Diffstat (limited to 'hosts/surtr/vpn/default.nix')
-rw-r--r--hosts/surtr/vpn/default.nix46
1 files changed, 17 insertions, 29 deletions
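diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 61a9d544..1d31a6f2 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -12,12 +12,25 @@ in {
 "net.netfilter.nf_log_all_netns" = true;
 };
 
-networking.namespaces = {
-enable = true;
-containers."vpn".config = {
+containers."vpn" = {
+autoStart = true;
+ephemeral = true;
+additionalCapabilities = [
+"CAP_SYS_TTY_CONFIG" "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_SYS_ADMIN"
+];
+extraFlags = [
+"--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv"
+"--network-ipvlan=ens3:upstream"
+];
+config = {
 boot.kernel.sysctl = {
 "net.core.rmem_max" = 4194304;
 "net.core.wmem_max" = 4194304;
+
+"net.ipv6.conf.all.forwarding" = 1;
+"net.ipv6.conf.default.forwarding" = 1;
+"net.ipv4.conf.all.forwarding" = 1;
+"net.ipv4.conf.default.forwarding" = 1;
 };
 
 environment = {
@@ -125,32 +138,7 @@ in {
 };
 
 systemd.services = {
-"vpn-upstream" = {
-bindsTo = ["netns@vpn.service"];
-after = ["netns@vpn.service"];
-serviceConfig = {
-Type = "oneshot";
-RemainAfterExit = true;
-ExecStop = "${pkgs.iproute2}/bin/ip netns exec vpn ip link delete upstream";
-};
-path = with pkgs; [ iproute2 procps ];
-script = ''
-ip netns exec vpn sysctl \
-net.ipv6.conf.all.forwarding=1 \
-net.ipv6.conf.default.forwarding=1 \
-net.ipv4.conf.all.forwarding=1 \
-net.ipv4.conf.default.forwarding=1
-
-ip link add link ens3 name upstream type ipvlan mode l2
-ip link set upstream netns vpn
-'';
-};
-
-"netns-container@vpn" = {
-wantedBy = ["multi-user.target" "network-online.target"];
-after = ["vpn-upstream.service"];
-bindsTo = ["vpn-upstream.service"];
-
+"container@vpn" = {
 serviceConfig = {
 LoadCredential = [
 "surtr.priv:${config.sops.secrets.vpn.path}"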
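Review bot: The `additionalCapabilities` list added in the first hunk (new line 19) grants the container `CAP_SYS_ADMIN`, which is broad enough that it largely undoes the isolation the move from a bare network namespace to a `containers."vpn"` nspawn container would otherwise buy, and nothing in the hunk says which operation inside the VPN container needs it. `CAP_NET_ADMIN` and `CAP_NET_RAW` plausibly cover the forwarding sysctls and the `ens3:upstream` ipvlan link that the removed `vpn-upstream` service used to set up by hand, so the extra capability deserves a justification next to it, e.g. `# CAP_SYS_ADMIN: required for <placeholder: operation that fails without it>; drop if no longer needed`, or should be removed if the container starts and routes without it. It is also worth noting in the same place that `ephemeral = true` combined with `--load-credential` means the private key is only ever delivered through the service credential directory and not persisted in the container root. The `containers."vpn"` attribute set begun in the first hunk, and the `systemd.services."container@vpn"` set in the second, both continue outside the hunks shown.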