modules/netns: rename options for better grouping
@@ -7,15 +7,14 @@
|
|||||||
# if the tunnel breaks, restart it manually:
|
# if the tunnel breaks, restart it manually:
|
||||||
# - `systemctl restart netns-doof.service`
|
# - `systemctl restart netns-doof.service`
|
||||||
sane.netns.doof = {
|
sane.netns.doof = {
|
||||||
hostVethIpv4 = "10.0.2.5";
|
veth.initns.ipv4 = "10.0.2.5";
|
||||||
netnsVethIpv4 = "10.0.2.6";
|
veth.netns.ipv4 = "10.0.2.6";
|
||||||
netnsPubIpv4 = "205.201.63.12";
|
|
||||||
routeTable = 12;
|
routeTable = 12;
|
||||||
wg.privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
|
wg.privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
|
||||||
|
wg.address.ipv4 = "205.201.63.12";
|
||||||
wg.peer.publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
|
wg.peer.publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
|
||||||
# TODO: configure DNS within the doof ns and use tun-sea.doof.net endpoint
|
wg.peer.endpoint = "tun-sea.doof.net:53263";
|
||||||
# endpoint = "tun-sea.doof.net:53263";
|
# wg.peer.endpoint = "205.201.63.44:53263";
|
||||||
wg.peer.endpoint = "205.201.63.44:53263";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# inside doof, forward DNS requests back to the root machine
|
# inside doof, forward DNS requests back to the root machine
|
||||||
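Review bot: The `wg.peer.endpoint` for the doof namespace is switched from the literal `205.201.63.44:53263` to the hostname `tun-sea.doof.net:53263`, which is a behavioural change hidden under a "rename options" title; the ovpns hunk (`@@ -6,15 +6,14 @@`) does the same with `vpn36.prd.amsterdam.ovpn.com:9930` and drops the comment that hostnames "present bootstrapping issues". wireguard-tools resolves an endpoint hostname once, when the peer is configured, and the visible `${in-ns} ${wg'} set wg-${name} …` line suggests peer setup runs inside the namespace, where this file's own comments say DNS is not yet forwarded (the `sane.netns.doof.dns` line stays commented out and the TODO to "resolve the wg endpoint before connecting" remains). A failed lookup cannot redirect the tunnel to an impostor, because the peer is pinned by `wg.peer.publicKey`, but it can keep the tunnel from coming up at all, after which the `ip-check --expect` guards correctly refuse to start the services. Either keep the literal `wg.peer.endpoint = "205.201.63.44:53263";` active until that TODO is resolved, or say in the commit message that the endpoint switch is intentional and has been tested from a cold boot.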
@@ -23,5 +22,5 @@
|
|||||||
# and we're not forwarding external DNS requests here
|
# and we're not forwarding external DNS requests here
|
||||||
# XXX: ACTUALLY, CAN'T EASILY DO THAT BECAUSE HICKORY-DNS IS ALREADY USING PORT 53
|
# XXX: ACTUALLY, CAN'T EASILY DO THAT BECAUSE HICKORY-DNS IS ALREADY USING PORT 53
|
||||||
# TODO: have `sane.netns` resolve the wg endpoint before connecting to it
|
# TODO: have `sane.netns` resolve the wg endpoint before connecting to it
|
||||||
# sane.netns.doof.dns = config.sane.netns.doof.netnsVethIpv4;
|
# sane.netns.doof.dns = config.sane.netns.doof.veth.netns.ipv4;
|
||||||
}
|
}
|
||||||
|
@@ -6,15 +6,14 @@
|
|||||||
# OVPN CONFIG (https://www.ovpn.com):
|
# OVPN CONFIG (https://www.ovpn.com):
|
||||||
# DOCS: https://nixos.wiki/wiki/WireGuard
|
# DOCS: https://nixos.wiki/wiki/WireGuard
|
||||||
sane.netns.ovpns = {
|
sane.netns.ovpns = {
|
||||||
hostVethIpv4 = "10.0.1.5";
|
veth.initns.ipv4 = "10.0.1.5";
|
||||||
netnsVethIpv4 = "10.0.1.6";
|
veth.netns.ipv4 = "10.0.1.6";
|
||||||
netnsPubIpv4 = "185.157.162.178";
|
|
||||||
routeTable = 11;
|
routeTable = 11;
|
||||||
dns = "46.227.67.134"; #< DNS requests inside the namespace are forwarded here
|
dns = "46.227.67.134"; #< DNS requests inside the namespace are forwarded here
|
||||||
wg.privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
|
wg.privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
|
||||||
|
wg.address.ipv4 = "185.157.162.178";
|
||||||
wg.peer.publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs=";
|
wg.peer.publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs=";
|
||||||
# alternatively: use hostname, but that presents bootstrapping issues
|
wg.peer.endpoint = "vpn36.prd.amsterdam.ovpn.com:9930";
|
||||||
# endpoint = "vpn36.prd.amsterdam.ovpn.com:9930";
|
# wg.peer.endpoint = "185.157.162.10:9930";
|
||||||
wg.peer.endpoint = "185.157.162.10:9930";
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@@ -129,11 +129,11 @@ in
|
|||||||
"verbose"
|
"verbose"
|
||||||
# "Verbose" #< even MORE verbosity than "verbose" (it's TOO MUCH verbosity really)
|
# "Verbose" #< even MORE verbosity than "verbose" (it's TOO MUCH verbosity really)
|
||||||
"no-multicast-peers" # disables sending to IPv4 broadcast addresses (e.g. 224.0.0.0/3)
|
"no-multicast-peers" # disables sending to IPv4 broadcast addresses (e.g. 224.0.0.0/3)
|
||||||
# "listening-ip=${config.sane.netns.ovpns.hostVethIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}" #< 2024/04/25: works, if running in root namespace
|
# "listening-ip=${config.sane.netns.ovpns.veth.initns.ipv4}" "external-ip=${config.sane.netns.ovpns.wg.address.ipv4}" #< 2024/04/25: works, if running in root namespace
|
||||||
"listening-ip=${config.sane.netns.ovpns.netnsPubIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}"
|
"listening-ip=${config.sane.netns.ovpns.wg.address.ipv4}" "external-ip=${config.sane.netns.ovpns.wg.address.ipv4}"
|
||||||
|
|
||||||
# old attempts:
|
# old attempts:
|
||||||
# "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}/${config.sane.netns.ovpns.hostVethIpv4}"
|
# "external-ip=${config.sane.netns.ovpns.wg.address.ipv4}/${config.sane.netns.ovpns.veth.initns.ipv4}"
|
||||||
# "listening-ip=10.78.79.51" # can be specified multiple times; omit for *
|
# "listening-ip=10.78.79.51" # can be specified multiple times; omit for *
|
||||||
# "external-ip=97.113.128.229/10.78.79.51"
|
# "external-ip=97.113.128.229/10.78.79.51"
|
||||||
# "external-ip=97.113.128.229"
|
# "external-ip=97.113.128.229"
|
||||||
|
@@ -102,14 +102,14 @@ in
|
|||||||
}
|
}
|
||||||
{
|
{
|
||||||
# binding this means any doof client can connect (TLS only)
|
# binding this means any doof client can connect (TLS only)
|
||||||
address = config.sane.netns.doof.hostVethIpv4;
|
address = config.sane.netns.doof.veth.initns.ipv4;
|
||||||
port = 990;
|
port = 990;
|
||||||
debug = true;
|
debug = true;
|
||||||
tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
|
tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
# binding this means any LAN client can connect via `ftp.uninsane.org` (TLS only)
|
# binding this means any LAN client can connect via `ftp.uninsane.org` (TLS only)
|
||||||
address = config.sane.netns.doof.netnsPubIpv4;
|
address = config.sane.netns.doof.wg.address.ipv4;
|
||||||
port = 990;
|
port = 990;
|
||||||
debug = true;
|
debug = true;
|
||||||
tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
|
tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
|
||||||
|
@@ -86,9 +86,9 @@ in
|
|||||||
sane.services.hickory-dns.enable = true;
|
sane.services.hickory-dns.enable = true;
|
||||||
sane.services.hickory-dns.instances = let
|
sane.services.hickory-dns.instances = let
|
||||||
mkSubstitutions = flavor: {
|
mkSubstitutions = flavor: {
|
||||||
"%ADOOF%" = config.sane.netns.doof.netnsPubIpv4;
|
"%ADOOF%" = config.sane.netns.doof.wg.address.ipv4;
|
||||||
"%ANATIVE%" = nativeAddrs."servo.${flavor}";
|
"%ANATIVE%" = nativeAddrs."servo.${flavor}";
|
||||||
"%AOVPNS%" = config.sane.netns.ovpns.netnsPubIpv4;
|
"%AOVPNS%" = config.sane.netns.ovpns.wg.address.ipv4;
|
||||||
"%AWAN%" = "$(cat '${dyn-dns.ipPath}')";
|
"%AWAN%" = "$(cat '${dyn-dns.ipPath}')";
|
||||||
"%CNAMENATIVE%" = "servo.${flavor}";
|
"%CNAMENATIVE%" = "servo.${flavor}";
|
||||||
};
|
};
|
||||||
@@ -97,10 +97,10 @@ in
|
|||||||
doof = {
|
doof = {
|
||||||
substitutions = mkSubstitutions "doof";
|
substitutions = mkSubstitutions "doof";
|
||||||
listenAddrsIpv4 = [
|
listenAddrsIpv4 = [
|
||||||
config.sane.netns.doof.hostVethIpv4
|
config.sane.netns.doof.veth.initns.ipv4
|
||||||
config.sane.netns.doof.netnsPubIpv4
|
config.sane.netns.doof.wg.address.ipv4
|
||||||
nativeAddrs."servo.lan"
|
nativeAddrs."servo.lan"
|
||||||
# config.sane.netns.ovpns.hostVethIpv4
|
# config.sane.netns.ovpns.veth.initns.ipv4
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
# hn = {
|
# hn = {
|
||||||
|
@@ -13,7 +13,10 @@ in
|
|||||||
# run this behind the OVPN static VPN
|
# run this behind the OVPN static VPN
|
||||||
sane.netns.ovpns.services = [ "jackett" ];
|
sane.netns.ovpns.services = [ "jackett" ];
|
||||||
systemd.services.jackett = {
|
systemd.services.jackett = {
|
||||||
serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
|
serviceConfig.ExecStartPre = [
|
||||||
|
# abort if public IP is not as expected
|
||||||
|
"${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.wg.address.ipv4}"
|
||||||
|
];
|
||||||
# patch in `--ListenPublic` so that it's reachable from the netns veth.
|
# patch in `--ListenPublic` so that it's reachable from the netns veth.
|
||||||
# this also makes it reachable from the VPN pub address. oh well.
|
# this also makes it reachable from the VPN pub address. oh well.
|
||||||
serviceConfig.ExecStart = lib.mkForce "${lib.getExe' cfg.package "Jackett"} --ListenPublic --NoUpdates --DataFolder '${cfg.dataDir}'";
|
serviceConfig.ExecStart = lib.mkForce "${lib.getExe' cfg.package "Jackett"} --ListenPublic --NoUpdates --DataFolder '${cfg.dataDir}'";
|
||||||
@@ -53,7 +56,7 @@ in
|
|||||||
enableACME = true;
|
enableACME = true;
|
||||||
# inherit kTLS;
|
# inherit kTLS;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9117";
|
proxyPass = "http://${config.sane.netns.ovpns.veth.netns.ipv4}:9117";
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
};
|
};
|
||||||
locations."= /robots.txt".extraConfig = ''
|
locations."= /robots.txt".extraConfig = ''
|
||||||
|
@@ -34,7 +34,7 @@
|
|||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:5030";
|
proxyPass = "http://${config.sane.netns.ovpns.veth.netns.ipv4}:5030";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@@ -73,7 +73,10 @@
|
|||||||
systemd.services.slskd = {
|
systemd.services.slskd = {
|
||||||
# run this behind the OVPN static VPN
|
# run this behind the OVPN static VPN
|
||||||
serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
|
serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
|
||||||
serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
|
serviceConfig.ExecStartPre = [
|
||||||
|
# abort if public IP is not as expected
|
||||||
|
"${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.wg.address.ipv4}"
|
||||||
|
];
|
||||||
|
|
||||||
serviceConfig.Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server
|
serviceConfig.Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server
|
||||||
serviceConfig.RestartSec = "60s";
|
serviceConfig.RestartSec = "60s";
|
||||||
|
@@ -58,8 +58,8 @@ in
|
|||||||
# DOCUMENTATION/options list: <https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md#options>
|
# DOCUMENTATION/options list: <https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md#options>
|
||||||
|
|
||||||
# message-level = 3; #< enable for debug logging. 0-3, default is 2.
|
# message-level = 3; #< enable for debug logging. 0-3, default is 2.
|
||||||
# ovpns.netnsVethIpv4 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
|
# ovpns.veth.netns.ipv4 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
|
||||||
rpc-bind-address = config.sane.netns.ovpns.netnsVethIpv4;
|
rpc-bind-address = config.sane.netns.ovpns.veth.netns.ipv4;
|
||||||
#rpc-host-whitelist = "bt.uninsane.org";
|
#rpc-host-whitelist = "bt.uninsane.org";
|
||||||
#rpc-whitelist = "*.*.*.*";
|
#rpc-whitelist = "*.*.*.*";
|
||||||
rpc-authentication-required = true;
|
rpc-authentication-required = true;
|
||||||
@@ -70,7 +70,7 @@ in
|
|||||||
rpc-whitelist-enabled = false;
|
rpc-whitelist-enabled = false;
|
||||||
|
|
||||||
# force behind ovpns in case the NetworkNamespace fails somehow
|
# force behind ovpns in case the NetworkNamespace fails somehow
|
||||||
bind-address-ipv4 = config.sane.netns.ovpns.netnsPubIpv4;
|
bind-address-ipv4 = config.sane.netns.ovpns.wg.address.ipv4;
|
||||||
port-forwarding-enabled = false;
|
port-forwarding-enabled = false;
|
||||||
|
|
||||||
# hopefully, make the downloads world-readable
|
# hopefully, make the downloads world-readable
|
||||||
@@ -111,7 +111,10 @@ in
|
|||||||
sane.netns.ovpns.services = [ "transmission" ];
|
sane.netns.ovpns.services = [ "transmission" ];
|
||||||
systemd.services.transmission = {
|
systemd.services.transmission = {
|
||||||
environment.TR_DEBUG = "1";
|
environment.TR_DEBUG = "1";
|
||||||
serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected
|
serviceConfig.ExecStartPre = [
|
||||||
|
# abort if public IP is not as expected
|
||||||
|
"${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.wg.address.ipv4}"
|
||||||
|
];
|
||||||
|
|
||||||
serviceConfig.Restart = "on-failure";
|
serviceConfig.Restart = "on-failure";
|
||||||
serviceConfig.RestartSec = "30s";
|
serviceConfig.RestartSec = "30s";
|
||||||
@@ -155,7 +158,7 @@ in
|
|||||||
# inherit kTLS;
|
# inherit kTLS;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
# proxyPass = "http://ovpns.uninsane.org:9091";
|
# proxyPass = "http://ovpns.uninsane.org:9091";
|
||||||
proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9091";
|
proxyPass = "http://${config.sane.netns.ovpns.veth.netns.ipv4}:9091";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@@ -11,13 +11,10 @@ let
|
|||||||
type = types.str;
|
type = types.str;
|
||||||
default = "1.1.1.1";
|
default = "1.1.1.1";
|
||||||
};
|
};
|
||||||
hostVethIpv4 = mkOption {
|
veth.initns.ipv4 = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
};
|
};
|
||||||
netnsVethIpv4 = mkOption {
|
veth.netns.ipv4 = mkOption {
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
netnsPubIpv4 = mkOption {
|
|
||||||
type = types.str;
|
type = types.str;
|
||||||
};
|
};
|
||||||
routeTable = mkOption {
|
routeTable = mkOption {
|
||||||
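Review bot: The renamed options `veth.initns.ipv4` and `veth.netns.ipv4` (and `wg.address.ipv4`, added in the `@@ -30,6 +27,9 @@` hunk) are declared with only `type = types.str;` and no `description`, so `nixos-option`/generated docs give no hint which side of the veth each address lands on or why `wg.address.ipv4` matters outside the tunnel. From the module body, `veth.initns.ipv4` is assigned to `${name}-veth-a` in the init namespace, `veth.netns.ipv4` to `${name}-veth-b` inside the namespace, and `wg.address.ipv4` is both the address added to `wg-${name}` inside the namespace and the destination that `bridgePort` DNATs to the init-side veth; a one-line `description = "…"` on each stating exactly that would be enough. The enclosing `let` block and options attrset begin outside this hunk.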
@@ -30,6 +27,9 @@ let
|
|||||||
wg.privateKeyFile = mkOption {
|
wg.privateKeyFile = mkOption {
|
||||||
type = types.path;
|
type = types.path;
|
||||||
};
|
};
|
||||||
|
wg.address.ipv4 = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
wg.peer.publicKey = mkOption {
|
wg.peer.publicKey = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
};
|
};
|
||||||
@@ -86,21 +86,21 @@ let
|
|||||||
# - iptables primer: <https://danielmiessler.com/study/iptables/>
|
# - iptables primer: <https://danielmiessler.com/study/iptables/>
|
||||||
# create veth pair
|
# create veth pair
|
||||||
${ip} link add ${name}-veth-a type veth peer name ${name}-veth-b || echo "${name}-veth-{a,b} aleady exists"
|
${ip} link add ${name}-veth-a type veth peer name ${name}-veth-b || echo "${name}-veth-{a,b} aleady exists"
|
||||||
${ip} addr add ${hostVethIpv4}/24 dev ${name}-veth-a || echo "${name}-veth-a aleady has IP address"
|
${ip} addr add ${veth.initns.ipv4}/24 dev ${name}-veth-a || echo "${name}-veth-a aleady has IP address"
|
||||||
${ip} link set ${name}-veth-a up
|
${ip} link set ${name}-veth-a up
|
||||||
|
|
||||||
# move veth-b into the namespace
|
# move veth-b into the namespace
|
||||||
${ip} link set ${name}-veth-b netns ${name} || echo "${name}-veth-b was already moved into its netns"
|
${ip} link set ${name}-veth-b netns ${name} || echo "${name}-veth-b was already moved into its netns"
|
||||||
${in-ns} ${ip} addr add ${netnsVethIpv4}/24 dev ${name}-veth-b || echo "${name}-veth-b aleady has IP address"
|
${in-ns} ${ip} addr add ${veth.netns.ipv4}/24 dev ${name}-veth-b || echo "${name}-veth-b aleady has IP address"
|
||||||
${in-ns} ${ip} link set ${name}-veth-b up
|
${in-ns} ${ip} link set ${name}-veth-b up
|
||||||
|
|
||||||
# make it so traffic originating from the host side of the veth
|
# make it so traffic originating from the host side of the veth
|
||||||
# is sent over the veth no matter its destination.
|
# is sent over the veth no matter its destination.
|
||||||
${ip} rule add from ${hostVethIpv4} lookup ${name} pref 50 || echo "${name} already has ip rules (pref 50)"
|
${ip} rule add from ${veth.initns.ipv4} lookup ${name} pref 50 || echo "${name} already has ip rules (pref 50)"
|
||||||
|
|
||||||
# for traffic originating at the host veth to the WAN, use the veth as our gateway
|
# for traffic originating at the host veth to the WAN, use the veth as our gateway
|
||||||
# not sure if the metric 1002 matters.
|
# not sure if the metric 1002 matters.
|
||||||
${ip} route add default via ${netnsVethIpv4} dev ${name}-veth-a proto kernel src ${hostVethIpv4} metric 1002 table ${name} || \
|
${ip} route add default via ${veth.netns.ipv4} dev ${name}-veth-a proto kernel src ${veth.initns.ipv4} metric 1002 table ${name} || \
|
||||||
echo "${name} already has default route"
|
echo "${name} already has default route"
|
||||||
# give the default route lower priority
|
# give the default route lower priority
|
||||||
${ip} rule add from all lookup local pref 100 || echo "${name}: already has ip rules (pref 100)"
|
${ip} rule add from all lookup local pref 100 || echo "${name}: already has ip rules (pref 100)"
|
||||||
@@ -110,8 +110,8 @@ let
|
|||||||
"-${in-ns} ${ip} link del ${name}-veth-b"
|
"-${in-ns} ${ip} link del ${name}-veth-b"
|
||||||
"-${ip} link del ${name}-veth-a"
|
"-${ip} link del ${name}-veth-a"
|
||||||
# restore rules/routes
|
# restore rules/routes
|
||||||
"-${ip} rule del from ${hostVethIpv4} lookup ${name} pref 50"
|
"-${ip} rule del from ${veth.initns.ipv4} lookup ${name} pref 50"
|
||||||
"-${ip} route del default via ${netnsVethIpv4} dev ${name}-veth-a proto kernel src ${hostVethIpv4} metric 1002 table ${name}"
|
"-${ip} route del default via ${veth.netns.ipv4} dev ${name}-veth-a proto kernel src ${veth.initns.ipv4} metric 1002 table ${name}"
|
||||||
# FIXME: if there are other net namespaces active, changing the prefs here may break those!
|
# FIXME: if there are other net namespaces active, changing the prefs here may break those!
|
||||||
"-${ip} rule add from all lookup local pref 0"
|
"-${ip} rule add from all lookup local pref 0"
|
||||||
"-${ip} rule del from all lookup local pref 100"
|
"-${ip} rule del from all lookup local pref 100"
|
||||||
@@ -133,8 +133,8 @@ let
|
|||||||
config.sane.ports.ports
|
config.sane.ports.ports
|
||||||
;
|
;
|
||||||
bridgePort = port: proto: ''
|
bridgePort = port: proto: ''
|
||||||
${iptables} -A PREROUTING -t nat -p ${proto} --dport ${port} -m iprange --dst-range ${netnsPubIpv4} \
|
${iptables} -A PREROUTING -t nat -p ${proto} --dport ${port} -m iprange --dst-range ${wg.address.ipv4} \
|
||||||
-j DNAT --to-destination ${hostVethIpv4}
|
-j DNAT --to-destination ${veth.initns.ipv4}
|
||||||
'';
|
'';
|
||||||
bridgeStatements = lib.foldlAttrs
|
bridgeStatements = lib.foldlAttrs
|
||||||
(acc: port: portCfg: acc ++ (builtins.map (bridgePort port) portCfg.protocol))
|
(acc: port: portCfg: acc ++ (builtins.map (bridgePort port) portCfg.protocol))
|
||||||
@@ -193,7 +193,7 @@ let
|
|||||||
${ip} link set wg-${name} netns ${name}
|
${ip} link set wg-${name} netns ${name}
|
||||||
|
|
||||||
${in-ns} ${wg'} set wg-${name} private-key ${wg.privateKeyFile}
|
${in-ns} ${wg'} set wg-${name} private-key ${wg.privateKeyFile}
|
||||||
${in-ns} ${ip} address add ${netnsPubIpv4} dev wg-${name}
|
${in-ns} ${ip} address add ${wg.address.ipv4} dev wg-${name}
|
||||||
${in-ns} ${ip} link set up dev wg-${name}
|
${in-ns} ${ip} link set up dev wg-${name}
|
||||||
|
|
||||||
# in the namespace, make this device the default route
|
# in the namespace, make this device the default route
|
||||||
@@ -237,7 +237,7 @@ let
|
|||||||
# abort if public IP is not as expected.
|
# abort if public IP is not as expected.
|
||||||
# copy this snippet to the service definition site if you want it: it has to be defined as close to the service definition as possible to be useful
|
# copy this snippet to the service definition site if you want it: it has to be defined as close to the service definition as possible to be useful
|
||||||
# serviceConfig.ExecStartPre = [
|
# serviceConfig.ExecStartPre = [
|
||||||
# "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${opts.netnsPubIpv4}"
|
# "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${opts.address.ipv4}"
|
||||||
# ];
|
# ];
|
||||||
}))
|
}))
|
||||||
];
|
];
|
||||||
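Review bot: The copy-paste snippet in the comment now reads `${opts.address.ipv4}`, but every other site in this commit renames `netnsPubIpv4` to `wg.address.ipv4`, so — assuming `opts` is the per-namespace submodule config as the old `opts.netnsPubIpv4` suggests — anyone who follows the comment's instruction to copy it into a service definition will get an attribute-missing evaluation error. The line should be `# "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${opts.wg.address.ipv4}"`. The surrounding function starts outside this hunk.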
|