Merge fort-nix/nix-bitcoin#423: Misc. improvements

4a74b7de08 clightning: work around unsupported seccomp syscall (Erik Arvstedt)
38a843d005 clightning: update python pkgs to new version (Erik Arvstedt)
6ad7107ddb update nixpkgs (Erik Arvstedt)
f58d67677e netns-isolation: separate host and netns setup (Erik Arvstedt)
cb6e5ef702 netns-isolation: fix routing issues due to netns restarting (Erik Arvstedt)
7f77147b60 makeShell: minor improvements (Erik Arvstedt)
a5730eb736 makeShell: make the help msg a shell derivation variable (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 4a74b7de08

Tree-SHA512: 75454b51db6d7ab41590d8579e0a5136e5ac1be78d5c2f547c6ef1982c0de679968879bb9bac57dd66413f59a4659236601ab75414486b0137c7c43d73d22759

modules/clightning.nix

@@ -137,6 +137,14 @@ in {
         Restart = "on-failure";
         RestartSec = "10s";
         ReadWritePaths = cfg.dataDir;
+
+        # TODO-EXTERNAL:
+        # The seccomp version used by systemd in NixOS 21.05 doesn't support
+        # handling syscall 436 (close_range), which has only recently been added:
+        # https://github.com/seccomp/libseccomp/commit/ac849e7960547d418009a783da654d5917dbfe2d
+        #
+        # Disable seccomp filtering because clightning depends on this syscall.
+        SystemCallFilter = [];
       } // nbLib.allowedIPAddresses cfg.enforceTor;
       # Wait until the rpc socket appears
       postStart = ''

modules/netns-isolation.nix

@@ -155,41 +155,55 @@ in {
         veth = "nb-veth-${toString v.id}";
         peer = "nb-veth-br-${toString v.id}";
         inherit (v) netnsName;
-        ipNetns = "${ip} -n ${netnsName}";
-        netnsIptables = "${ip} netns exec ${netnsName} ${config.networking.firewall.package}/bin/iptables";
+        nsenter = "${pkgs.utillinux}/bin/nsenter";
         allowedAddresses = concatMapStringsSep "," (available: netns.${available}.address) v.availableNetns;
+
+        setup = ''
+          ${ip} netns add ${netnsName}
+          ${ip} link add ${veth} type veth peer name ${peer}
+          ${ip} link set ${veth} netns ${netnsName}
+          # The peer link is never used directly, so don't auto-assign an IPv6 address
+          echo 1 > /proc/sys/net/ipv6/conf/${peer}/disable_ipv6
+          ${ip} link set ${peer} up
+          ${ip} link set ${peer} master nb-br
+          exec ${nsenter} --net=/run/netns/${netnsName} ${script "in-netns" setupInNetns}
+        '';
+
+        setupInNetns = ''
+          ${ip} link set lo up
+          ${ip} addr add ${v.address}/24 dev ${veth}
+          ${ip} link set ${veth} up
+          ${ip} route add default via ${bridgeIp}
+
+          ${iptables} -w -P INPUT DROP
+          ${iptables} -w -A INPUT -s 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
+          # allow return traffic to outgoing connections initiated by the service itself
+          ${iptables} -w -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+        '' + optionalString (config.services.${n}.enforceTor or false) ''
+          ${iptables} -w -P OUTPUT DROP
+          ${iptables} -w -A OUTPUT -d 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
+        '' + optionalString (v.availableNetns != []) ''
+          ${iptables} -w -A INPUT -s ${allowedAddresses} -j ACCEPT
+          ${iptables} -w -A OUTPUT -d ${allowedAddresses} -j ACCEPT
+        '';
+
+        script = name: src: pkgs.writers.writeDash name ''
+          set -e
+          ${src}
+        '';
       in {
         "${n}".serviceConfig.NetworkNamespacePath = "/var/run/netns/${netnsName}";
 
         "netns-${n}" = rec {
           requires = [ "nb-netns-bridge.service" ];
           after = [ "nb-netns-bridge.service" ];
-          bindsTo = [ "${n}.service" ];
-          requiredBy = bindsTo;
-          before = bindsTo;
-          script = ''
-            ${ip} netns add ${netnsName}
-            ${ipNetns} link set lo up
-            ${ip} link add ${veth} type veth peer name ${peer}
-            ${ip} link set ${veth} netns ${netnsName}
-            ${ipNetns} addr add ${v.address}/24 dev ${veth}
-            # The peer link is never used directly, so don't auto-assign an IPv6 address
-            echo 1 > /proc/sys/net/ipv6/conf/${peer}/disable_ipv6
-            ${ip} link set ${peer} up
-            ${ipNetns} link set ${veth} up
-            ${ip} link set ${peer} master nb-br
-            ${ipNetns} route add default via ${bridgeIp}
-            ${netnsIptables} -w -P INPUT DROP
-            ${netnsIptables} -w -A INPUT -s 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
-            # allow return traffic to outgoing connections initiated by the service itself
-            ${netnsIptables} -w -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-          '' + optionalString (config.services.${n}.enforceTor or false) ''
-            ${netnsIptables} -w -P OUTPUT DROP
-            ${netnsIptables} -w -A OUTPUT -d 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
-          '' + optionalString (v.availableNetns != []) ''
-            ${netnsIptables} -w -A INPUT -s ${allowedAddresses} -j ACCEPT
-            ${netnsIptables} -w -A OUTPUT -d ${allowedAddresses} -j ACCEPT
-          '';
+          requiredBy = [ "${n}.service" ];
+          before = requiredBy;
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+            ExecStart = script "setup" setup;
+          };
           # Link deletion is implicit in netns deletion, but it sometimes only happens
           # after `netns delete` finishes. Add an extra `link del` to ensure that
           # the link is deleted before the service stops, which is needed for service
@@ -198,10 +212,7 @@ in {
             ${ip} netns delete ${netnsName}
             ${ip} link del ${peer} 2> /dev/null || true
           '';
-          serviceConfig = {
-            Type = "oneshot";
-            RemainAfterExit = true;
-          };
+
         };
       };
     in foldl (services: n: