

No commits in common. "bbcbc73ee2d72054694b7746de0423ef3b64d79e" and "9ec97fbda5a74fa876ab74d79c696f3ac0f4b8d6" have entirely different histories.

3 changed files with 95 additions and 138 deletions


@ -132,11 +132,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718018037, "lastModified": 1713898448,
"narHash": "sha256-03rLBd/lKecgaKz0j5ESUf9lDn5R0SJatZTKLL5unWE=", "narHash": "sha256-6q6ojsp/Z9P2goqnxyfCSzFOD92T3Uobmj8oVAicUOs=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "hercules-ci-effects", "repo": "hercules-ci-effects",
"rev": "0ab08b23ce3c3f75fe9a5598756b6fb8bcf0b414", "rev": "c0302ec12d569532a6b6bd218f698bc402e93adc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -199,18 +199,17 @@
"inputs": { "inputs": {
"hyprcursor": "hyprcursor", "hyprcursor": "hyprcursor",
"hyprlang": "hyprlang", "hyprlang": "hyprlang",
"hyprutils": "hyprutils",
"hyprwayland-scanner": "hyprwayland-scanner", "hyprwayland-scanner": "hyprwayland-scanner",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"systems": "systems", "systems": "systems",
"xdph": "xdph" "xdph": "xdph"
}, },
"locked": { "locked": {
"lastModified": 1718313803, "lastModified": 1718051463,
"narHash": "sha256-xyptaxC172FB/m4fSCSEYaCVYp6e8IWLDHvDLiSuu6M=", "narHash": "sha256-ZB7Ov9pbyOUl6Up8o3Kvb/4bghhcbBk0JILLS/L7LUM=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "8055b1c00a102f5419e40f5eddfb6ee8be693f33", "rev": "811429bfd4a46f33c7788580f72038b0c3c1c2b1",
"revCount": 4822, "revCount": 4795,
"submodules": true, "submodules": true,
"type": "git", "type": "git",
"url": "https://github.com/hyprwm/Hyprland" "url": "https://github.com/hyprwm/Hyprland"
@ -270,10 +269,6 @@
}, },
"hyprlang": { "hyprlang": {
"inputs": { "inputs": {
"hyprutils": [
"hyprland",
"hyprutils"
],
"nixpkgs": [ "nixpkgs": [
"hyprland", "hyprland",
"nixpkgs" "nixpkgs"
@ -284,11 +279,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717881852, "lastModified": 1716473782,
"narHash": "sha256-XeeVoKHQgfKuXoP6q90sUqKyl7EYy3ol2dVZGM+Jj94=", "narHash": "sha256-+qLn4lsHU6iL3+HTo1gTQ1tWzet8K9h+IfVemzEQZj8=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprlang", "repo": "hyprlang",
"rev": "ec6938c66253429192274d612912649a0cfe4d28", "rev": "87d5d984109c839482b88b4795db073eb9ed446f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -297,31 +292,6 @@
"type": "github" "type": "github"
} }
}, },
"hyprutils": {
"inputs": {
"nixpkgs": [
"hyprland",
"nixpkgs"
],
"systems": [
"hyprland",
"systems"
]
},
"locked": {
"lastModified": 1717881334,
"narHash": "sha256-a0inRgJhPL6v9v7RPM/rx1kbXdfe3xJA1c9z0ZkYnh4=",
"owner": "hyprwm",
"repo": "hyprutils",
"rev": "0693f9398ab693d89c9a0aa3b3d062dd61b7a60e",
"type": "github"
},
"original": {
"owner": "hyprwm",
"repo": "hyprutils",
"type": "github"
}
},
"hyprwayland-scanner": { "hyprwayland-scanner": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -357,11 +327,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1718298978, "lastModified": 1717998128,
"narHash": "sha256-7jIX4cUdn6LYP4l38S38nsSNbGMF5eXP9qKe69SR02k=", "narHash": "sha256-yHRdkBgDXUuW5RRY0HuoHhnyUgI7RY7E2ceaGEyoOxg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "neovim-nightly-overlay", "repo": "neovim-nightly-overlay",
"rev": "84299e229226207721e142246ff8343f8a8c6e5d", "rev": "8a60d0af103bfc26f6a4e9c023c3f202a5cda549",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -373,11 +343,11 @@
"neovim-src": { "neovim-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1718209811, "lastModified": 1717973250,
"narHash": "sha256-hZYLBealuoS3bL3eXFeQVAoasThqf7DDwg8kW0ASTOE=", "narHash": "sha256-3SETpW06kTp3K9Up2DIhXdr2kH3Zl9lqzrMv4Qpi6dM=",
"owner": "neovim", "owner": "neovim",
"repo": "neovim", "repo": "neovim",
"rev": "53afdf360cf195c02c22865f4e63b273d1ef152e", "rev": "40329f32d809302196ffd3f47b4d01a1d67f5a9b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -388,11 +358,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1717974879, "lastModified": 1717602782,
"narHash": "sha256-GTO3C88+5DX171F/gVS3Qga/hOs/eRMxPFpiHq2t+D8=", "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c7b821ba2e1e635ba5a76d299af62821cbcb09f3", "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -420,11 +390,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1718160348, "lastModified": 1717786204,
"narHash": "sha256-9YrUjdztqi4Gz8n3mBuqvCkMo4ojrA6nASwyIKWMpus=", "narHash": "sha256-4q0s6m0GUcN7q+Y2DqD27iLvbcd1G50T2lv08kKxkSI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "57d6973abba7ea108bac64ae7629e7431e0199b6", "rev": "051f920625ab5aabe37c920346e3e69d7d34400e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -435,11 +405,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1718149104, "lastModified": 1717868076,
"narHash": "sha256-Ds1QpobBX2yoUDx9ZruqVGJ/uQPgcXoYuobBguyKEh8=", "narHash": "sha256-c83Y9t815Wa34khrux81j8K8ET94ESmCuwORSKm2bQY=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e913ae340076bbb73d9f4d3d065c2bca7caafb16", "rev": "cd18e2ae9ab8e2a0a8d715b60c91b54c0ac35ff9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -451,11 +421,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1718208800, "lastModified": 1717952948,
"narHash": "sha256-US1tAChvPxT52RV8GksWZS415tTS7PV42KTc2PNDBmc=", "narHash": "sha256-mJi4/gjiwQlSaxjA6AusXBN/6rQRaPCycR7bd8fydnQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cc54fb41d13736e92229c21627ea4f22199fee6b", "rev": "2819fffa7fa42156680f0d282c60d81e8fb185b7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -466,11 +436,11 @@
}, },
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1718354773, "lastModified": 1718078179,
"narHash": "sha256-p0pjm5l6LOYoEzSMLZv0QSE4vgGwfhkCz7VN58IUjzc=", "narHash": "sha256-DjPinJD5qfICyAQ1F/kiDPDYXIZn0m9ZGh01QxYN6ug=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "2fe75ecfd4dd1d2063fcc31ccb5db6d9f2b6b33c", "rev": "17ca35f1d12452f5135d0b96a67a78eb72d203ae",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -499,11 +469,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1718137936, "lastModified": 1718058322,
"narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=", "narHash": "sha256-d5jLlAwVi4NzT9yc5UrPiOpDxTRhu8GGh0IIfeFcdrM=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "c279dec105dd53df13a5e57525da97905cc0f0d6", "rev": "d071c74a7de1e26d211b69b6fbae37ae2e31a87f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -544,11 +514,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717918856, "lastModified": 1716290197,
"narHash": "sha256-I38bmPLqamvOfVSArd1hhZtkVRAYBK38fOHZCU1P9Qg=", "narHash": "sha256-1u9Exrc7yx9qtES2brDh7/DDZ8w8ap1nboIOAtCgeuM=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "xdg-desktop-portal-hyprland", "repo": "xdg-desktop-portal-hyprland",
"rev": "72907822c19afc0983c69d59d299204381623725", "rev": "91e48d6acd8a5a611d26f925e51559ab743bc438",
"type": "github" "type": "github"
}, },
"original": { "original": {



@ -1,11 +1,19 @@
# Guide on how to create client ovpn files, and server config: https://wiki.archlinux.org/title/OpenVPN/Checklist_guide # It's a pain setting up Certificate Authority, Public Key Infrastructure, etc. for OpenVPN.
# Instead setup multiple openvpn servers with multiple ports, with each server having one client.
#
# Does not scale well, but it's good enough for personal use.
#
# TODO: Create CA, and ROOTCA, and use them to sign the keys, then store in sops-nix secrets.
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = config.profile.services.openvpn; cfg = config.profile.services.openvpn;
domain = "vpn.tigor.web.id"; domain = "vpn.tigor.web.id";
port = 1194; portLaptop = 1194;
vpn-dev = "tun0"; portPhone = 1195;
vpn-dev-laptop = "tun0";
vpn-dev-phone = "tun1";
externalInterface = config.profile.networking.externalInterface; externalInterface = config.profile.networking.externalInterface;
inherit (lib) mkIf; inherit (lib) mkIf;
in in
@ -13,17 +21,14 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.openvpn ]; # To generate keys with openvpn --genkey --secret <name>.key environment.systemPackages = [ pkgs.openvpn ]; # To generate keys with openvpn --genkey --secret <name>.key
# Enable IP forwarding to allow the VPN to act as a gateway.
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nat = { networking.nat = {
enable = true; enable = true;
inherit externalInterface; inherit externalInterface;
internalInterfaces = [ vpn-dev ]; internalInterfaces = [ vpn-dev-laptop vpn-dev-phone ];
}; };
networking.firewall.trustedInterfaces = [ vpn-dev ]; networking.firewall.trustedInterfaces = [ vpn-dev-laptop vpn-dev-phone ];
networking.firewall.allowedUDPPorts = [ port ]; networking.firewall.allowedUDPPorts = [ portLaptop portPhone ];
sops = { sops = {
# Activate the secrets. # Activate the secrets.
@ -35,50 +40,41 @@ in
in in
{ {
"openvpn/server/ip" = opts; "openvpn/server/ip" = opts;
"openvpn/server/ca" = opts; "openvpn/key/phone" = opts;
"openvpn/server/cert" = opts; "openvpn/key/laptop" = opts;
"openvpn/server/key" = opts;
"openvpn/server/tls-auth" = opts;
"openvpn/server/dh" = opts;
"openvpn/clients/phone" = opts;
"openvpn/clients/laptop" = opts;
}; };
# This section creates .ovpn files for the clients in /etc/openvpn folder. These should be shared with the clients. # This section creates .ovpn files for the clients in /etc/openvpn folder. These should be shared with the clients.
templates = templates =
let let
# secretPlaceholder is a generated inline file from easyrsa build-client-full. template = { secretPlaceholder, port, ifConfig }: ''
# it contains <cert>, <key>, <ca> sections.
template = { secretPlaceholder, ifConfig }: ''
client
dev tun dev tun
remote "${domain}" remote "${config.sops.placeholder."openvpn/server/ip"}"
port ${toString port} port ${toString port}
ifconfig ${ifConfig}
redirect-gateway def1 redirect-gateway def1
cipher AES-256-CBC cipher AES-256-CBC
auth-nocache auth-nocache
comp-lzo
keepalive 10 60 keepalive 10 60
resolv-retry infinite resolv-retry infinite
nobind nobind
persist-key persist-key
persist-tun persist-tun
key-direction 1 secret [inline]
tls-client
<tls-auth>
${config.sops.placeholder."openvpn/server/tls-auth"}
</tls-auth>
<secret>
${secretPlaceholder} ${secretPlaceholder}
</secret>
''; '';
in in
{ {
"openvpn/key/phone" = { "openvpn/key/phone" = {
content = template { content = template {
secretPlaceholder = config.sops.placeholder."openvpn/clients/phone"; secretPlaceholder = config.sops.placeholder."openvpn/key/phone";
port = portPhone;
ifConfig = "10.8.1.1 10.8.1.2"; ifConfig = "10.8.1.1 10.8.1.2";
}; };
path = "/etc/openvpn/phone.ovpn"; path = "/etc/openvpn/phone.ovpn";
@ -86,7 +82,8 @@ in
}; };
"openvpn/key/laptop" = { "openvpn/key/laptop" = {
content = template { content = template {
secretPlaceholder = config.sops.placeholder."openvpn/clients/laptop"; secretPlaceholder = config.sops.placeholder."openvpn/key/laptop";
port = portLaptop;
ifConfig = "10.8.2.1 10.8.2.2"; ifConfig = "10.8.2.1 10.8.2.2";
}; };
path = "/etc/openvpn/laptop.ovpn"; path = "/etc/openvpn/laptop.ovpn";
@ -94,31 +91,34 @@ in
}; };
}; };
}; };
services.openvpn.servers.homeserver = { services.openvpn.servers =
config = '' let
dev ${vpn-dev} configTemplate = { secretFile, port, dev }: ''
proto udp dev ${dev}
proto udp
secret ${secretFile}
port ${toString port}
tls-server cipher AES-256-CBC
cipher AES-256-CBC auth-nocache
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
server 10.10.10.0 255.255.255.0 comp-lzo
keepalive 10 60
allow-compression no ping-timer-rem
ca ${config.sops.secrets."openvpn/server/ca".path} persist-tun
cert ${config.sops.secrets."openvpn/server/cert".path} persist-key
key ${config.sops.secrets."openvpn/server/key".path} '';
dh ${config.sops.secrets."openvpn/server/dh".path} in
tls-auth ${config.sops.secrets."openvpn/server/tls-auth".path} 0 {
phone = {
keepalive 10 60 config = configTemplate { secretFile = config.sops.secrets."openvpn/key/phone".path; port = portPhone; dev = vpn-dev-phone; };
ping-timer-rem autoStart = true;
persist-tun };
persist-key laptop = {
''; config = configTemplate { secretFile = config.sops.secrets."openvpn/key/laptop".path; port = portLaptop; dev = vpn-dev-laptop; };
autoStart = true; autoStart = true;
}; };
};
}; };
} }
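Review bot: The new client `template` and the server `configTemplate` both emit `comp-lzo`, re-enabling tunnel compression that the replaced server config had explicitly turned off with `allow-compression no`; compression on a VPN tunnel is a known side-channel weakness (the VORACLE class of attacks) and `comp-lzo` is deprecated in OpenVPN, so both lines should be removed or replaced with `allow-compression no` on the server side. Separately, the server `configTemplate` emits no `ifconfig` line while each client sets `ifconfig ${ifConfig}`; as far as I can tell from the hunk, in static-key point-to-point mode both ends need their tunnel addresses, so the server's `tun0`/`tun1` would come up unaddressed and the clients' `redirect-gateway def1` would have nothing to route through. Suggest giving `configTemplate` an `ifConfig` argument, emitting `ifconfig ${ifConfig}` after `port ${toString port}`, and passing each client's pair reversed (e.g. `ifConfig = "10.8.1.2 10.8.1.1";` for phone, `"10.8.2.2 10.8.2.1"` for laptop). The `domain` binding in the `let` block is now unused since `remote` reads the `openvpn/server/ip` placeholder; drop it or document why it is kept.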