decouple vpn and proxies

2025-01-11 22:25:03 +03:00 · 2025-01-11 22:25:03 +03:00 · 476c13d296
commit 476c13d296
parent 1518f7007b
13 changed files with 103 additions and 45 deletions
--- a/lil-maid/default.nix
+++ b/lil-maid/default.nix
@ -1,7 +1,4 @@
 {
-  programs.bash.shellAliases = {
-    e = "emacs -nw";
-  };
  maid = {
    sys = {
      enable = true;
@ -21,12 +18,18 @@
    sddm.enable = true;
    hm.enable = true;
    hypr.enable = true;
-    # kde.enable = true;
+#   kde.enable = true;

    rust.enable = true;

    firefox.enable = true;
-    vpn.hft.enable = true;
+
+    proxies = {
+      yor.enable = true;
+    };
+    vpn = {
+      hft.enable = true;
+    };

    unfree = [
      "obsidian"
--- a/lil-maid/modules/default.nix
+++ b/lil-maid/modules/default.nix
@ -1,4 +1,7 @@
 {
+  services.xserver.windowManager.qtile = {
+    enable = true;
+  };
  imports = [
    ./net.nix
    ./firewall.nix
@ -8,5 +11,7 @@
    ./social.nix
    ./stash.nix
    ./net.nix
+
+    ./devenv.nix
  ];
 }
--- a/lil-maid/modules/devenv.nix
+++ b/lil-maid/modules/devenv.nix
@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+{
+  # TODO: dotfiles for DOOM emacs.
+
+  environment.systemPackages = with pkgs; [
+    # BTW I use it for real.
+    emacs
+
+    # Spellcheck
+    ispell
+    languagetool
+    proselint
+
+    # VCS
+    git
+    jujutsu
+
+    # Markdown
+    pandoc
+
+    # NixOS Devops
+
+    # Binary cache
+    attic-client
+
+    # Deployment
+    colmena
+    nixos-anywhere
+
+    # Other useful tools.
+    fd
+    hyperfine
+    ripgrep
+    p7zip
+  ];
+}
--- a/lil-maid/modules/stash.nix
+++ b/lil-maid/modules/stash.nix
@ -1,3 +1,5 @@
+# Temporary location for modules and other code. Stacked here until
+# there's no similarties which useful to take out.
 { pkgs, inputs, ... }:
 {
  imports = [ inputs.vnj.nixosModules.x86_64-linux.default ];
@ -27,20 +29,15 @@

  environment.systemPackages = with pkgs; [
    obsidian
-    git
-    # element-desktop
-    # monero-gui
-    emacs
-    fd
-    ripgrep
+    sioyek
    signal-desktop
-    terraform
    pavucontrol
    vlc
    wine
    winetricks
    yandex-cloud
    qbittorrent
+    element-desktop
  ];

  fonts.packages = with pkgs; [
