servo: doof net: add the capability to forward ports
This commit is contained in:
parent
7825ddc123
commit
456e0de872
|
@ -10,6 +10,13 @@ let
|
|||
whether to forward inbound traffic on the OVPN vpn port to the corresponding localhost port.
|
||||
'';
|
||||
};
|
||||
visibleTo.doof = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
whether to forward inbound traffic on the doofnet vpn port to the corresponding localhost port.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -113,19 +120,15 @@ in
|
|||
|
||||
# tun-sea config
|
||||
sane.dns.zones."uninsane.org".inet.A."doof.tunnel" = "205.201.63.12";
|
||||
sane.dns.zones."uninsane.org".inet.AAAA."doof.tunnel" = "2602:fce8:106::51";
|
||||
networking.wireguard.interfaces.wg-doof = let
|
||||
ip = "${pkgs.iproute2}/bin/ip";
|
||||
in {
|
||||
# sane.dns.zones."uninsane.org".inet.AAAA."doof.tunnel" = "2602:fce8:106::51"; #< TODO: enable IPv6
|
||||
networking.wireguard.interfaces.wg-doof = bridgedWireguardNamespace {
|
||||
privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
|
||||
# wg is active only in this namespace.
|
||||
# run e.g. ip netns exec doof <some command like ping/curl/etc, it'll go through wg>
|
||||
# sudo ip netns exec doof ping www.google.com
|
||||
interfaceNamespace = "doof";
|
||||
ips = [
|
||||
"205.201.63.12/32"
|
||||
"2602:fce8:106::51/128"
|
||||
];
|
||||
name = "doof";
|
||||
ip4 = "205.201.63.12";
|
||||
# ip6 = "2602:fce8:106::51/128" #< TODO: enable IPv6
|
||||
peers = [
|
||||
{
|
||||
publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
|
||||
|
@ -136,12 +139,9 @@ in
|
|||
persistentKeepalive = 25; #< keep the NAT alive
|
||||
}
|
||||
];
|
||||
preSetup = ''
|
||||
${ip} netns add doof || (test -e /run/netns/doof && echo "doof already exists")
|
||||
'';
|
||||
postShutdown = ''
|
||||
${ip} netns delete doof || echo "couldn't delete doof"
|
||||
'';
|
||||
|
||||
vethSubnet = "10.0.2"; #< 10.0.2.x is used for forwarding traffic between the root namespace and the VPN namespace
|
||||
vpnDns = "1.1.1.1"; #< DNS requests inside the namespace are forwarded here (TODO: forward to the init namespace resolver)
|
||||
};
|
||||
|
||||
# OVPN CONFIG (https://www.ovpn.com):
|
||||
|
|
Loading…
Reference in New Issue
Block a user