openvpn: uses secret ip as remote

options/default.nix

@@ -14,6 +14,10 @@
     hostname = lib.mkOption {
       type = lib.types.str;
     };
+    networking.externalInterface = lib.mkOption {
+      type = lib.types.str;
+      default = "eth0";
+    };
 
     user = {
       name = lib.mkOption {

options/podman.nix

@@ -2,10 +2,7 @@
 {
   options.profile.podman = {
     enable = lib.mkEnableOption "podman";
-    caddy.enable = lib.mkOption {
+    caddy.enable = lib.mkEnableOption "caddy podman";
-      type = lib.types.bool;
+    kavita.enable = lib.mkEnableOption "kavita podman";
-      default = true;
-    };
-    kavita.enable = lib.mkEnableOption "kavita docker";
   };
 }

options/services.nix

@@ -10,5 +10,7 @@ in
     kavita.enable = mkEnableOption "kavita";
     samba.enable = mkEnableOption "samba";
     nextcloud.enable = mkEnableOption "nextcloud";
+    syncthing.enable = mkEnableOption "syncthing";
+    openvpn.enable = mkEnableOption "openvpn";
   };
 }

profiles/homeserver.nix

@@ -6,6 +6,7 @@
 
   profile = {
     hostname = "homeserver";
+    networking.externalInterface = "enp9s0";
     user = {
       name = "homeserver";
       fullName = "Homeserver";
@@ -23,8 +24,6 @@
     networking.firewall.allowedTCPPorts = [ 80 443 ];
     podman = {
       enable = true;
-      caddy.enable = false;
-      kavita.enable = true;
     };
 
     services = {
@@ -34,6 +33,8 @@
       kavita.enable = true;
       samba.enable = true;
       nextcloud.enable = true;
+      syncthing.enable = true;
+      openvpn.enable = true;
     };
   };
 }

secrets/kavita.yaml

@@ -0,0 +1,24 @@
+kavita:
+    token: ENC[AES256_GCM,data:58jQJq5H/QA/yFlfZgHWrSgE3X+c1F96s+8jIGxzWRb91m4KJ8lGy6NHyZpev5l4XhV3ghhM2/0Gs7HNZn8jn5hdrMsvk0a1iG8Rw9PaF+bnERPOFDO9zQ==,iv:uwPYTIRFvCfMxYmHZOMRKkqi3J0MNiedvbVkqlh+hUs=,tag:cG/IwPO1qjQA/NgsRQhIFQ==,type:str]
+    api_key: ENC[AES256_GCM,data:SDfzZNTj5GJC6uzz7DP/k8s4Yzr8p/8pIBqvECndF4pxg0nD,iv:j1fw5Nm05PcbI8+wViQ4t/rd+BgflVnUNzbzVzmTmsY=,tag:TA6dvBw+fZpMhNeG9klRdg==,type:str]
+    opds_url: ENC[AES256_GCM,data:qgtncw2H/mrCKrdGJdjA2AtQp2lUZGFmT21u1RdMRjAyxxzEfC1kCwQHbhaIlxvKn1M/CqXpa/gXrZAM+TptCAoyN2Kn28DmbA==,iv:o5XJl35EZumAcPiK9NmnPV65YSu8Y4fgIgHmXzoGdqA=,tag:ZQvnWdfAofAfA8EWr7jA0g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSa0c1VlR4V1RUWE1vNUg2
+            bXpuNStTRWozRGhaTGZtcGtMWDBUbm1OREZZClJDQm1uRytFRFNyenY1RUloVXNv
+            Q0F6bFNjMFZZUFUxT1JQTHJnd0Z1QUUKLS0tIEpOaUw4OEdRVUhvYmNoYTRaL2Zy
+            SjFCNUtDbWticUs3d05PS3NuVW00TFkKlqV1V+/Eb5gMj/5NMprAElkBWrO/8tkl
+            /exWXMOie/WCKiwryoyLe6yms+aOl6x5csbyJtpO2piRs7Xp1sso7g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-06-14T04:52:39Z"
+    mac: ENC[AES256_GCM,data:WJrCCdEEaxm/b7KurXl3KUjgnT7sLKkqeu8MhYhKTOajcqTYeLcHZDNu0XZpuB1xJowP8aS9v8aTFkJIexvT44Fqf23qzzYSjSqTyR+0yjGXwJxImB3/noHtYiDMXd/TGhdyLhzPnicoOFy8qsNGy2wvFGhEKxwGT0dQf2Wuvr0=,iv:KVhNsFHkW1cLEeMjxEpyhguFp8LMhw0yF6qkPqh8238=,tag:oMXDVoIGUIRPJEfKpY+7vA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

