nixy/dnscrypt2: add separate service for wg netns

common/wg_pubkey_proton

@@ -0,0 +1 @@
+g6DkXWKI/68RsLjROIwCEcyB/ZhyK5Q7OWcz1TtqER0=

nixy/configuration.nix

@@ -31,6 +31,14 @@
         sopsFile = ../common/secrets/wg_preshared.yaml;
       };
 
+      "wg_privkey_proton" = {
+        sopsFile = ./secrets/wg_privkey_proton.yaml;
+      };
+
+      "wg_endpoint_proton" = {
+        sopsFile = ./secrets/wg_privkey_proton.yaml;
+      };
+
       "borgbase_enc_key" = {
         sopsFile = ./secrets/borgbase_enc_key.yaml;
         owner = config.users.users.akill.name;
@@ -191,6 +199,102 @@
           ExecStart = "${zremap.defaultPackage.${system}}/bin/zremap %I";
         };
       };
+
+      "netns@" = {
+        description = "%I network namespace";
+        before = ["network.target"];
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+          ExecStart = "${pkgs.iproute}/bin/ip netns add %I";
+          ExecStop = "${pkgs.iproute}/bin/ip netns del %I";
+        };
+      };
+
+      "wg_proton" = {
+        description = "wg network interface";
+        bindsTo = ["netns@wg.service"];
+        requires = ["network-online.target"];
+        after = ["netns@wg.service"];
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+          ExecStart = pkgs.writers.writeBash "wg-up" ''
+            set -e
+            ENDPOINT_IP=$(${pkgs.coreutils-full}/bin/cat "${config.sops.secrets."wg_endpoint_proton".path}")
+            ${pkgs.iproute}/bin/ip link add proton_wg type wireguard
+            ${pkgs.iproute}/bin/ip link set proton_wg netns wg
+            ${pkgs.iproute}/bin/ip -n wg address add 10.2.0.2/32 dev proton_wg
+            ${pkgs.iproute}/bin/ip netns exec wg \
+              ${pkgs.wireguard-tools}/bin/wg set "proton_wg" private-key "${config.sops.secrets."wg_privkey_proton".path}"
+            ${pkgs.iproute}/bin/ip netns exec wg \
+              ${pkgs.wireguard-tools}/bin/wg set "proton_wg" peer "g6DkXWKI/68RsLjROIwCEcyB/ZhyK5Q7OWcz1TtqER0=" \
+                endpoint "$ENDPOINT_IP:51820" \
+                persistent-keepalive "25" \
+                allowed-ips "0.0.0.0/0"
+            ${pkgs.iproute}/bin/ip -n wg link set lo up
+            ${pkgs.iproute}/bin/ip -n wg link set proton_wg up
+            ${pkgs.iproute}/bin/ip -n wg route add default dev proton_wg
+          '';
+          ExecStop = pkgs.writers.writeBash "wg-down" ''
+            ${pkgs.iproute}/bin/ip -n wg route del default dev proton_wg
+            ${pkgs.iproute}/bin/ip -n wg link del proton_wg
+          '';
+        };
+      };
+
+      "dnscrypt-proxy2_proton" = {
+        description = "DNSCrypt-proxy client proton";
+        wants = [
+          "network-online.target"
+          "nss-lookup.target"
+        ];
+        before = [
+          "nss-lookup.target"
+        ];
+        after = ["wg_proton.service"];
+        bindsTo = ["netns@wg.service"];
+        serviceConfig = {
+          AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+          CacheDirectory = "dnscrypt-proxy";
+          DynamicUser = true;
+          ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${config.services.dnscrypt-proxy2.configFile}";
+          LockPersonality = true;
+          LogsDirectory = "dnscrypt-proxy";
+          MemoryDenyWriteExecute = true;
+          NetworkNamespacePath = "/var/run/netns/wg";
+          NonBlocking = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          Restart = "always";
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+          ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RuntimeDirectory = "dnscrypt-proxy";
+          StateDirectory = "dnscrypt-proxy";
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [
+            "@system-service"
+            "@chown"
+            "~@aio"
+            "~@keyring"
+            "~@memlock"
+            "~@setuid"
+            "~@timer"
+          ];
+        };
+      };
     };
 
     extraConfig = ''

nixy/secrets/wg_privkey_proton.yaml

@@ -0,0 +1,22 @@
+wg_privkey_proton: ENC[AES256_GCM,data:qVVd+1s2T3sKDi03V+eMvgqW8LAVl/yEKwtG2EMn8NhBCN7RvlttC5SeIDM=,iv:/QcrtmMjCzZRulumIz5u9oxyaRt+HUq96ZiP8ecpvAo=,tag:1DCaJqVGfg3sfvKTQnmzZA==,type:str]
+wg_endpoint_proton: ENC[AES256_GCM,data:ggoWnB6nGjGc/kSOaCo=,iv:1r5J6SO5JYH7+bMhE2lGwfFETVFeS61eCXtej0Pl07M=,tag:p+0hhQ/vqZzZML24YReA0g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdXZpL1lrOEYyYVdFTzNJ
+            SHhXRVc5Y0o4ZzN2THRjM215UWczVjZOTXg4CjBJZ2VxN0t0ZFgzTmJMeXo5SWZk
+            UjRlNmdRTVVPbHVEeXM3TWhoS0pSUTQKLS0tIEtkTURBc1A3d2lTalhmeEoxUkZj
+            K3BHZnUzN3ZrL1dFQk8rWFpZR05pbFUKObrnIpY3NR1o3/lKhTfVpQU+eQRTi7wF
+            SAjGZ5BRdCi5x1VWRxiT1Fvjqkm7kBEQFvdSvbqW2UK6lVHtWgt2Vg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-12T13:30:18Z"
+    mac: ENC[AES256_GCM,data:3UqJGcNGPZDlLA3a0uNHUI0ykDC0ByxAR2ZsrsbWQMv3BS6zyBuc+zpTHQZoIPGsAMUetuB3OuA0IQNll3abg6u2AadEQBUf1PYMWlo58txLYlAs/q0g+575F+LhDSgmDMKOFXz4HqbFP0RYTHkPnmjWPMWWY3G9o6B3Iaw5+Kc=,iv:massJRpGcH4pDZxJrpQYy80XVViyw+qFsZ8Sk9Xze08=,tag:eDvuNadKGKBS/3jauvnuFQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1