From 3c058d9b9aa0482c6ebf4559f255fa7322e5812a Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Tue, 24 Jun 2025 22:09:34 +0100
Subject: [PATCH 1/4] yevaud/pennykettle: Rewrite from scratch without networkd or microsocks
---
 hosts/yevaud/experiments/pennykettle.nix | 149 ++++++++---------------
 1 file changed, 50 insertions(+), 99 deletions(-)
diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix
index 80395d3..7453219 100644
--- a/hosts/yevaud/experiments/pennykettle.nix
+++ b/hosts/yevaud/experiments/pennykettle.nix
@@ -1,115 +1,66 @@
 { config, lib, pkgs, ... }: {
- networking.nat.enable = true;
- networking.nat.enableIPv6 = true;
- networking.nat.internalInterfaces = [ "ve-pennykettle" ];
- networking.nat.externalInterface = "ens3";
- networking.nat.forwardPorts = [
- {
- sourcePort = 51820;
- destination = "10.231.136.2:51820";
- proto = "udp";
- }
- {
- sourcePort = 51820;
- destination = "[fc00::2]:51820";
- proto = "udp";
- }
- ];
 networking.firewall.allowedUDPPorts = [ 51820 ];
+ networking.firewall.interfaces."tailscale0".allowedTCPPorts = config.networking.firewall.allowedTCPPorts ++ [ 1080 ];
- containers."pennykettle" = {
- privateNetwork = true;
- extraVeths."ve-pennykettle" = {
- hostAddress = "10.231.136.1";
- localAddress = "10.231.136.2";
- hostAddress6 = "fc00::1";
- localAddress6 = "fc00::2";
- };
- ephemeral = true;
- autoStart = true;
- bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle.path;
-
- config = { config, pkgs, ... }: {
- system.stateVersion = "24.05";
- systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
- environment.systemPackages = [ pkgs.wireguard-tools ];
-
- networking.useDHCP = false;
- networking.useHostResolvConf = false;
- networking.firewall.allowedUDPPorts = [ 51820 ];
- systemd.network = {
- enable = true;
-
- networks."10-ve-pennykettle" = {
- matchConfig.Name = "ve-pennykettle";
- networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ];
- linkConfig.RequiredForOnline = "yes";
- routes = [{
- Gateway = [ "10.231.136.1" "fc00::1" ];
- Destination = "217.138.216.162";
- }];
- };
-
- networks."30-wg-protonvpn" = {
- matchConfig.Name = "wg-protonvpn";
- networkConfig = {
- Address = [ "10.2.0.2/32" ];
- DNS = "10.2.0.1";
- };
- linkConfig = {
- RequiredForOnline = "yes";
- ActivationPolicy = "always-up";
- };
- routes = [
- { Gateway = [ "0.0.0.0" ]; }
- { Gateway = [ "::" ]; } # TODO: ipv6 out is still not working for unclear reasons
- ];
- };
-
- netdevs."30-wg-protonvpn" = 
{
- netdevConfig = {
- Name = "wg-protonvpn";
- Kind = "wireguard";
- Description = "WireGuard tunnel to ProtonVPN (DE#1; NAT: strict, no port forwarding)";
- };
- wireguardConfig = {
- ListenPort = 51820;
- PrivateKeyFile = "/run/secrets/wg-key";
- };
- wireguardPeers = [{
- PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
- AllowedIPs = [ "0.0.0.0/0" "::/0" ];
- Endpoint = "217.138.216.162:51820";
- PersistentKeepalive = 5;
- }];
- };
- };
-
- networking.nat.enable = true;
- networking.nat.enableIPv6 = true;
- networking.nat.internalInterfaces = [ "ve-pennykettle" ];
- networking.nat.externalInterface = "wg-protonvpn";
- };
+ environment.systemPackages = [ pkgs.wireguard-tools ];
+ networking.wireguard.interfaces."wg-protonvpn" = {
+ ips = [ "10.2.0.2/32" ];
+ peers = [{
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ endpoint = "217.138.216.162:51820";
+ publicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
+ }];
+ privateKeyFile = config.age.secrets.protonvpn-pennykettle1.path;
+ listenPort = 51820;
+ table = "957851094"; # randomly generated
 };
- age.secrets.protonvpn-pennykettle = {
+ networking.localCommands = ''
+ ip rule add from 10.2.0.2/32 table 957851094
+ '';
+ networking.firewall.checkReversePath = "loose";
+
+ age.secrets.protonvpn-pennykettle1 = {
 file = ../../../secrets/protonvpn-pennykettle1.age;
 owner = "root";
 group = "systemd-network";
 mode = "640";
 };
- # TODO: password-protect the proxy instead of relying on only listening over Tailscale
- services.microsocks = {
+ services.dante = {
 enable = true;
- port = 1080;
- ip = "::";
- outgoingBindIp = "fc00::2";
- # authUsername = "testusername123";
- # authPasswordFile = pkgs.writeText "testpassword" "testpassworddonotuse";
- # execWrapper = "${lib.getExe pkgs.strace}";
+ config = ''
+ debug: 2
+ internal: tailscale0
+ external: wg-protonvpn
+
+ # auth/tls handled by tailscale
+ clientmethod: none
+ socksmethod: none
+
+ # allow connections from tailscale
+ # "0/0" matches any v4 or v6 
address
+ client pass {
+ from: 100.64.0.0/10 to: 0/0
+ log: error connect disconnect
+ }
+ client pass {
+ from: fd7a:115c:a1e0::/48 to: 0/0
+ log: error connect disconnect
+ }
+
+ socks pass {
+ from: 0/0 to: 0/0
+ protocol: tcp udp
+ log: error connect disconnect iooperation
+ }
+ '';
+ };
+
+ systemd.services.dante = {
+ wants = [ "tailscaled-autoconnect.service" ];
+ after = [ "tailscaled-autoconnect.service" ];
 };
- networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 1080 ];
 }
From 43273d4689e6825052a6ddda270951ffe560e39c Mon Sep 17 00:00:00 2001
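Review bot: `networking.localCommands` issues `ip rule add from 10.2.0.2/32 table 957851094` with no matching delete, and as far as I recall the unit that runs local commands is re-executed on every activation, so depending on the iproute2/kernel pair this either fails with "File exists" and leaves the unit failed or stacks duplicate rules; the hunk does nothing to make it idempotent. The rule belongs to the tunnel's lifecycle: `postSetup = "ip rule add from 10.2.0.2/32 table 957851094";` and `preShutdown = "ip rule del from 10.2.0.2/32 table 957851094";` on `networking.wireguard.interfaces."wg-protonvpn"` add it once and remove it when the interface goes down (at minimum an `ip rule del ... 2>/dev/null || true` before the add). `age.secrets.protonvpn-pennykettle1` keeps `group = "systemd-network"; mode = "640";` from the networkd version even though the key is now consumed by the wireguard setup unit running as root, so the group grant is surplus and `mode = "600"` with no group is the least-privilege setting. The removed TODO about password-protecting the proxy is gone without anything recording the decision; the `# auth/tls handled by tailscale` comment would be more useful as `# access control is tailscale0 binding + the from: ranges below only; clientmethod/socksmethod none by design`, and `log: error connect disconnect iooperation` at `debug: 2` records per-transfer detail for every proxied connection, which is worth confirming as the intended steady-state verbosity.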
From: Katherina Walshe-Grey Date: Tue, 24 Jun 2025 22:11:16 +0100 Subject: [PATCH 2/4] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/4835b1dc898959d8547a871ef484930675cb47f1' (2025-05-18) → 'github:ryantm/agenix/531beac616433bac6f9e2a19feb8e99a22a66baf' (2025-06-17) • Updated input 'colmena': 'github:zhaofengli/colmena/58f1beb074881d7208def140af71b7864b6139e0' (2025-06-08) → 'github:zhaofengli/colmena/c61641b156dfa3e82fc0671e77fccf7d7ccfaa3b' (2025-06-12) • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/fe13e6abfe72b39ad8381595c3c404849330c3cb?dir=pkgs/firefox-addons' (2025-06-09) → 'gitlab:rycee/nur-expressions/aaaf4fec792bad465ea4a35c0be5bc2a54f33095?dir=pkgs/firefox-addons' (2025-06-24) • Updated input 'home-manager': 'github:nix-community/home-manager/7aae0ee71a17b19708b93b3ed448a1a0952bf111' (2025-06-05) → 'github:nix-community/home-manager/366f00797b1efb70f2882d3da485e3c10fd3d557' (2025-06-24) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/74d196c9943a67908d1883f61154e594d03863e5' (2025-06-09) → 'github:nix-community/home-manager/ff31a4677c1a8ae506aa7e003a3dba08cb203f82' (2025-06-24) • Updated input 'lix-module': 'https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz?narHash=sha256-11R4K3iAx4tLXjUs%2BhQ5K90JwDABD/XHhsM9nkeS5N8%3D&rev=cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc' (2025-05-10) → 'https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/c3c78a32273e89d28367d8605a4c880f0b6607e3.tar.gz?narHash=sha256-EfA5K5EZAnspmraJrXQlziffVpaT%2BQDBiE6yKmuaNNQ%3D&rev=c3c78a32273e89d28367d8605a4c880f0b6607e3' (2025-06-24) • Updated input 'lix-module/lix': 
'https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?narHash=sha256-hsFe4Tsqqg4l%2BFfQWphDtjC79WzNCZbEFhHI8j2KJzw%3D&rev=47aad376c87e2e65967f17099277428e4b3f8e5a' (2025-05-09) → 'https://git.lix.systems/api/v1/repos/lix-project/lix/archive/38b358ce27203f972faa2973cf44ba80c758f46e.tar.gz?narHash=sha256-LmQhjQ7c%2BAOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw%3D&rev=38b358ce27203f972faa2973cf44ba80c758f46e' (2025-06-24) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/70c74b02eac46f4e4aa071e45a6189ce0f6d9265' (2025-06-06) → 'github:NixOS/nixpkgs/c7ab75210cb8cb16ddd8f290755d9558edde7ee1' (2025-06-22) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/2b41bf05854399433a852b438bb5392dc56cbaba' (2025-06-07) → 'github:NixOS/nixpkgs/a5e9291e97f5ba0b4ba7d657ddedd5f86d11acfd' (2025-06-24) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/3e3afe5174c561dee0df6f2c2b2236990146329f' (2025-06-07) → 'github:NixOS/nixpkgs/4206c4cb56751df534751b058295ea61357bbbaa' (2025-06-21) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/0fc422d6c394191338c9d6a05786c63fc52a0f29' (2025-06-08) → 'github:NixOS/nixpkgs/4396a137499b6cc9f9fe9f3c266577bd52d455a4' (2025-06-24) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/3cc561e5c7c463785f0e79a518572afaa74c8377' (2025-06-09) → 'github:randomnetcat/nix-configs/1a2a536f5550c3b323e19f46d166340ad01745fd' (2025-06-24) --- flake.lock | 80 +++++++++++++++++++++++++++--------------------------- flake.nix | 2 +- 2 files changed, 41 insertions(+), 41 deletions(-) diff --git a/flake.lock b/flake.lock index f901e43..a70d4c4 100644 --- a/flake.lock +++ b/flake.lock 
@@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1747575206, - "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=", + "lastModified": 1750173260, + "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", "owner": "ryantm", "repo": "agenix", - "rev": "4835b1dc898959d8547a871ef484930675cb47f1", + "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", "type": "github" }, "original": { @@ -34,11 +34,11 @@ "stable": [] }, "locked": { - "lastModified": 1749409980, - "narHash": "sha256-I/Tvv5UN5DRYXTEy/+j7mYRsdoWQ+rCfrVoNEw0K/Ek=", + "lastModified": 1749739748, + "narHash": "sha256-csQQPoCA5iv+Nd9yCOCQNKflP7qUKEe7D27wsz+LPKM=", "owner": "zhaofengli", "repo": "colmena", - "rev": "58f1beb074881d7208def140af71b7864b6139e0", + "rev": "c61641b156dfa3e82fc0671e77fccf7d7ccfaa3b", "type": "github" }, "original": { @@ -55,11 +55,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1749441800, - "narHash": "sha256-bN4tccrmczfR4PUuepHpxNNmWG3cLZTFIt4BaD8YyvA=", + "lastModified": 1750737804, + "narHash": "sha256-wClGd2PhxdjjphR6wIgoiDcR+Gfg4/+FyseSOjIIzVU=", "owner": "rycee", "repo": "nur-expressions", - "rev": "fe13e6abfe72b39ad8381595c3c404849330c3cb", + "rev": "aaaf4fec792bad465ea4a35c0be5bc2a54f33095", "type": "gitlab" }, "original": { @@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1749154018, - "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=", + "lastModified": 1750792728, + "narHash": "sha256-Lh3dopA8DdY+ZoaAJPrtkZOZaFEJGSYjOdAYYgOPgE4=", "owner": "nix-community", "repo": "home-manager", - "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111", + "rev": "366f00797b1efb70f2882d3da485e3c10fd3d557", "type": "github" }, "original": { 
@@ -164,11 +164,11 @@ ] }, "locked": { - "lastModified": 1749483884, - "narHash": "sha256-HdyfdVx0NbgrVtLY4lXdX9X/YE3PZjGZFnSyoAy1GJc=", + "lastModified": 1750798083, + "narHash": "sha256-DTCCcp6WCFaYXWKFRA6fiI2zlvOLCf5Vwx8+/0R8Wc4=", "owner": "nix-community", "repo": "home-manager", - "rev": "74d196c9943a67908d1883f61154e594d03863e5", + "rev": "ff31a4677c1a8ae506aa7e003a3dba08cb203f82", "type": "github" }, "original": { @@ -180,15 +180,15 @@ "lix": { "flake": false, "locked": { - "lastModified": 1746827285, - "narHash": "sha256-hsFe4Tsqqg4l+FfQWphDtjC79WzNCZbEFhHI8j2KJzw=", - "rev": "47aad376c87e2e65967f17099277428e4b3f8e5a", + "lastModified": 1750762203, + "narHash": "sha256-LmQhjQ7c+AOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw=", + "rev": "38b358ce27203f972faa2973cf44ba80c758f46e", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?rev=47aad376c87e2e65967f17099277428e4b3f8e5a" + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/38b358ce27203f972faa2973cf44ba80c758f46e.tar.gz?rev=38b358ce27203f972faa2973cf44ba80c758f46e" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/2.93.0.tar.gz" + "url": "https://git.lix.systems/lix-project/lix/archive/release-2.93.tar.gz" } }, "lix-module": { 
@@ -201,24 +201,24 @@ ] }, "locked": { - "lastModified": 1746838955, - "narHash": "sha256-11R4K3iAx4tLXjUs+hQ5K90JwDABD/XHhsM9nkeS5N8=", - "rev": "cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc", + "lastModified": 1750776670, + "narHash": "sha256-EfA5K5EZAnspmraJrXQlziffVpaT+QDBiE6yKmuaNNQ=", + "rev": "c3c78a32273e89d28367d8605a4c880f0b6607e3", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz?rev=cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc" + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/c3c78a32273e89d28367d8605a4c880f0b6607e3.tar.gz?rev=c3c78a32273e89d28367d8605a4c880f0b6607e3" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz" + "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz" } }, "nixpkgs": { "locked": { - "lastModified": 1749237914, - "narHash": "sha256-N5waoqWt8aMr/MykZjSErOokYH6rOsMMXu3UOVH5kiw=", + "lastModified": 1750622754, + "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "70c74b02eac46f4e4aa071e45a6189ce0f6d9265", + "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1", "type": "github" }, "original": { @@ -245,11 +245,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1749330319, - "narHash": "sha256-5UnNMREFRBA2UHakpk2naiCvZCW0LtZ5GMzl3u9V9HA=", + "lastModified": 1750784235, + "narHash": "sha256-IYCCkKerO3lMUcMaDRLfwnfyPopQbGWF8iHRd0XcCBc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2b41bf05854399433a852b438bb5392dc56cbaba", + "rev": "a5e9291e97f5ba0b4ba7d657ddedd5f86d11acfd", "type": "github" }, "original": { 
@@ -261,11 +261,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1749285348, - "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=", + "lastModified": 1750506804, + "narHash": "sha256-VLFNc4egNjovYVxDGyBYTrvVCgDYgENp5bVi9fPTDYc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f", + "rev": "4206c4cb56751df534751b058295ea61357bbbaa", "type": "github" }, "original": { @@ -277,11 +277,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1749411262, - "narHash": "sha256-gRBkeW9l5lb/90lv1waQFNT+18OhITs11HENarh6vNo=", + "lastModified": 1750776346, + "narHash": "sha256-sWw7gz2B02fHQkmPSutVcoawLuiPT0hpztL0ldCnIy0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0fc422d6c394191338c9d6a05786c63fc52a0f29", + "rev": "4396a137499b6cc9f9fe9f3c266577bd52d455a4", "type": "github" }, "original": { @@ -317,11 +317,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1749435035, - "narHash": "sha256-hgkMTlwU1HGcGcP6Z8vuMupIBOZxqy2bX60TusJEnJA=", + "lastModified": 1750730821, + "narHash": "sha256-U5uW9mRSuA2dRaOyswmz2I0fUVQbGRSZROXIe2WKS+8=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "3cc561e5c7c463785f0e79a518572afaa74c8377", + "rev": "1a2a536f5550c3b323e19f46d166340ad01745fd", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 3fcba00..73fe576 100644 --- a/flake.nix +++ b/flake.nix @@ -7,7 +7,7 @@ lix-module = { # lix haven't figured out automatic updates yet: https://git.lix.systems/lix-project/nixos-module/issues/39 - url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz"; + url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz"; inputs.nixpkgs.follows = "nixpkgs"; }; From 094812e6f1b69d25e2a78f7c440265cdb5e1cf2f Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey
Date: Wed, 25 Jun 2025 01:14:11 +0100
Subject: [PATCH 3/4] kilgharrah: Install libdvdcss
---
 hosts/kilgharrah/hardware.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts/kilgharrah/hardware.nix b/hosts/kilgharrah/hardware.nix
index 89c6b59..0583c64 100644
--- a/hosts/kilgharrah/hardware.nix
+++ b/hosts/kilgharrah/hardware.nix
@@ -38,6 +38,7 @@
 withBDplus = true;
 });
 }).overrideAttrs (originalAttrs: {
+ buildInputs = originalAttrs.buildInputs ++ [ pkgs.libdvdcss ];
 # TODO: nixpkgs bug: libbluray needs patching to look at the nix store path of jdk17 when searching for a jdk
 # as a workaround, wrap vlc and set JAVA_HOME, which it uses instead of searching when specified
 nativeBuildInputs = originalAttrs.nativeBuildInputs ++ [ pkgs.makeWrapper ];
From fa61c1523b6e4c4e1af29c3c1375a306671534f4 Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Wed, 25 Jun 2025 01:14:54 +0100
Subject: [PATCH 4/4] boot: Enable resolved/DNS-over-TLS
---
 common/boot.nix | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/common/boot.nix b/common/boot.nix
index eb99def..1eb8089 100644
--- a/common/boot.nix
+++ b/common/boot.nix
@@ -10,4 +10,13 @@ in
 systemd-boot.memtest86.enable = mkIf config.nixpkgs.hostPlatform.isx86 true;
 efi.canTouchEfiVariables = true;
 };
+
+ services.resolved = {
+ enable = true;
+ fallbackDns = [ ];
+ dnsovertls = "true";
+ extraConfig = ''
+ DNS=2a07:e340::4#base.dns.mullvad.net 194.242.2.4#base.dns.mullvad.net
+ '';
+ };
 }
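Review bot: `originalAttrs.buildInputs ++ [ pkgs.libdvdcss ]` aborts evaluation if the wrapped derivation defines no `buildInputs` attribute; `(originalAttrs.buildInputs or [ ]) ++ [ pkgs.libdvdcss ]` is the robust form, and the `nativeBuildInputs` context line below has the same shape. A build input only takes effect if the program links the library at build time; if it is instead loaded by name at runtime, this line may not be enough, so it is worth confirming on the rebuilt host that DVD playback actually finds it. The enclosing `overrideAttrs` expression starts before this hunk.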
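Review bot: `dnsovertls = "true"` is strict mode, so every server resolved learns of — including per-link servers pushed by DHCP or by tailscaled on tailscale0 — must speak DoT, or queries routed to that link fail; the Mullvad entries cover the global scope, but on a host that also runs tailscale confirm with `resolvectl status` that per-link resolution still works. The `DNS=` line is in `extraConfig` rather than `networking.nameservers`, which NixOS itself writes into resolved.conf as far as I recall, so a later `networking.nameservers` setting would silently add a second server set beside this one; `networking.nameservers = [ "2a07:e340::4#base.dns.mullvad.net" "194.242.2.4#base.dns.mullvad.net" ];` keeps a single source of truth. `fallbackDns = [ ]` is the right companion to strict mode, since it removes the plaintext fallback resolvers that would otherwise be tried when the configured ones are unreachable, and that intent deserves a comment on the line. Resolver settings in `common/boot.nix` are also a placement oddity; the enclosing attribute set opens before this hunk.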