diff --git a/flake.nix b/flake.nix
index b51abd4..91a2d7b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 94 current 2025-10-08 13:52:19 25.05.20251006.20c4598 6.12.50 *
+# generation: 95 current 2025-10-08 14:44:19 25.05.20251006.20c4598 6.12.50 *
 {
 description = "blakes nix config";
 inputs = {
diff --git a/hosts/snowbelle/configuration.nix b/hosts/snowbelle/configuration.nix
index aaa43c6..28b066e 100644
--- a/hosts/snowbelle/configuration.nix
+++ b/hosts/snowbelle/configuration.nix
@@ -19,8 +19,7 @@
 syncthing.enable = true;
 tailscale.enable = true;
 vpns.enable = true;
- vpns.openvpn_pia_mexico = false;
- vpns.wg_pia_mexico = false;
+ vpns.wg_mex = true;
 nvidia.enable = true;
 };
 homelab = {
diff --git a/modules/system/vpns.nix b/modules/system/vpns.nix
index 1546dcd..ff9c33a 100644
--- a/modules/system/vpns.nix
+++ b/modules/system/vpns.nix
@@ -13,7 +13,7 @@ in
 default = false;
 description = "enable pia vpn to mexico using openvpn";
 };
- wg_pia_mexico = lib.mkOption {
+ wg_mex = lib.mkOption {
 type = lib.types.bool;
 default = false;
 description = "enable pia vpn to mexico using wireguard";
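Review bot: The renamed `wg_mex` option keeps the description `enable pia vpn to mexico using wireguard`, while the interface it gates is, per the later hunk in this file, now pointed at a Mullvad peer, so the option's own documentation contradicts what it enables. Suggest `description = "enable mullvad vpn to mexico using wireguard";`. The options attrset holding this definition starts and ends outside the hunk.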
@@ -33,27 +33,29 @@ in }; }; - # enable pia mexico w/ wireguard + # enable mullvad mexico w/ wireguard networking.wireguard.interfaces = lib.mkIf cfg.wg_pia_mexico { - wg_piamex = { - privateKeyFile = config.sops.secrets."wg_pia_mexico_key".path; - listenPort = 51820; - ips = [ "10.4.244.34/32" ]; - - peers = [ - { - publicKey = "avK/Bdg+hyLMqP2k/7eEBTkxwCSzyy8FymwO/vFjbQg="; - allowedIPs = [ "0.0.0.0/0" ]; - endpoint = "77.81.142.245:1337"; + wg_mex = { + # client settings + privateKeyFile = config.sops.secrets."wg_mex_key".path; + ips = [ "10.74.252.231/32" "fc00:bbbb:bbbb:bb01::b:fce6/128" ]; + # remote settings + peers = [ { + publicKey = "yxyntWsANEwxeR0pOPNAcfWY7zEVICZe9G+GxortzEY="; + allowedIPs = [ "0.0.0.0/0" "::0/0" ]; + endpoint = "149.88.22.129:51820"; persistentKeepalive = 25; - } - ]; + } ]; + postSetup = '' + # Remove default route that wg might add + ip route del default dev wg-mullvad 2>/dev/null || true + ''; }; }; # secrets only if VPN is enabled sops.secrets = lib.mkIf cfg.enable { - "wg_pia_mexico_key" = { owner = "root"; group = "root"; }; + "wg_mex_key" = { owner = "root"; group = "root"; }; "pia_auth" = { owner = "root"; group = "root"; }; "openvpn_pia_mexico_config" = {owner = "root"; group = "root"; }; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index f8b8d39..c056a97 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
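Review bot: The new `postSetup` hook deletes the default route on `wg-mullvad`, but the interface defined in this hunk is named `wg_mex`, and `2>/dev/null || true` masks the resulting failure, so the routes the wireguard module installs for the `0.0.0.0/0`/`::0/0` allowedIPs are likely left in place and the comment's stated intent is not achieved; IPv6 is not covered either, since `ip route del default` only touches the v4 table. Change it to `ip route del default dev wg_mex 2>/dev/null || true` plus `ip -6 route del default dev wg_mex 2>/dev/null || true`, or, if the goal is to keep the tunnel out of the main routing table altogether, set the interface's `table = "off";` and drop the hook. Separately, the unchanged guard still reads `lib.mkIf cfg.wg_pia_mexico` although this commit renames that option to `wg_mex`; unless `wg_pia_mexico` is still declared elsewhere, it should be `networking.wireguard.interfaces = lib.mkIf cfg.wg_mex {`. Note also that the secrets block is gated on `cfg.enable` while the interface is gated on the wg option alone, so enabling the interface without `vpns.enable` references a secret path that is not declared. The enclosing module attrset begins and ends outside the hunk.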
@@ -11,9 +11,9 @@ ssl_blakedheld_key: ENC[AES256_GCM,data:Jhb2yiIYlfJ8mewzohseWQYZ2pEYy8x2c9B6OH/P
 #ENC[AES256_GCM,data:A0ITyGOGMIoyVOcn5JOi1RAtqUM=,iv:+wWpmFbeLiX/Ae53pj0QmnYY3MEzOMib4cqbePUKtGI=,tag:JHXvrN4bOH+oD3Q70pUuew==,type:comment]
 pia_auth: ENC[AES256_GCM,data:rwAu4f5XVS4v4FCLj2zXAegIZeRPLIzUVv6TCrdfg9RGSDJYHgVAX0aFXCBQsDQju9RDycXmc9Id8IuyYN8=,iv:kEA4ADQyUI+zlQoZOKi81dw5BLE1oesqhVf6bfiLgB4=,tag:VHT2uPNW27F3KRM7ZhWdCw==,type:str]
 #ENC[AES256_GCM,data:7y1mtYNfbsagqtr66kOx2rinneEW3EZaCJIXzK0qjLX36g==,iv:8ozXuBYirLbKd8sCln2xv/WjhTojY85xU0cL5NVeMlQ=,tag:mclz0GfQ9j2EGWMiQ62QmA==,type:comment]
-openvpn_pia_mexico_config: ENC[AES256_GCM,data:VsxrXpdrBpjP,iv:PIOTk/dADStM19EMwOsyoGBqy23eSoOCoiyUrd1obhQ=,tag:VP/gIg0by35glap3umK6uw==,type:str]
+openvpn_pia_mexico_config: ENC[AES256_GCM,data:59HQ3OZ0QKq92jI=,iv:DZTNvfi6kLXG7dsNkPcXUmXhAG2UdPZBy/L9eWNmRdE=,tag:ndxDDQNL2z1fjxFfU2VRwQ==,type:str]
 #ENC[AES256_GCM,data:mbIgMJBhL8nWJzl8q2dFL8XtO1Xa1Q==,iv:caYHYp1boK9wRgCcQe40HTWT/HxAIvYe+HyaruI53Vc=,tag:S6wowhAHObEcs7z8FimZ1g==,type:comment]
-wg_pia_mexico_key: ENC[AES256_GCM,data:bT5Vi8ZGtSG48bZ6UHSH8+4y/KBrRhVFDmA+0A9b1G9zLcQ0VwRtSOZ8bWc=,iv:Lo/vScSGQ0VbdAq14dQ8hrWK+LgH4hiUTP4Ndx/FNLE=,tag:+pSbZuXNxRaV13V4Df+M2g==,type:str]
+wg_mex_key: ENC[AES256_GCM,data:vxDXixo6X6D33+p21L4hB0/yCH+TvMHZl991BkRsE/jdz7rzZuJF+zI7h+Q=,iv:8WR+feHXNUcat8DB2wY7wpos+P7TzgRF7rFD0fYosjY=,tag:p9b9ck0/VZjyLxtHut3n5Q==,type:str]
 #ENC[AES256_GCM,data:CO5nrcDbgymnEmCvuTexOBEMncuNM5lQ,iv:6HrxqSN6e7ODuz09MIFgPbIqDCKQySRDaKk5Wdu4HoQ=,tag:JBRjZeEdOg+trohfanO6Mg==,type:comment]
 vaultwarden_admin_token: ENC[AES256_GCM,data:G1v3N064ci0Fw5EtTzaryailWpsv6f4w6eoHp2vjXIBtIlScdQk1Q0W+eDNRk8Wr2C3ysTXQNbyYismNsls+jeS3W+YqkKL4fnh3a5UTzQrMqvaH11n3ak0X9R9vmt+ZJXBrUrAOKJ6RPHJJSWenhjDB77kwEdQ=,iv:f8X+x/AdmZ3b3dtcSFrxGgA2tCgDRpgddjlVu3mdCmM=,tag:c0MXljVvhwOdvrb/8hWlsQ==,type:str]
 #ENC[AES256_GCM,data:2ESzSsQZqKdjD7OXN8ZPThj6g9acJREe,iv:aDFPB0vs8NNo8ExLcJw7qtQvWbCb1XK6TJrHSK86qss=,tag:z+dypHAGUjEXP7Y9MHYWwg==,type:comment]
@@ -29,7 +29,7 @@ sops:
 U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
 PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-08T17:55:56Z"
- mac: ENC[AES256_GCM,data:Cut9mCck9q+9I4x1hI709TTVi2J/qJ2Lcs1C4/hya3JhsVAJQ7UR1NC19QbTsQzAmv5cpD6RzfGmATXo+9DUWkp/yiyQqfVIGw1UpiSzrQYMJPOb9uUWELgKvVTEf6xRjhIe1IgedcO1OefRhwMosk7q4DjLIIb6PsU2ibMjNts=,iv:wOS3aI2am+uKnRAorlSmDEjWu3YFB1SzbPae4jLAeyU=,tag:DHUxWQtp9EI34JykS+er2A==,type:str]
+ lastmodified: "2025-10-08T20:46:50Z"
+ mac: ENC[AES256_GCM,data:kSWpiorgrx4Ohv/ZpUCKuBy+g3VZ95UjaOeotUwXJzao3qbHHAKIRLCJnlJPjMDyT3aZc8AF3urQunl65LDHYAisTV1LxTAeFSsWm4xkJ5DcyhvTHh1yxa+G9lGZ6mBQK60Hg92+fqwS43ObYz8hwoVeeKXc0ZSwDqI5d8gSF9o=,iv:gVonEcRQTupdLEYgAfgI10L86h6q+PFdgpLHNsLHB/8=,tag:Rd2nlookzmUc0ZWnC/f1Dg==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.11.0