Diffstat (limited to 'hosts/surtr/vpn')
| -rw-r--r-- | hosts/surtr/vpn/default.nix | 50 | ||||
| -rw-r--r-- | hosts/surtr/vpn/sif.priv | 16 |
2 files changed, 33 insertions, 33 deletions
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix index 636dab1a..3f7483bd 100644 --- a/hosts/surtr/vpn/default.nix +++ b/hosts/surtr/vpn/default.nix | |||
| @@ -15,18 +15,22 @@ in { | |||
| 15 | containers."vpn" = { | 15 | containers."vpn" = { |
| 16 | autoStart = true; | 16 | autoStart = true; |
| 17 | ephemeral = true; | 17 | ephemeral = true; |
| 18 | additionalCapabilities = [ | ||
| 19 | "CAP_SYS_TTY_CONFIG" "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_SYS_ADMIN" | ||
| 20 | ]; | ||
| 18 | extraFlags = [ | 21 | extraFlags = [ |
| 22 | "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv" | ||
| 19 | "--network-ipvlan=ens3:upstream" | 23 | "--network-ipvlan=ens3:upstream" |
| 20 | "--load-credential=surtr.priv:${config.sops.secrets.vpn.path}" | ||
| 21 | ]; | 24 | ]; |
| 22 | |||
| 23 | config = { | 25 | config = { |
| 24 | boot.kernel.sysctl = { | 26 | boot.kernel.sysctl = { |
| 25 | "net.core.rmem_max" = 4194304; | 27 | "net.core.rmem_max" = 4194304; |
| 26 | "net.core.wmem_max" = 4194304; | 28 | "net.core.wmem_max" = 4194304; |
| 29 | |||
| 27 | "net.ipv6.conf.all.forwarding" = 1; | 30 | "net.ipv6.conf.all.forwarding" = 1; |
| 28 | "net.ipv6.conf.default.forwarding"= 1; | 31 | "net.ipv6.conf.default.forwarding" = 1; |
| 29 | "net.ipv4.conf.all.forwarding" = 1; | 32 | "net.ipv4.conf.all.forwarding" = 1; |
| 33 | "net.ipv4.conf.default.forwarding" = 1; | ||
| 30 | }; | 34 | }; |
| 31 | 35 | ||
| 32 | environment = { | 36 | environment = { |
| @@ -81,10 +85,8 @@ in { | |||
| 81 | ListenPort = 51820; | 85 | ListenPort = 51820; |
| 82 | }; | 86 | }; |
| 83 | wireguardPeers = imap1 (i: { name, ip ? i }: { | 87 | wireguardPeers = imap1 (i: { name, ip ? i }: { |
| 84 | wireguardPeerConfig = { | 88 | AllowedIPs = ["${prefix6}:${toString ip}::/96" "${prefix4}.${toString ip}/32"]; |
| 85 | AllowedIPs = ["${prefix6}:${toString ip}::/96" "${prefix4}.${toString ip}/32"]; | 89 | PublicKey = trim (readFile (./. + "/${name}.pub")); |
| 86 | PublicKey = trim (readFile (./. + "/${name}.pub")); | ||
| 87 | }; | ||
| 88 | }) [ { name = "geri"; } { name = "sif"; } ]; | 90 | }) [ { name = "geri"; } { name = "sif"; } ]; |
| 89 | }; | 91 | }; |
| 90 | }; | 92 | }; |
| @@ -104,19 +106,13 @@ in { | |||
| 104 | MulticastDNS = false; | 106 | MulticastDNS = false; |
| 105 | }; | 107 | }; |
| 106 | routes = [ | 108 | routes = [ |
| 107 | { routeConfig = { | 109 | { Destination = "202.61.240.1"; |
| 108 | Destination = "202.61.240.1"; | ||
| 109 | }; | ||
| 110 | } | 110 | } |
| 111 | { routeConfig = { | 111 | { Destination = "0.0.0.0/0"; |
| 112 | Destination = "0.0.0.0/0"; | 112 | Gateway = "202.61.240.1"; |
| 113 | Gateway = "202.61.240.1"; | ||
| 114 | }; | ||
| 115 | } | 113 | } |
| 116 | { routeConfig = { | 114 | { Destination = "::/0"; |
| 117 | Destination = "::/0"; | 115 | Gateway = "fe80::1"; |
| 118 | Gateway = "fe80::1"; | ||
| 119 | }; | ||
| 120 | } | 116 | } |
| 121 | ]; | 117 | ]; |
| 122 | extraConfig = '' | 118 | extraConfig = '' |
| @@ -132,13 +128,9 @@ in { | |||
| 132 | }; | 128 | }; |
| 133 | address = ["${prefix6}::/96" "${prefix4}.0/32"]; | 129 | address = ["${prefix6}::/96" "${prefix4}.0/32"]; |
| 134 | routes = [ | 130 | routes = [ |
| 135 | { routeConfig = { | 131 | { Destination = "${prefix6}::/80"; |
| 136 | Destination = "${prefix6}::/80"; | ||
| 137 | }; | ||
| 138 | } | 132 | } |
| 139 | { routeConfig = { | 133 | { Destination = "${prefix4}.0/24"; |
| 140 | Destination = "${prefix4}.0/24"; | ||
| 141 | }; | ||
| 142 | } | 134 | } |
| 143 | ]; | 135 | ]; |
| 144 | linkConfig = { | 136 | linkConfig = { |
| @@ -154,6 +146,16 @@ in { | |||
| 154 | }; | 146 | }; |
| 155 | }; | 147 | }; |
| 156 | 148 | ||
| 149 | systemd.services = { | ||
| 150 | "container@vpn" = { | ||
| 151 | serviceConfig = { | ||
| 152 | LoadCredential = [ | ||
| 153 | "surtr.priv:${config.sops.secrets.vpn.path}" | ||
| 154 | ]; | ||
| 155 | }; | ||
| 156 | }; | ||
| 157 | }; | ||
| 158 | |||
| 157 | sops.secrets.vpn = { | 159 | sops.secrets.vpn = { |
| 158 | format = "binary"; | 160 | format = "binary"; |
| 159 | sopsFile = ./surtr.priv; | 161 | sopsFile = ./surtr.priv; |
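Review bot: `CAP_SYS_ADMIN` in the new `additionalCapabilities` list (new lines 18–20 of the first hunk) is effectively root-equivalent inside the container — it unlocks mounts, namespace manipulation and a long tail of other privileged operations, which largely undoes the isolation the `ephemeral` nspawn container otherwise gives a service that holds a WireGuard private key. Managing a WireGuard interface and its routes needs only `CAP_NET_ADMIN` (plus `CAP_NET_RAW` for raw sockets), both already listed; nothing visible in this diff uses `CAP_SYS_TTY_CONFIG` or `CAP_SYS_ADMIN`. If one of them is required by something not shown here, record the reason next to it, e.g. `# CAP_SYS_ADMIN: required for <reason>; drop once <X> no longer needs it`, and otherwise trim the list to `additionalCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" ];`. Note that the `containers."vpn"` attribute set this hunk edits continues well past the hunk, so other capability consumers may exist outside the visible lines — worth checking before trimming.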
diff --git a/hosts/surtr/vpn/sif.priv b/hosts/surtr/vpn/sif.priv index a3c13416..25afb9fa 100644 --- a/hosts/surtr/vpn/sif.priv +++ b/hosts/surtr/vpn/sif.priv | |||
| @@ -7,19 +7,17 @@ | |||
| 7 | "hc_vault": null, | 7 | "hc_vault": null, |
| 8 | "age": [ | 8 | "age": [ |
| 9 | { | 9 | { |
| 10 | "recipient": "age1ure0athvtnaqqw48pe0y3upqdzmkaen9h70yggd9va4hva6avd8qqm6s4d", | 10 | "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866", |
| 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVzdKYllJMkJ5TE1lY25D\nOTh6WGtYcmRhY244MUdyRnFCa3ZTMGx4ZVFjCllRaElWVlZ1b0dKL09qUWNEYkhS\nNnowRFdjSDVnSzNLQVByQm00Q1NHWFEKLS0tIDhiN2pjeU1nL2tWMFFrZUl1TGto\nY04wY0o3ZEhsR3hrQjh1eHREZHgrUXcKhd3BZiC6NfQ1kDvpN+HG4z6xdLJZaR7B\nvyEQ/p0VpNKXW83BhiM+FFzJ0WLP7nS7gQ89RyjAOQ0/oIb+b29xiw==\n-----END AGE ENCRYPTED FILE-----\n" | 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArOEFxOWNVZEVHRUlXTHg0\nTXV1Q2ZuQmtmek5GeHZXbFZwaU5tbDVnY2lrCnBldG9KTXEvM3kyVjFFQmF3OUxW\neE5oODVKSmVaTnZJSnhjVmZlVGpMbzgKLS0tIGptV3VFai90RHlHT2JyN2k4UFBK\nTHVXL3N3MjdOV1lJZ2ZDM3Z4SFlUZnMKGJEoiGIUJYqDKa24LV5Et8g2oTzGZFPW\n7+/sUTwqsbxPNhHscx89G063QoLjoWGCJ5RERUj+6Qcd49ja4jn07Q==\n-----END AGE ENCRYPTED FILE-----\n" |
| 12 | }, | ||
| 13 | { | ||
| 14 | "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne", | ||
| 15 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdmJKR0REWUVZL3Z4ODlT\nS1J6SUsvaTBpRXlHR1hON1RldUZ3TklMUGlBClZVMG4yQ0ppcWRhcTZTNmsvQnl2\nTGJ2VlhVS3U5NU9tTXZ5ZURqbkxBejgKLS0tIDkxOTF3WDk2Slp3K3pTYkNFOEt5\ndDU0bjl4RDRyM25ZUmNMOWNHYVFya0UKn8ptfrHhagqepWz1wKxmiM7U0pSv41xh\n0RHpQwFXCUjIPuntZD2e4fLxfU11gpPvdVB42uILG/IYhJUX9ejf+w==\n-----END AGE ENCRYPTED FILE-----\n" | ||
| 12 | } | 16 | } |
| 13 | ], | 17 | ], |
| 14 | "lastmodified": "2022-07-29T12:15:02Z", | 18 | "lastmodified": "2022-07-29T12:15:02Z", |
| 15 | "mac": "ENC[AES256_GCM,data:MQFmmdTgHlwYplUt51VdMUAnezhypB0Yh0PW5LX4L0lsF0/qlHofRXvqHYI6sx21r8UuTjvLIZ+7LSo8px2wELDol77ufh1zxSDBdbGq6J2ITPEMtmqIXwGJQKweEBr4B4H4mxoiIVQUgNj5TxzxhL7KTm+sVi1uCqTcJjnSY5o=,iv:YJ1GuHd3I4QaJxSJitLrUagaBth1jcQNlIAIahiOCgs=,tag:pcFpscLzTe1egToIzcZh8Q==,type:str]", | 19 | "mac": "ENC[AES256_GCM,data:MQFmmdTgHlwYplUt51VdMUAnezhypB0Yh0PW5LX4L0lsF0/qlHofRXvqHYI6sx21r8UuTjvLIZ+7LSo8px2wELDol77ufh1zxSDBdbGq6J2ITPEMtmqIXwGJQKweEBr4B4H4mxoiIVQUgNj5TxzxhL7KTm+sVi1uCqTcJjnSY5o=,iv:YJ1GuHd3I4QaJxSJitLrUagaBth1jcQNlIAIahiOCgs=,tag:pcFpscLzTe1egToIzcZh8Q==,type:str]", |
| 16 | "pgp": [ | 20 | "pgp": null, |
| 17 | { | ||
| 18 | "created_at": "2023-01-30T10:58:41Z", | ||
| 19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA8xX+2sUmk2pxjs8kIEoCSijlD2Fpc+4iDBfFbT5Apxkw\nTQYHXzajO77NqiRFu/6s/pzZRhzqlWb6+SqZ31BCws/IZjChXQjrV3p1biAQh5Y7\n0lwBVMoawwg2glvW1CanysrUTC4T0r70CViYhoM7RuwRp79FA4r7xKWct+Igsk8V\n6wy13zSRhPqK5yC9Xk5GmMlUiSu1f5SDTQ+dD+QNjHp0JninoNmTxfPrBbLfpg==\n=eeWj\n-----END PGP MESSAGE-----\n", | ||
| 20 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
| 21 | } | ||
| 22 | ], | ||
| 23 | "unencrypted_suffix": "_unencrypted", | 21 | "unencrypted_suffix": "_unencrypted", |
| 24 | "version": "3.7.3" | 22 | "version": "3.7.3" |
| 25 | } | 23 | } |
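Review bot: Dropping the second age recipient and the PGP recipient from `sif.priv` does not revoke their access to the secret: the `mac` and `lastmodified` fields are byte-identical before and after, which indicates the sops data key was only re-wrapped for the new recipient (as `sops updatekeys` does) rather than rotated, so anyone who held the removed keys and decrypted the file earlier still knows the plaintext. If those keys were retired because they are lost or no longer trusted, rotate the data key with `sops --rotate --in-place hosts/surtr/vpn/sif.priv`, and since this file is presumably the `sif` peer's WireGuard private key (it sits next to the `sif.pub` read by `wireguardPeers`), regenerate that keypair and update `sif.pub` as well. If this is merely the same operator migrating to a new age key, a short commit-message line saying so would save the next reader from asking.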
