From 0e4657fa3ae99093c88b93e2d82752d0ff79d570 Mon Sep 17 00:00:00 2001
From: Joakim Repomaa <joakim.repomaa@mocoapp.com>
Date: Fri, 29 May 2026 17:55:19 +0300
Subject: [PATCH] setup everii vpn

---
 hosts/radish/hardware.nix      |  52 +++++++++++++++++++++++++++++++++
 hosts/radish/secrets.nix       |   3 ++
 secrets/everii-vpn/ch1.key.age |  10 +++++++
 secrets/everii-vpn/de1.key.age |   9 ++++++
 secrets/everii-vpn/fi1.key.age | Bin 0 -> 477 bytes
 secrets/secrets.nix            |   3 ++
 6 files changed, 77 insertions(+)
 create mode 100644 secrets/everii-vpn/ch1.key.age
 create mode 100644 secrets/everii-vpn/de1.key.age
 create mode 100644 secrets/everii-vpn/fi1.key.age

diff --git a/hosts/radish/hardware.nix b/hosts/radish/hardware.nix
index e96614a..963a308 100644
--- a/hosts/radish/hardware.nix
+++ b/hosts/radish/hardware.nix
@@ -69,9 +69,15 @@
     enable = true;
     extraPackages = with pkgs; [ rocmPackages.clr.icd ];
   };
+  services.resolved = {
+    enable = true;
+    dnsovertls = "opportunistic";
+    dnssec = "allow-downgrade";
+  };
   networking.networkmanager = {
     enable = true;
     wifi.backend = "iwd";
+    dns = "systemd-resolved";
     plugins = with pkgs; [
       networkmanager-openvpn
     ];
@@ -86,4 +92,50 @@
     }
   ];
   networking.firewall.allowedUDPPorts = [ 5353 ];
+
+  networking.wg-quick.interfaces = lib.mkMerge (
+    lib.map
+      (
+        {
+          region,
+          ipOctet,
+          publicKey,
+        }:
+        {
+          "everii-${region}" = {
+            address = [ "10.${toString ipOctet}.8.48/22" ];
+            dns = [ "10.${toString ipOctet}.1.1" ];
+            privateKeyFile = config.age.secrets."everii-vpn/${region}.key".path;
+            peers = [
+              {
+                allowedIPs = [ "10.${toString ipOctet}.0.0/16" ];
+                endpoint = "vpn.${region}.infra.everii.io:51821";
+                inherit publicKey;
+              }
+            ];
+            postUp = ''
+              ${pkgs.systemd}/bin/resolvectl domain everii-${region} ~${region}.everii ~${toString ipOctet}.10.in-addr.arpa
+              ${pkgs.systemd}/bin/resolvectl dnssec everii-${region} no
+            '';
+          };
+        }
+      )
+      [
+        {
+          region = "de1";
+          ipOctet = 13;
+          publicKey = "uBUgSTZb6WbfE960S3qFP/UUMtdsgNWqtkTaBkp6Xxo=";
+        }
+        {
+          region = "fi1";
+          ipOctet = 14;
+          publicKey = "Yoakl0lrL6IK1nT8x5SGpaS39fQxRAsP9Zjpu8/1RRs=";
+        }
+        {
+          region = "ch1";
+          ipOctet = 15;
+          publicKey = "gfciqAk+X02zoEKXSvRamx5+TGL3i4GpT7oUvHMD0xo=";
+        }
+      ]
+  );
 }
diff --git a/hosts/radish/secrets.nix b/hosts/radish/secrets.nix
index 9548e4c..9709304 100644
--- a/hosts/radish/secrets.nix
+++ b/hosts/radish/secrets.nix
