jacobpascual/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

netns-isolation: netns architecture

Browse Source 
- Adds network namespace instantiation and routing architecture.
- netns-isolation disabled by default. Can be enabled with
  configuration.nix FIXME.
- Uses mkMerge to toggle certain options for non netns and netns
  systems.
- Adds security wrapper for netns-exec which allows operator to exec
  with cap_sys_admin
- User can select the 169.254.N.0/24 addressblock netns's are created in.
- nix-bitcoin-services IpAddressAllow is amended with link-local
  addresses
This commit is contained in:
nixbitcoin
2020-05-29 10:53:35 +00:00
parent 4a7199a3da
commit e5e07b91f7
5 changed files with 181 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
examples/configuration.nix
View File

@@ -117,6 +117,13 @@
# `docs/usage.md`.
# services.hardware-wallets.trezor = true;
### netns-isolation (EXPERIMENTAL)
# Enable this module to use Network Namespace Isolation. This feature places
# every service in its own network namespace and only allows truly necessary
# connections between network namespaces, making sure services are isolated on
# a network-level as much as possible.
# nix-bitcoin.netns-isolation.enable = true;
# FIXME: Define your hostname.
networking.hostName = "nix-bitcoin";
time.timeZone = "UTC";