
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).
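{ lib, ... }:
let
  # Pre-shared static key for the point-to-point tunnel.
  # Generate with: openvpn --genkey --secret openvpn-laptop.key
  # Deliberately a path outside the Nix store: the configs below reference the
  # path only, so the key material never ends up in a world-readable store path.
  client-key = "/root/openvpn.key";
  # Public name the client profile connects to.
  domain = "vpn.xenia.me.uk";
  # Tunnel interface; also NAT-ed and fully trusted by the firewall below.
  vpn-dev = "tun0";
  # UDP port the server listens on and the firewall opens.
  port = 1194;
in {
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Users and groups are defined declaratively only.
  users.mutableUsers = false;

  # Unattended upgrades may reboot, but only inside the night-time window.
  system.autoUpgrade = {
    allowReboot = lib.mkForce true;
    rebootWindow = {
      lower = "03:00";
      upper = "05:00";
    };
  };

  networking = {
    # Masquerade tunnel traffic out of the wired uplink so a connected client
    # can use this host as its default gateway (see `redirect-gateway` below).
    nat = {
      enable = true;
      externalInterface = "enp42s0";
      internalInterfaces = [ vpn-dev ];
    };
    firewall = {
      # Everything arriving over the tunnel bypasses the firewall entirely;
      # acceptable for a single static-key peer, revisit if more peers are added.
      trustedInterfaces = [ vpn-dev ];
      allowedUDPPorts = [ port ];
    };
  };

  services = {
    syncthing = let dataDir = "/var/lib/syncthing";
    in {
      inherit dataDir;
      # One folder per synced collection, all rooted under dataDir.
      settings.folders = {
        "Archive".path = dataDir + "/Archive";
        "Books".path = dataDir + "/Books";
        "Comics".path = dataDir + "/Comics";
        "Documents".path = dataDir + "/Documents";
        "Exports".path = dataDir + "/Exports";
        "Notes".path = dataDir + "/Notes";
        "Pictures".path = dataDir + "/Pictures";
        "Tasks".path = dataDir + "/Tasks";
        "Zotero".path = dataDir + "/Zotero";
      };
    };

    openvpn = {
      restartAfterSleep = true;
      # Server side of a two-node static-key tunnel (10.8.0.1 <-> 10.8.0.2).
      # NOTE(review): static-key ("secret") mode provides no forward secrecy
      # and is deprecated upstream, and `comp-lzo` turns on tunnel compression,
      # which OpenVPN advises against because of compression-oracle attacks.
      # Both ends must agree on cipher/compression, so change these here and in
      # the exported client profile together.
      servers.xenia.config = ''
        dev ${vpn-dev}
        proto udp
        ifconfig 10.8.0.1 10.8.0.2
        secret ${client-key}
        port ${toString port}
        cipher AES-256-CBC
        auth-nocache
        comp-lzo
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
      '';
    };
  };

  # Client profile to hand to the laptop.  The key is appended by the
  # activation script below (between <secret> tags), so the file is written
  # mode 600 and must be treated as secret once that has happened.
  environment.etc."openvpn/client.ovpn" = {
    text = ''
      dev tun
      remote "${domain}"
      ifconfig 10.8.0.2 10.8.0.1
      port ${toString port}
      redirect-gateway def1
      cipher AES-256-CBC
      auth-nocache
      comp-lzo
      keepalive 10 60
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      secret [inline]
    '';
    mode = "600";
  };

  # Append the static key to the client profile exactly once.
  # Ordered after the "etc" activation script: /etc/openvpn/client.ovpn is
  # created by it, and without the explicit dependency the two scripts have no
  # declared order, so the append could run before the file exists.
  # If the key file is missing, say so rather than writing empty <secret> tags,
  # which the grep guard would otherwise treat as "already done".
  system.activationScripts.openvpn-addkey = {
    deps = [ "etc" ];
    text = ''
      f="/etc/openvpn/client.ovpn"
      if ! grep -q '<secret>' "$f"; then
        if [ -r "${client-key}" ]; then
          echo "appending secret key"
          echo "<secret>" >> "$f"
          cat "${client-key}" >> "$f"
          echo "</secret>" >> "$f"
        else
          echo "openvpn-addkey: ${client-key} not readable; client profile left without key" >&2
        fi
      fi
    '';
  };
}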