authorKjetil Orbekk <kj@orbekk.com>2023-02-26 19:21:32 -0500
committerKjetil Orbekk <kj@orbekk.com>2023-02-26 19:21:32 -0500
commitc5173c7f08c6617002e086c8936effb297ef16d8 (patch)
treedf05b2c3bb24901c79a614f61ad1237ff80b6853 /modules
parentb88fdbf4e208d4eda4b2433ec8bdeea2adea21b6 (diff)
vpn netns config
Diffstat (limited to 'modules')
-rw-r--r--modules/router.nix22
1 files changed, 21 insertions, 1 deletions
diff --git a/modules/router.nix b/modules/router.nix
index efd4f69..9d45cef 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -12,6 +12,10 @@ let
router-netns-up = pkgs.writeScript "router-netns-up" ''
#!${pkgs.bash}/bin/bash
+ if ip netns list | grep -q router; then
+ echo "Netns setup is not idempotent. Needs restart."
+ exit 0
+ fi
ip netns add router
ip netns exec router ip link set lo up
${lib.concatMapStrings (device: ''
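Review bot: The new guard at the top of router-netns-up matches any namespace whose name merely contains `router`, because the output of `ip netns list` is filtered with a substring `grep -q router`, and it checks only `router`, so a run that created `router` but failed before the `vpn` namespace added in the next hunk will exit 0 on every retry and leave `vpn` missing. Testing the namespace handles directly covers both cases: `if [ -e /var/run/netns/router ] || [ -e /var/run/netns/vpn ]; then`. Exiting 0 while printing that a restart is needed also reports success to the unit that runs the script, so the stale state is invisible to anything that monitors unit status; a non-zero exit, or a message that names which namespace already exists, would make it visible. The script body continues outside the hunk.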
@@ -19,6 +23,11 @@ let
'')
devices}
ip link add router-vport type veth peer name dragon-vport netns router
+ ip link add vpn-vport type veth peer name dragon-vpn-vport netns router
+
+ ip netns add vpn
+ ip netns exec vpn ip link set lo up
+ ip link set vpn-vport netns vpn
ip netns exec router ${pkgs.procps}/bin/sysctl -w net.ipv4.conf.default.forwarding=1
ip netns exec router ${pkgs.procps}/bin/sysctl -w net.ipv4.conf.all.forwarding=1
@@ -28,7 +37,6 @@ let
router-netns-down = pkgs.writeScript "router-netns-down" ''
#!${pkgs.bash}/bin/bash
- ip netns del router
'';
router-config = { config, lib, pkgs, ... }: {
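Review bot: With `ip netns del router` removed, router-netns-down is now an empty script, so neither `router` nor the newly added `vpn` namespace is ever torn down, and together with the guard added to router-netns-up this means any later change to the namespace setup (new veth pairs, the vpn namespace itself) only takes effect after a host reboot. If the deletion was dropped deliberately because the containers bind `/var/run/netns/*` and deleting a namespace under a running container is unsafe, that reasoning should be recorded in the script so the no-op is not mistaken for an oversight, e.g. `# Intentionally a no-op: the router and vpn namespaces are kept across restarts (see the guard in router-netns-up) — TODO confirm`. Otherwise the down script should delete both namespaces, mirroring the up script. The heredoc is cut at both ends of the hunk.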
@@ -44,6 +52,7 @@ let
interfaces.servers-vport = { vlan = 20; type = "internal"; };
interfaces.admin-vport = { vlan = 255; type = "internal"; };
interfaces.dragon-vport = { vlan = 20; };
+ interfaces.dragon-vpn-vport = { vlan = 30; type = "internal"; };
extraOvsctlCmds = ''
add-bond kjlan bond0 eno1 eno2 lacp=active
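Review bot: `interfaces.dragon-vpn-vport` is declared with `type = "internal"`, while `dragon-vport` on the line above it, which is likewise a veth peer created by router-netns-up, carries no type; the two look like they should be declared the same way. If the module translates `type = "internal"` into an OVS internal port (the module's definition is outside this hunk), that port would share a name with the veth peer created in the router namespace, and which of the two ends up on the bridge depends on ordering. Either drop the type, `interfaces.dragon-vpn-vport = { vlan = 30; };`, or add a comment stating why this port differs from `dragon-vport`.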
@@ -275,6 +284,17 @@ in {
additionalCapabilities = ["CAP_SYS_ADMIN" "CAP_NET_ADMIN"];
};
+ containers.vpn = {
+ autoStart = true;
+ extraFlags = ["--network-namespace-path" "/var/run/netns/vpn"];
+ privateNetwork = false;
+ config = { config, lib, pkgs, ... }: {
+ system.stateVersion = "22.11";
+ networking.interfaces.vpn-vport.useDHCP = true;
+ };
+ additionalCapabilities = ["CAP_NET_ADMIN"];
+ };
+
services.ddclient = {
enable = true;
configFile = "/opt/secret/he-ddclient.conf";
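Review bot: `containers.vpn` joins the namespace at `/var/run/netns/vpn` via `extraFlags` and is set to `autoStart = true`, but nothing in the hunk orders the container after the unit that runs router-netns-up, so at boot the nspawn start can race the creation of that path and fail; if the existing router container (its definition ends just above this hunk) already carries such an ordering, the same should be applied here. The NixOS template unit is `container@vpn`, so an ordering such as `systemd.services."container@vpn" = { after = [ "<netns-setup-unit>.service" ]; requires = [ "<netns-setup-unit>.service" ]; };` with the real unit name substituted would close the race. A short comment on `additionalCapabilities` noting that `CAP_NET_ADMIN` is granted for interface management inside the vpn namespace only (that appears to be the intent of `privateNetwork = false` plus the namespace path) would also help the next reader judge whether the capability is still needed. The enclosing attribute set begins outside the hunk.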