.

2026-01-28 20:10:48 +01:00 · 2026-01-28 20:10:48 +01:00 · 57dafa4d25
commit 57dafa4d25
parent f4760f39da
6 changed files with 225 additions and 116 deletions
--- a/hosts/nixos/configuration.nix
+++ b/hosts/nixos/configuration.nix
@ -52,7 +52,8 @@
    ./system/secrets.nix # SOPS secrets
    ./system/compatibility.nix # Compatibility layers (nix-ld)
    ./system/game-drive.nix
-    ./system/vpn-namespace.nix # Isolated VPN Namespace
+    ./system/vpn.nix # System-wide VPN
    ./system/game-bypass.nix # Game bypass netns
    #./system/authelia.nix # SSO/2FA
    ../../modules/nixos/media.nix # Arr Stack
    ../../modules/nixos/steam-gamemode.nix # Steam GameMode Session
--- a/hosts/nixos/home/steam.nix
+++ b/hosts/nixos/home/steam.nix
@ -18,4 +18,23 @@
      };
    };
  };
  # Override Steam desktop entry to use bypass
  xdg.desktopEntries.steam = {
    name = "Steam";
    genericName = "Application Store";
    exec = "game-bypass steam %U";
    terminal = false;
    icon = "steam";
    categories = [
      "Network"
      "FileTransfer"
      "Game"
    ];
    mimeType = [
      "x-scheme-handler/steam"
      "x-scheme-handler/steamlink"
    ];
    prefetchIface = "steam";
  };
 }
--- a/hosts/nixos/system/game-bypass.nix
+++ b/hosts/nixos/system/game-bypass.nix
@ -0,0 +1,108 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  # Namespace setup for Game Bypass
  systemd.services.game-bypass-netns = {
    description = "Game Bypass Network Namespace (Direct Internet)";
    wants = [ "network.target" ];
    after = [ "network.target" ];
    requiredBy = [ "multi-user.target" ];
    path = [
      pkgs.iproute2
      pkgs.kmod
      pkgs.util-linux # for nsenter
      pkgs.dhcpcd
    ];
    script = ''
      NAME="physical"
      VETH_HOST="veth-game"
      VETH_NS="eth0"
      BRIDGE="br0"
      # 1. Create Namespace if not exists
      if ! ip netns list | grep -q "$NAME"; then
        ip netns add "$NAME"
      fi
      # 2. Setup Veth Pair
      # Cleanup previous
      ip link delete "$VETH_HOST" 2>/dev/null || true
      # Create pair
      ip link add "$VETH_HOST" type veth peer name "$VETH_NS-tmp"
      # Host side: Attach to Bridge
      ip link set "$VETH_HOST" master "$BRIDGE"
      ip link set "$VETH_HOST" up
      # Client side: Move to NS
      ip link set "$VETH_NS-tmp" netns "$NAME"
      # 3. Configure Inside Namespace
      # Rename to eth0
      ip netns exec "$NAME" ip link set "$VETH_NS-tmp" name "$VETH_NS"
      ip netns exec "$NAME" ip link set "$VETH_NS" up
      ip netns exec "$NAME" ip link set lo up
      # 4. DHCP
      # Run dhcpcd inside the namespace
      # We use -4 for IPv4 only if desired, or just standard
      ip netns exec "$NAME" dhcpcd --nobackground "$VETH_NS" &
      # 5. DNS (Use Google/Cloudflare directly)
      mkdir -p /etc/netns/"$NAME"
      echo "nameserver 1.1.1.1" > /etc/netns/"$NAME"/resolv.conf
      echo "nameserver 8.8.8.8" >> /etc/netns/"$NAME"/resolv.conf
    '';
    # We use oneshot to just launch dhcpcd
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      User = "root";
    };
  };
  # Wrapper script to launch apps in the bypass
  environment.systemPackages = [
    (pkgs.writeShellScriptBin "game-bypass" ''
      exec doas ip netns exec physical sudo -u ${config.users.users.ashie.name} -E -- "$@"
    '')
  ];
  # Security wrapper permissions
  security.doas.extraRules = [
    {
      users = [ "ashie" ];
      cmd = "/run/current-system/sw/bin/ip";
      args = [
        "netns"
        "exec"
        "physical"
        "sudo"
        "-u"
        "ashie"
        "-E"
        "--"
      ];
      noPass = true;
      keepEnv = true;
    }
  ];
