{ pkgs, config, ... }:
let
  # Shared by both OpenVPN profiles: they are started by hand (no autoStart)
  # and must never write /etc/resolv.conf -- resolver state belongs to
  # systemd-resolved, configured further down.
  manualProfile = {
    updateResolvConf = false;
    autoStart = false;
  };
in
{
  # The NetworkManager OpenVPN plugin is only installed as a package here; this
  # file does not add it to networking.networkmanager.plugins, so whether NM
  # itself can drive VPN profiles depends on that option's defaults (verify
  # before relying on it). The profiles below run under services.openvpn.
  environment.systemPackages = [ pkgs.networkmanager-openvpn ];

  networking = {
    hostName = "work";
    networkmanager = {
      enable = true;
      # Delegate DNS handling to systemd-resolved (services.resolved below).
      dns = "systemd-resolved";
    };
    # Global upstream resolver. With resolved's `Domains=~.` every name that is
    # not claimed by a VPN link's routing domain is sent here.
    nameservers = [ "1.1.1.1" ];
  };

  services = {
    openvpn.servers = {
      # Split-horizon work VPN: only hostnetbv.nl. is resolved through this
      # tunnel (see programs.update-systemd-resolved.servers.ghostnet).
      #
      # Security notes on the profile text:
      # - The server is addressed by IP literal, so the connection does not
      #   depend on DNS; identity is still checked against the pinned CA and
      #   `remote-cert-tls server` (peer cert must carry the server key
      #   usage/EKU, which stops another client cert being used for a MITM).
      # - `reneg-sec 0` disables client-initiated renegotiation; the data
      #   channel key then lives as long as the server's own reneg-sec allows,
      #   so forward secrecy within a long session rests entirely on the server.
      # - `cipher AES-256-CBC` pins a non-AEAD cipher and `comp-lzo adaptive`
      #   enables compression. Both are deprecated in current OpenVPN releases
      #   (compression exposes tunnel contents to compression-oracle attacks).
      #   Prefer `data-ciphers AES-256-GCM` and no compression once the server
      #   side accepts them.
      # - `tls-auth ... 1` HMAC-signs control-channel packets but does not
      #   encrypt them; `tls-crypt` would, if the server is reconfigured.
      # - `auth-user-pass` reads credentials from an agenix-managed file and
      #   `auth-nocache` keeps them out of process memory after use; the file
      #   itself still sits on disk, so its permissions are the real control.
      # - `script-security 2` is required for the update-systemd-resolved
      #   hooks that `includeAutomatically = true` injects into this profile.
      # - `user`/`group nm-openvpn` drop root once the tunnel is up;
      #   `persist-key`/`persist-tun` let restarts and renegotiation proceed
      #   without the dropped privileges. The nm-openvpn account is expected
      #   to come from the NetworkManager module -- TODO confirm on this host.
      ghostnet = manualProfile // {
        config = ''
          client
          remote 185.57.9.6 1194
          cert ${config.age.secrets.ghostnet-cert.path}
          key ${config.age.secrets.ghostnet-key.path}
          ca ${config.age.secrets.ghostnet-ca.path}
          auth-user-pass ${config.age.secrets.ghostnet-auth-user-pass.path}
          reneg-sec 0
          cipher AES-256-CBC
          comp-lzo adaptive
          dev tun
          proto udp
          remote-cert-tls server
          tls-auth ${config.age.secrets.ghostnet-tls-auth.path} 1
          nobind
          auth-nocache
          script-security 2
          persist-key
          persist-tun
          user nm-openvpn
          group nm-openvpn
        '';
      };

      # Second work VPN, certificate-only (no auth-user-pass). It has no
      # programs.update-systemd-resolved entry and updateResolvConf is false,
      # so as far as this file shows any DNS the server pushes is ignored and
      # resolution keeps going through the global 1.1.1.1.
      #
      # Same caveats as ghostnet apply: `cipher AES-128-CBC` is non-AEAD,
      # `comp-lzo adaptive` enables compression, `tls-auth` signs but does not
      # encrypt the control channel. `script-security 2` is not needed by
      # anything visible in this file for this profile and could be lowered
      # unless the server pushes scripts that are relied on -- verify first.
      systems = manualProfile // {
        config = ''
          client
          remote 'vpn-v2.one.com'
          cert '${config.age.secrets.systems-cert.path}'
          key '${config.age.secrets.systems-key.path}'
          ca '${config.age.secrets.systems-ca.path}'
          cipher AES-128-CBC
          comp-lzo adaptive
          dev tun
          proto udp
          port 1200
          remote-cert-tls server
          tls-auth '${config.age.secrets.systems-tls-auth.path}' 1
          nobind
          auth-nocache
          script-security 2
          persist-key
          persist-tun
          user nm-openvpn
          group nm-openvpn
        '';
      };
    };

    # Host-wide resolver policy.
    resolved = {
      enable = true;
      # Strict DNSSEC for global lookups: answers that fail validation are
      # refused rather than handed to applications. The ghostnet link overrides
      # this to "no" for its routing domain (see below).
      dnssec = "true";
      # `~.` makes the global servers the catch-all; VPN links only win for
      # the routing domains they declare.
      domains = [ "~." ];
      # Identical to the primary; only consulted when no link or global server
      # is configured.
      fallbackDns = [ "1.1.1.1" ];
      # Opportunistic DoT tries TLS and silently falls back to plaintext on
      # failure, so an on-path attacker can force the downgrade. "true" makes
      # it strict; 1.1.1.1 serves DoT, so consider tightening this.
      dnsovertls = "opportunistic";
      # LLMNR is unauthenticated multicast name resolution: any host on the
      # local segment can answer for any name. Set to "false" unless local
      # single-label names are actually needed.
      llmnr = "true";
    };
  };

  # Per-link resolved settings applied by the update-systemd-resolved hooks
  # when the ghostnet tunnel comes up.
  programs.update-systemd-resolved.servers = {
    ghostnet = {
      # Injects the up/down hooks into the ghostnet OpenVPN config above.
      includeAutomatically = true;
      settings = {
        # Only this zone is sent to the DNS server pushed by the VPN, and the
        # link never becomes the default route for other names (defaultRoute
        # = false), so general browsing does not leak through the work resolver.
        routeOnlyDomains = [ "hostnetbv.nl." ];
        defaultRoute = false;
        multicastDNS = "no";
        dnsOverTLS = "opportunistic";
        # Overrides the global strict DNSSEC for this link -- presumably because
        # the internal zone is unsigned; confirm, since this also disables
        # validation for anything else answered on this link.
        dnssec = "no";
      };
    };
  };
}