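{lib, ...}: let
  # Pre-shared static key for the point-to-point tunnel, generated on the
  # server with:  openvpn --genkey --secret openvpn-laptop.key
  # The same key is copied into the generated client profile below, so both
  # files must stay root-only.
  client-key = "/root/openvpn.key";
  domain = "vpn.xenia.me.uk";
  vpn-dev = "tun0";
  port = 1194;
in {
  imports = [
    ./adguardhome
    ./gitea
    ./nextcloud
    ./sshd
    ./syncthing
    ./terraria/windy_limbo_of_melancholy.nix
    ./traefik/adguardhome.nix
    ./traefik/gitea.nix
    ./traefik/nextcloud.nix
    ./traefik/qbittorrent.nix
  ];

  services.syncthing = let
    user = "xenia";
    dataDir = "/var/lib/syncthing";
    # Every shared folder lives directly under dataDir; mkForce overrides
    # whatever path ./syncthing declares for the same folder names.
    folderNames = [
      "Archive"
      "Books"
      "Comics"
      "Documents"
      "Exports"
      "Notes"
      "Pictures"
      "Tasks"
      "Zotero"
    ];
  in {
    inherit user dataDir;
    group = "users";
    folders = lib.genAttrs folderNames (name: {
      path = lib.mkForce (dataDir + "/" + name);
    });
  };

  networking = {
    # Masquerade VPN clients behind the uplink interface.
    nat = {
      enable = true;
      externalInterface = "enp42s0";
      internalInterfaces = [vpn-dev];
    };
    firewall = {
      # Traffic arriving over the tunnel bypasses the firewall entirely;
      # only the OpenVPN port itself is opened on the outside.
      trustedInterfaces = [vpn-dev];
      allowedUDPPorts = [port];
    };
  };

  services.openvpn = {
    restartAfterSleep = true;
    # Static-key (pre-shared secret) tunnel. Cipher, compression and
    # keepalive settings must match the client profile below.
    # NOTE(review): comp-lzo is deprecated upstream, and compressing data
    # before encryption leaks plaintext length (compression-oracle class
    # weaknesses). Remove it from both this config and client.ovpn together.
    servers.xenia.config = ''
      dev ${vpn-dev}
      proto udp
      ifconfig 10.8.0.1 10.8.0.2
      secret ${client-key}
      port ${toString port}
      cipher AES-256-CBC
      auth-nocache
      comp-lzo
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
    '';
  };

  # Client profile. `secret [inline]` refers to the <secret>...</secret>
  # block appended by the activation script below, so the finished file
  # contains the pre-shared key and is created mode 0600.
  environment.etc."openvpn/client.ovpn" = {
    text = ''
      dev tun
      remote "${domain}"
      ifconfig 10.8.0.2 10.8.0.1
      port ${toString port}
      redirect-gateway def1
      cipher AES-256-CBC
      auth-nocache
      comp-lzo
      keepalive 10 60
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      secret [inline]
    '';
    mode = "600";
  };

  # Append the static key to the generated profile exactly once; the grep
  # guard looks for the inline <secret> tag so repeated activations do not
  # duplicate the key. NOTE(review): this presumes the script runs after
  # /etc has been regenerated for this generation — confirm the activation
  # ordering if the key ever goes missing from the profile.
  system.activationScripts.openvpn-addkey = ''
    f="/etc/openvpn/client.ovpn"
    if ! grep -q '<secret>' "$f"; then
      echo "appending secret key"
      echo "<secret>" >> "$f"
      cat ${client-key} >> "$f"
      echo "</secret>" >> "$f"
    fi
  '';
}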