feat: fix VPN configuration and disable sandboxing for VPS

TophC7 · TophC7 · commit 9b4722067a5a · 2026-01-14T20:27:32.000-05:00
diff --git a/hosts/caenus/default.nix b/hosts/caenus/default.nix
@@ -46,6 +46,9 @@
   ## System-wide packages ##
   programs.nix-ld.enable = true;
 
+  # VPS with limited kernel permissions; disable sandboxing
+  nix.settings.sandbox = false;
+
   # https://wiki.nixos.org/wiki/FAQ/When_do_I_update_stateVersion
   system.stateVersion = "24.11";
 }
diff --git a/hosts/nexus/config/wireguard.nix b/hosts/nexus/config/wireguard.nix
@@ -18,11 +18,15 @@ let
 
   # ── Dynamic VPN Client Discovery ──
   # Filter hosts that are VPN clients:
-  # - Not this host (nexus)
-  # - Has vpn config
-  # - Has endpoint set (clients connect TO a server, servers don't have endpoint)
+  # - Not this host (nexus - the server)
+  # - Has vpn config with publicKey
+  # - Has a /32 address (clients have /32, server has /24)
   vpnClients = lib.filterAttrs (
-    name: spec: name != host.hostName && spec.vpn or null != null && spec.vpn.endpoint or null != null
+    name: spec:
+    name != host.hostName
+    && spec.vpn or null != null
+    && spec.vpn.publicKey or null != null
+    && lib.hasSuffix "/32" (spec.vpn.address or "")
   ) hosts;
 
   # Build peer config from host spec
@@ -51,6 +55,12 @@ in
       allowedUDPPorts = [ vpnPort ];
       # Trust the VPN interface - allow all traffic from VPN peers
       trustedInterfaces = [ vpnInterface ];
+      # Allow rathole container (on pangolin bridge) to reach WireGuard
+      # Docker NAT rules intercept local-destined traffic before the normal
+      # firewall rules apply, so we need an explicit rule for br-pangolin
+      extraInputRules = ''
+        iifname "br-pangolin" udp dport ${toString vpnPort} accept
+      '';
     };
   };
 }
diff --git a/mix/default.nix b/mix/default.nix
@@ -28,8 +28,6 @@
         "video"
         "wheel"
       ];
-
-      wgEndpoint = "pangolin.ryot.foo:51821";
     in
     {
       ## Secrets ##
@@ -115,9 +113,12 @@
           user = "toph";
           ip = "10.2.2.4";
           desktop = {
-            niri = {
+            hyprland = {
               enable = true;
               default = true;
+            };
+            niri = {
+              enable = true;
               dms = {
                 includeBinds = true;
                 includeColors = true;
@@ -139,9 +140,8 @@
             tank = true;
           };
           vpn = {
-            publicKey = "ECl4YWWZfuAdYesxSUOSq7mTIYwII/eYg78dLR9XpmU=";
+            publicKey = "A+pF7xjkh+TcI2w9CqZydF8oRSQQxNvPpGp18/R3YCE=";
             address = "10.10.0.4/32";
-            endpoint = wgEndpoint;
           };
         };
 
@@ -152,8 +152,10 @@
             hyprland = {
               enable = true;
               default = true;
+              dms = {
+                sourceOutputs = true;
+              };
             };
-            niri.enable = true;
           };
           greeter = {
             type = "dms";
@@ -184,7 +186,7 @@
           isMinimal = true;
           mounts.repo = true;
           vpn = {
-            publicKey = "iOSuhmjJhUcqQQBnYOs/3WSs6dyX6JnqWzZ7JbceulU=";
+            publicKey = "CsFrUwKp1EQoBJqKkn44/P8q2+Zm5U0YTEpkLlrKlzI=";
             address = "10.10.0.1/24"; # Server address
             # No endpoint - this is the VPN server
           };
@@ -215,7 +217,6 @@
           vpn = {
             publicKey = "9vgWTiGy9lwjXT6/hqxXNodw4jdhZPVRpbwTIWAxDWg=";
             address = "10.10.0.8/32";
-            endpoint = wgEndpoint;
           };
         };
 
@@ -224,7 +225,6 @@
           vpn = {
             publicKey = "n9EbRKf4syovfi3lnTJ7NCuywLh1IuHL7XX+wK3drUg=";
             address = "10.10.0.10/32";
-            endpoint = wgEndpoint;
           };
         };
       };
diff --git a/modules/hosts/common/vpn.nix b/modules/hosts/common/vpn.nix
@@ -20,6 +20,11 @@ let
   # Get private key for this host from secrets
   hostPrivateKey = secrets.service."wg-${host.hostName}".privateKey or "";
 
+  # Default endpoint: use secrets.service.caenus.ip (can be overridden per-host)
+  caelusIp = secrets.service.caenus.ip;
+  defaultEndpoint = "${caelusIp}:51821";
+  endpoint = if cfgWg ? endpoint && cfgWg.endpoint != null then cfgWg.endpoint else defaultEndpoint;
+
   # Allowed IP ranges for the VPN (semicolon-separated for NetworkManager)
   allowedIPs = lib.concatStringsSep ";" [
     "10.10.0.0/24" # VPN subnet (includes DNS at 10.10.0.1)
@@ -31,7 +36,7 @@ let
   ];
 in
 {
-  config = lib.mkIf (cfgWg != null && cfgWg.endpoint != null) {
+  config = lib.mkIf (cfgWg != null) {
     assertions = [
       {
         assertion = nexusPublicKey != null;
@@ -58,7 +63,7 @@ in
 
       # Peer config - section name includes the public key
       "wireguard-peer.${nexusPublicKey}" = {
-        endpoint = cfgWg.endpoint;
+        endpoint = endpoint;
         persistent-keepalive = "25";
         allowed-ips = allowedIPs;
       };

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,9 @@`
`46`	`46`	`## System-wide packages ##`
`47`	`47`	`programs.nix-ld.enable = true;`
`48`	`48`
	`49`	`+ # VPS with limited kernel permissions; disable sandboxing`
	`50`	`+ nix.settings.sandbox = false;`
	`51`	`+`
`49`	`52`	`# https://wiki.nixos.org/wiki/FAQ/When_do_I_update_stateVersion`
`50`	`53`	`system.stateVersion = "24.11";`
`51`	`54`	`}`