From 3aa8d0b418d0f571f5d761e7c28ecef863d84410 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sun, 5 Jul 2026 01:31:15 +0900
Subject: [PATCH] lupine5/openvpn: init

---
 hosts/lupine/configuration.nix | 2 +
 hosts/lupine/services/openvpn.nix | 87 +++++++++++++++++++++++++++++++
 values.nix | 4 ++
 3 files changed, 93 insertions(+)
 create mode 100644 hosts/lupine/services/openvpn.nix

diff --git a/hosts/lupine/configuration.nix b/hosts/lupine/configuration.nix
index b5115dd..5604598 100644
--- a/hosts/lupine/configuration.nix
+++ b/hosts/lupine/configuration.nix
@@ -5,6 +5,8 @@
 (fp /base)
 ./services/gitea-runner.nix
+ ] ++ lib.optionals (lupineName == "lupine-5") [
+ ./services/openvpn.nix
 ];
 
 sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
diff --git a/hosts/lupine/services/openvpn.nix b/hosts/lupine/services/openvpn.nix
new file mode 100644
index 0000000..ecdd3ed
--- /dev/null
+++ b/hosts/lupine/services/openvpn.nix
@@ -0,0 +1,87 @@
+{ pkgs, lib, values, ... }:
+let
+ renderConfig = attrs: lib.pipe attrs [
+ (lib.filterAttrs (_: value: !(builtins.isNull value || value == false)))
+ (builtins.mapAttrs (_: value:
+ if builtins.isList value then builtins.concatStringsSep " " (map toString value)
+ else if value == true then value
+ else if builtins.any (f: f value) [
+ builtins.isString
+ builtins.isInt
+ builtins.isFloat
+ lib.isPath
+ lib.isDerivation
+ ] then toString value
+ else throw "Unknown value in lupine openvpn config:\n${value}"
+ ))
+ (lib.mapAttrsToList (name: value: if value == true then name else "${name} ${value}"))
+ (builtins.concatStringsSep "\n")
+ (x: x + "\n\n")
+ ];
+in
+{
+ services.openvpn.servers."ov-tunnel" = {
+ config = renderConfig {
+ # TODO: use aliases
+ local = values.services.knutsen-vpn;
+ port = 1194;
+ proto = "udp";
+
+ dev = "tap0";
+ dev-type = "tap";
+
+ script-security = 0;
+
+ # TODO: set up
+ # ca = "";
+ # cert = "";
+ # key = "";
+ # dh = "";
+
+ # Maintain a record of client <-> virtual IP address
+ # associations in this file. If OpenVPN goes down or
+ # is restarted, reconnecting clients can be assigned
+ # the same virtual IP address from the pool that was
+ # previously assigned.
+
+ # ifconfig-pool-persist = ./ipp.txt;
+
+ server-bridge = builtins.concatStringsSep " " [
+ # Gateway
+ "129.241.210.129"
+ # Netmask
+ "255.255.255.128"
+ # Pool start
+ values.services.knutsen-tap
+ # Pool end
+ values.services.ludvigsen-tap
+ ];
+
+ keepalive = "10 120";
+ data-ciphers = "none";
+
+ user = "nobody";
+ group = "nobody";
+
+ status = "/var/log/openvpn-status.log";
+
+ client-config-dir = pkgs.writeTextDir "ludvigsen" ''
+ # Sett IP-adr. for tap0 til ludvigsens PVV-addresse.
+ ifconfig-push ${values.services.ludvigsen-vpn} 255.255.255.128
+
+ # Hvordan skal man faa dette til aa funke, tro?
+ # ifconfig-ipv6-push 2001:700:300:1900::xxx/64
+
+ # La ludvigsen bruke std. PVV-gateway til all trafikk (unntatt VPN-tunnellen).
+ push "redirect-gateway"
+ '';
+
+ persist-key = true;
+ persist-tun = true;
+
+ verb = 5;
+
+ explicit-exit-notify = 1;
+ };
+ };
+}
diff --git a/values.nix b/values.nix
index 1566917..30c961c 100644
--- a/values.nix
+++ b/values.nix
@@ -26,6 +26,10 @@ in rec {
 ipv4 = pvv-ipv4 213;
 ipv6 = pvv-ipv6 213;
 };
+
+ knutsen-vpn = pvv-ipv4 191;
+ knutsen-tap = pvv-ipv4 253;
+ ludvigsen-tap = pvv-ipv4 254;
 };
 
 hosts = {
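Review bot: `data-ciphers = "none";` in the `renderConfig` attrset disables data-channel encryption, so the tunnel carries traffic in cleartext over UDP, and the `ludvigsen` ccd file in the same hunk also pushes `redirect-gateway`, which routes all of that client's traffic through it; unless cleartext is intentional (in which case say so in a comment next to the line), use real ciphers, e.g. `data-ciphers = "AES-256-GCM:CHACHA20-POLY1305";`. The `ca`/`cert`/`key`/`dh` lines are still commented out as TODO, so with `server-bridge` (which implies tls-server mode) OpenVPN will presumably refuse to start until they are provided, and a `tls-crypt` key would be worth adding at the same time. `group = "nobody"` also looks suspect on NixOS, where the `nobody` user's primary group is `nogroup` by default, so the privilege drop would fail at startup — `group = "nogroup";` is likely the intended value. The bridge gateway `129.241.210.129` and the `/25` netmask are hard-coded here while the pool endpoints come from `values.nix`; consider moving them next to the new `knutsen-*`/`ludvigsen-*` entries.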