nixos/jackflix: Switch to AirVPN

2023-07-30 15:12:45 +01:00
parent e36a706956
commit 1bf3904678
4 changed files with 40 additions and 21 deletions
--- a/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
@@ -4,13 +4,14 @@ let
  inherit (lib.my) networkdAssignment;

  wg = {
-    keyFile = "jackflix/mullvad-privkey";
+    keyFile = "jackflix/airvpn-privkey";
+    pskFile = "jackflix/airvpn-psk";
    fwMark = 42;
    routeTable = 51820;
  };

-  # Forwarded in Mullvad config
-  transmissionPeerPort = 56528;
+  # Forwarded in AirVPN config
+  transmissionPeerPort = 47016;
 in
 {
  config = mkMerge [
@@ -21,6 +22,10 @@ in
            group = "systemd-network";
            mode = "440";
          };
+          files."${wg.pskFile}" = {
+            group = "systemd-network";
+            mode = "440";
+          };
        };

        firewall = {
@@ -56,6 +61,8 @@ in
            netdevConfig = {
              Name = "vpn";
              Kind = "wireguard";
+              # Specified by AirVPN
+              MTUBytes = "1320";
            };
            wireguardConfig = {
              PrivateKeyFile = config.age.secrets."${keyFile}".path;
@@ -64,10 +71,11 @@ in
            };
            wireguardPeers = [
              {
-                # mlvd-ams-wg-202
+                # AirVPN NL
                wireguardPeerConfig = {
-                  Endpoint = "169.150.196.15:51820";
-                  PublicKey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk=";
+                  Endpoint = "2a00:1678:1337:2329:e5f:35d4:4404:ef9f:1637";
+                  PublicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
+                  PresharedKeyFile = config.age.secrets."${pskFile}".path;
                  AllowedIPs = [ "0.0.0.0/0" "::/0" ];
                };
              }
@@ -83,8 +91,8 @@ in
            ];
            "90-vpn" = with wg; {
              matchConfig.Name = "vpn";
-              address = [ "10.67.83.59/32" "fc00:bbbb:bbbb:bb01::4:533a/128" ];
-              dns = [ "10.64.0.1" ];
+              address = [ "10.182.97.37/32" "fd7d:76ee:e68f:a993:735d:ef5e:6907:b122/128" ];
+              dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
              routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
                {
                  Family = "both";
--- a/secrets/jackflix/airvpn-privkey.age
+++ b/secrets/jackflix/airvpn-privkey.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhNYTRudyA0U3FE
+K3R0R3VEKzRCWitIWFZ5T1RjcG9NcjE0ZWZZbk9qMG5Ra3BmZlVRCkdqRU44RWZo
+K0xabCtRM08xNDFXQmZ4YjVQNmhKQ05QMzZkUFdWNkNQaXcKLT4gWDI1NTE5IEQ5
+UkM1UVhielJHSHVDVFV2ZWpBNmI3RElvUGVueG5yenNmVCtJb1BBUm8KSWxCZDFD
+SnBMMnM0M2E0aWwwVjg4NklIZ0dnVVdYOHQrUEJNZ3ZlK1ZibwotPiA1fS1ncmVh
+c2UKYVUxbkQyTXRXL0pRTVUvWDJRSXRxYUtyam1ObVZhUmtxVHhyb2hJZzJ2OXhk
+UVF6R0NQaituZFNvaStOV051dgo4K3RXZG1SSFNMSXpLL05KeTRQN05ja2U0cVVu
+TE9jcWg0SjNKUXNKME9ZbDhqbm4KLS0tIFQ2K2h1QlRHdFVaL2xCZDJWelEvSHhF
+NUphd2VNMmFPZi9oa0syQlBrdEUK1ajfpNzcQ6OH1hC2BcLRW7oKgzZjX9r0qZNf
+n+q5vzcHM6nXNOzgM9ddjoLOyjKy4beZTMnwCBhuDaeqCydlIpKNgkZFaR2RT4+G
+g64=
+-----END AGE ENCRYPTED FILE-----
--- a/secrets/jackflix/airvpn-psk.age
+++ b/secrets/jackflix/airvpn-psk.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhNYTRudyBUK2JU
+NDZCQkgzVi9oNlRzMjZGbWJwWkxvN2hFTndGaTQzc2QwcnBLUjJFCnVjbFFNdVRT
+YU5uOVFOT0Erc3R1TjY0ZzF3TGZKS2k0VFFiN0Rlb3psRkkKLT4gWDI1NTE5IFA0
+WEtBbk9WbEwvSVZHSEFOVTI0UHdrMStxRUZzbFJDQk8wc1loZnNQemsKRkdyMm9R
+WFZlVUVIUUhmOU9XVitnQjQ5eWFYSkFMZ2Q5UVN6K2FYT0tkZwotPiB7Vi1ncmVh
+c2Ugbl5qID0lIyl1KyBvXnJJeHsKTHpKMDRjeHV5S1NISE16UgotLS0gSUhnNnVN
+VHd0aHNpcEdrSDIxWkZ3eElodnhCS0kzTjJSakJYRnZLZE9FTQpPxKNiNPNsDJXX
+mfubEEJTh78EvFllgObtGS7NJ3dvkT6Pg/UgcfevrPrd3w8cxLvnwuWzzxD9TAvp
+tFe84figvpNUeUSkIN7DsKIHzQ==
+-----END AGE ENCRYPTED FILE-----
--- a/secrets/jackflix/mullvad-privkey.age
+++ b/secrets/jackflix/mullvad-privkey.age
@@ -1,13 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhNYTRudyBkek5i
-cmhBN2tTZEVsUDdZNEwwT1M4ZWVVaStTRmNINHJtcnFtSmx2VFNNCm9wSDNXMHpn
-NjgrMnJEdDNpazl0am81d0EyN3UxaC9tWVV6U0VPQ2MxZ28KLT4gWDI1NTE5IG1p
-SjRkMmo4NkFLSnAwZHlZRlJaUWsyOU51eWJCQXlFcVhzQWQrVnZ2WHMKNW9OeUFr
-WjlwbEw5bEx2eER0SG0xRGJwQXV0Vy9YNzd3SWdxb1VpdG5EYwotPiAsdW0sdC1n
-cmVhc2UgJFM6dyZ8KTAgZXdweCxnUkwKb1RKQytRQlN5aFQ1SDlOekZYcGlvY1N1
-eHNubGxlNzVjd0k4dTczbUoxQmM1ZHl6NHk3M2EvMXFUSkNRcEdKTwpnQzltamRE
-dUZYMExWakZCOHFKbXdLTk14Nm1RLzVWejFCclZIRHNYUG55K0QzR0cvQytkaEpV
-Ci0tLSBDOGZSOTZVOGs2WHA0cVNTY3hsOUhDL1hXNGE5NngwMytGVWswZlA5R280
-Cle7K5aU/uguNVxjKN2w6orJ023uQSnix7IxYkKOoU71Y1s84lbc4GUPv1aNUTsT
-uc7LoiwGLKrO9YdRsfqzJsbGQlqCkNXg8Q1EcE0s
-----END AGE ENCRYPTED FILE-----