secrets/openvpn.yaml

@@ -0,0 +1,26 @@
+openvpn:
+    server:
+        ip: ENC[AES256_GCM,data:hv/lHgWGsx1LBR3wcg7O,iv:JtkecUzT50YGgDQMNlXQC9C1h53sm46EYfhdzT+0K9s=,tag:sdCiPlus1DJRPoET2e4HIQ==,type:str]
+    key:
+        phone: ENC[AES256_GCM,data:JobVqgDl1Lk8jsIPeJgfA3tuMY1IHkTL2+rWY8CQkyJ9Q+dLIS8hMrmlqhtfiEkaWs3NFqwFuyUhK8uuOa0stBzQ/lZiQ7OKjOH8Y3d4fs6sF/FCuaVOuwfAXNy2gVEG2HgKBzFkBT/ciFxF3guy2EVNaLZCm01PaA8XMr8piXDs6lqt/YoEUNr2l+LfOsphrxLCYpGxRJxJkUWjoNGm/ZtbxI/HFO94l9JAlSoCfETqgEgWOOP3OgGKFSjr6pVty5Nw6iKHnhzFYdXyPFy67MPK9NvLWM3sAZnKrmF+B6lUFGAyZwKDwenKbjM/e5VOZrEGjj7O7EgMG7tYkbPngCPvRhQ4URIibKhKlmuP/On2WuJsNhNW7mtGMAKps0Q3B9GVAWeEGAhJUo5Y3FHGtSs0dRglAo6DCB0bgSTpa87LmY0JskW+PXCTQzJgVd6EnqL+ewMXM+1ID9upedivBZpTPbN41KAz9pCa/EziSsz7vEijq1i40RS/TTvjAC2SJkiv0tCmM7/jAoPDd/N4l7doqhk8jvokGw2PBmYkxnhPo0B2Ofhx+td/Pe/Q1fDHt42POTQ1EEuptD+utvPZUdLaOGg2ybiEYn8lsB9oEK4tVZoPaxOqHPlckSOcnTjwLmQ8M2Nf5e+iW74w+dfJrXuSz15XMSGthWmYHNPZGYo24+437HcVpEs2txcysK003PTy62X56jB5Wrv3l8rqqufVeMZDgLqo3Lw3btniFs6b3lJp1+dvYwGFXBhMeOuoannOi0bQvtIwxqTYgovHv+7/HPD06Hg9ZuU6/Lip3Vp/XR0kT3IfU7S0rmxTSVdgmlJbY8IM5VDMJTk=,iv:y6rP58/eIdMOWK1KsIYOL3pve4ew8mLQZBmIWjVWRCM=,tag:PlUTapNdWwkVKqy2yzLTdQ==,type:str]
+        laptop: ENC[AES256_GCM,data:n6atoq4XVXd8xBdXpmlrZ1ZCB3dsuwJ7XUUEJeoFmxkLoT8b+A/SrEo3Cp0xaU7pwMmWZvWBj0trTGlodFM07b+rrpPHiYSPrZkKOSYTx4kj7s6jf2Fu/514fsNS76+hEu3Iof3Bxw+LhEQ3jL1Bd1lYU0+x5bh0b3JSl71VDto40VBoiM1UdQtO54XlfsfKJC9Qy6asWqDUIEpU4L4JElfFXNO9fWSUbHQX1m5UWLaZpAcAwcJknnpdr8MJPbaE2LLf9gddEoEYqZqeDcrxlWuVavgzqCwCdCHuwecmiF/Luvx1F1/O+btG0z2Iz7UzvZKjGONUV0lNE1aJiCLZhNdFluHiv+hTmjU4GRiUe2GJFACOp624GtSENrafnFV8m+cLYqrMnmCByk5FoW1CQ4Clm0txbIRRHG1zZcrwf8G/S0VAJ0CMeEHZJoe6Adh0a/BdxWaLvexxl2OQBAhv0KiISfkp5oU3RPIo5ITrNE06fXXRiVXUiB3YXV+tOUmfUzTqBBLwOiS2yT2ggRxS9j8cWvNpQJFQB0zfYE3Q9TNdzvItXD/0TtGfxC/hBEorjqQEeFrVg60qbV3m8pxZMcCSUK/2+fBrBmuJsZ6KkEX1mqMP+QLg8JyAX8Eyn3FI+EPbcoHTrTts0hrOUbSwKQjJiN3nwOm9iGB2u8q3xUUo8uV4Bx9tyVpZPmeTS3S9aA8md2UnwUHQLd+DsKtdgFMUeW7ynZKGVesi+Tf5TEkw39/zhUor/JbwoXBlKLmPNs+X3a50yr22uRqyQ0rC7WQ2DfR5cXTgS2itcFC/iyUdB0DolDX49flK3Wyr4+taMVA7nf0qnbfMmus=,iv:s8yYzh/sF2Nb+fnr+/X9GhGCg2Ft/bNJk5L+FQhG3nU=,tag:NT7jH148RvcjnmsarL9qZQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbnpHV0dlaWxXSDNnYnBa
+            NDhaMWdEMDB2allPUm9MUll0QVNWUmNNZlN3CkUxNFF6YmMxMjdWRDlMMTNHZUNq
+            YVJDQWZWT1pVWkFDMVA1ank1amUySjQKLS0tIEs2SFNWTEhLRjdaM2sya3FmYVdP
+            NmVZSk5jUUs3ZnhCTC9NOEQ1WkRJem8KvwC+Tc67NgV6rJM9vdfWbVaJSrX7xZS4
+            aRvTzGL4Q2e+BnrFcyX8QiiZFgEUGEbk6MYbPELeGapwW79WvHzP8A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-06-14T09:39:43Z"
+    mac: ENC[AES256_GCM,data:OnbOkWUCl8Oa+XXHJ8sQVZ+8rQ/XFmMXQlzgJA/wXJgKAdU/FPF6XnfdYdXTH7MTu/nRhctnnRaTbPWaGaWYSejdPOQcu60z53lbALuRAWZXHAa0/tGC6pFV//3TwLd5FduOq9NnPeO0lM4yWF67z1wTDpygnrqoHDkY53OpGvU=,iv:Oj7UIFBg4/We07GD+mIJNb6K/QiGSvOXdNeyf2ezxck=,tag:rvG1y6xR1XaK5e5M9X/jrg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

