diff options
| -rw-r--r-- | flake.nix | 10 | ||||
| -rw-r--r-- | hosts/work.nix | 61 | ||||
| -rw-r--r-- | secrets/ghostnet-auth-user-pass.age | bin | 0 -> 251 bytes | |||
| -rw-r--r-- | secrets/ghostnet-ca.age | bin | 0 -> 2645 bytes | |||
| -rw-r--r-- | secrets/ghostnet-cert.age | bin | 0 -> 6886 bytes | |||
| -rw-r--r-- | secrets/ghostnet-key.age | bin | 0 -> 3506 bytes | |||
| -rw-r--r-- | secrets/ghostnet-tls-auth.age | bin | 0 -> 870 bytes | |||
| -rw-r--r-- | secrets/secrets.nix | bin | 0 -> 640 bytes | |||
| -rw-r--r-- | secrets/systems-auth-user-pass.age | bin | 0 -> 268 bytes | |||
| -rw-r--r-- | secrets/systems-ca.age | bin | 0 -> 1028 bytes | |||
| -rw-r--r-- | secrets/systems-cert.age | bin | 0 -> 1263 bytes | |||
| -rw-r--r-- | secrets/systems-key.age | bin | 0 -> 2088 bytes | |||
| -rw-r--r-- | secrets/systems-tls-auth.age | bin | 0 -> 870 bytes |
13 files changed, 68 insertions, 3 deletions
@@ -26,6 +26,16 @@ environment.systemPackages = [ agenix.packages."x86_64-linux".default ]; + age.secrets.ghostnet-cert.file = ./secrets/ghostnet-cert.age; + age.secrets.ghostnet-key.file = ./secrets/ghostnet-key.age; + age.secrets.ghostnet-ca.file = ./secrets/ghostnet-ca.age; + age.secrets.ghostnet-tls-auth.file = ./secrets/ghostnet-tls-auth.age; + age.secrets.ghostnet-auth-user-pass.file = ./secrets/ghostnet-auth-user-pass.age; + + age.secrets.systems-cert.file = ./secrets/systems-cert.age; + age.secrets.systems-key.file = ./secrets/systems-key.age; + age.secrets.systems-ca.file = ./secrets/systems-ca.age; + age.secrets.systems-tls-auth.file = ./secrets/systems-tls-auth.age; } ./config/shared.nix ]; diff --git a/hosts/work.nix b/hosts/work.nix index a094dab..d0b97cc 100644 --- a/hosts/work.nix +++ b/hosts/work.nix @@ -30,9 +30,64 @@ LC_TIME = "nl_NL.UTF-8"; }; - services.xserver.xkb = { - layout = "us"; - variant = ""; + services = { + openssh.enable = true; + openvpn.servers = { + ghostnet = { + config = '' + client + remote 185.57.9.6 1194 + cert ${config.age.secrets.ghostnet-cert.path} + key ${config.age.secrets.ghostnet-key.path} + ca ${config.age.secrets.ghostnet-ca.path} + auth-user-pass ${config.age.secrets.ghostnet-auth-user-pass.path} + reneg-sec 0 + cipher AES-256-CBC + comp-lzo adaptive + dev tun + proto udp + remote-cert-tls server + tls-auth ${config.age.secrets.ghostnet-tls-auth.path} 1 + nobind + auth-nocache + script-security 2 + persist-key + persist-tun + user nm-openvpn + group nm-openvpn + ''; + updateResolvConf = false; + }; + systems = { + config = '' + client + remote 'vpn-v2.one.com' + cert '${config.age.secrets.systems-cert.path}' + key '${config.age.secrets.systems-key.path}' + ca '${config.age.secrets.systems-ca.path}' + cipher AES-128-CBC + comp-lzo adaptive + dev tun + proto udp + port 1200 + remote-cert-tls server + tls-auth '${config.age.secrets.systems-tls-auth.path}' 1 + nobind + auth-nocache + script-security 2 + persist-key + persist-tun + user nm-openvpn + group nm-openvpn + ''; + updateResolvConf = false; + }; + }; + + xserver.xkb = { + layout = "us"; + variant = ""; + }; }; users.users.jras = { diff --git a/secrets/ghostnet-auth-user-pass.age b/secrets/ghostnet-auth-user-pass.age Binary files differnew file mode 100644 index 0000000..6f4ec07 --- /dev/null +++ b/secrets/ghostnet-auth-user-pass.age diff --git a/secrets/ghostnet-ca.age b/secrets/ghostnet-ca.age Binary files differnew file mode 100644 index 0000000..d1acce4 --- /dev/null +++ b/secrets/ghostnet-ca.age diff --git a/secrets/ghostnet-cert.age b/secrets/ghostnet-cert.age Binary files differnew file mode 100644 index 0000000..925b00b --- /dev/null +++ b/secrets/ghostnet-cert.age diff --git a/secrets/ghostnet-key.age b/secrets/ghostnet-key.age Binary files differnew file mode 100644 index 0000000..8ce067b --- /dev/null +++ b/secrets/ghostnet-key.age diff --git a/secrets/ghostnet-tls-auth.age b/secrets/ghostnet-tls-auth.age Binary files differnew file mode 100644 index 0000000..b09cd08 --- /dev/null +++ b/secrets/ghostnet-tls-auth.age diff --git a/secrets/secrets.nix b/secrets/secrets.nix Binary files differnew file mode 100644 index 0000000..e35076e --- /dev/null +++ b/secrets/secrets.nix diff --git a/secrets/systems-auth-user-pass.age b/secrets/systems-auth-user-pass.age Binary files differnew file mode 100644 index 0000000..15c21cb --- /dev/null +++ b/secrets/systems-auth-user-pass.age diff --git a/secrets/systems-ca.age b/secrets/systems-ca.age Binary files differnew file mode 100644 index 0000000..adfd220 --- /dev/null +++ b/secrets/systems-ca.age diff --git a/secrets/systems-cert.age b/secrets/systems-cert.age Binary files differnew file mode 100644 index 0000000..db890f4 --- /dev/null +++ b/secrets/systems-cert.age diff --git a/secrets/systems-key.age b/secrets/systems-key.age Binary files differnew file mode 100644 index 0000000..5c4ee61 --- /dev/null +++ b/secrets/systems-key.age diff --git a/secrets/systems-tls-auth.age b/secrets/systems-tls-auth.age Binary files differnew file mode 100644 index 0000000..e270fef --- /dev/null +++ b/secrets/systems-tls-auth.age |