From 14c880aa5187ad5a0d0cd2e43fec8248f10b3b7e Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Thu, 8 Aug 2024 11:36:56 +0200 Subject: ... --- hosts/surtr/vpn/default.nix | 46 +++++++++++++++++---------------------------- 1 file changed, 17 insertions(+), 29 deletions(-) (limited to 'hosts/surtr/vpn') diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix index 61a9d544..1d31a6f2 100644 --- a/hosts/surtr/vpn/default.nix +++ b/hosts/surtr/vpn/default.nix @@ -12,12 +12,25 @@ in { "net.netfilter.nf_log_all_netns" = true; }; - networking.namespaces = { - enable = true; - containers."vpn".config = { + containers."vpn" = { + autoStart = true; + ephemeral = true; + additionalCapabilities = [ + "CAP_SYS_TTY_CONFIG" "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_SYS_ADMIN" + ]; + extraFlags = [ + "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv" + "--network-ipvlan=ens3:upstream" + ]; + config = { boot.kernel.sysctl = { "net.core.rmem_max" = 4194304; "net.core.wmem_max" = 4194304; + + "net.ipv6.conf.all.forwarding" = 1; + "net.ipv6.conf.default.forwarding" = 1; + "net.ipv4.conf.all.forwarding" = 1; + "net.ipv4.conf.default.forwarding" = 1; }; environment = { @@ -125,32 +138,7 @@ in { }; systemd.services = { - "vpn-upstream" = { - bindsTo = ["netns@vpn.service"]; - after = ["netns@vpn.service"]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStop = "${pkgs.iproute2}/bin/ip netns exec vpn ip link delete upstream"; - }; - path = with pkgs; [ iproute2 procps ]; - script = '' - ip netns exec vpn sysctl \ - net.ipv6.conf.all.forwarding=1 \ - net.ipv6.conf.default.forwarding=1 \ - net.ipv4.conf.all.forwarding=1 \ - net.ipv4.conf.default.forwarding=1 - - ip link add link ens3 name upstream type ipvlan mode l2 - ip link set upstream netns vpn - ''; - }; - - "netns-container@vpn" = { - wantedBy = ["multi-user.target" "network-online.target"]; - after = ["vpn-upstream.service"]; - bindsTo = ["vpn-upstream.service"]; - + "container@vpn" = { serviceConfig = { LoadCredential = [ "surtr.priv:${config.sops.secrets.vpn.path}" -- cgit v1.2.3