diff --git a/infra/libkookie/configuration/server/warez/default.nix b/infra/libkookie/configuration/server/warez/default.nix
new file mode 100644
index 00000000000..3516a757bde
--- /dev/null
+++ b/infra/libkookie/configuration/server/warez/default.nix
@@ -0,0 +1,68 @@
+{ pkgs, ... }:
+
+ {
+ systemd.services.mullvad-ns = {
+ description = "Mullvad NetNS";
+ path = with pkgs; [ iproute ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ PrivateNetwork = false;
+ };
+
+ script = ''
+ ip netns add mullvad-ns
+
+ # Create veth to tunnel traffic into/out of the ns
+ ip link add veth-mullvad type veth peer veth-main netns mullvad-ns
+ ip address add 10.49.0.1/30 dev veth-mullvad
+ ip netns exec mullvad-ns ip address add 10.49.0.2/30 dev veth-main
+ ip link set veth-mullvad up
+ ip netns exec mullvad-ns ip link set veth-main up
+ '';
+
+ postStop = ''
+ ip netns del mullvad-ns
+ '';
+ };
+
+ # services.ferm2.extraForwards = ''
+ # proto tcp ACCEPT;
+ # '';
+
+ networking.wireguard.interfaces.mullvad = {
+ interfaceNamespace = "mullvad-ns";
+ privateKeyFile = "/var/lib/mullvad/private";
+ ips = [ "10.67.102.9/32" "fc00:bbbb:bbbb:bb01::4:6608/128"];
+ peers = [ {
+ publicKey = "veGD6/aEY6sMfN3Ls7YWPmNgu3AheO7nQqsFT47YSws=";
+ allowedIPs = [ "0.0.0.0/0" "::0/0"];
+ endpoint = "185.213.154.69:51820";
+ }];
+ };
+
+ systemd.services.wireguard-mullvad = {
+ requires = [ "mullvad-ns.service" ];
+ after = [ "mullvad-ns.service" ];
+ };
+
+ environment.etc."netns/mullvad-ns/resolv.conf" = {
+ enable = true;
+ text = ''
+ nameserver 193.138.218.74
+ options edns0
+ '';
+ };
+
+ services.transmission.enable = true;
+ systemd.services.transmission = {
+ serviceConfig = {
+ NetworkNamespacePath = "/run/netns/mullvad-ns";
+ BindPaths= ["/etc/netns/mullvad-ns/resolv.conf:/etc/resolv.conf"];
+ };
+ requires = [ "wireguard-mullvad.service" ];
+ after = [ "wireguard-mullvad.service" ];
+ };
+ }
+
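Review bot: The `ip netns add mullvad-ns` at the top of `script` is not idempotent, so a namespace left behind by an unclean stop (where `postStop` never ran) makes the oneshot fail, and through the `requires` chain that takes `wireguard-mullvad.service` and `transmission.service` down with it; clearing any stale namespace first, `ip netns del mullvad-ns 2>/dev/null || true`, keeps the unit restartable. The fail-closed property this layout appears to rely on — as far as this file shows, the namespace gets only the 10.49.0.2/30 veth address and no default route other than what the WireGuard module installs for `allowedIPs`, so traffic has no exit when the tunnel is down — deserves a comment next to the veth setup, e.g. `# No default route via the veth on purpose: with the tunnel down the ns has no exit (fail-closed)`. That property also depends on the host not forwarding from veth-mullvad, which this file does not configure either way (the ferm2 forward rule is commented out), so the comment should say that too. Minor style: `BindPaths= [...]` breaks the `name = [ ... ];` spacing used everywhere else in the set.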