From e9decbda682e53323a6595094fb7f75fb372bea9 Mon Sep 17 00:00:00 2001
From: James Eversole
Date: Mon, 11 Sep 2023 19:52:03 -0500
Subject: [PATCH] Configure single-client OpenVPN
---
 flake.nix | 2 ++
 nix/system/network.nix | 15 +++++++++++
 nix/system/openvpn.nix | 56 +++++++++++++++++++++++++++++++++++++++++
 nix/system/security.nix | 1 +
 nix/system/system.nix | 10 +-------
 5 files changed, 75 insertions(+), 9 deletions(-)
 create mode 100644 nix/system/network.nix
 create mode 100644 nix/system/openvpn.nix
diff --git a/flake.nix b/flake.nix
index 7e971c0..5be9e1a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -62,6 +62,8 @@
 ./nix/system/dns.nix
 ./nix/system/hardware.nix
 ./nix/system/nix-conf.nix
+ ./nix/system/network.nix
+ ./nix/system/openvpn.nix
 ./nix/system/security.nix
 ./nix/system/system.nix
 ./nix/system/virtualisation.nix
diff --git a/nix/system/network.nix b/nix/system/network.nix
new file mode 100644
index 0000000..a4f15f8
--- /dev/null
+++ b/nix/system/network.nix
@@ -0,0 +1,15 @@
+{ ... }: {
+ networking = {
+ hostName = "eve-psr-nix0";
+ firewall = {
+ allowedTCPPorts = [ 22 80 443 ];
+ allowedUDPPorts = [ 22 80 443 53 1194 ];
+ trustedInterfaces = [ "tun0" ];
+ };
+ nat = {
+ enable = true;
+ externalInterface = "enp1s0";
+ internalInterfaces = [ "tun0" ];
+ };
+ };
+}
diff --git a/nix/system/openvpn.nix b/nix/system/openvpn.nix
new file mode 100644
index 0000000..4ed1ba6
--- /dev/null
+++ b/nix/system/openvpn.nix
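Review bot: `trustedInterfaces = [ "tun0" ];` accepts every packet arriving from the tunnel into the host itself, which is more than the single-client NAT egress this commit sets up requires — forwarded packets are not filtered by the NixOS INPUT-chain firewall, so the `nat` block should keep working without it. If the client only needs DNS from the host, a per-interface allowance such as `networking.firewall.interfaces.tun0.allowedUDPPorts = [ 53 ];` keeps the remaining listeners (SSH, 80/443) unreachable over the VPN unless that is actually intended. A one-line comment on `externalInterface = "enp1s0";` noting that it must match the host's uplink name would also help, since an interface rename would break masquerading without any evaluation error.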
@@ -0,0 +1,56 @@
+{ config, pkgs, ... }:
+let
+ client-key = "/home/sezycei/srv/sec/openvpn/James/laptop.key";
+ domain = "matri.cx";
+ port = 1194;
+in
+{
+ services.openvpn.servers.laptop.config = ''
+ dev tun0
+ proto udp
+ ifconfig 10.8.0.1 10.8.0.2
+ secret ${client-key}
+ port ${toString port}
+
+ cipher AES-256-CBC
+ auth-nocache
+
+ comp-lzo
+ keepalive 10 60
+ ping-timer-rem
+ persist-tun
+ persist-key
+ '';
+
+ environment.etc."openvpn/laptop-client.ovpn" = {
+ text = ''
+ dev tun
+ remote "${domain}"
+ ifconfig 10.8.0.2 10.8.0.1
+ port ${toString port}
+ redirect-gateway def1
+
+ cipher AES-256-CBC
+ auth-nocache
+
+ comp-lzo
+ keepalive 10 60
+ resolv-retry infinite
+ nobind
+ persist-key
+ persist-tun
+ secret [inline]
+
+ '';
+ mode = "600";
+ };
+ system.activationScripts.openvpn-addkey = ''
+ f="/etc/openvpn/laptop-client.ovpn"
+ if ! grep -q '' $f; then
+ echo "appending secret key"
+ echo "" >> $f
+ cat ${client-key} >> $f
+ echo "" >> $f
+ fi
+ '';
+}
diff --git a/nix/system/security.nix b/nix/system/security.nix
index 5362de5..756c4ae 100644
--- a/nix/system/security.nix
+++ b/nix/system/security.nix
@@ -2,6 +2,7 @@
 services.openssh = {
 enable = true;
 };
+
 security = {
 sudo.wheelNeedsPassword = false;
 acme = {
diff --git a/nix/system/system.nix b/nix/system/system.nix
index f002199..094c696 100644
--- a/nix/system/system.nix
+++ b/nix/system/system.nix
@@ -5,15 +5,7 @@
 loader.efi.canTouchEfiVariables = true;
 };
 
- environment.systemPackages = with pkgs; [ git pciutils vim wget ];
-
- networking = {
- hostName = "eve-psr-nix0";
- firewall = {
- allowedTCPPorts = [ 22 80 443 ];
- allowedUDPPorts = [ 22 80 443 53 ];
- };
- };
+ environment.systemPackages = with pkgs; [ git pciutils openvpn vim wget ];
 
 programs.ssh.knownHosts = {
 selbeiskami = {
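Review bot: Both the server config and the generated client profile carry `comp-lzo`; compression inside the tunnel is what VORACLE-style attacks leverage and OpenVPN has deprecated it, so both lines should be removed together (the two sides must agree on compression). Static-key mode via `secret ${client-key}` gives no forward secrecy and ties the tunnel's security to one file under a user's home directory, which is a reasonable trade-off for a single client but deserves a comment on the `let` block stating that trade-off and how the key was generated. In `openvpn-addkey`, the `grep -q ''` pattern and the two `echo ""` lines appear empty as rendered here — if the inline `secret` tag markers were lost in display that is fine, but as written the test always matches and the key is never appended. The script is also a plain string, so its ordering relative to the `etc` activation step is only implicit; declaring it as `{ deps = [ "etc" ]; text = ''…''; }` guarantees `/etc/openvpn/laptop-client.ovpn` exists before the append runs.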