This commit is contained in:
root 2026-03-16 12:19:11 -03:00
commit 73ff9ee8ee
No known key found for this signature in database
31 changed files with 4906 additions and 0 deletions

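--- a/networking.nix
+++ b/networking.nix
@@ -0,0 +1,156 @@
+{
+config,
+hostname,
+pkgs,
+...
+}:
+{
+imports = [ ./wireguard.nix ];
+sops.secrets = {
+"wg0/conf".sopsFile = ./secrets/vpn.yaml;
+"wg-br0/conf".sopsFile = ./secrets/vpn.yaml;
+"wg-us0/conf".sopsFile = ./secrets/vpn.yaml;
+"wg-uk0/conf".sopsFile = ./secrets/vpn.yaml;
+};
+networking = {
+hostName = hostname;
+nameservers = [ "192.168.88.3" ];
+networkmanager.enable = false;
+firewall.trustedInterfaces = [ "vlan66" ];
+useDHCP = false;
+useNetworkd = true;
+# vlans.vlan66 = {
+# id = 66;
+# interface = "br0";
+# };
+# interfaces = {
+# br0.useDHCP = true;
+# vlan66.useDHCP = true;
+# };
+# bridges.br0 = {
+# interfaces = [ inetInterface ];
+# };
+firewall.allowedTCPPorts = [
+9003
+10000
+10001
+11000
+11001
+12000
+12001
+13000
+13001
+];
+};
+systemd.network = {
+enable = true;
+netdevs."20-br0" = {
+netdevConfig = {
+Kind = "bridge";
+Name = "br0";
+};
+};
+networks."10-tap" = {
+matchConfig.Name = [
+"en*"
+"eth*"
+];
+networkConfig.Bridge = "br0";
+};
+networks."20-br0" = {
+matchConfig.Name = "br0";
+networkConfig = {
+DHCP = "yes";
+};
+linkConfig.RequiredForOnline = "routable";
+};
+# netdevs."30-vlan66" = {
+# netdevConfig = {
+# Kind = "vlan";
+# Name = "vlan66";
+# };
+# vlanConfig = {
+# Id = 66;
+# };
+# };
+# networks."30-vlan66" = {
+# matchConfig.Name = "vlan66";
+# networkConfig.DHCP = "yes";
+# };
+};
+services.wireguard-netns = {
+enable = true;
+namespaces = {
+wg0 = {
+dns = "10.2.0.1";
+address = "10.2.0.2/32";
+conf = "wg0/conf";
+};
+wg-br0 = {
+dns = "10.2.0.1";
+address = "10.2.0.2/32";
+conf = "wg-br0/conf";
+};
+wg-us0 = {
+dns = "10.2.0.1";
+address = "10.2.0.2/32";
+conf = "wg-us0/conf";
+};
+wg-uk0 = {
+dns = "10.2.0.1";
+address = "10.2.0.2/32";
+conf = "wg-uk0/conf";
+};
+};
+};
+# systemd.services."netns@wg0ns" = {
+# description = "wg0 network namespace";
+# before = [ "network.target" ];
+# serviceConfig = {
+# Type = "oneshot";
+# RemainAfterExit = true;
+# ExecStart = pkgs.writers.writeBash "wg0ns-up" ''
+# ${pkgs.coreutils}/bin/mkdir -p /etc/netns/wg0ns
+# echo "nameserver $(cat ${config.sops.secrets."wg0/dns".path})" > /etc/netns/wg0ns/resolv.conf
+# ${pkgs.iproute2}/bin/ip netns add wg0ns
+# '';
+# ExecStop = "${pkgs.iproute2}/bin/ip netns del wg0ns";
+# };
+# };
+#
+# systemd.services.wg0 = {
+# description = "wg0 network interface";
+# bindsTo = [ "netns@wg0ns.service" ];
+# requires = [ "network-online.target" ];
+# after = [ "netns@wg0ns.service" ];
+# wants = [ "network-online.target" ];
+# wantedBy = [ "multi-user.target" ];
+# serviceConfig = {
+# Type = "oneshot";
+# RemainAfterExit = true;
+# ExecStart = pkgs.writers.writeBash "wg-up" ''
+# ${pkgs.iproute2}/bin/ip link add wg0 type wireguard
+# ${pkgs.iproute2}/bin/ip link set wg0 netns wg0ns
+# ${pkgs.iproute2}/bin/ip -n wg0ns address add $(< ${config.sops.secrets."wg0/address".path}) dev wg0
+# ${pkgs.iproute2}/bin/ip netns exec wg0ns \
+# ${pkgs.wireguard-tools}/bin/wg setconf wg0 ${config.sops.secrets."wg0/conf".path}
+# ${pkgs.iproute2}/bin/ip -n wg0ns link set lo up
+# ${pkgs.iproute2}/bin/ip -n wg0ns link set wg0 up
+# ${pkgs.iproute2}/bin/ip -n wg0ns route add default dev wg0
+# '';
+# ExecStop = pkgs.writers.writeBash "wg-down" ''
+# ${pkgs.iproute2}/bin/ip -n wg0ns route del default dev wg0
+# ${pkgs.iproute2}/bin/ip -n wg0ns link del wg0
+# '';
+# };
+# };
+}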
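Review bot: `firewall.trustedInterfaces = [ "vlan66" ]` names an interface that this file only ever defines inside commented-out blocks (the `networking.vlans.vlan66` and `netdevs."30-vlan66"` sections), so today it is dead configuration, and the moment someone re-enables either block every port on that VLAN silently bypasses the firewall with nothing in the file saying that is intended; either comment the line out alongside the VLAN definitions or annotate it, e.g. `# vlan66 is fully trusted: all inbound traffic on it skips the firewall` and `firewall.trustedInterfaces = [ "vlan66" ];`. The `firewall.allowedTCPPorts` list (9003, 10000-13001) is opened on every interface, including br0 which takes a DHCP lease on whatever `en*`/`eth*` link exists, yet no comment says which service owns each port; a one-line comment per port (or per pair) would let a later reader close ports whose service is gone. The four `wireguard-netns` namespaces share the same `address` and `dns` values, which is fine since each lives in its own namespace, but it looks like a copy-paste template — worth confirming the per-namespace `conf` secrets actually carry different peers and that `10.2.0.2/32` is what each provider assigned. The commented-out `netns@wg0ns` and `wg0` services at the bottom appear to be superseded by `services.wireguard-netns` and reference secrets (`wg0/dns`, `wg0/address`) this file no longer declares; deleting them rather than leaving them as comments would stop the file from suggesting those secrets still exist, and would also make the now-unused `config` and `pkgs` module arguments removable.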