From 61288d4675fa936a7ed5642518b55d58f084e59c Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 4 Dec 2024 18:57:45 +0000 Subject: [PATCH 1/2] yevaud: move dns experiment to separate file --- hosts/yevaud/default.nix | 32 ++-------------------- hosts/yevaud/experiments/birdsong-dns.nix | 33 +++++++++++++++++++++++ 2 files changed, 35 insertions(+), 30 deletions(-) create mode 100644 hosts/yevaud/experiments/birdsong-dns.nix diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index 2a8fdae..f202d28 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -4,6 +4,8 @@ imports = [ ./hardware-configuration.nix ./networking.nix + + ./experiments/birdsong-dns.nix ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; @@ -14,36 +16,6 @@ users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; - services.bind = { - # enable = true; - cacheNetworks = [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]; - forwarders = [ ]; - listenOn = [ config.birdsong.hosts.yevaud.ipv4 ]; - listenOnIpv6 = [ config.birdsong.hosts.yevaud.ipv6 ]; - zones = { - "birdsong.internal" = { - master = true; - # TODO: pick better email address for SOA record - file = pkgs.writeText "birdsong.internal.zone" '' - $TTL 60 - $ORIGIN birdsong.internal. - - birdsong.internal. IN SOA ns.birdsong.internal. accounts.katherina.rocks. ( 2024080401 7200 3600 1209600 3600 ) - birdsong.internal. IN NS ns.birdsong.internal. - - yevaud.c.birdsong.internal. IN A 10.127.1.1 - yevaud.c.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1 - - ns.birdsong.internal. IN A 10.127.1.1 - ns.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1 - ''; - }; - }; - }; - networking.resolvconf.useLocalResolver = false; - networking.firewall.allowedTCPPorts = [ 53 ]; - networking.firewall.allowedUDPPorts = [ 53 ]; - randomcat.services.zfs.datasets = { "rpool/state" = { mountpoint = "none"; }; "rpool/state/forgejo" = { mountpoint = "/var/lib/forgejo"; }; 
diff --git a/hosts/yevaud/experiments/birdsong-dns.nix b/hosts/yevaud/experiments/birdsong-dns.nix new file mode 100644 index 0000000..036e499 --- /dev/null +++ b/hosts/yevaud/experiments/birdsong-dns.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: + +{ + services.bind = { + # enable = true; + cacheNetworks = [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]; + forwarders = [ ]; + listenOn = [ config.birdsong.hosts.yevaud.ipv4 ]; + listenOnIpv6 = [ config.birdsong.hosts.yevaud.ipv6 ]; + zones = { + "birdsong.internal" = { + master = true; + # TODO: pick better email address for SOA record + file = pkgs.writeText "birdsong.internal.zone" '' + $TTL 60 + $ORIGIN birdsong.internal. + + birdsong.internal. IN SOA ns.birdsong.internal. accounts.katherina.rocks. ( 2024080401 7200 3600 1209600 3600 ) + birdsong.internal. IN NS ns.birdsong.internal. + + yevaud.c.birdsong.internal. IN A 10.127.1.1 + yevaud.c.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1 + + ns.birdsong.internal. IN A 10.127.1.1 + ns.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1 + ''; + }; + }; + }; + networking.resolvconf.useLocalResolver = false; + networking.firewall.allowedTCPPorts = [ 53 ]; + networking.firewall.allowedUDPPorts = [ 53 ]; +} From a206f63e6832ee15cc45df6f41f5c6ab02266db0 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 4 Dec 2024 19:46:17 +0000 Subject: [PATCH 2/2] yevaud: add experimental container with networking over vpn --- hosts/yevaud/default.nix | 1 + hosts/yevaud/experiments/pennykettle.nix | 85 ++++++++++++++++++++++++ secrets.nix | 1 + secrets/protonvpn-pennykettle1.age | 9 +++ 4 files changed, 96 insertions(+) create mode 100644 hosts/yevaud/experiments/pennykettle.nix create mode 100644 secrets/protonvpn-pennykettle1.age diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index f202d28..c2d4639 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix 
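Review bot: `networking.firewall.allowedTCPPorts = [ 53 ]` and `networking.firewall.allowedUDPPorts = [ 53 ]` at the end of the new file open DNS on every host interface and remain in force while `services.bind` is still disabled (`# enable = true;`), so the firewall is wider than the listener it exists for. bind itself is bound only to the birdsong addresses via `listenOn`/`listenOnIpv6`, so either scoping the firewall to the interface carrying those addresses (`networking.firewall.interfaces.<name>.allowedUDPPorts`) or gating the firewall and `resolvconf` lines on the service would keep the two consistent, e.g. `networking.firewall = lib.mkIf config.services.bind.enable { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 ]; };`. The body is moved unchanged from default.nix, so this is pre-existing rather than introduced by the commit, but the move is a natural point to fix it. The `TODO` on the SOA RNAME (`accounts.katherina.rocks.`) is still open and should be resolved before the zone is served beyond the experiment.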
@@ -6,6 +6,7 @@ ./networking.nix ./experiments/birdsong-dns.nix + ./experiments/pennykettle.nix ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix new file mode 100644 index 0000000..98e84c6 --- /dev/null +++ b/hosts/yevaud/experiments/pennykettle.nix 
@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = [ "ve-pennykettle1" ];
+ networking.nat.externalInterface = "ens3";
+ networking.firewall.allowedUDPPorts = [ 51821 ];
+
+ containers."pennykettle1" = {
+ privateNetwork = true;
+ extraVeths."ve-pennykettle1" = {
+ hostAddress = "10.235.1.1";
+ localAddress = "10.235.2.1";
+ forwardPorts = [{ hostPort = 51821; }];
+ };
+ ephemeral = true;
+ autoStart = true;
+ bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle1.path;
+
+ config = { config, pkgs, ... }: {
+ system.stateVersion = "24.05";
+ systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
+ environment.systemPackages = [ pkgs.wireguard-tools ];
+
+ networking.useDHCP = false;
+ networking.useHostResolvConf = false;
+ networking.firewall.allowedUDPPorts = [ 51821 ];
+ systemd.network = {
+ enable = true;
+
+ networks."10-ve" = {
+ matchConfig.Name = "ve-pennykettle1";
+ networkConfig.Address = "10.235.2.1/32";
+ # linkConfig.RequiredForOnline = "routable";
+ routes = [{
+ routeConfig = {
+ Gateway = "10.235.1.1";
+ Destination = "217.138.216.162/32";
+ };
+ }];
+ };
+
+ networks."30-protonvpn" = {
+ matchConfig.Name = "wg-protonvpn";
+ networkConfig = {
+ DefaultRouteOnDevice = true;
+ Address = [ "10.2.0.2/32" ];
+ DNS = "10.2.0.1";
+ };
+ linkConfig = {
+ RequiredForOnline = "yes";
+ ActivationPolicy = "always-up";
+ };
+ };
+
+ netdevs."30-protonvpn" = {
+ netdevConfig = {
+ Name = "wg-protonvpn";
+ Kind = "wireguard";
+ Description = "WireGuard tunnel to ProtonVPN (DE#1; NAT: strict, no port forwarding)";
+ };
+ wireguardConfig = {
+ ListenPort = 51821;
+ PrivateKeyFile = "/run/secrets/wg-key";
+ };
+ wireguardPeers = [{
+ wireguardPeerConfig = {
+ PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
+ AllowedIPs = "0.0.0.0/0";
+ Endpoint = "217.138.216.162:51820";
+ PersistentKeepalive = 5;
+ };
+ }];
+ };
+ };
+ };
+ };
+
+
age.secrets.protonvpn-pennykettle1 = { + file = ../../../secrets/protonvpn-pennykettle1.age; + owner = "root"; + group = "systemd-network"; + mode = "640"; + }; +} \ No newline at end of file diff --git a/secrets.nix b/secrets.nix index 82036db..61abf6e 100644 --- a/secrets.nix +++ b/secrets.nix @@ -10,6 +10,7 @@ let wireguard-peer-yevaud = [ machines.yevaud ] ++ keys.users.qenya; wireguard-peer-kalessin = [ machines.kalessin ] ++ keys.users.qenya; wireguard-peer-kilgharrah = [ machines.kilgharrah ] ++ keys.users.qenya; + protonvpn-pennykettle1 = [ machines.yevaud ] ++ keys.users.qenya; }; in builtins.listToAttrs ( diff --git a/secrets/protonvpn-pennykettle1.age b/secrets/protonvpn-pennykettle1.age new file mode 100644 index 0000000..e58dc56 --- /dev/null +++ b/secrets/protonvpn-pennykettle1.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 uJfgGw +h4WiWyMlQZ5iaMFTl/whUD0vJnIN0GYeqRbZ0MIH0o +eKio4DsSJlrvSAjmR0naDO/lmB78o7cy7QC9WZjHUa0 +-> ssh-ed25519 seJ9Iw xov8WY0TxEj5/wkWg1T0kmrbpXsNhDLnZwqyIg0eExA +wu5QApQk6K8Fu5XMTrWY2veoYbJVuQmn3DJXewVB860 +-> ssh-ed25519 900ILw N6RbpHr4Vwgm0BUCuMXzVo3VEgrl29NF8ZJU5Far7yk +KdA1dZXmcSF3cH9bVdmIbj7iZO3uuSY+isjswDzSu+Y +--- YtnS9FqXVat2hi9BLvX+71HEZDw3zcxIQ7Dp5+iao4c +a'|N7NT5]O0Sm<-1:dg^/u7N?XM~s.9cC \ No newline at end of file
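Review bot: The host-side `networking.firewall.allowedUDPPorts = [ 51821 ]` together with `forwardPorts = [{ hostPort = 51821; }]` and `ListenPort = 51821` in the netdev publish the container's WireGuard socket on every host interface, yet the tunnel is a client to a fixed `Endpoint` with `PersistentKeepalive = 5`, and the netdev `Description` itself records that the peer does no port forwarding, so nothing inbound is expected and the conntrack entry created by the masqueraded outbound packets already carries the replies. Dropping the listen/forward lines (`ListenPort`, `forwardPorts`, and both `allowedUDPPorts` entries) lets WireGuard pick an ephemeral source port and removes the exposure without changing how the tunnel works; WireGuard drops unauthenticated datagrams, so this is attack surface and hygiene rather than a direct compromise. Two leftovers in the container config look like debugging aids that should not outlive the experiment: `SYSTEMD_LOG_LEVEL = "debug"` on networkd, and the `10-ve` route that uses `Gateway = "10.235.1.1"` from a `/32` address with no on-link route to that gateway, which networkd is likely to reject unless `GatewayOnLink = true` is added to `routeConfig` — the debug level suggests this was being chased, so confirm on the host. On the positive side the routing fails closed: with only the `/32` to the endpoint over the veth and the default route on `wg-protonvpn`, container traffic has no path out when the tunnel is down. The secret mode `640` with `group = "systemd-network"` relies on the container sharing the host's uid/gid space (no user namespace), which is the NixOS container default; worth a comment on the `age.secrets` block since the secret is otherwise unreadable inside the container.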