system/services/default.nix

@@ -6,5 +6,8 @@
     ./forgejo.nix
     ./samba.nix
     ./nextcloud.nix
+    ./syncthing.nix
+    ./kavita.nix
+    ./openvpn.nix
   ];
 }

system/services/kavita.nix

@@ -0,0 +1,31 @@
+{ config, lib, ... }:
+let
+  cfg = config.profile.services.kavita;
+  user = config.profile.user;
+  inherit (lib) mkIf;
+in
+{
+  config = mkIf cfg.enable {
+    fileSystems."/nas/kavita" = {
+      device = "/var/lib/kavita";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+    users.groups.kavita.members = [ user.name ];
+    users.groups.${user.name}.members = [ "kavita" ]; # Allow kavita to read users's files copied to /var/lib/kavita via NAS
+    sops.secrets."kavita/token" = {
+      owner = "kavita";
+      sopsFile = ../../secrets/kavita.yaml;
+    };
+    services.caddy.virtualHosts."kavita.tigor.web.id".extraConfig = ''
+      reverse_proxy 0.0.0.0:${toString config.services.kavita.settings.Port}
+    '';
+    services.kavita = {
+      enable = true;
+      tokenKeyFile = config.sops.secrets."kavita/token".path;
+      settings = {
+        Port = 40001;
+      };
+    };
+  };
+}

