| author | Gregor Kleen <gkleen@yggdrasil.li> | 2024-06-22 21:09:58 +0200 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2024-06-22 21:09:58 +0200 |
| commit | e4e7651887bca1179348c4303a319f2f3e339942 (patch) | |
| tree | 74d7f0fd8b11fc60a3d164b53526ca8413b9e5a1 /hosts/surtr/vpn | |
| parent | 7850385f9b285d31d79d26d82ab8a858839d29ea (diff) | |
| download | nixos-e4e7651887bca1179348c4303a319f2f3e339942.tar nixos-e4e7651887bca1179348c4303a319f2f3e339942.tar.gz nixos-e4e7651887bca1179348c4303a319f2f3e339942.tar.bz2 nixos-e4e7651887bca1179348c4303a319f2f3e339942.tar.xz nixos-e4e7651887bca1179348c4303a319f2f3e339942.zip | |
surtr: fix vpn
Diffstat (limited to 'hosts/surtr/vpn')
| -rw-r--r-- | hosts/surtr/vpn/default.nix | 59 |
1 files changed, 21 insertions, 38 deletions
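--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -12,12 +12,21 @@ in {
 "net.netfilter.nf_log_all_netns" = true;
 };
 
-networking.namespaces = {
-enable = true;
-containers."vpn".config = {
+containers."vpn" = {
+autoStart = true;
+ephemeral = true;
+extraFlags = [
+"--network-ipvlan=ens3:upstream"
+"--load-credential=surtr.priv:${config.sops.secrets.vpn.path}"
+];
+
+config = {
 boot.kernel.sysctl = {
 "net.core.rmem_max" = 4194304;
 "net.core.wmem_max" = 4194304;
+"net.ipv6.conf.all.forwarding" = 1;
+"net.ipv6.conf.default.forwarding"= 1;
+"net.ipv4.conf.all.forwarding" = 1;
 };
 
 environment = {
@@ -53,6 +62,15 @@ in {
 
 systemd.network = {
 netdevs = {
+upstream = {
+netdevConfig = {
+Name = "upstream";
+Kind = "ipvlan";
+};
+ipvlanConfig = {
+Mode = "L2";
+};
+};
 vpn = {
 netdevConfig = {
 Name = "vpn";
@@ -136,41 +154,6 @@ in {
 };
 };
 
-systemd.services = {
-"vpn-upstream" = {
-bindsTo = ["netns@vpn.service"];
-after = ["netns@vpn.service"];
-serviceConfig = {
-Type = "oneshot";
-RemainAfterExit = true;
-ExecStop = "${pkgs.iproute2}/bin/ip netns exec vpn ip link delete upstream";
-};
-path = with pkgs; [ iproute2 procps ];
-script = ''
-ip netns exec vpn sysctl \
-net.ipv6.conf.all.forwarding=1 \
-net.ipv6.conf.default.forwarding=1 \
-net.ipv4.conf.all.forwarding=1 \
-net.ipv4.conf.default.forwarding=1
-
-ip link add link ens3 name upstream type ipvlan mode l2
-ip link set upstream netns vpn
-'';
-};
-
-"netns-container@vpn" = {
-wantedBy = ["multi-user.target" "network-online.target"];
-after = ["vpn-upstream.service"];
-bindsTo = ["vpn-upstream.service"];
-
-serviceConfig = {
-LoadCredential = [
-"surtr.priv:${config.sops.secrets.vpn.path}"
-];
-};
-};
-};
-
 sops.secrets.vpn = {
 format = "binary";
 sopsFile = ./surtr.priv;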
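Review bot: The sysctl block added in the first hunk (new lines 27–29) sets only three of the four forwarding keys that the removed vpn-upstream script (old lines 151–154) used to set; `net.ipv4.conf.default.forwarding` is gone. That may be deliberate, since IPv4 forwarding is effectively governed by the `all` key, but the silent drop deserves either the line `"net.ipv4.conf.default.forwarding" = 1;` or a one-line comment saying it is intentionally omitted. While there, `"net.ipv6.conf.default.forwarding"= 1;` is missing the space before `=` that its neighbours have. With forwarding enabled inside the container and the ipvlan `upstream` netdev attached to ens3 (second hunk), the container now routes between the upstream network and the vpn netdev; nothing in these hunks shows filtering of forwarded traffic, so it is worth confirming that a firewall for the container exists elsewhere in this file. The `containers."vpn"` attribute set and its `config` block start in the first hunk and run past it.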
