Rewrite VPN container

2022-05-28 18:54:41 -04:00 · 2022-05-28 18:54:41 -04:00 · 7e615f814d
commit 7e615f814d
parent c560a63182
13 changed files with 132 additions and 77 deletions
--- a/common/default.nix
+++ b/common/default.nix
@ -5,10 +5,8 @@ let
 in {
  imports = [
    ./flakes.nix
-    ./pia.nix
-    ./zerotier.nix
    ./auto-update.nix
-    ./hosts.nix
+    ./network
    ./boot
    ./server
    ./pc
--- a/common/network/default.nix
+++ b/common/network/default.nix
@ -0,0 +1,10 @@
+{ config, lib, ... }:
+
+{
+  imports = [
+    ./hosts.nix
+    ./pia-openvpn.nix
+    ./vpn.nix
+    ./zerotier.nix
+  ];
+}
--- a/common/network/hosts.nix
+++ b/common/network/hosts.nix
@ -1,7 +1,7 @@
 { config, lib, ... }:

 let
-  system = (import ./ssh.nix).system;
+  system = (import ../ssh.nix).system;
 in {
  networking.hosts = {
    # some DNS providers filter local ip results from DNS request
--- a/common/network/pia-openvpn.nix
+++ b/common/network/pia-openvpn.nix
@ -108,6 +108,6 @@ in
        };
      };
    };
-    age.secrets."pia-login.conf".file = ../secrets/pia-login.conf;
+    age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
  };
 }
--- a/common/network/vpn.nix
+++ b/common/network/vpn.nix
@ -0,0 +1,97 @@
+{ config, pkgs, lib, allModules, ... }:
+
+with lib;
+
+let
+  cfg = config.vpn-container;
+in
+{
+  options.vpn-container = {
+    enable = mkEnableOption "Enable VPN container";
+
+    containerName = mkOption {
+      type = types.str;
+      default = "vpn";
+      description = ''
+        Name of the VPN container.
+      '';
+    };
+
+    mounts = mkOption {
+      type = types.listOf types.str;
+      default = [ "/var/lib" ];
+      example = "/home/example";
+      description = ''
+        List of mounts on the host to bind to the vpn container.
+      '';
+    };
+
+    config = mkOption {
+      type = types.anything;
+      default = {};
+      example = ''
+        {
+          services.nginx.enable = true;
+        }
+      '';
+      description = ''
+        NixOS config for the vpn container.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    containers.${cfg.containerName} = {
+      ephemeral = true;
+      autoStart = true;
+
+      bindMounts = mkMerge ([{
+        "/run/agenix" = {
+          hostPath = "/run/agenix";
+          isReadOnly = true;
+        };
+      }] ++ (lists.forEach cfg.mounts (mount:
+        {
+          "${mount}" = {
+            hostPath = mount;
+            isReadOnly = false;
+          };
+        }
+      )));
+
+      enableTun = true;
+      privateNetwork = true;
+      hostAddress = "172.16.100.1";
+      localAddress = "172.16.100.2";
+
+      config = {
+        imports = allModules ++ [cfg.config];
+
+        nixpkgs.pkgs = pkgs;
+
+        networking.firewall.enable = mkForce false;
+
+        pia.enable = true;
+        pia.server = "swiss.privacy.network"; # swiss vpn
+
+        # run it's own DNS resolver
+        networking.useHostResolvConf = false;
+        services.resolved.enable = true;
+      };
+    };
+
+    # load secrets the container needs
+    age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
+
+    # forwarding for vpn container
+    networking.nat.enable = true;
+    networking.nat.internalInterfaces = [
+      "ve-${cfg.containerName}"
+    ];
+    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+    # assumes only one potential interface
+    networking.usePredictableInterfaceNames = false;
+    networking.nat.externalInterface = "eth0";
+  };
+}
--- a/common/network/vpnfailsafe.sh
+++ b/common/network/vpnfailsafe.sh
--- a/common/network/zerotier.nix
+++ b/common/network/zerotier.nix
--- a/flake.lock
+++ b/flake.lock
@ -121,15 +121,15 @@
        ]
      },
      "locked": {
-        "lastModified": 1647808006,
-        "narHash": "sha256-aBlJcylH7/MDiu0RVEiUwV1XufGfVk4OvsFutImCszY=",
-        "owner": "bennofs",
+        "lastModified": 1652819416,
+        "narHash": "sha256-OzYSb66kQUVP1FM0E7Z0ij13mm14DkJi79FAMprAavo=",
+        "owner": "googlebot42",
        "repo": "nix-index",
-        "rev": "e7c66ba52fcfba6bfe51adb5400c29a9622664a2",
+        "rev": "a28bb3175d370c6cb9569e6d4b5570e9ca016a3e",
        "type": "github"
      },
      "original": {
-        "owner": "bennofs",
+        "owner": "googlebot42",
        "repo": "nix-index",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -56,53 +56,15 @@
        })
      ];

