Nix configurations for my homelab
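{ config, lib, ... }:
let
  hostName = config.networking.hostName;

  # Host uplink that masquerades the container's traffic, keyed by host name.
  # Looking the host up in an attrset (instead of an if/else chain that ends
  # in "") makes an unknown host fail at evaluation time with a clear message;
  # an empty interface name would otherwise only surface when the NAT rules
  # are activated, as a broken `oifname`/`-o` match.
  natUplinks = {
    lutea = "enp7s0";
    lily = "enp0s31f6";
  };
  externalInterface =
    natUplinks.${hostName}
      or (throw "vpn container: no NAT uplink configured for host '${hostName}'");
in
{
  # WireGuard key material is decrypted by sops on the host and handed to the
  # container through the read-only bind mounts below.  systemd-networkd is
  # what reads the files inside the container, hence the ownership; this
  # assumes host uids are visible unchanged inside the container — TODO
  # confirm if user namespacing is ever enabled for it.
  sops.secrets = {
    "protonvpn-torrent/private-key" = {
      owner = "systemd-network";
      group = "systemd-network";
    };
    "protonvpn-torrent/public-key" = {
      owner = "systemd-network";
      group = "systemd-network";
    };
  };

  imports = [ ./containers.nix ];

  # Masquerade the container's veth onto the host uplink so the WireGuard
  # handshake to the endpoint can leave the box; both address families.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-vpn" ];
    inherit externalInterface;
    enableIPv6 = true;
  };

  # The host side of every container veth is configured by the container
  # tooling; keep networkd from touching it.
  systemd.network.networks."50-ignore-virtual-interfaces" = {
    matchConfig.Name = "ve-*";
    linkConfig.Unmanaged = true;
  };

  containers.vpn = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.2.1";
    localAddress = "192.168.2.2";
    hostAddress6 = "fd6c:696c:6163::1";
    localAddress6 = "fd6c:696c:6163::2";
    # Throw-away root filesystem: nothing persists across restarts except
    # what is bind-mounted in.
    ephemeral = true;
    # Decrypted key files, read-only, at fixed paths that the netdev
    # definition below refers to.
    bindMounts = {
      pubkey = {
        hostPath = config.sops.secrets."protonvpn-torrent/public-key".path;
        mountPoint = "/pubkey";
        isReadOnly = true;
      };
      privkey = {
        hostPath = config.sops.secrets."protonvpn-torrent/private-key".path;
        mountPoint = "/privkey";
        isReadOnly = true;
      };
    };
    # The container's NixOS configuration is the merge of the fragment list
    # below, so other modules can contribute fragments to it.
    config = { ... }: lib.mkMerge config.garden.container.vpn.config;
  };

  garden.container.vpn.config = [
    {
      networking = {
        useHostResolvConf = false;
        # With the tunnel as default route, return traffic looks asymmetric to
        # rp_filter; strict mode would drop it.
        firewall.checkReversePath = "loose";
        # NOTE(review): these are the host's resolvers, configured globally in
        # resolved; the VPN's resolvers are attached per link below.  Which
        # set resolved uses for ordinary lookups depends on its DNS routing —
        # verify with `resolvectl status` that queries go where intended.
        nameservers = config.networking.nameservers;
      };

      # Validated, encrypted DNS inside the container, with no fallback to
      # public resolvers.
      services.resolved = {
        enable = true;
        dnssec = "true";
        dnsovertls = "true";
        domains = [ "~." ];
        fallbackDns = [ ];
      };

      systemd.network = {
        enable = true;
        networks = {
          "50-vpn-torrent" = {
            matchConfig.Name = "vpn";
            address = [
              "2a07:b944::2:2/128"
              "10.2.0.2/32"
            ];
            gateway = [
              "2a07:b944::2:1"
              "10.2.0.1"
            ];
            dns = [
              "2a07:b944::2:1"
              "10.2.0.1"
            ];
            # Host routes for the gateways: with /128 and /32 addresses they
            # are not on-link by themselves.
            routes = [
              { Destination = "2a07:b944::2:1"; }
              { Destination = "10.2.0.1"; }
            ];
          };
        };
        netdevs."50-vpn-torrent" = {
          netdevConfig = {
            Kind = "wireguard";
            Name = "vpn";
          };
          wireguardConfig = {
            # Plain strings rather than Nix path literals: the rendered unit is
            # the same, but a path literal that ends up string-interpolated
            # would copy the key into the world-readable Nix store.
            PrivateKeyFile = "/privkey";
            # Put the AllowedIPs routes in the main table, i.e. make the
            # tunnel the container's default route.
            RouteTable = "main";
          };
          # NOTE(review): there is no kill switch.  The container presumably
          # also has a default route via hostAddress from the container
          # setup (check `ip route` inside it), so while the tunnel is down
          # traffic can egress through the host's NAT.  Consider restricting
          # egress in the container firewall to the `vpn` interface plus UDP
          # to the endpoint below.
          wireguardPeers = [
            {
              PublicKeyFile = "/pubkey";
              Endpoint = "89.222.103.6:51820";
              AllowedIPs = [
                "::/0"
                "0.0.0.0/0"
              ];
            }
          ];
        };
      };
    }
    { system.stateVersion = "25.11"; }
  ];
}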