| author | Mark Nipper <nipsy@bitgnome.net> | 2025-11-18 10:05:34 -0800 |
|---|---|---|
| committer | Mark Nipper <nipsy@bitgnome.net> | 2025-11-18 10:05:34 -0800 |
| commit | 84098b3e55f40d955e05a16549935de83367a2c1 (patch) | |
| tree | ac813865060dbafd3b1b13562e3c0de6a96439d5 | |
| parent | 5993fff2d8b399b5f3fcdf0a4829f132884cd259 (diff) | |
Add netns specific resolv.conf @arrakis
| -rw-r--r-- | hosts/arrakis/default.nix | 117 |
1 files changed, 62 insertions, 55 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index 93f399b..06dac12 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -25,62 +25,69 @@ zfs.package = pkgs.zfs_unstable; }; - environment.etc."nftables-vpn.conf".text = '' - # VPN firewall - - flush ruleset - - table inet filter { - chain input { - type filter hook input priority filter; policy drop; - - # established/related connections - ct state established,related accept - - # invalid connections - ct state invalid drop - - # loopback interface - iif lo accept - - # ICMP (routers may also want: mld-listener-query, nd-router-solicit) - #ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, packet-too-big, parameter-problem, time-exceeded } accept - ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, parameter-problem, router-advertisement, source-quench, time-exceeded } accept - - # services - iif veth.vpn tcp dport 8080 accept # qBittorrent - iif veth.vpn tcp dport 9696 accept # Prowlarr - iifname wg1 tcp dport { 49152-65535 } accept # Transmission - - # drop everything else - counter drop - } - - chain output { - type filter hook output priority filter; policy drop; - - # explicitly allow my DNS traffic without VPN - skuid nipsy ip daddr 192.168.1.1 tcp dport domain accept - skuid nipsy ip daddr 192.168.1.1 udp dport domain accept - - # explicitly allow my traffic without VPN - oifname veth.vpn skuid nipsy tcp sport 8080 accept # qBittorrent - oifname veth.vpn skuid nipsy tcp sport 9696 accept # Prowlarr - oifname veth.vpn skuid nipsy ip daddr 192.168.1.2 tcp dport { 7878, 8686, 8787, 8989 } accept # Prowlarr to { Radarr, Lidarr, Readarr, Sonarr } - oif lo skuid nipsy ip daddr 192.168.1.3 tcp dport 8080 accept # Prowlarr to qBittorrent - - # allow any traffic out through VPN - oifname wg1 accept - - # drop everything else - counter drop - } + environment.etc = { + "netns/vpn/resolv.conf".text = '' + nameserver 10.64.0.1 + options edns0 + ''; - chain forward { - type filter hook forward priority filter; policy 
drop; - } - } - ''; + "nftables-vpn.conf".text = '' + # VPN firewall + + flush ruleset + + table inet filter { + chain input { + type filter hook input priority filter; policy drop; + + # established/related connections + ct state established,related accept + + # invalid connections + ct state invalid drop + + # loopback interface + iif lo accept + + # ICMP (routers may also want: mld-listener-query, nd-router-solicit) + #ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, packet-too-big, parameter-problem, time-exceeded } accept + ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, parameter-problem, router-advertisement, source-quench, time-exceeded } accept + + # services + iif veth.vpn tcp dport 8080 accept # qBittorrent + iif veth.vpn tcp dport 9696 accept # Prowlarr + iifname wg1 tcp dport { 49152-65535 } accept # Transmission + + # drop everything else + counter drop + } + + chain output { + type filter hook output priority filter; policy drop; + + # explicitly allow my DNS traffic without VPN + skuid nipsy ip daddr 192.168.1.1 tcp dport domain accept + skuid nipsy ip daddr 192.168.1.1 udp dport domain accept + + # explicitly allow my traffic without VPN + oifname veth.vpn skuid nipsy tcp sport 8080 accept # qBittorrent + oifname veth.vpn skuid nipsy tcp sport 9696 accept # Prowlarr + oifname veth.vpn skuid nipsy ip daddr 192.168.1.2 tcp dport { 7878, 8686, 8787, 8989 } accept # Prowlarr to { Radarr, Lidarr, Readarr, Sonarr } + oif lo skuid nipsy ip daddr 192.168.1.3 tcp dport 8080 accept # Prowlarr to qBittorrent + + # allow any traffic out through VPN + oifname wg1 accept + + # drop everything else + counter drop + } + + chain forward { + type filter hook forward priority filter; policy drop; + } + } + ''; + }; environment.systemPackages = [ pkgs.bitcoind |
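Review bot: The new `netns/vpn/resolv.conf` makes 10.64.0.1 the namespace's resolver, yet the re-added output chain keeps the two `skuid nipsy ip daddr 192.168.1.1 tcp/udp dport domain accept` exceptions commented "allow my DNS traffic without VPN", so plaintext DNS to the LAN resolver is still permitted outside wg1; with the namespace no longer pointing there, those rules look either dead or a leak path if something rewrites the namespace's resolv.conf. I would drop them, or, if they are still needed, add a comment stating which process still relies on them. The entry presumably only takes effect for processes started through `ip netns exec vpn`, which bind-mounts `/etc/netns/<name>/*` over `/etc`; anything entered into the namespace another way keeps the host resolv.conf, which deserves a comment such as `# overlaid onto /etc by ip netns exec's /etc/netns/<name> bind-mount` next to the new attribute. Separately, the input rules use `iif veth.vpn` (resolved to an interface index at load time) while the wg1 rules use `iifname`; if veth.vpn is recreated after the ruleset loads the `iif` rules stop matching, so `iifname veth.vpn` would be the safer spelling. The enclosing attribute set starts before this hunk.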