  # Also need sudo rules?
  # "sudo -u ashie" inside the namespace might prompt for password if not configured.
  # Usually user running sudo to switch to themselves needs no password if standard setup,
  # OR we can just use setpriv/su if we are already root (which ip netns exec is).
  # Wait, `ip netns exec` runs as root.
  # So we are root inside the NS. We then drop privileges to 'ashie'.
  # `sudo -u ashie` works fine if we are root.
 }
--- a/hosts/nixos/system/vpn-namespace.nix
+++ b/hosts/nixos/system/vpn-namespace.nix
@ -1,114 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  # Ensure iproute2 is available
  environment.systemPackages = [ pkgs.iproute2 ];
  systemd.services.vpn-netns = {
    description = "VPN Network Namespace Setup";
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    requiredBy = [ "multi-user.target" ];
    path = [
      pkgs.iproute2
      pkgs.wireguard-tools
      pkgs.kmod
    ];
    script = ''
      # 1. Create Namespace if not exists
      if ! ip netns list | grep -q "vpn"; then
        ip netns add vpn
      fi
      # 2. Cleanup & Create WireGuard Interface
      # Delete if exists INSIDE namespace (from previous run)
      ip netns exec vpn ip link delete wg0 2>/dev/null || true
      # Delete if exists in default namespace
      ip link delete wg0 2>/dev/null || true
      ip link add wg0 type wireguard
      ip link set mtu 1320 dev wg0
      # 3. Move to Namespace
      ip link set wg0 netns vpn
      # 4. Configure WireGuard (INSIDE NAMESPACE)
      # We read secrets from the sops-rendered files
      PRIVATE_KEY=$(cat ${config.sops.secrets.wireguard_private_key.path})
      PEER_KEY=$(cat ${config.sops.secrets.wireguard_public_key.path})
      ENDPOINT_IP=$(cat ${config.sops.secrets.wireguard_endpoint_ip.path})
      ENDPOINT_PORT=$(cat ${config.sops.secrets.wireguard_endpoint_port.path})
      ADDRESS=$(cat ${config.sops.secrets.wireguard_addresses.path})
      PRESHARED_KEY=$(cat ${config.sops.secrets.wireguard_preshared_key.path})
      # Pass private key via stdin to file
      echo "$PRIVATE_KEY" > /run/wg0.key
      chmod 600 /run/wg0.key
      # Setup interface inside netns
      ip netns exec vpn wg set wg0 \
        private-key /run/wg0.key \
        peer "$PEER_KEY" \
        preshared-key <(echo "$PRESHARED_KEY") \
        endpoint "$ENDPOINT_IP:$ENDPOINT_PORT" \
        allowed-ips 0.0.0.0/0
      rm /run/wg0.key
      # Assign IP Address
      ip netns exec vpn ip addr add "$ADDRESS" dev wg0
      # Set MTU (Optimized for VPN to avoid fragmentation)
      ip netns exec vpn ip link set mtu 1320 dev wg0
      # Bring Up
      ip netns exec vpn ip link set wg0 up
      ip netns exec vpn ip link set lo up
      # Set Default Route
      ip netns exec vpn ip route add default dev wg0
      # 5. DNS (Optional - force Google/Cloudflare inside namespace)
      mkdir -p /etc/netns/vpn
      echo "nameserver 1.1.1.1" > /etc/netns/vpn/resolv.conf
    '';
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      User = "root";
    };
  };
  # Allow user 'ashie' to run the namespace launcher without password
  security.doas.extraRules = [
    {
      users = [ "ashie" ];
      cmd = "/run/current-system/sw/bin/ip";
      args = [
        "netns"
        "exec"
        "vpn"
        "doas"
        "-u"
        "ashie"
        "--"
      ]; # Permit the specific chain
      noPass = true;
    }
    # Allow running the script itself
    {
      users = [ "ashie" ];
      cmd = "/home/ashie/nixos/scripts/launch-vpn-app.sh";
      noPass = true;
      keepEnv = true;
    }
  ];
 }
--- a/hosts/nixos/system/vpn.nix
+++ b/hosts/nixos/system/vpn.nix
@ -0,0 +1,95 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 {
  networking.wg-quick.interfaces = {
    wg0 = {
      address = [ "10.66.219.165/32" ]; # Fallback, should ideally come from secret but wg-quick needs it here or in config
