NixOS containers for restricting services to VPN network interface

I have a couple of services that I want to protect via an external measure.

While some services can be configured to only run on a specific network interface, you are trusting them to not have bugs and actually do that.

As there needs to be a way to force this for some services, but still allow “split tunneling” for others, a method for identifying is needed. And as it is smart to isolate webservices anyways, my thought came to using NixOS containers.


I have already created a few configs for some services but have questions.

  • how do I allow a specific interface, take wg0, in the container? Do I use macvlans or interfaces?
  • how is DNS handled?
  • how can I still allow accessing a service, for example on localhost:1234? I had issues with that depending on the config
  • how can I sandbox services in multiple containers, but still allow them to communicate? For example qBittorrent and Jackett. I assume they talk over localhost, but might be IPC or dbus too.

Thanks!

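An added configuration sketch, not from this thread nor from the VPN Confinement project, showing one way to answer the first question with `interfaces` rather than `macvlans`: a host-created wg0 is moved into a NixOS container with its own network namespace, re-addressed there, given the tunnel as its only default route, and fenced with an egress filter so a service that ignores its bind-interface setting still cannot leak. The container name, the veth and tunnel addresses, port 8080 and the resolver at 10.8.0.1 are assumptions.

```nix
{ config, pkgs, ... }:
{
  # wg0 is assumed to already exist on the host (networking.wireguard.interfaces.wg0);
  # listing it under `interfaces` makes nspawn move it into the container's
  # network namespace at start (use `macvlans` only for a physical uplink).
  containers.vpnsvc = {
    autoStart = true;
    privateNetwork = true;          # own network namespace, veth pair to the host
    hostAddress = "10.231.136.1";   # host end (ve-vpnsvc), assumed address
    localAddress = "10.231.136.2";  # container end (eth0), assumed address
    interfaces = [ "wg0" ];
    # From the host, the service is reachable at 10.231.136.2:8080 over the veth,
    # which is where a reverse proxy on the host would point.
    config = { ... }: {
      # The kernel flushes addresses when an interface changes namespace, so the
      # tunnel address (assumed 10.8.0.2/32) is re-applied inside the container.
      networking.interfaces.wg0.ipv4.addresses = [
        { address = "10.8.0.2"; prefixLength = 32; }
      ];
      # Default route via the tunnel only; nothing points at the host veth.
      networking.interfaces.wg0.ipv4.routes = [
        { address = "0.0.0.0"; prefixLength = 0; }
      ];
      # DNS: do not inherit the host's resolv.conf; use a resolver reachable
      # through the tunnel (assumed to be the VPN peer at 10.8.0.1).
      networking.useHostResolvConf = false;
      networking.nameservers = [ "10.8.0.1" ];
      # Even if a service ignores its bind-interface setting, packets can only
      # leave via lo, wg0, or back to the host over the veth. Rules live in a
      # dedicated chain so firewall reloads do not append duplicates.
      networking.firewall = {
        enable = true;
        allowedTCPPorts = [ 8080 ];
        extraCommands = ''
          iptables -N vpn-egress 2>/dev/null || iptables -F vpn-egress
          iptables -A vpn-egress -o lo -j ACCEPT
          iptables -A vpn-egress -o wg0 -j ACCEPT
          iptables -A vpn-egress -o eth0 -d 10.231.136.1 -j ACCEPT
          iptables -A vpn-egress -j DROP
          iptables -C OUTPUT -j vpn-egress 2>/dev/null || iptables -I OUTPUT -j vpn-egress
          # No IPv6 inside this tunnel, so block it rather than let it leak.
          ip6tables -C OUTPUT ! -o lo -j DROP 2>/dev/null || ip6tables -A OUTPUT ! -o lo -j DROP
        '';
      };
      # The confined service (e.g. qBittorrent) is configured here as usual.
    };
  };
}
```

A quick check after `nixos-container start vpnsvc` is that `ip route` inside the container shows only the wg0 default and the veth link route, and that the host still sees no wg0 while the container runs.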

You might be interested in how VPN Confinement configures this on NixOS using network namespaces.


Alternatively, systemd cgroups can do isolation for you, and if you use nginx for reverse proxying you can control everything else pretty tightly via firewall and reverse proxy settings (a reverse proxy is incredibly handy anyway even if you have sophisticated cgroups config).

Containers aren’t necessary for what you seem to be describing, though a more precise example/use case would help.


Yes, I would like to not need user namespaces and containers. One goal is to prevent traffic leaks and I will check out that nix flake.