authorGregor Kleen <gkleen@yggdrasil.li>2022-07-29 11:07:19 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2022-07-29 11:07:19 +0200
commitbda1a6b603a3944223707a6d090622b574ea7505 (patch)
treee223290d0c3e4f91862f429e65f083d3ecb3b1cd /hosts/surtr/vpn/default.nix
parentece84e99219c1d57dcee7ee93045edc81cd0cbc7 (diff)
bump & vpn
Diffstat (limited to 'hosts/surtr/vpn/default.nix')
-rw-r--r--hosts/surtr/vpn/default.nix177
1 files changed, 177 insertions, 0 deletions
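diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
new file mode 100644
index 00000000..4f334105
--- /dev/null
+++ b/hosts/surtr/vpn/default.nix
@@ -0,0 +1,177 @@
+{ pkgs, config, lib, ... }:
+
+with lib;
+
+let
+  trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
+  prefix4 = "10.84.47";
+  prefix6 = "2a03:4000:52:ada:5";
+in {
+  config = {
+    boot.kernel.sysctl = {
+      "net.netfilter.nf_log_all_netns" = true;
+    };
+
+    networking.namespaces = {
+      enable = true;
+      containers."vpn".config = {
+        boot.kernel.sysctl = {
+          "net.core.rmem_max" = "4194304";
+          "net.core.wmem_max" = "4194304";
+        };
+
+        environment = {
+          noXlibs = true;
+          systemPackages = with pkgs; [ wireguard-tools ];
+        };
+
+        networking = {
+          useDHCP = false;
+          useNetworkd = true;
+          useHostResolvConf = false;
+          firewall.enable = false;
+          nftables = {
+            enable = true;
+            rulesetFile = ./ruleset.nft;
+          };
+        };
+
+        services.resolved.fallbackDns = [
+          "9.9.9.9#dns.quad9.net"
+          "149.112.112.112#dns.quad9.net"
+          "2620:fe::fe#dns.quad9.net"
+          "2620:fe::9#dns.quad9.net"
+        ];
+
+        systemd.tmpfiles.rules = [
+          "d /etc/wireguard 0755 root systemd-network - -"
+          "C /etc/wireguard/surtr.priv 0640 root systemd-network - /run/host/credentials/surtr.priv"
+        ];
+
+        systemd.network = {
+          netdevs = {
+            vpn = {
+              netdevConfig = {
+                Name = "vpn";
+                Kind = "wireguard";
+              };
+              wireguardConfig = {
+                PrivateKeyFile = "/etc/wireguard/surtr.priv";
+                ListenPort = 51820;
+              };
+              wireguardPeers = [
+                { wireguardPeerConfig = {
+                    AllowedIPs = ["${prefix6}:1::/96" "${prefix4}.1/32"];
+                    PublicKey = trim (readFile ./geri.pub);
+                  };
+                }
+              ];
+            };
+          };
+
+          networks = {
+            upstream = {
+              name = "upstream";
+              matchConfig = {
+                Name = "upstream";
+              };
+              linkConfig = {
+                RequiredForOnline = true;
+              };
+              networkConfig = {
+                Address = [ "185.243.10.86/32" "2a03:4000:20:259::/64" ];
+                LLMNR = false;
+                MulticastDNS = false;
+              };
+              routes = [
+                { routeConfig = {
+                    Destination = "202.61.240.0/22";
+                  };
+                }
+                { routeConfig = {
+                    Destination = "0.0.0.0/0";
+                    Gateway = "202.61.240.1";
+                  };
+                }
+                { routeConfig = {
+                    Destination = "::/0";
+                    Gateway = "fe80::1";
+                  };
+                }
+              ];
+              extraConfig = ''
+                [Neighbor]
+                Address=202.61.240.1
+                LinkLayerAddress=00:00:5e:00:01:01
+              '';
+            };
+            vpn = {
+              name = "vpn";
+              matchConfig = {
+                Name = "vpn";
+              };
+              address = ["${prefix6}::/96" "${prefix4}.0/32"];
+              routes = [
+                { routeConfig = {
+                    Destination = "${prefix6}::/80";
+                  };
+                }
+                { routeConfig = {
+                    Destination = "${prefix4}.0/24";
+                  };
+                }
+              ];
+              linkConfig = {
+                RequiredForOnline = false;
+              };
+              networkConfig = {
+                LLMNR = false;
+                MulticastDNS = false;
+              };
+            };
+          };
+        };
+      };
+    };
+
+    systemd.services = {
+      "vpn-upstream" = {
+        bindsTo = ["netns@vpn.service"];
+        after = ["netns@vpn.service"];
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+          ExecStop = "${pkgs.iproute}/bin/ip netns exec vpn ip link delete upstream";
+        };
+        path = with pkgs; [ iproute procps ];
+        script = ''
+          ip netns exec vpn sysctl \
+            net.ipv6.conf.all.forwarding=1 \
+            net.ipv6.conf.default.forwarding=1 \
+            net.ipv4.conf.all.forwarding=1 \
+            net.ipv4.conf.default.forwarding=1
+
+          ip link add link ens3 name upstream type ipvlan mode l2
+          ip link set upstream netns vpn
+        '';
+      };
+
+      "netns-container@vpn" = {
+        wantedBy = ["multi-user.target" "network-online.target"];
+        after = ["vpn-upstream.service"];
+        bindsTo = ["vpn-upstream.service"];
+
+        serviceConfig = {
+          LoadCredential = [
+            "surtr.priv:${config.sops.secrets.vpn.path}"
+          ];
+        };
+      };
+    };
+
+    sops.secrets.vpn = {
+      format = "binary";
+      sopsFile = ./surtr.priv;
+    };
+  };
+}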
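Review bot: The tmpfiles `C` rule in `systemd.tmpfiles.rules` copies the WireGuard private key from the runtime-only `/run/host/credentials/surtr.priv` into `/etc/wireguard/surtr.priv`, so if the container's root filesystem is persistent (the usual case for nixos-container roots — confirm for this `networking.namespaces` module) the key ends up on disk unencrypted, and because `C` only copies when the destination is absent, rotating the sops secret will never replace the stale copy. Keeping the copy on tmpfs and refreshing it on every boot avoids both problems: `"d /run/wireguard 0750 root systemd-network - -"`, `"C+ /run/wireguard/surtr.priv 0640 root systemd-network - /run/host/credentials/surtr.priv"` (`C+` overwrites an existing file on recent systemd), with `PrivateKeyFile = "/run/wireguard/surtr.priv";` in `wireguardConfig`. Separately, the `#dns.quad9.net` suffix on the `services.resolved.fallbackDns` entries is only a certificate-name hint and does not enable DNS-over-TLS by itself, so unless `DNSOverTLS=` is set elsewhere in resolved's configuration these fallback lookups go out as plaintext DNS.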