Easy nixos vpn containers

2022-04-09 01:01:14 -04:00 · 2022-04-09 01:01:14 -04:00 · 3158f8c3af
commit 3158f8c3af
parent 809dd0b5eb
2 changed files with 16 additions and 8 deletions
--- a/flake.nix
+++ b/flake.nix
@ -37,7 +37,7 @@
    let
      nixpkgs = inputs.nixpkgs;

-      modules = [
+      modules = system: [
        ./common
        inputs.simple-nixos-mailserver.nixosModule
        inputs.agenix.nixosModule
@ -52,7 +52,7 @@
        })
      ];

-      mkVpnContainer = container_config: {
+      mkVpnContainer = system: pkgs: mount: config: {
        ephemeral = true;
        autoStart = true;
        bindMounts = {
@ -68,14 +68,20 @@
            hostPath = "/dev/fuse";
            isReadOnly = false;
          };
+          "${mount}" = {
+            hostPath = mount;
+            isReadOnly = false;
+          };
        };
        enableTun = true;
        privateNetwork = true;
        hostAddress = "172.16.100.1";
        localAddress = "172.16.100.2";

-        config = { config, pkgs, lib, ... }: {
-          imports = modules ++ [container_config];
+        config = { lib, ... }: {
+          imports = (modules system) ++ [config];
+
+          nixpkgs.pkgs = pkgs;

          networking.firewall.enable = lib.mkForce false;
          pia.enable = true;
@ -89,10 +95,10 @@
      mkSystem = system: nixpkgs: path:
        nixpkgs.lib.nixosSystem {
          inherit system;
-          modules = [path] ++ modules;
+          modules = (modules system) ++ [path];

          specialArgs = {
-            inherit mkVpnContainer;
+            mkVpnContainer = (mkVpnContainer system);
          };
        };
    in
--- a/machines/liza/configuration.nix
+++ b/machines/liza/configuration.nix
@ -121,12 +121,14 @@ in {
  };

  # wrap radio in a VPN
-  containers.vpn-container = mkVpnContainer {
+  containers.vpn = mkVpnContainer pkgs "/dev/null" {
    services.radio = {
      enable = true;
      host = "radio.neet.space";
    };
  };
+  # containers cannot unlock their own secrets right now. unlock it here
+  age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;

  services.drastikbot = {
    enable = true;
@ -262,7 +264,7 @@ in {
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [
    "dns0" # iodine
-    "ve-vpn-continer" # vpn container
+    "ve-vpn" # vpn container
  ];
  networking.nat.externalInterface = "enp1s0";