servo: fold wg0 setup into one single service

it doesn't restart cleanly (maybe i can't kill a netns while stuff lives
inside it?). problem for another day.

hosts/servo/net.nix

@@ -54,15 +54,18 @@
   networking.wireguard.interfaces.wg0 = let
     ip = "${pkgs.iproute2}/bin/ip";
     in-ns = "${ip} netns exec ovpns";
+    iptables = "${pkgs.iptables}/bin/iptables";
+    veth-host-ip = "10.0.1.5";
+    veth-local-ip = "10.0.1.6";
+    vpn-ip = "185.157.162.178";
+    # DNS = 46.227.67.134, 192.165.9.158, 2a07:a880:4601:10f0:cd45::1, 2001:67c:750:1:cafe:cd45::1
+    vpn-dns = "46.227.67.134";
   in {
     privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
     # wg is active only in this namespace.
     # run e.g. ip netns exec ovpns <some command like ping/curl/etc, it'll go through wg>
     #   sudo ip netns exec ovpns ping www.google.com
-    # TODO: fold wg0veth service into `postSetup` here
     interfaceNamespace = "ovpns";
-    preSetup = "${ip} netns add ovpns || true";
-    postShutdown = "${ip} netns delete ovpns";
     ips = [
       "185.157.162.178/32"
     ];
@@ -83,34 +86,15 @@
         # dynamicEndpointRefreshRestartSeconds = 5;
       }
     ];
-  };
+    preSetup = "" + ''
-
+      ${ip} netns add ovpns || echo "ovpns already exists"
-  # create a new routing table that we can use to proxy traffic out of the root namespace
-  # through the ovpns namespace, and to the WAN via VPN.
-  networking.iproute2.rttablesExtraConfig = ''
-  5 ovpns
     '';
-  networking.iproute2.enable = true;
+    postShutdown = "" + ''
-
+      ${in-ns} ip link del ovpns-veth-b || echo "couldn't delete ovpns-veth-b"
-  systemd.services.wg0veth = {
+      ${ip} link del ovpns-veth-a || echo "couldn't delete ovpns-veth-a"
-    description = "veth pair to allow communication between host and wg0 netns";
+      ${ip} netns delete ovpns || echo "couldn't delete ovpns"
-    after = [ "wireguard-wg0.service" ];
+    '';
-    wantedBy = [ "multi-user.target" ];
+    postSetup = "" + ''
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-
-      ExecStart = let
-        veth-host-ip = "10.0.1.5";
-        veth-local-ip = "10.0.1.6";
-        vpn-ip = "185.157.162.178";
-        # DNS = 46.227.67.134, 192.165.9.158, 2a07:a880:4601:10f0:cd45::1, 2001:67c:750:1:cafe:cd45::1
-        vpn-dns = "46.227.67.134";
-        ip = "${pkgs.iproute2}/bin/ip";
-        in-ns = "${ip} netns exec ovpns";
-        iptables = "${pkgs.iptables}/bin/iptables";
-      in pkgs.writeScript "wg0veth-start" ''
-        #!${pkgs.bash}/bin/bash
       # DOCS:
       # - some of this approach is described here: <https://josephmuia.ca/2018-05-16-net-namespaces-veth-nat/>
       # - iptables primer: <https://danielmiessler.com/study/iptables/>
@@ -121,8 +105,8 @@
 
       # mv veth-b into the ovpns namespace
       ${ip} link set ovpns-veth-b netns ovpns
-        ${ip} -n ovpns addr add ${veth-local-ip}/24 dev ovpns-veth-b
+      ${in-ns} ip addr add ${veth-local-ip}/24 dev ovpns-veth-b
-        ${ip} -n ovpns link set ovpns-veth-b up
+      ${in-ns} ip link set ovpns-veth-b up
 
       # make it so traffic originating from the host side of the veth
       # is sent over the veth no matter its destination.
@@ -149,14 +133,14 @@
       # - alternatively, we could fix DNS servers like 1.1.1.1.
       ${in-ns} ${iptables} -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.53 -j DNAT --to-destination ${vpn-dns}:53
     '';
+  };
 
-      ExecStop = with pkgs; writeScript "wg0veth-stop" ''
+  # create a new routing table that we can use to proxy traffic out of the root namespace
-        #!${bash}/bin/bash
+  # through the ovpns namespace, and to the WAN via VPN.
-        ${iproute2}/bin/ip -n wg0 link del ovpns-veth-b
+  networking.iproute2.rttablesExtraConfig = ''
-        ${iproute2}/bin/ip link del ovpns-veth-a
+  5 ovpns
   '';
-    };
+  networking.iproute2.enable = true;
-  };
 
   sops.secrets."wg_ovpns_privkey" = {
     sopsFile = ../../secrets/servo.yaml;

hosts/servo/services/jackett.nix

@@ -7,7 +7,7 @@
   ];
   services.jackett.enable = true;
 
-  systemd.services.jackett.after = ["wg0veth.service"];
+  systemd.services.jackett.after = ["wireguard-wg0.service"];
   systemd.services.jackett.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";

hosts/servo/services/postfix.nix

@@ -64,7 +64,7 @@ in
   services.postfix.enableSubmissions = true;
   services.postfix.submissionsOptions = submissionOptions;
 
-  systemd.services.postfix.after = [ "wg0veth.service" ];
+  systemd.services.postfix.after = [ "wireguard-wg0.service" ];
   systemd.services.postfix.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";
@@ -85,7 +85,7 @@ in
   # keeping this the same as the hostname seems simplest
   services.opendkim.selector = "mx";
 
-  systemd.services.opendkim.after = [ "wg0veth.service" ];
+  systemd.services.opendkim.after = [ "wireguard-wg0.service" ];
   systemd.services.opendkim.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";

hosts/servo/services/transmission.nix

@@ -40,7 +40,7 @@
   # transmission will by default not allow the world to read its files.
   services.transmission.downloadDirPermissions = "775";
 
-  systemd.services.transmission.after = ["wg0veth.service"];
+  systemd.services.transmission.after = ["wireguard-wg0.service"];
   systemd.services.transmission.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";

pkgs/sane-scripts/src/sane-stop-all-servo

@@ -8,4 +8,4 @@ sudo systemctl stop nginx
 sudo systemctl stop postgresql
 sudo systemctl stop duplicity.timer
 sudo systemctl stop duplicity
-sudo systemctl stop wg0veth wireguard-wg0
+sudo systemctl stop wireguard-wg0