asmir/nixos_flake_config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: asmir:7a647287bbee00772317eef504d4577251b01e97
Branches Tags
asmir:master
asmir:gitea_typst
asmir:magento2
..
compare: asmir:6d08a3883f74bb4da601056ddf8c5c9ed422f442
Branches Tags
asmir:master
asmir:gitea_typst
asmir:magento2

4 Commits
7a647287bb ... 6d08a3883f

Author SHA1 Message Date
Asmir A
6d08a3883f
nixy/dnscrypt2: add separate service for wg netns 2024-05-12 15:44:59 +02:00
Asmir A
466dbc574d
nixy/sops: add vpn endpoint 2024-05-12 15:43:37 +02:00
Asmir A
cfc66a92cb
nixy/wireguard: add proton vpn with network namespace 2024-05-12 15:43:03 +02:00
Asmir A
390d3a3ddb
nixy/wireguard: add proton vpn free tier 2024-05-12 10:48:28 +02:00
3 changed files with 127 additions and 0 deletions
Show Stats Expand all files Collapse all files

1
common/wg_pubkey_proton Normal file
View File

@ -0,0 +1 @@
g6DkXWKI/68RsLjROIwCEcyB/ZhyK5Q7OWcz1TtqER0=

104
nixy/configuration.nix
View File

@ -31,6 +31,14 @@
sopsFile = ../common/secrets/wg_preshared.yaml; sopsFile = ../common/secrets/wg_preshared.yaml;
}; };
"wg_privkey_proton" = {
sopsFile = ./secrets/wg_privkey_proton.yaml;
};
"wg_endpoint_proton" = {
sopsFile = ./secrets/wg_privkey_proton.yaml;
};
"borgbase_enc_key" = { "borgbase_enc_key" = {
sopsFile = ./secrets/borgbase_enc_key.yaml; sopsFile = ./secrets/borgbase_enc_key.yaml;
owner = config.users.users.akill.name; owner = config.users.users.akill.name;
@ -191,6 +199,102 @@
ExecStart = "${zremap.defaultPackage.${system}}/bin/zremap %I"; ExecStart = "${zremap.defaultPackage.${system}}/bin/zremap %I";
}; };
}; };
"netns@" = {
description = "%I network namespace";
before = ["network.target"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute}/bin/ip netns add %I";
ExecStop = "${pkgs.iproute}/bin/ip netns del %I";
};
};
"wg_proton" = {
description = "wg network interface";
bindsTo = ["netns@wg.service"];
requires = ["network-online.target"];
after = ["netns@wg.service"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writers.writeBash "wg-up" ''
set -e
ENDPOINT_IP=$(${pkgs.coreutils-full}/bin/cat "${config.sops.secrets."wg_endpoint_proton".path}")
${pkgs.iproute}/bin/ip link add proton_wg type wireguard
${pkgs.iproute}/bin/ip link set proton_wg netns wg
${pkgs.iproute}/bin/ip -n wg address add 10.2.0.2/32 dev proton_wg
${pkgs.iproute}/bin/ip netns exec wg \
${pkgs.wireguard-tools}/bin/wg set "proton_wg" private-key "${config.sops.secrets."wg_privkey_proton".path}"
${pkgs.iproute}/bin/ip netns exec wg \
${pkgs.wireguard-tools}/bin/wg set "proton_wg" peer "g6DkXWKI/68RsLjROIwCEcyB/ZhyK5Q7OWcz1TtqER0=" \
endpoint "$ENDPOINT_IP:51820" \
persistent-keepalive "25" \
allowed-ips "0.0.0.0/0"
${pkgs.iproute}/bin/ip -n wg link set lo up
${pkgs.iproute}/bin/ip -n wg link set proton_wg up
${pkgs.iproute}/bin/ip -n wg route add default dev proton_wg
'';
ExecStop = pkgs.writers.writeBash "wg-down" ''
${pkgs.iproute}/bin/ip -n wg route del default dev proton_wg
${pkgs.iproute}/bin/ip -n wg link del proton_wg
'';
};
};
"dnscrypt-proxy2_proton" = {
description = "DNSCrypt-proxy client proton";
wants = [
"network-online.target"
"nss-lookup.target"
];
before = [
"nss-lookup.target"
];
after = ["wg_proton.service"];
bindsTo = ["netns@wg.service"];
serviceConfig = {
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
CacheDirectory = "dnscrypt-proxy";
DynamicUser = true;
ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${config.services.dnscrypt-proxy2.configFile}";
LockPersonality = true;
LogsDirectory = "dnscrypt-proxy";
MemoryDenyWriteExecute = true;
NetworkNamespacePath = "/var/run/netns/wg";
NonBlocking = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
Restart = "always";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RuntimeDirectory = "dnscrypt-proxy";
StateDirectory = "dnscrypt-proxy";
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@chown"
"~@aio"
"~@keyring"
"~@memlock"
"~@setuid"
"~@timer"
];
};
};
}; };
extraConfig = '' extraConfig = ''

22
nixy/secrets/wg_privkey_proton.yaml Normal file
View File

@ -0,0 +1,22 @@
wg_privkey_proton: ENC[AES256_GCM,data:qVVd+1s2T3sKDi03V+eMvgqW8LAVl/yEKwtG2EMn8NhBCN7RvlttC5SeIDM=,iv:/QcrtmMjCzZRulumIz5u9oxyaRt+HUq96ZiP8ecpvAo=,tag:1DCaJqVGfg3sfvKTQnmzZA==,type:str]
wg_endpoint_proton: ENC[AES256_GCM,data:ggoWnB6nGjGc/kSOaCo=,iv:1r5J6SO5JYH7+bMhE2lGwfFETVFeS61eCXtej0Pl07M=,tag:p+0hhQ/vqZzZML24YReA0g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdXZpL1lrOEYyYVdFTzNJ
SHhXRVc5Y0o4ZzN2THRjM215UWczVjZOTXg4CjBJZ2VxN0t0ZFgzTmJMeXo5SWZk
UjRlNmdRTVVPbHVEeXM3TWhoS0pSUTQKLS0tIEtkTURBc1A3d2lTalhmeEoxUkZj
K3BHZnUzN3ZrL1dFQk8rWFpZR05pbFUKObrnIpY3NR1o3/lKhTfVpQU+eQRTi7wF
SAjGZ5BRdCi5x1VWRxiT1Fvjqkm7kBEQFvdSvbqW2UK6lVHtWgt2Vg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-12T13:30:18Z"
mac: ENC[AES256_GCM,data:3UqJGcNGPZDlLA3a0uNHUI0ykDC0ByxAR2ZsrsbWQMv3BS6zyBuc+zpTHQZoIPGsAMUetuB3OuA0IQNll3abg6u2AadEQBUf1PYMWlo58txLYlAs/q0g+575F+LhDSgmDMKOFXz4HqbFP0RYTHkPnmjWPMWWY3G9o6B3Iaw5+Kc=,iv:massJRpGcH4pDZxJrpQYy80XVViyw+qFsZ8Sk9Xze08=,tag:eDvuNadKGKBS/3jauvnuFQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1