yevaud: add experimental container with networking over vpn

hosts/yevaud/default.nix

@@ -6,6 +6,7 @@
     ./networking.nix
 
     ./experiments/birdsong-dns.nix
+    ./experiments/pennykettle.nix
   ];
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

hosts/yevaud/experiments/pennykettle.nix

@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking.nat.enable = true;
+  networking.nat.internalInterfaces = [ "ve-pennykettle1" ];
+  networking.nat.externalInterface = "ens3";
+  networking.firewall.allowedUDPPorts = [ 51821 ];
+
+  containers."pennykettle1" = {
+    privateNetwork = true;
+    extraVeths."ve-pennykettle1" = {
+      hostAddress = "10.235.1.1";
+      localAddress = "10.235.2.1";
+      forwardPorts = [{ hostPort = 51821; }];
+    };
+    ephemeral = true;
+    autoStart = true;
+    bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle1.path;
+
+    config = { config, pkgs, ... }: {
+      system.stateVersion = "24.05";
+      systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
+      environment.systemPackages = [ pkgs.wireguard-tools ];
+
+      networking.useDHCP = false;
+      networking.useHostResolvConf = false;
+      networking.firewall.allowedUDPPorts = [ 51821 ];
+      systemd.network = {
+        enable = true;
+
+        networks."10-ve" = {
+          matchConfig.Name = "ve-pennykettle1";
+          networkConfig.Address = "10.235.2.1/32";
+          # linkConfig.RequiredForOnline = "routable";
+          routes = [{
+            routeConfig = {
+              Gateway = "10.235.1.1";
+              Destination = "217.138.216.162/32";
+            };
+          }];
+        };
+
+        networks."30-protonvpn" = {
+          matchConfig.Name = "wg-protonvpn";
+          networkConfig = {
+            DefaultRouteOnDevice = true;
+            Address = [ "10.2.0.2/32" ];
+            DNS = "10.2.0.1";
+          };
+          linkConfig = {
+            RequiredForOnline = "yes";
+            ActivationPolicy = "always-up";
+          };
+        };
+
+        netdevs."30-protonvpn" = {
+          netdevConfig = {
+            Name = "wg-protonvpn";
+            Kind = "wireguard";
+            Description = "WireGuard tunnel to ProtonVPN (DE#1; NAT: strict, no port forwarding)";
+          };
+          wireguardConfig = {
+            ListenPort = 51821;
+            PrivateKeyFile = "/run/secrets/wg-key";
+          };
+          wireguardPeers = [{
+            wireguardPeerConfig = {
+              PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
+              AllowedIPs = "0.0.0.0/0";
+              Endpoint = "217.138.216.162:51820";
+              PersistentKeepalive = 5;
+            };
+          }];
+        };
+      };
+    };
+  };
+
+  age.secrets.protonvpn-pennykettle1 = {
+    file = ../../../secrets/protonvpn-pennykettle1.age;
+    owner = "root";
+    group = "systemd-network";
+    mode = "640";
+  };
+}

secrets.nix

@@ -10,6 +10,7 @@ let
     wireguard-peer-yevaud = [ machines.yevaud ] ++ keys.users.qenya;
     wireguard-peer-kalessin = [ machines.kalessin ] ++ keys.users.qenya;
     wireguard-peer-kilgharrah = [ machines.kilgharrah ] ++ keys.users.qenya;
+    protonvpn-pennykettle1 = [ machines.yevaud ] ++ keys.users.qenya;
   };
 in
 builtins.listToAttrs (

secrets/protonvpn-pennykettle1.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 uJfgGw +h4WiWyMlQZ5iaMFTl/whUD0vJnIN0GYeqRbZ0MIH0o
+eKio4DsSJlrvSAjmR0naDO/lmB78o7cy7QC9WZjHUa0
+-> ssh-ed25519 seJ9Iw xov8WY0TxEj5/wkWg1T0kmrbpXsNhDLnZwqyIg0eExA
+wu5QApQk6K8Fu5XMTrWY2veoYbJVuQmn3DJXewVB860
+-> ssh-ed25519 900ILw N6RbpHr4Vwgm0BUCuMXzVo3VEgrl29NF8ZJU5Far7yk
+KdA1dZXmcSF3cH9bVdmIbj7iZO3uuSY+isjswDzSu+Y
+--- YtnS9FqXVat2hi9BLvX+71HEZDw3zcxIQ7Dp5+iao4c
+¢¼ða'þš|<7C>‡N7N”†ÊT5]O¤0Säm<-1ë»ëª:d®„–›g¡^/
ä†u7µïNû?XþMçûìÄì~Þs.9c¾C