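{ config, ... }:

let
  # Public IPv4 address this host is given on the far end of the tun-sea tunnel.
  # The same value is published as the DNS A record *and* assigned to the WireGuard
  # interface, so it is defined once here to keep the two from drifting apart.
  tunnelIpv4 = "205.201.63.12";
in
{
  # tun-sea config:
  # a dedicated network namespace ("doof") carries a WireGuard tunnel to tun-sea,
  # and `doof.tunnel.uninsane.org` advertises the address we hold on the far side.

  sane.dns.zones."uninsane.org".inet.A."doof.tunnel" = tunnelIpv4;
  # sane.dns.zones."uninsane.org".inet.AAAA."doof.tunnel" = "2602:fce8:106::51"; #< TODO: enable IPv6 (i have /128)

  # if the tunnel breaks, restart it manually:
  # - `systemctl restart netns-doof.service`
  # NOTE(review): no persistent-keepalive is configured here; if the sane.netns module
  # exposes one, it may reduce how often the manual restart above is needed — confirm.
  sane.netns.doof = {
    # veth pair joining the init namespace to the "doof" namespace (private RFC 1918 range).
    veth.initns.ipv4 = "10.0.2.5";
    veth.netns.ipv4 = "10.0.2.6";

    # policy-routing table for traffic steered into this namespace;
    # presumably must not collide with other sane.netns.* entries — verify against the module.
    routeTable = 12;

    # wg.port = 51821;
    #^ no listen port pinned: this side dials the peer's endpoint below, so it does not need
    #  a stable port of its own (the kernel picks an ephemeral one).

    # The WireGuard private key is a sops secret: only its runtime path is referenced here,
    # so the key material itself never lands in the nix store or in this repository.
    wg.privateKeyFile = config.sops.secrets.wg_doof_privkey.path;
    wg.address.ipv4 = tunnelIpv4;

    # The *remote* peer's public key. It is safe to commit, but it is the only thing that
    # authenticates the far end: whoever holds the matching private key receives every
    # packet routed through this namespace, so confirm it out-of-band when it changes.
    wg.peer.publicKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";

    # NOTE(review): this endpoint is a DNS name, yet DNS is deliberately unavailable inside
    # the namespace (see below). It only works if the sane.netns module resolves the name
    # before entering the namespace — confirm; the literal-IP form is kept as a fallback.
    wg.peer.endpoint = "tun-sea.doof.net:53263";
    # wg.peer.endpoint = "205.201.63.44:53263";
  };

  # DNS inside the doof namespace is intentionally left unconfigured.
  # Forwarding resolver traffic back to the root machine was considered — nothing inside
  # the namespace performs DNS except wireguard, and no external DNS requests would be
  # forwarded — but hickory-dns already occupies port 53 on the root machine, so the
  # namespace-side forwarder cannot bind there. That is acceptable: nothing in this
  # namespace actually needs a resolver.
  # sane.netns.doof.dns.ipv4 = config.sane.netns.doof.veth.netns.ipv4;
}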