setup everii vpn

2026-05-29 17:55:19 +03:00
parent 5d8d0555d9
commit 0e4657fa3a
6 changed files with 77 additions and 0 deletions
--- a/hosts/radish/hardware.nix
+++ b/hosts/radish/hardware.nix
@@ -69,9 +69,15 @@
    enable = true;
    extraPackages = with pkgs; [ rocmPackages.clr.icd ];
  };
  services.resolved = {
    enable = true;
    dnsovertls = "opportunistic";
    dnssec = "allow-downgrade";
  };
  networking.networkmanager = {
    enable = true;
    wifi.backend = "iwd";
    dns = "systemd-resolved";
    plugins = with pkgs; [
      networkmanager-openvpn
    ];
@@ -86,4 +92,50 @@
    }
  ];
  networking.firewall.allowedUDPPorts = [ 5353 ];
  networking.wg-quick.interfaces = lib.mkMerge (
    lib.map
      (
        {
          region,
          ipOctet,
          publicKey,
        }:
        {
          "everii-${region}" = {
            address = [ "10.${toString ipOctet}.8.48/22" ];
            dns = [ "10.${toString ipOctet}.1.1" ];
            privateKeyFile = config.age.secrets."everii-vpn/${region}.key".path;
            peers = [
              {
                allowedIPs = [ "10.${toString ipOctet}.0.0/16" ];
                endpoint = "vpn.${region}.infra.everii.io:51821";
                inherit publicKey;
              }
            ];
            postUp = ''
              ${pkgs.systemd}/bin/resolvectl domain everii-${region} ~${region}.everii ~${toString ipOctet}.10.in-addr.arpa
              ${pkgs.systemd}/bin/resolvectl dnssec everii-${region} no
            '';
          };
        }
      )
      [
        {
          region = "de1";
          ipOctet = 13;
          publicKey = "uBUgSTZb6WbfE960S3qFP/UUMtdsgNWqtkTaBkp6Xxo=";
        }
        {
          region = "fi1";
          ipOctet = 14;
          publicKey = "Yoakl0lrL6IK1nT8x5SGpaS39fQxRAsP9Zjpu8/1RRs=";
        }
        {
          region = "ch1";
          ipOctet = 15;
          publicKey = "gfciqAk+X02zoEKXSvRamx5+TGL3i4GpT7oUvHMD0xo=";
        }
      ]
  );
 }
--- a/hosts/radish/secrets.nix
+++ b/hosts/radish/secrets.nix
@@ -10,6 +10,9 @@
      })
      [
        "borgbackup-radish"
        "everii-vpn/de1.key"
        "everii-vpn/ch1.key"
        "everii-vpn/fi1.key"
      ]
  );
 }
--- a/secrets/everii-vpn/ch1.key.age
+++ b/secrets/everii-vpn/ch1.key.age
@@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 osOCZA ynIsrUjxXEYLRtKoiyBKCn83JeZ5rFhGD3xi61ypVBc
 ZuKEpntuTCMigOf/jeQ3V6oklmqzuxyDpi4oVhtWsc4
 -> ssh-ed25519 DFiohQ /0VJWz6hK+0FNjBciDbPHX+ader97UxCiQYB1BFZh3E
 SiqY0KS5wBWHMgEbJMAU1WgvXqEJjBAOQ3l/eMuETdI
 -> ssh-ed25519 hRPDBg KSXXiPwj27sKoXMiwW7IqQJvE72lYIgUjiPnpvVSSmE
 ioQGtUPSMj4flm9j84PLGm4C/P0sHVmYX38SgB6Yl2c
 --- jUadITulpzJjYp3oWxkG0Qk5RwDXisrKgmXYMlcxCss
 ç[ ,J"ø$¥Èµå½Mõ.ã0×˜½Œcë§~ã,<2C>CŸ
 ‰“s•¤×u1<02>™órDTf:FtwAÉtÿ„™hE¿›„Af
--- a/secrets/everii-vpn/de1.key.age
+++ b/secrets/everii-vpn/de1.key.age
@@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 osOCZA sGsltqSPiC3jkgZcpRXobfPgKiuPYzU3XiNptcyniB4
 0Q7X+YuaRHT2/1sCrqyhnXCRGIcUKlHQKoo7W8TCwD0
 -> ssh-ed25519 DFiohQ o982CBPZ8MYPkm+ngw0WxJKc4vC0yo1poTz3ICnbJVM
 Ac600G8Gr8dhPaXxl8k7A7XpaX70iyLTzfFFTc+14Ag
 -> ssh-ed25519 hRPDBg Pf8NvKBZy/afSlFjZIySg6aSregAeMtUCj7e90b0qXw
 kW4Ph56hKVtR0MUaulZpSS28Kna1Wigcvcf1Uv2ESf8
 --- Jbu+08V6cvPbTBjwiZvIRtsdOPOtn/e3VCzQuyrCgLw
 ®î|xÌ=×º6ú»ÙÄ)Ø˜jYy6¤Ê`Ø‚ÛØào wÔ¬ËZ€\LLfK,(œØq¸>AŽ_tM£êqŽü°°£Y‘>Õí
--- a/secrets/everii-vpn/fi1.key.age
+++ b/secrets/everii-vpn/fi1.key.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -46,4 +46,7 @@ in
  "gitea-actions-runner.age".publicKeys = users ++ [ freun-dev ];
  "invidious-companion.age".publicKeys = users ++ [ apu ];
  "invidious.age".publicKeys = users ++ [ freun-dev ];
  "everii-vpn/de1.key.age".publicKeys = users ++ [ radish ];
  "everii-vpn/ch1.key.age".publicKeys = users ++ [ radish ];
  "everii-vpn/fi1.key.age".publicKeys = users ++ [ radish ];
 }