{ pkgs, config, lib, ... }:

# NixOS module for host "surtr": runs a WireGuard endpoint inside an
# ephemeral, auto-started nspawn container ("vpn") that is attached to the
# host's ens3 via an ipvlan netdev and forwards traffic between that
# upstream link and the WireGuard tunnel.  The tunnel private key never
# enters the Nix store: it flows sops secret -> host service credential ->
# container credential -> networkd credential (see the LoadCredential /
# --load-credential / PrivateKeyFile lines below).

with lib;

let
  # Strip every trailing "\n" from a string (recursive, so several trailing
  # newlines are all removed).  Used to normalise the contents of the peer
  # public-key files read below.
  trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
  # Address prefixes of the tunnel network; both are completed with a
  # per-peer host part in wireguardPeers / networks.vpn below.
  prefix4 = "10.84.47";
  prefix6 = "2a03:4000:52:ada:5";
in {
  config = {
    # Host-side sysctl.  NOTE(review): judging by the key name this makes
    # netfilter log messages visible from all network namespaces, i.e. lets
    # the container's nftables log output reach the host — confirm.
    boot.kernel.sysctl = {
      "net.netfilter.nf_log_all_netns" = true;
    };

    containers."vpn" = {
      autoStart = true;
      # ephemeral: the container's root filesystem is discarded on every
      # restart, so nothing persists inside it except what is passed in.
      ephemeral = true;
      # NOTE(review): CAP_SYS_ADMIN is a very broad capability; NET_ADMIN and
      # NET_RAW are what the WireGuard/nftables setup itself needs.  Worth
      # documenting which feature in the container actually requires
      # SYS_ADMIN (and SYS_TTY_CONFIG), so it can be dropped once no longer
      # needed.
      additionalCapabilities = [
        "CAP_SYS_TTY_CONFIG" "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_SYS_ADMIN"
      ];
      extraFlags = [
        # Hand the host service's "surtr.priv" credential (loaded from the
        # sops secret in systemd.services."container@vpn" below) into the
        # container as a credential of the same name.
        "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv"
        # ipvlan sub-interface on the host's ens3, visible inside the
        # container as "upstream".
        "--network-ipvlan=ens3:upstream"
      ];
      config = {
        boot.kernel.sysctl = {
          # Larger socket buffers; presumably for WireGuard/UDP throughput.
          "net.core.rmem_max" = 4194304;
          "net.core.wmem_max" = 4194304;

          # The container is a router between "upstream" and the "vpn"
          # tunnel, so forwarding is enabled for both address families.
          # Filtering of forwarded traffic is left entirely to ruleset.nft.
          "net.ipv6.conf.all.forwarding" = 1;
          "net.ipv6.conf.default.forwarding" = 1;
          "net.ipv4.conf.all.forwarding" = 1;
          "net.ipv4.conf.default.forwarding" = 1;
        };

        environment = {
          noXlibs = true;
          # `wg` CLI for inspecting the tunnel; networkd does the actual setup.
          systemPackages = with pkgs; [ wireguard-tools ];
        };

        networking = {
          useDHCP = false;
          useNetworkd = true;
          useHostResolvConf = false;
          # The generated NixOS firewall is disabled; the container's whole
          # packet policy comes from the hand-written ruleset.nft next to this
          # file (not shown here) — that file is where forwarding between
          # upstream and vpn is actually constrained.
          firewall.enable = false;
          nftables = {
            enable = true;
            rulesetFile = ./ruleset.nft;
          };
        };

        # Resolver fallback (Quad9, DNSSEC-validating "10" endpoints with a
        # hostname for DNS-over-TLS certificate matching).
        services.resolved.fallbackDns = [
          "9.9.9.10#dns10.quad9.net"
          "149.112.112.10#dns10.quad9.net"
          "2620:fe::10#dns10.quad9.net"
          "2620:fe::fe:10#dns10.quad9.net"
        ];

        # Make the container-level "surtr.priv" credential available to
        # networkd, which reads it via PrivateKeyFile below.
        systemd.services."systemd-networkd" = {
          serviceConfig = {
            LoadCredential = [
              "surtr.priv"
            ];
          };
        };

        systemd.network = {
          netdevs = {
            # L2 ipvlan on the interface passed in by --network-ipvlan.
            upstream = {
              netdevConfig = {
                Name = "upstream";
                Kind = "ipvlan";
              };
              ipvlanConfig = {
                Mode = "L2";
              };
            };
            vpn = {
              netdevConfig = {
                Name = "vpn";
                Kind = "wireguard";
              };
              wireguardConfig = {
                # Credential path of the systemd-networkd unit inside the
                # container; the key is never written to the Nix store.
                PrivateKeyFile = "/run/credentials/systemd-networkd.service/surtr.priv";
                ListenPort = 51820;
              };
              # One peer per entry; `ip` defaults to the 1-based list index,
              # so "geri" is host 1 and "sif" host 2.  Each peer is allowed
              # exactly its own /96 and /32.  The public key is read from
              # ./<name>.pub at Nix evaluation time (public material only,
              # so ending up in the store is fine) and trailing newlines
              # are removed.
              wireguardPeers = imap1 (i: { name, ip ? i }: {
                AllowedIPs = ["${prefix6}:${toString ip}::/96" "${prefix4}.${toString ip}/32"];
                PublicKey = trim (readFile (./. + "/${name}.pub"));
              }) [ { name = "geri"; } { name = "sif"; } ];
            };
          };

          networks = {
            upstream = {
              name = "upstream";
              matchConfig = {
                Name = "upstream";
              };
              linkConfig = {
                RequiredForOnline = true;
              };
              networkConfig = {
                Address = [ "185.243.10.86/32" "2a03:4000:20:259::/64" ];
                LLMNR = false;
                MulticastDNS = false;
              };
              # Host route to the IPv4 gateway first (it is not on-link for a
              # /32 address), then defaults via that gateway / the v6
              # link-local router.
              routes = [
                { Destination = "202.61.240.1";
                }
                { Destination = "0.0.0.0/0";
                  Gateway = "202.61.240.1";
                }
                { Destination = "::/0";
                  Gateway = "fe80::1";
                }
              ];
              # Static neighbour entry for the gateway, presumably so no ARP
              # resolution is needed over the ipvlan link — confirm.
              extraConfig = ''
                [Neighbor]
                Address=202.61.240.1
                LinkLayerAddress=00:00:5e:00:01:01
              '';
            };
            vpn = {
              name = "vpn";
              matchConfig = {
                Name = "vpn";
              };
              # Tunnel-side addresses of this endpoint (host part 0).
              address = ["${prefix6}::/96" "${prefix4}.0/32"];
              # Routes covering every peer's AllowedIPs from above.
              routes = [
                { Destination = "${prefix6}::/80";
                }
                { Destination = "${prefix4}.0/24";
                }
              ];
              linkConfig = {
                RequiredForOnline = false;
              };
              networkConfig = {
                LLMNR = false;
                MulticastDNS = false;
              };
            };
          };
        };
      };
    };

    # Host side: load the decrypted sops secret as a credential of the
    # container unit, from where --load-credential above forwards it.
    systemd.services = {
      "container@vpn" = {
        serviceConfig = {
          LoadCredential = [
            "surtr.priv:${config.sops.secrets.vpn.path}"
          ];
        };
      };
    };

    # sops-encrypted WireGuard private key, stored next to this file.
    sops.secrets.vpn = {
      format = "binary";
      sopsFile = ./surtr.priv;
    };
  };
}