modules/netns: rename options for better grouping

2024-11-11 02:37:00 +00:00
parent 23913c9cd2
commit 309bd04037
9 changed files with 54 additions and 47 deletions


@@ -7,15 +7,14 @@
# if the tunnel breaks, restart it manually:
# - `systemctl restart netns-doof.service`
sane.netns.doof = {
hostVethIpv4 = "10.0.2.5";
netnsVethIpv4 = "10.0.2.6";
netnsPubIpv4 = "205.201.63.12";
veth.initns.ipv4 = "10.0.2.5";
veth.netns.ipv4 = "10.0.2.6";
routeTable = 12;
wg.privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
wg.address.ipv4 = "205.201.63.12";
wg.peer.publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
# TODO: configure DNS within the doof ns and use tun-sea.doof.net endpoint
# endpoint = "tun-sea.doof.net:53263";
wg.peer.endpoint = "205.201.63.44:53263";
wg.peer.endpoint = "tun-sea.doof.net:53263";
# wg.peer.endpoint = "205.201.63.44:53263";
};
# inside doof, forward DNS requests back to the root machine
@@ -23,5 +22,5 @@
# and we're not forwarding external DNS requests here
# XXX: ACTUALLY, CAN'T EASILY DO THAT BECAUSE HICKORY-DNS IS ALREADY USING PORT 53
# TODO: have `sane.netns` resolve the wg endpoint before connecting to it
# sane.netns.doof.dns = config.sane.netns.doof.netnsVethIpv4;
# sane.netns.doof.dns = config.sane.netns.doof.veth.netns.ipv4;
}
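Review bot: The `wg.peer.endpoint` line changes from `205.201.63.44:53263` to `tun-sea.doof.net:53263`, a behavioural change that the commit title (a rename) does not announce, while the TODO two lines above still states that DNS is not configured inside the doof namespace; if the endpoint is applied from inside the namespace, that hostname has no resolver to use until the tunnel is up. The `wg set` invocation that applies the peer endpoint is outside this hunk, so I cannot confirm which namespace it runs in; the second hunk's TODO (`have sane.netns resolve the wg endpoint before connecting to it`) suggests the author is aware of the gap. The same switch to a hostname appears in the ovpns file section below. Either keep the IP as the primary endpoint until that TODO is done, or reword the TODO to state that resolution currently happens wherever the peer is configured and how a failure shows up. The `sane.netns.doof` attribute set closes inside the hunk, but the enclosing module expression continues outside it.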


@@ -6,15 +6,14 @@
# OVPN CONFIG (https://www.ovpn.com):
# DOCS: https://nixos.wiki/wiki/WireGuard
sane.netns.ovpns = {
hostVethIpv4 = "10.0.1.5";
netnsVethIpv4 = "10.0.1.6";
netnsPubIpv4 = "185.157.162.178";
veth.initns.ipv4 = "10.0.1.5";
veth.netns.ipv4 = "10.0.1.6";
routeTable = 11;
dns = "46.227.67.134"; #< DNS requests inside the namespace are forwarded here
wg.privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
wg.address.ipv4 = "185.157.162.178";
wg.peer.publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs=";
# alternatively: use hostname, but that presents bootstrapping issues
# endpoint = "vpn36.prd.amsterdam.ovpn.com:9930";
wg.peer.endpoint = "185.157.162.10:9930";
wg.peer.endpoint = "vpn36.prd.amsterdam.ovpn.com:9930";
# wg.peer.endpoint = "185.157.162.10:9930";
};
}
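Review bot: The comment `# alternatively: use hostname, but that presents bootstrapping issues` is now stale: the `wg.peer.endpoint` line below it adopts `vpn36.prd.amsterdam.ovpn.com:9930` while the comment still argues against doing so, and the old IP survives only as a commented-out line. Reword it to describe the current state, e.g. `# hostname endpoint: name resolution must work at the time the peer is configured; IP fallback kept below`. If the bootstrapping concern still holds, the commit should say why it is acceptable now rather than leaving the two statements in conflict. The `sane.netns.ovpns` attribute set closes inside the hunk; the enclosing expression continues outside it.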


@@ -129,11 +129,11 @@ in
"verbose"
# "Verbose" #< even MORE verbosity than "verbose" (it's TOO MUCH verbosity really)
"no-multicast-peers" # disables sending to IPv4 broadcast addresses (e.g. 224.0.0.0/3)
# "listening-ip=${config.sane.netns.ovpns.hostVethIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}" #< 2024/04/25: works, if running in root namespace
"listening-ip=${config.sane.netns.ovpns.netnsPubIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}"
# "listening-ip=${config.sane.netns.ovpns.veth.initns.ipv4}" "external-ip=${config.sane.netns.ovpns.wg.address.ipv4}" #< 2024/04/25: works, if running in root namespace
"listening-ip=${config.sane.netns.ovpns.wg.address.ipv4}" "external-ip=${config.sane.netns.ovpns.wg.address.ipv4}"
# old attempts:
# "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}/${config.sane.netns.ovpns.hostVethIpv4}"
# "external-ip=${config.sane.netns.ovpns.wg.address.ipv4}/${config.sane.netns.ovpns.veth.initns.ipv4}"
# "listening-ip=10.78.79.51" # can be specified multiple times; omit for *
# "external-ip=97.113.128.229/10.78.79.51"
# "external-ip=97.113.128.229"


@@ -102,14 +102,14 @@ in
}
{
# binding this means any doof client can connect (TLS only)
address = config.sane.netns.doof.hostVethIpv4;
address = config.sane.netns.doof.veth.initns.ipv4;
port = 990;
debug = true;
tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
}
{
# binding this means any LAN client can connect via `ftp.uninsane.org` (TLS only)
address = config.sane.netns.doof.netnsPubIpv4;
address = config.sane.netns.doof.wg.address.ipv4;
port = 990;
debug = true;
tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.


@@ -86,9 +86,9 @@ in
sane.services.hickory-dns.enable = true;
sane.services.hickory-dns.instances = let
mkSubstitutions = flavor: {
"%ADOOF%" = config.sane.netns.doof.netnsPubIpv4;
"%ADOOF%" = config.sane.netns.doof.wg.address.ipv4;
"%ANATIVE%" = nativeAddrs."servo.${flavor}";
"%AOVPNS%" = config.sane.netns.ovpns.netnsPubIpv4;
"%AOVPNS%" = config.sane.netns.ovpns.wg.address.ipv4;
"%AWAN%" = "$(cat '${dyn-dns.ipPath}')";
"%CNAMENATIVE%" = "servo.${flavor}";
};
@@ -97,10 +97,10 @@ in
doof = {
substitutions = mkSubstitutions "doof";
listenAddrsIpv4 = [
config.sane.netns.doof.hostVethIpv4
config.sane.netns.doof.netnsPubIpv4
config.sane.netns.doof.veth.initns.ipv4
config.sane.netns.doof.wg.address.ipv4
nativeAddrs."servo.lan"
# config.sane.netns.ovpns.hostVethIpv4
# config.sane.netns.ovpns.veth.initns.ipv4
];
};
# hn = {


@@ -13,7 +13,10 @@ in
# run this behind the OVPN static VPN
sane.netns.ovpns.services = [ "jackett" ];
systemd.services.jackett = {
serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
serviceConfig.ExecStartPre = [
# abort if public IP is not as expected
"${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.wg.address.ipv4}"
];
# patch in `--ListenPublic` so that it's reachable from the netns veth.
# this also makes it reachable from the VPN pub address. oh well.
serviceConfig.ExecStart = lib.mkForce "${lib.getExe' cfg.package "Jackett"} --ListenPublic --NoUpdates --DataFolder '${cfg.dataDir}'";
@@ -53,7 +56,7 @@ in
enableACME = true;
# inherit kTLS;
locations."/" = {
proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9117";
proxyPass = "http://${config.sane.netns.ovpns.veth.netns.ipv4}:9117";
recommendedProxySettings = true;
};
locations."= /robots.txt".extraConfig = ''


@@ -34,7 +34,7 @@
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:5030";
proxyPass = "http://${config.sane.netns.ovpns.veth.netns.ipv4}:5030";
proxyWebsockets = true;
};
};
@@ -73,7 +73,10 @@
systemd.services.slskd = {
# run this behind the OVPN static VPN
serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
serviceConfig.ExecStartPre = [
# abort if public IP is not as expected
"${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.wg.address.ipv4}"
];
serviceConfig.Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server
serviceConfig.RestartSec = "60s";


@@ -58,8 +58,8 @@ in
# DOCUMENTATION/options list: <https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md#options>
# message-level = 3; #< enable for debug logging. 0-3, default is 2.
# ovpns.netnsVethIpv4 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
rpc-bind-address = config.sane.netns.ovpns.netnsVethIpv4;
# ovpns.veth.netns.ipv4 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
rpc-bind-address = config.sane.netns.ovpns.veth.netns.ipv4;
#rpc-host-whitelist = "bt.uninsane.org";
#rpc-whitelist = "*.*.*.*";
rpc-authentication-required = true;
@@ -70,7 +70,7 @@ in
rpc-whitelist-enabled = false;
# force behind ovpns in case the NetworkNamespace fails somehow
bind-address-ipv4 = config.sane.netns.ovpns.netnsPubIpv4;
bind-address-ipv4 = config.sane.netns.ovpns.wg.address.ipv4;
port-forwarding-enabled = false;
# hopefully, make the downloads world-readable
@@ -111,7 +111,10 @@ in
sane.netns.ovpns.services = [ "transmission" ];
systemd.services.transmission = {
environment.TR_DEBUG = "1";
serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
serviceConfig.ExecStartPre = [
# abort if public IP is not as expected
"${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.wg.address.ipv4}"
];
serviceConfig.Restart = "on-failure";
serviceConfig.RestartSec = "30s";
@@ -155,7 +158,7 @@ in
# inherit kTLS;
locations."/" = {
# proxyPass = "http://ovpns.uninsane.org:9091";
proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9091";
proxyPass = "http://${config.sane.netns.ovpns.veth.netns.ipv4}:9091";
};
};


@@ -11,13 +11,10 @@ let
type = types.str;
default = "1.1.1.1";
};
hostVethIpv4 = mkOption {
veth.initns.ipv4 = mkOption {
type = types.str;
};
netnsVethIpv4 = mkOption {
type = types.str;
};
netnsPubIpv4 = mkOption {
veth.netns.ipv4 = mkOption {
type = types.str;
};
routeTable = mkOption {
@@ -30,6 +27,9 @@ let
wg.privateKeyFile = mkOption {
type = types.path;
};
wg.address.ipv4 = mkOption {
type = types.str;
};
wg.peer.publicKey = mkOption {
type = types.str;
};
@@ -86,21 +86,21 @@ let
# - iptables primer: <https://danielmiessler.com/study/iptables/>
# create veth pair
${ip} link add ${name}-veth-a type veth peer name ${name}-veth-b || echo "${name}-veth-{a,b} aleady exists"
${ip} addr add ${hostVethIpv4}/24 dev ${name}-veth-a || echo "${name}-veth-a aleady has IP address"
${ip} addr add ${veth.initns.ipv4}/24 dev ${name}-veth-a || echo "${name}-veth-a aleady has IP address"
${ip} link set ${name}-veth-a up
# move veth-b into the namespace
${ip} link set ${name}-veth-b netns ${name} || echo "${name}-veth-b was already moved into its netns"
${in-ns} ${ip} addr add ${netnsVethIpv4}/24 dev ${name}-veth-b || echo "${name}-veth-b aleady has IP address"
${in-ns} ${ip} addr add ${veth.netns.ipv4}/24 dev ${name}-veth-b || echo "${name}-veth-b aleady has IP address"
${in-ns} ${ip} link set ${name}-veth-b up
# make it so traffic originating from the host side of the veth
# is sent over the veth no matter its destination.
${ip} rule add from ${hostVethIpv4} lookup ${name} pref 50 || echo "${name} already has ip rules (pref 50)"
${ip} rule add from ${veth.initns.ipv4} lookup ${name} pref 50 || echo "${name} already has ip rules (pref 50)"
# for traffic originating at the host veth to the WAN, use the veth as our gateway
# not sure if the metric 1002 matters.
${ip} route add default via ${netnsVethIpv4} dev ${name}-veth-a proto kernel src ${hostVethIpv4} metric 1002 table ${name} || \
${ip} route add default via ${veth.netns.ipv4} dev ${name}-veth-a proto kernel src ${veth.initns.ipv4} metric 1002 table ${name} || \
echo "${name} already has default route"
# give the default route lower priority
${ip} rule add from all lookup local pref 100 || echo "${name}: already has ip rules (pref 100)"
@@ -110,8 +110,8 @@ let
"-${in-ns} ${ip} link del ${name}-veth-b"
"-${ip} link del ${name}-veth-a"
# restore rules/routes
"-${ip} rule del from ${hostVethIpv4} lookup ${name} pref 50"
"-${ip} route del default via ${netnsVethIpv4} dev ${name}-veth-a proto kernel src ${hostVethIpv4} metric 1002 table ${name}"
"-${ip} rule del from ${veth.initns.ipv4} lookup ${name} pref 50"
"-${ip} route del default via ${veth.netns.ipv4} dev ${name}-veth-a proto kernel src ${veth.initns.ipv4} metric 1002 table ${name}"
# FIXME: if there are other net namespaces active, changing the prefs here may break those!
"-${ip} rule add from all lookup local pref 0"
"-${ip} rule del from all lookup local pref 100"
@@ -133,8 +133,8 @@ let
config.sane.ports.ports
;
bridgePort = port: proto: ''
${iptables} -A PREROUTING -t nat -p ${proto} --dport ${port} -m iprange --dst-range ${netnsPubIpv4} \
-j DNAT --to-destination ${hostVethIpv4}
${iptables} -A PREROUTING -t nat -p ${proto} --dport ${port} -m iprange --dst-range ${wg.address.ipv4} \
-j DNAT --to-destination ${veth.initns.ipv4}
'';
bridgeStatements = lib.foldlAttrs
(acc: port: portCfg: acc ++ (builtins.map (bridgePort port) portCfg.protocol))
@@ -193,7 +193,7 @@ let
${ip} link set wg-${name} netns ${name}
${in-ns} ${wg'} set wg-${name} private-key ${wg.privateKeyFile}
${in-ns} ${ip} address add ${netnsPubIpv4} dev wg-${name}
${in-ns} ${ip} address add ${wg.address.ipv4} dev wg-${name}
${in-ns} ${ip} link set up dev wg-${name}
# in the namespace, make this device the default route
@@ -237,7 +237,7 @@ let
# abort if public IP is not as expected.
# copy this snippet to the service definition site if you want it: it has to be defined as close to the service definition as possible to be useful
# serviceConfig.ExecStartPre = [
# "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${opts.netnsPubIpv4}"
# "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${opts.address.ipv4}"
# ];
}))
];
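Review bot: The copy-paste snippet in the last hunk interpolates `${opts.address.ipv4}`, but the option declared in the second hunk is `wg.address.ipv4`, so anyone copying it as the comment instructs gets a missing-attribute evaluation error; it should read `"${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${opts.wg.address.ipv4}"`, matching the three service files in this commit. The interpolations `${veth.initns.ipv4}`, `${veth.netns.ipv4}` and `${wg.address.ipv4}` in the shell hunks assume `veth` and `wg` are bound in the enclosing `let`, which lies outside every hunk shown here; worth confirming that binding was updated with the option rename, since Nix resolves these at evaluation time and a stale name fails the build rather than the tunnel. The DNAT rule in the `bridgePort` hunk still matches on the WireGuard address and forwards to the init-namespace veth address, the same pair as before under new names, so that hunk carries no behavioural change.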