diff --git a/services/Vanguard.nix b/services/Vanguard.nix
index 108584cd..75a65d76 100644
--- a/services/Vanguard.nix
+++ b/services/Vanguard.nix
@@ -3,11 +3,12 @@
     ./adguardhome
     ./gitea
     ./nextcloud
+    ./openvpn/Vanguard.nix
     ./sshd
+    ./syncthing/Vanguard.nix
     ./traefik/adguardhome.nix
     ./traefik/gitea.nix
     ./traefik/nextcloud.nix
     ./traefik/qbittorrent.nix
-    ./syncthing/Vanguard.nix
   ];
 }
diff --git a/services/openvpn/Vanguard.nix b/services/openvpn/Vanguard.nix
new file mode 100644
index 00000000..eff984b6
--- /dev/null
+++ b/services/openvpn/Vanguard.nix
@@ -0,0 +1,71 @@
+{...}: let
+  # generate via openvpn --genkey --secret openvpn-laptop.key
+  client-key = "/root/openvpn.key";
+  domain = "vpn.xenia.me.uk";
+  vpn-dev = "tun0";
+  port = 1194;
+in {
+  networking = {
+    nat = {
+      enable = true;
+      externalInterface = "enp42s0";
+      internalInterfaces = [vpn-dev];
+    };
+    firewall = {
+      trustedInterfaces = [vpn-dev];
+      allowedUDPPorts = [port];
+    };
+  };
+
+  services.openvpn = {
+    restartAfterSleep = true;
+    servers.xenia.config = ''
+      dev ${vpn-dev}
+      proto udp
+      ifconfig 10.8.0.1 10.8.0.2
+      secret ${client-key}
+      port ${toString port}
+
+      cipher AES-256-CBC
+      auth-nocache
+
+      comp-lzo
+      keepalive 10 60
+      ping-timer-rem
+      persist-tun
+      persist-key
+    '';
+  };
+
+  environment.etc."openvpn/client.ovpn" = {
+    text = ''
+      dev tun
+      remote "${domain}"
+      ifconfig 10.8.0.2 10.8.0.1
+      port ${toString port}
+      redirect-gateway def1
+
+      cipher AES-256-CBC
+      auth-nocache
+
+      comp-lzo
+      keepalive 10 60
+      resolv-retry infinite
+      nobind
+      persist-key
+      persist-tun
+      secret [inline]
+
+    '';
+    mode = "600";
+  };
+  system.activationScripts.openvpn-addkey = ''
+    f="/etc/openvpn/client.ovpn"
+    if ! grep -q '' $f; then
+      echo "appending secret key"
+      echo "" >> $f
+      cat ${client-key} >> $f
+      echo "" >> $f
+    fi
+  '';
+}
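Review bot: `comp-lzo` in both `servers.xenia.config` and the generated `client.ovpn` turns on link compression for a tunnel that mixes attacker-influenceable traffic with secrets, which is the precondition for compression-oracle attacks on VPNs, and the option is deprecated upstream; drop both `comp-lzo` lines (and on OpenVPN 2.5 or later add `allow-compression no`) unless the bandwidth saving is actually needed. In `secret` (static-key) mode the packet HMAC falls back to OpenVPN's default of SHA1 because no `auth` line is given, so an explicit `auth SHA256` on both sides would pin the intent. The activation script `openvpn-addkey` has no declared ordering against the script that populates /etc, so `cat ${client-key} >> $f` can run before `/etc/openvpn/client.ovpn` exists; wrapping the text with `lib.stringAfter ["etc"]` (after binding `lib` in the module arguments) fixes that, and `$f` should be quoted in the `grep` and the redirections. As rendered, the guard `grep -q '' $f` matches any non-empty file and would never append the key — presumably the real file carries `<secret>`/`</secret>` tags that the rendering stripped, which is worth confirming before merging.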