add secrets handling to mullvad
This commit is contained in:
parent
356057e2b2
commit
28476eff68
5 changed files with 72 additions and 51 deletions
|
@ -11,13 +11,9 @@
|
|||
nix-ld = enabled // {
|
||||
overkill = enabled;
|
||||
};
|
||||
languages =
|
||||
"misc|nim|node|nushell|python|tex"
|
||||
# + "roc|zig"
|
||||
|> listify;
|
||||
languages = "misc|nim|node|nushell|python|tex" |> listify;
|
||||
}
|
||||
// (
|
||||
# llm
|
||||
''
|
||||
vpn|desktop|hyprland|chrome
|
||||
backups|hp-scanner|llm
|
||||
|
@ -27,15 +23,20 @@
|
|||
|> enableAttrs
|
||||
);
|
||||
|
||||
sops.defaultSopsFile = ./secrets.yaml;
|
||||
# This will automatically import SSH keys as age keys
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
sops.secrets.restic-othalan = {
|
||||
# Permission modes are in octal representation (same as chmod),
|
||||
mode = "0440";
|
||||
# It is recommended to get the group/name name from
|
||||
# `config.users.users.<?name>.{name,group}` to avoid misconfiguration
|
||||
owner = config.users.users.daylin.name;
|
||||
group = config.users.users.daylin.group;
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
|
||||
# This will automatically import SSH keys as age keys
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
secrets.mullvad-userpass = { };
|
||||
secrets."mullvad_ca.crt" = { };
|
||||
secrets.restic-othalan = {
|
||||
# Permission modes are in octal representation (same as chmod),
|
||||
mode = "0440";
|
||||
# It is recommended to get the group/name name from
|
||||
# `config.users.users.<?name>.{name,group}` to avoid misconfiguration
|
||||
owner = config.users.users.daylin.name;
|
||||
group = config.users.users.daylin.group;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
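Review bot: `secrets.mullvad-userpass = { };` and `secrets."mullvad_ca.crt" = { };` rely on sops-nix's defaults for the decrypted files (root-owned, mode 0400), and that silence sits right next to `restic-othalan`, where mode, owner and group are spelled out and explained. The defaults are the right choice only because the consumer is the system openvpn unit, which as far as I recall runs as root under NixOS, so record that above the two lines: `# root:root 0400 (sops-nix default): only the openvpn service, running as root, reads these`. It is also worth a word that `mullvad_ca.crt` is a public CA certificate, so keeping it in sops is a convenience rather than a confidentiality requirement. The enclosing attribute set starts before the hunk.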
|
|
@ -1,4 +1,6 @@
|
|||
restic-othalan: ENC[AES256_GCM,data:HNIya1Rp,iv:8QkDewpXoy+3ahuuaCN/HfbGOgfQQ0Ud5emD7zVPE2s=,tag:bDfumEnt20lun5hnLY+eVA==,type:str]
|
||||
mullvad-userpass: ENC[AES256_GCM,data:2gwF8GvnBLDogBb+ePNqnw==,iv:luAfk7C41UKZ6H+TidfIUylP9cDt77HHRl7RgfhU3Xk=,tag:LoqZ2iiaxBd97F7PPO5K/Q==,type:str]
|
||||
mullvad_ca.crt: ENC[AES256_GCM,data:zjju+4NLdFcUN6ff1KbOOGMxYJhlzvn4Zg7FAO4JxytcbLkv0YsmbZK0XLQHfiL1dvgkaZfIjLsFPRVFUQ2XnwNEErlGjO4IQauMetaxnJl7PuG/6xSQPRDsj4XXLMH8I5g7iUVyC3WDiFPUrlpPsNfPmkpz/Iodyc6cPhiAgzmEKrMu+tljf60rP8oRop4DE4mhv03bnq3yWuATkT9KbTkb+n3JyrkgwNmhTBdbYW+xQ/udzUsoMiOw3mtOhY46U/mYCS8TRJau6biFKqs/at/T7D26pXi3z4zV7Am5h1vkdgwz8rLqWMGklBCSyL+DiTvrzy0xYqxCI2Py05y0Q9zDJj+AUNgNXBcDZnFRRb5SZgiSQ4nDObRADRL0MXvz8PDwrtB6poBtOCEn3w8qTK1GDeQcG2qOZfriDg1KgQNw7ZQNopCvR8cRihh6202pywi5x2CnAwGtBNrryKAW0zazyTwvle0xcVnsnBMNlTK18MbOynK+LnW7d1UNkz/0YxoGfVwc4XhDcuJvWRsU6Aob2ZhYgQR1tBZjS5if40VdTYKY20LIfO5V9HHLsdvyyY6F77dXUDWdBzwe6LbZ4y517Ij61/dMwLKrhuonADfy8fGc0pnhbeyqJKmJ+dakCj3fpYeSgJ6ogMnKRaO5yG46bp3okWNTF+wNKykmSbVMA2qjU0qpjzA8zrqxoebLowOJDZKvYzakKOZXKi2EykZeVKz0c+yKZLLu8QVs0ndYoT+tTiKqwpfFPMrZYZ/S1MT4EvnPc2tgsbeum9lF8ajs3UB1SnEEKf0ydX7tP8PrIo4IB9LauehMvHwOgk99Sxpt6PNCopPlJOWEPeGVFLMUI0EXcY1tC+7tLvOJC7f64ut/x1IVeGnH3VKHiecxJ5naPt2yfYx1AcGxhNf0Cf6EQDqM//zZAowzfn2m3Mcwz5nf0C20xf6fJeiF3ciM6VMG3R1CC3NSrYVh2UFCxLCz3XtCqwNAgz1DD3MF3uwX1sJTvD8mI1AJjXorpbu62HwlsSwWIKGqYmqxo7Zj6XNzFeBiNyJGsG8tNned0QGWoUFfihG5DKh4wpaKQE2TYZxC+kXJiagD5NB+hLt40By85xeam2YOeLP9OcWc4CF0SgBdejh0bxqN1WZKICnSoNrucVDPLZu26rDDCZd5V4Pyhz32Gv+GE68098sbQz0yVCWdZO6EXMjwn7BaYpEv+3BYdchqUm+4X3BdbH7UhRzXZ1SDtz/sYI0BzYe0AY1dhUBvyhimVgCrVhqcBT54Ri4/QHfDbTCws7J20jlf94s5xOPas9L8HrQeAwY6Zt8VZiYd6etQv/KhT7ZaHSRz283qE2uUgGk07WP81hASLDTfGLTARWBjZGoKCeVKGpItAhU2Buk7Ehh7yBglLIhpOxKdan98eJqdH19APH5115ZHO5M9snLDAz09MH16YLR2GadFLaMMM4wWNV0ELSk67JedQ5feG7s5Fker3JQHGYXPDylcUrs+/hpDXvjS/Ov6deD/1LeIbROkC7fcMtb9fDZgtlo97y+DthtlFWIYX2HTlVZU1krdbzorGTJ94ytVg4cfTYg2eiXL4xl97BvstrWVVXW+TsjuZxl1DVfaC/PhpDd5IzndboL7xJLY3djfo61XVoYmDE2GlRJkwHfLV2/ZTaxpUt08B8uRGHol6trFZNnsJDonqpXE6wKgQCM9NXobgliybRi+BULpM0eIVMbb4+WOBUppvm3WcM53VhfOWjRcaY799ltnr9IudkiipMW23WmLF/C25espGLo7lbxBCNhW1vnXBwWIzG4QJ2sBpGaIr7m82LiqucQMLvadjLQLwn+3XL2xB+aoO3LEJp3a9ds4XrNiJP8AiI2X2dtZERBltjXmmF49NGTVflLYErOag2KLOmbc4AGC4vLeZSi52cdRmRBBANJ3d0+upnn+Ejpxq1vQNhEeh56hgDC/
dDQqBsQkzmgXyUQn8n5nvL4mphktSs2I1pFPZrPFogMfBfLJBKz0HtCRuCbU+dhYkvQzeMH/yykvcLUfZR4IJ8FpTZ5VnJcYlTecwiISCaz2u7HwGa1REM8yNPdIdKQnQCgC8eNRv98s97R4mIxnBERtuxsVCnSl2po9InEoTi0Z+eV8WHNbyQGThn+PMPSEZqbYEp/RXDa9p26z5Ed9iDTYBqqnV+zTa78m64f38L2XkCkoQV0uDKZs4auCCJ4a2/8lbbzL5nW5f0MPvHDAmbXEPg/0UtHB1L6yZ0CSrT9alKRNIThd/lIUCWMhUL0ihzeEzPw0EP0WfrAYTQZ5yWhY/bFHilBX4WDG1fdWrDNCnUGsczQKC3cbfO5dk3dFaHcSUwN2H5oxa3idaA9S0siWyENio88LA7SU3uk35jNHy/LHzn5lU3IFIxa7Ivx2L7+z19G1orxWxuWjNoesoquUeKfihAezmcTO6+JgrIwqActIMvHK5ZLa6FTIa1or5AoPTAO1GU90LvMOFbCCxoD52vPrkT2+lhIwxh9BLrIQx1yCsn+1W/myvREdl4wWSULUKEM+pVfmlBzxrPCKTd188HPiTvp1sJUyKXL7ow38Sky84tcTSHaU49SdJ4v/MuGtYngspilt0Jo58wFhV3/XWHCKTp5TH9CQjEmunBAwjEG+rG6h3ooo0r8g/KOVyFcRdjgBsUk+x6OuRFOsgmRIezVXdRDceAf5aBGxtKqcOv3tQyzpLM5PAJSp0nFDdiiezEyNeBRxQPk3iKEQxv773u4y5SoLpdVIEbslTZ1BMky9B489jtanr7LZgcYpPGEu0voDS+TtOvAGz+d8e6VMOP2t/wD9PFjsT75yqYxyzYNOHfXEwMbUQyQf9Ucrwfz6fi01VyaxG2PJ8T19+KPhgP/kU6oTEVu1JN4VnbUF8fiDpMtFEMTZ,iv:2SPtErk/uh5/RTQpdXEZaHEOkzmHPmJ+y2ICPouJXOg=,tag:8KnPW4MLWgoPMsy2ji4tDg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -23,8 +25,8 @@ sops:
|
|||
Sng0U242THBSZ005MjJ4d0syT2RBNWMK8+a7qrx0l2T5qAqqrRpH0BTAsSlST5/O
|
||||
HXvwlTZ3m/RITWVPfh9rr2tCYKZYA6a+afjVeQYs+FvGlTCuE1LmUA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-29T00:41:44Z"
|
||||
mac: ENC[AES256_GCM,data:4+H5OmCCTrMrkz9sLHcdwu8EFc+iS3MUTfhLgH6crfE0QSmV87b4JKQTVtdoYnzB8f2hRS/DeAImaLs68NQ/c7raLKwKmX1Bx2htV92MEOhoEjnZ6IbpCzY9FhrtRFjjBrg/nAuMpK0ktYW3w9C/v/jq/YEnP+pabkPhsUav8GU=,iv:LtBd2nj21ZCOXmvfbCIz/lvYC4neRk7ZTnY/rbJnATU=,tag:o9K/TxIp/NLmcvpXHYPHoQ==,type:str]
|
||||
lastmodified: "2024-11-29T04:55:36Z"
|
||||
mac: ENC[AES256_GCM,data:1gw1iRbSg5iXAAuo1o3Q1bQWfkB4wHs9WfzK2MRKkzBtvZCxbPW4K1r/19mmpjYm45SRw0EH7gj0w5fZX6iAQPkcNR1zXEpM8mt9I0Yrj6Ifhg11nuU5q+mUAvyi/yYc3xDSD1vU+jWcxa33kz500xREHJmGvbBePIoJn4Niljw=,iv:N6LasEb4EgS4ZMNVW29THHA65sBwJ0yoG27rsIkQAgE=,tag:zR8TKReatGctpNhtYUe1mA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.1
|
||||
|
|
|
@ -1,34 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
mkOizysModule,
|
||||
...
|
||||
}:
|
||||
mkOizysModule config "vpn" {
|
||||
environment.systemPackages = with pkgs; [
|
||||
openconnect
|
||||
openvpn
|
||||
];
|
||||
|
||||
services.openvpn.servers = {
|
||||
# subscription expired
|
||||
# express-ny = {
|
||||
# config = ''
|
||||
# config /home/daylin/.config/openvpn/express-ny/config.ovpn
|
||||
# auth-user-pass /home/daylin/.config/openvpn/express-ny/credentials
|
||||
# '';
|
||||
# autoStart = false;
|
||||
# updateResolvConf = true;
|
||||
# };
|
||||
#
|
||||
|
||||
mullvad-chi = {
|
||||
config = ''
|
||||
config /home/daylin/.config/openvpn/mullvad-chi/mullvad_us_chi.conf
|
||||
'';
|
||||
autoStart = false;
|
||||
updateResolvConf = true;
|
||||
};
|
||||
};
|
||||
|
||||
}
|
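--- /dev/null
+++ b/modules/vpn/default.nix
@@ -0,0 +1,27 @@
+{
+config,
+pkgs,
+mkOizysModule,
+...
+}:
+
+mkOizysModule config "vpn" {
+environment.systemPackages = with pkgs; [
+
+openconnect
+openvpn
+];
+services.openvpn.servers = {
+
+mullvad-chi = {
+config = ''
+config ${./mullvad_us_chi.conf}
+auth-user-pass ${config.sops.secrets.mullvad-userpass.path}
+ca ${config.sops.secrets."mullvad_ca.crt".path}
+'';
+
+autoStart = false;
+updateResolvConf = true;
+};
+};
+}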
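Review bot: `auth-user-pass ${config.sops.secrets.mullvad-userpass.path}` makes OpenVPN read the username from the first line and the password from the second line of the decrypted secret, and nothing in this module or in the hosts file says the secret must have that two-line layout; with a one-line file OpenVPN would, as far as I recall, fall back to prompting for the password, which a systemd unit cannot answer. Put that contract on the line itself, e.g. `# two lines: <mullvad account number>, then the password`. Consider also adding `auth-nocache` to the config string so the credentials are not retained in process memory after authentication; because they come from a file OpenVPN can re-read them on renegotiation, but confirm that against the OpenVPN version in nixpkgs before relying on it. `${./mullvad_us_chi.conf}` copies the profile into the world-readable Nix store, which is fine exactly as long as the profile keeps carrying no credentials; the commented-out `#auth-user-pass` and `#ca` lines inside it are currently the only hint of that rule.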
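--- /dev/null
+++ b/modules/vpn/mullvad_us_chi.conf
@@ -0,0 +1,25 @@
+client
+dev tun
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+verb 3
+remote-cert-tls server
+ping 10
+ping-restart 60
+sndbuf 524288
+rcvbuf 524288
+cipher AES-256-GCM
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
+proto udp
+#auth-user-pass mullvad_userpass.txt
+#ca mullvad_ca.crt
+script-security 2
+#up update-resolv-conf
+#down update-resolv-conf
+fast-io
+remote-random
+remote 68.235.43.34 1195 # us-chi-ovpn-001
+remote 68.235.43.98 1195 # us-chi-ovpn-003
+remote 68.235.43.66 1195 # us-chi-ovpn-002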
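Review bot: `tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384` only constrains the TLS 1.2 handshake, and no `tls-version-min` is set, so the minimum accepted TLS version is whatever the OpenVPN build defaults to (1.0 on older 2.x releases, if I recall correctly); add `tls-version-min 1.2` next to it so the floor is explicit regardless of the packaged version. `cipher AES-256-GCM` is the pre-2.5 spelling; on the OpenVPN shipped by nixpkgs the data-channel list is governed by `data-ciphers`, so `data-ciphers AES-256-GCM` states the same intent in current terms (keep `cipher` alongside it if older clients must share this file). The commented-out `#auth-user-pass mullvad_userpass.txt` and `#ca mullvad_ca.crt` are now satisfied by the Nix module rather than by files next to this profile; replace them with a comment saying so, e.g. `# auth-user-pass and ca are injected from sops secrets by modules/vpn/default.nix`, so nobody drops a plaintext credentials file beside this one.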