--- a/lil-maid/modules/steam.nix
+++ b/lil-maid/modules/steam.nix
@ -1,4 +1,9 @@
+{ pkgs, ... }:
 {
+  environment.systemPackages = with pkgs; [
+    protontricks
+  ];
+
  programs = {
    gamescope = {
      enable = true;
--- a/m/hypr.nix
+++ b/m/hypr.nix
@ -14,6 +14,10 @@ in
      portalPackage = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.xdg-desktop-portal-hyprland;
    };

+    programs.hyprlock = {
+      enable = true;
+    };
+
    environment.systemPackages = with pkgs; [
      dunst
      waybar
--- a/m/sops.nix
+++ b/m/sops.nix
@ -21,7 +21,6 @@ in
      (lib.mkIf sops.work.enable {
        "work/ovpn".sopsFile = ../secrets/work.yaml;
        "work/password".sopsFile = ../secrets/work.yaml;
-        "work/shadowsocks".sopsFile = ../secrets/work.yaml;
      })
    ];
  };
--- a/m/sys.nix
+++ b/m/sys.nix
@ -42,7 +42,6 @@ in
    };

    environment.systemPackages = with pkgs; [
-      jujutsu
      ifuse
      libimobiledevice
    ];
@ -52,17 +51,5 @@ in
      enable = true;
      powerOnBoot = sys.bluetooth.powerOnBoot;
    };
-    # nixpkgs.overlays = [
-    #   (final: prev:
-    #     let
-    #       der = pkgs.callPackage ./ivpn {
-    #         buildGoModule = pkgs.buildGo122Module;
-    #       };
-    #     in
-    #     { ivpn = der.ivpn;
-    #       ivpn-service = der.ivpn-service;
-    #     }
-    #   )
-    # ];
  };
 }
--- a/m/vpn/default.nix
+++ b/m/vpn/default.nix
@ -1,5 +1,6 @@
 {
  imports = [
    ./hft.nix
+    ./shadowsocks.nix
  ];
 }
--- a/m/vpn/hft.nix
+++ b/m/vpn/hft.nix
@ -2,6 +2,7 @@
 let
  types = lib.types;
  hft = config.maid.vpn.hft;
+  proxies = config.maid.proxies;
 in
 {
  options.maid.vpn.hft = {
@ -14,6 +15,12 @@ in
  };

  config = lib.mkIf hft.enable {
+    assertions = [
+      { assertion = proxies.yor.enable;
+        message = "HFT OpenVPN requires shadowsocks server to bypass DPI";
+      }
+    ];
+
    services.openvpn.servers.hft = {
      autoStart = hft.autoStart;
      updateResolvConf = true;
@ -24,16 +31,8 @@ in
      '';
    };

-    systemd.services.hft-shadowsocks = {
-      wantedBy = [ "openvpn-hft.service" ];
-      partOf = [ "openvpn-hft.service" ];
-      after = [ "network.target" ];
-
