From 7e615f814d4a6a4c901b05cc9f54c7d1e35c725b Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Sat, 28 May 2022 18:54:41 -0400
Subject: [PATCH] Rewrite VPN container
---
common/default.nix | 4 +-
common/network/default.nix | 10 +++
common/{ => network}/hosts.nix | 2 +-
common/{pia.nix => network/pia-openvpn.nix} | 2 +-
common/network/vpn.nix | 97 +++++++++++++++++++++
common/{ => network}/vpnfailsafe.sh | 0
common/{ => network}/zerotier.nix | 0
flake.lock | 10 +--
flake.nix | 48 ++--------
machines/liza/configuration.nix | 2 +-
machines/ponyo/configuration.nix | 11 +--
machines/ponyo/hardware-configuration.nix | 2 +-
machines/storage/s0/configuration.nix | 21 ++---
13 files changed, 132 insertions(+), 77 deletions(-)
create mode 100644 common/network/default.nix
rename common/{ => network}/hosts.nix (97%)
rename common/{pia.nix => network/pia-openvpn.nix} (98%)
create mode 100644 common/network/vpn.nix
rename common/{ => network}/vpnfailsafe.sh (100%)
rename common/{ => network}/zerotier.nix (100%)
diff --git a/common/default.nix b/common/default.nix
index f7a71cf..e835723 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -5,10 +5,8 @@ let
 in {
 imports = [
 ./flakes.nix
- ./pia.nix
- ./zerotier.nix
 ./auto-update.nix
- ./hosts.nix
+ ./network
 ./boot
 ./server
 ./pc
diff --git a/common/network/default.nix b/common/network/default.nix
new file mode 100644
index 0000000..7f87dc5
--- /dev/null
+++ b/common/network/default.nix
@@ -0,0 +1,10 @@
+{ config, lib, ... }:
+
+{
+ imports = [
+ ./hosts.nix
+ ./pia-openvpn.nix
+ ./vpn.nix
+ ./zerotier.nix
+ ];
+}
\ No newline at end of file
diff --git a/common/hosts.nix b/common/network/hosts.nix
similarity index 97%
rename from common/hosts.nix
rename to common/network/hosts.nix
index ef96079..a8d80d2 100644
--- a/common/hosts.nix
+++ b/common/network/hosts.nix
@@ -1,7 +1,7 @@
 { config, lib, ... }:
 let
- system = (import ./ssh.nix).system;
+ system = (import ../ssh.nix).system;
 in {
 networking.hosts = {
 # some DNS providers filter local ip results from DNS request
diff --git a/common/pia.nix b/common/network/pia-openvpn.nix
similarity index 98%
rename from common/pia.nix
rename to common/network/pia-openvpn.nix
index a3d55d5..52255d7 100644
--- a/common/pia.nix
+++ b/common/network/pia-openvpn.nix
@@ -108,6 +108,6 @@ in
 };
 };
 };
- age.secrets."pia-login.conf".file = ../secrets/pia-login.conf;
+ age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
 };
 }
\ No newline at end of file
diff --git a/common/network/vpn.nix b/common/network/vpn.nix
new file mode 100644
index 0000000..d991e8a
--- /dev/null
+++ b/common/network/vpn.nix
@@ -0,0 +1,97 @@
+{ config, pkgs, lib, allModules, ... }:
+
+with lib;
+
+let
+ cfg = config.vpn-container;
+in
+{
+ options.vpn-container = {
+ enable = mkEnableOption "Enable VPN container";
+
+ containerName = mkOption {
+ type = types.str;
+ default = "vpn";
+ description = ''
+ Name of the VPN container.
+ '';
+ };
+
+ mounts = mkOption {
+ type = types.listOf types.str;
+ default = [ "/var/lib" ];
+ example = "/home/example";
+ description = ''
+ List of mounts on the host to bind to the vpn container.
+ '';
+ };
+
+ config = mkOption {
+ type = types.anything;
+ default = {};
+ example = ''
+ {
+ services.nginx.enable = true;
+ }
+ '';
+ description = ''
+ NixOS config for the vpn container.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ containers.${cfg.containerName} = {
+ ephemeral = true;
+ autoStart = true;
+
+ bindMounts = mkMerge ([{
+ "/run/agenix" = {
+ hostPath = "/run/agenix";
+ isReadOnly = true;
+ };
+ }] ++ (lists.forEach cfg.mounts (mount:
+ {
+ "${mount}" = {
+ hostPath = mount;
+ isReadOnly = false;
+ };
+ }
+ )));
+
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "172.16.100.1";
+ localAddress = "172.16.100.2";
+
+ config = {
+ imports = allModules ++ [cfg.config];
+
+ nixpkgs.pkgs = pkgs;
+
+ networking.firewall.enable = mkForce false;
+
+ pia.enable = true;
+ pia.server = "swiss.privacy.network"; # swiss vpn
+
+ # run it's own DNS resolver
+ networking.useHostResolvConf = false;
+ services.resolved.enable = true;
+ };
+ };
+
+ # load secrets the container needs
+ age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
+
+ # forwarding for vpn container
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = [
+ "ve-${cfg.containerName}"
+ ];
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+ # assumes only one potential interface
+ networking.usePredictableInterfaceNames = false;
+ networking.nat.externalInterface = "eth0";
+ };
+}
\ No newline at end of file
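Review bot: The `"/run/agenix"` bind mount combined with `age.secrets = config.containers.${cfg.containerName}.config.age.secrets;` gives the container read access to every secret the host decrypts, not only the ones the container declares — the mount covers the whole host directory, so a service running inside the container (servarr, radio) could read unrelated host secrets such as the iodine key that ponyo's configuration decrypts. Mounting only the files the container's own `age.secrets` entries resolve to, as in the excerpt below, keeps the trust boundary aligned with the `# load secrets the container needs` comment; this assumes the host copy of each secret keeps the same `path`, which holds because the host takes the container's attribute set unchanged. Separately, `mounts` defaults to the host's entire `/var/lib` read-write, which lets the ephemeral container rewrite other host services' state; a narrower default (only the state directories of the services placed inside) would preserve the isolation the container is meant to provide. The `example` for `mounts` should also be a list to match `types.listOf types.str`: `example = [ "/home/example" ];`.
```nix
      bindMounts = mkMerge ([
        # expose only the secrets the container itself declares, not the whole host /run/agenix
        (mapAttrs' (name: secret: nameValuePair secret.path {
          hostPath = secret.path;
          isReadOnly = true;
        }) config.containers.${cfg.containerName}.config.age.secrets)
      ] ++ (lists.forEach cfg.mounts (mount:
      # … unchanged: per-mount bind entries …
```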
diff --git a/common/vpnfailsafe.sh b/common/network/vpnfailsafe.sh
similarity index 100%
rename from common/vpnfailsafe.sh
rename to common/network/vpnfailsafe.sh
diff --git a/common/zerotier.nix b/common/network/zerotier.nix
similarity index 100%
rename from common/zerotier.nix
rename to common/network/zerotier.nix
diff --git a/flake.lock b/flake.lock
index fae80fd..a5295fe 100644
--- a/flake.lock
+++ b/flake.lock
@@ -121,15 +121,15 @@
 ]
 },
 "locked": {
- "lastModified": 1647808006,
- "narHash": "sha256-aBlJcylH7/MDiu0RVEiUwV1XufGfVk4OvsFutImCszY=",
- "owner": "bennofs",
+ "lastModified": 1652819416,
+ "narHash": "sha256-OzYSb66kQUVP1FM0E7Z0ij13mm14DkJi79FAMprAavo=",
+ "owner": "googlebot42",
 "repo": "nix-index",
- "rev": "e7c66ba52fcfba6bfe51adb5400c29a9622664a2",
+ "rev": "a28bb3175d370c6cb9569e6d4b5570e9ca016a3e",
 "type": "github"
 },
 "original": {
- "owner": "bennofs",
+ "owner": "googlebot42",
 "repo": "nix-index",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index a368be0..9199890 100644
--- a/flake.nix
+++ b/flake.nix
@@ -56,53 +56,15 @@
 })
 ];
- mkVpnContainer = system: pkgs: mount: config: {
- ephemeral = true;
- autoStart = true;
- bindMounts = {
- "/var/lib" = {
- hostPath = "/var/lib/";
- isReadOnly = false;
- };
- "/run/agenix" = {
- hostPath = "/run/agenix";
- isReadOnly = true;
- };
- "/dev/fuse" = {
- hostPath = "/dev/fuse";
- isReadOnly = false;
- };
- "${mount}" = {
- hostPath = mount;
- isReadOnly = false;
- };
- };
- enableTun = true;
- privateNetwork = true;
- hostAddress = "172.16.100.1";
- localAddress = "172.16.100.2";
-
- config = { lib, ... }: {
- imports = (modules system) ++ [config];
-
- nixpkgs.pkgs = pkgs;
-
- networking.firewall.enable = lib.mkForce false;
- pia.enable = true;
-
- # run it's own DNS resolver
- networking.useHostResolvConf = false;
- services.resolved.enable = true;
- };
- };
-
 mkSystem = system: nixpkgs: path:
- nixpkgs.lib.nixosSystem {
+ let
+ allModules = modules system;
+ in nixpkgs.lib.nixosSystem {
 inherit system;
- modules = (modules system) ++ [path];
+ modules = allModules ++ [path];
 specialArgs = {
- mkVpnContainer = (mkVpnContainer system);
+ inherit allModules;
 };
 };
 in
diff --git a/machines/liza/configuration.nix b/machines/liza/configuration.nix
index 6807237..3242a5c 100644
--- a/machines/liza/configuration.nix
+++ b/machines/liza/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, mkVpnContainer, ... }:
+{ config, pkgs, lib, ... }:
 {
 imports =[
diff --git a/machines/ponyo/configuration.nix b/machines/ponyo/configuration.nix
index 552d3f9..1857fe4 100644
--- a/machines/ponyo/configuration.nix
+++ b/machines/ponyo/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, mkVpnContainer, ... }:
+{ config, pkgs, lib, ... }:
 {
 imports =[
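Review bot: The removed `mkVpnContainer` bind-mounted `/dev/fuse` read-write in addition to `/var/lib`, while the replacement module in common/network/vpn.nix mounts only `/var/lib` by default, so any workload inside the VPN container that opened the fuse device will stop working after this commit. If dropping it is intentional the commit message should say so; if not, add it to the module's defaults or to `vpn-container.mounts` on the host that needs it. A short comment at `inherit allModules;`, such as `# consumed by common/network/vpn.nix to build the container's module list`, would also tell the next reader why a flake-level argument is threaded through `specialArgs`. The enclosing `let` block of the flake outputs starts outside the hunk.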
@@ -55,14 +55,13 @@
 };
 # wrap radio in a VPN
- containers.vpn = mkVpnContainer pkgs "/dev/null" {
+ vpn-container.enable = true;
+ vpn-container.config = {
 services.radio = {
 enable = true;
 host = "radio.runyan.org";
 };
 };
- # containers cannot unlock their own secrets right now. unlock it here
- age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
 # icecast endpoint + website
 services.nginx.virtualHosts."radio.runyan.org" = {
@@ -131,13 +130,9 @@
 age.secrets.iodine.file = ../../secrets/iodine.age;
 networking.firewall.allowedUDPPorts = [ 53 ];
- boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
- networking.nat.enable = true;
 networking.nat.internalInterfaces = [
 "dns0" # iodine
- "ve-vpn" # vpn container
 ];
- networking.nat.externalInterface = "ens3";
 services.nginx.enable = true;
 services.nginx.virtualHosts."jellyfin.neet.cloud" = {
diff --git a/machines/ponyo/hardware-configuration.nix b/machines/ponyo/hardware-configuration.nix
index 5d58f4e..d6f141e 100644
--- a/machines/ponyo/hardware-configuration.nix
+++ b/machines/ponyo/hardware-configuration.nix
@@ -31,7 +31,7 @@
 # Per-interface useDHCP will be mandatory in the future, so this generated config
 # replicates the default behaviour.
 networking.useDHCP = lib.mkDefault false;
- networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+ networking.interfaces.eth0.useDHCP = lib.mkDefault true;
 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
\ No newline at end of file
diff --git a/machines/storage/s0/configuration.nix b/machines/storage/s0/configuration.nix
index eefb9f5..96d6efc 100644
--- a/machines/storage/s0/configuration.nix
+++ b/machines/storage/s0/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, mkVpnContainer, ... }:
+{ config, pkgs, lib, ... }:
 {
 imports =[
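Review bot: `networking.nat.enable = true;` and `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` are removed from ponyo while `"dns0" # iodine` stays in `networking.nat.internalInterfaces`, so the iodine tunnel's forwarding now exists only because common/network/vpn.nix sets both under `mkIf cfg.enable`; turning the VPN container off on this host would silently stop NAT for the iodine interface. Keep `networking.nat.enable = true;` in ponyo's own configuration so the iodine path does not depend on an unrelated option. The same coupling appears in hardware-configuration.nix, where `ens3` becomes `eth0` only because the module forces `networking.usePredictableInterfaceNames = false`; a comment there such as `# eth0: common/network/vpn.nix disables predictable interface names` would record why a generated file was edited by hand. Both enclosing attribute sets start and end outside these hunks.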
@@ -42,10 +42,12 @@
 users.users.googlebot.extraGroups = [ "transmission" ];
 users.groups.transmission.gid = config.ids.gids.transmission;
- containers.vpn = mkVpnContainer pkgs "/data/samba/Public/Plex" {
- # swiss vpn
- pia.server = "swiss.privacy.network";
-
+ vpn-container.enable = true;
+ vpn-container.mounts = [
+ "/var/lib"
+ "/data/samba/Public/Plex"
+ ];
+ vpn-container.config = {
 # servarr services
 services.prowlarr.enable = true;
 services.sonarr.enable = true;
@@ -119,15 +121,6 @@
 uid = 994;
 };
 };
- # containers cannot unlock their own secrets right now. unlock it here
- age.secrets."pia-login.conf".file = ../../../secrets/pia-login.conf;
- boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
- # forwarding for vpn container
- networking.nat.enable = true;
- networking.nat.internalInterfaces = [
- "ve-vpn" # vpn container
- ];
- networking.nat.externalInterface = "eth0";
 # unpackerr
 # flaresolverr
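Review bot: `vpn-container.mounts` has to repeat `"/var/lib"` because assigning the list replaces the option's default rather than extending it, and nothing in the option's description in vpn.nix says so; a host that lists only its data path would lose the `/var/lib` mount without any error. Either state it in the description, `List of host paths bound read-write into the container; setting this replaces the default [ "/var/lib" ].`, or keep a fixed default and add an `extraMounts` list for per-host additions. The removed `pia.server = "swiss.privacy.network";` is now hard-coded in vpn.nix, so the server choice applies to every host that enables the module, including ponyo, which appears to have used the pia default before; a module option would keep that choice per host. The enclosing attribute set starts and ends outside the hunk.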