authorJasper Ras <jaspert.ras@gmail.com>2025-03-29 12:54:20 +0100
committerJasper Ras <jaspert.ras@gmail.com>2025-03-29 12:54:20 +0100
commit5bf105b94f3c63bc738b788b2b651985eed96c11 (patch)
treec8b98b552fede2854fdc9ebf59f8a030ebd7e3cd /nodes/work/networking.nix
parent5b41ca762c6a44fa7a77e5f5324bcecf8a47f4c7 (diff)
dynamic nodes
Diffstat (limited to 'nodes/work/networking.nix')
-rw-r--r--nodes/work/networking.nix87
1 files changed, 87 insertions, 0 deletions
diff --git a/nodes/work/networking.nix b/nodes/work/networking.nix
new file mode 100644
index 0000000..99ba8d7
--- /dev/null
+++ b/nodes/work/networking.nix
@@ -0,0 +1,87 @@
+{ pkgs, config, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ networkmanager-openvpn
+ ];
+
+ networking.hostName = "work";
+ networking.networkmanager.enable = true;
+ networking.networkmanager.dns = "systemd-resolved";
+ networking.nameservers = [ "1.1.1.1" ];
+
+ services.openvpn.servers = {
+ ghostnet = {
+ config = ''
+ client
+ remote 185.57.9.6 1194
+ cert ${config.age.secrets.ghostnet-cert.path}
+ key ${config.age.secrets.ghostnet-key.path}
+ ca ${config.age.secrets.ghostnet-ca.path}
+ auth-user-pass ${config.age.secrets.ghostnet-auth-user-pass.path}
+ reneg-sec 0
+ cipher AES-256-CBC
+ comp-lzo adaptive
+ dev tun
+ proto udp
+ remote-cert-tls server
+ tls-auth ${config.age.secrets.ghostnet-tls-auth.path} 1
+ nobind
+ auth-nocache
+ script-security 2
+ persist-key
+ persist-tun
+ user nm-openvpn
+ group nm-openvpn
+ '';
+ updateResolvConf = false;
+ autoStart = false;
+ };
+ systems = {
+ config = ''
+ client
+ remote 'vpn-v2.one.com'
+ cert '${config.age.secrets.systems-cert.path}'
+ key '${config.age.secrets.systems-key.path}'
+ ca '${config.age.secrets.systems-ca.path}'
+ cipher AES-128-CBC
+ comp-lzo adaptive
+ dev tun
+ proto udp
+ port 1200
+ remote-cert-tls server
+ tls-auth '${config.age.secrets.systems-tls-auth.path}' 1
+ nobind
+ auth-nocache
+ script-security 2
+ persist-key
+ persist-tun
+ user nm-openvpn
+ group nm-openvpn
+ '';
+ updateResolvConf = false;
+ autoStart = false;
+ };
+ };
+
+ programs.update-systemd-resolved.servers = {
+ ghostnet = {
+ includeAutomatically = true;
+ settings = {
+ routeOnlyDomains = [ "hostnetbv.nl." ];
+ defaultRoute = false;
+ multicastDNS = "no";
+ dnsOverTLS = "opportunistic";
+ dnssec = "no";
+ };
+ };
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = [ "~." ];
+ fallbackDns = [ "1.1.1.1" ];
+ dnsovertls = "opportunistic";
+ llmnr = "true";
+ };
+}
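Review bot: Both OpenVPN profiles enable link compression (`comp-lzo adaptive` in the ghostnet config and again in the systems config), which upstream OpenVPN has discouraged for years because compression of mixed secret and attacker-influenced data leaks plaintext (the VORACLE class of issues); unless the servers require it, drop the line or set `comp-lzo no` on the client side and confirm the server's push settings. The resolved block also turns on LLMNR (`llmnr = "true";`), a multicast name-resolution path that is a well-known spoofing vector on untrusted LANs and is rarely needed on a laptop that already uses a VPN and a public resolver; `llmnr = "false";` is the safer default, and the same applies to `multicastDNS` if it is later enabled. Note as well that `dnsovertls = "opportunistic"` does not authenticate the upstream resolver, so the nameserver entries should be read as unauthenticated unless this is changed to `"true"` with a resolver that supports it. The `cipher AES-256-CBC`/`cipher AES-128-CBC` lines are the legacy directive; newer OpenVPN releases negotiate via `data-ciphers`, so it would help to add a comment recording which OpenVPN version the servers run and why CBC is pinned.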