initial commit

2025-12-22 16:46:52 -03:00 · 2025-12-22 16:46:52 -03:00 · 120dbdbc64
commit 120dbdbc64
21 changed files with 2413 additions and 0 deletions
--- a/networking.nix
+++ b/networking.nix
@ -0,0 +1,116 @@
+{
+  config,
+  hostname,
+  pkgs,
+  ...
+}:
+let
+  inetInterface = "enp1s0";
+in
+{
+  sops.secrets = {
+    "wg0/address".sopsFile = ./secrets/vpn.yaml;
+    "wg0/dns".sopsFile = ./secrets/vpn.yaml;
+    "wg0/conf".sopsFile = ./secrets/vpn.yaml;
+  };
+
+  networking = {
+    hostName = hostname;
+    networkmanager.enable = false;
+    firewall.trustedInterfaces = [ "vlan66" ];
+    useDHCP = false;
+    useNetworkd = true;
+
+    # vlans.vlan66 = {
+    #   id = 66;
+    #   interface = "br0";
+    # };
+    # interfaces = {
+    #   br0.useDHCP = true;
+    #   vlan66.useDHCP = true;
+    # };
+    # bridges.br0 = {
+    #   interfaces = [ inetInterface ];
+    # };
+    #    firewall.allowedTCPPorts = [ 8080 12000 12001 12002 12003 12004 12005 ];
+  };
+
+  systemd.network = {
+    netdevs."20-br0" = {
+      netdevConfig = {
+        Kind = "bridge";
+        Name = "br0";
+      };
+    };
+
+    netdevs."30-vlan66" = {
+      netdevConfig = {
+        Kind = "vlan";
+        Name = "vlan66";
+      };
+      vlanConfig = {
+        Id = 66;
+      };
+    };
+
+    networks."10-lan-up-link" = {
+      matchConfig.Name = "en* eth*";
+      networkConfig.Bridge = "br0";
+    };
+
+    networks."20-br0" = {
+      matchConfig.Name = "br0";
+      networkConfig = {
+        VLAN = [ "vlan66" ];
+        DHCP = "yes";
+      };
+    };
+
+    networks."30-vlan66" = {
+      matchConfig.Name = "vlan66";
+      networkConfig.DHCP = "yes";
+    };
+  };
+
+  systemd.services."netns@wg0ns" = {
+    description = "wg0 network namespace";
+    before = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = pkgs.writers.writeBash "wg0ns-up" ''
+        ${pkgs.coreutils}/bin/mkdir -p /etc/netns/wg0ns
+        cat ${config.sops.secrets."wg0/dns".path} >> /etc/netns/wg0ns/resolv.conf
+        ${pkgs.iproute2}/bin/ip netns add wg0ns
+      '';
+      ExecStop = "${pkgs.iproute2}/bin/ip netns del wg0ns";
+    };
+  };
+
+  systemd.services.wg0 = {
+    description = "wg0 network interface";
+    bindsTo = [ "netns@wg0ns.service" ];
+    requires = [ "network-online.target" ];
+    after = [ "netns@wg0ns.service" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = pkgs.writers.writeBash "wg-up" ''
+        ${pkgs.iproute2}/bin/ip link add wg0 type wireguard 
+        ${pkgs.iproute2}/bin/ip link set wg0 netns wg0ns
+        ${pkgs.iproute2}/bin/ip -n wg0ns address add $(< ${config.sops.secrets."wg0/address".path}) dev wg0
+        ${pkgs.iproute2}/bin/ip netns exec wg0ns \
+            ${pkgs.wireguard-tools}/bin/wg setconf wg0 ${config.sops.secrets."wg0/conf".path}
+        ${pkgs.iproute2}/bin/ip -n wg0ns link set lo up
+        ${pkgs.iproute2}/bin/ip -n wg0ns link set wg0 up
+        ${pkgs.iproute2}/bin/ip -n wg0ns route add default dev wg0
+      '';
+      ExecStop = pkgs.writers.writeBash "wg-down" ''
+        ${pkgs.iproute2}/bin/ip -n wg0ns route del default dev wg0
+        ${pkgs.iproute2}/bin/ip -n wg0ns link del wg0
+      '';
+    };
+  };
+}