update lock file

flake.lock

@@ -132,11 +132,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713898448,
+        "lastModified": 1718018037,
-        "narHash": "sha256-6q6ojsp/Z9P2goqnxyfCSzFOD92T3Uobmj8oVAicUOs=",
+        "narHash": "sha256-03rLBd/lKecgaKz0j5ESUf9lDn5R0SJatZTKLL5unWE=",
         "owner": "hercules-ci",
         "repo": "hercules-ci-effects",
-        "rev": "c0302ec12d569532a6b6bd218f698bc402e93adc",
+        "rev": "0ab08b23ce3c3f75fe9a5598756b6fb8bcf0b414",
         "type": "github"
       },
       "original": {
@@ -199,17 +199,18 @@
       "inputs": {
         "hyprcursor": "hyprcursor",
         "hyprlang": "hyprlang",
+        "hyprutils": "hyprutils",
         "hyprwayland-scanner": "hyprwayland-scanner",
         "nixpkgs": "nixpkgs",
         "systems": "systems",
         "xdph": "xdph"
       },
       "locked": {
-        "lastModified": 1718051463,
+        "lastModified": 1718313803,
-        "narHash": "sha256-ZB7Ov9pbyOUl6Up8o3Kvb/4bghhcbBk0JILLS/L7LUM=",
+        "narHash": "sha256-xyptaxC172FB/m4fSCSEYaCVYp6e8IWLDHvDLiSuu6M=",
         "ref": "refs/heads/main",
-        "rev": "811429bfd4a46f33c7788580f72038b0c3c1c2b1",
+        "rev": "8055b1c00a102f5419e40f5eddfb6ee8be693f33",
-        "revCount": 4795,
+        "revCount": 4822,
         "submodules": true,
         "type": "git",
         "url": "https://github.com/hyprwm/Hyprland"
@@ -269,6 +270,10 @@
     },
     "hyprlang": {
       "inputs": {
+        "hyprutils": [
+          "hyprland",
+          "hyprutils"
+        ],
         "nixpkgs": [
           "hyprland",
           "nixpkgs"
@@ -279,11 +284,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716473782,
+        "lastModified": 1717881852,
-        "narHash": "sha256-+qLn4lsHU6iL3+HTo1gTQ1tWzet8K9h+IfVemzEQZj8=",
+        "narHash": "sha256-XeeVoKHQgfKuXoP6q90sUqKyl7EYy3ol2dVZGM+Jj94=",
         "owner": "hyprwm",
         "repo": "hyprlang",
-        "rev": "87d5d984109c839482b88b4795db073eb9ed446f",
+        "rev": "ec6938c66253429192274d612912649a0cfe4d28",
         "type": "github"
       },
       "original": {
@@ -292,6 +297,31 @@
         "type": "github"
       }
     },
+    "hyprutils": {
+      "inputs": {
+        "nixpkgs": [
+          "hyprland",
+          "nixpkgs"
+        ],
+        "systems": [
+          "hyprland",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717881334,
+        "narHash": "sha256-a0inRgJhPL6v9v7RPM/rx1kbXdfe3xJA1c9z0ZkYnh4=",
+        "owner": "hyprwm",
+        "repo": "hyprutils",
+        "rev": "0693f9398ab693d89c9a0aa3b3d062dd61b7a60e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hyprwm",
+        "repo": "hyprutils",
+        "type": "github"
+      }
+    },
     "hyprwayland-scanner": {
       "inputs": {
         "nixpkgs": [
@@ -327,11 +357,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1717998128,
+        "lastModified": 1718298978,
-        "narHash": "sha256-yHRdkBgDXUuW5RRY0HuoHhnyUgI7RY7E2ceaGEyoOxg=",
+        "narHash": "sha256-7jIX4cUdn6LYP4l38S38nsSNbGMF5eXP9qKe69SR02k=",
         "owner": "nix-community",
         "repo": "neovim-nightly-overlay",
-        "rev": "8a60d0af103bfc26f6a4e9c023c3f202a5cda549",
+        "rev": "84299e229226207721e142246ff8343f8a8c6e5d",
         "type": "github"
       },
       "original": {
@@ -343,11 +373,11 @@
     "neovim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1717973250,
+        "lastModified": 1718209811,
-        "narHash": "sha256-3SETpW06kTp3K9Up2DIhXdr2kH3Zl9lqzrMv4Qpi6dM=",
