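{ lib, ... }:
let
  # Address types come from the project's own type library; `ipAddress`
  # accepts the IPv4/IPv6 host and prefix forms shown in the
  # `accessibleFrom` example below.
  inherit (import ../lib/types.nix { inherit lib; }) ipAddress ipv4 ipv6;
  inherit (lib) mkEnableOption mkOption;
  inherit (lib.types) listOf submodule path port enum nullOr;

  # Shared by `openVPNPorts` and `portMappings`, which previously declared
  # two byte-identical copies of this option.
  protocolOption = mkOption {
    default = "tcp";
    example = "both";
    type = enum [ "tcp" "udp" "both" ];
    description = "The transport layer protocol to use.";
  };
in {
  # Option declarations for a VPN-confined network namespace: how the netns
  # is reached from the default namespace (veth pair + linux bridge), which
  # ports are exposed or forwarded, and where the wg-quick config lives.
  # The behaviour behind each option is implemented elsewhere in the project.
  options = {
    enable = mkEnableOption ("vpn netns") // {
      description = ''
        Whether to enable the VPN namespace.
        To access the networking namespace(netns) a veth pair
        is created to connect it and the default namespace
        through a linux bridge. One end of the pair is
        connected to the linux bridge on the default netns.
        The other end is connected to the vpn netns.
      '';
    };

    accessibleFrom = mkOption {
      type = listOf ipAddress;
      # Empty by default: nothing is listed as allowed to reach the namespace
      # until the user opts in (presumably the consuming module derives its
      # access rules from this list — confirm there).
      default = [];
      description = ''
        Subnets, ranges, and specific addresses that the
        namespace should be accessible to.
      '';
      example = [
        "10.0.2.0/24"
        "192.168.1.27"
        "fd25:9ab6:6133::/64"
        "fd25:9ab6:6133::203"
      ];
    };

    # The two namespace addresses and the two bridge addresses below form the
    # v4 and v6 sides of the same veth/bridge link; defaults use private
    # (RFC 1918) and unique-local (fd00::/8) ranges.
    namespaceAddress = mkOption {
      type = ipv4;
      default = "192.168.15.1";
      description = ''
        The address of the veth interface connected to the vpn namespace.
        This is the address used to reach the vpn namespace from other
        namespaces connected to the linux bridge.
      '';
    };

    namespaceAddressIPv6 = mkOption {
      type = ipv6;
      default = "fd93:9701:1d00::2";
      description = ''
        The address of the veth interface connected to the vpn namespace.
        This is the address used to reach the vpn namespace from other
        namespaces connected to the linux bridge.
      '';
    };

    bridgeAddress = mkOption {
      type = ipv4;
      default = "192.168.15.5";
      description = ''
        The address of the linux bridge on the default namespace.
        The linux bridge sits on the default namespace and
        needs an address to make communication between connected
        namespaces possible, including the default namespace.
      '';
    };

    bridgeAddressIPv6 = mkOption {
      type = ipv6;
      default = "fd93:9701:1d00::1";
      description = ''
        The address of the linux bridge on the default namespace.
        The linux bridge sits on the default namespace and
        needs an address to make communication between connected
        namespaces possible, including the default namespace.
      '';
    };

    # Ports reachable on the VPN side. Default is an empty list, so no port
    # is exposed through the VPN interface unless listed here.
    openVPNPorts = mkOption {
      type = listOf (submodule {
        options = {
          port = mkOption {
            type = port;
            description = "The port to open.";
          };
          protocol = protocolOption;
        };
      });
      default = [];
      description = ''
        Ports that should be accessible through the VPN interface.
      '';
    };

    # Host -> namespace forwards. As the description states, both ends are
    # routed into the VPN netns and the `to` port is opened there, so an
    # entry here is also an exposure decision for the namespace.
    portMappings = mkOption {
      type = listOf (submodule {
        options = {
          from = mkOption {
            example = 80;
            type = port;
            description = "Port on the default netns.";
          };
          to = mkOption {
            example = 443;
            type = port;
            description = "Port on the VPN netns.";
          };
          protocol = protocolOption;
        };
      });
      default = [];
      description = ''
        A list of port mappings from
        the host to ports in the namespace.
        Neither the 'to' or 'from' ports should
        be open on the default netns as they are
        routed to the VPN netns.
        The 'to' ports are automatically opened
        in the VPN netns.
      '';
      example = [{
        from = 80;
        to = 80;
        protocol = "tcp";
      }];
    };

    wireguardConfigFile = mkOption {
      # `path` alone rejects the `null` default: the module system includes
      # the default as a (low-priority) definition and type-checks it, so
      # reading this option while unset failed with
      # "is not of type `path`". `nullOr` makes "no config file" a legal
      # value; the default itself is unchanged.
      type = nullOr path;
      default = null;
      example = "/secret/wg0.conf";
      # NOTE(review): a wg-quick config carries the WireGuard private key.
      # Pass it as an absolute-path string (as in the example), not as a path
      # literal — a path literal interpolated into a derivation is copied into
      # the world-readable Nix store. Whether the consuming module interpolates
      # it that way is not visible in this file; confirm there.
      description = ''
        Path to a wg-quick config file.
      '';
    };
  };
}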