servo: update OVPN IP address

2025-05-18 06:07:10 +00:00
parent ffdb00ea19
commit 07ecda1116
5 changed files with 20 additions and 19 deletions
--- a/hosts/by-name/servo/net/ovpn.nix
+++ b/hosts/by-name/servo/net/ovpn.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 {
-  sane.ovpn.addrV4 = "172.23.174.114";
+  sane.ovpn.addrV4 = "172.23.174.114";  #< this applies to the dynamic VPNs -- NOT the static VPN
  # sane.ovpn.addrV6 = "fd00:0000:1337:cafe:1111:1111:8df3:14b0";

  # OVPN CONFIG (https://www.ovpn.com):
@@ -12,9 +12,9 @@
    dns.ipv4 = "46.227.67.134";  #< DNS requests inside the namespace are forwarded here
    # wg.port = 51822;
    wg.privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
-    wg.address.ipv4 = "185.157.162.178";
-    wg.peer.publicKey = "SkkEZDCBde22KTs/Hc7FWvDBfdOCQA4YtBEuC3n5KGs=";
-    wg.peer.endpoint = "vpn36.prd.amsterdam.ovpn.com:9930";
-    # wg.peer.endpoint = "185.157.162.10:9930";
+    wg.address.ipv4 = "156.146.51.235";  #< IP address for my end of the VPN tunnel. for OVPN public IPv4, this is also the public IP address.
+    wg.peer.publicKey = "7cpFX9zXv+2hQnGOKpqyDC4HvjkBDOUOfF7zS7xBayE=";  #< pubkey by which i can authenticate OVPN, varies per OVPN endpoint
+    wg.peer.endpoint = "vpn102.prd.seattle.ovpn.com:9930";
+    # wg.peer.endpoint = "156.146.51.227:9929";
  };
 }
--- a/hosts/by-name/servo/services/email/default.nix
+++ b/hosts/by-name/servo/services/email/default.nix
@@ -25,10 +25,10 @@
 #
 # debugging: general connectivity issues
 # - test that inbound port 25 is unblocked:
-#   - `curl https://canyouseeme.org/ --data 'port=25&IP=185.157.162.178' | grep 'see your service'`
+#   - `curl https://canyouseeme.org/ --data 'port=25&IP=$MX_IP' | grep 'see your service'`
 #     - and retry with port 465, 587
 #     - i think this API requires the queried IP match the source IP
-#   - if necessary, `systemctl stop postfix` and `sudo nc -l 185.157.162.178 25`, then try https://canyouseeme.org
+#   - if necessary, `systemctl stop postfix` and `sudo nc -l $MX_IP 25`, then try https://canyouseeme.org

 { ... }:
 {
--- a/hosts/by-name/servo/services/email/postfix.nix
+++ b/hosts/by-name/servo/services/email/postfix.nix
@@ -112,7 +112,7 @@ in
    # smtpd_milters = local:/run/opendkim/opendkim.sock
    # milter docs: http://www.postfix.org/MILTER_README.html
    # mail filters for receiving email and from authorized SMTP clients (i.e. via submission)
-    # smtpd_milters = inet:185.157.162.190:8891
+    # smtpd_milters = inet:$IP:8891
    # opendkim.sock will add a Authentication-Results header, with `dkim=pass|fail|...` value to received messages
    smtpd_milters = "unix:/run/opendkim/opendkim.sock";
    # mail filters for sendmail
--- a/scripts/check-uninsane
+++ b/scripts/check-uninsane
@@ -5,7 +5,7 @@ echo "this script will check that uninsane.org is baseline operational"
 echo "it doesn't check all services, just the most critical ones"
 echo ""