+        "narHash": "sha256-hZYLBealuoS3bL3eXFeQVAoasThqf7DDwg8kW0ASTOE=",
         "owner": "neovim",
         "repo": "neovim",
-        "rev": "40329f32d809302196ffd3f47b4d01a1d67f5a9b",
+        "rev": "53afdf360cf195c02c22865f4e63b273d1ef152e",
         "type": "github"
       },
       "original": {
@@ -358,11 +388,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1717602782,
+        "lastModified": 1717974879,
-        "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
+        "narHash": "sha256-GTO3C88+5DX171F/gVS3Qga/hOs/eRMxPFpiHq2t+D8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6",
+        "rev": "c7b821ba2e1e635ba5a76d299af62821cbcb09f3",
         "type": "github"
       },
       "original": {
@@ -390,11 +420,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1717786204,
+        "lastModified": 1718160348,
-        "narHash": "sha256-4q0s6m0GUcN7q+Y2DqD27iLvbcd1G50T2lv08kKxkSI=",
+        "narHash": "sha256-9YrUjdztqi4Gz8n3mBuqvCkMo4ojrA6nASwyIKWMpus=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "051f920625ab5aabe37c920346e3e69d7d34400e",
+        "rev": "57d6973abba7ea108bac64ae7629e7431e0199b6",
         "type": "github"
       },
       "original": {
@@ -405,11 +435,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1717868076,
+        "lastModified": 1718149104,
-        "narHash": "sha256-c83Y9t815Wa34khrux81j8K8ET94ESmCuwORSKm2bQY=",
+        "narHash": "sha256-Ds1QpobBX2yoUDx9ZruqVGJ/uQPgcXoYuobBguyKEh8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cd18e2ae9ab8e2a0a8d715b60c91b54c0ac35ff9",
+        "rev": "e913ae340076bbb73d9f4d3d065c2bca7caafb16",
         "type": "github"
       },
       "original": {
@@ -421,11 +451,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1717952948,
+        "lastModified": 1718208800,
-        "narHash": "sha256-mJi4/gjiwQlSaxjA6AusXBN/6rQRaPCycR7bd8fydnQ=",
+        "narHash": "sha256-US1tAChvPxT52RV8GksWZS415tTS7PV42KTc2PNDBmc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2819fffa7fa42156680f0d282c60d81e8fb185b7",
+        "rev": "cc54fb41d13736e92229c21627ea4f22199fee6b",
         "type": "github"
       },
       "original": {
@@ -436,11 +466,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1718078179,
+        "lastModified": 1718354773,
-        "narHash": "sha256-DjPinJD5qfICyAQ1F/kiDPDYXIZn0m9ZGh01QxYN6ug=",
+        "narHash": "sha256-p0pjm5l6LOYoEzSMLZv0QSE4vgGwfhkCz7VN58IUjzc=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "17ca35f1d12452f5135d0b96a67a78eb72d203ae",
+        "rev": "2fe75ecfd4dd1d2063fcc31ccb5db6d9f2b6b33c",
         "type": "github"
       },
       "original": {
@@ -469,11 +499,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1718058322,
+        "lastModified": 1718137936,
-        "narHash": "sha256-d5jLlAwVi4NzT9yc5UrPiOpDxTRhu8GGh0IIfeFcdrM=",
+        "narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "d071c74a7de1e26d211b69b6fbae37ae2e31a87f",
+        "rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
         "type": "github"
       },
       "original": {
@@ -514,11 +544,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1716290197,
+        "lastModified": 1717918856,
-        "narHash": "sha256-1u9Exrc7yx9qtES2brDh7/DDZ8w8ap1nboIOAtCgeuM=",
+        "narHash": "sha256-I38bmPLqamvOfVSArd1hhZtkVRAYBK38fOHZCU1P9Qg=",
         "owner": "hyprwm",
         "repo": "xdg-desktop-portal-hyprland",
-        "rev": "91e48d6acd8a5a611d26f925e51559ab743bc438",
+        "rev": "72907822c19afc0983c69d59d299204381623725",
         "type": "github"
       },
       "original": {

