From bda1a6b603a3944223707a6d090622b574ea7505 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Fri, 29 Jul 2022 11:07:19 +0200 Subject: bump & vpn --- hosts/surtr/vpn/default.nix | 177 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 177 insertions(+) create mode 100644 hosts/surtr/vpn/default.nix (limited to 'hosts/surtr/vpn/default.nix')
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
new file mode 100644
index 00000000..4f334105
--- /dev/null
+++ b/hosts/surtr/vpn/default.nix
@@ -0,0 +1,177 @@
+{ pkgs, config, lib, ... }:
+
+with lib;
+
+let
+ trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
+ prefix4 = "10.84.47";
+ prefix6 = "2a03:4000:52:ada:5";
+in {
+ config = {
+ boot.kernel.sysctl = {
+ "net.netfilter.nf_log_all_netns" = true;
+ };
+
+ networking.namespaces = {
+ enable = true;
+ containers."vpn".config = {
+ boot.kernel.sysctl = {
+ "net.core.rmem_max" = "4194304";
+ "net.core.wmem_max" = "4194304";
+ };
+
+ environment = {
+ noXlibs = true;
+ systemPackages = with pkgs; [ wireguard-tools ];
+ };
+
+ networking = {
+ useDHCP = false;
+ useNetworkd = true;
+ useHostResolvConf = false;
+ firewall.enable = false;
+ nftables = {
+ enable = true;
+ rulesetFile = ./ruleset.nft;
+ };
+ };
+
+ services.resolved.fallbackDns = [
+ "9.9.9.9#dns.quad9.net"
+ "149.112.112.112#dns.quad9.net"
+ "2620:fe::fe#dns.quad9.net"
+ "2620:fe::9#dns.quad9.net"
+ ];
+
+ systemd.tmpfiles.rules = [
+ "d /etc/wireguard 0755 root systemd-network - -"
+ "C /etc/wireguard/surtr.priv 0640 root systemd-network - /run/host/credentials/surtr.priv"
+ ];
+
+ systemd.network = {
+ netdevs = {
+ vpn = {
+ netdevConfig = {
+ Name = "vpn";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = "/etc/wireguard/surtr.priv";
+ ListenPort = 51820;
+ };
+ wireguardPeers = [
+ { wireguardPeerConfig = {
+ AllowedIPs = ["${prefix6}:1::/96" "${prefix4}.1/32"];
+ PublicKey = trim (readFile ./geri.pub);
+ };
+ }
+ ];
+ };
+ };
+
+ networks = {
+ upstream = {
+ name = "upstream";
+ matchConfig = {
+ Name = "upstream";
+ };
+ linkConfig = {
+ RequiredForOnline = true;
+ };
+ networkConfig = {
+ Address = [ "185.243.10.86/32" "2a03:4000:20:259::/64" ];
+ LLMNR = false;
+ MulticastDNS = false;
+ };
+ routes = [
+ { routeConfig = {
+ Destination = "202.61.240.0/22";
+ };
+ }
+ { routeConfig = {
+ Destination = "0.0.0.0/0";
+ Gateway = "202.61.240.1";
+ };
+ }
+ { routeConfig = {
+ Destination = "::/0";
+ Gateway = "fe80::1";
+ };
+ }
+ ];
+ extraConfig = ''
+ [Neighbor]
+ Address=202.61.240.1
+ LinkLayerAddress=00:00:5e:00:01:01
+ '';
+ };
+ vpn = {
+ name = "vpn";
+ matchConfig = {
+ Name = "vpn";
+ };
+ address = ["${prefix6}::/96" "${prefix4}.0/32"];
+ routes = [
+ { routeConfig = {
+ Destination = "${prefix6}::/80";
+ };
+ }
+ { routeConfig = {
+ Destination = "${prefix4}.0/24";
+ };
+ }
+ ];
+ linkConfig = {
+ RequiredForOnline = false;
+ };
+ networkConfig = {
+ LLMNR = false;
+ MulticastDNS = false;
+ };
+ };
+ };
+ };
+ };
+ };
+
+ systemd.services = {
+ "vpn-upstream" = {
+ bindsTo = ["netns@vpn.service"];
+ after = ["netns@vpn.service"];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStop = "${pkgs.iproute}/bin/ip netns exec vpn ip link delete upstream";
+ };
+ path = with pkgs; [ iproute procps ];
+ script = ''
+ ip netns exec vpn sysctl \
+ net.ipv6.conf.all.forwarding=1 \
+ net.ipv6.conf.default.forwarding=1 \
+ net.ipv4.conf.all.forwarding=1 \
+ net.ipv4.conf.default.forwarding=1
+
+ ip link add link ens3 name upstream type ipvlan mode l2
+ ip link set upstream netns vpn
+ '';
+ };
+
+ "netns-container@vpn" = {
+ wantedBy = ["multi-user.target" "network-online.target"];
+ after = ["vpn-upstream.service"];
+ bindsTo = ["vpn-upstream.service"];
+
+ serviceConfig = {
+ LoadCredential = [
+ "surtr.priv:${config.sops.secrets.vpn.path}"
+ ];
+ };
+ };
+ };
+
+ sops.secrets.vpn = {
+ format = "binary";
+ sopsFile = ./surtr.priv;
+ };
+ };
+}
-- cgit v1.2.3
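Review bot: The `services.resolved.fallbackDns` entries carry `#dns.quad9.net` SNI names, but nothing in the container config enables DNS-over-TLS, so unless it is set elsewhere resolved will still send these queries in plaintext and the `#hostname` suffix does nothing; adding `services.resolved.extraConfig = "DNSOverTLS=yes";` in the container would make the intent explicit. The container also sets `firewall.enable = false` and the `vpn-upstream` script turns on IPv4/IPv6 forwarding inside the namespace, so all inbound policy for the WireGuard listener on UDP 51820 and for forwarded traffic rests on `./ruleset.nft`, which this commit does not add — a one-line comment next to `rulesetFile`, e.g. `# sole packet filter for this netns; forwarding is enabled by vpn-upstream`, would keep that dependency visible. The `vpn-upstream` script hard-codes the parent interface `ens3`; a comment saying why that interface, or sourcing it from a shared option, would help the next edit. Note that tmpfiles `C` lines copy only when the destination does not already exist, so if the container's `/etc` persists across restarts a rotated `surtr.priv` credential may not replace the copy at `/etc/wireguard/surtr.priv` — worth confirming the namespace's filesystem is ephemeral.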