add secrets handling to mullvad

2024-12-22 01:50:44 -06:00 · 2024-11-28 22:53:35 -06:00 · 2024-11-28 22:53:35 -06:00 · 28476eff68
commit 28476eff68
parent 356057e2b2
5 changed files with 72 additions and 51 deletions
--- a/hosts/othalan/default.nix
+++ b/hosts/othalan/default.nix
@ -11,13 +11,9 @@
      nix-ld = enabled // {
        overkill = enabled;
      };
-      languages =
-        "misc|nim|node|nushell|python|tex"
-        # + "roc|zig"
-        |> listify;
+      languages = "misc|nim|node|nushell|python|tex" |> listify;
    }
    // (
-      # llm
      ''
        vpn|desktop|hyprland|chrome
        backups|hp-scanner|llm
@ -27,15 +23,20 @@
      |> enableAttrs
    );

-  sops.defaultSopsFile = ./secrets.yaml;
-  # This will automatically import SSH keys as age keys
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.secrets.restic-othalan = {
-    # Permission modes are in octal representation (same as chmod),
-    mode = "0440";
-    # It is recommended to get the group/name name from
-    # `config.users.users.<?name>.{name,group}` to avoid misconfiguration
-    owner = config.users.users.daylin.name;
-    group = config.users.users.daylin.group;
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+
+    # This will automatically import SSH keys as age keys
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    secrets.mullvad-userpass = { };
+    secrets."mullvad_ca.crt" = { };
+    secrets.restic-othalan = {
+      # Permission modes are in octal representation (same as chmod),
+      mode = "0440";
+      # It is recommended to get the group/name name from
+      # `config.users.users.<?name>.{name,group}` to avoid misconfiguration
+      owner = config.users.users.daylin.name;
+      group = config.users.users.daylin.group;
+    };
  };
 }
--- a/hosts/othalan/secrets.yaml
+++ b/hosts/othalan/secrets.yaml
@ -1,4 +1,6 @@
 restic-othalan: ENC[AES256_GCM,data:HNIya1Rp,iv:8QkDewpXoy+3ahuuaCN/HfbGOgfQQ0Ud5emD7zVPE2s=,tag:bDfumEnt20lun5hnLY+eVA==,type:str]
+mullvad-userpass: ENC[AES256_GCM,data:2gwF8GvnBLDogBb+ePNqnw==,iv:luAfk7C41UKZ6H+TidfIUylP9cDt77HHRl7RgfhU3Xk=,tag:LoqZ2iiaxBd97F7PPO5K/Q==,type:str]
+mullvad_ca.crt: ENC[AES256_GCM,data:zjju+4NLdFcUN6ff1KbOOGMxYJhlzvn4Zg7FAO4JxytcbLkv0YsmbZK0XLQHfiL1dvgkaZfIjLsFPRVFUQ2XnwNEErlGjO4IQauMetaxnJl7PuG/6xSQPRDsj4XXLMH8I5g7iUVyC3WDiFPUrlpPsNfPmkpz/Iodyc6cPhiAgzmEKrMu+tljf60rP8oRop4DE4mhv03bnq3yWuATkT9KbTkb+n3JyrkgwNmhTBdbYW+xQ/udzUsoMiOw3mtOhY46U/mYCS8TRJau6biFKqs/at/T7D26pXi3z4zV7Am5h1vkdgwz8rLqWMGklBCSyL+DiTvrzy0xYqxCI2Py05y0Q9zDJj+AUNgNXBcDZnFRRb5SZgiSQ4nDObRADRL0MXvz8PDwrtB6poBtOCEn3w8qTK1GDeQcG2qOZfriDg1KgQNw7ZQNopCvR8cRihh6202pywi5x2CnAwGtBNrryKAW0zazyTwvle0xcVnsnBMNlTK18MbOynK+LnW7d1UNkz/0YxoGfVwc4XhDcuJvWRsU6Aob2ZhYgQR1tBZjS5if40VdTYKY20LIfO5V9HHLsdvyyY6F77dXUDWdBzwe6LbZ4y517Ij61/dMwLKrhuonADfy8fGc0pnhbeyqJKmJ+dakCj3fpYeSgJ6ogMnKRaO5yG46bp3okWNTF+wNKykmSbVMA2qjU0qpjzA8zrqxoebLowOJDZKvYzakKOZXKi2EykZeVKz0c+yKZLLu8QVs0ndYoT+tTiKqwpfFPMrZYZ/S1MT4EvnPc2tgsbeum9lF8ajs3UB1SnEEKf0ydX7tP8PrIo4IB9LauehMvHwOgk99Sxpt6PNCopPlJOWEPeGVFLMUI0EXcY1tC+7tLvOJC7f64ut/x1IVeGnH3VKHiecxJ5naPt2yfYx1AcGxhNf0Cf6EQDqM//zZAowzfn2m3Mcwz5nf0C20xf6fJeiF3ciM6VMG3R1CC3NSrYVh2UFCxLCz3XtCqwNAgz1DD3MF3uwX1sJTvD8mI1AJjXorpbu62HwlsSwWIKGqYmqxo7Zj6XNzFeBiNyJGsG8tNned0QGWoUFfihG5DKh4wpaKQE2TYZxC+kXJiagD5NB+hLt40By85xeam2YOeLP9OcWc4CF0SgBdejh0bxqN1WZKICnSoNrucVDPLZu26rDDCZd5V4Pyhz32Gv+GE68098sbQz0yVCWdZO6EXMjwn7BaYpEv+3BYdchqUm+4X3BdbH7UhRzXZ1SDtz/sYI0BzYe0AY1dhUBvyhimVgCrVhqcBT54Ri4/QHfDbTCws7J20jlf94s5xOPas9L8HrQeAwY6Zt8VZiYd6etQv/KhT7ZaHSRz283qE2uUgGk07WP81hASLDTfGLTARWBjZGoKCeVKGpItAhU2Buk7Ehh7yBglLIhpOxKdan98eJqdH19APH5115ZHO5M9snLDAz09MH16YLR2GadFLaMMM4wWNV0ELSk67JedQ5feG7s5Fker3JQHGYXPDylcUrs+/hpDXvjS/Ov6deD/1LeIbROkC7fcMtb9fDZgtlo97y+DthtlFWIYX2HTlVZU1krdbzorGTJ94ytVg4cfTYg2eiXL4xl97BvstrWVVXW+TsjuZxl1DVfaC/PhpDd5IzndboL7xJLY3djfo61XVoYmDE2GlRJkwHfLV2/ZTaxpUt08B8uRGHol6trFZNnsJDonqpXE6wKgQCM9NXobgliybRi+BULpM0eIVMbb4+WOBUppvm3WcM53VhfOWjRcaY799ltnr9IudkiipMW23WmLF/C25espGLo7lbxBCNhW1vnXBwWIzG4QJ2sBpGaIr7m82LiqucQMLvadjLQLwn+3XL2xB+aoO3LEJp3a9ds4XrNiJP8AiI2X2dtZERBltjXmmF49NGTVflLYErOag2KLOmbc4AGC4vLeZSi52cdRmRBBANJ3d0+upnn+Ejpxq1vQNhEeh56hgDC/dDQqBsQkzmgXyUQn8n5nvL4mphktSs2I1pFPZrPFogMfBfLJBKz0HtCRuCbU+dhYkvQzeMH/yykvcLUfZR4IJ8FpTZ5VnJcYlTecwiISCaz2u7HwGa1REM8yNPdIdKQnQCgC8eNRv98s97R4mIxnBERtuxsVCnSl2po9InEoTi0Z+eV8WHNbyQGThn+PMPSEZqbYEp/RXDa9p26z5Ed9iDTYBqqnV+zTa78m64f38L2XkCkoQV0uDKZs4auCCJ4a2/8lbbzL5nW5f0MPvHDAmbXEPg/0UtHB1L6yZ0CSrT9alKRNIThd/lIUCWMhUL0ihzeEzPw0EP0WfrAYTQZ5yWhY/bFHilBX4WDG1fdWrDNCnUGsczQKC3cbfO5dk3dFaHcSUwN2H5oxa3idaA9S0siWyENio88LA7SU3uk35jNHy/LHzn5lU3IFIxa7Ivx2L7+z19G1orxWxuWjNoesoquUeKfihAezmcTO6+JgrIwqActIMvHK5ZLa6FTIa1or5AoPTAO1GU90LvMOFbCCxoD52vPrkT2+lhIwxh9BLrIQx1yCsn+1W/myvREdl4wWSULUKEM+pVfmlBzxrPCKTd188HPiTvp1sJUyKXL7ow38Sky84tcTSHaU49SdJ4v/MuGtYngspilt0Jo58wFhV3/XWHCKTp5TH9CQjEmunBAwjEG+rG6h3ooo0r8g/KOVyFcRdjgBsUk+x6OuRFOsgmRIezVXdRDceAf5aBGxtKqcOv3tQyzpLM5PAJSp0nFDdiiezEyNeBRxQPk3iKEQxv773u4y5SoLpdVIEbslTZ1BMky9B489jtanr7LZgcYpPGEu0voDS+TtOvAGz+d8e6VMOP2t/wD9PFjsT75yqYxyzYNOHfXEwMbUQyQf9Ucrwfz6fi01VyaxG2PJ8T19+KPhgP/kU6oTEVu1JN4VnbUF8fiDpMtFEMTZ,iv:2SPtErk/uh5/RTQpdXEZaHEOkzmHPmJ+y2ICPouJXOg=,tag:8KnPW4MLWgoPMsy2ji4tDg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -23,8 +25,8 @@ sops:
            Sng0U242THBSZ005MjJ4d0syT2RBNWMK8+a7qrx0l2T5qAqqrRpH0BTAsSlST5/O
            HXvwlTZ3m/RITWVPfh9rr2tCYKZYA6a+afjVeQYs+FvGlTCuE1LmUA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-29T00:41:44Z"
