diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix
index f202d28..c2d4639 100644
--- a/hosts/yevaud/default.nix
+++ b/hosts/yevaud/default.nix
@@ -6,6 +6,7 @@
 ./networking.nix
 ./experiments/birdsong-dns.nix
+ ./experiments/pennykettle.nix
 ];
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix
new file mode 100644
index 0000000..98e84c6
--- /dev/null
+++ b/hosts/yevaud/experiments/pennykettle.nix
@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = [ "ve-pennykettle1" ];
+ networking.nat.externalInterface = "ens3";
+ networking.firewall.allowedUDPPorts = [ 51821 ];
+
+ containers."pennykettle1" = {
+ privateNetwork = true;
+ extraVeths."ve-pennykettle1" = {
+ hostAddress = "10.235.1.1";
+ localAddress = "10.235.2.1";
+ forwardPorts = [{ hostPort = 51821; }];
+ };
+ ephemeral = true;
+ autoStart = true;
+ bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle1.path;
+
+ config = { config, pkgs, ... }: {
+ system.stateVersion = "24.05";
+ systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
+ environment.systemPackages = [ pkgs.wireguard-tools ];
+
+ networking.useDHCP = false;
+ networking.useHostResolvConf = false;
+ networking.firewall.allowedUDPPorts = [ 51821 ];
+ systemd.network = {
+ enable = true;
+
+ networks."10-ve" = {
+ matchConfig.Name = "ve-pennykettle1";
+ networkConfig.Address = "10.235.2.1/32";
+ # linkConfig.RequiredForOnline = "routable";
+ routes = [{
+ routeConfig = {
+ Gateway = "10.235.1.1";
+ Destination = "217.138.216.162/32";
+ };
+ }];
+ };
+
+ networks."30-protonvpn" = {
+ matchConfig.Name = "wg-protonvpn";
+ networkConfig = {
+ DefaultRouteOnDevice = true;
+ Address = [ "10.2.0.2/32" ];
+ DNS = "10.2.0.1";
+ };
+ linkConfig = {
+ RequiredForOnline = "yes";
+ ActivationPolicy = "always-up";
+ };
+ };
+
+ netdevs."30-protonvpn" = {
+ netdevConfig = {
+ Name = "wg-protonvpn";
+ Kind = "wireguard";
+ Description = "WireGuard tunnel to ProtonVPN (DE#1; NAT: strict, no port forwarding)";
+ };
+ wireguardConfig = {
+ ListenPort = 51821;
+ PrivateKeyFile = "/run/secrets/wg-key";
+ };
+ wireguardPeers = [{
+ wireguardPeerConfig = {
+ PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
+ AllowedIPs = "0.0.0.0/0";
+ Endpoint = "217.138.216.162:51820";
+ PersistentKeepalive = 5;
+ };
+ }];
+ };
+ };
+ };
+ };
+
+ age.secrets.protonvpn-pennykettle1 = {
+ file = ../../../secrets/protonvpn-pennykettle1.age;
+ owner = "root";
+ group = "systemd-network";
+ mode = "640";
+ };
+}
\ No newline at end of file
diff --git a/secrets.nix b/secrets.nix
index 82036db..61abf6e 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -10,6 +10,7 @@ let wireguard-peer-yevaud = [ machines.yevaud ] ++ keys.users.qenya; wireguard-peer-kalessin = [ machines.kalessin ] ++ keys.users.qenya; wireguard-peer-kilgharrah = [ machines.kilgharrah ] ++ keys.users.qenya; + protonvpn-pennykettle1 = [ machines.yevaud ] ++ keys.users.qenya; }; in builtins.listToAttrs (
diff --git a/secrets/protonvpn-pennykettle1.age b/secrets/protonvpn-pennykettle1.age
new file mode 100644
index 0000000..e58dc56
--- /dev/null
+++ b/secrets/protonvpn-pennykettle1.age
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 uJfgGw +h4WiWyMlQZ5iaMFTl/whUD0vJnIN0GYeqRbZ0MIH0o +eKio4DsSJlrvSAjmR0naDO/lmB78o7cy7QC9WZjHUa0 +-> ssh-ed25519 seJ9Iw xov8WY0TxEj5/wkWg1T0kmrbpXsNhDLnZwqyIg0eExA +wu5QApQk6K8Fu5XMTrWY2veoYbJVuQmn3DJXewVB860 +-> ssh-ed25519 900ILw N6RbpHr4Vwgm0BUCuMXzVo3VEgrl29NF8ZJU5Far7yk +KdA1dZXmcSF3cH9bVdmIbj7iZO3uuSY+isjswDzSu+Y +--- YtnS9FqXVat2hi9BLvX+71HEZDw3zcxIQ7Dp5+iao4c +a'|N7NT5]O0Sm<-1:dg^/u7N?XM~s.9cC \ No newline at end of file
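Review bot: `forwardPorts = [{ hostPort = 51821; }]` in the `containers."pennykettle1"` block forwards TCP, not UDP — NixOS container `forwardPorts` entries default to `protocol = "tcp"` as far as I recall — so the WireGuard listener on UDP 51821 is not reached through it; if the forward is intended it should read `forwardPorts = [{ hostPort = 51821; protocol = "udp"; }];`. That said, this peer dials out to `217.138.216.162:51820` with `PersistentKeepalive = 5` and the netdev description itself says the remote side does no port forwarding, so nothing needs to reach `ListenPort = 51821` from outside; dropping the host-side `networking.firewall.allowedUDPPorts`/`forwardPorts` entries and the container-side `allowedUDPPorts` removes an internet-exposed UDP service without changing how the tunnel works. `systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug"` reads like a leftover from bringing up the `10-ve` route (a `/32` address with a `Gateway` that is not on-link; if networkd rejects that route, `GatewayOnLink = true` in `routeConfig` is the usual fix) and will be very verbose on every start of this ephemeral container, so consider removing it once the route is confirmed working.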