servo: doof net: add the capability to forward ports

2024-06-17 06:58:06 +00:00 · 2024-06-17 06:58:06 +00:00 · 456e0de872
commit 456e0de872
parent 7825ddc123
1 changed files with 15 additions and 15 deletions
--- a/hosts/by-name/servo/net.nix
+++ b/hosts/by-name/servo/net.nix
@ -10,6 +10,13 @@ let
          whether to forward inbound traffic on the OVPN vpn port to the corresponding localhost port.
        '';
      };
+      visibleTo.doof = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          whether to forward inbound traffic on the doofnet vpn port to the corresponding localhost port.
+        '';
+      };
    };
  };

@ -113,19 +120,15 @@ in

    # tun-sea config
    sane.dns.zones."uninsane.org".inet.A."doof.tunnel" = "205.201.63.12";
-    sane.dns.zones."uninsane.org".inet.AAAA."doof.tunnel" = "2602:fce8:106::51";
-    networking.wireguard.interfaces.wg-doof = let
-      ip = "${pkgs.iproute2}/bin/ip";
-    in {
+    # sane.dns.zones."uninsane.org".inet.AAAA."doof.tunnel" = "2602:fce8:106::51";  #< TODO: enable IPv6
+    networking.wireguard.interfaces.wg-doof = bridgedWireguardNamespace {
      privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
      # wg is active only in this namespace.
      # run e.g. ip netns exec doof <some command like ping/curl/etc, it'll go through wg>
      #   sudo ip netns exec doof ping www.google.com
-      interfaceNamespace = "doof";
-      ips = [
-        "205.201.63.12/32"
-        "2602:fce8:106::51/128"
-      ];
+      name = "doof";
+      ip4 = "205.201.63.12";
+      # ip6 = "2602:fce8:106::51/128"  #< TODO: enable IPv6
      peers = [
        {
          publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
@ -136,12 +139,9 @@ in
          persistentKeepalive = 25; #< keep the NAT alive
        }
      ];
-      preSetup = ''
-        ${ip} netns add doof || (test -e /run/netns/doof && echo "doof already exists")
-      '';
-      postShutdown = ''
-        ${ip} netns delete doof || echo "couldn't delete doof"
-      '';
+
+      vethSubnet = "10.0.2";  #< 10.0.2.x is used for forwarding traffic between the root namespace and the VPN namespace
+      vpnDns = "1.1.1.1";  #< DNS requests inside the namespace are forwarded here (TODO: forward to the init namespace resolver)
    };

    # OVPN CONFIG (https://www.ovpn.com):