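# NixOS networking module for this host: a systemd-networkd LAN bridge (br0)
# plus four isolated WireGuard network namespaces whose tunnel configs are
# decrypted by sops.
#
# Module arguments: `hostname` is a string supplied by the caller and becomes
# networking.hostName; `config` and `pkgs` are only referenced by the retired
# units kept in comments at the bottom of this file.
{ config, hostname, pkgs, ... }:

let
  # Every WireGuard namespace is described exactly once here. Both
  # sops.secrets and services.wireguard-netns.namespaces are generated from
  # this list, so the "<name>/conf" secret and the namespace that consumes it
  # cannot drift apart. Adding a namespace means adding its name here and the
  # matching "<name>/conf" key in ./secrets/vpn.yaml.
  wgNamespaces = [ "wg0" "wg-br0" "wg-us0" "wg-uk0" ];

  # sops key under which a namespace's WireGuard config is stored.
  confSecret = ns: "${ns}/conf";

  # Build an attrset with one entry per namespace: key from `keyOf`, value
  # from `valueOf`.
  perNamespace = keyOf: valueOf:
    builtins.listToAttrs (map (ns: { name = keyOf ns; value = valueOf ns; }) wgNamespaces);
in
{
  imports = [ ./wireguard.nix ];

  # One encrypted WireGuard config per namespace, all taken from the same sops
  # file. The conf is what the tunnel is configured from (the retired unit
  # below fed it to `wg setconf`), so it carries the tunnel's private key —
  # leave the secret at sops' default root-only permissions.
  sops.secrets = perNamespace confSecret (_: { sopsFile = ./secrets/vpn.yaml; });

  networking = {
    hostName = hostname;
    # Static LAN resolver for the host's own namespace; each WireGuard
    # namespace gets its own resolver via `dns` further down.
    nameservers = [ "192.168.88.3" ];
    networkmanager.enable = false;

    # NOTE(review): anything arriving on a trusted interface bypasses the
    # firewall entirely. No vlan66 is defined in this file (every vlan66
    # definition below is commented out); confirm it is created by another
    # module, otherwise drop this entry so it cannot silently become a
    # firewall bypass the day an interface of that name appears.
    firewall.trustedInterfaces = [ "vlan66" ];

    # Addressing is done by systemd-networkd (below), so the legacy scripted
    # DHCP is turned off.
    useDHCP = false;
    useNetworkd = true;

    # vlans.vlan66 = {
    #   id = 66;
    #   interface = "br0";
    # };
    # interfaces = {
    #   br0.useDHCP = true;
    #   vlan66.useDHCP = true;
    # };
    # bridges.br0 = {
    #   interfaces = [ inetInterface ];
    # };

    # Opened on every non-trusted interface, i.e. also on br0 towards the
    # LAN. Which services listen on 9003 and on the 1x000/1x001 pairs is not
    # recorded here — TODO name them so this list can be audited against
    # what actually runs.
    firewall.allowedTCPPorts = [ 9003 10000 10001 11000 11001 12000 12001 13000 13001 ];
  };

  systemd.network = {
    enable = true;

    netdevs."20-br0" = {
      netdevConfig = {
        Kind = "bridge";
        Name = "br0";
      };
    };

    # Every en*/eth* port is enslaved to br0; addressing happens on the
    # bridge (DHCP below), not on the physical NICs.
    networks."10-tap" = {
      matchConfig.Name = [ "en*" "eth*" ];
      networkConfig.Bridge = "br0";
    };

    networks."20-br0" = {
      matchConfig.Name = "br0";
      networkConfig = {
        DHCP = "yes";
      };
      # network-online.target waits until br0 has a route, not merely a link.
      linkConfig.RequiredForOnline = "routable";
    };

    # netdevs."30-vlan66" = {
    #   netdevConfig = {
    #     Kind = "vlan";
    #     Name = "vlan66";
    #   };
    #   vlanConfig = {
    #     Id = 66;
    #   };
    # };
    # networks."30-vlan66" = {
    #   matchConfig.Name = "vlan66";
    #   networkConfig.DHCP = "yes";
    # };
  };

  # Four WireGuard tunnels, each in its own network namespace (option defined
  # in ./wireguard.nix). They all use the same inner address and resolver;
  # that does not collide because each namespace has its own interfaces and
  # routing table.
  services.wireguard-netns = {
    enable = true;
    namespaces = perNamespace (ns: ns) (ns: {
      dns = "10.2.0.1";
      address = "10.2.0.2/32";
      conf = confSecret ns;
    });
  };

  # Retired hand-rolled implementation, kept for reference: the
  # netns@wg0ns / wg0 unit pair below did by hand what
  # services.wireguard-netns does now. It reads the sops secrets "wg0/dns"
  # and "wg0/address", which are no longer declared above (dns and address
  # are plain options today), so it cannot be revived as-is.
  #
  # systemd.services."netns@wg0ns" = {
  #   description = "wg0 network namespace";
  #   before = [ "network.target" ];
  #   serviceConfig = {
  #     Type = "oneshot";
  #     RemainAfterExit = true;
  #     ExecStart = pkgs.writers.writeBash "wg0ns-up" ''
  #       ${pkgs.coreutils}/bin/mkdir -p /etc/netns/wg0ns
  #       echo "nameserver $(cat ${config.sops.secrets."wg0/dns".path})" > /etc/netns/wg0ns/resolv.conf
  #       ${pkgs.iproute2}/bin/ip netns add wg0ns
  #     '';
  #     ExecStop = "${pkgs.iproute2}/bin/ip netns del wg0ns";
  #   };
  # };
  #
  # systemd.services.wg0 = {
  #   description = "wg0 network interface";
  #   bindsTo = [ "netns@wg0ns.service" ];
  #   requires = [ "network-online.target" ];
  #   after = [ "netns@wg0ns.service" ];
  #   wants = [ "network-online.target" ];
  #   wantedBy = [ "multi-user.target" ];
  #   serviceConfig = {
  #     Type = "oneshot";
  #     RemainAfterExit = true;
  #     ExecStart = pkgs.writers.writeBash "wg-up" ''
  #       ${pkgs.iproute2}/bin/ip link add wg0 type wireguard
  #       ${pkgs.iproute2}/bin/ip link set wg0 netns wg0ns
  #       ${pkgs.iproute2}/bin/ip -n wg0ns address add $(< ${config.sops.secrets."wg0/address".path}) dev wg0
  #       ${pkgs.iproute2}/bin/ip netns exec wg0ns \
  #         ${pkgs.wireguard-tools}/bin/wg setconf wg0 ${config.sops.secrets."wg0/conf".path}
  #       ${pkgs.iproute2}/bin/ip -n wg0ns link set lo up
  #       ${pkgs.iproute2}/bin/ip -n wg0ns link set wg0 up
  #       ${pkgs.iproute2}/bin/ip -n wg0ns route add default dev wg0
  #     '';
  #     ExecStop = pkgs.writers.writeBash "wg-down" ''
  #       ${pkgs.iproute2}/bin/ip -n wg0ns route del default dev wg0
  #       ${pkgs.iproute2}/bin/ip -n wg0ns link del wg0
  #     '';
  #   };
  # };
}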