implement OVPN wireguard service

modules/universal/default.nix

@@ -7,6 +7,7 @@
     ./nix-cache.nix
     ./secrets.nix
     ./users.nix
+    ./vpn.nix
   ];
 
   time.timeZone = "America/Los_Angeles";

modules/universal/secrets.nix

@@ -32,7 +32,7 @@
   # This will add secrets.yml to the nix store
   # You can avoid this by adding a string to the full path instead, i.e.
   # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
-  sops.defaultSopsFile = ./../../secrets/example.yaml;
+  sops.defaultSopsFile = ./../../secrets/universal.yaml;
   # This will automatically import SSH keys as age keys
   sops.age.sshKeyPaths = [
     "/etc/ssh/ssh_host_ed25519_key"
@@ -44,9 +44,9 @@
   # This will generate a new key if the key specified above does not exist
   # sops.age.generateKey = true;
   # This is the actual specification of the secrets.
-  sops.secrets.example_key = {
-    owner = config.users.users.colin.name;
-  };
+  # sops.secrets.example_key = {
+  #   owner = config.users.users.colin.name;
+  # };
   # sops.secrets."myservice/my_subdir/my_secret" = {};
 }
 

modules/universal/vpn.nix

@@ -0,0 +1,29 @@
+{ config, ... }:
+
+{
+  networking.wg-quick.interfaces.ovpnd = {
+    address = [
+      "172.27.237.218/32"
+      "fd00:0000:1337:cafe:1111:1111:ab00:4c8f/128"
+    ];
+    dns = [
+      "46.227.67.134"
+      "192.165.9.158"
+    ];
+    peers = [
+      {
+        allowedIPs = [
+          "0.0.0.0/0"
+          "::/0"
+        ];
+        endpoint = "vpn31.prd.losangeles.ovpn.com:9929";
+        publicKey = "VW6bEWMOlOneta1bf6YFE25N/oMGh1E1UFBCfyggd0k=";
+      }
+    ];
+    privateKeyFile = config.sops.secrets.wg_ovpnd_privkey.path;
+    # to start: `systemctl start wg-quick-ovpnd`
+    autostart = false;
+  };
+
+  sops.secrets."wg_ovpnd_privkey" = {};
+}

secrets/universal.yaml

@@ -1,13 +1,4 @@
-#ENC[AES256_GCM,data:AAbDZxW7S1fPR86UqIUvZZEKp9LPhZFBz6WtBFmRqeYaPKOJpQMr0UqJzF1r9Qy8Mhl9Ruc=,iv:8CkXkab3jkLx1F6yFGwvS8AObP0+zVqthuEZxD6fVFQ=,tag:NTXhSKgr3nLEuqVUU2qPeg==,type:comment]
-example_key: ENC[AES256_GCM,data:gag/QcjPTiwcnOTs6w==,iv:3WbDtKwoZdZl0M87pWFxGCEsdbEDoCpnN9nJ0s+4uFg=,tag:UmDD/dTU96QsvSjKVLm8nQ==,type:str]
-#ENC[AES256_GCM,data:qwFF9yIBquSi77GLsqoh5Vg=,iv:hJCpayOTOJndiwmxb32pO4RhH+92C8tFo3CThLBUzg4=,tag:I+fM3LE+8a7sSiNhA9xPIg==,type:comment]
-#ENC[AES256_GCM,data:pOJQW/WI9kB9oBRBZUk=,iv:nbc7gmgwvp2+e81gXJb7oGJFxd0IL3ezEzTRhZvZPks=,tag:Xeeh+LYR8IrVjSQMxCDR/A==,type:comment]
-#ENC[AES256_GCM,data:cFpWD8Ul9rZovu+gXHUK5qY2T74=,iv:wE1ykWPxNegTOBrOZKuXDS/ToTQ7uSQ5Ipk77zBeva4=,tag:HoW8U9HZGSG7qwVr10gBHA==,type:comment]
-#ENC[AES256_GCM,data:lNhCWy1l2tZ5smucunZFszd7dIY=,iv:vHOxwiyubDskeoENEwlzDV3pmxEKU0P+KJmwLijzj/Q=,tag:3iLW04LWFiznc+gKOOCYtw==,type:comment]
-#ENC[AES256_GCM,data:DE55QRx9NQjaPoTFVPDHtmxEvNSJRZTdQIo=,iv:MI67iZuHlwuKg4gkeSCutaNGWaFmF7eymuGkPsZSi94=,tag:YUb+62kKPcKU/WunbwqrzQ==,type:comment]
-#ENC[AES256_GCM,data:XiLZ7+vIX4bpeeEbsP0DpAA=,iv:HsmzKRESXMStssiECODj9bcsahmzxqtzOfodQ3Ze4Fo=,tag:gUBEreck3v9ySvAle9LIyQ==,type:comment]
-#ENC[AES256_GCM,data:exigJhzg3dKrLw==,iv:ZiTyNtYSbJpy7k86oOm5jNp/Aj+u+WVjr4hoDha3Jfw=,tag:e1IrQ7GL9StnLXeSeMN6vQ==,type:comment]
-#ENC[AES256_GCM,data:pwKO2o2lgbAFR9g=,iv:GF0NtijdFrXLPbKN6nMXavvdSV0jCaey3qm+8JxC9bk=,tag:XZ80r545lJEdTZ9XWhBABg==,type:comment]
+wg_ovpnd_privkey: ENC[AES256_GCM,data:qmyCOcD5TA7SKqSDCTZOTahkfYVZMJUGuyselmQbqj1uer3e4cBRSMuIiRI=,iv:jnHvGgVu/8HWT8MkI2wtGqlCs6wTu0C8huHpkdDmBYk=,tag:a0r0f/6LTBUuhvLGu+SFug==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -86,8 +77,8 @@ sops:
             U2oyUUNiVm14bkJEcXlIUFpiaDFTRUEKTrtvjVgsUbRJDV640i84flkBD9RgtEZ2
             mFPEMDOobtEvqEYlUTUsYeHjVQe0gEHXkLd3zFPErVx4FB0dLZpGrg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-06-06T23:21:20Z"
-    mac: ENC[AES256_GCM,data:pU5882gcNu2hmINn/xnDriHX8PvrEqepnf8/B+WGYrkd6yqpsVPCivlhGFmPvPaRt/o0AVMuH7Wbwm3+rmOpR1LFfJUtnFcejWVpVNE6BuxuWTdF90EENUStKg3DWV4uspRlQds856GR7pkDblkmAOgWZ7zD3ILS3sF/fLuFLr0=,iv:TCsuetCjhhJc/0K4UQrCD9+zWEVssI6Yx0AQ/+eDSn0=,tag:ZsKZZB5S9bgLIRJBLO/KgQ==,type:str]
+    lastmodified: "2022-06-10T00:01:27Z"
+    mac: ENC[AES256_GCM,data:Bjzzhxg94zCo9drdD5uAaaTa3a/aQv4R/Bk0HJa/bbL8U9w+IBROha6lZtp8S3l6vdTXWW88xfqGVAvWLHv0zADqa5e48lQf+osJzMYxoL8cMtB71q6Yz/9CTNZ2CxumGO4hnBiEQaCx52OijhSELu2tWFt+e6i20cVqUJSo3yM=,iv:TQW2B/E5TuS9zAQBHyx0yC1ekPjSieUZ1SBzyDQWhic=,tag:f7791BJEtAL1Y6VHgq6WyA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3