From dfe00fabb4d162995001894728cd85ba22ec3fcc Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 16 Jun 2025 15:54:15 +0100 Subject: [PATCH 1/6] yevaud/pennykettle: Minor fixes to port forwarding --- hosts/yevaud/experiments/pennykettle.nix | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index 53f7661..883c458 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix @@ -5,8 +5,15 @@ networking.nat.enableIPv6 = true; networking.nat.internalInterfaces = [ "ve-pennykettle1" ]; networking.nat.externalInterface = "ens3"; + networking.nat.forwardPorts = [ + { + sourcePort = 51821; + destination = "[fc00::2]:51821"; + proto = "udp"; + } + ]; networking.firewall.allowedUDPPorts = [ 51821 ]; - + # RA = Router Advertisement (how a host finds a gateway IPv6 address for # SLAAC or DHCPv6). # networkd usually defaults this to true, but instead defaults it to false @@ -26,7 +33,6 @@ localAddress = "10.231.136.2"; hostAddress6 = "fc00::1"; localAddress6 = "fc00::2"; - forwardPorts = [{ hostPort = 51821; }]; }; ephemeral = true; autoStart = true; @@ -46,7 +52,7 @@ networks."10-ve" = { matchConfig.Name = "ve-pennykettle1"; networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ]; - # linkConfig.RequiredForOnline = "routable"; + linkConfig.RequiredForOnline = "yes"; routes = [{ Gateway = [ "10.231.136.1" "fc00::1" ]; Destination = "217.138.216.162"; @@ -56,7 +62,6 @@ networks."30-protonvpn" = { matchConfig.Name = "wg-protonvpn"; networkConfig = { - DefaultRouteOnDevice = true; Address = [ "10.2.0.2/32" ]; DNS = "10.2.0.1"; }; @@ -64,6 +69,10 @@ RequiredForOnline = "yes"; ActivationPolicy = "always-up"; }; + routes = [ + { Gateway = [ "0.0.0.0" ]; } + { Gateway = [ "::" ]; } + ]; }; netdevs."30-protonvpn" = { From 9cf30613f459e53e5ab90b5e16ad6a8a4fa0284c Mon Sep 17 00:00:00 2001 
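Review bot: The new `networking.nat.forwardPorts` entry makes the container's WireGuard listen port reachable from the internet via `ens3`, yet everything else in this file describes an initiator-only tunnel (a fixed `Endpoint`, `PersistentKeepalive`, and a netdev Description saying the provider does no port forwarding), which needs no inbound port at all. If the forward is not actually required, dropping it together with the pre-existing host `networking.firewall.allowedUDPPorts = [ 51821 ]` removes an internet-facing entry point for no loss of function. If it is required, the host-side `allowedUDPPorts` line still looks redundant: DNATed packets go through FORWARD rather than INPUT, and as far as this file shows nothing on the host itself listens on 51821 — worth confirming against the firewall module before relying on it. Note also that the entry only forwards to `[fc00::2]`, so IPv4 clients reaching the host on 51821 are not forwarded; PATCH 5/6 adds that counterpart, and it may be cleaner to introduce both here.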
From: Katherina Walshe-Grey Date: Mon, 16 Jun 2025 20:35:07 +0100 Subject: [PATCH 2/6] yevaud: Disable networkd Just so much more trouble than it's worth - NixOS containers are really not designed to work with it --- hosts/yevaud/experiments/pennykettle.nix | 12 ------------ hosts/yevaud/networking.nix | 1 - 2 files changed, 13 deletions(-) diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index 883c458..cf705e8 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix @@ -14,18 +14,6 @@ ]; networking.firewall.allowedUDPPorts = [ 51821 ]; - # RA = Router Advertisement (how a host finds a gateway IPv6 address for - # SLAAC or DHCPv6). - # networkd usually defaults this to true, but instead defaults it to false - # for ALL networks if ANY network has IPv6Forwarding enabled, on the - # (reasonable) assumption that a host doing IP forwarding is probably a - # network bridge. - # The kernel's RA implementation does this too, and the NixOS networking.nat - # module explicitly overrides that with sysctl, but networkd doesn't pay - # attention to that. - # We thus explicitly enable it, as otherwise external IPv6 is broken. - systemd.network.networks."40-ens3".networkConfig.IPv6AcceptRA = true; - containers."pennykettle1" = { privateNetwork = true; extraVeths."ve-pennykettle1" = { diff --git a/hosts/yevaud/networking.nix b/hosts/yevaud/networking.nix index 9423165..d54ca7f 100644 --- a/hosts/yevaud/networking.nix +++ b/hosts/yevaud/networking.nix @@ -1,6 +1,5 @@ { config, lib, pkgs, ... }: { - networking.useNetworkd = true; networking.interfaces.ens3.useDHCP = true; } From 7e61ad0aacaaebfe0472255e90d9eb3466b20b56 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 16 Jun 2025 20:35:33 +0100 Subject: [PATCH 3/6] yevaud/pennykettle: Fix IPv6 again --- hosts/yevaud/experiments/pennykettle.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index cf705e8..a8e2d45 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix @@ -75,7 +75,7 @@ }; wireguardPeers = [{ PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s="; - AllowedIPs = "0.0.0.0/0"; + AllowedIPs = [ "0.0.0.0/0" "::/0" ]; Endpoint = "217.138.216.162:51820"; PersistentKeepalive = 5; }]; From a7052e1b8f99dbcf6a95d15f2ef537f3a2f0382b Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 17 Jun 2025 12:01:37 +0100 Subject: [PATCH 4/6] yevaud/pennykettle: Run SOCKS server --- hosts/yevaud/experiments/pennykettle.nix | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index a8e2d45..77e6b23 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix @@ -59,7 +59,7 @@ }; routes = [ { Gateway = [ "0.0.0.0" ]; } - { Gateway = [ "::" ]; } + { Gateway = [ "::" ]; } # TODO: ipv6 out is still not working for unclear reasons ]; }; @@ -81,6 +81,11 @@ }]; }; }; + + networking.nat.enable = true; + networking.nat.enableIPv6 = true; + networking.nat.internalInterfaces = [ "ve-pennykettle1" ]; + networking.nat.externalInterface = "wg-protonvpn"; }; }; @@ -90,4 +95,16 @@ group = "systemd-network"; mode = "640"; }; + + # TODO: password-protect the proxy instead of relying on only listening over Tailscale + services.microsocks = { + enable = true; + port = 1080; + ip = "::"; + outgoingBindIp = "fc00::2"; + # authUsername = "testusername123"; + # authPasswordFile = pkgs.writeText "testpassword" "testpassworddonotuse"; + # execWrapper = "${lib.getExe pkgs.strace}"; + }; + networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 1080 ]; } From f590432b7d2db0e180484c1d3a9f8eba4448e3a8 Mon Sep 17 00:00:00 2001 
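Review bot: `outgoingBindIp = "fc00::2"` is the container's veth address (`localAddress6`), but this `services.microsocks` block sits at host level next to `age.secrets`, and the host's own address on that link is `hostAddress6 = "fc00::1"`; binding a non-local address will presumably fail with EADDRNOTAVAIL unless non-local bind is enabled, so either the service belongs inside the container config or the bind should be the host-side address, relying on the container NAT added in the previous hunk to carry it out the tunnel. Listening on `ip = "::"` with authentication commented out makes the proxy an open relay onto the VPN on every interface the firewall ever permits; binding to the Tailscale address instead (e.g. `ip = "<tailscale-address-placeholder>";`) keeps the `tailscale0` firewall rule as a second layer rather than the only one. The commented `authPasswordFile = pkgs.writeText ...` would place the password in the world-readable Nix store — when auth is turned on, point it at an agenix secret the way the wg key already is. The commented `execWrapper` strace line is leftover debugging and can be removed.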
From: Katherina Walshe-Grey Date: Tue, 17 Jun 2025 12:02:05 +0100 Subject: [PATCH 5/6] yevaud/pennykettle: Further IPv6 fixes --- hosts/yevaud/experiments/pennykettle.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index 77e6b23..3efd261 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix @@ -6,6 +6,11 @@ networking.nat.internalInterfaces = [ "ve-pennykettle1" ]; networking.nat.externalInterface = "ens3"; networking.nat.forwardPorts = [ + { + sourcePort = 51821; + destination = "10.231.136.2:51821"; + proto = "udp"; + } { sourcePort = 51821; destination = "[fc00::2]:51821"; From 5df6e93ae35383745221c32a2cd585e3bf52dc53 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 17 Jun 2025 12:14:29 +0100 Subject: [PATCH 6/6] yevaud/pennykettle: Standardise port numbers and interface names --- hosts/yevaud/experiments/pennykettle.nix | 34 ++++++++++++------------ 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index 3efd261..80395d3 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix 
@@ -3,25 +3,25 @@ { networking.nat.enable = true; networking.nat.enableIPv6 = true; - networking.nat.internalInterfaces = [ "ve-pennykettle1" ]; + networking.nat.internalInterfaces = [ "ve-pennykettle" ]; networking.nat.externalInterface = "ens3"; networking.nat.forwardPorts = [ { - sourcePort = 51821; - destination = "10.231.136.2:51821"; + sourcePort = 51820; + destination = "10.231.136.2:51820"; proto = "udp"; } { - sourcePort = 51821; - destination = "[fc00::2]:51821"; + sourcePort = 51820; + destination = "[fc00::2]:51820"; proto = "udp"; } ]; - networking.firewall.allowedUDPPorts = [ 51821 ]; + networking.firewall.allowedUDPPorts = [ 51820 ]; - containers."pennykettle1" = { + containers."pennykettle" = { privateNetwork = true; - extraVeths."ve-pennykettle1" = { + extraVeths."ve-pennykettle" = { hostAddress = "10.231.136.1"; localAddress = "10.231.136.2"; hostAddress6 = "fc00::1"; @@ -29,7 +29,7 @@ }; ephemeral = true; autoStart = true; - bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle1.path; + bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle.path; config = { config, pkgs, ... }: { system.stateVersion = "24.05"; @@ -38,12 +38,12 @@ networking.useDHCP = false; networking.useHostResolvConf = false; - networking.firewall.allowedUDPPorts = [ 51821 ]; + networking.firewall.allowedUDPPorts = [ 51820 ]; systemd.network = { enable = true; - networks."10-ve" = { - matchConfig.Name = "ve-pennykettle1"; + networks."10-ve-pennykettle" = { + matchConfig.Name = "ve-pennykettle"; networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ]; linkConfig.RequiredForOnline = "yes"; routes = [{ @@ -52,7 +52,7 @@ }]; }; - networks."30-protonvpn" = { + networks."30-wg-protonvpn" = { matchConfig.Name = "wg-protonvpn"; networkConfig = { Address = [ "10.2.0.2/32" ]; 
@@ -68,14 +68,14 @@ ]; }; - netdevs."30-protonvpn" = { + netdevs."30-wg-protonvpn" = { netdevConfig = { Name = "wg-protonvpn"; Kind = "wireguard"; Description = "WireGuard tunnel to ProtonVPN (DE#1; NAT: strict, no port forwarding)"; }; wireguardConfig = { - ListenPort = 51821; + ListenPort = 51820; PrivateKeyFile = "/run/secrets/wg-key"; }; wireguardPeers = [{ @@ -89,12 +89,12 @@ networking.nat.enable = true; networking.nat.enableIPv6 = true; - networking.nat.internalInterfaces = [ "ve-pennykettle1" ]; + networking.nat.internalInterfaces = [ "ve-pennykettle" ]; networking.nat.externalInterface = "wg-protonvpn"; }; }; - age.secrets.protonvpn-pennykettle1 = { + age.secrets.protonvpn-pennykettle = { file = ../../../secrets/protonvpn-pennykettle1.age; owner = "root"; group = "systemd-network";