diff --git a/common/boot.nix b/common/boot.nix index eb99def..1eb8089 100644 --- a/common/boot.nix +++ b/common/boot.nix @@ -10,4 +10,13 @@ in systemd-boot.memtest86.enable = mkIf config.nixpkgs.hostPlatform.isx86 true; efi.canTouchEfiVariables = true; }; + + services.resolved = { + enable = true; + fallbackDns = [ ]; + dnsovertls = "true"; + extraConfig = '' + DNS=2a07:e340::4#base.dns.mullvad.net 194.242.2.4#base.dns.mullvad.net + ''; + }; } diff --git a/flake.lock b/flake.lock index f901e43..a70d4c4 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1747575206, - "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=", + "lastModified": 1750173260, + "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", "owner": "ryantm", "repo": "agenix", - "rev": "4835b1dc898959d8547a871ef484930675cb47f1", + "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", "type": "github" }, "original": { @@ -34,11 +34,11 @@ "stable": [] }, "locked": { - "lastModified": 1749409980, - "narHash": "sha256-I/Tvv5UN5DRYXTEy/+j7mYRsdoWQ+rCfrVoNEw0K/Ek=", + "lastModified": 1749739748, + "narHash": "sha256-csQQPoCA5iv+Nd9yCOCQNKflP7qUKEe7D27wsz+LPKM=", "owner": "zhaofengli", "repo": "colmena", - "rev": "58f1beb074881d7208def140af71b7864b6139e0", + "rev": "c61641b156dfa3e82fc0671e77fccf7d7ccfaa3b", "type": "github" }, "original": { @@ -55,11 +55,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1749441800, - "narHash": "sha256-bN4tccrmczfR4PUuepHpxNNmWG3cLZTFIt4BaD8YyvA=", + "lastModified": 1750737804, + "narHash": "sha256-wClGd2PhxdjjphR6wIgoiDcR+Gfg4/+FyseSOjIIzVU=", "owner": "rycee", "repo": "nur-expressions", - "rev": "fe13e6abfe72b39ad8381595c3c404849330c3cb", + "rev": "aaaf4fec792bad465ea4a35c0be5bc2a54f33095", "type": "gitlab" }, "original": { 
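Review bot: The global `DNS=` servers added via `extraConfig` are only used by systemd-resolved for queries that no per-link DNS server claims, so on a host whose uplink learns resolvers from DHCP or NetworkManager those per-link resolvers keep winning — and with `dnsovertls = "true"` (strict mode) they will fail the TLS handshake rather than silently answer, which is easy to mistake for a Mullvad outage; check `resolvectl status` on a deployed host. If links do carry DHCP resolvers, either suppress them (networkd `UseDNS=false`, NetworkManager `ipv4.ignore-auto-dns`) or, as I believe resolved.conf supports, add `Domains=~.` next to `DNS=` so the global servers are routed every domain. `fallbackDns = [ ]` is the right call and deserves a comment, because without it resolved quietly falls back to its compiled-in public resolvers whenever the configured ones are unreachable. A one-line comment on the `DNS=` line would also help the next reader: `# strict DoT: resolved validates the server certificate against the name after '#'`.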
@@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1749154018, - "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=", + "lastModified": 1750792728, + "narHash": "sha256-Lh3dopA8DdY+ZoaAJPrtkZOZaFEJGSYjOdAYYgOPgE4=", "owner": "nix-community", "repo": "home-manager", - "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111", + "rev": "366f00797b1efb70f2882d3da485e3c10fd3d557", "type": "github" }, "original": { @@ -164,11 +164,11 @@ ] }, "locked": { - "lastModified": 1749483884, - "narHash": "sha256-HdyfdVx0NbgrVtLY4lXdX9X/YE3PZjGZFnSyoAy1GJc=", + "lastModified": 1750798083, + "narHash": "sha256-DTCCcp6WCFaYXWKFRA6fiI2zlvOLCf5Vwx8+/0R8Wc4=", "owner": "nix-community", "repo": "home-manager", - "rev": "74d196c9943a67908d1883f61154e594d03863e5", + "rev": "ff31a4677c1a8ae506aa7e003a3dba08cb203f82", "type": "github" }, "original": { @@ -180,15 +180,15 @@ "lix": { "flake": false, "locked": { - "lastModified": 1746827285, - "narHash": "sha256-hsFe4Tsqqg4l+FfQWphDtjC79WzNCZbEFhHI8j2KJzw=", - "rev": "47aad376c87e2e65967f17099277428e4b3f8e5a", + "lastModified": 1750762203, + "narHash": "sha256-LmQhjQ7c+AOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw=", + "rev": "38b358ce27203f972faa2973cf44ba80c758f46e", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?rev=47aad376c87e2e65967f17099277428e4b3f8e5a" + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/38b358ce27203f972faa2973cf44ba80c758f46e.tar.gz?rev=38b358ce27203f972faa2973cf44ba80c758f46e" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/2.93.0.tar.gz" + "url": "https://git.lix.systems/lix-project/lix/archive/release-2.93.tar.gz" } }, "lix-module": { 
@@ -201,24 +201,24 @@ ] }, "locked": { - "lastModified": 1746838955, - "narHash": "sha256-11R4K3iAx4tLXjUs+hQ5K90JwDABD/XHhsM9nkeS5N8=", - "rev": "cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc", + "lastModified": 1750776670, + "narHash": "sha256-EfA5K5EZAnspmraJrXQlziffVpaT+QDBiE6yKmuaNNQ=", + "rev": "c3c78a32273e89d28367d8605a4c880f0b6607e3", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz?rev=cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc" + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/c3c78a32273e89d28367d8605a4c880f0b6607e3.tar.gz?rev=c3c78a32273e89d28367d8605a4c880f0b6607e3" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz" + "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz" } }, "nixpkgs": { "locked": { - "lastModified": 1749237914, - "narHash": "sha256-N5waoqWt8aMr/MykZjSErOokYH6rOsMMXu3UOVH5kiw=", + "lastModified": 1750622754, + "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "70c74b02eac46f4e4aa071e45a6189ce0f6d9265", + "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1", "type": "github" }, "original": { @@ -245,11 +245,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1749330319, - "narHash": "sha256-5UnNMREFRBA2UHakpk2naiCvZCW0LtZ5GMzl3u9V9HA=", + "lastModified": 1750784235, + "narHash": "sha256-IYCCkKerO3lMUcMaDRLfwnfyPopQbGWF8iHRd0XcCBc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2b41bf05854399433a852b438bb5392dc56cbaba", + "rev": "a5e9291e97f5ba0b4ba7d657ddedd5f86d11acfd", "type": "github" }, "original": { 
@@ -261,11 +261,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1749285348, - "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=", + "lastModified": 1750506804, + "narHash": "sha256-VLFNc4egNjovYVxDGyBYTrvVCgDYgENp5bVi9fPTDYc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f", + "rev": "4206c4cb56751df534751b058295ea61357bbbaa", "type": "github" }, "original": { @@ -277,11 +277,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1749411262, - "narHash": "sha256-gRBkeW9l5lb/90lv1waQFNT+18OhITs11HENarh6vNo=", + "lastModified": 1750776346, + "narHash": "sha256-sWw7gz2B02fHQkmPSutVcoawLuiPT0hpztL0ldCnIy0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0fc422d6c394191338c9d6a05786c63fc52a0f29", + "rev": "4396a137499b6cc9f9fe9f3c266577bd52d455a4", "type": "github" }, "original": { @@ -317,11 +317,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1749435035, - "narHash": "sha256-hgkMTlwU1HGcGcP6Z8vuMupIBOZxqy2bX60TusJEnJA=", + "lastModified": 1750730821, + "narHash": "sha256-U5uW9mRSuA2dRaOyswmz2I0fUVQbGRSZROXIe2WKS+8=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "3cc561e5c7c463785f0e79a518572afaa74c8377", + "rev": "1a2a536f5550c3b323e19f46d166340ad01745fd", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 3fcba00..73fe576 100644 --- a/flake.nix +++ b/flake.nix @@ -7,7 +7,7 @@ lix-module = { # lix haven't figured out automatic updates yet: https://git.lix.systems/lix-project/nixos-module/issues/39 - url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz"; + url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz"; inputs.nixpkgs.follows = "nixpkgs"; }; diff --git a/hosts/kilgharrah/hardware.nix b/hosts/kilgharrah/hardware.nix index 89c6b59..0583c64 100644 --- a/hosts/kilgharrah/hardware.nix +++ b/hosts/kilgharrah/hardware.nix 
@@ -38,6 +38,7 @@
 withBDplus = true;
 });
 }).overrideAttrs (originalAttrs: {
+ buildInputs = originalAttrs.buildInputs ++ [ pkgs.libdvdcss ];
 # TODO: nixpkgs bug: libbluray needs patching to look at the nix store path of jdk17 when searching for a jdk
 # as a workaround, wrap vlc and set JAVA_HOME, which it uses instead of searching when specified
 nativeBuildInputs = originalAttrs.nativeBuildInputs ++ [ pkgs.makeWrapper ];
diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix
index 80395d3..7453219 100644
--- a/hosts/yevaud/experiments/pennykettle.nix
+++ b/hosts/yevaud/experiments/pennykettle.nix
@@ -1,115 +1,66 @@
 { config, lib, pkgs, ... }: {
- networking.nat.enable = true;
- networking.nat.enableIPv6 = true;
- networking.nat.internalInterfaces = [ "ve-pennykettle" ];
- networking.nat.externalInterface = "ens3";
- networking.nat.forwardPorts = [
- {
- sourcePort = 51820;
- destination = "10.231.136.2:51820";
- proto = "udp";
- }
- {
- sourcePort = 51820;
- destination = "[fc00::2]:51820";
- proto = "udp";
- }
- ];
 networking.firewall.allowedUDPPorts = [ 51820 ];
+ networking.firewall.interfaces."tailscale0".allowedTCPPorts = config.networking.firewall.allowedTCPPorts ++ [ 1080 ];
- containers."pennykettle" = {
- privateNetwork = true;
- extraVeths."ve-pennykettle" = {
- hostAddress = "10.231.136.1";
- localAddress = "10.231.136.2";
- hostAddress6 = "fc00::1";
- localAddress6 = "fc00::2";
- };
- ephemeral = true;
- autoStart = true;
- bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle.path;
-
- config = { config, pkgs, ... }: {
- system.stateVersion = "24.05";
- systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
- environment.systemPackages = [ pkgs.wireguard-tools ];
-
- networking.useDHCP = false;
- networking.useHostResolvConf = false;
- networking.firewall.allowedUDPPorts = [ 51820 ];
- systemd.network = {
- enable = true;
-
- networks."10-ve-pennykettle" = {
- matchConfig.Name = "ve-pennykettle";
- networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ];
- linkConfig.RequiredForOnline = "yes";
- routes = [{
- Gateway = [ "10.231.136.1" "fc00::1" ];
- Destination = "217.138.216.162";
- }];
- };
-
- networks."30-wg-protonvpn" = {
- matchConfig.Name = "wg-protonvpn";
- networkConfig = {
- Address = [ "10.2.0.2/32" ];
- DNS = "10.2.0.1";
- };
- linkConfig = {
- RequiredForOnline = "yes";
- ActivationPolicy = "always-up";
- };
- routes = [
- { Gateway = [ "0.0.0.0" ]; }
- { Gateway = [ "::" ]; } # TODO: ipv6 out is still not working for unclear reasons
- ];
- };
-
- netdevs."30-wg-protonvpn" = 
{
- netdevConfig = {
- Name = "wg-protonvpn";
- Kind = "wireguard";
- Description = "WireGuard tunnel to ProtonVPN (DE#1; NAT: strict, no port forwarding)";
- };
- wireguardConfig = {
- ListenPort = 51820;
- PrivateKeyFile = "/run/secrets/wg-key";
- };
- wireguardPeers = [{
- PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
- AllowedIPs = [ "0.0.0.0/0" "::/0" ];
- Endpoint = "217.138.216.162:51820";
- PersistentKeepalive = 5;
- }];
- };
- };
-
- networking.nat.enable = true;
- networking.nat.enableIPv6 = true;
- networking.nat.internalInterfaces = [ "ve-pennykettle" ];
- networking.nat.externalInterface = "wg-protonvpn";
- };
+ environment.systemPackages = [ pkgs.wireguard-tools ];
+ networking.wireguard.interfaces."wg-protonvpn" = {
+ ips = [ "10.2.0.2/32" ];
+ peers = [{
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ endpoint = "217.138.216.162:51820";
+ publicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
+ }];
+ privateKeyFile = config.age.secrets.protonvpn-pennykettle1.path;
+ listenPort = 51820;
+ table = "957851094"; # randomly generated
 };
- age.secrets.protonvpn-pennykettle = {
+ networking.localCommands = ''
+ ip rule add from 10.2.0.2/32 table 957851094
+ '';
+ networking.firewall.checkReversePath = "loose";
+
+ age.secrets.protonvpn-pennykettle1 = {
 file = ../../../secrets/protonvpn-pennykettle1.age;
 owner = "root";
 group = "systemd-network";
 mode = "640";
 };
- # TODO: password-protect the proxy instead of relying on only listening over Tailscale
- services.microsocks = {
+ services.dante = {
 enable = true;
- port = 1080;
- ip = "::";
- outgoingBindIp = "fc00::2";
- # authUsername = "testusername123";
- # authPasswordFile = pkgs.writeText "testpassword" "testpassworddonotuse";
- # execWrapper = "${lib.getExe pkgs.strace}";
+ config = ''
+ debug: 2
+ internal: tailscale0
+ external: wg-protonvpn
+
+ # auth/tls handled by tailscale
+ clientmethod: none
+ socksmethod: none
+
+ # allow connections from tailscale
+ # "0/0" matches any v4 or v6 
address
+ client pass {
+ from: 100.64.0.0/10 to: 0/0
+ log: error connect disconnect
+ }
+ client pass {
+ from: fd7a:115c:a1e0::/48 to: 0/0
+ log: error connect disconnect
+ }
+
+ socks pass {
+ from: 0/0 to: 0/0
+ protocol: tcp udp
+ log: error connect disconnect iooperation
+ }
+ '';
+ };
+
+ systemd.services.dante = {
+ wants = [ "tailscaled-autoconnect.service" ];
+ after = [ "tailscaled-autoconnect.service" ];
 };
- networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 1080 ];
 }
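Review bot: The `socks pass { from: 0/0 to: 0/0 ... }` rule lets any tailnet client reach the host itself through the proxy: dante binds outbound sockets to `external: wg-protonvpn`, but the kernel consults the `local` routing table before the `957851094` rule, so a CONNECT to 127.0.0.1, the host's LAN or Tailscale addresses, or the tunnel gateway should be delivered locally rather than through the VPN, sidestepping a firewall that otherwise exposes only 1080 on tailscale0 — worth confirming with `curl --socks5 <host>:1080 http://127.0.0.1:<port>` against something bound to loopback. Dante evaluates rules first-match, so add `socks block` rules for loopback, link-local and private ranges ahead of the pass rule (below); 10.0.0.0/8 also covers the 10.2.0.0 tunnel net, which proxy users have no reason to reach. Separately, `ip rule add from 10.2.0.2/32 table 957851094` in `networking.localCommands` runs again on every network-setup restart and `ip rule add` does not deduplicate, so guard it (`ip rule show | grep -q "from 10.2.0.2 lookup 957851094" || ip rule add from 10.2.0.2/32 table 957851094`) or move it to the interface's `postSetup`/`postShutdown` hooks where the matching `ip rule del` belongs. `checkReversePath = "loose"` relaxes rp_filter host-wide to make this asymmetric routing work; a comment saying so, e.g. `# loose: replies for wg-protonvpn traffic are routed via table 957851094, which strict rp_filter rejects`, would keep the next reader from tightening it back.
```nix
        # allow connections from tailscale
        # … unchanged: client pass rules …

        # never proxy to the host itself, link-local or private space
        # (first match wins; 10.0.0.0/8 also covers the 10.2.0.0 tunnel net)
        socks block { from: 0/0 to: 127.0.0.0/8   log: error connect }
        socks block { from: 0/0 to: ::1/128       log: error connect }
        socks block { from: 0/0 to: 10.0.0.0/8    log: error connect }
        socks block { from: 0/0 to: 172.16.0.0/12 log: error connect }
        socks block { from: 0/0 to: 192.168.0.0/16 log: error connect }
        socks block { from: 0/0 to: 169.254.0.0/16 log: error connect }
        socks block { from: 0/0 to: 100.64.0.0/10 log: error connect }
        socks block { from: 0/0 to: fe80::/10     log: error connect }
        socks block { from: 0/0 to: fd00::/8      log: error connect }

        socks pass {
        # … unchanged: from/to/protocol/log of the existing pass rule …
```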