Setup relay server

2026-03-28 06:26:08 +01:00 · 2026-03-24 13:18:01 +01:00 · 2026-03-24 13:18:01 +01:00 · d04d69157e
commit d04d69157e
parent a1945ec137
9 changed files with 354 additions and 50 deletions
--- a/profiles/relay1.nix
+++ b/profiles/relay1.nix
@ -0,0 +1,160 @@
+{
+  modulesPath,
+  config,
+  ...
+}:
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/profiles/qemu-guest.nix")
+    ../environment.nix
+    ../modules/openssh.nix
+  ];
+
+  networking.useDHCP = true;
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  time.timeZone = "Europe/Amsterdam";
+
+  boot.tmp.cleanOnBoot = true;
+  networking.firewall.allowPing = true;
+  networking.firewall.allowedTCPPorts = [ 443 ];
+  networking.usePredictableInterfaceNames = false;
+  custom.services.openssh.enable = true;
+  services.openssh.openFirewall = true;
+
+  services.nscd.enableNsncd = true;
+  zramSwap.enable = true;
+
+  sops.secrets = {
+    openvpnCa = {
+      key = "openvpn/ca.crt";
+    };
+    openvpnServerCert = {
+      key = "openvpn/server.crt";
+    };
+    openvpnServerKey = {
+      key = "openvpn/server.key";
+    };
+    openvpnDh = {
+      key = "openvpn/dh.pem";
+    };
+    openvpnTlsCrypt = {
+      key = "openvpn/tls-crypt.key";
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /etc/openvpn/ccd 0750 root root -"
+  ];
+
+  environment.etc."openvpn/ccd/wsl".text = ''
+    iroute 10.33.0.0 255.255.0.0
+    iroute 10.46.0.0 255.255.0.0
+    iroute 10.133.0.0 255.255.0.0
+    iroute 10.134.0.0 255.255.0.0
+    iroute 10.161.0.0 255.255.0.0
+    iroute 10.200.0.0 255.255.0.0
+  '';
+
+  services.openvpn.servers.relay.config = ''
+    port 443
+    proto tcp-server
+    dev tun
+    topology subnet
+
+    user nobody
+    group nogroup
+    persist-key
+    persist-tun
+    keepalive 10 120
+
+    ca ${config.sops.secrets.openvpnCa.path}
+    cert ${config.sops.secrets.openvpnServerCert.path}
+    key ${config.sops.secrets.openvpnServerKey.path}
+    dh ${config.sops.secrets.openvpnDh.path}
+    tls-crypt ${config.sops.secrets.openvpnTlsCrypt.path}
+
+    server 10.8.0.0 255.255.255.0
+    client-config-dir /etc/openvpn/ccd
+
+    route 10.33.0.0 255.255.0.0
+    route 10.46.0.0 255.255.0.0
+    route 10.133.0.0 255.255.0.0
+    route 10.134.0.0 255.255.0.0
+    route 10.161.0.0 255.255.0.0
+    route 10.200.0.0 255.255.0.0
+
+    push "route 10.33.0.0 255.255.0.0"
+    push "route 10.46.0.0 255.255.0.0"
+    push "route 10.133.0.0 255.255.0.0"
+    push "route 10.134.0.0 255.255.0.0"
+    push "route 10.161.0.0 255.255.0.0"
+    push "route 10.200.0.0 255.255.0.0"
+
+    push "dhcp-option DNS 1.1.1.1"
+    push "dhcp-option DNS 9.9.9.9"
+
+    status /var/log/openvpn-relay-status.log
+    log-append /var/log/openvpn-relay.log
+    verb 3
+  '';
+
+  disko.devices = {
+    disk.disk1 = {
+      device = "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "lvm_pv";
+              vg = "pool";
+            };
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      pool = {
+        type = "lvm_vg";
+        lvs = {
+          root = {
+            size = "100%FREE";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+        };
+      };
+    };
+  };
+}