setup everii vpn

2026-05-29 17:55:19 +03:00
parent 5d8d0555d9
commit 0e4657fa3a
6 changed files with 77 additions and 0 deletions
--- a/hosts/radish/hardware.nix
+++ b/hosts/radish/hardware.nix
@@ -69,9 +69,15 @@
    enable = true;
    extraPackages = with pkgs; [ rocmPackages.clr.icd ];
  };
+  services.resolved = {
+    enable = true;
+    dnsovertls = "opportunistic";
+    dnssec = "allow-downgrade";
+  };
  networking.networkmanager = {
    enable = true;
    wifi.backend = "iwd";
+    dns = "systemd-resolved";
    plugins = with pkgs; [
      networkmanager-openvpn
    ];
@@ -86,4 +92,50 @@
    }
  ];
  networking.firewall.allowedUDPPorts = [ 5353 ];
+
+  networking.wg-quick.interfaces = lib.mkMerge (
+    lib.map
+      (
+        {
+          region,
+          ipOctet,
+          publicKey,
+        }:
+        {
+          "everii-${region}" = {
+            address = [ "10.${toString ipOctet}.8.48/22" ];
+            dns = [ "10.${toString ipOctet}.1.1" ];
+            privateKeyFile = config.age.secrets."everii-vpn/${region}.key".path;
+            peers = [
+              {
+                allowedIPs = [ "10.${toString ipOctet}.0.0/16" ];
+                endpoint = "vpn.${region}.infra.everii.io:51821";
+                inherit publicKey;
+              }
+            ];
+            postUp = ''
+              ${pkgs.systemd}/bin/resolvectl domain everii-${region} ~${region}.everii ~${toString ipOctet}.10.in-addr.arpa
+              ${pkgs.systemd}/bin/resolvectl dnssec everii-${region} no
+            '';
+          };
+        }
+      )
+      [
+        {
+          region = "de1";
+          ipOctet = 13;
+          publicKey = "uBUgSTZb6WbfE960S3qFP/UUMtdsgNWqtkTaBkp6Xxo=";
+        }
+        {
+          region = "fi1";
+          ipOctet = 14;
+          publicKey = "Yoakl0lrL6IK1nT8x5SGpaS39fQxRAsP9Zjpu8/1RRs=";
+        }
+        {
+          region = "ch1";
+          ipOctet = 15;
+          publicKey = "gfciqAk+X02zoEKXSvRamx5+TGL3i4GpT7oUvHMD0xo=";
+        }
+      ]
+  );
 }
--- a/hosts/radish/secrets.nix
+++ b/hosts/radish/secrets.nix
@@ -10,6 +10,9 @@
      })
      [
        "borgbackup-radish"
+        "everii-vpn/de1.key"
+        "everii-vpn/ch1.key"
+        "everii-vpn/fi1.key"
      ]
  );
 }
--- a/secrets/everii-vpn/ch1.key.age
+++ b/secrets/everii-vpn/ch1.key.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 osOCZA ynIsrUjxXEYLRtKoiyBKCn83JeZ5rFhGD3xi61ypVBc
+ZuKEpntuTCMigOf/jeQ3V6oklmqzuxyDpi4oVhtWsc4
+-> ssh-ed25519 DFiohQ /0VJWz6hK+0FNjBciDbPHX+ader97UxCiQYB1BFZh3E
+SiqY0KS5wBWHMgEbJMAU1WgvXqEJjBAOQ3l/eMuETdI
+-> ssh-ed25519 hRPDBg KSXXiPwj27sKoXMiwW7IqQJvE72lYIgUjiPnpvVSSmE
+ioQGtUPSMj4flm9j84PLGm4C/P0sHVmYX38SgB6Yl2c
+--- jUadITulpzJjYp3oWxkG0Qk5RwDXisrKgmXYMlcxCss
+ç[ ,J"ø$¥Èµå½Mõ.ã0×˜½Œcë§~ã,<2C>CŸ
+‰“s•¤×u1<02>™órDTf:FtwAÉtÿ„™hE¿›„Af
--- a/secrets/everii-vpn/de1.key.age
+++ b/secrets/everii-vpn/de1.key.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 osOCZA sGsltqSPiC3jkgZcpRXobfPgKiuPYzU3XiNptcyniB4
+0Q7X+YuaRHT2/1sCrqyhnXCRGIcUKlHQKoo7W8TCwD0
+-> ssh-ed25519 DFiohQ o982CBPZ8MYPkm+ngw0WxJKc4vC0yo1poTz3ICnbJVM
+Ac600G8Gr8dhPaXxl8k7A7XpaX70iyLTzfFFTc+14Ag
+-> ssh-ed25519 hRPDBg Pf8NvKBZy/afSlFjZIySg6aSregAeMtUCj7e90b0qXw
+kW4Ph56hKVtR0MUaulZpSS28Kna1Wigcvcf1Uv2ESf8
+--- Jbu+08V6cvPbTBjwiZvIRtsdOPOtn/e3VCzQuyrCgLw
+®î|xÌ=×º6ú»ÙÄ)Ø˜jYy6¤Ê`Ø‚ÛØào wÔ¬ËZ€\LLfK,(œØq¸>AŽ_tM£êqŽü°°£Y‘>Õí
--- a/secrets/everii-vpn/fi1.key.age
+++ b/secrets/everii-vpn/fi1.key.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -46,4 +46,7 @@ in
  "gitea-actions-runner.age".publicKeys = users ++ [ freun-dev ];
  "invidious-companion.age".publicKeys = users ++ [ apu ];
  "invidious.age".publicKeys = users ++ [ freun-dev ];
+  "everii-vpn/de1.key.age".publicKeys = users ++ [ radish ];
+  "everii-vpn/ch1.key.age".publicKeys = users ++ [ radish ];
+  "everii-vpn/fi1.key.age".publicKeys = users ++ [ radish ];
 }