servo: doof net: add the capability to forward ports
This commit is contained in:
parent
7825ddc123
commit
456e0de872
|
@ -10,6 +10,13 @@ let
|
||||||
whether to forward inbound traffic on the OVPN vpn port to the corresponding localhost port.
|
whether to forward inbound traffic on the OVPN vpn port to the corresponding localhost port.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
visibleTo.doof = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = ''
|
||||||
|
whether to forward inbound traffic on the doofnet vpn port to the corresponding localhost port.
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -113,19 +120,15 @@ in
|
||||||
|
|
||||||
# tun-sea config
|
# tun-sea config
|
||||||
sane.dns.zones."uninsane.org".inet.A."doof.tunnel" = "205.201.63.12";
|
sane.dns.zones."uninsane.org".inet.A."doof.tunnel" = "205.201.63.12";
|
||||||
sane.dns.zones."uninsane.org".inet.AAAA."doof.tunnel" = "2602:fce8:106::51";
|
# sane.dns.zones."uninsane.org".inet.AAAA."doof.tunnel" = "2602:fce8:106::51"; #< TODO: enable IPv6
|
||||||
networking.wireguard.interfaces.wg-doof = let
|
networking.wireguard.interfaces.wg-doof = bridgedWireguardNamespace {
|
||||||
ip = "${pkgs.iproute2}/bin/ip";
|
|
||||||
in {
|
|
||||||
privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
|
privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
|
||||||
# wg is active only in this namespace.
|
# wg is active only in this namespace.
|
||||||
# run e.g. ip netns exec doof <some command like ping/curl/etc, it'll go through wg>
|
# run e.g. ip netns exec doof <some command like ping/curl/etc, it'll go through wg>
|
||||||
# sudo ip netns exec doof ping www.google.com
|
# sudo ip netns exec doof ping www.google.com
|
||||||
interfaceNamespace = "doof";
|
name = "doof";
|
||||||
ips = [
|
ip4 = "205.201.63.12";
|
||||||
"205.201.63.12/32"
|
# ip6 = "2602:fce8:106::51/128" #< TODO: enable IPv6
|
||||||
"2602:fce8:106::51/128"
|
|
||||||
];
|
|
||||||
peers = [
|
peers = [
|
||||||
{
|
{
|
||||||
publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
|
publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
|
||||||
|
@ -136,12 +139,9 @@ in
|
||||||
persistentKeepalive = 25; #< keep the NAT alive
|
persistentKeepalive = 25; #< keep the NAT alive
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
preSetup = ''
|
|
||||||
${ip} netns add doof || (test -e /run/netns/doof && echo "doof already exists")
|
vethSubnet = "10.0.2"; #< 10.0.2.x is used for forwarding traffic between the root namespace and the VPN namespace
|
||||||
'';
|
vpnDns = "1.1.1.1"; #< DNS requests inside the namespace are forwarded here (TODO: forward to the init namespace resolver)
|
||||||
postShutdown = ''
|
|
||||||
${ip} netns delete doof || echo "couldn't delete doof"
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# OVPN CONFIG (https://www.ovpn.com):
|
# OVPN CONFIG (https://www.ovpn.com):
|
||||||
|
|
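Review bot: The new `visibleTo.doof` option in the first hunk (its description on L43) states the mechanism but not the consequence that matters for a reviewer: enabling it makes a listener that was previously reachable only on localhost reachable from the doof.tunnel address, i.e. from the WireGuard side, so the description should say that next to `default = false`, e.g. `description = ''whether to forward inbound traffic on the doofnet vpn port to the corresponding localhost port. enabling this exposes a localhost-only listener to anything that can reach doof.tunnel; off by default.'';` (the enclosing option set this sits in starts before the hunk). In the second hunk, `vethSubnet = "10.0.2"` is a bare prefix whose uniqueness across namespaces is not checked anywhere visible, and the OVPN configuration that follows presumably carries its own; a comment naming which namespace owns which 10.0.x range, or an assertion inside `bridgedWireguardNamespace`, would turn a silent collision into a build failure. That helper now replaces the explicit `preSetup`/`postShutdown` netns create/delete that this commit removes, but it is defined outside the hunk, so whether the `doof` namespace and its veth pair are still torn down on shutdown cannot be confirmed from here.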