45 lines
1.3 KiB
Nix
45 lines
1.3 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
{
|
|
|
|
imports = [
|
|
../../profiles/sops.nix
|
|
];
|
|
|
|
sops.secrets."openvpn/galadriel/ca" = {};
|
|
sops.secrets."openvpn/galadriel/cert" = {};
|
|
sops.secrets."openvpn/galadriel/userkey" = {};
|
|
sops.secrets."openvpn/galadriel/tlscrypt" = {};
|
|
|
|
services.openvpn.servers = {
|
|
client = {
|
|
config = ''
|
|
client
|
|
dev tun
|
|
remote 134.19.179.141 443
|
|
resolv-retry infinite
|
|
nobind
|
|
persist-key
|
|
persist-tun
|
|
auth-nocache
|
|
verb 3
|
|
explicit-exit-notify 5
|
|
push-peer-info
|
|
setenv UV_IPV6 yes
|
|
ca "${config.sops.secrets."openvpn/galadriel/ca".path}"
|
|
cert "${config.sops.secrets."openvpn/galadriel/cert".path}"
|
|
key "${config.sops.secrets."openvpn/galadriel/userkey".path}"
|
|
remote-cert-tls server
|
|
comp-lzo no
|
|
data-ciphers AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
|
|
data-ciphers-fallback AES-256-CBC
|
|
proto udp
|
|
tls-crypt "${config.sops.secrets."openvpn/galadriel/tlscrypt".path}"
|
|
auth SHA512
|
|
'';
|
|
up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
|
|
down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";
|
|
};
|
|
};
|
|
|
|
}
|