105 lines
3.3 KiB
Nix
105 lines
3.3 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
{
|
|
networking.nat.enable = true;
|
|
networking.nat.enableIPv6 = true;
|
|
networking.nat.internalInterfaces = [ "ve-pennykettle1" ];
|
|
networking.nat.externalInterface = "ens3";
|
|
networking.nat.forwardPorts = [
|
|
{
|
|
sourcePort = 51821;
|
|
destination = "[fc00::2]:51821";
|
|
proto = "udp";
|
|
}
|
|
];
|
|
networking.firewall.allowedUDPPorts = [ 51821 ];
|
|
|
|
# RA = Router Advertisement (how a host finds a gateway IPv6 address for
|
|
# SLAAC or DHCPv6).
|
|
# networkd usually defaults this to true, but instead defaults it to false
|
|
# for ALL networks if ANY network has IPv6Forwarding enabled, on the
|
|
# (reasonable) assumption that a host doing IP forwarding is probably a
|
|
# network bridge.
|
|
# The kernel's RA implementation does this too, and the NixOS networking.nat
|
|
# module explicitly overrides that with sysctl, but networkd doesn't pay
|
|
# attention to that.
|
|
# We thus explicitly enable it, as otherwise external IPv6 is broken.
|
|
systemd.network.networks."40-ens3".networkConfig.IPv6AcceptRA = true;
|
|
|
|
containers."pennykettle1" = {
|
|
privateNetwork = true;
|
|
extraVeths."ve-pennykettle1" = {
|
|
hostAddress = "10.231.136.1";
|
|
localAddress = "10.231.136.2";
|
|
hostAddress6 = "fc00::1";
|
|
localAddress6 = "fc00::2";
|
|
};
|
|
ephemeral = true;
|
|
autoStart = true;
|
|
bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle1.path;
|
|
|
|
config = { config, pkgs, ... }: {
|
|
system.stateVersion = "24.05";
|
|
systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
|
|
environment.systemPackages = [ pkgs.wireguard-tools ];
|
|
|
|
networking.useDHCP = false;
|
|
networking.useHostResolvConf = false;
|
|
networking.firewall.allowedUDPPorts = [ 51821 ];
|
|
systemd.network = {
|
|
enable = true;
|
|
|
|
networks."10-ve" = {
|
|
matchConfig.Name = "ve-pennykettle1";
|
|
networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ];
|
|
linkConfig.RequiredForOnline = "yes";
|
|
routes = [{
|
|
Gateway = [ "10.231.136.1" "fc00::1" ];
|
|
Destination = "217.138.216.162";
|
|
}];
|
|
};
|
|
|
|
networks."30-protonvpn" = {
|
|
matchConfig.Name = "wg-protonvpn";
|
|
networkConfig = {
|
|
Address = [ "10.2.0.2/32" ];
|
|
DNS = "10.2.0.1";
|
|
};
|
|
linkConfig = {
|
|
RequiredForOnline = "yes";
|
|
ActivationPolicy = "always-up";
|
|
};
|
|
routes = [
|
|
{ Gateway = [ "0.0.0.0" ]; }
|
|
{ Gateway = [ "::" ]; }
|
|
];
|
|
};
|
|
|
|
netdevs."30-protonvpn" = {
|
|
netdevConfig = {
|
|
Name = "wg-protonvpn";
|
|
Kind = "wireguard";
|
|
Description = "WireGuard tunnel to ProtonVPN (DE#1; NAT: strict, no port forwarding)";
|
|
};
|
|
wireguardConfig = {
|
|
ListenPort = 51821;
|
|
PrivateKeyFile = "/run/secrets/wg-key";
|
|
};
|
|
wireguardPeers = [{
|
|
PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
|
|
AllowedIPs = "0.0.0.0/0";
|
|
Endpoint = "217.138.216.162:51820";
|
|
PersistentKeepalive = 5;
|
|
}];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
age.secrets.protonvpn-pennykettle1 = {
|
|
file = ../../../secrets/protonvpn-pennykettle1.age;
|
|
owner = "root";
|
|
group = "systemd-network";
|
|
mode = "640";
|
|
};
|
|
}
|