0d99293b2f
servo: split the doof/ovpns netns config into its own module
...
a big thing this gets me is that the attributes (like IP addresses) are now accessible via 'config' and i won't have to hardcode them so much
2024-06-17 09:25:10 +00:00
4c8695aae8
servo: fix missing route table for doof
2024-06-17 07:31:28 +00:00
456e0de872
servo: doof net: add the capability to forward ports
2024-06-17 07:20:23 +00:00
7825ddc123
servo: split out a "bridgedWireguardNamespace" helper for configuring ovpns VPN
...
i can re-use this to forward traffic over doof
2024-06-17 07:20:23 +00:00
dd47a5083c
servo: only forward ports to OVPN which are actually marked for visibility
2024-06-17 06:29:09 +00:00
14d5d9eb5a
servo: net: remove dead Hurricane Electric code
2024-06-17 06:04:29 +00:00
c21ddca1fd
servo: doof tunnel: enable IPv6 and forward-DNS records
2024-05-20 05:47:04 +00:00
3b99bb497b
servo: bridge to doof.net
2024-05-20 05:08:32 +00:00
c6a1f310a0
servo: net: actually assert that ovpns exists if we fail to add it
2024-03-26 11:13:10 +00:00
a725d42bf5
ip_forward: consolidate the options to fix servo build
2024-01-19 21:34:18 +00:00
d7a2bf9d26
servo: remove networking.useDHCP=false override
...
seems likely that the change to systemd-networkd renamed the ethernet interface, and so eth0.useDHCP wasn't right. this change seems to restore networking
2024-01-16 06:09:19 +00:00
851c15aa6d
vpn: port ovpnd connections to use systemd-network
...
this should allow better integration with e.g. systemd-run, in future
2024-01-16 03:20:40 +00:00
5b9c58dbc6
hosts/common: use servo-style dns on all machines
...
it'll be handy as i want to place individual applications inside VPNs/namespaces
2024-01-15 01:16:22 +00:00
58febf51bd
remove most useDHCP=false settings
...
networking.useDHCP was deprecated, and then later undeprecated: it's safe to keep it defaulted
2023-12-24 02:17:06 +00:00
827d9626d6
ports: actually forward ovpns ports into the root namespace
2023-10-17 09:42:13 +00:00
287817056f
refactor: sane.services.wan-ports -> sane.ports
2023-05-31 04:25:39 +00:00
5cc7ced859
dns: rework so that we branch to the LAN v.s. WAN results based on source IP of the query -- not interface.
...
this simplifies the UPnP forwards and the OVPN routing
2023-05-31 00:56:52 +00:00
4dc5378b3e
dns: give different results based on which port the request arrives from
...
WAN and VPN requests are served by local port 1053 and `wan.uninsane.org`.
LAN requests are served by port 53 and `servo.lan.uninsane.org`.
i'm not *super* fond of this. a recursive resolver of uninsane.org via the VPN will only ever get WAN addresses (broken).
we may prefer to do IP-based responses, maybe via the same Linux firewall rules that forward from VPN namespace to root namespace
2023-05-30 12:00:30 +00:00
35c9f2bf60
servo: enable UPnP port forwarding timer
2023-05-28 20:38:24 +00:00
c1ddddddc0
ports: hide behind services.sane.wan-ports
...
later i will use this to enable UPnP on relevant ports
2023-05-26 23:28:30 +00:00
a541e866a1
servo: remove the extraneous firewall enable statement. FW is enabled by default
2023-05-26 04:52:52 +00:00
74e3aa02b9
servo: disable DNSSEC to fix connectivity problems
2023-05-13 21:28:47 +00:00
5a232eb832
servo: fix secrets path
2023-01-19 23:57:40 +00:00
9301b95dbb
wg-home: move to shared module so that host and client config can be adjacent
2023-01-19 23:55:56 +00:00
d13bcc49ab
refactor hosts directory, and move ssh keys out of modules/data
...
longer-term, i want hosts/by-name to define host-specific data
that's accessible via the other hosts (things like pubkeys).
also the secrets management needs some rethinking. there's really not
much point in me specifying where *exactly* a secret comes from at its
use site. i should really be specifying secret store manifests; i.e.
"servo.yaml contains secrets X Y and Z", and leaving the rest up to
auto-computing.
2023-01-19 23:23:43 +00:00