Diffstat (limited to 'nixos/kanata/configuration.nix')
-rw-r--r--nixos/kanata/configuration.nix64
1 files changed, 63 insertions, 1 deletions
diff --git a/nixos/kanata/configuration.nix b/nixos/kanata/configuration.nix
index ee0c15a..6bfd7b8 100644
--- a/nixos/kanata/configuration.nix
+++ b/nixos/kanata/configuration.nix
@@ -96,6 +96,9 @@ in
   sops.secrets.grafana-admin-pass = { owner = "grafana"; };
   sops.secrets.cf-kusanari-kanata-credentials = { owner = "cloudflared"; };
   sops.secrets.nitter-account-jsonl = { };
+  sops.secrets.interlink-password = { };
+  sops.secrets.interlink-ovpn = { };
+  sops.secrets.interlink-ovpn-creds = { };
   # TODO: insecure?
   sops.secrets.invidious-hmac = { mode = "0444"; };
 
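Review bot: `interlink-ovpn` and `interlink-ovpn-creds` are declared here but their only consumers (the OpenVPN bind mounts and `services.openvpn.servers.interlink-sekai` in this same diff) are commented out, so sops will decrypt both into `/run/secrets` on every activation with nothing reading them. Either drop the two declarations until the OpenVPN path is actually enabled, or comment them out alongside their consumers so the host only materializes secrets that are in use. The default mode (0400, root-owned) is fine for `interlink-password`, which is bind-mounted read-only into the container and read by a root service there.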
@@ -129,7 +132,10 @@ in
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   modules = {
-    persistence.directories = [ "/var/lib/tailscale" ];
+    persistence.directories = [
+      "/var/lib/tailscale"
+      "/var/lib/nixos-containers"
+    ];
 
     persistence = {
       enable = true;
@@ -227,6 +233,62 @@ in
     };
   };
 
+  containers.v-ext-proxy = {
+    autoStart = true;
+    enableTun = true;
+    # Tailscale authkeys expire after 90 days, which means if a system
+    # restarts, there's a high chance that the key will be invalid.
+    # Therefore, we use classic authentication with non-ephemeral storage.
+    ephemeral = false;
+    privateNetwork = true;
+    hostAddress = "172.16.1.1";
+    localAddress = "172.16.1.2";
+    bindMounts."/run/secrets/interlink-password".hostPath = config.sops.secrets.interlink-password.path;
+    # bindMounts."/run/secrets/interlink-ovpn".hostPath = config.sops.secrets.interlink-ovpn.path;
+    # bindMounts."/run/secrets/interlink-ovpn-creds".hostPath = config.sops.secrets.interlink-ovpn-creds.path;
+    config = { config, pkgs, lib, ... }: {
+      services.tailscale = {
+        enable = true;
+        useRoutingFeatures = "both";
+        extraUpFlags = [
+          "--advertise-exit-node=true"
+        ];
+      };
+
+      networking.openconnect.interfaces.openconnect0 = {
+        autoStart = true;
+
+        gateway = "133.242.23.15"; # JP#11
+        # gateway = "133.242.17.239"; # JP#1
+        protocol = "anyconnect";
+        user = "sk146241";
+        passwordFile = "/run/secrets/interlink-password";
+
+        extraOptions = {
+          servercert = "pin-sha256:42cxGem/A2lRRPLefN3tSlPHFD1mK0BLh7tbUJeXvhE="; # JP#11
+          # servercert = "pin-sha256:OvJIFf7gPPbnR7tdG0Uj10GET5eynt+o5pfKBIEA+ws="; # JP#1
+        };
+      };
+      systemd.services.openconnect-openconnect0  = {
+        serviceConfig = {
+          # XXX: On initial startup, the service would fail with
+          # 'No route to host'.
+          Restart = "on-failure";
+          RestartSec = "5s";
+        };
+      };
+
+      # services.openvpn.servers.interlink-sekai = {
+      #   autoStart = true;
+      #   config = "config /run/secrets/interlink-ovpn";
+      #   up = "echo nameserver $nameserver |  ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
+      #   down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";
+      # };
+
+      system.stateVersion = "24.05";
+    };
+  };
+
   # This option defines the first version of NixOS you have installed on this particular machine,
   # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
   #
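Review bot: Nothing in `containers.v-ext-proxy` fails closed when `openconnect0` is down: the container advertises itself as an exit node with `useRoutingFeatures = "both"` (forwarding on), so tailnet traffic routed through it appears to egress via the host's 172.16.1.1 uplink whenever the VPN tunnel is absent — which the `Restart = "on-failure"` / "No route to host" comment says is the normal state right after boot. Unless the container's firewall already filters FORWARD (not visible here), I would add a kill switch inside the container config, e.g. `networking.firewall.extraCommands = "iptables -A FORWARD -i tailscale0 ! -o openconnect0 -j DROP";` (interface name assumed to follow the `openconnect.interfaces` attribute name — confirm), so exit-node traffic is dropped rather than leaked while the tunnel is reconnecting. The `servercert` pin on the gateway is a good addition; a short comment noting how the pin was obtained and that it must be refreshed when the gateway's certificate rotates (`# pin from: openconnect --servercert=... ; rotates with the gateway cert`) would save the next maintainer a lockout. Consider also removing the commented-out OpenVPN block and bind mounts rather than shipping dead config.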