Diffstat (limited to 'hosts/surtr/vpn/default.nix')
-rw-r--r-- | hosts/surtr/vpn/default.nix | 46 |
1 files changed, 17 insertions, 29 deletions
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix index 61a9d544..1d31a6f2 100644 --- a/hosts/surtr/vpn/default.nix +++ b/hosts/surtr/vpn/default.nix | |||
@@ -12,12 +12,25 @@ in { | |||
12 | "net.netfilter.nf_log_all_netns" = true; | 12 | "net.netfilter.nf_log_all_netns" = true; |
13 | }; | 13 | }; |
14 | 14 | ||
15 | networking.namespaces = { | 15 | containers."vpn" = { |
16 | enable = true; | 16 | autoStart = true; |
17 | containers."vpn".config = { | 17 | ephemeral = true; |
18 | additionalCapabilities = [ | ||
19 | "CAP_SYS_TTY_CONFIG" "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_SYS_ADMIN" | ||
20 | ]; | ||
21 | extraFlags = [ | ||
22 | "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv" | ||
23 | "--network-ipvlan=ens3:upstream" | ||
24 | ]; | ||
25 | config = { | ||
18 | boot.kernel.sysctl = { | 26 | boot.kernel.sysctl = { |
19 | "net.core.rmem_max" = 4194304; | 27 | "net.core.rmem_max" = 4194304; |
20 | "net.core.wmem_max" = 4194304; | 28 | "net.core.wmem_max" = 4194304; |
29 | |||
30 | "net.ipv6.conf.all.forwarding" = 1; | ||
31 | "net.ipv6.conf.default.forwarding" = 1; | ||
32 | "net.ipv4.conf.all.forwarding" = 1; | ||
33 | "net.ipv4.conf.default.forwarding" = 1; | ||
21 | }; | 34 | }; |
22 | 35 | ||
23 | environment = { | 36 | environment = { |
@@ -125,32 +138,7 @@ in { | |||
125 | }; | 138 | }; |
126 | 139 | ||
127 | systemd.services = { | 140 | systemd.services = { |
128 | "vpn-upstream" = { | 141 | "container@vpn" = { |
129 | bindsTo = ["netns@vpn.service"]; | ||
130 | after = ["netns@vpn.service"]; | ||
131 | serviceConfig = { | ||
132 | Type = "oneshot"; | ||
133 | RemainAfterExit = true; | ||
134 | ExecStop = "${pkgs.iproute2}/bin/ip netns exec vpn ip link delete upstream"; | ||
135 | }; | ||
136 | path = with pkgs; [ iproute2 procps ]; | ||
137 | script = '' | ||
138 | ip netns exec vpn sysctl \ | ||
139 | net.ipv6.conf.all.forwarding=1 \ | ||
140 | net.ipv6.conf.default.forwarding=1 \ | ||
141 | net.ipv4.conf.all.forwarding=1 \ | ||
142 | net.ipv4.conf.default.forwarding=1 | ||
143 | |||
144 | ip link add link ens3 name upstream type ipvlan mode l2 | ||
145 | ip link set upstream netns vpn | ||
146 | ''; | ||
147 | }; | ||
148 | |||
149 | "netns-container@vpn" = { | ||
150 | wantedBy = ["multi-user.target" "network-online.target"]; | ||
151 | after = ["vpn-upstream.service"]; | ||
152 | bindsTo = ["vpn-upstream.service"]; | ||
153 | |||
154 | serviceConfig = { | 142 | serviceConfig = { |
155 | LoadCredential = [ | 143 | LoadCredential = [ |
156 | "surtr.priv:${config.sops.secrets.vpn.path}" | 144 | "surtr.priv:${config.sops.secrets.vpn.path}" |