ip_forward: consolidate the options to fix servo build

hosts/by-name/servo/net.nix

@@ -24,9 +24,6 @@ in
     sane.ports.openFirewall = true;
     sane.ports.openUpnp = true;
 
-    # this is needed to forward packets from the VPN to the host
-    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-
     # unless we add interface-specific settings for each VPN, we have to define nameservers globally.
     # networking.nameservers = [
     #   "1.1.1.1"

hosts/common/net/default.nix

@@ -20,6 +20,11 @@
   # networking.firewall.checkReversePath = false;  # or "loose" to keep it partially.
   # networking.firewall.enable = false;  #< set false to debug
 
+  # this is needed to forward packets from the VPN to the host.
+  # this is required separately by servo and by any `sane-vpn` users,
+  # however Nix requires this be set centrally, in only one location (i.e. here)
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
   # the default backend is "wpa_supplicant".
   # wpa_supplicant reliably picks weak APs to connect to.
   # see: <https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/474>

hosts/common/net/vpn.nix

@@ -156,10 +156,6 @@ let
     };
   };
 in lib.mkMerge [
-  {
-    # has to be here instead of in the VPN definitions because it can't be defined more than once (even if identical)
-    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  }
   (def-ovpn "us" {
     endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
     publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";