@ -19,7 +19,10 @@ let
" i n t e r f a c e ${ name } ${ paramsString interface } \n " ;
configFile = with cfg ; pkgs . writeText " b a b e l d . c o n f " (
( optionalString ( cfg . interfaceDefaults != null ) ''
''
skip-kernel-setup true
''
+ ( optionalString ( cfg . interfaceDefaults != null ) ''
default $ { paramsString cfg . interfaceDefaults }
'' )
+ ( concatMapStrings interfaceConfig ( attrNames cfg . interfaces ) )
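Review bot: The unconditional `skip-kernel-setup true` now written at the top of configFile carries no comment, yet it is the line that makes the later `ProtectKernelTunables = true` flip (the -98,7 hunk, which also drops the old "Couldn't write sysctl: Read-only file system" explanation) safe: as the option name suggests, babeld stops writing forwarding/accept_redirects/rp_filter itself, so the unit can run with /proc/sys read-only. The same tunables are instead set declaratively in boot.kernel.sysctl (the -84,13 hunk), so three separate places must stay in agreement. A comment on this line would keep them from drifting, e.g. `# Kernel tunables are set via boot.kernel.sysctl in this module; babeld must not touch them itself, because the unit runs with ProtectKernelTunables = true.` The configFile expression continues past the end of this hunk.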
@ -84,13 +87,22 @@ in
config = mkIf config . services . babeld . enable {
boot . kernel . sysctl = {
" n e t . i p v 6 . c o n f . a l l . f o r w a r d i n g " = 1 ;
" n e t . i p v 6 . c o n f . a l l . a c c e p t _ r e d i r e c t s " = 0 ;
" n e t . i p v 4 . c o n f . a l l . f o r w a r d i n g " = 1 ;
" n e t . i p v 4 . c o n f . a l l . r p _ f i l t e r " = 0 ;
} // lib . mapAttrs' ( ifname : _ : lib . nameValuePair " n e t . i p v 4 . c o n f . ${ ifname } . r p _ f i l t e r " ( lib . mkDefault 0 ) ) config . services . babeld . interfaces ;
systemd . services . babeld = {
description = " B a b e l r o u t i n g d a e m o n " ;
after = [ " n e t w o r k . t a r g e t " ] ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
serviceConfig = {
ExecStart = " ${ pkgs . babeld } / b i n / b a b e l d - c ${ configFile } - I / r u n / b a b e l d / b a b e l d . p i d - S / v a r / l i b / b a b e l d / s t a t e " ;
AmbientCapabilities = [ " C A P _ N E T _ A D M I N " ] ;
CapabilityBoundingSet = [ " C A P _ N E T _ A D M I N " ] ;
DynamicUser = true ;
IPAddressAllow = [ " f e 8 0 : : / 6 4 " " f f 0 0 : : / 8 " " : : 1 / 1 2 8 " " 1 2 7 . 0 . 0 . 0 / 8 " ] ;
IPAddressDeny = " a n y " ;
LockPersonality = true ;
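Review bot: The per-interface `net.ipv4.conf.<ifname>.rp_filter` entries added through lib.mapAttrs' look redundant next to `net.ipv4.conf.all.rp_filter = 0`, but they are not: the kernel applies the stricter (maximum) of the `all` and per-interface values, so the global 0 alone does not relax reverse-path filtering on an interface whose own value is non-zero, and the per-interface entries only relax it on the babeld interfaces. A comment would stop a maintainer from "simplifying" either half away, e.g. `# effective rp_filter is max(all, <if>): both must be 0 on babeld interfaces; the per-interface value is mkDefault so a host can re-enable it.` The four `all.*` entries are hard assignments while the per-interface ones use lib.mkDefault; wrapping the `all.*` values in mkDefault as well would let a host-level boot.kernel.sysctl setting override them instead of producing a conflicting-definition error. The hunk header announces 22 new lines but only 19 are visible here, so some added lines may have been lost in extraction — presumably the RuntimeDirectory/StateDirectory settings that the `-I /run/babeld/babeld.pid` and `-S /var/lib/babeld/state` paths need under DynamicUser; worth confirming they are present in the actual patch.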
@ -98,7 +110,7 @@ in
MemoryDenyWriteExecute = true ;
ProtectSystem = " s t r i c t " ;
ProtectClock = true ;
ProtectKernelTunables = false ; # Couldn't write sysctl: Read-only file system
ProtectKernelTunables = true ;
ProtectKernelModules = true ;
ProtectKernelLogs = true ;
ProtectControlGroups = true ;