system/services/openvpn.nix

@@ -1,19 +1,11 @@
-# It's a pain setting up Certificate Authority, Public Key Infrastructure, etc. for OpenVPN.
+# Guide on how to create client ovpn files, and server config: https://wiki.archlinux.org/title/OpenVPN/Checklist_guide
-# Instead setup multiple openvpn servers with multiple ports, with each server having one client.
-#
-# Does not scale well, but it's good enough for personal use.
-#
-# TODO: Create CA, and ROOTCA, and use them to sign the keys, then store in sops-nix secrets.
-
 
 { config, lib, pkgs, ... }:
 let
   cfg = config.profile.services.openvpn;
   domain = "vpn.tigor.web.id";
-  portLaptop = 1194;
+  port = 1194;
-  portPhone = 1195;
+  vpn-dev = "tun0";
-  vpn-dev-laptop = "tun0";
-  vpn-dev-phone = "tun1";
   externalInterface = config.profile.networking.externalInterface;
   inherit (lib) mkIf;
 in
@@ -21,14 +13,17 @@ in
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.openvpn ]; # To generate keys with openvpn --genkey --secret <name>.key
 
+    # Enable IP forwarding to allow the VPN to act as a gateway.
+    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
     networking.nat = {
       enable = true;
       inherit externalInterface;
-      internalInterfaces = [ vpn-dev-laptop vpn-dev-phone ];
+      internalInterfaces = [ vpn-dev ];
     };
 
-    networking.firewall.trustedInterfaces = [ vpn-dev-laptop vpn-dev-phone ];
+    networking.firewall.trustedInterfaces = [ vpn-dev ];
-    networking.firewall.allowedUDPPorts = [ portLaptop portPhone ];
+    networking.firewall.allowedUDPPorts = [ port ];
 
     sops = {
       # Activate the secrets.
@@ -40,41 +35,50 @@ in
         in
         {
           "openvpn/server/ip" = opts;
-          "openvpn/key/phone" = opts;
+          "openvpn/server/ca" = opts;
-          "openvpn/key/laptop" = opts;
+          "openvpn/server/cert" = opts;
+          "openvpn/server/key" = opts;
+          "openvpn/server/tls-auth" = opts;
+          "openvpn/server/dh" = opts;
+          "openvpn/clients/phone" = opts;
+          "openvpn/clients/laptop" = opts;
         };
 
       # This section creates .ovpn files for the clients in /etc/openvpn folder. These should be shared with the clients.
       templates =
         let
-          template = { secretPlaceholder, port, ifConfig }: ''
+          # secretPlaceholder is a generated inline file from easyrsa build-client-full.
+          # it contains <cert>, <key>, <ca> sections.
+          template = { secretPlaceholder, ifConfig }: ''
+            client
+
             dev tun
-            remote "${config.sops.placeholder."openvpn/server/ip"}"
+            remote "${domain}"
             port ${toString port}
-            ifconfig ${ifConfig}
             redirect-gateway def1
 
             cipher AES-256-CBC
             auth-nocache
 
-            comp-lzo
             keepalive 10 60
             resolv-retry infinite
             nobind
             persist-key
             persist-tun
-            secret [inline]
+            key-direction 1
+
+            tls-client
+            <tls-auth>
+            ${config.sops.placeholder."openvpn/server/tls-auth"}
+            </tls-auth>
 
-            <secret>
             ${secretPlaceholder}
-            </secret>
           '';
         in
         {
           "openvpn/key/phone" = {
             content = template {
-              secretPlaceholder = config.sops.placeholder."openvpn/key/phone";
+              secretPlaceholder = config.sops.placeholder."openvpn/clients/phone";
-              port = portPhone;
               ifConfig = "10.8.1.1 10.8.1.2";
             };
             path = "/etc/openvpn/phone.ovpn";
@@ -82,8 +86,7 @@ in
           };
           "openvpn/key/laptop" = {
             content = template {
-              secretPlaceholder = config.sops.placeholder."openvpn/key/laptop";
+              secretPlaceholder = config.sops.placeholder."openvpn/clients/laptop";
-              port = portLaptop;
               ifConfig = "10.8.2.1 10.8.2.2";
             };
             path = "/etc/openvpn/laptop.ovpn";
@@ -91,34 +94,31 @@ in
           };
         };
     };
-    services.openvpn.servers =
+    services.openvpn.servers.homeserver = {
-      let
+      config = ''
-        configTemplate = { secretFile, port, dev }: ''
+        dev ${vpn-dev}
-          dev ${dev}
+        proto udp
-          proto udp
-          secret ${secretFile}
-          port ${toString port}
 
-          cipher AES-256-CBC
+        tls-server
-          auth-nocache
+        cipher AES-256-CBC
+        tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
 
-          comp-lzo
+        server 10.10.10.0 255.255.255.0
-          keepalive 10 60
+
-          ping-timer-rem
+        allow-compression no
-          persist-tun
+        ca ${config.sops.secrets."openvpn/server/ca".path}
-          persist-key
+        cert ${config.sops.secrets."openvpn/server/cert".path}
-        '';
+        key ${config.sops.secrets."openvpn/server/key".path}
-      in
+        dh ${config.sops.secrets."openvpn/server/dh".path}
-      {
+        tls-auth ${config.sops.secrets."openvpn/server/tls-auth".path} 0
-        phone = {
+
-          config = configTemplate { secretFile = config.sops.secrets."openvpn/key/phone".path; port = portPhone; dev = vpn-dev-phone; };
+        keepalive 10 60
-          autoStart = true;
+        ping-timer-rem
-        };
+        persist-tun
-        laptop = {
+        persist-key
-          config = configTemplate { secretFile = config.sops.secrets."openvpn/key/laptop".path; port = portLaptop; dev = vpn-dev-laptop; };
+      '';
-          autoStart = true;
+      autoStart = true;
-        };
+    };
-      };
   };
 }