system/services/openvpn.nix

@@ -0,0 +1,125 @@
+# It's a pain setting up Certificate Authority, Public Key Infrastructure, etc. for OpenVPN.
+# Instead setup multiple openvpn servers with multiple ports, with each server having one client.
+#
+# Does not scale well, but it's good enough for personal use.
+#
+# TODO: Create CA, and ROOTCA, and use them to sign the keys, then store in sops-nix secrets.
+
+
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.profile.services.openvpn;
+  domain = "vpn.tigor.web.id";
+  portLaptop = 1194;
+  portPhone = 1195;
+  vpn-dev-laptop = "tun0";
+  vpn-dev-phone = "tun1";
+  externalInterface = config.profile.networking.externalInterface;
+  inherit (lib) mkIf;
+in
+{
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.openvpn ]; # To generate keys with openvpn --genkey --secret <name>.key
+
+    networking.nat = {
+      enable = true;
+      inherit externalInterface;
+      internalInterfaces = [ vpn-dev-laptop vpn-dev-phone ];
+    };
+
+    networking.firewall.trustedInterfaces = [ vpn-dev-laptop vpn-dev-phone ];
+    networking.firewall.allowedUDPPorts = [ portLaptop portPhone ];
+
+    sops = {
+      # Activate the secrets.
+      secrets =
+        let
+          opts = {
+            sopsFile = ../../secrets/openvpn.yaml;
+          };
+        in
+        {
+          "openvpn/server/ip" = opts;
+          "openvpn/key/phone" = opts;
+          "openvpn/key/laptop" = opts;
+        };
+
+      # This section creates .ovpn files for the clients in /etc/openvpn folder. These should be shared with the clients.
+      templates =
+        let
+          template = { secretPlaceholder, port, ifConfig }: ''
+            dev tun
+            remote "${config.sops.placeholder."openvpn/server/ip"}"
+            port ${toString port}
+            ifconfig ${ifConfig}
+            redirect-gateway def1
+
+            cipher AES-256-CBC
+            auth-nocache
+
+            comp-lzo
+            keepalive 10 60
+            resolv-retry infinite
+            nobind
+            persist-key
+            persist-tun
+            secret [inline]
+
+            <secret>
+            ${secretPlaceholder}
+            </secret>
+          '';
+        in
+        {
+          "openvpn/key/phone" = {
+            content = template {
+              secretPlaceholder = config.sops.placeholder."openvpn/key/phone";
+              port = portPhone;
+              ifConfig = "10.8.1.1 10.8.1.2";
+            };
+            path = "/etc/openvpn/phone.ovpn";
+            owner = config.profile.user.name;
+          };
+          "openvpn/key/laptop" = {
+            content = template {
+              secretPlaceholder = config.sops.placeholder."openvpn/key/laptop";
+              port = portLaptop;
+              ifConfig = "10.8.2.1 10.8.2.2";
+            };
+            path = "/etc/openvpn/laptop.ovpn";
+            owner = config.profile.user.name;
+          };
+        };
+    };
+    services.openvpn.servers =
+      let
+        configTemplate = { secretFile, port, dev }: ''
+          dev ${dev}
+          proto udp
+          secret ${secretFile}
+          port ${toString port}
+
+          cipher AES-256-CBC
+          auth-nocache
+
+          comp-lzo
+          keepalive 10 60
+          ping-timer-rem
+          persist-tun
+          persist-key
+        '';
+      in
+      {
+        phone = {
+          config = configTemplate { secretFile = config.sops.secrets."openvpn/key/phone".path; port = portPhone; dev = vpn-dev-phone; };
+          autoStart = true;
+        };
+        laptop = {
+          config = configTemplate { secretFile = config.sops.secrets."openvpn/key/laptop".path; port = portLaptop; dev = vpn-dev-laptop; };
+          autoStart = true;
+        };
+      };
+  };
+}
+
+

system/services/syncthing.nix

@@ -0,0 +1,22 @@
+{ config, lib, ... }:
+let
+  cfg = config.profile.services.syncthing;
+  inherit (lib) mkIf;
+in
+{
+  config = mkIf cfg.enable {
+    services.caddy.virtualHosts."syncthing.tigor.web.id".extraConfig = ''
+      reverse_proxy 0.0.0.0:8384
+    '';
+    services.syncthing = {
+      enable = true;
+      settings = {
+        options.urAccepted = 1; # Allow anonymous usage reporting.
+      };
+      overrideFolders = false;
+      overrideDevices = false;
+      openDefaultPorts = true;
+      guiAddress = "0.0.0.0:8384";
+    };
+  };
+}