From fbe8c258591fb95cfbb2081349bdb13484b8a8ae Mon Sep 17 00:00:00 2001
From: cnst
Date: Sun, 20 Jul 2025 12:10:40 +0200
Subject: [PATCH] vpn v1

---
 hosts/sobotka/server.nix | 6 +++
 modules/default.nix | 2 +
 modules/nixos/services/agenix/default.nix | 1 +
 modules/server/deluge/default.nix | 2 +-
 modules/server/wireguard-netns/default.nix | 60 +++++++++++++++++++++
 secrets/secrets.nix | 1 +
 secrets/wgCredentials.age | Bin 0 -> 837 bytes
 7 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 modules/server/wireguard-netns/default.nix
 create mode 100644 secrets/wgCredentials.age

diff --git a/hosts/sobotka/server.nix b/hosts/sobotka/server.nix
index 70e7bb5e..d8f5acf3 100644
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -28,5 +28,11 @@
 credentialsFile = config.age.secrets.vaultwardenCloudflared.path;
 };
 };
+ deluge.enable = true;
+ wireguard-netns = {
+ enable = true;
+ namespace = "vpn";
+ configFile = config.age.secrets.wireguardCredentials.path;
+ };
 };
 }
diff --git a/modules/default.nix b/modules/default.nix
index fa9b6cd0..a3aeca93 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -126,6 +126,8 @@
 ./server/vaultwarden
 ./server/prowlarr
 ./server/lidarr
+ ./server/deluge
+ ./server/wireguard-netns
 ];
 };
 settings = {
diff --git a/modules/nixos/services/agenix/default.nix b/modules/nixos/services/agenix/default.nix
index 74f22a64..a6598565 100644
--- a/modules/nixos/services/agenix/default.nix
+++ b/modules/nixos/services/agenix/default.nix
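Review bot: `configFile = config.age.secrets.wireguardCredentials.path;` refers to a secret this patch never declares; the agenix hunk registers the file as `wgCredentials`, so unless `wireguardCredentials` is defined somewhere outside this diff, evaluation fails on an undefined attribute. Change the line to `configFile = config.age.secrets.wgCredentials.path;` (or rename the agenix entry to match). The `namespace = "vpn";` set here is also the only place the namespace name appears on the host side, and nothing in this hunk passes it on to the deluge module that `deluge.enable = true;` turns on, so it is worth confirming that deluge's own namespace setting defaults to the same value. The enclosing attribute set opens before this hunk.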
@@ -60,6 +60,7 @@ in {
 cloudflareFirewallApiKey.file = "${self}/secrets/cloudflareFirewallApiKey.age";
 cloudflareDnsApiToken.file = "${self}/secrets/cloudflareDnsApiToken.age";
 cloudflareDnsCredentials.file = "${self}/secrets/cloudflareDnsCredentials.age";
+ wgCredentials.file = "${self}/secrets/wgCredentials.age";
 vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
 vaultwarden-env.file = "${self}/secrets/vaultwarden-env.age";
 homepage-env.file = "${self}/secrets/homepage-env.age";
diff --git a/modules/server/deluge/default.nix b/modules/server/deluge/default.nix
index 9c3673fb..15f14c46 100644
--- a/modules/server/deluge/default.nix
+++ b/modules/server/deluge/default.nix
@@ -58,7 +58,7 @@ in {
 "network-online.target"
 "${ns}.service"
 ];
- services.deluged.serviceConfig.NetworkNamespacePath = ["/var/run/netns/${ns}"];
+ services.deluged.serviceConfig.NetworkNamespacePath = "/var/run/netns/${ns}";
 sockets."deluged-proxy" = {
 enable = true;
 description = "Socket for Proxy to Deluge WebUI";
diff --git a/modules/server/wireguard-netns/default.nix b/modules/server/wireguard-netns/default.nix
new file mode 100644
index 00000000..1fe12422
--- /dev/null
+++ b/modules/server/wireguard-netns/default.nix
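Review bot: The dependency entry `"${ns}.service"` in this hunk does not name the unit the new wireguard-netns module creates, which is `netns@${cfg.namespace}.service` (`netns@vpn.service` for the default), unless `ns` in this file already holds `netns@vpn` rather than the plain namespace name; `ns` is defined outside the hunk, so please confirm. If it is the plain name, deluged is ordered after a unit that does not exist and starts while `/var/run/netns/${ns}` is still absent, so `NetworkNamespacePath` makes it fail rather than leak outside the tunnel, but the service never comes up. Since the list whose opening lies before this hunk appears to be an ordering list, consider also binding the lifetime with `bindsTo = ["netns@${ns}.service"];` on the deluged unit so it is stopped whenever the namespace is torn down.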
@@ -0,0 +1,60 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.server.wireguard-netns;
+in {
+ options.server.wireguard-netns = {
+ enable = lib.mkEnableOption "Enable a network namespace with WireGuard VPN";
+ configFile = lib.mkOption {
+ type = lib.types.path;
+ description = "Path to the WireGuard configuration file (e.g., mullvad.conf)";
+ };
+ namespace = lib.mkOption {
+ type = lib.types.str;
+ default = "vpn";
+ description = "Name of the network namespace";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services."netns@${cfg.namespace}" = {
+ description = "WireGuard VPN netns (${cfg.namespace})";
+ after = ["network-online.target"];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = pkgs.writeShellScript "netns-${cfg.namespace}-setup" ''
+ set -eux
+
+ CONFIG=${cfg.configFile}
+ NS=${cfg.namespace}
+ ADDR=$(awk -F' *= *' '/^Address/ { print $2 }' "$CONFIG")
+ DNS=$(awk -F' *= *' '/^DNS/ { print $2 }' "$CONFIG")
+
+ # Clean up any existing netns
+ ip netns delete "$NS" 2>/dev/null || true
+
+ ip netns add "$NS"
+ ip link add wg0 type wireguard
+ ip link set wg0 netns "$NS"
+ ip -n "$NS" addr add "$ADDR" dev wg0
+ ip -n "$NS" link set wg0 up
+ ip netns exec "$NS" wg setconf wg0 "$CONFIG"
+ ip netns exec "$NS" ip link set lo up
+ ip netns exec "$NS" ip route add default dev wg0
+
+ # Set DNS
+ mkdir -p /etc/netns/"$NS"
+ echo "nameserver $DNS" > /etc/netns/"$NS"/resolv.conf
+ '';
+ ExecStop = pkgs.writeShellScript "netns-${cfg.namespace}-teardown" ''
+ ip netns delete ${cfg.namespace} || true
+ '';
+ };
+ };
+ };
+}
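Review bot: `ip netns exec "$NS" wg setconf wg0 "$CONFIG"` hands wg(8) the same file the script has just pulled `Address` and `DNS` out of; those keys are wg-quick extensions that `wg setconf` does not accept, so unless the file has already been stripped of them this line is expected to fail with an unrecognized-line error and, under `set -e`, abort the unit before the resolv.conf step. One way to keep a single secret file is to filter on the way in, e.g. `ip netns exec "$NS" wg setconf wg0 <(grep -vE '^(Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig)' "$CONFIG")` (writeShellScript runs under bash, so process substitution is available). Separately, `type = lib.types.path;` together with the interpolation `CONFIG=${cfg.configFile}` means a caller who follows the description's "e.g., mullvad.conf" and passes a Nix path literal has the file, private key included, copied into the world-readable Nix store; the server.nix hunk passes an agenix runtime path string, which avoids that, so either use `type = lib.types.str;` or change the description to `"Runtime path to the WireGuard config (a string such as an agenix .path, never a Nix path literal, which would copy the private key into the world-readable store)"`. Lastly, both awk extractions print the whole value, so a comma-separated `Address` or `DNS` list, if the config carries one, makes `ip addr add` fail and yields an invalid `nameserver` line; take the first entry or loop over them.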
@@ -17,4 +17,5 @@ in { "vaultwardenCloudflared.age".publicKeys = [cnst kima usobotka rsobotka]; "cloudflareDnsApiToken.age".publicKeys = [cnst kima usobotka rsobotka]; "cloudflareDnsCredentials.age".publicKeys = [cnst kima usobotka rsobotka]; + "wgCredentials.age".publicKeys = [cnst kima usobotka rsobotka]; } diff --git a/secrets/wgCredentials.age b/secrets/wgCredentials.age new file mode 100644 index 0000000000000000000000000000000000000000..608b3adb299763ed41748880078e366722330031 GIT binary patch literal 837 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSHvCQ;$O;;#S^mcc3 zcMq#FG}2BA2sdyqa?Ob_bgN7W3--u&2=r$56I8(@kp=I_O>W5^)=6R%_wrpwm`SdJ2cYQ%~7GyGbBCIG^8{qz%<7# z%iTBC-Pt%I#iTqkvM8gipsF<8GAN?R+^jgHGT1*q zFE7(FBGA*)uSnb3G%?vJz#t;PI}+VCbF-j~&_IRY68Ff0K#L%g!fd0+ps0}K3TsT;K%)W^Cw+?$Col6f-wMOBKHF0*b@DN{TBCi;Ppejm#W# zOG3HW+Z`s&D~UB(7wo`cHgoMh!!3EgS4CzwP4<6$(`?qQd1pT-&y)(y+Ii8meSx^T z+PkI6d*59!3{;ES)#z&5E-e+WE_U^A+@*E(u1mj7{&8XY@Aof5H3NT@A1T&URkYZU z@uj#cCy;fM*3^F?K_!`!6^SATuhc13hg|GSdUMe6t0v-&^##aCy= z7LXw++;e2|ZAIU_Rf4~#p13Tbx%d;G>(L*|n*W&3D1MH5cgpQr&z-NeYhzdWce`)3 z&}7Vic;u7g!?3b6bB6p~*XM>d9?_BB_0(!@swSJ2^?Q}(9<8fWoijJK2&G)(^HX%ce28z4{46fHzVtHh10F>`Z@zojKlf(QhwY&i^<7f}RZQNs or_ZkV^HyQn(+M%&E8{nQm2*-Eo&EX8q_q}Zr+SU}ZWZ?c0IwNDE&u=k literal 0 HcmV?d00001