      # We will rely on the config file generation to include the address if possible,
      # but nixos module usually requires 'address' or 'configFile'.
      # Since we are using secrets for everything, we might need a script or careful usage of configFile.
      # Better approach with sops: use the declarative config but read secrets from file for keys.
      # However, 'address' usually isn't secret.
      # In vpn-namespace.nix: ADDRESS=$(cat ${config.sops.secrets.wireguard_addresses.path})
      # Valid approach for secrets in wg-quick:
      # Use configFile pointing to a secret file, OR use normal config with privateKeyFile.
      autostart = true;
      dns = [ "1.1.1.1" ]; # Force DNS through VPN (or public DNS)
      privateKeyFile = config.sops.secrets.wireguard_private_key.path;
      peers = [
        {
          publicKey = "KPj/q9j/..."; # We need the public key here.
          # PROB: The user's vpn-namespace.nix was reading PEER_KEY from a secret.
          # NixOS wg-quick module expects publicKey as a string literal in the nix config, usually.
          # If the peer public key is secret, we can't easily put it in nix store (it ends up world readable).
          # BUT: Public keys are generally safe to be public.
          # However, since the user has it in sops, they might want to keep it secret.
          # ALTERNATIVE: Use `configFile` option and generate the whole config from secrets at runtime.
          # But `networking.wg-quick.interfaces.<name>.configFile` expects a path.
          # Let's write a script to generate the config file from secrets and start it.
          # actually, the `networking.wg-quick` module is just a wrapper around systemd services.
          # Let's try to stick to the module if possible.
          # If we can't, we can write a systemd service just like vpn-namespace.nix but for the main netns.
        }
      ];
    };
  };
  # RE-EVALUATION:
  # Since all WireGuard parameters (Addresses, Endpoint, Keys) are in sops secrets,
  # trying to use `networking.wg-quick.interfaces` is clumsy because it expects static values for non-secrets.
  # We should create a systemd service that constructs the config and runs wg-quick.
  systemd.services.wg-quick-wg0 = {
    description = "WireGuard Tunnel wg0";
    wantedBy = [ "multi-user.target" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    path = [
      pkgs.wireguard-tools
      pkgs.bash
    ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = pkgs.writeShellScript "wg0-up" ''
        # Generate Config
        PRIVATE_KEY=$(cat ${config.sops.secrets.wireguard_private_key.path})
        PEER_KEY=$(cat ${config.sops.secrets.wireguard_public_key.path})
        ENDPOINT_IP=$(cat ${config.sops.secrets.wireguard_endpoint_ip.path})
        ENDPOINT_PORT=$(cat ${config.sops.secrets.wireguard_endpoint_port.path})
        ADDRESS=$(cat ${config.sops.secrets.wireguard_addresses.path})
        PRESHARED_KEY=$(cat ${config.sops.secrets.wireguard_preshared_key.path})
        cat > /run/wg0.conf <<EOF
        [Interface]
        Address = $ADDRESS
        PrivateKey = $PRIVATE_KEY
        DNS = 1.1.1.1
        [Peer]
        PublicKey = $PEER_KEY
        PresharedKey = $PRESHARED_KEY
        Endpoint = $ENDPOINT_IP:$ENDPOINT_PORT
        AllowedIPs = 0.0.0.0/0
        EOF
        chmod 600 /run/wg0.conf
        ${pkgs.wireguard-tools}/bin/wg-quick up /run/wg0.conf
      '';
      ExecStop = "${pkgs.wireguard-tools}/bin/wg-quick down /run/wg0.conf";
    };
  };
 }
--- a/modules/nixos/steam-gamemode.nix
+++ b/modules/nixos/steam-gamemode.nix
@ -36,7 +36,7 @@
          fi
          echo "Launching gamescope..."
-          exec ${pkgs.gamescope}/bin/gamescope -f -e -- steam -gamepadui
+          exec ${pkgs.gamescope}/bin/gamescope -f -e -- game-bypass steam -gamepadui
        ''}
        Type=Application
      '';