author | sefidel <contact@sefidel.net> | 2024-02-08 03:03:43 +0900 |
---|---|---|
committer | sefidel <contact@sefidel.net> | 2024-02-08 03:03:43 +0900 |
commit | a68d1ba1c27cbf678db06a7e956d8e9a64be686c (patch) | |
tree | e46e1d20ab092a62c5d62f80c24a26e120e0c81e /nixos/kanata/configuration.nix | |
parent | cfe73a14c141cc953b0b0d711c4c69cdd75c11fc (diff) | |
feat(nixos/kanata): configure protonvpn proxy
Diffstat (limited to 'nixos/kanata/configuration.nix')
-rw-r--r-- | nixos/kanata/configuration.nix | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix index 5d14ba6..d7041fd 100644 --- a/nixos/kanata/configuration.nix +++ b/nixos/kanata/configuration.nix @@ -99,6 +99,7 @@ in sops.secrets.interlink-password = { }; sops.secrets.interlink-ovpn = { }; sops.secrets.interlink-ovpn-creds = { }; + sops.secrets.proton-private-key = { }; # TODO: insecure? sops.secrets.invidious-hmac = { mode = "0444"; }; 
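Review bot: The `# TODO: insecure?` left on the new `sops.secrets.proton-private-key = { };` line records a doubt without naming it, so the next reader has no way to resolve or close it. From the rest of this commit the secret is consumed only through the bind mount into `containers.v-proton-jp43`, and with no `mode`/`owner` given it keeps sops-nix's defaults (root-owned, not world-readable unless overridden), so the question is really whether the container's root being able to read a host-held key is acceptable. I would replace the TODO with a statement of that decision, e.g. `sops.secrets.proton-private-key = { }; # WireGuard key for ProtonVPN; read by root inside containers.v-proton-jp43 via bind mount`. If the concern is something else (key rotation, the key living on non-ephemeral container storage), say so in the comment instead of leaving a question mark.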
@@ -289,6 +290,62 @@ in }; }; + networking.firewall.allowedUDPPorts = [ 51820 ]; + + containers.v-proton-jp43 = { + autoStart = true; + enableTun = true; + # Tailscale authkeys expire after 90 days, which means if a system + # restarts, there's a high chance that the key will be invalid. + # Therefore, we use classic authentication with non-ephemeral storage. + ephemeral = false; + privateNetwork = true; + hostAddress = "172.16.1.3"; + localAddress = "172.16.1.4"; + bindMounts."/run/secrets/proton-private-key".hostPath = config.sops.secrets.proton-private-key.path; + config = { config, pkgs, lib, ... }: { + services.tailscale = { + enable = true; + useRoutingFeatures = "both"; + extraUpFlags = [ + "--advertise-exit-node=true" + ]; + }; + + networking.firewall.allowedUDPPorts = [ 51820 ]; + + networking.wg-quick.interfaces.wg0 = { + autostart = true; + + address = [ "10.2.0.2/32" ]; + listenPort = 51820; + + privateKeyFile = "/run/secrets/proton-private-key"; + + peers = [{ + publicKey = "7FslkahrdLwGbv4QSX5Cft5CtQLmBUlpWC382SSF7Hw="; + # Exclude 100.64.0.0/10 + allowedIPs = [ + "0.0.0.0/0" + # "0.0.0.0/2" + # "64.0.0.0/3" + # "96.0.0.0/6" + # "100.0.0.0/10" + # "100.128.0.0/9" + # "101.0.0.0/8" + # "102.0.0.0/7" + # "104.0.0.0/5" + # "112.0.0.0/4" + # "128.0.0.0/1" + ]; + endpoint = "103.125.235.19:51820"; + }]; + }; + + system.stateVersion = "24.05"; + }; + }; + # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # |
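Review bot: The `# Exclude 100.64.0.0/10` comment above `allowedIPs` describes an exclusion that is not in effect: the only active entry is `"0.0.0.0/0"` and the split-range list beneath it is entirely commented out, so a reader will assume Tailscale's CGNAT range is kept out of the tunnel when the config as written routes everything into wg0. Either drop the comment or state the actual intent, e.g. `# Route everything through ProtonVPN; the 100.64.0.0/10 split below is intentionally disabled`. Separately, `listenPort = 51820;` together with `networking.firewall.allowedUDPPorts = [ 51820 ];` on both the host and inside the container opens an inbound UDP port that a client-initiated tunnel to the fixed `endpoint` does not appear to need, so removing those three lines would keep the same tunnel with a smaller exposed surface, assuming no peer ever needs to initiate toward this node. Nothing in the container stops traffic from exit-node clients when wg0 is down, so presumably it would then egress via the host's own address; if that is accepted, a one-line comment next to `--advertise-exit-node=true` saying so would save the next reader from assuming a kill switch exists.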