nixos/services/Legion.nix

{ ... }:
let
  # generate via openvpn --genkey --secret openvpn-laptop.key
  client-key = "/root/openvpn.key";
  domain = "vpn.xenia.me.uk";
  vpn-dev = "tun0";
  port = 1194;
in {
  imports = [
    ./adguardhome/default.nix
    ./gitea/default.nix
    ./nextcloud/default.nix
    ./sshd/default.nix
    ./syncthing/default.nix
    ./terraria/windy_limbo_of_melancholy.nix
    ./traefik/adguardhome.nix
    ./traefik/gitea.nix
    ./traefik/nextcloud.nix
    ./traefik/qbittorrent.nix
  ];
  services.syncthing = let
    user = "xenia";
    group = "users";
    dataDir = "/var/lib/syncthing";
  in {
    inherit user group dataDir;
    settings.folders = {
      "Archive".path = dataDir + "/Archive";
      "Books".path = dataDir + "/Books";
      "Comics".path = dataDir + "/Comics";
      "Documents".path = dataDir + "/Documents";
      "Exports".path = dataDir + "/Exports";
      "Notes".path = dataDir + "/Notes";
      "Pictures".path = dataDir + "/Pictures";
      "Tasks".path = dataDir + "/Tasks";
      "Zotero".path = dataDir + "/Zotero";
    };
  };

  networking = {
    nat = {
      enable = true;
      externalInterface = "enp42s0";
      internalInterfaces = [ vpn-dev ];
    };
    firewall = {
      trustedInterfaces = [ vpn-dev ];
      allowedUDPPorts = [ port ];
    };
  };

  services.openvpn = {
    restartAfterSleep = true;
    servers.xenia.config = ''
      dev ${vpn-dev}
      proto udp
      ifconfig 10.8.0.1 10.8.0.2
      secret ${client-key}
      port ${toString port}

      cipher AES-256-CBC
      auth-nocache

      comp-lzo
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
    '';
  };

  environment.etc."openvpn/client.ovpn" = {
    text = ''
      dev tun
      remote "${domain}"
      ifconfig 10.8.0.2 10.8.0.1
      port ${toString port}
      redirect-gateway def1

      cipher AES-256-CBC
      auth-nocache

      comp-lzo
      keepalive 10 60
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      secret [inline]

    '';
    mode = "600";
  };
  system.activationScripts.openvpn-addkey = ''
    f="/etc/openvpn/client.ovpn"
    if ! grep -q '<secret>' $f; then
      echo "appending secret key"
      echo "<secret>" >> $f
      cat ${client-key} >> $f
      echo "</secret>" >> $f
    fi
  '';
}
Add Vanguard back to syncthing 2023-08-30 07:28:36 +01:00			`{ ... }:`
			`let`
Major cleanup for files Reduce complexity and in flake.nix and be more efficient in re-using things Removed some reduandant files in home/ and tidied up the structure somewhat Moved things from desktop, gui, etc... to top level Changed env to shell, indiv shell expressions import relevant others 2023-07-16 17:35:36 +01:00			`# generate via openvpn --genkey --secret openvpn-laptop.key`
			`client-key = "/root/openvpn.key";`
			`domain = "vpn.xenia.me.uk";`
			`vpn-dev = "tun0";`
			`port = 1194;`
			`in {`
Add initial settings for new server machine Legion Adapt existing settings for Vanguard being used as server 2023-06-04 10:55:46 +01:00			`imports = [`
Add more explicit import names 2023-08-30 07:34:45 +01:00			`./adguardhome/default.nix`
			`./gitea/default.nix`
			`./nextcloud/default.nix`
			`./sshd/default.nix`
			`./syncthing/default.nix`
Add initial settings for new server machine Legion Adapt existing settings for Vanguard being used as server 2023-06-04 10:55:46 +01:00			`./terraria/windy_limbo_of_melancholy.nix`
			`./traefik/adguardhome.nix`
			`./traefik/gitea.nix`
			`./traefik/nextcloud.nix`
			`./traefik/qbittorrent.nix`
			`];`
Set more sensible default directories for syncthing 2023-07-21 11:38:46 +01:00			`services.syncthing = let`
Major cleanup for files Reduce complexity and in flake.nix and be more efficient in re-using things Removed some reduandant files in home/ and tidied up the structure somewhat Moved things from desktop, gui, etc... to top level Changed env to shell, indiv shell expressions import relevant others 2023-07-16 17:35:36 +01:00			`user = "xenia";`
Add Vanguard back to syncthing 2023-08-30 07:28:36 +01:00			`group = "users";`
Set more sensible default directories for syncthing 2023-07-21 11:38:46 +01:00			`dataDir = "/var/lib/syncthing";`
			`in {`
Add Vanguard back to syncthing 2023-08-30 07:28:36 +01:00			`inherit user group dataDir;`
More syncthing option renaming 2023-07-24 13:30:39 +01:00			`settings.folders = {`
Add Vanguard back to syncthing 2023-08-30 07:28:36 +01:00			`"Archive".path = dataDir + "/Archive";`
			`"Books".path = dataDir + "/Books";`
			`"Comics".path = dataDir + "/Comics";`
			`"Documents".path = dataDir + "/Documents";`
			`"Exports".path = dataDir + "/Exports";`
			`"Notes".path = dataDir + "/Notes";`
			`"Pictures".path = dataDir + "/Pictures";`
			`"Tasks".path = dataDir + "/Tasks";`
			`"Zotero".path = dataDir + "/Zotero";`
Set more sensible default directories for syncthing 2023-07-21 11:38:46 +01:00			`};`
Major cleanup for files Reduce complexity and in flake.nix and be more efficient in re-using things Removed some reduandant files in home/ and tidied up the structure somewhat Moved things from desktop, gui, etc... to top level Changed env to shell, indiv shell expressions import relevant others 2023-07-16 17:35:36 +01:00			`};`

