128 lines
3.5 KiB
Nix
128 lines
3.5 KiB
Nix
{
|
|
lib,
|
|
config,
|
|
options,
|
|
...
|
|
}:
|
|
|
|
let
|
|
cfg = config.networking.vpn-netns;
|
|
in
|
|
|
|
{
|
|
imports = [
|
|
./encapsulation.nix
|
|
./forwarding.nix
|
|
];
|
|
|
|
options.networking.vpn-netns = with lib; {
|
|
restrictedServices = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [ ];
|
|
description = "A list of valid systemd service names to be encapsulated in the vpn netns.";
|
|
};
|
|
|
|
nameserver = mkOption {
|
|
type = types.singleLineStr;
|
|
description = "The DNS server associated with the wireguard connection.";
|
|
};
|
|
|
|
wireguardInterface = mkOption {
|
|
type = types.str;
|
|
description = "The name of the wireguard interface.";
|
|
};
|
|
|
|
wireguardOptions = mkOption {
|
|
type = with types; submodule { freeformType = attrsOf anything; };
|
|
description = "Regular wireguard settings used to setup interface ${wgInterface}.";
|
|
};
|
|
|
|
interfaceNamespace = mkOption {
|
|
type = types.singleLineStr;
|
|
default = "vpn";
|
|
description = "The name of the encapsulating netns.";
|
|
};
|
|
|
|
vethInterfaceName = mkOption {
|
|
type = types.singleLineStr;
|
|
default = "vethvpn";
|
|
description = "The name of the veth interface accross netns.";
|
|
};
|
|
|
|
vethIP = mkOption {
|
|
type = types.singleLineStr;
|
|
default = "10.0.0.1";
|
|
description = "The veth IP address of encapsulated services";
|
|
};
|
|
|
|
vethOuterIP = mkOption {
|
|
type = types.singleLineStr;
|
|
default = "10.0.0.2";
|
|
description = "The veth IP address of non-encapsulated services.";
|
|
};
|
|
|
|
portForwarding = {
|
|
enable = mkEnableOption "a port forwarding service.";
|
|
|
|
leaseDuration = mkOption {
|
|
type = types.int;
|
|
default = 60;
|
|
description = "The NATPMP lease duration in seconds.";
|
|
};
|
|
|
|
updateDuration = mkOption {
|
|
type = types.int;
|
|
default = 2;
|
|
description = ''
|
|
How long the update script takes (in seconds).
|
|
This is substracted from the timer, so that leases do not get
|
|
interrupted. Tweak this based on your hardware performance etc.
|
|
'';
|
|
};
|
|
|
|
endpoint = mkOption {
|
|
type = types.singleLineStr;
|
|
default = cfg.nameserver;
|
|
description = "The VPN endpoint (with which to negotiate the lease).";
|
|
};
|
|
|
|
temporaryPortRange = mkOption {
|
|
type = options.networking.firewall.allowedUDPPortRanges.type.nestedTypes.elemType;
|
|
default = {
|
|
from = 30000;
|
|
to = 30010;
|
|
};
|
|
description = ''
|
|
The port range used for local port redirection. Make sure it doesn't
|
|
interfere with other services, including the assignable port from your
|
|
VPN provider.
|
|
'';
|
|
};
|
|
};
|
|
|
|
encapsulatedServices = mkOption {
|
|
default = { };
|
|
type =
|
|
with types;
|
|
attrsOf (submodule {
|
|
options.enable = mkEnableOption "network namespace encapsulation for this service.";
|
|
|
|
options.portForwarding = {
|
|
enable = mkEnableOption "port forwarding for this service.";
|
|
|
|
updateScript = mkOption {
|
|
type = str;
|
|
example = ''
|
|
echo listenPort=$PORT > /var/lib/service/config.conf
|
|
'';
|
|
description = ''
|
|
The script to apply everytime the forwarded port changes.
|
|
The shell has access to the `$PORT` variable with the corresponding
|
|
port. Be cautious, this script can perform arbitrary commands.
|
|
'';
|
|
};
|
|
};
|
|
});
|
|
};
|
|
};
|
|
}
|