Diffstat (limited to 'nixos/kanata/configuration.nix')
-rw-r--r--nixos/kanata/configuration.nix64
1 files changed, 63 insertions, 1 deletions
diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix
index ee0c15a..6bfd7b8 100644
--- a/nixos/kanata/configuration.nix
+++ b/nixos/kanata/configuration.nix
@@ -96,6 +96,9 @@ in
sops.secrets.grafana-admin-pass = { owner = "grafana"; };
sops.secrets.cf-kusanari-kanata-credentials = { owner = "cloudflared"; };
sops.secrets.nitter-account-jsonl = { };
+ sops.secrets.interlink-password = { };
+ sops.secrets.interlink-ovpn = { };
+ sops.secrets.interlink-ovpn-creds = { };
# TODO: insecure?
sops.secrets.invidious-hmac = { mode = "0444"; };
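Review bot: Of the three secrets declared here, only `interlink-password` has a consumer in this commit; the `interlink-ovpn` and `interlink-ovpn-creds` declarations feed bind mounts and an `services.openvpn.servers.interlink-sekai` block that are both commented out in the container definition, yet sops-nix will still decrypt them into `/run/secrets` on every activation. Either defer the two declarations until the OpenVPN path is actually enabled, or mark the intent so the next reader does not treat them as dead, e.g. `# reserved for the (currently disabled) OpenVPN fallback in containers.v-ext-proxy`. The default `{ }` attrset (root-owned, read-only to root in sops-nix) looks right for `interlink-password`, since the container bind-mounts it for a root-run openconnect; the `# TODO: insecure?` line below is pre-existing and not addressed by this change.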
@@ -129,7 +132,10 @@ in
networking.firewall.allowedTCPPorts = [ 80 443 ];
modules = {
- persistence.directories = [ "/var/lib/tailscale" ];
+ persistence.directories = [
+ "/var/lib/tailscale"
+ "/var/lib/nixos-containers"
+ ];
persistence = {
enable = true;
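Review bot: `/var/lib/nixos-containers` is added to the persisted directories without a note on what it holds: it is the complete root filesystem of `containers.v-ext-proxy`, and because that container is declared `ephemeral = false` specifically to keep its Tailscale login state, the persisted tree carries the exit node's long-lived node identity. A one-line comment next to the entry, `# full rootfs of containers.v-ext-proxy, incl. its persistent Tailscale node state`, would make that explicit. `modules.persistence` is project-local, so I cannot see how it bind-mounts this directory — confirm it keeps the tree root-only rather than applying a more permissive default mode, and that the backing store is protected accordingly.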
@@ -227,6 +233,62 @@ in
};
};
+ containers.v-ext-proxy = {
+ autoStart = true;
+ enableTun = true;
+ # Tailscale authkeys expire after 90 days, which means if a system
+ # restarts, there's a high chance that the key will be invalid.
+ # Therefore, we use classic authentication with non-ephemeral storage.
+ ephemeral = false;
+ privateNetwork = true;
+ hostAddress = "172.16.1.1";
+ localAddress = "172.16.1.2";
+ bindMounts."/run/secrets/interlink-password".hostPath = config.sops.secrets.interlink-password.path;
+ # bindMounts."/run/secrets/interlink-ovpn".hostPath = config.sops.secrets.interlink-ovpn.path;
+ # bindMounts."/run/secrets/interlink-ovpn-creds".hostPath = config.sops.secrets.interlink-ovpn-creds.path;
+ config = { config, pkgs, lib, ... }: {
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ extraUpFlags = [
+ "--advertise-exit-node=true"
+ ];
+ };
+
+ networking.openconnect.interfaces.openconnect0 = {
+ autoStart = true;
+
+ gateway = "133.242.23.15"; # JP#11
+ # gateway = "133.242.17.239"; # JP#1
+ protocol = "anyconnect";
+ user = "sk146241";
+ passwordFile = "/run/secrets/interlink-password";
+
+ extraOptions = {
+ servercert = "pin-sha256:42cxGem/A2lRRPLefN3tSlPHFD1mK0BLh7tbUJeXvhE="; # JP#11
+ # servercert = "pin-sha256:OvJIFf7gPPbnR7tdG0Uj10GET5eynt+o5pfKBIEA+ws="; # JP#1
+ };
+ };
+ systemd.services.openconnect-openconnect0 = {
+ serviceConfig = {
+ # XXX: On initial startup, the service would fail with
+ # 'No route to host'.
+ Restart = "on-failure";
+ RestartSec = "5s";
+ };
+ };
+
+ # services.openvpn.servers.interlink-sekai = {
+ # autoStart = true;
+ # config = "config /run/secrets/interlink-ovpn";
+ # up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
+ # down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";
+ # };
+
+ system.stateVersion = "24.05";
+ };
+ };
+
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
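Review bot: The exit node presumably fails open — nothing in `containers.v-ext-proxy.config` ties forwarded tailnet traffic to `openconnect0`, so whenever the VPN is down (the startup 'No route to host' loop the XXX comment describes, a `servercert` pin mismatch after a gateway certificate rotation, or a reconnect) clients using this exit node would egress through the host's 172.16.1.1 veth and NAT instead of the tunnel. A guard inside the container config that drops forwarded traffic not leaving via the tunnel makes this fail closed, e.g. `networking.firewall.extraCommands = "iptables -A FORWARD -i tailscale0 ! -o openconnect0 -j DROP";` (`tailscale0` is the `services.tailscale` default interface name; adapt if this tree uses the nftables backend). Separately, `Restart = "on-failure"` with `RestartSec = "5s"` retries a rejected password or a pin mismatch indefinitely at the same cadence as the transient route failure it was added for; a `unitConfig` with `StartLimitIntervalSec`/`StartLimitBurst`, or a longer `RestartSec`, keeps the transient case working without hammering the gateway. The commented-out `bindMounts` lines and the `services.openvpn.servers.interlink-sekai` stanza should either carry a comment saying why they are kept or be dropped, and note that the bind-mounted `interlink-password` is captured at container start, so a rotated secret is only picked up after the container restarts — worth a comment on the `bindMounts` line.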