			`networking = {`
			`nat = {`
			`enable = true;`
			`externalInterface = "enp42s0";`
Add Vanguard back to syncthing 2023-08-30 07:28:36 +01:00			`internalInterfaces = [ vpn-dev ];`
Major cleanup for files Reduce complexity and in flake.nix and be more efficient in re-using things Removed some reduandant files in home/ and tidied up the structure somewhat Moved things from desktop, gui, etc... to top level Changed env to shell, indiv shell expressions import relevant others 2023-07-16 17:35:36 +01:00			`};`
			`firewall = {`
Add Vanguard back to syncthing 2023-08-30 07:28:36 +01:00			`trustedInterfaces = [ vpn-dev ];`
			`allowedUDPPorts = [ port ];`
Major cleanup for files Reduce complexity and in flake.nix and be more efficient in re-using things Removed some reduandant files in home/ and tidied up the structure somewhat Moved things from desktop, gui, etc... to top level Changed env to shell, indiv shell expressions import relevant others 2023-07-16 17:35:36 +01:00			`};`
			`};`

			`services.openvpn = {`
			`restartAfterSleep = true;`
			`servers.xenia.config = ''`
			`dev ${vpn-dev}`
			`proto udp`
			`ifconfig 10.8.0.1 10.8.0.2`
			`secret ${client-key}`
			`port ${toString port}`

			`cipher AES-256-CBC`
			`auth-nocache`

			`comp-lzo`
			`keepalive 10 60`
			`ping-timer-rem`
			`persist-tun`
			`persist-key`
			`'';`
			`};`

			`environment.etc."openvpn/client.ovpn" = {`
			`text = ''`
			`dev tun`
			`remote "${domain}"`
			`ifconfig 10.8.0.2 10.8.0.1`
			`port ${toString port}`
			`redirect-gateway def1`

			`cipher AES-256-CBC`
			`auth-nocache`

			`comp-lzo`
			`keepalive 10 60`
			`resolv-retry infinite`
			`nobind`
			`persist-key`
			`persist-tun`
			`secret [inline]`

			`'';`
			`mode = "600";`
			`};`
			`system.activationScripts.openvpn-addkey = ''`
			`f="/etc/openvpn/client.ovpn"`
			`if ! grep -q '<secret>' $f; then`
			`echo "appending secret key"`
			`echo "<secret>" >> $f`
			`cat ${client-key} >> $f`
			`echo "</secret>" >> $f`
			`fi`
			`'';`
Add initial settings for new server machine Legion Adapt existing settings for Vanguard being used as server 2023-06-04 10:55:46 +01:00			`}`