-      description = "Shadowsocks to bypass OpenVPN block";
-      serviceConfig = {
-        Type = "simple";
-        ExecStart = ''${pkgs.shadowsocks-rust}/bin/sslocal --config ${config.sops.secrets."work/shadowsocks".path}'';
-      };
-    };
+    systemd.services.openvpn-hft.requires = [
+      "yor-proxy.service"
+    ];
  };
 }
--- a/m/vpn/shadowsocks.nix
+++ b/m/vpn/shadowsocks.nix
@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.maid.proxies;
+in
+{
+  options.maid.proxies = {
+    yor = {
+      enable = lib.mkEnableOption "Yor shadowsocks proxy";
+    };
+  };
+
+  config = lib.mkIf cfg.yor.enable {
+    systemd.services.yor-proxy = {
+      after = [ "network.target" ];
+      description = "`Yor` proxy server";
+
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = ''${pkgs.shadowsocks-rust}/bin/sslocal --config ${config.sops.secrets."viendesu/shadowsocks/yor".path}'';
+      };
+    };
+  };
+}
--- a/secrets/viendesu.yaml
+++ b/secrets/viendesu.yaml
@ -1,7 +1,7 @@
 viendesu:
    shadowsocks:
        gneg: ENC[AES256_GCM,data:SL1x5cfZeOTjjUBsQpvV3LqMQC5X85DGCxK40XUCwthtNj/5/AMw+DyKMp8bYwX3uABOYOv4SCZwKW4qNI62BztOaMLPA/B4V4QuwdrMNDZYmsU4rsdoVMEhBFT9Qrkx4bNWXVz9MJwAqoxgoZ6OQ+8AsXbdaLJ1y0ohaSEg7/RbzzB0SC7ZtQeBZuPctHIHwcF5JnQIWpQk5IFJlTWldwEvhnnnrwlWOZqngIf9+uD23YwPaywSXovzPgxvtHgM,iv:29lJtDiyYC+XgLIkumGbugCvvTXp9gDiOwKRdagDEjU=,tag:fApsukDpsWa+lvOlcotndA==,type:str]
-        yor: ENC[AES256_GCM,data:jGodjp48W32LYCZZJ84VKQQ4ZQA4CQVOni1pH3Ua7jJWwnQmPf6l9vCXjiMzUR2MYE6oqKnh5ltZ2LuigHHayA3QFF/fM47iASt1/8+iGMJKU9igjeOJwzKHqI0VjrkicsYPqvd11ruqDifV8lwzV4A9+kg4hoIoqyNArmCOoZp/1U11VPjCKtmEAZeX2sZDul12M4BiV47lPqeEjA7njYs6jZcw4NKmI8NLL8JitNTl4CkKKVOPmTMPcOPyfeTvfndO,iv:nKWw8z8LZ8/Z7oFsy4zSrwChnDDOyMolQgNUVPJE9XM=,tag:gb2v41j+bZk4qWLijsPjEg==,type:str]
+        yor: ENC[AES256_GCM,data:BnRgQ/M2uBt5gQEOq3dd5GqoU+b1kR6lul5E2iH+xdyK71XaBIwKdMDsLI/KRfQADjoUKmB9ZognvYT49Xy0f0I7CtEEqStLDy3cwI3qpIDUlGY8pBb3/c/hTJ7yi4n38kjP9w5vQEC1G1U4z2yskDcGw5DYW1oeH1XLiXklDphfPf+OCEfQ3gqGwaOliROMhcAL0QxeIXXEcEvMJvLDfko5ZqPWQdkSu30ea68YVkXoFPqs+DPIl+iqhtdCst9U5uOL,iv:JvQrWTmtkCSgDTy3SkvPtQwXyS45CZ57sEBdaPabvIE=,tag:eOCbVxvwx757jDmo8gTcTg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -17,8 +17,8 @@ sops:
