net: communicate with the OVPNs network locally instead of over the public internet

2022-05-06 00:22:36 +00:00 · 2022-05-06 00:22:36 +00:00 · fa3ed520e2
commit fa3ed520e2
parent efe8a8447a
5 changed files with 35 additions and 4 deletions
--- a/config/net.nix
+++ b/config/net.nix
@ -39,6 +39,34 @@
    ];
  };

+  systemd.services.wg0veth = {
+    description = "veth pair to allow communication between host and wg0 netns";
+    after = [ "wireguard-wg0.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+
+      ExecStart = with pkgs; writeScript "wg0veth-start" ''
+        #!${bash}/bin/bash
+        # create veth pair
+        ${iproute2}/bin/ip link add ovpns-veth-a type veth peer name ovpns-veth-b
+        ${iproute2}/bin/ip addr add 10.0.1.5/24 dev ovpns-veth-a
+        ${iproute2}/bin/ip link set ovpns-veth-a up
+        # mv veth-b into the ovpns namespace
+        ${iproute2}/bin/ip link set ovpns-veth-b netns ovpns
+        ${iproute2}/bin/ip -n ovpns addr add 10.0.1.6/24 dev ovpns-veth-b
+        ${iproute2}/bin/ip -n ovpns link set ovpns-veth-b up
+      '';
+
+      ExecStop = with pkgs; writeScript "wg0veth-stop" ''
+        #!${bash}/bin/bash
+        ${iproute2}/bin/ip -n wg0 link del ovpns-veth-b
+        ${iproute2}/bin/ip link del ovpns-veth-a
+      '';
+    };
+  };
+
  # HURRICANE ELECTRIC CONFIG:
  # networking.sits = {
  #   hurricane = {
--- a/config/services/jackett.nix
+++ b/config/services/jackett.nix
@ -3,7 +3,7 @@
 {
  services.jackett.enable = true;

-  systemd.services.jackett.after = ["wireguard-wg0.service"];
+  systemd.services.jackett.after = ["wg0veth.service"];
  systemd.services.jackett.serviceConfig = {
    # run this behind the OVPN static VPN
    NetworkNamespacePath = "/run/netns/ovpns";
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@ -94,7 +94,8 @@
    forceSSL = true;
    enableACME = true;
    locations."/" = {
-      proxyPass = "http://ovpns.uninsane.org:9091";
+      # proxyPass = "http://ovpns.uninsane.org:9091";
+      proxyPass = "http://10.0.1.6:9091";
    };
  };

@ -102,7 +103,8 @@
    forceSSL = true;
    enableACME = true;
    locations."/" = {
-      proxyPass = "http://ovpns.uninsane.org:9117";
+      # proxyPass = "http://ovpns.uninsane.org:9117";
+      proxyPass = "http://10.0.1.6:9117";
    };
  };

--- a/config/services/postfix.nix
+++ b/config/services/postfix.nix
@ -27,6 +27,7 @@
  # keeping this the same as the hostname seems simplest
  services.opendkim.selector = "mx";

+  systemd.services.postfix.after = ["wg0veth.service"];
  systemd.services.postfix.serviceConfig = {
    # run this behind the OVPN static VPN
    NetworkNamespacePath = "/run/netns/ovpns";
--- a/config/services/transmission.nix
+++ b/config/services/transmission.nix
@ -28,7 +28,7 @@
  # transmission will by default not allow the world to read its files.
  services.transmission.downloadDirPermissions = "775";

-  systemd.services.transmission.after = ["wireguard-wg0.service"];
+  systemd.services.transmission.after = ["wg0veth.service"];
  systemd.services.transmission.serviceConfig = {
    # run this behind the OVPN static VPN
    NetworkNamespacePath = "/run/netns/ovpns";