nix-files/config/net.nix

{ config, pkgs, ... }:

{
  networking.domain = "uninsane.org";

  networking.firewall.enable = false;
  # networking.firewall.enable = true;
  # networking.firewall.allowedTCPPorts = [ 25 80 143 443 993 ];
  # # DLNA ports: https://jellyfin.org/docs/general/networking/index.html
  # networking.firewall.allowedUDPPorts = [ 1900 7359 ];

  # we need to use externally-visible nameservers in order for VPNs to be able to resolve hosts.
  networking.nameservers = [
    "1.1.1.1"
    "9.9.9.9"
  ];

  # OVPN CONFIG:
  # DOCS: https://nixos.wiki/wiki/WireGuard
  networking.wireguard.enable = true;
  networking.wireguard.interfaces.wg0 = {
    privateKeyFile = "/etc/nixos/secrets/wireguard.private";
    # wg is active only in this namespace.
    # run e.g. ip netns ovpns <some command like ping/curl/etc, it'll go through wg>
    # note: without the namespace, you'll need to add a specific route through eth0 for the peer (185.157.162.7/32)
    interfaceNamespace = "ovpns";
    preSetup = "${pkgs.iproute2}/bin/ip netns add ovpns || true";
    postShutdown = "${pkgs.iproute2}/bin/ip netns delete ovpns";
    ips = [
      "185.157.162.190/32"
    ];
    peers = [
      {
        publicKey = "Qno+hILmJ8TZ6/PpOOhtspmncyILY2phiTBFaER9IFE=";
        endpoint = "vpn29.prd.amsterdam.ovpn.com:9930";
        allowedIPs = [ "0.0.0.0/0" ];
        # nixOS says this is important for keeping NATs active
        persistentKeepalive = 25;
      }
    ];
  };

  systemd.services.wg0veth = {
    description = "veth pair to allow communication between host and wg0 netns";
    after = [ "wireguard-wg0.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;

      ExecStart = with pkgs; writeScript "wg0veth-start" ''
        #!${bash}/bin/bash
        # create veth pair
        ${iproute2}/bin/ip link add ovpns-veth-a type veth peer name ovpns-veth-b
        ${iproute2}/bin/ip addr add 10.0.1.5/24 dev ovpns-veth-a
        ${iproute2}/bin/ip link set ovpns-veth-a up
        # mv veth-b into the ovpns namespace
        ${iproute2}/bin/ip link set ovpns-veth-b netns ovpns
        ${iproute2}/bin/ip -n ovpns addr add 10.0.1.6/24 dev ovpns-veth-b
        ${iproute2}/bin/ip -n ovpns link set ovpns-veth-b up
        # forward HTTP traffic, which we need for letsencrypt to work
        ${iproute2}/bin/ip netns exec ovpns ${socat}/bin/socat TCP4-LISTEN:80,reuseaddr,fork,su=nobody TCP4:10.0.1.5:80 &
      '';

      ExecStop = with pkgs; writeScript "wg0veth-stop" ''
        #!${bash}/bin/bash
        ${iproute2}/bin/ip -n wg0 link del ovpns-veth-b
        ${iproute2}/bin/ip link del ovpns-veth-a
      '';
    };
  };

  # HURRICANE ELECTRIC CONFIG:
  # networking.sits = {
  #   hurricane = {
  #     remote = "216.218.226.238";
  #     local = "192.168.0.5";
  #     # local = "10.0.0.5";
  #     # remote = "10.0.0.1";
  #     # local = "10.0.0.22";
  #     dev = "eth0";
  #     ttl = 255;
  #   };
  # };
  # networking.interfaces."hurricane".ipv6 = {
  #   addresses = [
  #     # mx.uninsane.org (publically routed /64)
  #     {
  #       address = "2001:470:b:465::1";
  #       prefixLength = 128;
  #     }
  #     # client addr
  #     # {
  #     #   address = "2001:470:a:466::2";
  #     #   prefixLength = 64;
  #     # }
  #   ];
  #   routes = [
  #     {
  #       address = "::";
  #       prefixLength = 0;
  #       # via = "2001:470:a:466::1";
  #     }
  #   ];
  # };

