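# NixOS module: OpenVPN client profiles for Private Internet Access (PIA).
#
# One `services.openvpn.servers.<region>` entry is generated per PIA region
# listed at the bottom.  All of them are `autoStart = false`, so a tunnel is
# brought up by hand (systemd unit `openvpn-<region>`).
#
# Security notes (reviewed, not all changed here):
#   * The credentials file is installed root-only at `secret` for
#     `auth-user-pass`, but see the NOTE(review) on the activation script:
#     the path interpolation still copies it into the world-readable store.
#   * The derivation `src` is filtered so the credentials are NOT copied
#     into the store as part of the `./pia` source tree.
#   * The `down` script had an unterminated quote (shell syntax error), so
#     the tunnel's resolvconf entry was never withdrawn on disconnect.
{ config, pkgs, ... }:
# `lib` is brought into scope for `genAttrs` below.
with pkgs.lib;
let
  # Runtime location of the OpenVPN `auth-user-pass` file.  Installed with
  # mode 0600 (root) by the activation script; never a store path.
  secret = "/root/secrets/pia-user-pass";

  # CA certificate, CRL and the up/down helper scripts shipped in ./pia.
  # `./pia` also holds `user-pass` (see the activation script), so it is
  # filtered out of `src`: a plain `src = ./pia` copies the whole directory,
  # credentials included, into /nix/store where every local user can read it.
  scripts = pkgs.stdenv.mkDerivation {
    name = "pia-scripts";
    src = builtins.filterSource
      (path: type: baseNameOf path != "user-pass")
      ./pia;
    installPhase = ''
      mkdir -p $out/share $out/bin
      cp crl.rsa.2048.pem $out/share
      cp ca.rsa.2048.crt $out/share
      cp up $out/bin/pia-up
      cp down $out/bin/pia-down
    '';
  };

  # OpenVPN options shared by every region.  This mirrors PIA's legacy
  # "default strength" profile (RSA-2048 CA/CRL on port 1198), which is why
  # the cipher/HMAC are the weak `aes-128-cbc` / `sha1`; PIA's stronger
  # profile uses a different port and the rsa.4096 CA/CRL files, which are
  # not present in ./pia, so it is not switched here.
  #
  # NOTE(review) on individual options, left unchanged because the server
  # side must agree with them:
  #   comp-lzo     enables tunnel compression, which exposes the link to
  #                compression-oracle attacks (VORACLE); prefer dropping it
  #                if the PIA server accepts an uncompressed client.
  #   reneg-sec 0  disables client-initiated key renegotiation; the session
  #                key then lives as long as the server's own reneg interval.
  #   disable-occ  suppresses the options-consistency warning, so a mismatch
  #                with the server (e.g. cipher) will not be reported.
  #   remote-cert-tls server + ca + crl-verify are present and are what
  #                pins the peer to PIA's CA; there is no verify-x509-name.
  default = ''
    client
    dev tun
    proto udp
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher aes-128-cbc
    auth sha1
    tls-client
    remote-cert-tls server
    auth-user-pass ${secret}
    comp-lzo
    verb 1
    reneg-sec 0
    crl-verify ${scripts}/share/crl.rsa.2048.pem
    ca ${scripts}/share/ca.rsa.2048.crt
    disable-occ
    redirect-gateway autolocal
  '';

  # Build one `services.openvpn.servers` entry for a PIA region.
  # `name` is the PIA hostname prefix, e.g. "ca-toronto".
  server = name: {
    config = ''
      ${default}
      remote ${name}.privateinternetaccess.com 1198
    '';
    autoStart = false;
    # OpenVPN exports $dev (the tun interface) to the up/down scripts.
    # NOTE(review): 8.8.8.8 is a third-party resolver.  With
    # `redirect-gateway` the queries do traverse the tunnel, but DNS history
    # still goes to Google rather than to PIA's resolvers; kept as-is since
    # that is operator policy, not a defect of this module.
    up = ''
      echo nameserver 8.8.8.8 | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev
      echo -n ${name} > /var/run/pia
    '';
    # Fix: the original line ended in a stray `"` (unterminated quote), which
    # made the generated down script a shell syntax error, so `resolvconf -d`
    # never ran and the tunnel's nameserver entry outlived the connection.
    down = ''
      rm -f /var/run/pia
      ${pkgs.openresolv}/sbin/resolvconf -d $dev
    '';
  };
in
{
  environment.systemPackages = [ scripts ];

  # Install the credentials at `secret`, root-only, before services start.
  #
  # NOTE(review): `${./pia/user-pass}` interpolates a *path*, and Nix copies
  # any path used in a string into /nix/store (mode 0444, world-readable).
  # The 0600 copy below is therefore not the only copy of the credentials on
  # the machine.  Two ways to close this, depending on how the config is
  # deployed:
  #   * builds on the target host (plain nixos-rebuild from /etc/nixos):
  #     use `${toString ./pia/user-pass}`, which yields the absolute path of
  #     the source file without copying it into the store; or
  #   * otherwise, provision the file out-of-band (deployment keys,
  #     agenix/sops-nix) and drop this activation script entirely.
  # Not changed here because the deployment model is not visible in this
  # file and the `toString` form breaks remote builds.
  system.activationScripts.pia = {
    text = ''
      mkdir -p -m 0700 `dirname ${secret}`
      install -m 0600 ${./pia/user-pass} ${secret}
    '';
    deps = [];
  };

  # One OpenVPN profile per region; each value is `server <region>`.
  services.openvpn.servers = genAttrs [
    "ca-toronto"
    "ca-vancouver"
    "hk"
    "japan"
    "sg"
    "us-texas"
  ] server;
}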