nixos/services/Legion.nix

{...}: let
  # generate via openvpn --genkey --secret openvpn-laptop.key
  client-key = "/root/openvpn.key";
  domain = "vpn.xenia.me.uk";
  vpn-dev = "tun0";
  port = 1194;
in {
  imports = [
    ./adguardhome
    ./gitea
    ./nextcloud
    ./sshd
    ./syncthing
    ./terraria/windy_limbo_of_melancholy.nix
    ./traefik/adguardhome.nix
    ./traefik/gitea.nix
    ./traefik/nextcloud.nix
    ./traefik/qbittorrent.nix
  ];
  services.syncthing = {
    user = "xenia";
    group = "users";
  };

  networking = {
    nat = {
      enable = true;
      externalInterface = "enp42s0";
      internalInterfaces = [vpn-dev];
    };
    firewall = {
      trustedInterfaces = [vpn-dev];
      allowedUDPPorts = [port];
    };
  };

  services.openvpn = {
    restartAfterSleep = true;
    servers.xenia.config = ''
      dev ${vpn-dev}
      proto udp
      ifconfig 10.8.0.1 10.8.0.2
      secret ${client-key}
      port ${toString port}

      cipher AES-256-CBC
      auth-nocache

      comp-lzo
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
    '';
  };

  environment.etc."openvpn/client.ovpn" = {
    text = ''
      dev tun
      remote "${domain}"
      ifconfig 10.8.0.2 10.8.0.1
      port ${toString port}
      redirect-gateway def1

      cipher AES-256-CBC
      auth-nocache

      comp-lzo
      keepalive 10 60
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      secret [inline]

    '';
    mode = "600";
  };
  system.activationScripts.openvpn-addkey = ''
    f="/etc/openvpn/client.ovpn"
    if ! grep -q '<secret>' $f; then
      echo "appending secret key"
      echo "<secret>" >> $f
      cat ${client-key} >> $f
      echo "</secret>" >> $f
    fi
  '';
}