@@ -10,6 +10,9 @@
       })
       [
         "borgbackup-radish"
+        "everii-vpn/de1.key"
+        "everii-vpn/ch1.key"
+        "everii-vpn/fi1.key"
       ]
   );
 }
diff --git a/secrets/everii-vpn/ch1.key.age b/secrets/everii-vpn/ch1.key.age
new file mode 100644
index 0000000..45468e9
--- /dev/null
+++ b/secrets/everii-vpn/ch1.key.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 osOCZA ynIsrUjxXEYLRtKoiyBKCn83JeZ5rFhGD3xi61ypVBc
+ZuKEpntuTCMigOf/jeQ3V6oklmqzuxyDpi4oVhtWsc4
+-> ssh-ed25519 DFiohQ /0VJWz6hK+0FNjBciDbPHX+ader97UxCiQYB1BFZh3E
+SiqY0KS5wBWHMgEbJMAU1WgvXqEJjBAOQ3l/eMuETdI
+-> ssh-ed25519 hRPDBg KSXXiPwj27sKoXMiwW7IqQJvE72lYIgUjiPnpvVSSmE
+ioQGtUPSMj4flm9j84PLGm4C/P0sHVmYX38SgB6Yl2c
+--- jUadITulpzJjYp3oWxkG0Qk5RwDXisrKgmXYMlcxCss
+ç[ ,J"ø$¥Èµå½Mõ.ã0×˜½Œcë§~ã,CŸ
+‰“s•¤×u1™órDTf­:FtwAÉtÿ„™hE¿›„Af
\ No newline at end of file
diff --git a/secrets/everii-vpn/de1.key.age b/secrets/everii-vpn/de1.key.age
new file mode 100644
index 0000000..f062849
--- /dev/null
+++ b/secrets/everii-vpn/de1.key.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 osOCZA sGsltqSPiC3jkgZcpRXobfPgKiuPYzU3XiNptcyniB4
+0Q7X+YuaRHT2/1sCrqyhnXCRGIcUKlHQKoo7W8TCwD0
+-> ssh-ed25519 DFiohQ o982CBPZ8MYPkm+ngw0WxJKc4vC0yo1poTz3ICnbJVM
+Ac600G8Gr8dhPaXxl8k7A7XpaX70iyLTzfFFTc+14Ag
+-> ssh-ed25519 hRPDBg Pf8NvKBZy/afSlFjZIySg6aSregAeMtUCj7e90b0qXw
+kW4Ph56hKVtR0MUaulZpSS28Kna1Wigcvcf1Uv2ESf8
+--- Jbu+08V6cvPbTBjwiZvIRtsdOPOtn/e3VCzQuyrCgLw
+®î|xÌ=×º6ú»ÙÄ)Ø˜jYy6¤Ê`Ø‚ÛØào wÔ¬ËZ€\LLfK,(œØq¸>AŽ_tM£êqŽü°°£Y‘>Õí
\ No newline at end of file
diff --git a/secrets/everii-vpn/fi1.key.age b/secrets/everii-vpn/fi1.key.age
new file mode 100644
index 0000000000000000000000000000000000000000..40be30c9b27fa12852d9e9c4bcf81fb20394af05
GIT binary patch
literal 477
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7FZOqia#Tok@hx_B
zcX4&I$j^6-%qVd#%yLOjE=&(83^8%e^w%~maZ3#Js7N)fDCY8va`&rn3vja3_X^85
z%F8V+^^GcxGW3XY4~h&bweYK`C@A(Q_R)9GHbJ+|#Vs>GBTyl%Ak{m`TR&7gEMGgw
zE!?*xEGNaoFg)Dbvn<!d#W*q2zf!xR*f7b@DW5B~(8oK{D6-Tz$0;wpvM4_((ZaDZ
zsJJxC&DSs0AR;KItSB|i&p)HgF&*8ujGzD)r*wt<Lcb`#NUz`meG5l7ztGZD<M0B@
z;J}O|w+NRq4+HNMlZxUBN1uqqz-+EUC&T0npS<F7KlhM|v<w4_>@>ghd?zQ9+)Urd
zG+%w~oZwR5EaMW>kVr0FU0sFLQd3iX1ON2Yl*HhIoJvO%{VekUZL@sKq%8eF-=x$^
zeV-tgQr~=i|7<Qjmaoc6rKcw7UU2ejt8ahwM*CZu%FYs5Ml0cBlZ7WEp8RGzoA0$f
sSLlsx-)(n(ovi<7&9|MMVED9C*qh<zkq;-2oO!!2QCOVY@%`Re0Kk=|Jpcdz

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 59cd63e..87b9276 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -46,4 +46,7 @@ in
   "gitea-actions-runner.age".publicKeys = users ++ [ freun-dev ];
   "invidious-companion.age".publicKeys = users ++ [ apu ];
   "invidious.age".publicKeys = users ++ [ freun-dev ];
+  "everii-vpn/de1.key.age".publicKeys = users ++ [ radish ];
+  "everii-vpn/ch1.key.age".publicKeys = users ++ [ radish ];
+  "everii-vpn/fi1.key.age".publicKeys = users ++ [ radish ];
 }