vpn: factor out more helpers
parent
0f5279bbca
commit
005a79e680
|
@ -1,67 +1,59 @@
|
||||||
{ config, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
# to add a new OVPN VPN:
|
||||||
|
# - generate a privkey `wg genkey`
|
||||||
|
# - add this key to `sops secrets/universal.yaml`
|
||||||
|
# - upload pubkey to OVPN.com
|
||||||
|
# - generate config @ OVPN.com
|
||||||
|
# - copy the Address, PublicKey, Endpoint from OVPN's config
|
||||||
let
|
let
|
||||||
def-ovpn = { endpoint, publicKey, privateKeyFile, address }: {
|
def-ovpn = name: { endpoint, publicKey, address }: {
|
||||||
inherit address privateKeyFile;
|
networking.wg-quick.interfaces."ovpnd-${name}" = {
|
||||||
dns = [
|
inherit address;
|
||||||
"46.227.67.134"
|
privateKeyFile = config.sops.secrets."wg_ovpnd_${name}_privkey".path;
|
||||||
"192.165.9.158"
|
dns = [
|
||||||
];
|
"46.227.67.134"
|
||||||
peers = [
|
"192.165.9.158"
|
||||||
{
|
];
|
||||||
allowedIPs = [
|
peers = [
|
||||||
"0.0.0.0/0"
|
{
|
||||||
"::/0"
|
allowedIPs = [
|
||||||
];
|
"0.0.0.0/0"
|
||||||
inherit endpoint publicKey;
|
"::/0"
|
||||||
}
|
];
|
||||||
];
|
inherit endpoint publicKey;
|
||||||
# to start: `systemctl start wg-quick-ovpnd-{region}`
|
}
|
||||||
autostart = false;
|
];
|
||||||
|
# to start: `systemctl start wg-quick-ovpnd-${name}`
|
||||||
|
autostart = false;
|
||||||
|
};
|
||||||
|
sops.secrets."wg_ovpnd_${name}_privkey" = {
|
||||||
|
sopsFile = ../../secrets/universal.yaml;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
in {
|
in lib.mkMerge [
|
||||||
# to add a new OVPN VPN:
|
(def-ovpn "us" {
|
||||||
# - generate a privkey `wg genkey`
|
|
||||||
# - add this key to `sops secrets/universal.yaml`
|
|
||||||
# - upload pubkey to OVPN.com
|
|
||||||
# - generate config @ OVPN.com
|
|
||||||
# - copy the Address, PublicKey, Endpoint from OVPN's config
|
|
||||||
networking.wg-quick.interfaces.ovpnd-us = def-ovpn {
|
|
||||||
endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
|
endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
|
||||||
publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
|
publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
|
||||||
privateKeyFile = config.sops.secrets.wg_ovpnd_us_privkey.path;
|
|
||||||
address = [
|
address = [
|
||||||
"172.27.237.218/32"
|
"172.27.237.218/32"
|
||||||
"fd00:0000:1337:cafe:1111:1111:ab00:4c8f/128"
|
"fd00:0000:1337:cafe:1111:1111:ab00:4c8f/128"
|
||||||
];
|
];
|
||||||
};
|
})
|
||||||
networking.wg-quick.interfaces.ovpnd-us-atlanta = def-ovpn {
|
(def-ovpn "us-atlanta" {
|
||||||
endpoint = "vpn18.prd.atlanta.ovpn.com:9929";
|
endpoint = "vpn18.prd.atlanta.ovpn.com:9929";
|
||||||
publicKey = "Dpg/4v5s9u0YbrXukfrMpkA+XQqKIFpf8ZFgyw0IkE0=";
|
publicKey = "Dpg/4v5s9u0YbrXukfrMpkA+XQqKIFpf8ZFgyw0IkE0=";
|
||||||
privateKeyFile = config.sops.secrets.wg_ovpnd_us_atlanta_privkey.path;
|
|
||||||
address = [
|
address = [
|
||||||
"172.21.182.178/32"
|
"172.21.182.178/32"
|
||||||
"fd00:0000:1337:cafe:1111:1111:cfcb:27e3/128"
|
"fd00:0000:1337:cafe:1111:1111:cfcb:27e3/128"
|
||||||
];
|
];
|
||||||
};
|
})
|
||||||
|
(def-ovpn "ukr" {
|
||||||
networking.wg-quick.interfaces.ovpnd-ukr = def-ovpn {
|
|
||||||
endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
|
endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
|
||||||
publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
|
publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
|
||||||
privateKeyFile = config.sops.secrets.wg_ovpnd_ukr_privkey.path;
|
|
||||||
address = [
|
address = [
|
||||||
"172.18.180.159/32"
|
"172.18.180.159/32"
|
||||||
"fd00:0000:1337:cafe:1111:1111:ec5c:add3/128"
|
"fd00:0000:1337:cafe:1111:1111:ec5c:add3/128"
|
||||||
];
|
];
|
||||||
};
|
})
|
||||||
|
]
|
||||||
sops.secrets."wg_ovpnd_us_privkey" = {
|
|
||||||
sopsFile = ../../secrets/universal.yaml;
|
|
||||||
};
|
|
||||||
sops.secrets."wg_ovpnd_us_atlanta_privkey" = {
|
|
||||||
sopsFile = ../../secrets/universal.yaml;
|
|
||||||
};
|
|
||||||
sops.secrets."wg_ovpnd_ukr_privkey" = {
|
|
||||||
sopsFile = ../../secrets/universal.yaml;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
|
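Review bot: The interface name built in `def-ovpn`, `"ovpnd-${name}"`, comes out as `ovpnd-us-atlanta` for the second `(def-ovpn "us-atlanta" { ... })` call, which is 16 characters; Linux caps interface names at 15 (IFNAMSIZ minus the terminator) and wg-quick's own name check uses the same limit, so that unit would presumably fail at activation rather than at evaluation. The old file already used the attribute `ovpnd-us-atlanta`, so this predates the commit, but now that the interface, unit and sops key are all derived from `name` it is easy to overlook. The cheapest guard is an evaluation-time check in the helper, `def-ovpn = name: { endpoint, publicKey, address }: assert builtins.stringLength "ovpnd-${name}" <= 15; { ... }`, and then a shorter name for that endpoint (with the matching `wg_ovpnd_<name>_privkey` key renamed in `secrets/universal.yaml`, as this commit already does for the `us-atlanta` key).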
@ -1,7 +1,7 @@
|
||||||
#ENC[AES256_GCM,data:3Swm4ixzL+sg9UVl0VWUq5HmXoLFFY2tkfCLeACB,iv:brZxrQmInGekhv+sX72Ne2ow1katiT4upDBuTPStLuA=,tag:ORcRds8Fo86S5DkAHeeGKw==,type:comment]
|
#ENC[AES256_GCM,data:3Swm4ixzL+sg9UVl0VWUq5HmXoLFFY2tkfCLeACB,iv:brZxrQmInGekhv+sX72Ne2ow1katiT4upDBuTPStLuA=,tag:ORcRds8Fo86S5DkAHeeGKw==,type:comment]
|
||||||
#ENC[AES256_GCM,data:LA3vDETFSVN8HZ9dieFHAvV3oP4lmG2Hpiz50MF6NHpSf7mCLbgikTv7UFohKM3vLpU=,iv:rby8r8+ELAV5ZSxALxbRTeXn0u+gv8b5wlxLwbwHt2o=,tag:50csomwWpHmSvLEGiPBAdA==,type:comment]
|
#ENC[AES256_GCM,data:LA3vDETFSVN8HZ9dieFHAvV3oP4lmG2Hpiz50MF6NHpSf7mCLbgikTv7UFohKM3vLpU=,iv:rby8r8+ELAV5ZSxALxbRTeXn0u+gv8b5wlxLwbwHt2o=,tag:50csomwWpHmSvLEGiPBAdA==,type:comment]
|
||||||
wg_ovpnd_us_privkey: ENC[AES256_GCM,data:5YkQ4r7HNWiRr/5pa1XfexxtJAz6kDjX+hNiZcheUWCXVIuK0/AuyzcdQ/0=,iv:vr1UHSlsWFnTwEfZj3pBLxvaibQxhSum3SL0Uaqtceo=,tag:dN2U+TkQAgJejgDDYIWdOA==,type:str]
|
wg_ovpnd_us_privkey: ENC[AES256_GCM,data:5YkQ4r7HNWiRr/5pa1XfexxtJAz6kDjX+hNiZcheUWCXVIuK0/AuyzcdQ/0=,iv:vr1UHSlsWFnTwEfZj3pBLxvaibQxhSum3SL0Uaqtceo=,tag:dN2U+TkQAgJejgDDYIWdOA==,type:str]
|
||||||
wg_ovpnd_us_atlanta_privkey: ENC[AES256_GCM,data:Drl4yylSy5+5BZoGPOQfWraYkem0k1huK6ryAu8SebH04A7wOkSKJyGs+i4=,iv:GpfscFYxGMJPzcx6HD3wn4Xwl0piC+Y6YRpEMnhbVuc=,tag:hFmLRbG97L/2hTouyWB9HQ==,type:str]
|
wg_ovpnd_us-atlanta_privkey: ENC[AES256_GCM,data:8vwZ1eeLHmHTQWsJhpxUtR7y7thWHaiN1uSOWRnFrYNQ7WhOPD/7Yo0BIiE=,iv:Xnz+yQ921j7hss/jpgERUjJfipoor1fOLX+oMDVG6fg=,tag:JE2Uo1rhyxlyeKiNQ4/m4Q==,type:str]
|
||||||
wg_ovpnd_ukr_privkey: ENC[AES256_GCM,data:5zfhsZnBk0Kb9Nb/3igsV/fN0ZDjwTAGTKyMLMly/l7MlJe6MEmd5Lv+JT8=,iv:Mov9eUP8WfvzfZ6NljgLolJ49GSqR7eSV+k0dgE1+1I=,tag:O9UtGX2qt+qEvabcsA0vIA==,type:str]
|
wg_ovpnd_ukr_privkey: ENC[AES256_GCM,data:5zfhsZnBk0Kb9Nb/3igsV/fN0ZDjwTAGTKyMLMly/l7MlJe6MEmd5Lv+JT8=,iv:Mov9eUP8WfvzfZ6NljgLolJ49GSqR7eSV+k0dgE1+1I=,tag:O9UtGX2qt+qEvabcsA0vIA==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
|
@ -81,8 +81,8 @@ sops:
|
||||||
YmhsY0FaSW5oWVNJMlhUSDRCeWQ4KzAKaQp321XYtAZ98f4QMl5PxivAYm6VMF43
|
YmhsY0FaSW5oWVNJMlhUSDRCeWQ4KzAKaQp321XYtAZ98f4QMl5PxivAYm6VMF43
|
||||||
wCThiQgvYAP59jvVDTZngvfWAD5PyWVVvMNbjHGvAzK5WnsTPmxlsg==
|
wCThiQgvYAP59jvVDTZngvfWAD5PyWVVvMNbjHGvAzK5WnsTPmxlsg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2022-12-13T03:19:57Z"
|
lastmodified: "2022-12-13T03:32:51Z"
|
||||||
mac: ENC[AES256_GCM,data:uSwcWp5vC09pBjj6dnxwT+A1i12rrs6a4mGyS2lfahyQTCMwD6Fn3dzpkMYRVCRXQi4R6BUfLLVumU7KU3v8UOksPoiHp1T3W1Sibme7hZ6CuPfAVrT/nZPmNathz+CUuZ/pJHoGyY2fZKQMXWez7H1M2JcxueOKtwd1eXCqpvc=,iv:hv5PIflnnotxXRn/H0UuQ2f0r7RON55OV1vn45pJd7Y=,tag:mBnx097TtYE3f8d/br/J/w==,type:str]
|
mac: ENC[AES256_GCM,data:SrhiUtkKbohZLUp2n4CE02mAnSBaon8KSxpzGLwVpTgUZHWhrVg4idMNGYHC7hUjcDM1AF3MVd0LYVEKtP/b4W2w/LLfTLB/nIdZcmZa0Q3/ISJI8B8nzeb/VT/I9BT2ZV8NRa4euTqMZZ37LShnzWxiT5IesP7wpDAwo21lGBE=,iv:uPjnQU1X8WgL90tZGXEuwRJXPHiARbshZv5tmNnhjHY=,tag:O4Bf4Cj5Dn+Rs+2pPJfhdw==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.7.3
|
version: 3.7.3
|
||||||
|
|