-    mac: ENC[AES256_GCM,data:4+H5OmCCTrMrkz9sLHcdwu8EFc+iS3MUTfhLgH6crfE0QSmV87b4JKQTVtdoYnzB8f2hRS/DeAImaLs68NQ/c7raLKwKmX1Bx2htV92MEOhoEjnZ6IbpCzY9FhrtRFjjBrg/nAuMpK0ktYW3w9C/v/jq/YEnP+pabkPhsUav8GU=,iv:LtBd2nj21ZCOXmvfbCIz/lvYC4neRk7ZTnY/rbJnATU=,tag:o9K/TxIp/NLmcvpXHYPHoQ==,type:str]
+    lastmodified: "2024-11-29T04:55:36Z"
+    mac: ENC[AES256_GCM,data:1gw1iRbSg5iXAAuo1o3Q1bQWfkB4wHs9WfzK2MRKkzBtvZCxbPW4K1r/19mmpjYm45SRw0EH7gj0w5fZX6iAQPkcNR1zXEpM8mt9I0Yrj6Ifhg11nuU5q+mUAvyi/yYc3xDSD1vU+jWcxa33kz500xREHJmGvbBePIoJn4Niljw=,iv:N6LasEb4EgS4ZMNVW29THHA65sBwJ0yoG27rsIkQAgE=,tag:zR8TKReatGctpNhtYUe1mA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/modules/networking/vpn.nix
+++ b/modules/networking/vpn.nix
@ -1,34 +0,0 @@
-{
-  config,
-  pkgs,
-  mkOizysModule,
-  ...
-}:
-mkOizysModule config "vpn" {
-  environment.systemPackages = with pkgs; [
-    openconnect
-    openvpn
-  ];
-
-  services.openvpn.servers = {
-    # subscription expired
-    # express-ny = {
-    #   config = ''
-    #     config /home/daylin/.config/openvpn/express-ny/config.ovpn
-    #     auth-user-pass /home/daylin/.config/openvpn/express-ny/credentials
-    #   '';
-    #   autoStart = false;
-    #   updateResolvConf = true;
-    # };
-    #
-
-    mullvad-chi = {
-      config = ''
-        config /home/daylin/.config/openvpn/mullvad-chi/mullvad_us_chi.conf
-      '';
-      autoStart = false;
-      updateResolvConf = true;
-    };
-  };
-
-}
--- a/modules/vpn/default.nix
+++ b/modules/vpn/default.nix
@ -0,0 +1,27 @@
+{
+  config,
+  pkgs,
+  mkOizysModule,
+  ...
+}:
+
+mkOizysModule config "vpn" {
+  environment.systemPackages = with pkgs; [
+
+    openconnect
+    openvpn
+  ];
+  services.openvpn.servers = {
+
+    mullvad-chi = {
+      config = ''
+        config ${./mullvad_us_chi.conf}
+        auth-user-pass ${config.sops.secrets.mullvad-userpass.path}
+        ca ${config.sops.secrets."mullvad_ca.crt".path}
+      '';
+
+      autoStart = false;
+      updateResolvConf = true;
+    };
+  };
+}
--- a/modules/vpn/mullvad_us_chi.conf
+++ b/modules/vpn/mullvad_us_chi.conf
@ -0,0 +1,25 @@
+client
+dev tun
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+verb 3
+remote-cert-tls server
+ping 10
+ping-restart 60
+sndbuf 524288
+rcvbuf 524288
+cipher AES-256-GCM
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
+proto udp
+#auth-user-pass mullvad_userpass.txt
+#ca mullvad_ca.crt
+script-security 2
+#up update-resolv-conf
+#down update-resolv-conf
+fast-io
+remote-random
+remote 68.235.43.34 1195 # us-chi-ovpn-001
+remote 68.235.43.98 1195 # us-chi-ovpn-003
+remote 68.235.43.66 1195 # us-chi-ovpn-002