  # # after configuration, we want the hurricane device to look like this:
  # # hurricane: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1480
  # #            inet6 2001:470:a:450::2  prefixlen 64  scopeid 0x0<global>
  # #            inet6 fe80::c0a8:16  prefixlen 64  scopeid 0x20<link>
  # #            sit  txqueuelen 1000  (IPv6-in-IPv4)
  # # test with:
  # #   curl --interface hurricane http://[2607:f8b0:400a:80b::2004]
  # #   ping 2607:f8b0:400a:80b::2004
}
prototype postfix config. disabled until i configure virtual alias map 2022-04-27 08:48:40 +00:00			`{ config, pkgs, ... }:`

			`{`
			`networking.domain = "uninsane.org";`

postfix: fix DKIM signing although gmail doesn't seem to be accepting my messages yet :'( 2022-05-06 11:43:17 +00:00			`networking.firewall.enable = false;`
			`# networking.firewall.enable = true;`
enable dovecot for IMAP tested and working. still need to enable the submission service. 2022-05-07 02:25:18 +00:00			`# networking.firewall.allowedTCPPorts = [ 25 80 143 443 993 ];`
postfix: fix DKIM signing although gmail doesn't seem to be accepting my messages yet :'( 2022-05-06 11:43:17 +00:00			`# # DLNA ports: https://jellyfin.org/docs/general/networking/index.html`
			`# networking.firewall.allowedUDPPorts = [ 1900 7359 ];`
net conf: add OVPN wireguard netns i'll be migrating the postfix install to use this net namespace so that IPv4-only mailservers have a port25-unblocked IP to contact (HurricaneElectric gives a port-25 IPv6 /64 block for free, but Zoho won't send mail to it. gmail does. didn't test other providers) 2022-05-02 08:23:09 +00:00
enable transmission, protected behind rpc auth 2022-05-03 09:45:36 +00:00			`# we need to use externally-visible nameservers in order for VPNs to be able to resolve hosts.`
			`networking.nameservers = [`
			`"1.1.1.1"`
			`"9.9.9.9"`
			`];`

net conf: add OVPN wireguard netns i'll be migrating the postfix install to use this net namespace so that IPv4-only mailservers have a port25-unblocked IP to contact (HurricaneElectric gives a port-25 IPv6 /64 block for free, but Zoho won't send mail to it. gmail does. didn't test other providers) 2022-05-02 08:23:09 +00:00			`# OVPN CONFIG:`
			`# DOCS: https://nixos.wiki/wiki/WireGuard`
			`networking.wireguard.enable = true;`
			`networking.wireguard.interfaces.wg0 = {`
config: restructure config tree and file names: ``` config/ \|- services/ \|- \|- <service-name>.nix ``` 2022-05-05 23:25:15 +00:00			`privateKeyFile = "/etc/nixos/secrets/wireguard.private";`
netconf: remove old Hurricane HW addr 2022-05-02 08:44:49 +00:00			`# wg is active only in this namespace.`
			`# run e.g. ip netns ovpns <some command like ping/curl/etc, it'll go through wg>`
			`# note: without the namespace, you'll need to add a specific route through eth0 for the peer (185.157.162.7/32)`
net conf: add OVPN wireguard netns i'll be migrating the postfix install to use this net namespace so that IPv4-only mailservers have a port25-unblocked IP to contact (HurricaneElectric gives a port-25 IPv6 /64 block for free, but Zoho won't send mail to it. gmail does. didn't test other providers) 2022-05-02 08:23:09 +00:00			`interfaceNamespace = "ovpns";`
			`preSetup = "${pkgs.iproute2}/bin/ip netns add ovpns \|\| true";`
			`postShutdown = "${pkgs.iproute2}/bin/ip netns delete ovpns";`
			`ips = [`
			`"185.157.162.190/32"`
			`];`
			`peers = [`
			`{`
			`publicKey = "Qno+hILmJ8TZ6/PpOOhtspmncyILY2phiTBFaER9IFE=";`
			`endpoint = "vpn29.prd.amsterdam.ovpn.com:9930";`
netconf: remove old Hurricane HW addr 2022-05-02 08:44:49 +00:00			`allowedIPs = [ "0.0.0.0/0" ];`
net conf: add OVPN wireguard netns i'll be migrating the postfix install to use this net namespace so that IPv4-only mailservers have a port25-unblocked IP to contact (HurricaneElectric gives a port-25 IPv6 /64 block for free, but Zoho won't send mail to it. gmail does. didn't test other providers) 2022-05-02 08:23:09 +00:00			`# nixOS says this is important for keeping NATs active`
			`persistentKeepalive = 25;`
			`}`
			`];`
			`};`

