dotfiles/system/nixos/wireguard-netns.nix

86 lines
2.9 KiB
Nix
Raw Normal View History

2023-07-16 22:17:50 +00:00
{ pkgs, config, secret, ... }:
2023-04-13 20:46:32 +00:00
{
2023-04-18 22:43:25 +00:00
environment.systemPackages = with pkgs; [ ldns tcpdump wireguard-tools ];
2023-04-13 20:46:32 +00:00
2023-04-18 21:20:35 +00:00
environment.etc."netns/wg/resolv.conf" = {
mode = "0644";
text = ''
2023-04-20 19:41:45 +00:00
nameserver ${secret.wireguard.dns}
2023-04-18 21:20:35 +00:00
'';
};
2023-04-18 22:55:49 +00:00
environment.etc."netns/wg/nsswitch.conf" = {
mode = "0644";
text = ''
passwd: files systemd
group: files [success=merge] systemd
shadow: files
2023-05-24 11:02:56 +00:00
hosts: dns [!UNAVAIL=return] files
2023-04-18 22:55:49 +00:00
networks: files
ethers: files
services: files
protocols: files
rpc: files
'';
};
2023-04-13 20:46:32 +00:00
systemd.services."netns@" = {
description = "%I network namespace";
before = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute}/bin/ip netns add %I";
ExecStop = "${pkgs.iproute}/bin/ip netns del %I";
};
};
systemd.services.wg = {
description = "wg network interface";
bindsTo = [ "netns@wg.service" ];
2023-06-02 08:19:34 +00:00
wants = [ "network-online.target" ];
after = [ "netns@wg.service" "network-online.target" "run-agenix.d.mount" ];
environment.WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
2023-04-13 20:46:32 +00:00
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = with pkgs; writers.writeBash "wg-up" ''
set -e
2023-04-18 23:33:58 +00:00
echo "Setting lo to up ..."
${iproute}/bin/ip -n wg link set lo up
2023-04-20 20:10:40 +00:00
echo "Creating veth network ..."
${iproute}/bin/ip link add name vethwghost0 type veth peer vethwgns0 netns wg
${iproute}/bin/ip address add 192.168.42.1/24 dev vethwghost0
${iproute}/bin/ip -n wg address add 192.168.42.2/24 dev vethwgns0
${iproute}/bin/ip link set vethwghost0 up
${iproute}/bin/ip -n wg link set vethwgns0 up
echo "Creating wg0 interface ..."
2023-04-13 20:46:32 +00:00
${iproute}/bin/ip link add wg0 type wireguard
${wireguard-tools}/bin/wg setconf wg0 ${config.age.secrets.wireguard-config.path}
${iproute}/bin/ip link set wg0 netns wg
2023-04-20 19:41:45 +00:00
${iproute}/bin/ip -n wg address add ${secret.wireguard.ipv4} dev wg0
${iproute}/bin/ip -n wg -6 address add ${secret.wireguard.ipv6} dev wg0
2023-04-13 20:46:32 +00:00
${iproute}/bin/ip -n wg link set wg0 up
${iproute}/bin/ip -n wg route add default dev wg0
${iproute}/bin/ip -n wg -6 route add default dev wg0
2023-04-14 22:17:41 +00:00
echo "Done!"
2023-04-13 20:46:32 +00:00
'';
ExecStop = with pkgs; writers.writeBash "wg-down" ''
2023-04-14 22:17:41 +00:00
echo "Tearing down wg0 ..."
2023-04-13 20:46:32 +00:00
${iproute}/bin/ip -n wg route del default dev wg0
${iproute}/bin/ip -n wg -6 route del default dev wg0
${iproute}/bin/ip -n wg link del wg0
2023-04-20 20:10:40 +00:00
echo "Tearing down veth network ..."
${iproute}/bin/ip link del vethwghost0
2023-04-20 20:10:40 +00:00
${iproute}/bin/ip -n wg link del vethwgns0
2023-04-18 23:33:58 +00:00
echo "Setting lo to down ..."
${iproute}/bin/ip -n wg link set lo down
2023-04-14 22:17:41 +00:00
echo "Done!"
2023-04-13 20:46:32 +00:00
'';
};
};
}