feat: use networkd for routing config

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-09-11 10:30:20 +02:00 · 2025-09-11 10:30:20 +02:00 · a373a0dc20
commit a373a0dc20
parent 2c60a915eb
1 changed files with 31 additions and 34 deletions
--- a/hosts/hosting-02/default.nix
+++ b/hosts/hosting-02/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 {
  imports = [
    ./disk-config.nix
@ -23,46 +23,43 @@
    ];
  };

-  systemd.network.networks."30-wan".address = [
-    "2a01:4f8:c013:7fc0::/64"
-  ];
+  networking.iproute2.enable = true;
+  systemd.network.config = {
+    routeTables = {
+      vpn = 133;
+    };
+    addRouteTablesToIPRoute2 = true;
+  };
+
+  systemd.network.networks."30-wan" = {
+    address = [
+      "2a01:4f8:c013:7fc0::/64"
+    ];
+
+    routingPolicyRules = [
+      {
+        From = "10.64.244.95/32";
+        Table = "vpn";
+      }
+      {
+        From = "fc00:bbbb:bbbb:bb01::1:f45e/128";
+        Table = "vpn";
+      }
+      {
+        User = config.users.users.vpn.uid;
+        Table = "vpn";
+        Family = "both";
+      }
+    ];
+  };

  users.groups.vpn = { };
  users.users.vpn = {
    isSystemUser = true;
    group = "vpn";
+    uid = 51280;
  };

-  networking.iproute2 = {
-    enable = true;
-    rttablesExtraConfig = ''
-      133 vpn
-    '';
-  };
-
-  systemd.services.vpn-policy-routing =
-    let
-      vpnUid = toString config.users.users.vpn.uid;
-    in
-    {
-      description = "Apply policy routing rules for the 'vpn' user.";
-
-      wantedBy = [ "multi-user.target" ];
-
-      after = [ "network-online.target" ];
-      wants = [ "network-online.target" ];
-
-      serviceConfig.type = "oneshot";
-
-      script = ''
-        IP_CMD="${pkgs.iproute2}/bin/ip"
-        $IP_CMD rule add from ${builtins.elemAt config.networking.wireguard.interfaces.wg0.ips 0} table vpn prio 200
-        $IP_CMD rule add uidrange ${vpnUid}-${vpnUid} table vpn prio 201
-        $IP_CMD -6 rule add from ${builtins.elemAt config.networking.wireguard.interfaces.wg0.ips 1} table vpn prio 200
-        $IP_CMD -6 rule add uidrange ${vpnUid}-${vpnUid} table vpn prio 201
-      '';
-    };
-
  networking.wireguard = {
    enable = true;