setup everii vpn

2026-05-29 17:55:19 +03:00
parent 5d8d0555d9
commit 0e4657fa3a
6 changed files with 77 additions and 0 deletions
--- a/hosts/radish/hardware.nix
+++ b/hosts/radish/hardware.nix
@@ -69,9 +69,15 @@
    enable = true;
    extraPackages = with pkgs; [ rocmPackages.clr.icd ];
  };
+  services.resolved = {
+    enable = true;
+    dnsovertls = "opportunistic";
+    dnssec = "allow-downgrade";
+  };
  networking.networkmanager = {
    enable = true;
    wifi.backend = "iwd";
+    dns = "systemd-resolved";
    plugins = with pkgs; [
      networkmanager-openvpn
    ];
@@ -86,4 +92,50 @@
    }
  ];
  networking.firewall.allowedUDPPorts = [ 5353 ];
+
+  networking.wg-quick.interfaces = lib.mkMerge (
+    lib.map
+      (
+        {
+          region,
+          ipOctet,
+          publicKey,
+        }:
+        {
+          "everii-${region}" = {
+            address = [ "10.${toString ipOctet}.8.48/22" ];
+            dns = [ "10.${toString ipOctet}.1.1" ];
+            privateKeyFile = config.age.secrets."everii-vpn/${region}.key".path;
+            peers = [
+              {
+                allowedIPs = [ "10.${toString ipOctet}.0.0/16" ];
+                endpoint = "vpn.${region}.infra.everii.io:51821";
+                inherit publicKey;
+              }
+            ];
+            postUp = ''
+              ${pkgs.systemd}/bin/resolvectl domain everii-${region} ~${region}.everii ~${toString ipOctet}.10.in-addr.arpa
+              ${pkgs.systemd}/bin/resolvectl dnssec everii-${region} no
+            '';
+          };
+        }
+      )
+      [
+        {
+          region = "de1";
+          ipOctet = 13;
+          publicKey = "uBUgSTZb6WbfE960S3qFP/UUMtdsgNWqtkTaBkp6Xxo=";
+        }
+        {
+          region = "fi1";
+          ipOctet = 14;
+          publicKey = "Yoakl0lrL6IK1nT8x5SGpaS39fQxRAsP9Zjpu8/1RRs=";
+        }
+        {
+          region = "ch1";
+          ipOctet = 15;
+          publicKey = "gfciqAk+X02zoEKXSvRamx5+TGL3i4GpT7oUvHMD0xo=";
+        }
+      ]
+  );
 }
--- a/hosts/radish/secrets.nix
+++ b/hosts/radish/secrets.nix
@@ -10,6 +10,9 @@
      })
      [
        "borgbackup-radish"
+        "everii-vpn/de1.key"
+        "everii-vpn/ch1.key"
+        "everii-vpn/fi1.key"
      ]
  );
 }