ovpn: use a single key per-device

this should fix the traffic collisions i'm seeing with the existing setup

hosts/by-name/lappy/default.nix

@@ -9,6 +9,8 @@
   sane.roles.pc = true;
   sane.services.wg-home.enable = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."lappy".wg-home.ip;
+  sane.ovpn.addrV4 = "172.23.119.72";
+  # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:0332:aa96/128";
 
   # sane.guest.enable = true;
   boot.loader.efi.canTouchEfiVariables = false;

hosts/common/net/vpn.nix

@@ -7,50 +7,61 @@
 
 { config, lib, pkgs, ... }:
 let
-  def-ovpn = name: { endpoint, publicKey, addrV4, id }: {
-    sane.vpn."ovpnd-${name}" = {
-      inherit endpoint publicKey addrV4 id;
-      privateKeyFile = config.sops.secrets."wg/ovpnd_${name}_privkey".path;
+  # N.B.: OVPN issues each key (i.e. device) a different IP (addrV4), and requires you use it.
+  # the IP it issues can be used to connect to any of their VPNs.
+  # effectively the IP and key map 1-to-1.
+  # it seems to still be possible to keep two active tunnels on one device, using the same key/IP address, though.
+  def-ovpn = name: { endpoint, publicKey, id }: let
+    inherit (config.sane.ovpn) addrV4;
+  in {
+    sane.vpn."ovpnd-${name}" = lib.mkIf (addrV4 != null) {
+      inherit addrV4 endpoint publicKey id;
+      privateKeyFile = config.sops.secrets."ovpn_privkey".path;
       dns = [
         "46.227.67.134"
         "192.165.9.158"
+        # "2a07:a880:4601:10f0:cd45::1"
+        # "2001:67c:750:1:cafe:cd45::1"
       ];
     };
 
-    sops.secrets."wg/ovpnd_${name}_privkey" = {
+    sops.secrets."ovpn_privkey" = lib.mkIf (addrV4 != null) {
       # needs to be readable by systemd-network or else it says "Ignoring network device" and doesn't expose it to networkctl.
       owner = "systemd-network";
     };
   };
 in lib.mkMerge [
+  {
+    options = with lib; {
+      sane.ovpn.addrV4 = mkOption {
+        type = types.nullOr types.str;
+        description = ''
+          ovpn issues one IP address per device.
+          set `null` to disable OVPN for this host.
+        '';
+      };
+    }
+  }
   (def-ovpn "us" {
     endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
     publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
     id = 1;
-    addrV4 = "172.27.237.218";
-    # addrV6 = "fd00:0000:1337:cafe:1111:1111:ab00:4c8f";
   })
-  # TODO: us-atl disabled until i can give it a different link-local address and wireguard key than us-mi
-  # (def-ovpn "us-atl" {
-  #   endpoint = "vpn18.prd.atlanta.ovpn.com:9929";
-  #   publicKey = "Dpg/4v5s9u0YbrXukfrMpkA+XQqKIFpf8ZFgyw0IkE0=";
-  #   address = [
-  #     "172.21.182.178/32"
-  #     "fd00:0000:1337:cafe:1111:1111:cfcb:27e3/128"
-  #   ];
-  # })
   (def-ovpn "us-mi" {
     endpoint = "vpn34.prd.miami.ovpn.com:9929";
     publicKey = "VtJz2irbu8mdkIQvzlsYhU+k9d55or9mx4A2a14t0V0=";
     id = 2;
-    addrV4 = "172.21.182.178";
-    # addrV6 = "fd00:0000:1337:cafe:1111:1111:cfcb:27e3";
   })
   (def-ovpn "ukr" {
     endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
     publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
     id = 3;
     addrV4 = "172.18.180.159";
-    # addrV6 = "fd00:0000:1337:cafe:1111:1111:ec5c:add3";
   })
+  # TODO: us-atl disabled until i need it again, i guess.
+  # (def-ovpn "us-atl" {
+  #   endpoint = "vpn18.prd.atlanta.ovpn.com:9929";
+  #   publicKey = "Dpg/4v5s9u0YbrXukfrMpkA+XQqKIFpf8ZFgyw0IkE0=";
+  #   id = 4;
+  # })
 ]

secrets/lappy/ovpn_privkey.bin

@@ -0,0 +1,28 @@
+{
+	"data": "ENC[AES256_GCM,data:u2Bej5jF/UoLQxPe4+aW1519oAAZ/hKMPu6rXFiRk/mVoLVic6+noflsOtbn,iv:H7+E3kmJS4nlsH9kVmIYakEQMpaE6sm3FrLVww7Cdxs=,tag:PvyMf+BT1T8qWxscftq68g==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoTnNsMFdkcGwyZCt2eXR5\nVGREZDltT3E5V3EyMDlrWkxNTFVSeWkrbTI4CnZlL0wwRzlTNkxoMC9HQUcwV3VO\nR1c3OFpOUUFvSHBGZlZ3bVAxLzVOMmMKLS0tIHpOaStaV2VOdkVZRWp2L1dPUmNE\nRmNnSHRWZy9OL1ZrMzREcXg3RStlNkEKMs4nNfHcfuWOhttzzGeHELbVlm6hskdf\nMDifoyXBAk8iiqPFpLFAkkOt6bsn5Xwjo1EaVllLkb/l0wvRpTBgHw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bElSMUJid2hYN2hrMnV6\nMmJzMTNLYXNHUkZJdzMxOWZ5enUrbWFXSlZjCnEwbVRsT1EyemZYaFQvaEJtMk8w\nci9TV1ZCYzNWSTZzaExqVXUraUFxaDAKLS0tIE5Nc0RyczBUVFBiWmhWNURxNVlR\nMllYRGFrWVJlOVdsZjVHenpLMUFRTVkKSLKhh+oK+aSw3kWu9oo8szMEObzv2UCc\n4cWoemgyFWBnA8/ucZZs6nXuXouK7OuwLiwREVctjxstPF11hP6vJg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxTmxYZ3gxZEU0SGFERm81\nTzlkMGFYTGI2bUNCTzVReENVWFhFNTBvc1NzCjlZUkNHcCtwMnduWUZTTTdjRzBi\nNlJqeFhuY1hhVmlLSkZ4VjRSYVBtdncKLS0tIC9WZ3dqdm45ZUd0RnpDamt4MmJE\nbE5sejJ4NEt4eEVKejJWaFgwMFBuUWMKtID7tF8Uq1PCu/mH70MQYq9fuTuKwjNu\nh0XaWAeQP4XYEFizGxCw9Viy4ZWy738sbgPHXeUGnb+Jy9DpTHo+zw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-05-26T13:18:51Z",
+		"mac": "ENC[AES256_GCM,data:Jc8qZ47WVHL8m3V/tQ/aWyORCDVzebffSxhqTOOyHdu4FpuQIJMkVfqipKnbQVC1oRSB8BSDW6LcVywWJpk00XG/NfqYYPw3q0UTpisJrX6GjqdqGDadBdOeuqlfTTCYJfAFDU4JiLnUCYlpdY2eUnD/fRi+2DsLFtsGj1Sdo4U=,iv:CL4THOlK+GZFd8h0WQmlOJBp+vijQSobPJG/KoFEuTI=,tag:PGLmQRDXcpXHVUOJonHK5A==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}