net: communicate with the OVPNs network locally instead of over the public internet 2022-05-06 00:22:36 +00:00			`systemd.services.wg0veth = {`
			`description = "veth pair to allow communication between host and wg0 netns";`
			`after = [ "wireguard-wg0.service" ];`
			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig = {`
			`Type = "oneshot";`
			`RemainAfterExit = true;`

			`ExecStart = with pkgs; writeScript "wg0veth-start" ''`
			`#!${bash}/bin/bash`
			`# create veth pair`
			`${iproute2}/bin/ip link add ovpns-veth-a type veth peer name ovpns-veth-b`
			`${iproute2}/bin/ip addr add 10.0.1.5/24 dev ovpns-veth-a`
			`${iproute2}/bin/ip link set ovpns-veth-a up`
			`# mv veth-b into the ovpns namespace`
			`${iproute2}/bin/ip link set ovpns-veth-b netns ovpns`
			`${iproute2}/bin/ip -n ovpns addr add 10.0.1.6/24 dev ovpns-veth-b`
			`${iproute2}/bin/ip -n ovpns link set ovpns-veth-b up`
acme: procure a cert for mx.uninsane.org we can use this later to allow SMTPS 2022-05-07 03:24:39 +00:00			`# forward HTTP traffic, which we need for letsencrypt to work`
			`${iproute2}/bin/ip netns exec ovpns ${socat}/bin/socat TCP4-LISTEN:80,reuseaddr,fork,su=nobody TCP4:10.0.1.5:80 &`
net: communicate with the OVPNs network locally instead of over the public internet 2022-05-06 00:22:36 +00:00			`'';`

			`ExecStop = with pkgs; writeScript "wg0veth-stop" ''`
			`#!${bash}/bin/bash`
			`${iproute2}/bin/ip -n wg0 link del ovpns-veth-b`
			`${iproute2}/bin/ip link del ovpns-veth-a`
			`'';`
			`};`
			`};`

net conf: add OVPN wireguard netns i'll be migrating the postfix install to use this net namespace so that IPv4-only mailservers have a port25-unblocked IP to contact (HurricaneElectric gives a port-25 IPv6 /64 block for free, but Zoho won't send mail to it. gmail does. didn't test other providers) 2022-05-02 08:23:09 +00:00			`# HURRICANE ELECTRIC CONFIG:`
			`# networking.sits = {`
			`# hurricane = {`
			`# remote = "216.218.226.238";`
			`# local = "192.168.0.5";`
			`# # local = "10.0.0.5";`
			`# # remote = "10.0.0.1";`
			`# # local = "10.0.0.22";`
			`# dev = "eth0";`
			`# ttl = 255;`
			`# };`
			`# };`
			`# networking.interfaces."hurricane".ipv6 = {`
			`# addresses = [`
			`# # mx.uninsane.org (publically routed /64)`
			`# {`
			`# address = "2001:470:b:465::1";`
			`# prefixLength = 128;`
			`# }`
			`# # client addr`
			`# # {`
			`# # address = "2001:470:a:466::2";`
			`# # prefixLength = 64;`
			`# # }`
			`# ];`
			`# routes = [`
			`# {`
			`# address = "::";`
			`# prefixLength = 0;`
			`# # via = "2001:470:a:466::1";`
			`# }`
			`# ];`
			`# };`

			`# # after configuration, we want the hurricane device to look like this:`
			`# # hurricane: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1480`
			`# # inet6 2001:470:a:450::2 prefixlen 64 scopeid 0x0<global>`
			`# # inet6 fe80::c0a8:16 prefixlen 64 scopeid 0x20<link>`
			`# # sit txqueuelen 1000 (IPv6-in-IPv4)`
			`# # test with:`
			`# # curl --interface hurricane http://[2607:f8b0:400a:80b::2004]`
			`# # ping 2607:f8b0:400a:80b::2004`
prototype postfix config. disabled until i configure virtual alias map 2022-04-27 08:48:40 +00:00			`}`