summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--hosts/surtr/vpn/default.nix59
1 files changed, 21 insertions, 38 deletions
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 74a9fb22..636dab1a 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -12,12 +12,21 @@ in {
12 "net.netfilter.nf_log_all_netns" = true; 12 "net.netfilter.nf_log_all_netns" = true;
13 }; 13 };
14 14
15 networking.namespaces = { 15 containers."vpn" = {
16 enable = true; 16 autoStart = true;
17 containers."vpn".config = { 17 ephemeral = true;
18 extraFlags = [
19 "--network-ipvlan=ens3:upstream"
20 "--load-credential=surtr.priv:${config.sops.secrets.vpn.path}"
21 ];
22
23 config = {
18 boot.kernel.sysctl = { 24 boot.kernel.sysctl = {
19 "net.core.rmem_max" = 4194304; 25 "net.core.rmem_max" = 4194304;
20 "net.core.wmem_max" = 4194304; 26 "net.core.wmem_max" = 4194304;
27 "net.ipv6.conf.all.forwarding" = 1;
28 "net.ipv6.conf.default.forwarding"= 1;
29 "net.ipv4.conf.all.forwarding" = 1;
21 }; 30 };
22 31
23 environment = { 32 environment = {
@@ -53,6 +62,15 @@ in {
53 62
54 systemd.network = { 63 systemd.network = {
55 netdevs = { 64 netdevs = {
65 upstream = {
66 netdevConfig = {
67 Name = "upstream";
68 Kind = "ipvlan";
69 };
70 ipvlanConfig = {
71 Mode = "L2";
72 };
73 };
56 vpn = { 74 vpn = {
57 netdevConfig = { 75 netdevConfig = {
58 Name = "vpn"; 76 Name = "vpn";
@@ -136,41 +154,6 @@ in {
136 }; 154 };
137 }; 155 };
138 156
139 systemd.services = {
140 "vpn-upstream" = {
141 bindsTo = ["netns@vpn.service"];
142 after = ["netns@vpn.service"];
143 serviceConfig = {
144 Type = "oneshot";
145 RemainAfterExit = true;
146 ExecStop = "${pkgs.iproute2}/bin/ip netns exec vpn ip link delete upstream";
147 };
148 path = with pkgs; [ iproute2 procps ];
149 script = ''
150 ip netns exec vpn sysctl \
151 net.ipv6.conf.all.forwarding=1 \
152 net.ipv6.conf.default.forwarding=1 \
153 net.ipv4.conf.all.forwarding=1 \
154 net.ipv4.conf.default.forwarding=1
155
156 ip link add link ens3 name upstream type ipvlan mode l2
157 ip link set upstream netns vpn
158 '';
159 };
160
161 "netns-container@vpn" = {
162 wantedBy = ["multi-user.target" "network-online.target"];
163 after = ["vpn-upstream.service"];
164 bindsTo = ["vpn-upstream.service"];
165
166 serviceConfig = {
167 LoadCredential = [
168 "surtr.priv:${config.sops.secrets.vpn.path}"
169 ];
170 };
171 };
172 };
173
174 sops.secrets.vpn = { 157 sops.secrets.vpn = {
175 format = "binary"; 158 format = "binary";
176 sopsFile = ./surtr.priv; 159 sopsFile = ./surtr.priv;