From 428a2cd6154dae3808bcf31387ae6bccc38df583 Mon Sep 17 00:00:00 2001
From: cnst
Date: Sun, 20 Jul 2025 14:20:59 +0200
Subject: [PATCH] vpn v11
---
hosts/sobotka/default.nix | 34 ++++----
hosts/sobotka/server.nix | 2 +
modules/server/deluge/default.nix | 7 +-
modules/server/wireguard-netns/default.nix | 95 +++++++++++-----------
4 files changed, 69 insertions(+), 69 deletions(-)
diff --git a/hosts/sobotka/default.nix b/hosts/sobotka/default.nix
index 26710470..a3e07253 100644
--- a/hosts/sobotka/default.nix
+++ b/hosts/sobotka/default.nix
@@ -44,23 +44,23 @@ in {
 networking = {
 hostName = "sobotka";
 domain = "cnst.dev";
- wireguard = {
- interfaces.wg0 = {
- ips = [
- "127.0.0.1/8"
- ];
- peers = [
- {
- allowedIPs = [
- "192.168.88.13/24"
- ];
- # endpoint = "demo.wireguard.io:12913";
- publicKey = "cUeRvwTwrL5GRc4dHjea89RJSa1kh4kIA/sHYzmscyQ=";
- }
- ];
- privateKeyFile = config.age.secrets.wgSobotkaPrivateKey.path;
- };
- };
+ # wireguard = {
+ # interfaces.wg0 = {
+ # ips = [
+ # "127.0.0.1/8"
+ # ];
+ # peers = [
+ # {
+ # allowedIPs = [
+ # "192.168.88.13/24"
+ # ];
+ # # endpoint = "demo.wireguard.io:12913";
+ # publicKey = "cUeRvwTwrL5GRc4dHjea89RJSa1kh4kIA/sHYzmscyQ=";
+ # }
+ # ];
+ # privateKeyFile = config.age.secrets.wgSobotkaPrivateKey.path;
+ # };
+ # };
 };
 powerManagement.enable = false;
diff --git a/hosts/sobotka/server.nix b/hosts/sobotka/server.nix
index 392f349e..3ac263f5 100644
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -33,6 +33,8 @@
 enable = true;
 namespace = "vpn";
 configFile = config.age.secrets.wgCredentials.path;
+ privateIP = "10.68.145.193/32";
+ dnsIP = "10.64.0.1";
 };
 };
 }
diff --git a/modules/server/deluge/default.nix b/modules/server/deluge/default.nix
index bcb16b1b..aebc7663 100644
--- a/modules/server/deluge/default.nix
+++ b/modules/server/deluge/default.nix
@@ -66,6 +66,7 @@ in {
 };
 services."delugedproxy" = {
+ enable = true;
 description = "Proxy to Deluge in Network Namespace";
 requires = [
 "deluged.service"
@@ -79,10 +80,10 @@ in {
 JoinsNamespaceOf = "deluged.service";
 };
 serviceConfig = {
- Type = "simple";
+ User = config.services.deluge.user;
+ Group = config.services.deluge.group;
 ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd --exit-idle-time=5min 127.0.0.1:58846";
- PrivateNetwork = true;
- NetworkNamespacePath = "/var/run/netns/${ns}";
+ PrivateNetwork = "yes";
 };
 };
 };
diff --git a/modules/server/wireguard-netns/default.nix b/modules/server/wireguard-netns/default.nix
index dbe47417..591d12b7 100644
--- a/modules/server/wireguard-netns/default.nix
+++ b/modules/server/wireguard-netns/default.nix
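Review bot: `PrivateNetwork = "yes"` in the second hunk swaps a Nix boolean for a string; NixOS renders `true` as systemd's `yes`, and `enable = true` in the same file uses a boolean, so `PrivateNetwork = true;` is the consistent form. With `NetworkNamespacePath` removed, the proxy only ends up in the VPN namespace if `deluged.service` itself has `PrivateNetwork` or `NetworkNamespacePath` set so that `JoinsNamespaceOf` has a namespace to join; that unit is outside this diff, so worth confirming before relying on it. The added `User`/`Group` lines drop the proxy from root to the deluge account, which is the right direction.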
@@ -17,57 +17,54 @@ in {
 default = "vpn";
 description = "Name of the network namespace";
 };
+ privateIP = lib.mkOption {
+ type = lib.types.str;
+ };
+ dnsIP = lib.mkOption {
+ type = lib.types.str;
+ };
 };
-
- config = lib.mkIf cfg.enable (
- let
- netnsSetup = pkgs.writeShellApplication {
- name = "netns-${cfg.namespace}-setup";
- runtimeInputs = with pkgs; [iproute2 wireguard-tools gawk coreutils];
- text = ''
- set -eux
-
- CONFIG=${cfg.configFile}
- NS=${cfg.namespace}
- ADDR=$(awk -F' *= *' '/^Address/ { print $2 }' "$CONFIG")
- DNS=$(awk -F' *= *' '/^DNS/ { print $2 }' "$CONFIG")
- ip netns delete "$NS" 2>/dev/null || true
- ip netns add "$NS"
- ip link add wg0 type wireguard
- ip link set wg0 netns "$NS"
- IFS=',' read -ra ADDRS <<< "$ADDR"
- for ip in "''${ADDRS[@]}"; do
- ip -n "$NS" addr add "$ip" dev wg0
- done
- ip -n "$NS" link set wg0 up
- grep -vE '^(Address|DNS) *=' "$CONFIG" | ip netns exec "$NS" wg setconf wg0 /dev/stdin
- ip netns exec "$NS" ip link set lo up
- ip netns exec "$NS" ip route add default dev wg0
- mkdir -p /etc/netns/"$NS"
- echo "nameserver $DNS" > /etc/netns/"$NS"/resolv.conf
- '';
+ config = lib.mkIf cfg.enable {
+ systemd.services."netns@" = {
+ description = "%I network namespace";
+ before = ["network.target"];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
+ ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
 };
- netnsTeardown = pkgs.writeShellApplication {
- name = "netns-${cfg.namespace}-teardown";
- runtimeInputs = with pkgs; [iproute2];
- text = ''
- set -eu
- ip netns delete ${cfg.namespace} || true
- '';
- };
- in {
- systemd.services."netns@${cfg.namespace}" = {
- description = "WireGuard VPN netns (${cfg.namespace})";
- requires = ["network-online.target"];
- wantedBy = ["multi-user.target"];
+ };
+ environment.etc."netns/${cfg.namespace}/resolv.conf".text = "nameserver ${cfg.dnsIP}";
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- ExecStart = "${netnsSetup}/bin/netns-${cfg.namespace}-setup";
- ExecStop = "${netnsTeardown}/bin/netns-${cfg.namespace}-teardown";
- };
+ systemd.services.${cfg.namespace} = {
+ description = "${cfg.namespace} network interface";
+ bindsTo = ["netns@${cfg.namespace}.service"];
+ requires = ["network-online.target"];
+ after = ["netns@${cfg.namespace}.service"];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = with pkgs;
+ writers.writeBash "wg-up" ''
+ set -e
+ ${iproute2}/bin/ip link add wg0 type wireguard
+ ${iproute2}/bin/ip link set wg0 netns ${cfg.namespace}
+ ${iproute2}/bin/ip -n ${cfg.namespace} address add ${cfg.privateIP} dev wg0
+ ${iproute2}/bin/ip netns exec ${cfg.namespace} \
+ ${wireguard-tools}/bin/wg setconf wg0 ${cfg.configFile}
+ ${iproute2}/bin/ip -n ${cfg.namespace} link set wg0 up
+ ${iproute2}/bin/ip -n ${cfg.namespace} link set lo up
+ ${iproute2}/bin/ip -n ${cfg.namespace} route add default dev wg0
+ '';
+ ExecStop = with pkgs;
+ writers.writeBash "wg-down" ''
+ set -e
+ ${iproute2}/bin/ip -n ${cfg.namespace} route del default dev wg0
+ ${iproute2}/bin/ip -n ${cfg.namespace} link del wg0
+ '';
 };
- }
- );
+ };
+ };
 }
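Review bot: `wg setconf wg0 ${cfg.configFile}` in the new `wg-up` script feeds the whole credentials file to `wg setconf`, whereas the removed script filtered it with `grep -vE '^(Address|DNS) *='` first, because `wg setconf` accepts only the native `[Interface]`/`[Peer]` keys and aborts with a parsing error on wg-quick keys such as `Address` and `DNS`; unless the secret has been rewritten without those lines (not visible in this diff), the unit fails at start. Keeping the filter is a one-line change: `${gnugrep}/bin/grep -vE '^(Address|DNS) *=' ${cfg.configFile} | ${iproute2}/bin/ip netns exec ${cfg.namespace} ${wireguard-tools}/bin/wg setconf wg0 /dev/stdin`. Start is also no longer idempotent: a `wg0` left behind by an interrupted run makes `ip link add wg0` fail under `set -e`, where the old script tore the namespace down before recreating it; `${iproute2}/bin/ip -n ${cfg.namespace} link del wg0 2>/dev/null || true` before the add restores that. The new `privateIP` and `dnsIP` options have no `description`; suggest `description = "Address (CIDR) assigned to wg0 inside the namespace";` and `description = "Nameserver written to the namespace's resolv.conf";`.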