From 28476eff6871df746bddcf38d2d6b8c69c472476 Mon Sep 17 00:00:00 2001
From: Daylin Morgan
Date: Thu, 28 Nov 2024 22:53:35 -0600
Subject: [PATCH] add secrets handling to mullvad

---
 hosts/othalan/default.nix | 31 +++++++++++++++---------------
 hosts/othalan/secrets.yaml | 6 ++++--
 modules/networking/vpn.nix | 34 --------------------------------
 modules/vpn/default.nix | 27 ++++++++++++++++++++++++++
 modules/vpn/mullvad_us_chi.conf | 25 ++++++++++++++++++++++++
 5 files changed, 72 insertions(+), 51 deletions(-)
 delete mode 100644 modules/networking/vpn.nix
 create mode 100644 modules/vpn/default.nix
 create mode 100644 modules/vpn/mullvad_us_chi.conf

diff --git a/hosts/othalan/default.nix b/hosts/othalan/default.nix
index 8ba5757..c057c5e 100644
--- a/hosts/othalan/default.nix
+++ b/hosts/othalan/default.nix
@@ -11,13 +11,9 @@
 nix-ld = enabled // { overkill = enabled; }; - languages = "misc|nim|node|nushell|python|tex" # + "roc|zig" |> listify; + languages = "misc|nim|node|nushell|python|tex" |> listify; } // ( - # llm '' vpn|desktop|hyprland|chrome backups|hp-scanner|llm
@@ -27,15 +23,20 @@
 |> enableAttrs
 );

- sops.defaultSopsFile = ./secrets.yaml;
- # This will automatically import SSH keys as age keys
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- sops.secrets.restic-othalan = {
- # Permission modes are in octal representation (same as chmod),
- mode = "0440";
- # It is recommended to get the group/name name from
- `config.users.users..{name,group}` to avoid misconfiguration
- owner = config.users.users.daylin.name;
- group = config.users.users.daylin.group;
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+
+ # This will automatically import SSH keys as age keys
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ secrets.mullvad-userpass = { };
+ secrets."mullvad_ca.crt" = { };
+ secrets.restic-othalan = {
+ # Permission modes are in octal representation (same as chmod),
+ mode = "0440";
+ # It is recommended to get the group/name name from
+ `config.users.users..{name,group}` to avoid misconfiguration
+ owner = config.users.users.daylin.name;
+ group = config.users.users.daylin.group;
+ };
 };
 }
diff --git a/hosts/othalan/secrets.yaml b/hosts/othalan/secrets.yaml
index 3aef485..5bfe768 100644
--- a/hosts/othalan/secrets.yaml
+++ b/hosts/othalan/secrets.yaml
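Review bot: The new `secrets.mullvad-userpass = { };` and `secrets."mullvad_ca.crt" = { };` entries rely on sops-nix defaults while `secrets.restic-othalan` right below them spells out `mode`, `owner` and `group`, and nothing records that the difference is deliberate. If the openvpn unit that consumes them runs as root (which I believe is the NixOS module's default), the root-only defaults are the correct choice and a comment would stop a later reader from "fixing" them to match restic: `# Read by the openvpn unit (root); sops-nix defaults (root:root, 0400) are intended.` The CA certificate is public material, so if it sits here for a stable runtime path rather than for confidentiality, saying so in the same comment would avoid the impression that it is sensitive. The enclosing attribute set starts outside this hunk.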
@@ -1,4 +1,6 @@ restic-othalan: ENC[AES256_GCM,data:HNIya1Rp,iv:8QkDewpXoy+3ahuuaCN/HfbGOgfQQ0Ud5emD7zVPE2s=,tag:bDfumEnt20lun5hnLY+eVA==,type:str] +mullvad-userpass: ENC[AES256_GCM,data:2gwF8GvnBLDogBb+ePNqnw==,iv:luAfk7C41UKZ6H+TidfIUylP9cDt77HHRl7RgfhU3Xk=,tag:LoqZ2iiaxBd97F7PPO5K/Q==,type:str] +mullvad_ca.crt: ENC[AES256_GCM,data:zjju+4NLdFcUN6ff1KbOOGMxYJhlzvn4Zg7FAO4JxytcbLkv0YsmbZK0XLQHfiL1dvgkaZfIjLsFPRVFUQ2XnwNEErlGjO4IQauMetaxnJl7PuG/6xSQPRDsj4XXLMH8I5g7iUVyC3WDiFPUrlpPsNfPmkpz/Iodyc6cPhiAgzmEKrMu+tljf60rP8oRop4DE4mhv03bnq3yWuATkT9KbTkb+n3JyrkgwNmhTBdbYW+xQ/udzUsoMiOw3mtOhY46U/mYCS8TRJau6biFKqs/at/T7D26pXi3z4zV7Am5h1vkdgwz8rLqWMGklBCSyL+DiTvrzy0xYqxCI2Py05y0Q9zDJj+AUNgNXBcDZnFRRb5SZgiSQ4nDObRADRL0MXvz8PDwrtB6poBtOCEn3w8qTK1GDeQcG2qOZfriDg1KgQNw7ZQNopCvR8cRihh6202pywi5x2CnAwGtBNrryKAW0zazyTwvle0xcVnsnBMNlTK18MbOynK+LnW7d1UNkz/0YxoGfVwc4XhDcuJvWRsU6Aob2ZhYgQR1tBZjS5if40VdTYKY20LIfO5V9HHLsdvyyY6F77dXUDWdBzwe6LbZ4y517Ij61/dMwLKrhuonADfy8fGc0pnhbeyqJKmJ+dakCj3fpYeSgJ6ogMnKRaO5yG46bp3okWNTF+wNKykmSbVMA2qjU0qpjzA8zrqxoebLowOJDZKvYzakKOZXKi2EykZeVKz0c+yKZLLu8QVs0ndYoT+tTiKqwpfFPMrZYZ/S1MT4EvnPc2tgsbeum9lF8ajs3UB1SnEEKf0ydX7tP8PrIo4IB9LauehMvHwOgk99Sxpt6PNCopPlJOWEPeGVFLMUI0EXcY1tC+7tLvOJC7f64ut/x1IVeGnH3VKHiecxJ5naPt2yfYx1AcGxhNf0Cf6EQDqM//zZAowzfn2m3Mcwz5nf0C20xf6fJeiF3ciM6VMG3R1CC3NSrYVh2UFCxLCz3XtCqwNAgz1DD3MF3uwX1sJTvD8mI1AJjXorpbu62HwlsSwWIKGqYmqxo7Zj6XNzFeBiNyJGsG8tNned0QGWoUFfihG5DKh4wpaKQE2TYZxC+kXJiagD5NB+hLt40By85xeam2YOeLP9OcWc4CF0SgBdejh0bxqN1WZKICnSoNrucVDPLZu26rDDCZd5V4Pyhz32Gv+GE68098sbQz0yVCWdZO6EXMjwn7BaYpEv+3BYdchqUm+4X3BdbH7UhRzXZ1SDtz/sYI0BzYe0AY1dhUBvyhimVgCrVhqcBT54Ri4/QHfDbTCws7J20jlf94s5xOPas9L8HrQeAwY6Zt8VZiYd6etQv/KhT7ZaHSRz283qE2uUgGk07WP81hASLDTfGLTARWBjZGoKCeVKGpItAhU2Buk7Ehh7yBglLIhpOxKdan98eJqdH19APH5115ZHO5M9snLDAz09MH16YLR2GadFLaMMM4wWNV0ELSk67JedQ5feG7s5Fker3JQHGYXPDylcUrs+/hpDXvjS/Ov6deD/1LeIbROkC7fcMtb9fDZgtlo97y+DthtlFWIYX2HTlVZU1krdbzorGTJ94ytVg4cfTYg2eiXL4xl97BvstrWVVXW+TsjuZxl1DVfaC/PhpDd5IzndboL7xJLY3djfo61XVoYmDE2GlRJkwHfL
V2/ZTaxpUt08B8uRGHol6trFZNnsJDonqpXE6wKgQCM9NXobgliybRi+BULpM0eIVMbb4+WOBUppvm3WcM53VhfOWjRcaY799ltnr9IudkiipMW23WmLF/C25espGLo7lbxBCNhW1vnXBwWIzG4QJ2sBpGaIr7m82LiqucQMLvadjLQLwn+3XL2xB+aoO3LEJp3a9ds4XrNiJP8AiI2X2dtZERBltjXmmF49NGTVflLYErOag2KLOmbc4AGC4vLeZSi52cdRmRBBANJ3d0+upnn+Ejpxq1vQNhEeh56hgDC/dDQqBsQkzmgXyUQn8n5nvL4mphktSs2I1pFPZrPFogMfBfLJBKz0HtCRuCbU+dhYkvQzeMH/yykvcLUfZR4IJ8FpTZ5VnJcYlTecwiISCaz2u7HwGa1REM8yNPdIdKQnQCgC8eNRv98s97R4mIxnBERtuxsVCnSl2po9InEoTi0Z+eV8WHNbyQGThn+PMPSEZqbYEp/RXDa9p26z5Ed9iDTYBqqnV+zTa78m64f38L2XkCkoQV0uDKZs4auCCJ4a2/8lbbzL5nW5f0MPvHDAmbXEPg/0UtHB1L6yZ0CSrT9alKRNIThd/lIUCWMhUL0ihzeEzPw0EP0WfrAYTQZ5yWhY/bFHilBX4WDG1fdWrDNCnUGsczQKC3cbfO5dk3dFaHcSUwN2H5oxa3idaA9S0siWyENio88LA7SU3uk35jNHy/LHzn5lU3IFIxa7Ivx2L7+z19G1orxWxuWjNoesoquUeKfihAezmcTO6+JgrIwqActIMvHK5ZLa6FTIa1or5AoPTAO1GU90LvMOFbCCxoD52vPrkT2+lhIwxh9BLrIQx1yCsn+1W/myvREdl4wWSULUKEM+pVfmlBzxrPCKTd188HPiTvp1sJUyKXL7ow38Sky84tcTSHaU49SdJ4v/MuGtYngspilt0Jo58wFhV3/XWHCKTp5TH9CQjEmunBAwjEG+rG6h3ooo0r8g/KOVyFcRdjgBsUk+x6OuRFOsgmRIezVXdRDceAf5aBGxtKqcOv3tQyzpLM5PAJSp0nFDdiiezEyNeBRxQPk3iKEQxv773u4y5SoLpdVIEbslTZ1BMky9B489jtanr7LZgcYpPGEu0voDS+TtOvAGz+d8e6VMOP2t/wD9PFjsT75yqYxyzYNOHfXEwMbUQyQf9Ucrwfz6fi01VyaxG2PJ8T19+KPhgP/kU6oTEVu1JN4VnbUF8fiDpMtFEMTZ,iv:2SPtErk/uh5/RTQpdXEZaHEOkzmHPmJ+y2ICPouJXOg=,tag:8KnPW4MLWgoPMsy2ji4tDg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -23,8 +25,8 @@ sops:
 Sng0U242THBSZ005MjJ4d0syT2RBNWMK8+a7qrx0l2T5qAqqrRpH0BTAsSlST5/O
 HXvwlTZ3m/RITWVPfh9rr2tCYKZYA6a+afjVeQYs+FvGlTCuE1LmUA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-29T00:41:44Z"
- mac: ENC[AES256_GCM,data:4+H5OmCCTrMrkz9sLHcdwu8EFc+iS3MUTfhLgH6crfE0QSmV87b4JKQTVtdoYnzB8f2hRS/DeAImaLs68NQ/c7raLKwKmX1Bx2htV92MEOhoEjnZ6IbpCzY9FhrtRFjjBrg/nAuMpK0ktYW3w9C/v/jq/YEnP+pabkPhsUav8GU=,iv:LtBd2nj21ZCOXmvfbCIz/lvYC4neRk7ZTnY/rbJnATU=,tag:o9K/TxIp/NLmcvpXHYPHoQ==,type:str]
+ lastmodified: "2024-11-29T04:55:36Z"
+ mac: ENC[AES256_GCM,data:1gw1iRbSg5iXAAuo1o3Q1bQWfkB4wHs9WfzK2MRKkzBtvZCxbPW4K1r/19mmpjYm45SRw0EH7gj0w5fZX6iAQPkcNR1zXEpM8mt9I0Yrj6Ifhg11nuU5q+mUAvyi/yYc3xDSD1vU+jWcxa33kz500xREHJmGvbBePIoJn4Niljw=,iv:N6LasEb4EgS4ZMNVW29THHA65sBwJ0yoG27rsIkQAgE=,tag:zR8TKReatGctpNhtYUe1mA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1
diff --git a/modules/networking/vpn.nix b/modules/networking/vpn.nix
deleted file mode 100644
index f3625dd..0000000
--- a/modules/networking/vpn.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- config,
- pkgs,
- mkOizysModule,
- ...
-}:
-mkOizysModule config "vpn" {
- environment.systemPackages = with pkgs; [
- openconnect
- openvpn
- ];
-
- services.openvpn.servers = {
- # subscription expired
- # express-ny = {
- # config = ''
- # config /home/daylin/.config/openvpn/express-ny/config.ovpn
- # auth-user-pass /home/daylin/.config/openvpn/express-ny/credentials
- # '';
- # autoStart = false;
- # updateResolvConf = true;
- # };
- #
-
- mullvad-chi = {
- config = ''
- config /home/daylin/.config/openvpn/mullvad-chi/mullvad_us_chi.conf
- '';
- autoStart = false;
- updateResolvConf = true;
- };
- };
-
-}
diff --git a/modules/vpn/default.nix b/modules/vpn/default.nix
new file mode 100644
index 0000000..8935040
--- /dev/null
+++ b/modules/vpn/default.nix
@@ -0,0 +1,27 @@
+{
+ config,
+ pkgs,
+ mkOizysModule,
+ ...
+}:
+
+mkOizysModule config "vpn" {
+ environment.systemPackages = with pkgs; [
+
+ openconnect
+ openvpn
+ ];
+ services.openvpn.servers = {
+
+ mullvad-chi = {
+ config = ''
+ config ${./mullvad_us_chi.conf}
+ auth-user-pass ${config.sops.secrets.mullvad-userpass.path}
+ ca ${config.sops.secrets."mullvad_ca.crt".path}
+ '';
+
+ autoStart = false;
+ updateResolvConf = true;
+ };
+ };
+}
diff --git a/modules/vpn/mullvad_us_chi.conf b/modules/vpn/mullvad_us_chi.conf
new file mode 100644
index 0000000..4b4bd28
--- /dev/null
+++ b/modules/vpn/mullvad_us_chi.conf
@@ -0,0 +1,25 @@
+client
+dev tun
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+verb 3
+remote-cert-tls server
+ping 10
+ping-restart 60
+sndbuf 524288
+rcvbuf 524288
+cipher AES-256-GCM
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
+proto udp
+#auth-user-pass mullvad_userpass.txt
+#ca mullvad_ca.crt
+script-security 2
+#up update-resolv-conf
+#down update-resolv-conf
+fast-io
+remote-random
+remote 68.235.43.34 1195 # us-chi-ovpn-001
+remote 68.235.43.98 1195 # us-chi-ovpn-003
+remote 68.235.43.66 1195 # us-chi-ovpn-002
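Review bot: The `config = ''…''` string for `mullvad-chi` is, as far as I recall, written by the NixOS openvpn module into a world-readable path under /nix/store, and so is the file pulled in by `config ${./mullvad_us_chi.conf}`; the hunk gets this right by interpolating only `config.sops.secrets.mullvad-userpass.path` and `config.sops.secrets."mullvad_ca.crt".path`, but nothing states that this is the invariant to keep. A comment above the `config` attribute would pin it: `# Only secret *paths* may appear here: this string and mullvad_us_chi.conf end up in the store.` It would also help to note that `auth-user-pass` and `ca` are supplied here so that the .conf can stay credential-free. As a point of style, the blank `+` lines directly after `with pkgs; [` and `servers = {` look accidental.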
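Review bot: `#auth-user-pass mullvad_userpass.txt` and `#ca mullvad_ca.crt` are now dead directives, since modules/vpn/default.nix supplies both from sops paths, and their relative filenames would not resolve from a store path if someone uncommented them; replacing the two lines with an explanatory comment removes that trap: `# credentials and CA are injected by modules/vpn/default.nix via sops; do not enable here`. The same applies to `#up`/`#down update-resolv-conf`, which `updateResolvConf = true` in default.nix covers, if I read the NixOS module correctly. Separately, `cipher AES-256-GCM` is the single-cipher form that OpenVPN 2.5+ deprecates in favour of `data-ciphers AES-256-GCM`; worth checking against the openvpn version pkgs provides before relying on it.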