christoph/flake-nixinator
1
Fork 0
Code Activity
Files
43ed6d3fa3afce1fb85edd0f665a0ff64dcc364f
flake-nixinator/lib/networking.nix
Christoph Urlacher 86d5a574b8 Reformat
2024-06-01 19:33:30 +02:00

142 lines
3.9 KiB
Nix
Raw Blame History

# TODO: OpenVPN
{
inputs,
pkgs,
lib,
...
}: rec {
mkSystemdNetwork = interface: routable: {
# name = "enp0s31f6"; # Network interface name?
enable = true;
# See man systemd.link, man systemd.netdev, man systemd.network
matchConfig = {
# This corresponds to the [MATCH] section
Name = interface; # Match ethernet interface
};
# See man systemd.network
networkConfig = {
# This corresponds to the [NETWORK] section
DHCP = "yes";
# TODO: What does this all do?
# IPv6AcceptRA = true;
# MulticastDNS = "yes"; # Needed?
# LLMNR = "no"; # Needed?
# LinkLocalAddressing = "no"; # Needed?
};
linkConfig = {
# This corresponds to the [LINK] section
# RequiredForOnline = "routable";
RequiredForOnline =
if routable
then "routable"
else "no"; # Don't make nixos-rebuild wait for systemd-networkd-wait-online.service
};
};
mkStaticSystemdNetwork = {
interface,
ip,
router,
nameserver,
routable,
}: {
# name = "enp0s31f6"; # Network interface name?
enable = true;
# See man systemd.link, man systemd.netdev, man systemd.network
matchConfig = {
# This corresponds to the [MATCH] section
Name = interface; # Match ethernet interface
};
# Static IP + DNS + Gateway
address = ip;
gateway = router;
dns = nameserver;
# routes = [
# {
# routeConfig.Gateway = (lib.head router);
# }
# ];
# See man systemd.network
networkConfig = {
# This corresponds to the [NETWORK] section
DHCP = "no";
# TODO: What does this all do?
# IPv6AcceptRA = true;
# MulticastDNS = "yes"; # Needed?
# LLMNR = "no"; # Needed?
# LinkLocalAddressing = "no"; # Needed?
};
linkConfig = {
# This corresponds to the [LINK] section
# RequiredForOnline = "routable";
RequiredForOnline =
if routable
then "routable"
else "no"; # Don't make nixos-rebuild wait for systemd-networkd-wait-online.service
};
};
mkNetworkNamespace = name: ''
${pkgs.iproute}/bin/ip netns add ${name} # Create the Namespace
${pkgs.iproute}/bin/ip -n ${name} link set lo up # Enable the Loopback device
'';
killNetworkNamespace = name: ''
${pkgs.iproute}/bin/ip netns del ${name} # Delete the Namespace
'';
# VPN stuff
mkWireguardService = let
# NOTE: The interface and netns have the same name, so it's a bit confusing
mkWireguardTunnel = name: privatekey: publickey: endpoint: ''
${pkgs.iproute}/bin/ip link add ${name} type wireguard
${pkgs.iproute}/bin/ip link set ${name} netns ${name}
${pkgs.iproute}/bin/ip netns exec ${name} ${pkgs.wireguard-tools}/bin/wg set ${name} \
private-key /home/christoph/.secrets/wireguard/${privatekey} \
peer ${publickey} \
allowed-ips 0.0.0.0/0 \
endpoint ${endpoint}:51820
${pkgs.iproute}/bin/ip -n ${name} addr add 10.2.0.2/32 dev ${name}
${pkgs.iproute}/bin/ip -n ${name} link set ${name} up
${pkgs.iproute}/bin/ip -n ${name} route add default dev ${name}
'';
killWireguardTunnel = name: ''
${pkgs.iproute}/bin/ip -n ${name} link del ${name}
'';
in
name: privatekey: publickey: endpoint: {
description = "Wireguard ProtonVPN Server ${name}";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writeScript "${name}-up" ''
#! ${pkgs.bash}/bin/bash
${mkNetworkNamespace "${name}"}
${mkWireguardTunnel "${name}" "${privatekey}" "${publickey}" "${endpoint}"}
'';
ExecStop = pkgs.writeScript "wg0-de-115-down" ''
#! ${pkgs.bash}/bin/bash
${killWireguardTunnel "${name}"}
${killNetworkNamespace "${name}"}
'';
};
};
# mkOpenVPNService = let
# mkOpenVPNTunnel = "";
# killOpenVPNTunnel = "";
# in
# name: {};
}
View Git Blame Copy Permalink