`iptables -t raw -D PREROUTING -j nixos-tcpcrypt \|\| true`

			`iptables -t raw -F nixos-tcpcrypt \|\| true`
			`iptables -t raw -X nixos-tcpcrypt \|\| true`

			`iptables -t mangle -F nixos-tcpcrypt \|\| true`
			`iptables -t mangle -X nixos-tcpcrypt \|\| true`
			`'';`
			`};`
			`};`

			`}`