# NixOS host module: runs a WireGuard endpoint inside an ephemeral
# systemd-nspawn container ("vpn") that is attached to the host's ens3
# through an ipvlan link. The tunnel's private key is handed in as a
# systemd credential (sops-nix -> container@vpn -> nspawn -> networkd)
# instead of being written into the container's filesystem.
{ pkgs, config, lib, ... }:

with lib;

let
  # Strip every trailing newline from a string (readFile on the .pub
  # files leaves one behind). Recurses until removeSuffix is a no-op.
  trim = str:
    let stripped = removeSuffix "\n" str;
    in if stripped == str then str else trim stripped;

  # Tunnel address space: peer number i is assigned ${prefix4}.i/32 and
  # ${prefix6}:i::/96.
  prefix4 = "10.84.47";
  prefix6 = "2a03:4000:52:ada:5";

  # WireGuard peers. `ip` defaults to the peer's 1-based position in the
  # list, so the order here decides the addresses.
  peers = [ { name = "geri"; } { name = "sif"; } ];

  # Build one systemd.network wireguardPeers entry from a peer record.
  # The peer's public key is read from <this dir>/<name>.pub at eval time.
  mkPeer = i: { name, ip ? i }: {
    AllowedIPs = [ "${prefix6}:${toString ip}::/96" "${prefix4}.${toString ip}/32" ];
    PublicKey = trim (readFile (./. + "/${name}.pub"));
  };

  # Packet forwarding inside the container, for both address families
  # (the container routes between "vpn" and "upstream").
  forwardingSysctls = genAttrs [
    "net.ipv6.conf.all.forwarding"
    "net.ipv6.conf.default.forwarding"
    "net.ipv4.conf.all.forwarding"
    "net.ipv4.conf.default.forwarding"
  ] (_: 1);

  # Quad9 resolvers used as the container's fallback DNS.
  quad9Fallback = map (addr: "${addr}#dns10.quad9.net") [
    "9.9.9.10"
    "149.112.112.10"
    "2620:fe::10"
    "2620:fe::fe:10"
  ];
in
{
  config = {
    # Host side: allow nftables log rules to fire from inside the
    # container's network namespace as well as the host's.
    boot.kernel.sysctl."net.netfilter.nf_log_all_netns" = true;

    containers.vpn = {
      autoStart = true;
      # Fresh root filesystem on every start; nothing persists inside.
      ephemeral = true;
      # NET_ADMIN / NET_RAW cover WireGuard and nftables management.
      # NOTE(review): CAP_SYS_ADMIN is far broader than the other three
      # capabilities; confirm it is actually needed here and drop it if not.
      additionalCapabilities = [
        "CAP_SYS_TTY_CONFIG"
        "CAP_NET_ADMIN"
        "CAP_NET_RAW"
        "CAP_SYS_ADMIN"
      ];
      extraFlags = [
        # Forward the key credential from the host unit into the container.
        "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv"
        # Expose the host's ens3 to the container as the ipvlan link "upstream".
        "--network-ipvlan=ens3:upstream"
      ];

      config = {
        boot.kernel.sysctl = {
          "net.core.rmem_max" = 4194304;
          "net.core.wmem_max" = 4194304;
        } // forwardingSysctls;

        environment.systemPackages = [ pkgs.wireguard-tools ];

        networking = {
          useDHCP = false;
          useNetworkd = true;
          useHostResolvConf = false;
          # The NixOS firewall is off; every filtering decision, including
          # which ports are reachable, lives in ./ruleset.nft (not shown here).
          firewall.enable = false;
          nftables = {
            enable = true;
            rulesetFile = ./ruleset.nft;
          };
        };

        services.resolved.fallbackDns = quad9Fallback;

        # Make the credential visible to networkd under
        # /run/credentials/systemd-networkd.service/.
        systemd.services.systemd-networkd.serviceConfig.LoadCredential = [ "surtr.priv" ];

        systemd.network = {
          netdevs = {
            upstream = {
              netdevConfig = { Name = "upstream"; Kind = "ipvlan"; };
              ipvlanConfig.Mode = "L2";
            };
            vpn = {
              netdevConfig = { Name = "vpn"; Kind = "wireguard"; };
              wireguardConfig = {
                # Read from the credential directory, never from /etc or /nix/store.
                PrivateKeyFile = "/run/credentials/systemd-networkd.service/surtr.priv";
                ListenPort = 51820;
              };
              wireguardPeers = imap1 mkPeer peers;
            };
          };

          networks = {
            upstream = {
              name = "upstream";
              matchConfig.Name = "upstream";
              linkConfig.RequiredForOnline = true;
              networkConfig = {
                Address = [ "185.243.10.86/32" "2a03:4000:20:259::/64" ];
                LLMNR = false;
                MulticastDNS = false;
              };
              # The v4 address is a /32, so the gateway first gets an on-link
              # host route and is then used for the default route; v6 defaults
              # via the link-local fe80::1.
              routes = [
                { Destination = "202.61.240.1"; }
                { Destination = "0.0.0.0/0"; Gateway = "202.61.240.1"; }
                { Destination = "::/0"; Gateway = "fe80::1"; }
              ];
              # Pin the gateway's link-layer address with a static neighbour entry.
              extraConfig = ''
                [Neighbor]
                Address=202.61.240.1
                LinkLayerAddress=00:00:5e:00:01:01
              '';
            };

            vpn = {
              name = "vpn";
              matchConfig.Name = "vpn";
              address = [ "${prefix6}::/96" "${prefix4}.0/32" ];
              routes = [
                { Destination = "${prefix6}::/80"; }
                { Destination = "${prefix4}.0/24"; }
              ];
              linkConfig.RequiredForOnline = false;
              networkConfig = {
                LLMNR = false;
                MulticastDNS = false;
              };
            };
          };
        };
      };
    };

    # Host unit for the container: load the sops-decrypted key as the
    # credential "surtr.priv" that the nspawn flag above forwards.
    systemd.services."container@vpn".serviceConfig.LoadCredential =
      [ "surtr.priv:${config.sops.secrets.vpn.path}" ];

    # Encrypted WireGuard private key, decrypted by sops-nix on the host.
    sops.secrets.vpn = {
      format = "binary";
      sopsFile = ./surtr.priv;
    };
  };
}