diff --git a/hosts/by-name/servo/net.nix b/hosts/by-name/servo/net.nix
index 63882b73..0b0242dd 100644
--- a/hosts/by-name/servo/net.nix
+++ b/hosts/by-name/servo/net.nix
@@ -10,6 +10,13 @@ let
 whether to forward inbound traffic on the OVPN vpn port to the corresponding localhost port.
 '';
 };
+visibleTo.doof = mkOption {
+type = types.bool;
+default = false;
+description = ''
+whether to forward inbound traffic on the doofnet vpn port to the corresponding localhost port.
+'';
+};
 };
 };
 
@@ -113,19 +120,15 @@ in
 
 # tun-sea config
 sane.dns.zones."uninsane.org".inet.A."doof.tunnel" = "205.201.63.12";
-sane.dns.zones."uninsane.org".inet.AAAA."doof.tunnel" = "2602:fce8:106::51";
-networking.wireguard.interfaces.wg-doof = let
-ip = "${pkgs.iproute2}/bin/ip";
-in {
+# sane.dns.zones."uninsane.org".inet.AAAA."doof.tunnel" = "2602:fce8:106::51"; #< TODO: enable IPv6
+networking.wireguard.interfaces.wg-doof = bridgedWireguardNamespace {
 privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
 # wg is active only in this namespace.
 # run e.g. ip netns exec doof
 # sudo ip netns exec doof ping www.google.com
-interfaceNamespace = "doof";
-ips = [
-"205.201.63.12/32"
-"2602:fce8:106::51/128"
-];
+name = "doof";
+ip4 = "205.201.63.12";
+# ip6 = "2602:fce8:106::51/128" #< TODO: enable IPv6
 peers = [
 {
 publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
@@ -136,12 +139,9 @@ in
 persistentKeepalive = 25; #< keep the NAT alive
 }
 ];
-preSetup = ''
-${ip} netns add doof || (test -e /run/netns/doof && echo "doof already exists")
-'';
-postShutdown = ''
-${ip} netns delete doof || echo "couldn't delete doof"
-'';
+
+vethSubnet = "10.0.2"; #< 10.0.2.x is used for forwarding traffic between the root namespace and the VPN namespace
+vpnDns = "1.1.1.1"; #< DNS requests inside the namespace are forwarded here (TODO: forward to the init namespace resolver)
 };
 
 # OVPN CONFIG (https://www.ovpn.com):
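Review bot: The new `visibleTo.doof` option is a near-verbatim copy of the `visibleTo.ovpn` option above it, differing only in the VPN name inside the description; a third namespace will copy it again. Consider generating these from a list of VPN names with `lib.genAttrs` (or a small `mkVisibleTo = vpn: mkOption { ... }` helper in the same `let`), so the option set and the interface definitions further down cannot drift apart. The enclosing option declaration starts outside the hunk.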
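Review bot: `ip4 = "205.201.63.12";` drops the `/32` prefix that the removed `ips` entry carried, and the same literal is repeated in the `A."doof.tunnel"` record two lines above. Whether `bridgedWireguardNamespace` appends the prefix itself is not visible here (it is defined outside this hunk), so if it passes the value through to wireguard's `ips` the address will be assigned with a default mask; worth a one-line comment on the helper's expected format, e.g. `ip4 = "205.201.63.12";  #< bare address; the helper adds the /32`, once confirmed. Bind the address once in the `let` (e.g. `doofIp4 = "205.201.63.12";`) and use it for both the DNS record and the interface so the two cannot diverge.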
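Review bot: `vpnDns = "1.1.1.1";` points the namespace's resolver at an external public resolver, so every lookup made inside the namespace is visible in plaintext to the VPN exit and to that resolver rather than staying with the host's own resolver; the trailing TODO acknowledges this, but the comment should state the exposure so it is not forgotten, e.g. `#< plaintext DNS leaves via the tunnel to this resolver; TODO: forward to the init namespace resolver`. `vethSubnet = "10.0.2";` has no stated relation to the veth subnet the OVPN namespace below presumably uses, and a collision would silently break forwarding for one of them; a comment naming the allocation rule (`#< must be unique per VPN namespace; ovpn uses <its subnet>`) would make that visible. The removed `preSetup` tolerated an already-existing `doof` netns; if `bridgedWireguardNamespace` does not carry an equivalent guard, a restart after an unclean shutdown will fail at `ip netns add`, which cannot be checked from this hunk.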