rust pobeda

modules/vpn/default.nix

@@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./hft.nix
+    ./shadowsocks.nix
+  ];
+}

modules/vpn/hft.nix

@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+let
+  secrets = config.sops.secrets;
+in
+{
+  sops.secrets."work/ovpn".sopsFile = ../../secrets/work.yaml;
+  sops.secrets."work/password".sopsFile = ../../secrets/work.yaml;
+
+  services.openvpn.servers.hft = {
+    autoStart = false;
+    updateResolvConf = true;
+
+    config = ''
+      config ${secrets."work/ovpn".path}
+      askpass ${secrets."work/password".path}
+    '';
+  };
+  systemd.services.openvpn-hft.requires = ["yor-proxy.service"];
+}

modules/vpn/shadowsocks.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+let
+  secrets = config.sops.secrets;
+  yorCfg = secrets."viendesu/shadowsocks/yor".path;
+in
+{
+  sops.secrets = {
+    "viendesu/shadowsocks/gneg".sopsFile = ../../secrets/viendesu.yaml;
+    "viendesu/shadowsocks/yor".sopsFile = ../../secrets/viendesu.yaml;
+  };
+
+  systemd.services.yor-proxy = {
+    after = [ "network.target" ];
+    description = "`Yor` shadowsocks";
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = ''${pkgs.shadowsocks-rust}/bin/sslocal --config ${yorCfg}'';
+    };
+  };
+}