-OVPNS_IPV4=185.157.162.178
+OVPNS_IPV4=156.146.51.235
 DOOF_IPV4=205.201.63.12

 usage() {
@@ -98,6 +98,12 @@ check "[DOOF] https://uninsane.org online" curl "--connect-to" "uninsane.org:443
 check "[DOOF] https://matrix.uninsane.org online" curl "--connect-to" "matrix.uninsane.org:443:$DOOF_IPV4:443" --silent --fail-with-body https://matrix.uninsane.org

 check "uninsane.org DMARC record" nslookup -querytype=TXT _dmarc.uninsane.org.
+_checkPtr() {
+  local fwd=$1
+  local rev=$2
+  nslookup "$fwd" | grep "name = $rev$"
+}
+check "mx.uninsane.org PTR" _checkPtr "$OVPNS_IPV4" mx.uninsane.org.

 check "servo-hn wireguard network" ping -c 1 -W 3 servo-hn

--- a/secrets/servo/wg_ovpns_privkey.bin
+++ b/secrets/servo/wg_ovpns_privkey.bin
@@ -1,10 +1,6 @@
 {
-	"data": "ENC[AES256_GCM,data:Qd0BDxy5uggFgJSaohdXG5J/copzeCIY7hnwquXjYbeYKH465ELxkFQXZcvv,iv:C/a7dQcGH8kUaydupAqbnP34smi/dpTSv/lRl+WDaSo=,tag:O0GvldqETifBwmzDuwBN2g==,type:str]",
+	"data": "ENC[AES256_GCM,data:dunfeBCYqKUc3RhVb+9CHCU9DEGIN4nQpgJL5fKqiBeUKUUHDVUKbyYRVQ7k,iv:yYFCsODxUM9lUXsYCqMXc08BwNq76LUJoD1ckyYAlIw=,tag:T3mX4oWFJ3hH7WzsZe1v2A==,type:str]",
 	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
@@ -23,10 +19,9 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZ29SUlhIRE0xbExuU2No\nakFxaEoxU1RvZmFGak5DbWIwYmpSMWtDemt3CkkrSHFGcXRQenZOK2N3Tk1ReW43\nM3c3N1J1WFhMaXBmVFJTTnU2bDIxdW8KLS0tIEVuYjM0T0I1dmNkQmxReURYemxK\nV3pIUUw0dTMxSWNlTTFta3VjemlEZU0KIUOwzoJXFGx5EbqRSObMTNrop/du5cfJ\nH01x46zgTAQOQOA7qlYdO429SMsQaPH3XX33M2plm4/0hKzlLZ4rRg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2023-05-14T08:37:29Z",
-		"mac": "ENC[AES256_GCM,data:GqTK4BvWgN1e8PViUcpGUimZnBmGjwZnrQrVwCIVj2KNgS5jqNYT91gLJ+CHsS5nbBfTGTJ0aRdoM5fOTLOFN+K6GZD/FIhDPrhvc3nyUK0qudWm1L+kAVnB5RYLewVYeWGKtuEGUHZSieOFRfiptXwPRPTccz9XCDYi7oIGTU4=,iv:TemQfusctCqSL/qjs72Unk6eYYFVHnIeo1zvEAiV4Pg=,tag:AG+FroYCsLgJeKtR0RX28w==,type:str]",
-		"pgp": null,
+		"lastmodified": "2025-05-18T06:30:44Z",
+		"mac": "ENC[AES256_GCM,data:+yuAJy3o/qk+/u5gNRbqzVVOXQuA6sgyn7RKXnm+KX/AVoLBwjMjjDVwZ37VV3RP81o2eFrBCz2mFjWk2cx5n3CCD2ieiwdV0lf9z92vromal3fdm9JFEDsWHPTVZnXBNvJ0awsC+Xeo/AjXeqqmQW4cs1vulHhIVIwPB38RaDs=,iv:mnzhiIAhL42LPs6m8Uhq1PmStz3vMRIlWnmxmzpjY2U=,tag:G03wZAUsRtVL9S1qIuXxDA==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.7.3"
+		"version": "3.10.2"
 	}
-}
+}