feat: aria2: run downloads through vpn
But still allow the RPC to be accessed. This is done by reverse proxying the RPC socket through a Unix domain socket.
parent
535d3d2797
commit
b9db4b8d4d
|
@ -137,24 +137,27 @@
|
||||||
after = [ "netns@wg.service" ];
|
after = [ "netns@wg.service" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
RemainAfterExist = true;
|
RemainAfterExit = true;
|
||||||
ExecStart = with pkgs; writers.writeBash "wg-up" ''
|
ExecStart = with pkgs; writers.writeBash "wg-up" ''
|
||||||
set -e
|
set -e
|
||||||
# Create wireguard
|
# Create wireguard
|
||||||
${iproute}/bin/ip link add wg0 type wireguard
|
${iproute}/bin/ip link add wg0 type wireguard
|
||||||
|
# move to wg network namespace
|
||||||
|
${iproute}/bin/ip link set wg0 netns wg
|
||||||
# Connect to vpn
|
# Connect to vpn
|
||||||
${iproute}/bin/ip address add 10.65.64.220/32 dev wg0
|
${iproute}/bin/ip -n wg address add 10.65.64.220/32 dev wg0
|
||||||
${iproute}/bin/ip -6 address add fc00:bbbb:bbbb:bb01::2:40db/128 dev wg0
|
${iproute}/bin/ip -n wg -6 address add fc00:bbbb:bbbb:bb01::2:40db/128 dev wg0
|
||||||
${wireguard-tools}/bin/wg setconf wg0 /var/wireguard-keys/chief-frog.conf
|
${iproute}/bin/ip netns exec wg ${wireguard-tools}/bin/wg setconf wg0 /var/wireguard-keys/chief-frog.conf
|
||||||
# Open network
|
# Open network
|
||||||
${iproute}/bin/ip link set wg0 up
|
${iproute}/bin/ip -n wg link set dev lo up
|
||||||
${iproute}/bin/ip route add default dev wg0
|
${iproute}/bin/ip -n wg link set wg0 up
|
||||||
${iproute}/bin/ip -6 route add default dev wg0
|
${iproute}/bin/ip -n wg route add default dev wg0
|
||||||
|
${iproute}/bin/ip -n wg -6 route add default dev wg0
|
||||||
'';
|
'';
|
||||||
ExecStop = with pkgs; writers.writeBash "wg-down" ''
|
ExecStop = with pkgs; writers.writeBash "wg-down" ''
|
||||||
${iproute}/bin/ip route del default dev wg0
|
${iproute}/bin/ip -n wg route del default dev wg0
|
||||||
${iproute}/bin/ip -6 route del default dev wg0
|
${iproute}/bin/ip -n wg -6 route del default dev wg0
|
||||||
${iproute}/bin/ip link del wg0
|
${iproute}/bin/ip -n wg link del wg0
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -167,9 +170,27 @@
|
||||||
bindsTo = [ "netns@wg.service" ];
|
bindsTo = [ "netns@wg.service" ];
|
||||||
requires = [ "network-online.target" ];
|
requires = [ "network-online.target" ];
|
||||||
after = [ "wg.service" ];
|
after = [ "wg.service" ];
|
||||||
# serviceConfig = {
|
serviceConfig = {
|
||||||
# NetworkNamespacePath = "/var/run/netns/wg";
|
NetworkNamespacePath = "/var/run/netns/wg";
|
||||||
# };
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# reverse proxy the aria2 rpc from the `wg` network namespace to a unix domain socket
|
||||||
|
systemd.services."aria2-unix-domain-rpc" = {
|
||||||
|
bindsTo = [ "aria2.service" ];
|
||||||
|
after = [ "aria2.service" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
NetworkNamespacePath = "/var/run/netns/wg";
|
||||||
|
Type = "simple";
|
||||||
|
User = config.services.caddy.user;
|
||||||
|
Group = config.services.caddy.group;
|
||||||
|
RuntimeDirectory = "aria2";
|
||||||
|
ExecStart = with pkgs; writers.writeBash "aria2-unix-domain-rpc-listener" ''
|
||||||
|
set -e
|
||||||
|
${socat}/bin/socat UNIX-LISTEN:/run/aria2/rpc.sock,reuseaddr,fork TCP:localhost:6800
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.dex.serviceConfig = {
|
systemd.services.dex.serviceConfig = {
|
||||||
|
@ -479,7 +500,7 @@
|
||||||
@connected_via_tailscale remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48
|
@connected_via_tailscale remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48
|
||||||
handle @connected_via_tailscale {
|
handle @connected_via_tailscale {
|
||||||
handle /jsonrpc {
|
handle /jsonrpc {
|
||||||
reverse_proxy localhost:6800
|
reverse_proxy unix//run/aria2/rpc.sock
|
||||||
}
|
}
|
||||||
handle_path /ariang* {
|
handle_path /ariang* {
|
||||||
root * ${pkgs.ariang}/share/ariang
|
root * ${pkgs.ariang}/share/ariang
|
||||||
|
|
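Review bot: The socat listener in the `aria2-unix-domain-rpc` unit (hunk `@ -167,9 +170,27 @@`) creates `/run/aria2/rpc.sock` with no explicit mode, and `RuntimeDirectory = "aria2"` defaults to a 0755 directory, so with the usual umask any local account can connect to the socket and reach the aria2 RPC directly, sidestepping the `@connected_via_tailscale` matcher that guards `/jsonrpc` in the Caddy hunk (the old `localhost:6800` listener had the same local exposure, so this is not a regression, but the socket is now the single choke point). I would add `RuntimeDirectoryMode = "0750";` next to `RuntimeDirectory` and tighten the address to `UNIX-LISTEN:/run/aria2/rpc.sock,mode=660,reuseaddr,fork`, which is enough for Caddy because the unit already runs as `config.services.caddy.user`/`group`. Separately, in the first hunk `wg-up` creates `wg0` in the root namespace before moving it into `wg`; if a later step fails under `set -e`, I believe systemd runs only ExecStopPost, not ExecStop, for a failed oneshot start, so a stale `wg0` would be left in the root namespace and the next start would fail at `ip link add` — worth confirming and, if so, removing a leftover `wg0` from both namespaces with `|| true` at the top of the script or in an `ExecStopPost`.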