add ukraine VPN

2022-07-09 00:48:09 -07:00 · 2022-07-09 00:48:09 -07:00 · f790147fb0
commit f790147fb0
parent dca68a019b
4 changed files with 56 additions and 4 deletions
--- a/modules/universal/vpn.nix
+++ b/modules/universal/vpn.nix
@ -25,7 +25,34 @@
    autostart = false;
  };

+  networking.wg-quick.interfaces.ovpnd-ukr = {
+    address = [
+      "172.18.180.159/32"
+      "fd00:0000:1337:cafe:1111:1111:ec5c:add3/128"
+    ];
+    dns = [
+      "46.227.67.134"
+      "192.165.9.158"
+    ];
+    peers = [
+      {
+        allowedIPs = [
+          "0.0.0.0/0"
+          "::/0"
+        ];
+        endpoint = "vpn96.prd.kyiv.ovpn.com:9929";
+        publicKey = "CjZcXDxaaKpW8b5As1EcNbI6+42A6BjWahwXDCwfVFg=";
+      }
+    ];
+    privateKeyFile = config.sops.secrets.wg_ovpnd_ukr_privkey.path;
+    # to start: `systemctl start wg-quick-ovpnd-ukr`
+    autostart = false;
+  };
+
  sops.secrets."wg_ovpnd_privkey" = {
    sopsFile = ../../secrets/universal.yaml;
  };
+  sops.secrets."wg_ovpnd_ukr_privkey" = {
+    sopsFile = ../../secrets/universal.yaml;
+  };
 }
--- a/pkgs/sane-scripts/src/bin/sane-vpn-down
+++ b/pkgs/sane-scripts/src/bin/sane-vpn-down
@ -1,4 +1,16 @@
 #!/usr/bin/env bash
+
+# first arg should be the region, e.g. `us` or `ukr`
+
+case $1 in
+ukr)
+  iface=wg-quick-ovpnd-ukr;;
+us)
+  iface=wg-quick-ovpnd;;
+*)
+  echo "invalid vpn name '$1'"; exit 1;;
+esac
+
 echo vpn: $(curl https://ipinfo.io/ip)
-sudo systemctl stop wg-quick-ovpnd
+sudo systemctl stop $iface
 echo plain:   $(curl https://ipinfo.io/ip)
--- a/pkgs/sane-scripts/src/bin/sane-vpn-up
+++ b/pkgs/sane-scripts/src/bin/sane-vpn-up
@ -1,4 +1,16 @@
 #!/usr/bin/env bash
+
+# first arg should be the region, e.g. `us` or `ukr`
+
+case $1 in
+ukr)
+  iface=wg-quick-ovpnd-ukr;;
+us)
+  iface=wg-quick-ovpnd;;
+*)
+  echo "invalid vpn name '$1'"; exit 1;;
+esac
+
 echo plain: $(curl https://ipinfo.io/ip)
-sudo systemctl start wg-quick-ovpnd
+sudo systemctl start $iface
 echo vpn:   $(curl https://ipinfo.io/ip)
--- a/secrets/universal.yaml
+++ b/secrets/universal.yaml
@ -1,4 +1,5 @@
 wg_ovpnd_privkey: ENC[AES256_GCM,data:qmyCOcD5TA7SKqSDCTZOTahkfYVZMJUGuyselmQbqj1uer3e4cBRSMuIiRI=,iv:jnHvGgVu/8HWT8MkI2wtGqlCs6wTu0C8huHpkdDmBYk=,tag:a0r0f/6LTBUuhvLGu+SFug==,type:str]
+wg_ovpnd_ukr_privkey: ENC[AES256_GCM,data:5zfhsZnBk0Kb9Nb/3igsV/fN0ZDjwTAGTKyMLMly/l7MlJe6MEmd5Lv+JT8=,iv:Mov9eUP8WfvzfZ6NljgLolJ49GSqR7eSV+k0dgE1+1I=,tag:O9UtGX2qt+qEvabcsA0vIA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -77,8 +78,8 @@ sops:
            T1ZLaWRwWFJkNE82NC80QTdjZ1l1Zm8K7QhAMCO/65Z0N4coN+sc7WYNVI+BvV01
            q5DXWTtePrPRQ8ZCqT7gWdSQc8iS410HEZ2Nya5IA+ktGxMO9h1EXA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-06-21T09:01:02Z"
-    mac: ENC[AES256_GCM,data:G6crbY/fKKHjiCI7m+uOIRHrW2CJFM6DPD598h/vqRwYI0laIkasr7vUMuV72RyqAW52F90kIYyLY5qhu4uTOBqHK5aJHAxNo55knHrpXYQemMMt5UGC3AwgswLWkqze43EhIj7NrA6LTFF4MX+rD3yhFC+IAQOgZ1HiIk9h0sY=,iv:kDDHyNlaCCq9AVSr5qaF1OYZxNAGgxSGL5bxYL3Q79w=,tag:5FNaXMHjTyjyPScOXgep6Q==,type:str]
+    lastmodified: "2022-07-09T07:40:05Z"
+    mac: ENC[AES256_GCM,data:U7kbbCm6I+S86En04h+jKFhqm+++iFHluA0ceChTEJEFaWX4FqMQHAthHl4Bce+AMjhdu5IjTajnAHp2RDvGRMoyissAH0+SwWR5lEKVhHZFl2jQga1T8rmScfCnP5nK8lRUiSBtbEZWPE+Pct63mR7rEUVFLtKIIoqOYfpB6XI=,iv:sa3eUtOnjs49y2EL/ndP/1f9iyOB4wTAc97TZ8zhBXQ=,tag:n91xs8Carw6OO/rk3dO+Fw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3