feat: aria2: run downloads through vpn

But still allow the rpc to be accessed. This is done by reverse proxying
the rpc socket through a unix domain socket.
main
LeRoyce Pearson 2024-01-14 18:50:04 -07:00
parent 535d3d2797
commit b9db4b8d4d
1 changed files with 35 additions and 14 deletions


@ -137,24 +137,27 @@
after = [ "netns@wg.service" ]; after = [ "netns@wg.service" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
RemainAfterExist = true; RemainAfterExit = true;
ExecStart = with pkgs; writers.writeBash "wg-up" '' ExecStart = with pkgs; writers.writeBash "wg-up" ''
set -e set -e
# Create wireguard # Create wireguard
${iproute}/bin/ip link add wg0 type wireguard ${iproute}/bin/ip link add wg0 type wireguard
# move to wg network namespace
${iproute}/bin/ip link set wg0 netns wg
# Connect to vpn # Connect to vpn
${iproute}/bin/ip address add 10.65.64.220/32 dev wg0 ${iproute}/bin/ip -n wg address add 10.65.64.220/32 dev wg0
${iproute}/bin/ip -6 address add fc00:bbbb:bbbb:bb01::2:40db/128 dev wg0 ${iproute}/bin/ip -n wg -6 address add fc00:bbbb:bbbb:bb01::2:40db/128 dev wg0
${wireguard-tools}/bin/wg setconf wg0 /var/wireguard-keys/chief-frog.conf ${iproute}/bin/ip netns exec wg ${wireguard-tools}/bin/wg setconf wg0 /var/wireguard-keys/chief-frog.conf
# Open network # Open network
${iproute}/bin/ip link set wg0 up ${iproute}/bin/ip -n wg link set dev lo up
${iproute}/bin/ip route add default dev wg0 ${iproute}/bin/ip -n wg link set wg0 up
${iproute}/bin/ip -6 route add default dev wg0 ${iproute}/bin/ip -n wg route add default dev wg0
${iproute}/bin/ip -n wg -6 route add default dev wg0
''; '';
ExecStop = with pkgs; writers.writeBash "wg-down" '' ExecStop = with pkgs; writers.writeBash "wg-down" ''
${iproute}/bin/ip route del default dev wg0 ${iproute}/bin/ip -n wg route del default dev wg0
${iproute}/bin/ip -6 route del default dev wg0 ${iproute}/bin/ip -n wg -6 route del default dev wg0
${iproute}/bin/ip link del wg0 ${iproute}/bin/ip -n wg link del wg0
''; '';
}; };
}; };
@ -167,9 +170,27 @@
bindsTo = [ "netns@wg.service" ]; bindsTo = [ "netns@wg.service" ];
requires = [ "network-online.target" ]; requires = [ "network-online.target" ];
after = [ "wg.service" ]; after = [ "wg.service" ];
# serviceConfig = { serviceConfig = {
# NetworkNamespacePath = "/var/run/netns/wg"; NetworkNamespacePath = "/var/run/netns/wg";
# }; };
};
# reverse proxy the aria2 rpc from the `wg` network namespace to a unix domain socket
systemd.services."aria2-unix-domain-rpc" = {
bindsTo = [ "aria2.service" ];
after = [ "aria2.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
NetworkNamespacePath = "/var/run/netns/wg";
Type = "simple";
User = config.services.caddy.user;
Group = config.services.caddy.group;
RuntimeDirectory = "aria2";
ExecStart = with pkgs; writers.writeBash "aria2-unix-domain-rpc-listener" ''
set -e
${socat}/bin/socat UNIX-LISTEN:/run/aria2/rpc.sock,reuseaddr,fork TCP:localhost:6800
'';
};
}; };
systemd.services.dex.serviceConfig = { systemd.services.dex.serviceConfig = {
@ -479,7 +500,7 @@
@connected_via_tailscale remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48 @connected_via_tailscale remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48
handle @connected_via_tailscale { handle @connected_via_tailscale {
handle /jsonrpc { handle /jsonrpc {
reverse_proxy localhost:6800 reverse_proxy unix//run/aria2/rpc.sock
} }
handle_path /ariang* { handle_path /ariang* {
root * ${pkgs.ariang}/share/ariang root * ${pkgs.ariang}/share/ariang
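Review bot: The socat UNIX-LISTEN line in the new `aria2-unix-domain-rpc` unit leaves the permissions of `/run/aria2/rpc.sock` to the process umask, so the socket that now stands between the Caddy tailscale matcher and the unauthenticated socat forward into `localhost:6800` has no stated access mode. I would set it explicitly and replace `reuseaddr`, which has no effect on a unix socket, with `unlink-early` so a leftover socket file cannot block a restart: `${socat}/bin/socat UNIX-LISTEN:/run/aria2/rpc.sock,fork,unlink-early,mode=660 TCP:localhost:6800`, paired with `RuntimeDirectoryMode = "0750";` next to `RuntimeDirectory = "aria2";`. Whether aria2 itself enforces an rpc-secret is not visible here; if it does not, the socket permissions are the only check between any local process and the downloader's RPC. The aria2.service attribute set that the second hunk edits begins outside the hunk.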