colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

servo: hardcode the doof/ovpns listen ports, and forward them through the NAT

Browse Source
This commit is contained in:
Colin
2024-11-25 18:07:37 +00:00
parent 3ed0ff6611
commit 6be6c08e7c
3 changed files with 19 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
hosts/by-name/servo/net/doof.nix
View File

@@ -10,6 +10,7 @@
veth.initns.ipv4 = "10.0.2.5"; veth.initns.ipv4 = "10.0.2.5";
veth.netns.ipv4 = "10.0.2.6"; veth.netns.ipv4 = "10.0.2.6";
routeTable = 12; routeTable = 12;
wg.port = 51821;
wg.privateKeyFile = config.sops.secrets.wg_doof_privkey.path; wg.privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
wg.address.ipv4 = "205.201.63.12"; wg.address.ipv4 = "205.201.63.12";
wg.peer.publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU="; wg.peer.publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";

1
hosts/by-name/servo/net/ovpn.nix
View File

@@ -10,6 +10,7 @@
veth.netns.ipv4 = "10.0.1.6"; veth.netns.ipv4 = "10.0.1.6";
routeTable = 11; routeTable = 11;
dns.ipv4 = "46.227.67.134"; #< DNS requests inside the namespace are forwarded here dns.ipv4 = "46.227.67.134"; #< DNS requests inside the namespace are forwarded here
wg.port = 51822;
wg.privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path; wg.privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
wg.address.ipv4 = "185.157.162.178"; wg.address.ipv4 = "185.157.162.178";
wg.peer.publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs="; wg.peer.publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs=";

17
modules/netns.nix
View File

@@ -30,6 +30,9 @@ let
each netns gets its own routing table so that i can route a packet out by placing it in the table. each netns gets its own routing table so that i can route a packet out by placing it in the table.
''; '';
}; };
wg.port = mkOption {
type = types.port;
};
wg.privateKeyFile = mkOption { wg.privateKeyFile = mkOption {
type = types.path; type = types.path;
}; };
@@ -175,6 +178,11 @@ let
serviceConfig.RestartSteps = 9; # roughly: 10s, 30s, 50s, ... 180s, then keep the 180s retry serviceConfig.RestartSteps = 9; # roughly: 10s, 30s, 50s, ... 180s, then keep the 180s retry
script = '' script = ''
${ip} link add wg-${name} type wireguard ${ip} link add wg-${name} type wireguard
# listen on a public port. the other end of the tunnel doesn't send keepalives
# so i *hope* setting to a fixed port, which is opened in `sane.ports.ports`, make the tunnel more robust
${wg'} set wg-${name} listen-port ${builtins.toString wg.port}
# resolve the endpoint *now*, from a namespace which can do DNS lookups, before moving it into its destination netns # resolve the endpoint *now*, from a namespace which can do DNS lookups, before moving it into its destination netns
# at this point, our wg device can neither send nor receive traffic, because we haven't given it a private key. # at this point, our wg device can neither send nor receive traffic, because we haven't given it a private key.
# hence, it's 100% safe to configure peers even inside the root ns at this point. # hence, it's 100% safe to configure peers even inside the root ns at this point.
@@ -210,6 +218,14 @@ let
]; ];
}; };
sane.ports.ports."${builtins.toString wg.port}" = {
protocol = [ "udp" ];
visibleTo.lan = true;
visibleTo.wan = true;
# visibleTo.doof = true;
description = "colin-wireguard-${name}";
};
# for some reason network-pre doesn't actually get run before network.target by default?? # for some reason network-pre doesn't actually get run before network.target by default??
systemd.targets.network-pre.wantedBy = [ "network.target" ]; systemd.targets.network-pre.wantedBy = [ "network.target" ];
systemd.targets.network-pre.before = [ "network.target" ]; systemd.targets.network-pre.before = [ "network.target" ];
@@ -263,6 +279,7 @@ in
networking.localCommands = f.networking.localCommands; networking.localCommands = f.networking.localCommands;
networking.iproute2.rttablesExtraConfig = f.networking.iproute2.rttablesExtraConfig; networking.iproute2.rttablesExtraConfig = f.networking.iproute2.rttablesExtraConfig;
networking.iproute2.enable = f.networking.iproute2.enable; networking.iproute2.enable = f.networking.iproute2.enable;
sane.ports.ports = f.sane.ports.ports;
systemd.services = f.systemd.services; systemd.services = f.systemd.services;
systemd.targets = f.systemd.targets; systemd.targets = f.systemd.targets;
}; };