Easy nixos vpn containers

This commit is contained in:
Zuckerberg 2022-04-09 01:01:14 -04:00
parent 809dd0b5eb
commit 3158f8c3af
2 changed files with 16 additions and 8 deletions


@ -37,7 +37,7 @@
let let
nixpkgs = inputs.nixpkgs; nixpkgs = inputs.nixpkgs;
modules = [ modules = system: [
./common ./common
inputs.simple-nixos-mailserver.nixosModule inputs.simple-nixos-mailserver.nixosModule
inputs.agenix.nixosModule inputs.agenix.nixosModule
@ -52,7 +52,7 @@
}) })
]; ];
mkVpnContainer = container_config: { mkVpnContainer = system: pkgs: mount: config: {
ephemeral = true; ephemeral = true;
autoStart = true; autoStart = true;
bindMounts = { bindMounts = {
@ -68,14 +68,20 @@
hostPath = "/dev/fuse"; hostPath = "/dev/fuse";
isReadOnly = false; isReadOnly = false;
}; };
"${mount}" = {
hostPath = mount;
isReadOnly = false;
};
}; };
enableTun = true; enableTun = true;
privateNetwork = true; privateNetwork = true;
hostAddress = "172.16.100.1"; hostAddress = "172.16.100.1";
localAddress = "172.16.100.2"; localAddress = "172.16.100.2";
config = { config, pkgs, lib, ... }: { config = { lib, ... }: {
imports = modules ++ [container_config]; imports = (modules system) ++ [config];
nixpkgs.pkgs = pkgs;
networking.firewall.enable = lib.mkForce false; networking.firewall.enable = lib.mkForce false;
pia.enable = true; pia.enable = true;
@ -89,10 +95,10 @@
mkSystem = system: nixpkgs: path: mkSystem = system: nixpkgs: path:
nixpkgs.lib.nixosSystem { nixpkgs.lib.nixosSystem {
inherit system; inherit system;
modules = [path] ++ modules; modules = (modules system) ++ [path];
specialArgs = { specialArgs = {
inherit mkVpnContainer; mkVpnContainer = (mkVpnContainer system);
}; };
}; };
in in
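Review bot: The new `mount` parameter of mkVpnContainer (the -68,14 +68,20 hunk) is turned into a bind mount unconditionally, `"${mount}" = { hostPath = mount; isReadOnly = false; };`, so a container that needs no extra mount has no way to say so; the only caller, `containers.vpn` in the second file, passes "/dev/null", which bind-mounts the host's /dev/null into the container read-write. Accepting `null` and merging the entry only when a path is given avoids the sentinel, e.g. `bindMounts = { ... } // nixpkgs.lib.optionalAttrs (mount != null) { "${mount}" = { hostPath = mount; isReadOnly = false; }; };` (nixpkgs is let-bound in the -37 hunk). It is also worth stating in a comment why a caller-supplied host path is mounted read-write rather than read-only, since that is the default every caller inherits. The body of mkVpnContainer starts in the -52 hunk and continues past the end of the -68 hunk.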


@ -121,12 +121,14 @@ in {
}; };
# wrap radio in a VPN # wrap radio in a VPN
containers.vpn-container = mkVpnContainer { containers.vpn = mkVpnContainer pkgs "/dev/null" {
services.radio = { services.radio = {
enable = true; enable = true;
host = "radio.neet.space"; host = "radio.neet.space";
}; };
}; };
# containers cannot unlock their own secrets right now. unlock it here
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
services.drastikbot = { services.drastikbot = {
enable = true; enable = true;
@ -262,7 +264,7 @@ in {
networking.nat.enable = true; networking.nat.enable = true;
networking.nat.internalInterfaces = [ networking.nat.internalInterfaces = [
"dns0" # iodine "dns0" # iodine
"ve-vpn-continer" # vpn container "ve-vpn" # vpn container
]; ];
networking.nat.externalInterface = "enp1s0"; networking.nat.externalInterface = "enp1s0";
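Review bot: The new comment above `age.secrets."pia-login.conf".file` says the host unlocks the secret because the container cannot, but not how the container then reaches the decrypted file; nothing in this hunk shows the path, so presumably a bind mount in mkVpnContainer (outside the shown hunks) exposes it. Naming that in the comment would spare the next reader a search, e.g. `# containers cannot unlock their own secrets right now. unlock it here; the container reads the decrypted file through a bind mount in mkVpnContainer (path: TODO confirm)`. Since no `owner`/`mode` is given, the agenix defaults apply to the decrypted file; a short note confirming that the container's pia service runs as a user able to read it would also help.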