68 lines
1.7 KiB
Nix
68 lines
1.7 KiB
Nix
{ pkgs, config, lib, ... }:
|
|
|
|
let
|
|
cfg = config.modules.system.vpn-confinement;
|
|
in
|
|
{
|
|
options.modules.system.vpn-confinement = {
|
|
enable = lib.mkEnableOption "enables vpn-confinement";
|
|
|
|
# toggle for mullvad mexico w/ openvpn
|
|
vpncon_mex = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
description = "enable pia vpn to mexico using openvpn";
|
|
};
|
|
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
|
|
# Define VPN network namespace
|
|
vpnNamespaces.wgmex = {
|
|
enable = true;
|
|
wireguardConfigFile = config.sops.secrets."vpncon_mex_config".path;
|
|
accessibleFrom = [
|
|
"10.0.0.0/8"
|
|
];
|
|
portMappings = [
|
|
{ from = 7000; to = 7200; }
|
|
];
|
|
openVPNPorts = [{
|
|
port = 60729;
|
|
protocol = "both";
|
|
}];
|
|
};
|
|
|
|
# Addd systemd service to VPN network namespace
|
|
systemd.services.transmission.vpnConfinement = {
|
|
enable = true;
|
|
vpnNamespace = "wg";
|
|
};
|
|
|
|
# secrets only if VPN is enabled
|
|
sops.secrets = {
|
|
"vpncon_mex_config" = { owner = "root"; group = "root"; }
|
|
};
|
|
|
|
}
|
|
|
|
|
|
vpnNamespaces.<name> = { # The name is limited to 7 characters
|
|
enable = true;
|
|
wireguardConfigFile = config.sops.secrets."vpncon_mex_config".path;
|
|
accessibleFrom = [
|
|
"<ip or subnet>"
|
|
];
|
|
portMappings = [{
|
|
from = <port on host>;
|
|
to = <port in VPN network namespace>;
|
|
protocol = "<transport protocol>"; # protocol = "tcp"(default), "udp", or "both"
|
|
}];
|
|
openVPNPorts = [{
|
|
port = <port to access through VPN interface>;
|
|
protocol = "<transport protocol>"; # protocol = "tcp"(default), "udp", or "both"
|
|
}];
|
|
};
|
|
}
|