42 current 2025-10-07 19:48:37 25.05.20251001.5b5be50 6.12.49 *

flake.nix

@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 41 current  2025-10-07 19:39:59  25.05.20251001.5b5be50  6.12.49                          *
+# generation: 42 current  2025-10-07 19:48:37  25.05.20251001.5b5be50  6.12.49                          *
 {
   description = "blakes nix config";
   inputs = {

modules/system/vpns.nix

@@ -22,9 +22,32 @@ in
     services.openvpn.servers = lib.mkIf cfg.openvpn_pia_mexico { 
       openvpn_pia_mexico = {
         config = ''
-          config ${config.sops.secrets."openvpn_pia_mexico_config".path}
+          client
-          auth-user-pass /run/secrets/openvpn_pia_mexico_auth
+          dev tun
-        '';
+          proto udp
+          remote 77.81.142.240 1198
+          resolv-retry infinite
+          nobind
+          persist-key
+          persist-tun
+          cipher aes-128-cbc
+          auth sha1
+          tls-client
+          remote-cert-tls server
+
+          auth-user-pass
+          compress
+          verb 1
+          reneg-sec 0
+          crl-verify ${config.sops.secrets."openvpn_pia_mexico_crl".path}
+          ca ${config.sops.secrets."openvpn_pia_mexico_crt".path}
+
+          disable-occ
+                  '';
+#        config = ''
+#          config ${config.sops.secrets."openvpn_pia_mexico_config".path}
+#          auth-user-pass /run/secrets/openvpn_pia_mexico_auth
+#        '';
       };
     };
     sops.secrets = {
@@ -36,6 +59,10 @@ in
         owner = "root";
         group = "root";
       };
+      "openvpn_pia_mexico_crt" = {
+        owner = "root";
+        group = "root";
+      };
       "openvpn_pia_mexico_config" = {
         owner = "root";
         group = "root";