diff --git a/hosts/hosting-02/default.nix b/hosts/hosting-02/default.nix
index 6dea46e..5611af7 100644
--- a/hosts/hosting-02/default.nix
+++ b/hosts/hosting-02/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 {
 imports = [
 ./disk-config.nix
@@ -23,46 +23,43 @@
 ];
 };
- systemd.network.networks."30-wan".address = [
- "2a01:4f8:c013:7fc0::/64"
- ];
+ networking.iproute2.enable = true;
+ systemd.network.config = {
+ routeTables = {
+ vpn = 133;
+ };
+ addRouteTablesToIPRoute2 = true;
+ };
+
+ systemd.network.networks."30-wan" = {
+ address = [
+ "2a01:4f8:c013:7fc0::/64"
+ ];
+
+ routingPolicyRules = [
+ {
+ From = "10.64.244.95/32";
+ Table = "vpn";
+ }
+ {
+ From = "fc00:bbbb:bbbb:bb01::1:f45e/128";
+ Table = "vpn";
+ }
+ {
+ User = config.users.users.vpn.uid;
+ Table = "vpn";
+ Family = "both";
+ }
+ ];
+ };
 users.groups.vpn = { };
 users.users.vpn = {
 isSystemUser = true;
 group = "vpn";
+ uid = 51280;
 };
- networking.iproute2 = {
- enable = true;
- rttablesExtraConfig = ''
- 133 vpn
- '';
- };
-
- systemd.services.vpn-policy-routing =
- let
- vpnUid = toString config.users.users.vpn.uid;
- in
- {
- description = "Apply policy routing rules for the 'vpn' user.";
-
- wantedBy = [ "multi-user.target" ];
-
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
-
- serviceConfig.type = "oneshot";
-
- script = ''
- IP_CMD="${pkgs.iproute2}/bin/ip"
- $IP_CMD rule add from ${builtins.elemAt config.networking.wireguard.interfaces.wg0.ips 0} table vpn prio 200
- $IP_CMD rule add uidrange ${vpnUid}-${vpnUid} table vpn prio 201
- $IP_CMD -6 rule add from ${builtins.elemAt config.networking.wireguard.interfaces.wg0.ips 1} table vpn prio 200
- $IP_CMD -6 rule add uidrange ${vpnUid}-${vpnUid} table vpn prio 201
- '';
- };
-
 networking.wireguard = {
 enable = true;