diff --git a/common/boot.nix b/common/boot.nix
index 1eb8089..eb99def 100644
--- a/common/boot.nix
+++ b/common/boot.nix
@@ -10,13 +10,4 @@ in
 systemd-boot.memtest86.enable = mkIf config.nixpkgs.hostPlatform.isx86 true;
 efi.canTouchEfiVariables = true;
 };
-
- services.resolved = {
- enable = true;
- fallbackDns = [ ];
- dnsovertls = "true";
- extraConfig = ''
- DNS=2a07:e340::4#base.dns.mullvad.net 194.242.2.4#base.dns.mullvad.net
- '';
- };
 }
diff --git a/flake.lock b/flake.lock
index a70d4c4..f901e43 100644
--- a/flake.lock
+++ b/flake.lock
@@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1750173260, - "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", + "lastModified": 1747575206, + "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=", "owner": "ryantm", "repo": "agenix", - "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", + "rev": "4835b1dc898959d8547a871ef484930675cb47f1", "type": "github" }, "original": { @@ -34,11 +34,11 @@ "stable": [] }, "locked": { - "lastModified": 1749739748, - "narHash": "sha256-csQQPoCA5iv+Nd9yCOCQNKflP7qUKEe7D27wsz+LPKM=", + "lastModified": 1749409980, + "narHash": "sha256-I/Tvv5UN5DRYXTEy/+j7mYRsdoWQ+rCfrVoNEw0K/Ek=", "owner": "zhaofengli", "repo": "colmena", - "rev": "c61641b156dfa3e82fc0671e77fccf7d7ccfaa3b", + "rev": "58f1beb074881d7208def140af71b7864b6139e0", "type": "github" }, "original": { @@ -55,11 +55,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1750737804, - "narHash": "sha256-wClGd2PhxdjjphR6wIgoiDcR+Gfg4/+FyseSOjIIzVU=", + "lastModified": 1749441800, + "narHash": "sha256-bN4tccrmczfR4PUuepHpxNNmWG3cLZTFIt4BaD8YyvA=", "owner": "rycee", "repo": "nur-expressions", - "rev": "aaaf4fec792bad465ea4a35c0be5bc2a54f33095", + "rev": "fe13e6abfe72b39ad8381595c3c404849330c3cb", "type": "gitlab" }, "original": {
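Review bot: Dropping the `services.resolved` block removes `dnsovertls = "true"`, `fallbackDns = [ ]` and the two Mullvad resolvers from common/boot.nix with no replacement anywhere in this diff, so every host importing this module goes back to the network-supplied resolver in the clear unless DNS is configured elsewhere. If that is deliberate (per-host DNS, or the block moving to a networking module), a one-line comment at the removal site would stop the next reader from re-adding it, e.g. `# DNS/resolved is configured per host, not in this shared module`. If it is not deliberate, the block should move rather than disappear; boot.nix was an odd home for it but the encrypted-DNS setting itself is worth keeping. The remaining hunk is the tail of the module's attribute set, so nothing else in this file depends on the removed lines.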
@@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1750792728, - "narHash": "sha256-Lh3dopA8DdY+ZoaAJPrtkZOZaFEJGSYjOdAYYgOPgE4=", + "lastModified": 1749154018, + "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=", "owner": "nix-community", "repo": "home-manager", - "rev": "366f00797b1efb70f2882d3da485e3c10fd3d557", + "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111", "type": "github" }, "original": { @@ -164,11 +164,11 @@ ] }, "locked": { - "lastModified": 1750798083, - "narHash": "sha256-DTCCcp6WCFaYXWKFRA6fiI2zlvOLCf5Vwx8+/0R8Wc4=", + "lastModified": 1749483884, + "narHash": "sha256-HdyfdVx0NbgrVtLY4lXdX9X/YE3PZjGZFnSyoAy1GJc=", "owner": "nix-community", "repo": "home-manager", - "rev": "ff31a4677c1a8ae506aa7e003a3dba08cb203f82", + "rev": "74d196c9943a67908d1883f61154e594d03863e5", "type": "github" }, "original": { @@ -180,15 +180,15 @@ "lix": { "flake": false, "locked": { - "lastModified": 1750762203, - "narHash": "sha256-LmQhjQ7c+AOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw=", - "rev": "38b358ce27203f972faa2973cf44ba80c758f46e", + "lastModified": 1746827285, + "narHash": "sha256-hsFe4Tsqqg4l+FfQWphDtjC79WzNCZbEFhHI8j2KJzw=", + "rev": "47aad376c87e2e65967f17099277428e4b3f8e5a", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/38b358ce27203f972faa2973cf44ba80c758f46e.tar.gz?rev=38b358ce27203f972faa2973cf44ba80c758f46e" + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?rev=47aad376c87e2e65967f17099277428e4b3f8e5a" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/release-2.93.tar.gz" + "url": "https://git.lix.systems/lix-project/lix/archive/2.93.0.tar.gz" } }, "lix-module": { 
@@ -201,24 +201,24 @@ ] }, "locked": { - "lastModified": 1750776670, - "narHash": "sha256-EfA5K5EZAnspmraJrXQlziffVpaT+QDBiE6yKmuaNNQ=", - "rev": "c3c78a32273e89d28367d8605a4c880f0b6607e3", + "lastModified": 1746838955, + "narHash": "sha256-11R4K3iAx4tLXjUs+hQ5K90JwDABD/XHhsM9nkeS5N8=", + "rev": "cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/c3c78a32273e89d28367d8605a4c880f0b6607e3.tar.gz?rev=c3c78a32273e89d28367d8605a4c880f0b6607e3" + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz?rev=cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz" + "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz" } }, "nixpkgs": { "locked": { - "lastModified": 1750622754, - "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=", + "lastModified": 1749237914, + "narHash": "sha256-N5waoqWt8aMr/MykZjSErOokYH6rOsMMXu3UOVH5kiw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1", + "rev": "70c74b02eac46f4e4aa071e45a6189ce0f6d9265", "type": "github" }, "original": { @@ -245,11 +245,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1750784235, - "narHash": "sha256-IYCCkKerO3lMUcMaDRLfwnfyPopQbGWF8iHRd0XcCBc=", + "lastModified": 1749330319, + "narHash": "sha256-5UnNMREFRBA2UHakpk2naiCvZCW0LtZ5GMzl3u9V9HA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a5e9291e97f5ba0b4ba7d657ddedd5f86d11acfd", + "rev": "2b41bf05854399433a852b438bb5392dc56cbaba", "type": "github" }, "original": { 
@@ -261,11 +261,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1750506804, - "narHash": "sha256-VLFNc4egNjovYVxDGyBYTrvVCgDYgENp5bVi9fPTDYc=", + "lastModified": 1749285348, + "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4206c4cb56751df534751b058295ea61357bbbaa", + "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f", "type": "github" }, "original": { @@ -277,11 +277,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1750776346, - "narHash": "sha256-sWw7gz2B02fHQkmPSutVcoawLuiPT0hpztL0ldCnIy0=", + "lastModified": 1749411262, + "narHash": "sha256-gRBkeW9l5lb/90lv1waQFNT+18OhITs11HENarh6vNo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4396a137499b6cc9f9fe9f3c266577bd52d455a4", + "rev": "0fc422d6c394191338c9d6a05786c63fc52a0f29", "type": "github" }, "original": { @@ -317,11 +317,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1750730821, - "narHash": "sha256-U5uW9mRSuA2dRaOyswmz2I0fUVQbGRSZROXIe2WKS+8=", + "lastModified": 1749435035, + "narHash": "sha256-hgkMTlwU1HGcGcP6Z8vuMupIBOZxqy2bX60TusJEnJA=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "1a2a536f5550c3b323e19f46d166340ad01745fd", + "rev": "3cc561e5c7c463785f0e79a518572afaa74c8377", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 73fe576..3fcba00 100644 --- a/flake.nix +++ b/flake.nix @@ -7,7 +7,7 @@ lix-module = { # lix haven't figured out automatic updates yet: https://git.lix.systems/lix-project/nixos-module/issues/39 - url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz"; + url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz"; inputs.nixpkgs.follows = "nixpkgs"; }; diff --git a/hosts/kilgharrah/hardware.nix b/hosts/kilgharrah/hardware.nix index 0583c64..89c6b59 100644 --- a/hosts/kilgharrah/hardware.nix +++ b/hosts/kilgharrah/hardware.nix 
@@ -38,7 +38,6 @@
 withBDplus = true;
 });
 }).overrideAttrs (originalAttrs: {
- buildInputs = originalAttrs.buildInputs ++ [ pkgs.libdvdcss ];
 # TODO: nixpkgs bug: libbluray needs patching to look at the nix store path of jdk17 when searching for a jdk
 # as a workaround, wrap vlc and set JAVA_HOME, which it uses instead of searching when specified
 nativeBuildInputs = originalAttrs.nativeBuildInputs ++ [ pkgs.makeWrapper ];
diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix
index 7453219..80395d3 100644
--- a/hosts/yevaud/experiments/pennykettle.nix
+++ b/hosts/yevaud/experiments/pennykettle.nix
@@ -1,66 +1,115 @@
 { config, lib, pkgs, ... }: {
+ networking.nat.enable = true;
+ networking.nat.enableIPv6 = true;
+ networking.nat.internalInterfaces = [ "ve-pennykettle" ];
+ networking.nat.externalInterface = "ens3";
+ networking.nat.forwardPorts = [
+ {
+ sourcePort = 51820;
+ destination = "10.231.136.2:51820";
+ proto = "udp";
+ }
+ {
+ sourcePort = 51820;
+ destination = "[fc00::2]:51820";
+ proto = "udp";
+ }
+ ];
 networking.firewall.allowedUDPPorts = [ 51820 ];
- networking.firewall.interfaces."tailscale0".allowedTCPPorts = config.networking.firewall.allowedTCPPorts ++ [ 1080 ];
- environment.systemPackages = [ pkgs.wireguard-tools ];
- networking.wireguard.interfaces."wg-protonvpn" = {
- ips = [ "10.2.0.2/32" ];
- peers = [{
- allowedIPs = [ "0.0.0.0/0" "::/0" ];
- endpoint = "217.138.216.162:51820";
- publicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
- }];
- privateKeyFile = config.age.secrets.protonvpn-pennykettle1.path;
- listenPort = 51820;
- table = "957851094"; # randomly generated
+ containers."pennykettle" = {
+ privateNetwork = true;
+ extraVeths."ve-pennykettle" = {
+ hostAddress = "10.231.136.1";
+ localAddress = "10.231.136.2";
+ hostAddress6 = "fc00::1";
+ localAddress6 = "fc00::2";
+ };
+ ephemeral = true;
+ autoStart = true;
+ bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle.path;
+
+ config = { config, pkgs, ... }: {
+ system.stateVersion = "24.05";
+ systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
+ environment.systemPackages = [ pkgs.wireguard-tools ];
+
+ networking.useDHCP = false;
+ networking.useHostResolvConf = false;
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+ systemd.network = {
+ enable = true;
+
+ networks."10-ve-pennykettle" = {
+ matchConfig.Name = "ve-pennykettle";
+ networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ];
+ linkConfig.RequiredForOnline = "yes";
+ routes = [{
+ Gateway = [ "10.231.136.1" "fc00::1" ];
+ Destination = "217.138.216.162";
+ }];
+ };
+
+ networks."30-wg-protonvpn" = {
+ matchConfig.Name = "wg-protonvpn";
+ networkConfig = {
+ Address = [ "10.2.0.2/32" ];
+ DNS = "10.2.0.1";
+ };
+ linkConfig = {
+ RequiredForOnline = "yes";
+ ActivationPolicy = "always-up";
+ };
+ routes = [
+ { Gateway = [ "0.0.0.0" ]; }
+ { Gateway = [ "::" ]; } # TODO: ipv6 out is still not working for unclear reasons
+ ];
+ };
+
+ netdevs."30-wg-protonvpn" = {
+ netdevConfig = {
+ Name = "wg-protonvpn";
+ Kind = "wireguard";
+ Description = "WireGuard tunnel to ProtonVPN (DE#1; NAT: strict, no port forwarding)";
+ };
+ wireguardConfig = {
+ ListenPort = 51820;
+ PrivateKeyFile = "/run/secrets/wg-key";
+ };
+ wireguardPeers = [{
+ PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
+ AllowedIPs = [ "0.0.0.0/0" "::/0" ];
+ Endpoint = "217.138.216.162:51820";
+ PersistentKeepalive = 5;
+ }];
+ };
+ };
+
+ networking.nat.enable = true;
+ networking.nat.enableIPv6 = true;
+ networking.nat.internalInterfaces = [ "ve-pennykettle" ];
+ networking.nat.externalInterface = "wg-protonvpn";
+ };
+ };
 };
- networking.localCommands = ''
- ip rule add from 10.2.0.2/32 table 957851094
- '';
- networking.firewall.checkReversePath = "loose";
-
- age.secrets.protonvpn-pennykettle1 = {
+ age.secrets.protonvpn-pennykettle = {
 file = ../../../secrets/protonvpn-pennykettle1.age;
 owner = "root";
 group = "systemd-network";
 mode = "640";
 };
-
services.dante = {
+ # TODO: password-protect the proxy instead of relying on only listening over Tailscale
+ services.microsocks = {
 enable = true;
- config = ''
- debug: 2
- internal: tailscale0
- external: wg-protonvpn
-
- # auth/tls handled by tailscale
- clientmethod: none
- socksmethod: none
-
- # allow connections from tailscale
- # "0/0" matches any v4 or v6 address
- client pass {
- from: 100.64.0.0/10 to: 0/0
- log: error connect disconnect
- }
- client pass {
- from: fd7a:115c:a1e0::/48 to: 0/0
- log: error connect disconnect
- }
-
- socks pass {
- from: 0/0 to: 0/0
- protocol: tcp udp
- log: error connect disconnect iooperation
- }
- '';
- };
-
- systemd.services.dante = {
- wants = [ "tailscaled-autoconnect.service" ];
- after = [ "tailscaled-autoconnect.service" ];
+ port = 1080;
+ ip = "::";
+ outgoingBindIp = "fc00::2";
+ # authUsername = "testusername123";
+ # authPasswordFile = pkgs.writeText "testpassword" "testpassworddonotuse";
+ # execWrapper = "${lib.getExe pkgs.strace}";
 };
+ networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 1080 ];
 }
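Review bot: `outgoingBindIp = "fc00::2"` on the host-level `services.microsocks` is the container's veth address (`localAddress6`), while the host's end of that veth is `fc00::1`, so unless the proxy is meant to run inside the container's network namespace (which this hunk does not show) the bind would fail or never push proxied traffic through the container's `wg-protonvpn` NAT. The proxy listens on `ip = "::"` with no authentication and is fenced off only by the `tailscale0` firewall rule; when the `# TODO` is picked up, the commented-out `authPasswordFile = pkgs.writeText ...` should not be used as-is, since `writeText` places the password world-readable in the Nix store — supply it from an age secret the way `protonvpn-pennykettle` is. The host-side `networking.nat.forwardPorts` plus `networking.firewall.allowedUDPPorts = [ 51820 ]` expose the container's WireGuard listener on `ens3`, which an outbound-initiated tunnel (`Endpoint` set, `PersistentKeepalive = 5`) does not need; unless inbound reachability is intended, dropping both removes surface. `SYSTEMD_LOG_LEVEL = "debug"` on the container's networkd reads as leftover debugging and deserves either removal or a comment saying why it stays.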