refactor: servo: hardcode OVPN-related IP addresses in far fewer places

hosts/by-name/servo/services/coturn.nix

@@ -36,7 +36,8 @@
 #   - rb = received bytes
 #   - sp = sent packets
 #   - sb = sent bytes
-{ lib, ... }:
+
+{ config, lib, ... }:
 let
   # TURN port range (inclusive).
   # default coturn behavior is to use the upper quarter of all ports. i.e. 49152 - 65535.
@@ -130,11 +131,11 @@ in
     "verbose"
     # "Verbose"  #< even MORE verbosity than "verbose"  (it's TOO MUCH verbosity really)
     "no-multicast-peers"  # disables sending to IPv4 broadcast addresses (e.g. 224.0.0.0/3)
-    # "listening-ip=10.0.1.5" "external-ip=185.157.162.178"  #< 2024/04/25: works, if running in root namespace
-    "listening-ip=185.157.162.178" "external-ip=185.157.162.178"
+    # "listening-ip=${config.sane.netns.ovpns.hostVethIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}"  #< 2024/04/25: works, if running in root namespace
+    "listening-ip=${config.sane.netns.ovpns.netnsPubIpv4}" "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}"
 
     # old attempts:
-    # "external-ip=185.157.162.178/10.0.1.5"
+    # "external-ip=${config.sane.netns.ovpns.netnsPubIpv4}/${config.sane.netns.ovpns.hostVethIpv4}"
     # "listening-ip=10.78.79.51"  # can be specified multiple times; omit for *
     # "external-ip=97.113.128.229/10.78.79.51"
     # "external-ip=97.113.128.229"

hosts/by-name/servo/services/email/postfix.nix

@@ -1,6 +1,6 @@
 # postfix config options: <https://www.postfix.org/postconf.5.html>
 
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 let
   submissionOptions = {
@@ -56,8 +56,7 @@ in
 
   sane.dns.zones."uninsane.org".inet = {
     MX."@" = "10 mx.uninsane.org.";
-    # XXX: RFC's specify that the MX record CANNOT BE A CNAME
-    A."mx" = "185.157.162.178";
+    A."mx" = "%AOVPNS%"; #< XXX: RFC's specify that the MX record CANNOT BE A CNAME. TODO: use "%AOVPNS%?
 
     # Sender Policy Framework:
     #   +mx     => mail passes if it originated from the MX

hosts/by-name/servo/services/jackett.nix

@@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 lib.mkIf false  #< TODO: re-enable once confident of sandboxing
 {
@@ -13,7 +13,7 @@ lib.mkIf false  #< TODO: re-enable once confident of sandboxing
   systemd.services.jackett.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";
-    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ];  # abort if public IP is not as expected
+    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
 
     # patch jackett to listen on the public interfaces
     # ExecStart = lib.mkForce "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder /var/lib/jackett/.config/Jackett --ListenPublic";
@@ -25,8 +25,7 @@ lib.mkIf false  #< TODO: re-enable once confident of sandboxing
     enableACME = true;
     # inherit kTLS;
     locations."/" = {
-      # proxyPass = "http://ovpns.uninsane.org:9117";
-      proxyPass = "http://10.0.1.6:9117";
+      proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9117";
       recommendedProxySettings = true;
     };
   };

hosts/by-name/servo/services/slskd.nix

@@ -32,7 +32,7 @@
     forceSSL = true;
     enableACME = true;
     locations."/" = {
-      proxyPass = "http://10.0.1.6:5030";
+      proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:5030";
       proxyWebsockets = true;
     };
   };
@@ -71,7 +71,7 @@
   systemd.services.slskd.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";
-    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ];  # abort if public IP is not as expected
+    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
 
     Restart = lib.mkForce "always";  # exits "success" when it fails to connect to soulseek server
     RestartSec = "60s";

hosts/by-name/servo/services/transmission.nix

@@ -106,8 +106,8 @@ lib.mkIf false  #< TODO: re-enable once confident of sandboxing
     # DOCUMENTATION/options list: <https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md#options>
 
