authorsefidel <contact@sefidel.net>2024-02-08 03:03:43 +0900
committersefidel <contact@sefidel.net>2024-02-08 03:03:43 +0900
commita68d1ba1c27cbf678db06a7e956d8e9a64be686c (patch)
treee46e1d20ab092a62c5d62f80c24a26e120e0c81e /nixos/kanata/configuration.nix
parentcfe73a14c141cc953b0b0d711c4c69cdd75c11fc (diff)
downloadnixrc-a68d1ba1c27cbf678db06a7e956d8e9a64be686c.zip
feat(nixos/kanata): configure protonvpn proxy
Diffstat (limited to 'nixos/kanata/configuration.nix')
-rw-r--r--nixos/kanata/configuration.nix57
1 files changed, 57 insertions, 0 deletions
diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix
index 5d14ba6..d7041fd 100644
--- a/nixos/kanata/configuration.nix
+++ b/nixos/kanata/configuration.nix
@@ -99,6 +99,7 @@ in
sops.secrets.interlink-password = { };
sops.secrets.interlink-ovpn = { };
sops.secrets.interlink-ovpn-creds = { };
+ sops.secrets.proton-private-key = { };
# TODO: insecure?
sops.secrets.invidious-hmac = { mode = "0444"; };
@@ -289,6 +290,62 @@ in
};
};
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+
+ containers.v-proton-jp43 = {
+ autoStart = true;
+ enableTun = true;
+ # Tailscale authkeys expire after 90 days, which means if a system
+ # restarts, there's a high chance that the key will be invalid.
+ # Therefore, we use classic authentication with non-ephemeral storage.
+ ephemeral = false;
+ privateNetwork = true;
+ hostAddress = "172.16.1.3";
+ localAddress = "172.16.1.4";
+ bindMounts."/run/secrets/proton-private-key".hostPath = config.sops.secrets.proton-private-key.path;
+ config = { config, pkgs, lib, ... }: {
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ extraUpFlags = [
+ "--advertise-exit-node=true"
+ ];
+ };
+
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+
+ networking.wg-quick.interfaces.wg0 = {
+ autostart = true;
+
+ address = [ "10.2.0.2/32" ];
+ listenPort = 51820;
+
+ privateKeyFile = "/run/secrets/proton-private-key";
+
+ peers = [{
+ publicKey = "7FslkahrdLwGbv4QSX5Cft5CtQLmBUlpWC382SSF7Hw=";
+ # Exclude 100.64.0.0/10
+ allowedIPs = [
+ "0.0.0.0/0"
+ # "0.0.0.0/2"
+ # "64.0.0.0/3"
+ # "96.0.0.0/6"
+ # "100.0.0.0/10"
+ # "100.128.0.0/9"
+ # "101.0.0.0/8"
+ # "102.0.0.0/7"
+ # "104.0.0.0/5"
+ # "112.0.0.0/4"
+ # "128.0.0.0/1"
+ ];
+ endpoint = "103.125.235.19:51820";
+ }];
+ };
+
+ system.stateVersion = "24.05";
+ };
+ };
+
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
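Review bot: The exit-node container has no fail-closed rule, so while wg0 is down or restarting, traffic that Tailscale forwards into it (`useRoutingFeatures = "both"` plus `--advertise-exit-node=true` at L47-L49) would presumably leave via the container's default route through the host side (172.16.1.3) unencrypted instead of being dropped; the kill-switch pattern documented for wg-quick (a `postUp` rule rejecting egress that is not on wg0 and does not carry the interface's fwmark, reverted in `preDown`), or an egress rule permitting only the endpoint 103.125.235.19:51820, would make the container fail closed. The comment `# Exclude 100.64.0.0/10` at L65 contradicts the active `allowedIPs = [ "0.0.0.0/0" ]`: every split range that would actually exclude the CGNAT block is commented out, so either the comment should say the exclusion is not applied (Tailscale's own policy-routing rules may still take precedence, but the config should state what it relies on) or the ranges should be restored. Opening UDP 51820 on the host (L31) and inside the container (L53) does not look necessary for a client-side tunnel, since handshake replies presumably arrive through the firewall's established/related handling and there is no WireGuard listener on the host at all, so L31 in particular adds an open port with nothing behind it. The `containers.v-proton-jp43` attribute set closes at L85, but the enclosing module and the hunk's trailing context continue past the lines shown.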