            N0V6Ri9xY2Fkc3JkSmVRdndZc3E5a2sKFiwkii+9vEMaObTSwwb2T7WaBH0VP0qp
            DHMt9nnKfZNun9nW7PGtQwuomfJ6SHGoKwsC2rlt2UqLcETgbgPF/w==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-06T17:48:01Z"
-    mac: ENC[AES256_GCM,data:ZwUQF6/CqEtCRj3uOA8W+UdWZtrZPOhL4E+q293qCfg6GNaDcUEZ6prnCyTagexVmdYeGF6ZYVPwf9OeG6B4DeKgvUwtV7SvzRqnp1C/qtMYP5fhNO47y4bgGTsHhlLdy43TKxav4O8zJfkbCftFBn6VVNI9Lu+73ewFLuiOUrM=,iv:WInvcSPh98dR4sl9/LbUXkf6altRDHOlqiOPLAWkp+c=,tag:zKCd32I9w6BSukYREx6NXQ==,type:str]
+    lastmodified: "2025-01-11T19:19:48Z"
+    mac: ENC[AES256_GCM,data:C32Tm3+iDfp8AVADksUkdD6pBioXWbsyCE/tfIi7dI7e3XSt+0TXuDw2YsC7bsbNxcZo3K4ROKFmf7N0VUDG32I50CS/i+wwUQDzELuzyW/h8LK3/9/Ul1zPqQLyiPMMa5IxFRW64mkME3Zzcn9K2rTyH5W5IEdGOjR8/0v0X+Y=,iv:y3z7SMCwsKrJYFMKSPRkmux4xQ0xkAJCue24WpZX0bI=,tag:TPPQF7j/vH5IFudmOaX0pA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1
--- a/secrets/work.yaml
+++ b/secrets/work.yaml
@ -1,5 +1,4 @@
 work:
-    shadowsocks: ENC[AES256_GCM,data:q4CGvIi+kRLDth/YY1FYS3OR64jDoeTvLNxGryPGsLUBK8enOIH8fbXL2J122vzNOZ7KChRQEn+6J2Bxq5KJwpzwzfk2wRNtxpzNsegVcDM9AOjcn/4ygZLkHD0NInW/IX0WElObempVEjLSoe+jJQNzL70ZxNEgW4BqEbGfo0TULY+5YqWse+1jVz85VFMT6QqdiweIY3B1wq98JQUoOme/i2QPHcnMv0uJWyrS02OcSyjlHRBe5m7M4nq0uLQEWIlJ,iv:D6zv6PNIzzXZo8orA/FRseHHMDUEbk2QE0YfO3HYT9k=,tag:TuDWP+E1aKQekYgIUb6m4Q==,type:str]
    password: ENC[AES256_GCM,data:5qxuI746kcvfAGf5Xn7P,iv:cRptb0CCu/oJO54G4R/3xHTUig25VnCmpDXZeLHbBXg=,tag:gEid1MGUazHefOd2BoJhXA==,type:str]
    ovpn: ENC[AES256_GCM,data:zGwTt/kzJ6JGfXHw9fhMeWcc/dpBR4d/xT/J7SoRMLEGCuBlRC0/ekYiyKnu7K8KyAIn1o2BjuiiNntTYWwxzWqWUuafapHQnNSTfnvjgM6ha+snVZ8cSepxV/oYfxAVKb4wZteSSeFiu8+KJYdnhCH4DlnSjrs9RRh09y0Lb6WVge+g8lzGMpS/fXUwwPGVbEi1kADphS4sVGPceK7sWwxm0rDnS4HNKpF/AYzNhgcaEzyC6v4AmdUJKPWeF5EpbqAzb4NvjQKDA4FbcU3MMlJ75jBHd0X9zAqTLs3+cFuy/wycEVtSbxLbU7Lor+QDMLQiZ0w1HtcAh74ljr6lLygz8rmmqrgh48TAu7z8o56cnTupLbXHRcNr9fEtz0DO+b3xUvSp4c7nxyk+bYkElnAFi73f4zKqzSMpJHWfSvw4nq9mPsQPDlsJlY84PZDGG/uOgNI7rmctesUQ7wW1qeGR9/zp9mLWJ3BPnTN0J23pvrTzPZ3R5EazqxNzGFjGZVJalvd7W/J1M9DIowaNoBoaa/OgmnFni56PtK4b1y4uK+EczKysz62PZDPdUr0/eNPOCI5uFiR/VopnKtgOEezSsJsIbhCgRce5upQuP6Zr45PiNe+9UFb8+MiPIUEEx2+h+0eGnonEBU/z6KUSPjBFYT56wGOLP0zXiQRXMmCUQ9xCOTJeLbnpGrOjmqoO/f0jA6cPPwA81ikhJP9BTSJcMkEj2CIEBIyNNG0VTdRx3z9oyiBjKeqzU8P95L0YO7sD0qopd+BCOYOedQrSfgk+1gMJ2xzFFRBMcXY595OfMzNctkOacxQAOGfCdBFUSp1rsp46eTG5LlAVyQ+KA0ZmeEvVvHCWPTV/N1y6qM4HfKy62KA7ahmMaznHFBTRMtrVAWontcNH703wj5MGNTpDSPYw6+UBhmpkZoFjSNxzv2+t/xuFBeUij5KaEUEFmQvqfhxPQRZXZa0CC5CbTd4Iwms9Z+cVGltqQqrGw7opgkj7WgpSlnpExy+hgqIS9Erv81SN6r6mLesha/kIJXl829jeFwTB7wuSJK1JX9mHhA841ZtMzWO7zYBCI39N0Fd79PXf7+yExGzM4gSkckObPpgIKsTM0tBCBqQFyaukj8PKv3xp5nIqo1pYOQAY9Lr6zhTZJi6PXGtLpRVGgTUzozS7np8ize3QzYOqiAoilVqMqRmYTGr3t3v+1ETkFKfmDW9lyHYZHuN5oAi/ymTX3iCN9aV9XvjdTY/e9TQOBfPQ7dgpvoFKVEyA4APirF3h6kwzU7eXuhTCqKmWP+wqgWGN6B6B1nb0pnZl5uWM3ed281df2mjysAtLH7cOnT6nQWFTOVs4He4mSTxwBbzLfMua8mI+huhnGM1lLOSHAlNy+J568kwFKuPV7/EHKHCngmN7po1sKKnI53eWqJoSzMgebdYTsT64rHy7HM+Nk33xxHV75SKbnh16m70jDiwKxUQsgn7xxVPpvyRjzfP7ediwAa4I543fziAWc7FZivB0/Cvo2umwFPRg1m9pzbNoEBWtGryw6s0jNB0edD99c/EMoJWv1WDrBU2TSm3KMPQ5EoFJyjszb6aW4QAPYg44Xw77Fnaaht0v57afnbHvVS8GCIXh6Rqs8PQePRKgFHg6GZLGMhMSWYMoaRXX2rQ9KIe+VQ1BilXQcocuBzL8MJktaGKSpjsZ7YXrEm57dlfyqjpckgXYA8wk7wcMyL4dsWC1nTfrPd7n0SZIXvZ+EqR37eRlC8RRFCn2KpL0KzoaoYWvhoq4pvffKYq+9KNw9yYJfqgnuxjxrg8p6izl3cgqEXV6aiDnqaDUv81yvSkspcEMO/hn4gyTgebkcm/P7YHu+aZnhxwehoGIr17uYZVye4bJATrZid5JidvadFlB4kfn4q8ZLpuQSrjrP36RCmVteFsP/BGeAjk/cubXpCe4XR3VRR3Siq6kAWXLYh7hv3N5jrr5vwkzFQvWZmy1RW7NvX2B1YBLqIYYgBf42Hn1Rft8z1bAVEjX58HFK6I+d36qaenNi35WI2M3ufJmkWVyasaDRHMwP25ysYfavSoIiW6STtHx42k11aPakBJD0lLRB3WbrOkFfqPmn87EcTeqbWLeS51eQQ1hUqxIrXdnHDhbgZE/Ke0GBcXqekVR/CTSvFBCwwvjOy6SrwyCnzPOX+Qg6s7x1yJi9Q9S9AALYdsVxOXCO/sn3OAXBLcdyP5MFS2vRvh/5vCBnEQbfRrHTHi7EWty341DseB3PZpOiBSE6A6rUcdEAT8qKxcbZRxpQja1tmdxJGjBCiweYe30bsALifggpyK+n3oxsjjcNwjFlTQ9oaWHSrMSHMEVnQ1IsPqZkcQ2JNbX3WO7+fDKktWGA5TEWoF02S2z5sacb7pRkekElm4EmIDfQsQyCsbQZZmBID5G5JHwz1X9DcyfFWsATrj/qPt3qkTPfKkJ3grn9FZGsNDEePGE7eo7gJ7bIN2s6qF6dnxxtIdRrT/3pVKzuYE1SEfSbVFfJ8KMVe20ac7LL0tKQiqj+INLTSUIQzZg9D8iYVt7mhdPEVL0uvScp2Mu0VRIi28tzqe5znMq/hYiVRbCdod6nHQUdDegFIqpwsUNBJDL/WGXSqo3coO/57JeYYsxkoR7Fge7iAG2hAgylkTfdJzpsusXqBaqxNw5rDGwkXFflv0ZQViROXUc1Yv9wfZli4M9rmC/JIyikzDyRrn+990csrCsi+jNHFXyrPvR2PPWrUYufilun/B70jz+TDJnRRTMw7bKgd26l13+rmmDZj15k98MbbYPoAVpFWwSnKdZge4Xdgp2CNn9qSYnlv5dUUBUMrboMNnQfEUSMAjSZZ44HnDuAwaRzLJsHhHBm7gF17hSdoSVeKmEcUmzLQ68wPT3ravz4z6KmHUTolSF0nqIpeu2wm9SoccRm4qBo6snxU3nkNzEiiLJz3qyLGRuUnDWHmFzSsGRCZ559+Uswe4kzQuz5YTn8hoSy9dylvCvy0pvgp4MvZsFe3N8Yven+L3hohb9s52i1MYRw3jpM+rznrzoJSVpiwOSTfCa1tK9g3XclOFdy88WZDKAh6i/VJI3cERZdXnwucFqvus3OppjiNgwEcpgVfaBcDL/cguHHFAkcj1TxGgzJ4RwmtP93+Kp3XN8+NQMV611p7SwJsXwFlOu4i5MCyMuYUBba0kDcTRyEg1OcM7ZVM7322kyTzu75C+fJDXPrL59xWHU3U9Y9Rhn1Gl1Inhy03bJ+xFp20K2dQfroAAgGf+HTwVWTFzygx5D1DLGsoH8ckdDHYTvOLexjltzxSw8aHSReXo0NfkP6qxFN4NYikzpQ5bx9FWIFL5nmHKRfBlumqyaM4OIvIhAp9kP4+xYdiVJCjzkidW2Kw33hRX7Fbu/2u0ID1pjVYmq72nyj+2+/dOebfYXvCH+rFf3v/U+KQ5F6wRLwwgJCbE28+JolirUt8PxX3+cfeskYtnZs6cEpIrmJmVqCXf9qwP2k9vFT2Bp6oS5ff2ENNiRJWBXkQWivrhS1wuZJ66XNNYa/r1W0kW9twh9vADBIHSzaZtif/SI0lYOt4Nt74Fx9ZqOWwpgmU6JrDiDVxtao5g4AZp81G4gUx6JwoS0HSi3i7/ImfrX+tZG2smjiLHoxPJYLN9uqqHF5IBkPmdlAG+1kqsjsXIgb3zLQBCjTNsd96cFgyT8lXQOGD7Hz31NDBX3FnsTyxOWNzyWpDbFSOh4VlY77eP3y3673qIJ7JPAjLyeutQ7quiqvYtVVyzWN3c1Hbuagd9tz/hl3tPfQn+B1SlSO/5KZROYBN9b4Iqslu5hE7VVPXv2by/qLCAm04daFLpHO+wzPByU02qDDoamA6wHLy8kY/z9Au4A1dm2v0BZ8+xVpbMbFGiou04AAtR/cOFECmNLQiLFaEDq3rkGFbcUXGLm8t52mnO/3FhxO0sw15o7HKRZpCDOMJuWnxjZzPu/wmqWOFh3d1jEWvU+Y6+JR9Lzf9pncLvt/9E83YijgPKVviSwFWG1gc3Ob0HDBZxizk1+cTlncLXKeKOjS65EMdtB9Mo8lcaD2BfTAwDOAK+bH6eICq0pNny95yqAv2p1aFpHqFLe9KrYELjHISl7b0J7oh3Xbwe+wcLZMWwthKkCLOufqOft4HPuCAVjQz2XPeTlc9b3,iv:FEBT6q49/pXSon8NFmPMww6t0oQiDhql4dUq/Hof4rk=,tag:LI/uE+iyFgWK1SPUf3ZiLg==,type:str]
 sops:
@ -17,8 +16,8 @@ sops:
            QzcyK0h6YldzTkYrZFJXb3YzOG9qK0EKpbeTaXm6pAgAmaUKdu9s/+VBVxzWZwmj
            aditPFcdqIhgkSoRoJhBLE7S4QZ6clCmKP4gCWVHg0KgpyKaZgxOFw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-06T17:51:32Z"
-    mac: ENC[AES256_GCM,data:QnGDLbYOckEv4E1zhlk+/SGXcsVWwvQSlUT9KmebbmhMK26n9oC8geFFDwUbmCdLH0sc3pwKtKByBVi6zbFL80h3oHKUdO0WOp327y+sLgIIgZCL8IPeK9MhBOnNof3Sxm1HGEpa7u+Re79V3Ge4DRfGosZ9+kEMD7VDI+TlMtg=,iv:puq/41f14R0/yyEehahJ4n0qzQypW8S4OvKgLXpkPLA=,tag:2TbabTs2tth62nJuafYPLQ==,type:str]
+    lastmodified: "2025-01-11T19:19:16Z"
+    mac: ENC[AES256_GCM,data:2Tgt19GSch+rpJAtWQXxPAdkXhR19J673ax8m1x2KAaK2A4rWAWbkGMftM5/4RrTlnuj1q7N9piNYI9HcVvel3hLX9Ww0gklKz2B41eIsMdCdak8b7J98oWPMWlaIULT23mh02lGLTd2NDl+G8VTQDFcUY5/0ixA9e9AZEF5xrU=,iv:cVi9QfHKue/7KXOaueldETkUIycHjntMy/wWlXJ3Eow=,tag:Y+pyu5IrcaOFPyuA0DRYyA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1