feat: use network namespace for wireguard

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
This commit is contained in:
Lander Van den Bulcke 2025-09-11 23:14:49 +02:00
parent a767bcc039
commit ded73650a9
Signed by: lander
GPG key ID: 0142722B4B0C536F


@ -35,33 +35,51 @@
address = [ address = [
"2a01:4f8:c013:7fc0::/64" "2a01:4f8:c013:7fc0::/64"
]; ];
};
routingPolicyRules = [ systemd.services."netns@" = {
{ description = "Network namespace %i";
From = "10.64.244.95/32"; serviceConfig = {
Table = "vpn"; Type = "oneshot";
} RemainAfterExit = true;
{ ExecStart = "${pkgs.iproute2}/bin/ip netns add %i";
From = "fc00:bbbb:bbbb:bb01::1:f45e/128"; ExecStop = "${pkgs.iproute2}/bin/ip netns del %i";
Table = "vpn"; };
} };
{
User = config.users.users.vpn.uid; systemd.services."veth-setup@" = {
Table = "vpn"; description = "Setup veth pair for %i namespace";
Family = "both"; after = [ "netns@%i.service" ];
} requires = [ "netns@%i.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = ''
${pkgs.iproute2}/bin/ip link add veth-%i type veth peer name veth-ns-%i
${pkgs.iproute2}/bin/ip link set veth-ns-%i netns %i
${pkgs.iproute2}/bin/ip link set veth-%i up
${pkgs.iproute2}/bin/ip netns exec %i ${pkgs.iproute2}/bin/ip link set veth-ns-%i up
${pkgs.iproute2}/bin/ip netns exec %i ${pkgs.iproute2}/bin/ip addr add 10.0.0.2/24 dev veth-ns-%i
${pkgs.iproute2}/bin/ip netns exec %i ${pkgs.iproute2}/bin/ip route add default via 10.0.0.1
'';
ExecStop = "${pkgs.iproute2}/bin/ip link del veth-%i";
};
};
systemd.network.networks."50-veth" = {
matchConfig.Name = "veth-*";
networkConfig = {
Address = "10.0.0.1/24";
};
};
systemd.services."wireguard-wg0".requires = [
"netns@vpn.service"
"veth-setup@vpn.service"
]; ];
};
users.groups.vpn = { };
users.users.vpn = {
isSystemUser = true;
group = "vpn";
uid = 51280;
};
networking.wireguard = { networking.wireguard = {
enable = true; enable = true;
useNetworkd = false;
interfaces.wg0 = { interfaces.wg0 = {
ips = [ ips = [
@ -83,7 +101,8 @@
listenPort = 51820; listenPort = 51820;
privateKeyFile = config.sops.secrets.wireguardKey.path; privateKeyFile = config.sops.secrets.wireguardKey.path;
table = "133"; socketNamespace = "init";
interfaceNamespace = "vpn";
}; };
}; };
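Review bot: `systemd.services."wireguard-wg0".requires` pulls in `netns@vpn.service` and `veth-setup@vpn.service` but sets no `after` ordering, so unless the wireguard module itself already orders the unit after these, wireguard-wg0 may start before `ip netns add vpn` has run and fail to move wg0 into the namespace; add `systemd.services."wireguard-wg0".after = [ "netns@vpn.service" "veth-setup@vpn.service" ];` next to the `requires` line. Separately, `veth-setup@` installs `ip route add default via 10.0.0.1` inside the namespace while the routing-policy rules that previously pinned the vpn user's traffic to the `vpn` table are removed, so any destination not covered by a wg0 route (the peers' allowedIPs are not visible in this hunk) leaves the namespace over the veth towards the host; if the host forwards or masquerades that traffic, it bypasses the tunnel, so either confirm that allowedIPs installs a default route through wg0 inside the namespace or narrow the veth route to what the namespace actually needs from the host. The host-side `50-veth` network also matches every `veth-*` and assigns the same `10.0.0.1/24`, and the namespace side hard-codes `10.0.0.2/24`, so the template is only usable for a single instance; a comment stating that, or deriving the addresses from `%i`, would save the next reader from instantiating it twice. The enclosing module attribute set begins and ends outside both hunks.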