modules/netns: rename options for better grouping

2024-11-11 02:37:00 +00:00
parent 23913c9cd2
commit 309bd04037
9 changed files with 54 additions and 47 deletions


@@ -7,15 +7,14 @@
# if the tunnel breaks, restart it manually: # if the tunnel breaks, restart it manually:
# - `systemctl restart netns-doof.service` # - `systemctl restart netns-doof.service`
sane.netns.doof = { sane.netns.doof = {
hostVethIpv4 = "10.0.2.5"; veth.initns.ipv4 = "10.0.2.5";
netnsVethIpv4 = "10.0.2.6"; veth.netns.ipv4 = "10.0.2.6";
netnsPubIpv4 = "205.201.63.12";
routeTable = 12; routeTable = 12;
wg.privateKeyFile = config.sops.secrets.wg_doof_privkey.path; wg.privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
wg.address.ipv4 = "205.201.63.12";
wg.peer.publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU="; wg.peer.publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
# TODO: configure DNS within the doof ns and use tun-sea.doof.net endpoint wg.peer.endpoint = "tun-sea.doof.net:53263";
# endpoint = "tun-sea.doof.net:53263"; # wg.peer.endpoint = "205.201.63.44:53263";
wg.peer.endpoint = "205.201.63.44:53263";
}; };
# inside doof, forward DNS requests back to the root machine # inside doof, forward DNS requests back to the root machine
@@ -23,5 +22,5 @@
# and we're not forwarding external DNS requests here # and we're not forwarding external DNS requests here
# XXX: ACTUALLY, CAN'T EASILY DO THAT BECAUSE HICKORY-DNS IS ALREADY USING PORT 53 # XXX: ACTUALLY, CAN'T EASILY DO THAT BECAUSE HICKORY-DNS IS ALREADY USING PORT 53
# TODO: have `sane.netns` resolve the wg endpoint before connecting to it # TODO: have `sane.netns` resolve the wg endpoint before connecting to it
# sane.netns.doof.dns = config.sane.netns.doof.netnsVethIpv4; # sane.netns.doof.dns = config.sane.netns.doof.veth.netns.ipv4;
} }
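Review bot: The peer endpoint is switched from the pinned address to the hostname `tun-sea.doof.net:53263` while the TODO on the last hunk line ("have `sane.netns` resolve the wg endpoint before connecting to it") is left standing, so tunnel bring-up now depends on name resolution succeeding from inside the namespace before any tunnel exists; in the netns module the `wg set` call runs under `${in-ns}`, which appears to be where that lookup would happen. The ovpns section makes the same change and additionally drops the old comment that a hostname "presents bootstrapping issues", so the caveat is no longer recorded anywhere. WireGuard still authenticates the peer by its public key, so a wrong or spoofed answer can only keep the tunnel down rather than redirect it, but a resolver that is unreachable from the fresh namespace turns this into a service that fails at start. Until the module resolves the endpoint on the host side, I would keep a note next to the endpoint in both files, e.g. `# NOTE: resolved inside the netns by wg set, before the tunnel exists; needs a resolver reachable from there (see TODO below)`.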


@@ -6,15 +6,14 @@
# OVPN CONFIG (https://www.ovpn.com): # OVPN CONFIG (https://www.ovpn.com):
# DOCS: https://nixos.wiki/wiki/WireGuard # DOCS: https://nixos.wiki/wiki/WireGuard
sane.netns.ovpns = { sane.netns.ovpns = {
hostVethIpv4 = "10.0.1.5"; veth.initns.ipv4 = "10.0.1.5";
netnsVethIpv4 = "10.0.1.6"; veth.netns.ipv4 = "10.0.1.6";
netnsPubIpv4 = "185.157.162.178";
routeTable = 11; routeTable = 11;
dns = "46.227.67.134"; #< DNS requests inside the namespace are forwarded here dns = "46.227.67.134"; #< DNS requests inside the namespace are forwarded here
wg.privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path; wg.privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
wg.address.ipv4 = "185.157.162.178";
wg.peer.publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs="; wg.peer.publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs=";
# alternatively: use hostname, but that presents bootstrapping issues wg.peer.endpoint = "vpn36.prd.amsterdam.ovpn.com:9930";
# endpoint = "vpn36.prd.amsterdam.ovpn.com:9930"; # wg.peer.endpoint = "185.157.162.10:9930";
wg.peer.endpoint = "185.157.162.10:9930";
}; };
} }


@@ -129,11 +129,11 @@ in
"verbose" "verbose"
# "Verbose" #< even MORE verbosity than "verbose" (it's TOO MUCH verbosity really) # "Verbose" #< even MORE verbosity than "verbose" (it's TOO MUCH verbosity really)
"no-multicast-peers" # disables sending to IPv4 broadcast addresses (e.g. 224.0.0.0/3) "no-multicast-peers" # disables sending to IPv4 broadcast addresses (e.g. 224.0.0.0/3)
# "listening-ip=${config.sane.netns.ovpns.hostVethIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}" #< 2024/04/25: works, if running in root namespace # "listening-ip=${config.sane.netns.ovpns.veth.initns.ipv4}" "external-ip=${config.sane.netns.ovpns.wg.address.ipv4}" #< 2024/04/25: works, if running in root namespace
"listening-ip=${config.sane.netns.ovpns.netnsPubIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}" "listening-ip=${config.sane.netns.ovpns.wg.address.ipv4}" "external-ip=${config.sane.netns.ovpns.wg.address.ipv4}"
# old attempts: # old attempts:
# "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}/${config.sane.netns.ovpns.hostVethIpv4}" # "external-ip=${config.sane.netns.ovpns.wg.address.ipv4}/${config.sane.netns.ovpns.veth.initns.ipv4}"
# "listening-ip=10.78.79.51" # can be specified multiple times; omit for * # "listening-ip=10.78.79.51" # can be specified multiple times; omit for *
# "external-ip=97.113.128.229/10.78.79.51" # "external-ip=97.113.128.229/10.78.79.51"
# "external-ip=97.113.128.229" # "external-ip=97.113.128.229"


@@ -102,14 +102,14 @@ in
} }
{ {
# binding this means any doof client can connect (TLS only) # binding this means any doof client can connect (TLS only)
address = config.sane.netns.doof.hostVethIpv4; address = config.sane.netns.doof.veth.initns.ipv4;
port = 990; port = 990;
debug = true; debug = true;
tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command. tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
} }
{ {
# binding this means any LAN client can connect via `ftp.uninsane.org` (TLS only) # binding this means any LAN client can connect via `ftp.uninsane.org` (TLS only)
address = config.sane.netns.doof.netnsPubIpv4; address = config.sane.netns.doof.wg.address.ipv4;
port = 990; port = 990;
debug = true; debug = true;
tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command. tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.


@@ -86,9 +86,9 @@ in
sane.services.hickory-dns.enable = true; sane.services.hickory-dns.enable = true;
sane.services.hickory-dns.instances = let sane.services.hickory-dns.instances = let
mkSubstitutions = flavor: { mkSubstitutions = flavor: {
"%ADOOF%" = config.sane.netns.doof.netnsPubIpv4; "%ADOOF%" = config.sane.netns.doof.wg.address.ipv4;
"%ANATIVE%" = nativeAddrs."servo.${flavor}"; "%ANATIVE%" = nativeAddrs."servo.${flavor}";
"%AOVPNS%" = config.sane.netns.ovpns.netnsPubIpv4; "%AOVPNS%" = config.sane.netns.ovpns.wg.address.ipv4;
"%AWAN%" = "$(cat '${dyn-dns.ipPath}')"; "%AWAN%" = "$(cat '${dyn-dns.ipPath}')";
"%CNAMENATIVE%" = "servo.${flavor}"; "%CNAMENATIVE%" = "servo.${flavor}";
}; };
@@ -97,10 +97,10 @@ in
doof = { doof = {
substitutions = mkSubstitutions "doof"; substitutions = mkSubstitutions "doof";
listenAddrsIpv4 = [ listenAddrsIpv4 = [
config.sane.netns.doof.hostVethIpv4 config.sane.netns.doof.veth.initns.ipv4
config.sane.netns.doof.netnsPubIpv4 config.sane.netns.doof.wg.address.ipv4
nativeAddrs."servo.lan" nativeAddrs."servo.lan"
# config.sane.netns.ovpns.hostVethIpv4 # config.sane.netns.ovpns.veth.initns.ipv4
]; ];
}; };
# hn = { # hn = {


@@ -13,7 +13,10 @@ in
# run this behind the OVPN static VPN # run this behind the OVPN static VPN
sane.netns.ovpns.services = [ "jackett" ]; sane.netns.ovpns.services = [ "jackett" ];
systemd.services.jackett = { systemd.services.jackett = {
serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected serviceConfig.ExecStartPre = [
# abort if public IP is not as expected
"${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.wg.address.ipv4}"
];
# patch in `--ListenPublic` so that it's reachable from the netns veth. # patch in `--ListenPublic` so that it's reachable from the netns veth.
# this also makes it reachable from the VPN pub address. oh well. # this also makes it reachable from the VPN pub address. oh well.
serviceConfig.ExecStart = lib.mkForce "${lib.getExe' cfg.package "Jackett"} --ListenPublic --NoUpdates --DataFolder '${cfg.dataDir}'"; serviceConfig.ExecStart = lib.mkForce "${lib.getExe' cfg.package "Jackett"} --ListenPublic --NoUpdates --DataFolder '${cfg.dataDir}'";
@@ -53,7 +56,7 @@ in
enableACME = true; enableACME = true;
# inherit kTLS; # inherit kTLS;
locations."/" = { locations."/" = {
proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9117"; proxyPass = "http://${config.sane.netns.ovpns.veth.netns.ipv4}:9117";
recommendedProxySettings = true; recommendedProxySettings = true;
}; };
locations."= /robots.txt".extraConfig = '' locations."= /robots.txt".extraConfig = ''


@@ -34,7 +34,7 @@
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:5030"; proxyPass = "http://${config.sane.netns.ovpns.veth.netns.ipv4}:5030";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
@@ -73,7 +73,10 @@
systemd.services.slskd = { systemd.services.slskd = {
# run this behind the OVPN static VPN # run this behind the OVPN static VPN
serviceConfig.NetworkNamespacePath = "/run/netns/ovpns"; serviceConfig.NetworkNamespacePath = "/run/netns/ovpns";
serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected serviceConfig.ExecStartPre = [
# abort if public IP is not as expected
"${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.wg.address.ipv4}"
];
serviceConfig.Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server serviceConfig.Restart = lib.mkForce "always"; # exits "success" when it fails to connect to soulseek server
serviceConfig.RestartSec = "60s"; serviceConfig.RestartSec = "60s";


@@ -58,8 +58,8 @@ in
# DOCUMENTATION/options list: <https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md#options> # DOCUMENTATION/options list: <https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md#options>
# message-level = 3; #< enable for debug logging. 0-3, default is 2. # message-level = 3; #< enable for debug logging. 0-3, default is 2.
# ovpns.netnsVethIpv4 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be. # ovpns.veth.netns.ipv4 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
rpc-bind-address = config.sane.netns.ovpns.netnsVethIpv4; rpc-bind-address = config.sane.netns.ovpns.veth.netns.ipv4;
#rpc-host-whitelist = "bt.uninsane.org"; #rpc-host-whitelist = "bt.uninsane.org";
#rpc-whitelist = "*.*.*.*"; #rpc-whitelist = "*.*.*.*";
rpc-authentication-required = true; rpc-authentication-required = true;
@@ -70,7 +70,7 @@ in
rpc-whitelist-enabled = false; rpc-whitelist-enabled = false;
# force behind ovpns in case the NetworkNamespace fails somehow # force behind ovpns in case the NetworkNamespace fails somehow
bind-address-ipv4 = config.sane.netns.ovpns.netnsPubIpv4; bind-address-ipv4 = config.sane.netns.ovpns.wg.address.ipv4;
port-forwarding-enabled = false; port-forwarding-enabled = false;
# hopefully, make the downloads world-readable # hopefully, make the downloads world-readable
@@ -111,7 +111,10 @@ in
sane.netns.ovpns.services = [ "transmission" ]; sane.netns.ovpns.services = [ "transmission" ];
systemd.services.transmission = { systemd.services.transmission = {
environment.TR_DEBUG = "1"; environment.TR_DEBUG = "1";
serviceConfig.ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ]; # abort if public IP is not as expected serviceConfig.ExecStartPre = [
# abort if public IP is not as expected
"${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.wg.address.ipv4}"
];
serviceConfig.Restart = "on-failure"; serviceConfig.Restart = "on-failure";
serviceConfig.RestartSec = "30s"; serviceConfig.RestartSec = "30s";
@@ -155,7 +158,7 @@ in
# inherit kTLS; # inherit kTLS;
locations."/" = { locations."/" = {
# proxyPass = "http://ovpns.uninsane.org:9091"; # proxyPass = "http://ovpns.uninsane.org:9091";
proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9091"; proxyPass = "http://${config.sane.netns.ovpns.veth.netns.ipv4}:9091";
}; };
}; };


@@ -11,13 +11,10 @@ let
type = types.str; type = types.str;
default = "1.1.1.1"; default = "1.1.1.1";
}; };
hostVethIpv4 = mkOption { veth.initns.ipv4 = mkOption {
type = types.str; type = types.str;
}; };
netnsVethIpv4 = mkOption { veth.netns.ipv4 = mkOption {
type = types.str;
};
netnsPubIpv4 = mkOption {
type = types.str; type = types.str;
}; };
routeTable = mkOption { routeTable = mkOption {
@@ -30,6 +27,9 @@ let
wg.privateKeyFile = mkOption { wg.privateKeyFile = mkOption {
type = types.path; type = types.path;
}; };
wg.address.ipv4 = mkOption {
type = types.str;
};
wg.peer.publicKey = mkOption { wg.peer.publicKey = mkOption {
type = types.str; type = types.str;
}; };
@@ -86,21 +86,21 @@ let
# - iptables primer: <https://danielmiessler.com/study/iptables/> # - iptables primer: <https://danielmiessler.com/study/iptables/>
# create veth pair # create veth pair
${ip} link add ${name}-veth-a type veth peer name ${name}-veth-b || echo "${name}-veth-{a,b} aleady exists" ${ip} link add ${name}-veth-a type veth peer name ${name}-veth-b || echo "${name}-veth-{a,b} aleady exists"
${ip} addr add ${hostVethIpv4}/24 dev ${name}-veth-a || echo "${name}-veth-a aleady has IP address" ${ip} addr add ${veth.initns.ipv4}/24 dev ${name}-veth-a || echo "${name}-veth-a aleady has IP address"
${ip} link set ${name}-veth-a up ${ip} link set ${name}-veth-a up
# move veth-b into the namespace # move veth-b into the namespace
${ip} link set ${name}-veth-b netns ${name} || echo "${name}-veth-b was already moved into its netns" ${ip} link set ${name}-veth-b netns ${name} || echo "${name}-veth-b was already moved into its netns"
${in-ns} ${ip} addr add ${netnsVethIpv4}/24 dev ${name}-veth-b || echo "${name}-veth-b aleady has IP address" ${in-ns} ${ip} addr add ${veth.netns.ipv4}/24 dev ${name}-veth-b || echo "${name}-veth-b aleady has IP address"
${in-ns} ${ip} link set ${name}-veth-b up ${in-ns} ${ip} link set ${name}-veth-b up
# make it so traffic originating from the host side of the veth # make it so traffic originating from the host side of the veth
# is sent over the veth no matter its destination. # is sent over the veth no matter its destination.
${ip} rule add from ${hostVethIpv4} lookup ${name} pref 50 || echo "${name} already has ip rules (pref 50)" ${ip} rule add from ${veth.initns.ipv4} lookup ${name} pref 50 || echo "${name} already has ip rules (pref 50)"
# for traffic originating at the host veth to the WAN, use the veth as our gateway # for traffic originating at the host veth to the WAN, use the veth as our gateway
# not sure if the metric 1002 matters. # not sure if the metric 1002 matters.
${ip} route add default via ${netnsVethIpv4} dev ${name}-veth-a proto kernel src ${hostVethIpv4} metric 1002 table ${name} || \ ${ip} route add default via ${veth.netns.ipv4} dev ${name}-veth-a proto kernel src ${veth.initns.ipv4} metric 1002 table ${name} || \
echo "${name} already has default route" echo "${name} already has default route"
# give the default route lower priority # give the default route lower priority
${ip} rule add from all lookup local pref 100 || echo "${name}: already has ip rules (pref 100)" ${ip} rule add from all lookup local pref 100 || echo "${name}: already has ip rules (pref 100)"
@@ -110,8 +110,8 @@ let
"-${in-ns} ${ip} link del ${name}-veth-b" "-${in-ns} ${ip} link del ${name}-veth-b"
"-${ip} link del ${name}-veth-a" "-${ip} link del ${name}-veth-a"
# restore rules/routes # restore rules/routes
"-${ip} rule del from ${hostVethIpv4} lookup ${name} pref 50" "-${ip} rule del from ${veth.initns.ipv4} lookup ${name} pref 50"
"-${ip} route del default via ${netnsVethIpv4} dev ${name}-veth-a proto kernel src ${hostVethIpv4} metric 1002 table ${name}" "-${ip} route del default via ${veth.netns.ipv4} dev ${name}-veth-a proto kernel src ${veth.initns.ipv4} metric 1002 table ${name}"
# FIXME: if there are other net namespaces active, changing the prefs here may break those! # FIXME: if there are other net namespaces active, changing the prefs here may break those!
"-${ip} rule add from all lookup local pref 0" "-${ip} rule add from all lookup local pref 0"
"-${ip} rule del from all lookup local pref 100" "-${ip} rule del from all lookup local pref 100"
@@ -133,8 +133,8 @@ let
config.sane.ports.ports config.sane.ports.ports
; ;
bridgePort = port: proto: '' bridgePort = port: proto: ''
${iptables} -A PREROUTING -t nat -p ${proto} --dport ${port} -m iprange --dst-range ${netnsPubIpv4} \ ${iptables} -A PREROUTING -t nat -p ${proto} --dport ${port} -m iprange --dst-range ${wg.address.ipv4} \
-j DNAT --to-destination ${hostVethIpv4} -j DNAT --to-destination ${veth.initns.ipv4}
''; '';
bridgeStatements = lib.foldlAttrs bridgeStatements = lib.foldlAttrs
(acc: port: portCfg: acc ++ (builtins.map (bridgePort port) portCfg.protocol)) (acc: port: portCfg: acc ++ (builtins.map (bridgePort port) portCfg.protocol))
@@ -193,7 +193,7 @@ let
${ip} link set wg-${name} netns ${name} ${ip} link set wg-${name} netns ${name}
${in-ns} ${wg'} set wg-${name} private-key ${wg.privateKeyFile} ${in-ns} ${wg'} set wg-${name} private-key ${wg.privateKeyFile}
${in-ns} ${ip} address add ${netnsPubIpv4} dev wg-${name} ${in-ns} ${ip} address add ${wg.address.ipv4} dev wg-${name}
${in-ns} ${ip} link set up dev wg-${name} ${in-ns} ${ip} link set up dev wg-${name}
# in the namespace, make this device the default route # in the namespace, make this device the default route
@@ -237,7 +237,7 @@ let
# abort if public IP is not as expected. # abort if public IP is not as expected.
# copy this snippet to the service definition site if you want it: it has to be defined as close to the service definition as possible to be useful # copy this snippet to the service definition site if you want it: it has to be defined as close to the service definition as possible to be useful
# serviceConfig.ExecStartPre = [ # serviceConfig.ExecStartPre = [
# "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${opts.netnsPubIpv4}" # "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${opts.address.ipv4}"
# ]; # ];
})) }))
]; ];
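Review bot: The copy-paste snippet in the last hunk now reads `${opts.address.ipv4}`, but the option this commit declares is `wg.address.ipv4`, so anyone pasting the guard as instructed would get an attribute-missing error; it should read `# "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${opts.wg.address.ipv4}"`, matching the `config.sane.netns.ovpns.wg.address.ipv4` form the jackett, slskd and transmission sections already use. Separately, the veth bring-up, teardown and bridgePort hunks now interpolate `veth.initns.ipv4` and `veth.netns.ipv4` as attribute paths where previously only `wg` was referenced that way; whatever `let`/`inherit` bound `hostVethIpv4` and `netnsVethIpv4` is outside these hunks, so it is worth confirming `veth` is brought into scope the same way, otherwise evaluation fails with an undefined variable rather than at runtime.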