     # message-level = 3;  #< enable for debug logging. 0-3, default is 2.
-    # 10.0.1.6 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
-    rpc-bind-address = "10.0.1.6";
+    # ovpns.netnsVethIpv4 => allow rpc only from the root servo ns. it'll tunnel things to the net, if need be.
+    rpc-bind-address = config.sane.netns.ovpns.netnsVethIpv4;
     #rpc-host-whitelist = "bt.uninsane.org";
     #rpc-whitelist = "*.*.*.*";
     rpc-authentication-required = true;
@@ -118,7 +118,7 @@ lib.mkIf false  #< TODO: re-enable once confident of sandboxing
     rpc-whitelist-enabled = false;
 
     # force behind ovpns in case the NetworkNamespace fails somehow
-    bind-address-ipv4 = "185.157.162.178";
+    bind-address-ipv4 = config.sane.netns.ovpns.netnsPubIpv4;
     port-forwarding-enabled = false;
 
     # hopefully, make the downloads world-readable
@@ -160,7 +160,7 @@ lib.mkIf false  #< TODO: re-enable once confident of sandboxing
   systemd.services.transmission.serviceConfig = {
     # run this behind the OVPN static VPN
     NetworkNamespacePath = "/run/netns/ovpns";
-    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect 185.157.162.178" ];  # abort if public IP is not as expected
+    ExecStartPre = [ "${lib.getExe pkgs.sane-scripts.ip-check} --no-upnp --expect ${config.sane.netns.ovpns.netnsPubIpv4}" ];  # abort if public IP is not as expected
 
     Restart = "on-failure";
     RestartSec = "30s";
@@ -190,7 +190,7 @@ lib.mkIf false  #< TODO: re-enable once confident of sandboxing
     # inherit kTLS;
     locations."/" = {
       # proxyPass = "http://ovpns.uninsane.org:9091";
-      proxyPass = "http://10.0.1.6:9091";
+      proxyPass = "http://${config.sane.netns.ovpns.netnsVethIpv4}:9091";
     };
   };
 

hosts/by-name/servo/services/trust-dns.nix

@@ -4,8 +4,6 @@
 let
   dyn-dns = config.sane.services.dyn-dns;
   nativeAddrs = lib.mapAttrs (_name: builtins.head) config.sane.dns.zones."uninsane.org".inet.A;
-  bindOvpn = "10.0.1.5";
-  bindDoof = "10.0.2.5";
 in
 {
   sane.ports.ports."53" = {
@@ -48,9 +46,9 @@ in
     # it's best that we keep this identical, or a superset of, what org. lists as our NS.
     # so, org. can specify ns2/ns3 as being to the VPN, with no mention of ns1. we provide ns1 here.
     A."ns1" =    "%ANATIVE%";
-    A."ns2" =    "185.157.162.178";
-    A."ns3" =    "185.157.162.178";
-    A."ovpns" =  "185.157.162.178";
+    A."ns2" =    "%AOVPNS%";
+    A."ns3" =    "%AOVPNS%";
+    A."ovpns" =  "%AOVPNS%";
     NS."@" = [
       "ns1.uninsane.org."
       "ns2.uninsane.org."
@@ -92,7 +90,7 @@ in
       "%AWAN%" = "$(cat '${dyn-dns.ipPath}')";
       "%CNAMENATIVE%" = "servo.${flavor}";
       "%ANATIVE%" = nativeAddrs."servo.${flavor}";
-      "%AOVPNS%" = "185.157.162.178";
+      "%AOVPNS%" = config.sane.netns.ovpns.netnsPubIpv4;
     };
   in
   {
@@ -100,8 +98,8 @@ in
       substitutions = mkSubstitutions "wan";
       listenAddrsIpv4 = [
         nativeAddrs."servo.lan"
-        bindOvpn
-        bindDoof
+        config.sane.netns.ovpns.hostVethIpv4
+        config.sane.netns.doof.hostVethIpv4
       ];
     };
     lan = {