summaryrefslogtreecommitdiff
path: root/hosts/surtr/vpn/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/surtr/vpn/default.nix')
-rw-r--r--hosts/surtr/vpn/default.nix50
1 files changed, 26 insertions, 24 deletions
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 636dab1a..3f7483bd 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -15,18 +15,22 @@ in {
15 containers."vpn" = { 15 containers."vpn" = {
16 autoStart = true; 16 autoStart = true;
17 ephemeral = true; 17 ephemeral = true;
18 additionalCapabilities = [
19 "CAP_SYS_TTY_CONFIG" "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_SYS_ADMIN"
20 ];
18 extraFlags = [ 21 extraFlags = [
22 "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv"
19 "--network-ipvlan=ens3:upstream" 23 "--network-ipvlan=ens3:upstream"
20 "--load-credential=surtr.priv:${config.sops.secrets.vpn.path}"
21 ]; 24 ];
22
23 config = { 25 config = {
24 boot.kernel.sysctl = { 26 boot.kernel.sysctl = {
25 "net.core.rmem_max" = 4194304; 27 "net.core.rmem_max" = 4194304;
26 "net.core.wmem_max" = 4194304; 28 "net.core.wmem_max" = 4194304;
29
27 "net.ipv6.conf.all.forwarding" = 1; 30 "net.ipv6.conf.all.forwarding" = 1;
28 "net.ipv6.conf.default.forwarding"= 1; 31 "net.ipv6.conf.default.forwarding" = 1;
29 "net.ipv4.conf.all.forwarding" = 1; 32 "net.ipv4.conf.all.forwarding" = 1;
33 "net.ipv4.conf.default.forwarding" = 1;
30 }; 34 };
31 35
32 environment = { 36 environment = {
@@ -81,10 +85,8 @@ in {
81 ListenPort = 51820; 85 ListenPort = 51820;
82 }; 86 };
83 wireguardPeers = imap1 (i: { name, ip ? i }: { 87 wireguardPeers = imap1 (i: { name, ip ? i }: {
84 wireguardPeerConfig = { 88 AllowedIPs = ["${prefix6}:${toString ip}::/96" "${prefix4}.${toString ip}/32"];
85 AllowedIPs = ["${prefix6}:${toString ip}::/96" "${prefix4}.${toString ip}/32"]; 89 PublicKey = trim (readFile (./. + "/${name}.pub"));
86 PublicKey = trim (readFile (./. + "/${name}.pub"));
87 };
88 }) [ { name = "geri"; } { name = "sif"; } ]; 90 }) [ { name = "geri"; } { name = "sif"; } ];
89 }; 91 };
90 }; 92 };
@@ -104,19 +106,13 @@ in {
104 MulticastDNS = false; 106 MulticastDNS = false;
105 }; 107 };
106 routes = [ 108 routes = [
107 { routeConfig = { 109 { Destination = "202.61.240.1";
108 Destination = "202.61.240.1";
109 };
110 } 110 }
111 { routeConfig = { 111 { Destination = "0.0.0.0/0";
112 Destination = "0.0.0.0/0"; 112 Gateway = "202.61.240.1";
113 Gateway = "202.61.240.1";
114 };
115 } 113 }
116 { routeConfig = { 114 { Destination = "::/0";
117 Destination = "::/0"; 115 Gateway = "fe80::1";
118 Gateway = "fe80::1";
119 };
120 } 116 }
121 ]; 117 ];
122 extraConfig = '' 118 extraConfig = ''
@@ -132,13 +128,9 @@ in {
132 }; 128 };
133 address = ["${prefix6}::/96" "${prefix4}.0/32"]; 129 address = ["${prefix6}::/96" "${prefix4}.0/32"];
134 routes = [ 130 routes = [
135 { routeConfig = { 131 { Destination = "${prefix6}::/80";
136 Destination = "${prefix6}::/80";
137 };
138 } 132 }
139 { routeConfig = { 133 { Destination = "${prefix4}.0/24";
140 Destination = "${prefix4}.0/24";
141 };
142 } 134 }
143 ]; 135 ];
144 linkConfig = { 136 linkConfig = {
@@ -154,6 +146,16 @@ in {
154 }; 146 };
155 }; 147 };
156 148
149 systemd.services = {
150 "container@vpn" = {
151 serviceConfig = {
152 LoadCredential = [
153 "surtr.priv:${config.sops.secrets.vpn.path}"
154 ];
155 };
156 };
157 };
158
157 sops.secrets.vpn = { 159 sops.secrets.vpn = {
158 format = "binary"; 160 format = "binary";
159 sopsFile = ./surtr.priv; 161 sopsFile = ./surtr.priv;
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-10 17:37:30 +0000