modules/netns: rename options for better grouping
@@ -7,15 +7,14 @@
|
||||
# if the tunnel breaks, restart it manually:
|
||||
# - `systemctl restart netns-doof.service`
|
||||
sane.netns.doof = {
|
||||
hostVethIpv4 = "10.0.2.5";
|
||||
netnsVethIpv4 = "10.0.2.6";
|
||||
netnsPubIpv4 = "205.201.63.12";
|
||||
veth.initns.ipv4 = "10.0.2.5";
|
||||
veth.netns.ipv4 = "10.0.2.6";
|
||||
routeTable = 12;
|
||||
wg.privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
|
||||
wg.address.ipv4 = "205.201.63.12";
|
||||
wg.peer.publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
|
||||
# TODO: configure DNS within the doof ns and use tun-sea.doof.net endpoint
|
||||
# endpoint = "tun-sea.doof.net:53263";
|
||||
wg.peer.endpoint = "205.201.63.44:53263";
|
||||
wg.peer.endpoint = "tun-sea.doof.net:53263";
|
||||
# wg.peer.endpoint = "205.201.63.44:53263";
|
||||
};
|
||||
|
||||
# inside doof, forward DNS requests back to the root machine
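Review bot: Besides the rename, this hunk appears to switch `wg.peer.endpoint` from the IP literal to the hostname `tun-sea.doof.net:53263` (the old `# endpoint = ...` comment becomes the live line and the literal becomes the comment, if I have the sides right; the ovpns hunk at `@@ -6,15 +6,14 @@` makes the same swap to `vpn36.prd.amsterdam.ovpn.com:9930`). That is a behavior change inside a commit titled as a rename, and it drops the old `# alternatively: use hostname, but that presents bootstrapping issues` note, so the reason the literal was chosen is lost while the TODO in the next hunk says endpoint resolution inside the namespace is still unsolved. The name is resolved before the tunnel exists, so it depends on whatever resolver the namespace can reach at that moment; the pinned `wg.peer.publicKey` is what turns a wrong answer into a failed handshake rather than a silent redirect, and that is worth stating next to the value. I would mention the endpoint change in the commit message and keep a one-line comment on the endpoint, e.g. `# hostname is resolved before the tunnel is up; wg.peer.publicKey pins the peer, so a bad answer fails the handshake instead of connecting elsewhere`.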
|
||||
@@ -23,5 +22,5 @@
|
||||
# and we're not forwarding external DNS requests here
|
||||
# XXX: ACTUALLY, CAN'T EASILY DO THAT BECAUSE HICKORY-DNS IS ALREADY USING PORT 53
|
||||
# TODO: have `sane.netns` resolve the wg endpoint before connecting to it
|
||||
# sane.netns.doof.dns = config.sane.netns.doof.netnsVethIpv4;
|
||||
# sane.netns.doof.dns = config.sane.netns.doof.veth.netns.ipv4;
|
||||
}
|
||||
|
@@ -6,15 +6,14 @@
|
||||
# OVPN CONFIG (https://www.ovpn.com):
|
||||
# DOCS: https://nixos.wiki/wiki/WireGuard
|
||||
sane.netns.ovpns = {
|
||||
hostVethIpv4 = "10.0.1.5";
|
||||
netnsVethIpv4 = "10.0.1.6";
|
||||
netnsPubIpv4 = "185.157.162.178";
|
||||
veth.initns.ipv4 = "10.0.1.5";
|
||||
veth.netns.ipv4 = "10.0.1.6";
|
||||
routeTable = 11;
|
||||
dns = "46.227.67.134"; #< DNS requests inside the namespace are forwarded here
|
||||
wg.privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
|
||||
wg.address.ipv4 = "185.157.162.178";
|
||||
wg.peer.publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs=";
|
||||
# alternatively: use hostname, but that presents bootstrapping issues
|
||||
# endpoint = "vpn36.prd.amsterdam.ovpn.com:9930";
|
||||
wg.peer.endpoint = "185.157.162.10:9930";
|
||||
wg.peer.endpoint = "vpn36.prd.amsterdam.ovpn.com:9930";
|
||||
# wg.peer.endpoint = "185.157.162.10:9930";
|
||||
};
|
||||
}
|
||||
|
@@ -129,11 +129,11 @@ in
|
||||
"verbose"
|
||||
# "Verbose" #< even MORE verbosity than "verbose" (it's TOO MUCH verbosity really)
|
||||
"no-multicast-peers" # disables sending to IPv4 broadcast addresses (e.g. 224.0.0.0/3)
|
||||
# "listening-ip=${config.sane.netns.ovpns.hostVethIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}" #< 2024/04/25: works, if running in root namespace
|
||||
"listening-ip=${config.sane.netns.ovpns.netnsPubIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}"
|
||||
# "listening-ip=${config.sane.netns.ovpns.veth.initns.ipv4}" "external-ip=${config.sane.netns.ovpns.wg.address.ipv4}" #< 2024/04/25: works, if running in root namespace
|
||||
"listening-ip=${config.sane.netns.ovpns.wg.address.ipv4}" "external-ip=${config.sane.netns.ovpns.wg.address.ipv4}"
|
||||
|
||||
# old attempts:
|
||||
# "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}/${config.sane.netns.ovpns.hostVethIpv4}"
|
||||
# "external-ip=${config.sane.netns.ovpns.wg.address.ipv4}/${config.sane.netns.ovpns.veth.initns.ipv4}"
|
||||
# "listening-ip=10.78.79.51" # can be specified multiple times; omit for *
|
||||
# "external-ip=97.113.128.229/10.78.79.51"
|
||||
# "external-ip=97.113.128.229"
|
||||
|
@@ -102,14 +102,14 @@ in
|
||||
}
|
||||
{
|
||||
# binding this means any doof client can connect (TLS only)
|
||||
address = config.sane.netns.doof.hostVethIpv4;
|
||||
address = config.sane.netns.doof.veth.initns.ipv4;
|
||||
port = 990;
|
||||
debug = true;
|
||||
tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
|
||||
}
|
||||
{
|
||||
# binding this means any LAN client can connect via `ftp.uninsane.org` (TLS only)
|
||||
address = config.sane.netns.doof.netnsPubIpv4;
|
||||
address = config.sane.netns.doof.wg.address.ipv4;
|
||||
port = 990;
|
||||
debug = true;
|
||||
tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
|
||||
|
@@ -86,9 +86,9 @@ in
|
||||
sane.services.hickory-dns.enable = true;
|
||||
sane.services.hickory-dns.instances = let
|
||||
mkSubstitutions = flavor: {
|
||||
"%ADOOF%" = config.sane.netns.doof.netnsPubIpv4;
|
||||
"%ADOOF%" = config.sane.netns.doof.wg.address.ipv4;
|
||||
"%ANATIVE%" = nativeAddrs."servo.${flavor}";
|
||||
"%AOVPNS%" = config.sane.netns.ovpns.netnsPubIpv4;
|
||||
"%AOVPNS%" = config.sane.netns.ovpns.wg.address.ipv4;
|
||||
"%AWAN%" = "$(cat '${dyn-dns.ipPath}')";
|
||||
"%CNAMENATIVE%" = "servo.${flavor}";
|
||||
};
|
||||
@@ -97,10 +97,10 @@ in
|
||||
doof = {
|
||||
substitutions = mkSubstitutions "doof";
|
||||
listenAddrsIpv4 = [
|
||||
config.sane.netns.doof.hostVethIpv4
|
||||
config.sane.netns.doof.netnsPubIpv4
|
||||
config.sane.netns.doof.veth.initns.ipv4
|
||||
config.sane.netns.doof.wg.address.ipv4
|
||||
nativeAddrs."servo.lan"
|
||||
# config.sane.netns.ovpns.hostVethIpv4
|
||||
# config.sane.netns.ovpns.veth.initns.ipv4
|
||||
];
|
||||
};
|
||||
# hn = {
|
||||
|
@@ -13,7 +13,10 @@ in
|
||||
# run this behind the OVPN static VPN
|
||||
sane.netns.ovpns.services = [ "jackett" ];
|
||||
systemd.services.jackett = {
|
||||
serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
|
||||
serviceConfig.ExecStartPre = [
|
||||
# abort if public IP is not as expected
|
||||
"${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.wg.address.ipv4}"
|
||||
];
|
||||
# patch in `--ListenPublic` so that it's reachable from the netns veth.
|
||||
# this also makes it reachable from the VPN pub address. oh well.
|
||||
serviceConfig.ExecStart = lib.mkForce "${lib.getExe' cfg.package "Jackett"} --ListenPublic --NoUpdates --DataFolder '${cfg.dataDir}'";
|
||||
@@ -53,7 +56,7 @@ in
|
||||
enableACME = true;
|
||||
# inherit kTLS;
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9117";
|
||||
proxyPass = "http://${config.sane.netns.ovpns.veth.netns.ipv4}:9117";
|
||||
recommendedProxySettings = true;
|
||||
};
|
||||
locations."= /robots.txt".extraConfig = ''
|
||||
|
@@ -34,7 +34,7 @@
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:5030";
|
||||
proxyPass = "http://${config.sane.netns.ovpns.veth.netns.ipv4}:5030";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
@@ -73,7 +73,10 @@
|
||||
systemd.services.slskd = {
|
||||
# run this behind the OVPN static VPN
|
||||
serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
|
||||
serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
|
||||
serviceConfig.ExecStartPre = [
|
||||
# abort if public IP is not as expected
|
||||
"${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.wg.address.ipv4}"
|
||||
];
|
||||
|
||||
serviceConfig.Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server
|
||||
serviceConfig.RestartSec = "60s";
|
||||
|
@@ -58,8 +58,8 @@ in
|
||||
# DOCUMENTATION/options list: <https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md#options>
|
||||
|
||||
# message-level = 3; #< enable for debug logging. 0-3, default is 2.
|
||||
# ovpns.netnsVethIpv4 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
|
||||
rpc-bind-address = config.sane.netns.ovpns.netnsVethIpv4;
|
||||
# ovpns.veth.netns.ipv4 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
|
||||
rpc-bind-address = config.sane.netns.ovpns.veth.netns.ipv4;
|
||||
#rpc-host-whitelist = "bt.uninsane.org";
|
||||
#rpc-whitelist = "*.*.*.*";
|
||||
rpc-authentication-required = true;
|
||||
@@ -70,7 +70,7 @@ in
|
||||
rpc-whitelist-enabled = false;
|
||||
|
||||
# force behind ovpns in case the NetworkNamespace fails somehow
|
||||
bind-address-ipv4 = config.sane.netns.ovpns.netnsPubIpv4;
|
||||
bind-address-ipv4 = config.sane.netns.ovpns.wg.address.ipv4;
|
||||
port-forwarding-enabled = false;
|
||||
|
||||
# hopefully, make the downloads world-readable
|
||||
@@ -111,7 +111,10 @@ in
|
||||
sane.netns.ovpns.services = [ "transmission" ];
|
||||
systemd.services.transmission = {
|
||||
environment.TR_DEBUG = "1";
|
||||
serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
|
||||
serviceConfig.ExecStartPre = [
|
||||
# abort if public IP is not as expected
|
||||
"${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.wg.address.ipv4}"
|
||||
];
|
||||
|
||||
serviceConfig.Restart = "on-failure";
|
||||
serviceConfig.RestartSec = "30s";
|
||||
@@ -155,7 +158,7 @@ in
|
||||
# inherit kTLS;
|
||||
locations."/" = {
|
||||
# proxyPass = "http://ovpns.uninsane.org:9091";
|
||||
proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9091";
|
||||
proxyPass = "http://${config.sane.netns.ovpns.veth.netns.ipv4}:9091";
|
||||
};
|
||||
};
|
||||
|
||||
|
@@ -11,13 +11,10 @@ let
|
||||
type = types.str;
|
||||
default = "1.1.1.1";
|
||||
};
|
||||
hostVethIpv4 = mkOption {
|
||||
veth.initns.ipv4 = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
netnsVethIpv4 = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
netnsPubIpv4 = mkOption {
|
||||
veth.netns.ipv4 = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
routeTable = mkOption {
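Review bot: The new `veth.initns.ipv4` and `veth.netns.ipv4` options (and `wg.address.ipv4` in `@@ -30,6 +27,9 @@`) are declared as bare `types.str` with no `description`, so which end of the veth each one lands on is only discoverable from the setup script further down, where `veth.initns.ipv4` is assigned to `${name}-veth-a` in the init namespace, `veth.netns.ipv4` to `${name}-veth-b` inside it, and `wg.address.ipv4` to `wg-${name}` inside it. Since the rename is meant to improve grouping, this is the place to add a `description` to each, e.g. `description = "IPv4 address of the init-namespace end of the veth pair (the -veth-a device)";`. Optionally, because these values are interpolated straight into `ip addr add`/`ip route add` shell lines, `types.strMatching` with a dotted-quad pattern would reject a malformed value at evaluation time instead of at service start. The option set is cut at the hunk edges on both sides.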
|
||||
@@ -30,6 +27,9 @@ let
|
||||
wg.privateKeyFile = mkOption {
|
||||
type = types.path;
|
||||
};
|
||||
wg.address.ipv4 = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
wg.peer.publicKey = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
@@ -86,21 +86,21 @@ let
|
||||
# - iptables primer: <https://danielmiessler.com/study/iptables/>
|
||||
# create veth pair
|
||||
${ip} link add ${name}-veth-a type veth peer name ${name}-veth-b || echo "${name}-veth-{a,b} aleady exists"
|
||||
${ip} addr add ${hostVethIpv4}/24 dev ${name}-veth-a || echo "${name}-veth-a aleady has IP address"
|
||||
${ip} addr add ${veth.initns.ipv4}/24 dev ${name}-veth-a || echo "${name}-veth-a aleady has IP address"
|
||||
${ip} link set ${name}-veth-a up
|
||||
|
||||
# move veth-b into the namespace
|
||||
${ip} link set ${name}-veth-b netns ${name} || echo "${name}-veth-b was already moved into its netns"
|
||||
${in-ns} ${ip} addr add ${netnsVethIpv4}/24 dev ${name}-veth-b || echo "${name}-veth-b aleady has IP address"
|
||||
${in-ns} ${ip} addr add ${veth.netns.ipv4}/24 dev ${name}-veth-b || echo "${name}-veth-b aleady has IP address"
|
||||
${in-ns} ${ip} link set ${name}-veth-b up
|
||||
|
||||
# make it so traffic originating from the host side of the veth
|
||||
# is sent over the veth no matter its destination.
|
||||
${ip} rule add from ${hostVethIpv4} lookup ${name} pref 50 || echo "${name} already has ip rules (pref 50)"
|
||||
${ip} rule add from ${veth.initns.ipv4} lookup ${name} pref 50 || echo "${name} already has ip rules (pref 50)"
|
||||
|
||||
# for traffic originating at the host veth to the WAN, use the veth as our gateway
|
||||
# not sure if the metric 1002 matters.
|
||||
${ip} route add default via ${netnsVethIpv4} dev ${name}-veth-a proto kernel src ${hostVethIpv4} metric 1002 table ${name} || \
|
||||
${ip} route add default via ${veth.netns.ipv4} dev ${name}-veth-a proto kernel src ${veth.initns.ipv4} metric 1002 table ${name} || \
|
||||
echo "${name} already has default route"
|
||||
# give the default route lower priority
|
||||
${ip} rule add from all lookup local pref 100 || echo "${name}: already has ip rules (pref 100)"
|
||||
@@ -110,8 +110,8 @@ let
|
||||
"-${in-ns} ${ip} link del ${name}-veth-b"
|
||||
"-${ip} link del ${name}-veth-a"
|
||||
# restore rules/routes
|
||||
"-${ip} rule del from ${hostVethIpv4} lookup ${name} pref 50"
|
||||
"-${ip} route del default via ${netnsVethIpv4} dev ${name}-veth-a proto kernel src ${hostVethIpv4} metric 1002 table ${name}"
|
||||
"-${ip} rule del from ${veth.initns.ipv4} lookup ${name} pref 50"
|
||||
"-${ip} route del default via ${veth.netns.ipv4} dev ${name}-veth-a proto kernel src ${veth.initns.ipv4} metric 1002 table ${name}"
|
||||
# FIXME: if there are other net namespaces active, changing the prefs here may break those!
|
||||
"-${ip} rule add from all lookup local pref 0"
|
||||
"-${ip} rule del from all lookup local pref 100"
|
||||
@@ -133,8 +133,8 @@ let
|
||||
config.sane.ports.ports
|
||||
;
|
||||
bridgePort = port: proto: ''
|
||||
${iptables} -A PREROUTING -t nat -p ${proto} --dport ${port} -m iprange --dst-range ${netnsPubIpv4} \
|
||||
-j DNAT --to-destination ${hostVethIpv4}
|
||||
${iptables} -A PREROUTING -t nat -p ${proto} --dport ${port} -m iprange --dst-range ${wg.address.ipv4} \
|
||||
-j DNAT --to-destination ${veth.initns.ipv4}
|
||||
'';
|
||||
bridgeStatements = lib.foldlAttrs
|
||||
(acc: port: portCfg: acc ++ (builtins.map (bridgePort port) portCfg.protocol))
|
||||
@@ -193,7 +193,7 @@ let
|
||||
${ip} link set wg-${name} netns ${name}
|
||||
|
||||
${in-ns} ${wg'} set wg-${name} private-key ${wg.privateKeyFile}
|
||||
${in-ns} ${ip} address add ${netnsPubIpv4} dev wg-${name}
|
||||
${in-ns} ${ip} address add ${wg.address.ipv4} dev wg-${name}
|
||||
${in-ns} ${ip} link set up dev wg-${name}
|
||||
|
||||
# in the namespace, make this device the default route
|
||||
@@ -237,7 +237,7 @@ let
|
||||
# abort if public IP is not as expected.
|
||||
# copy this snippet to the service definition site if you want it: it has to be defined as close to the service definition as possible to be useful
|
||||
# serviceConfig.ExecStartPre = [
|
||||
# "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${opts.netnsPubIpv4}"
|
||||
# "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${opts.address.ipv4}"
|
||||
# ];
|
||||
}))
|
||||
];
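Review bot: The updated reference snippet reads `${opts.address.ipv4}`, but the option this commit introduces is `wg.address.ipv4`, and every live `--expect` call site in the commit (jackett, slskd, transmission) uses `config.sane.netns.ovpns.wg.address.ipv4`. Because the snippet is commented out, evaluation will never catch the mismatch, and the comment above it invites copying it to the service definition site, so it is likely to be pasted verbatim. Assuming `opts` stands for the per-namespace option set, the line should be `# "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${opts.wg.address.ipv4}"`. The enclosing expression starts before this hunk.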
|
||||
|