lander/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nix-config/hosts/hosting-02/default.nix
Lander Van den Bulcke 1f846cae56
fix: veth setup 
Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-09-11 23:57:32 +02:00

171 lines
3.9 KiB
Nix
Raw Blame History

{ config, pkgs, ... }:
{
imports = [
./disk-config.nix
{
_module.args.disks = [ "/dev/sda" ];
}
../common/servers
];
time.timeZone = "Europe/Berlin";
networking.hostName = "hosting-02";
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
allowedUDPPorts = [
51820
];
};
networking.iproute2.enable = true;
systemd.network.config = {
routeTables = {
vpn = 133;
};
addRouteTablesToIPRoute2 = true;
};
systemd.network.networks."30-wan" = {
address = [
"2a01:4f8:c013:7fc0::/64"
];
};
systemd.services."netns@" = {
description = "Network namespace %i";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip netns add %i";
ExecStop = "${pkgs.iproute2}/bin/ip netns del %i";
};
};
systemd.services."veth-setup@" = {
description = "Setup veth pair for %i namespace";
after = [ "netns@%i.service" ];
requires = [ "netns@%i.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart =
let
script = pkgs.writers.writeBash "veth-up" ''
ns="$1"
${pkgs.iproute2}/bin/ip link add veth-init-$ns type veth peer name veth-ns-$ns
${pkgs.iproute2}/bin/ip link set veth-ns-$ns netns $ns
${pkgs.iproute2}/bin/ip link set veth-init-$ns up
${pkgs.iproute2}/bin/ip netns exec $ns ${pkgs.iproute2}/bin/ip link set veth-ns-$ns up
${pkgs.iproute2}/bin/ip netns exec $ns ${pkgs.iproute2}/bin/ip addr add 10.0.0.2/24 dev veth-ns-$ns
'';
in
"${script} %i";
ExecStop = "${pkgs.iproute2}/bin/ip link del veth-%i";
};
};
systemd.network.networks."50-veth" = {
matchConfig.Name = "veth-init-vpn";
networkConfig = {
Address = "10.0.0.1/24";
};
};
systemd.services."wireguard-wg0".requires = [
"netns@vpn.service"
"veth-setup@vpn.service"
];
networking.wireguard = {
enable = true;
useNetworkd = false;
interfaces.wg0 = {
ips = [
"10.64.244.95/32"
"fc00:bbbb:bbbb:bb01::1:f45e/128"
];
peers = [
{
publicKey = "KkShcqgwbkX2A9n1hhST6qu+m3ldxdJ2Lx8Eiw6mdXw=";
allowedIPs = [
"0.0.0.0/0"
"::0/0"
];
endpoint = "146.70.117.226:51820";
persistentKeepalive = 25;
}
];
listenPort = 51820;
privateKeyFile = config.sops.secrets.wireguardKey.path;
socketNamespace = "init";
interfaceNamespace = "vpn";
};
};
environment.systemPackages = with pkgs; [
gocryptfs
sshfs
];
programs.ssh.knownHosts.storageBox = {
hostNames = [ "u491729.your-storagebox.de" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
};
fileSystems."/mnt/box" = {
device = "u491729@u491729.your-storagebox.de:/home";
fsType = "fuse.sshfs";
options = [
"defaults"
"_netdev"
"allow_other"
"default_permissions"
"port=23"
"compression=no"
"reconnect"
"ServerAliveInterval=15"
"IdentityFile=${config.sops.secrets.storageboxKey.path}"
];
};
fileSystems."/data" = {
depends = [
"/mnt/box"
];
device = "/mnt/box/crypt";
fsType = "fuse.gocryptfs";
options = [
"rw"
"allow_other"
"passfile=${config.sops.secrets.storageboxCryptKey.path}"
];
};
sops.secrets = {
wireguardKey = {
owner = "root";
sopsFile = ./secrets.yaml;
};
storageboxKey = {
owner = "root";
sopsFile = ./secrets.yaml;
};
storageboxCryptKey = {
owner = "root";
sopsFile = ./secrets.yaml;
};
};
security.acme.defaults.email = "landervandenbulcke@gmail.com";
security.acme.acceptTerms = true;
system.stateVersion = "25.05";
}
Reference in a new issue View git blame Copy permalink