servo: bridge to doof.net

hosts/by-name/servo/net.nix

@@ -38,6 +38,37 @@ in
     #   FallbackDNS=1.1.1.1 9.9.9.9
     # '';
 
+    # tun-sea config
+    networking.wireguard.interfaces.wg-doof = let
+      ip = "${pkgs.iproute2}/bin/ip";
+    in {
+      privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
+      # wg is active only in this namespace.
+      # run e.g. ip netns exec doof <some command like ping/curl/etc, it'll go through wg>
+      #   sudo ip netns exec doof ping www.google.com
+      interfaceNamespace = "doof";
+      ips = [
+        "205.201.63.12/32"
+        "2602:fce8:106::/64"
+      ];
+      peers = [
+        {
+          publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
+          # TODO: configure DNS within the doof ns and use tun-sea.doof.net endpoint
+          # endpoint = "tun-sea.doof.net:53263";
+          endpoint = "205.201.63.44:53263";
+          allowedIPs = [ "0.0.0.0/0" "::/0" ];
+          persistentKeepalive = 25; #< keep the NAT alive
+        }
+      ];
+      preSetup = ''
+        ${ip} netns add doof || (test -e /run/netns/doof && echo "doof already exists")
+      '';
+      postShutdown = ''
+        ${ip} netns delete doof || echo "couldn't delete doof"
+      '';
+    };
+
     # OVPN CONFIG (https://www.ovpn.com):
     # DOCS: https://nixos.wiki/wiki/WireGuard
     # if you `systemctl restart wireguard-wg-ovpns`, make sure to also restart any other services in `NetworkNamespacePath = .../ovpns`.

secrets/servo/wg_doof_privkey.bin

@@ -0,0 +1,32 @@
+{
+	"data": "ENC[AES256_GCM,data:lkTVvy1+e3CmXafngZfU9YMAhDAyUs2EAAKyllxU7pecbn1xMOkCYa1Yikcl,iv:5izufYHrTMemzTZCCK8E/aBJIW1qW5um/R2T6cbhpPo=,tag:1IgerPUitDhGRGOhtfn4uQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNjhROXVWaVFPNEhwSW9l\nSzhhYjBqNGprYnJOd3hEdmw3WFJhcUV3cURRCjJ5SllBRkZ2clFNa1NZZjRMc1lw\nblg5dkJSQUlRMHBVZEFlWi9tM1R0dncKLS0tIDdYVll3d3NXVVJoS1d3Z3lIZHdq\nTDdieDZGamFTbEdHNHh1eG1zclFVUlEK0ovxvMBUQOPjhN5wiObigQQVh66+e9iB\nMqJ7vZQzseu1Kw6DgnTXla7f90KNpOv4N9i1wK5ZSuR1yHKuBHkR2Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETTdYVEdBQ0x6anZ1MEFY\nbzlXVmU4Q3FuRXd6eDJieXJ5UnpTWjIzdm5NCjhwNFJZU3lxbGV4dUFPRU03aWhr\neVBaaUplN3J0QWlGUjNPRUsxQXJ0RVUKLS0tIHNnY2tMVkRNRU92T0htbk1JN0ho\nU0MxakdBcGxJZkFDTjNWSjFsZFlneTgK3mPTbmhqnMAP7u2dMcpSgCEKrZ6zaehM\nYTSFA08FCWZ7JC4IzDss6Cgo0yYTqtDADPsYrVFzWV4WUQgyQKNDZA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNUhuSVZpcGpDUllJZ3Bj\nOFJ4aG9HQTVTSTNLWHdDNmJic0tFMVhnRTMwCkVObVhWMlMyMmRmN1hubEhLdDJi\nR0ZzZ2xyMjJBL3JTT2x1N3ZZejZKMmsKLS0tIHhLZUYyMzV6Wll0a3d5WENwd0s1\nODFZcXpkcjJ5bFh4a3hIWExhYTAwSVUKSKbYAyHXy6zThxBbR4Zt51x/mPwHn5bd\nX1cwRoOHJh2PgXfXhhWWPel9j3oK+MWwdOJAfB2ug25L7Rawdnx5BQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4aUtSaTRIMyt4V3VGQTBa\ndnJ4SVR5b0JtZ21Ea1d5emxzRml5T05TNlZrCjY3RHB5bmc2dStRU0lzU0Q3TkZF\ndll4WURxdUFsUkM5b0NOalR5REY1bDQKLS0tIGtVR0ZzbmN2OTNrWFYyQmN2QTFT\nSlR0dEJiU2t6UkFvMHBWaW1sLzFSaFkKyeOtKY+KdkpBHdl2jvyRbRJdYcgkR2HZ\nuwIsMXjy929OFrX8iKI1JAXDZF2AOhzUMba9IR2+yipCgev11hXnhA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-05-20T04:17:15Z",
+		"mac": "ENC[AES256_GCM,data:Ct77I+3tD7u+j2lDuRhngQQ50fqfPFEsOJRfSj71HQmUTkyVdfiXceZijQ2ho526K17jrCU+srn6v3BWklFqefQbe7ox1yzNrMqLQB36u1NKHiov/2gnFLpeMi8b/yeKGzbEI5+02YiqILg+LKvc+1QHa8n6KVGCr/JcteLj+Tg=,iv:sk1GV03X2d5M7pH1K2CicQdoyJMOUsT2qEcAiCq9h5s=,tag:CgNVbdmqaUWk07xHSjkO/Q==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}