-      mkVpnContainer = system: pkgs: mount: config: {
-        ephemeral = true;
-        autoStart = true;
-        bindMounts = {
-          "/var/lib" = {
-            hostPath = "/var/lib/";
-            isReadOnly = false;
-          };
-          "/run/agenix" = {
-            hostPath = "/run/agenix";
-            isReadOnly = true;
-          };
-          "/dev/fuse" = {
-            hostPath = "/dev/fuse";
-            isReadOnly = false;
-          };
-          "${mount}" = {
-            hostPath = mount;
-            isReadOnly = false;
-          };
-        };
-        enableTun = true;
-        privateNetwork = true;
-        hostAddress = "172.16.100.1";
-        localAddress = "172.16.100.2";
-
-        config = { lib, ... }: {
-          imports = (modules system) ++ [config];
-
-          nixpkgs.pkgs = pkgs;
-
-          networking.firewall.enable = lib.mkForce false;
-          pia.enable = true;
-
-          # run it's own DNS resolver
-          networking.useHostResolvConf = false;
-          services.resolved.enable = true;
-        };
-      };
-
      mkSystem = system: nixpkgs: path:
-        nixpkgs.lib.nixosSystem {
+        let
+          allModules = modules system;
+        in nixpkgs.lib.nixosSystem {
          inherit system;
-          modules = (modules system) ++ [path];
+          modules = allModules ++ [path];

          specialArgs = {
-            mkVpnContainer = (mkVpnContainer system);
+            inherit allModules;
          };
        };
    in
--- a/machines/liza/configuration.nix
+++ b/machines/liza/configuration.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, mkVpnContainer, ... }:
+{ config, pkgs, lib, ... }:

 {
  imports =[
--- a/machines/ponyo/configuration.nix
+++ b/machines/ponyo/configuration.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, mkVpnContainer, ... }:
+{ config, pkgs, lib, ... }:

 {
  imports =[
@ -55,14 +55,13 @@
  };

  # wrap radio in a VPN
-  containers.vpn = mkVpnContainer pkgs "/dev/null" {
+  vpn-container.enable = true;
+  vpn-container.config = {
    services.radio = {
      enable = true;
      host = "radio.runyan.org";
    };
  };
-  # containers cannot unlock their own secrets right now. unlock it here
-  age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;

  # icecast endpoint + website
  services.nginx.virtualHosts."radio.runyan.org" = {
@ -131,13 +130,9 @@
  age.secrets.iodine.file = ../../secrets/iodine.age;
  networking.firewall.allowedUDPPorts = [ 53 ];

-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  networking.nat.enable = true;
  networking.nat.internalInterfaces = [
    "dns0" # iodine
-    "ve-vpn" # vpn container
  ];
-  networking.nat.externalInterface = "ens3";

  services.nginx.enable = true;
  services.nginx.virtualHosts."jellyfin.neet.cloud" = {
--- a/machines/ponyo/hardware-configuration.nix
+++ b/machines/ponyo/hardware-configuration.nix
@ -31,7 +31,7 @@
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = lib.mkDefault false;
-  networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+  networking.interfaces.eth0.useDHCP = lib.mkDefault true;

  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/machines/storage/s0/configuration.nix
+++ b/machines/storage/s0/configuration.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, mkVpnContainer, ... }:
+{ config, pkgs, lib, ... }:

 {
  imports =[
@ -42,10 +42,12 @@
  users.users.googlebot.extraGroups = [ "transmission" ];
  users.groups.transmission.gid = config.ids.gids.transmission;

-  containers.vpn = mkVpnContainer pkgs "/data/samba/Public/Plex" {
-    # swiss vpn
-    pia.server = "swiss.privacy.network";
-
+  vpn-container.enable = true;
+  vpn-container.mounts = [
+    "/var/lib"
+    "/data/samba/Public/Plex"
+  ];
+  vpn-container.config = {
    # servarr services
    services.prowlarr.enable = true;
    services.sonarr.enable = true;
@ -119,15 +121,6 @@
      uid = 994;
    };
  };
-  # containers cannot unlock their own secrets right now. unlock it here
-  age.secrets."pia-login.conf".file = ../../../secrets/pia-login.conf;
-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  # forwarding for vpn container
-  networking.nat.enable = true;
-  networking.nat.internalInterfaces = [
-    "ve-vpn" # vpn container
-  ];
-  networking.nat.externalInterface = "eth0";

  # unpackerr
  # flaresolverr