# NixOS module: runs a WireGuard endpoint ("vpn") inside an ephemeral
# systemd-nspawn container that gets its own uplink through an ipvlan
# on the host's ens3.  The WireGuard private key is handed through as a
# systemd credential (host sops secret -> container@vpn -> networkd inside
# the container) so it never has to be written into the Nix store.
{ pkgs, config, lib, ... }:
let
  # Strip every trailing "\n" from a string (recurses so "key\n\n" also
  # becomes "key"); applied to the peer public-key files below.
  stripTrailingNewlines = s:
    if lib.hasSuffix "\n" s
    then stripTrailingNewlines (lib.removeSuffix "\n" s)
    else s;

  # Prefixes of the tunnel network.  Peer number i is assigned
  # <tunnelV6>:<i>::/96 and <tunnelV4>.<i>/32 unless it sets `ip` itself.
  tunnelV4 = "10.84.47";
  tunnelV6 = "2a03:4000:52:ada:5";

  # Peers in numbering order; the public key of each is read from
  # ./<name>.pub at evaluation time (public material, so landing in the
  # store is acceptable).
  peerList = [ { name = "geri"; } { name = "sif"; } ];

  # Build one networkd [WireGuardPeer] section; `index` is 1-based.
  mkPeer = index: { name, ip ? index }: {
    AllowedIPs = [ "${tunnelV6}:${toString ip}::/96" "${tunnelV4}.${toString ip}/32" ];
    PublicKey = stripTrailingNewlines (builtins.readFile (./. + "/${name}.pub"));
  };
in
{
  config = {
    # Allow netfilter log messages originating in the container's network
    # namespace to reach the host kernel log (where the nftables `log`
    # rules of the container would otherwise be silent).
    boot.kernel.sysctl."net.netfilter.nf_log_all_netns" = true;

    # Encrypted WireGuard private key; the sops-encrypted file ./surtr.priv
    # is what ends up in the store, the decrypted path is only referenced
    # from the container@vpn LoadCredential below.
    sops.secrets.vpn = {
      format = "binary";
      sopsFile = ./surtr.priv;
    };

    # Expose the decrypted key to the container unit as credential
    # "surtr.priv"; the container's extraFlags forward it from there.
    systemd.services."container@vpn".serviceConfig.LoadCredential = [
      "surtr.priv:${config.sops.secrets.vpn.path}"
    ];

    containers.vpn = {
      autoStart = true;
      # Rootfs is thrown away on every restart; nothing in the container is
      # meant to persist.
      ephemeral = true;
      # NOTE(review): CAP_SYS_ADMIN is a very broad grant — confirm which
      # in-container feature actually requires it; the WireGuard netdev and
      # the nftables ruleset should be covered by CAP_NET_ADMIN/CAP_NET_RAW.
      additionalCapabilities = [
        "CAP_SYS_TTY_CONFIG" "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_SYS_ADMIN"
      ];
      extraFlags = [
        # Pass the key credential received by container@vpn.service on to
        # the container's own service manager.
        "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv"
        # Give the container an ipvlan on the host's ens3, named "upstream".
        "--network-ipvlan=ens3:upstream"
      ];

      config = {
        boot.kernel.sysctl = {
          # Larger socket buffers for the tunnel traffic.
          "net.core.rmem_max" = 4194304;
          "net.core.wmem_max" = 4194304;
          # The container routes between the tunnel and its uplink.
          "net.ipv4.conf.all.forwarding" = 1;
          "net.ipv4.conf.default.forwarding" = 1;
          "net.ipv6.conf.all.forwarding" = 1;
          "net.ipv6.conf.default.forwarding" = 1;
        };

        environment.systemPackages = [ pkgs.wireguard-tools ];

        networking = {
          useDHCP = false;
          useNetworkd = true;
          useHostResolvConf = false;
          # The NixOS firewall is replaced wholesale by ./ruleset.nft (not
          # shown here); with forwarding enabled that file is the only
          # filter between the tunnel and the uplink.
          firewall.enable = false;
          nftables = {
            enable = true;
            rulesetFile = ./ruleset.nft;
          };
        };

        # Resolvers used when no link supplies DNS servers; the "#host"
        # suffix is the name resolved validates for DNS-over-TLS.
        # NOTE(review): confirm resolved's DNSOverTLS setting, otherwise
        # the suffix has no effect.
        services.resolved.fallbackDns = [
          "9.9.9.10#dns10.quad9.net"
          "149.112.112.10#dns10.quad9.net"
          "2620:fe::10#dns10.quad9.net"
          "2620:fe::fe:10#dns10.quad9.net"
        ];

        # networkd inside the container picks the key up as a credential of
        # its own unit; this is the file PrivateKeyFile points at.
        systemd.services."systemd-networkd".serviceConfig.LoadCredential = [
          "surtr.priv"
        ];

        systemd.network = {
          netdevs = {
            # The ipvlan end created by --network-ipvlan above.
            upstream = {
              netdevConfig = { Name = "upstream"; Kind = "ipvlan"; };
              ipvlanConfig.Mode = "L2";
            };
            # The WireGuard interface itself.
            vpn = {
              netdevConfig = { Name = "vpn"; Kind = "wireguard"; };
              wireguardConfig = {
                PrivateKeyFile = "/run/credentials/systemd-networkd.service/surtr.priv";
                ListenPort = 51820;
              };
              wireguardPeers = lib.imap1 mkPeer peerList;
            };
          };

          networks = {
            upstream = {
              name = "upstream";
              matchConfig.Name = "upstream";
              linkConfig.RequiredForOnline = true;
              networkConfig = {
                Address = [ "185.243.10.86/32" "2a03:4000:20:259::/64" ];
                LLMNR = false;
                MulticastDNS = false;
              };
              # Gateway is not on-link for a /32, so first a host route to
              # it, then the default routes via it.
              routes = [
                { Destination = "202.61.240.1"; }
                { Destination = "0.0.0.0/0"; Gateway = "202.61.240.1"; }
                { Destination = "::/0"; Gateway = "fe80::1"; }
              ];
              # Static neighbour entry for the IPv4 gateway.
              extraConfig = ''
                [Neighbor]
                Address=202.61.240.1
                LinkLayerAddress=00:00:5e:00:01:01
              '';
            };

            vpn = {
              name = "vpn";
              matchConfig.Name = "vpn";
              address = [ "${tunnelV6}::/96" "${tunnelV4}.0/32" ];
              # Routes covering every peer's per-peer range.
              routes = [
                { Destination = "${tunnelV6}::/80"; }
                { Destination = "${tunnelV4}.0/24"; }
              ];
              linkConfig.RequiredForOnline = false;
              networkConfig = {
                LLMNR = false;
                MulticastDNS = false;
              };
            };
          };
        };
      };
    };
  };
}