-rw-r--r-- | hosts/surtr/vpn/default.nix | 59 |
1 files changed, 21 insertions, 38 deletions
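--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -12,12 +12,21 @@ in {
 "net.netfilter.nf_log_all_netns" = true;
 };
 
-networking.namespaces = {
-enable = true;
-containers."vpn".config = {
+containers."vpn" = {
+autoStart = true;
+ephemeral = true;
+extraFlags = [
+"--network-ipvlan=ens3:upstream"
+"--load-credential=surtr.priv:${config.sops.secrets.vpn.path}"
+];
+
+config = {
 boot.kernel.sysctl = {
 "net.core.rmem_max" = 4194304;
 "net.core.wmem_max" = 4194304;
+"net.ipv6.conf.all.forwarding" = 1;
+"net.ipv6.conf.default.forwarding"= 1;
+"net.ipv4.conf.all.forwarding" = 1;
 };
 
 environment = {
@@ -53,6 +62,15 @@ in {
 
 systemd.network = {
 netdevs = {
+upstream = {
+netdevConfig = {
+Name = "upstream";
+Kind = "ipvlan";
+};
+ipvlanConfig = {
+Mode = "L2";
+};
+};
 vpn = {
 netdevConfig = {
 Name = "vpn";
@@ -136,41 +154,6 @@ in {
 };
 };
 
-systemd.services = {
-"vpn-upstream" = {
-bindsTo = ["netns@vpn.service"];
-after = ["netns@vpn.service"];
-serviceConfig = {
-Type = "oneshot";
-RemainAfterExit = true;
-ExecStop = "${pkgs.iproute2}/bin/ip netns exec vpn ip link delete upstream";
-};
-path = with pkgs; [ iproute2 procps ];
-script = ''
-ip netns exec vpn sysctl \
-net.ipv6.conf.all.forwarding=1 \
-net.ipv6.conf.default.forwarding=1 \
-net.ipv4.conf.all.forwarding=1 \
-net.ipv4.conf.default.forwarding=1
-
-ip link add link ens3 name upstream type ipvlan mode l2
-ip link set upstream netns vpn
-'';
-};
-
-"netns-container@vpn" = {
-wantedBy = ["multi-user.target" "network-online.target"];
-after = ["vpn-upstream.service"];
-bindsTo = ["vpn-upstream.service"];
-
-serviceConfig = {
-LoadCredential = [
-"surtr.priv:${config.sops.secrets.vpn.path}"
-];
-};
-};
-};
-
 sops.secrets.vpn = {
 format = "binary";
 sopsFile = ./surtr.priv;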
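Review bot: The sysctl block added in the first hunk sets `net.ipv4.conf.all.forwarding` but drops `net.ipv4.conf.default.forwarding=1`, which the removed `vpn-upstream` script in the last hunk set alongside it. On Linux the IPv4 `all` toggle is normally mirrored onto `default` and every existing interface, so this is probably harmless, but adding `"net.ipv4.conf.default.forwarding" = 1;` next to the IPv6 pair keeps the migration a strict equivalent of the old script and avoids depending on that propagation for interfaces created later. While there, `"net.ipv6.conf.default.forwarding"= 1;` is missing the space before `=` that its neighbours have. Note that with forwarding on, the container now routes between the new L2 ipvlan `upstream` netdev (a direct presence on ens3's segment) and `vpn`; whatever firewall policy governs that path is not visible in this diff, so it is worth confirming it still applies now that the container is managed via `containers."vpn"` rather than the removed `netns@vpn` units. The `containers."vpn".config` attribute set continues past the end of the first hunk.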