From 2738f6b7942cdcc07f3cf9d4cf50335467875f94 Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Sun, 24 Jul 2022 12:13:17 -0400
Subject: [PATCH] WIP wireguard vpn
---
 machines/ray/ca.rsa.4096.crt | 43 +++++++++++++++++++
 machines/ray/configuration.nix | 75 ++++++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 111 insertions(+), 7 deletions(-)
 create mode 100644 machines/ray/ca.rsa.4096.crt
diff --git a/machines/ray/ca.rsa.4096.crt b/machines/ray/ca.rsa.4096.crt
new file mode 100644
index 0000000..82dec69
--- /dev/null
+++ b/machines/ray/ca.rsa.4096.crt
@@ -0,0 +1,43 @@ +-----BEGIN CERTIFICATE----- +MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD +VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV +BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu +dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx +IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB +FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzQw +MzNaFw0zNDA0MTIxNzQwMzNaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex +EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg +QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE +AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50 +ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy +bmV0YWNjZXNzLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVk +hjumaqBbL8aSgj6xbX1QPTfTd1qHsAZd2B97m8Vw31c/2yQgZNf5qZY0+jOIHULN +De4R9TIvyBEbvnAg/OkPw8n/+ScgYOeH876VUXzjLDBnDb8DLr/+w9oVsuDeFJ9K +V2UFM1OYX0SnkHnrYAN2QLF98ESK4NCSU01h5zkcgmQ+qKSfA9Ny0/UpsKPBFqsQ +25NvjDWFhCpeqCHKUJ4Be27CDbSl7lAkBuHMPHJs8f8xPgAbHRXZOxVCpayZ2SND +fCwsnGWpWFoMGvdMbygngCn6jA/W1VSFOlRlfLuuGe7QFfDwA0jaLCxuWt/BgZyl +p7tAzYKR8lnWmtUCPm4+BtjyVDYtDCiGBD9Z4P13RFWvJHw5aapx/5W/CuvVyI7p +Kwvc2IT+KPxCUhH1XI8ca5RN3C9NoPJJf6qpg4g0rJH3aaWkoMRrYvQ+5PXXYUzj +tRHImghRGd/ydERYoAZXuGSbPkm9Y/p2X8unLcW+F0xpJD98+ZI+tzSsI99Zs5wi +jSUGYr9/j18KHFTMQ8n+1jauc5bCCegN27dPeKXNSZ5riXFL2XX6BkY68y58UaNz +meGMiUL9BOV1iV+PMb7B7PYs7oFLjAhh0EdyvfHkrh/ZV9BEhtFa7yXp8XR0J6vz +1YV9R6DYJmLjOEbhU8N0gc3tZm4Qz39lIIG6w3FDAgMBAAGjggFUMIIBUDAdBgNV +HQ4EFgQUrsRtyWJftjpdRM0+925Y6Cl08SUwggEfBgNVHSMEggEWMIIBEoAUrsRt +yWJftjpdRM0+925Y6Cl08SWhge6kgeswgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI +EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl +cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw +HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0 +ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl 
+aW50ZXJuZXRhY2Nlc3MuY29tggkAnS7684Nkme0wDAYDVR0TBAUwAwEB/zANBgkq
+hkiG9w0BAQ0FAAOCAgEAJsfhsPk3r8kLXLxY+v+vHzbr4ufNtqnL9/1Uuf8NrsCt
+pXAoyZ0YqfbkWx3NHTZ7OE9ZRhdMP/RqHQE1p4N4Sa1nZKhTKasV6KhHDqSCt/dv
+Em89xWm2MVA7nyzQxVlHa9AkcBaemcXEiyT19XdpiXOP4Vhs+J1R5m8zQOxZlV1G
+tF9vsXmJqWZpOVPmZ8f35BCsYPvv4yMewnrtAC8PFEK/bOPeYcKN50bol22QYaZu
+LfpkHfNiFTnfMh8sl/ablPyNY7DUNiP5DRcMdIwmfGQxR5WEQoHL3yPJ42LkB5zs
+6jIm26DGNXfwura/mi105+ENH1CaROtRYwkiHb08U6qLXXJz80mWJkT90nr8Asj3
+5xN2cUppg74nG3YVav/38P48T56hG1NHbYF5uOCske19F6wi9maUoto/3vEr0rnX
+JUp2KODmKdvBI7co245lHBABWikk8VfejQSlCtDBXn644ZMtAdoxKNfR2WTFVEwJ
+iyd1Fzx0yujuiXDROLhISLQDRjVVAvawrAtLZWYK31bY7KlezPlQnl/D9Asxe85l
+8jO5+0LdJ6VyOs/Hd4w52alDW/MFySDZSfQHMTIc30hLBJ8OnCEIvluVQQ2UQvoW
++no177N9L2Y+M9TcTA62ZyMXShHQGeh20rb4kK8f+iFX8NxtdHVSkxMEFSfDDyQ=
+-----END CERTIFICATE-----
diff --git a/machines/ray/configuration.nix b/machines/ray/configuration.nix
index 0716eec..7e79c69 100644
--- a/machines/ray/configuration.nix
+++ b/machines/ray/configuration.nix
@@ -1,9 +1,9 @@
 { config, pkgs, lib, ... }:
 {
- disabledModules = [
+ disabledModules = [
 "hardware/video/nvidia.nix"
- ];
+ ];
 imports = [
 ./hardware-configuration.nix
 ./nvidia.nix
@@ -32,20 +32,81 @@ hardware.nvidia = {
 modesetting.enable = true; # for nvidia-vaapi-driver
 prime = {
- #reverse_sync.enable = true;
- offload.enable = true;
- offload.enableOffloadCmd = true;
- #sync.enable = true;
+ sync.enable = true;
 nvidiaBusId = "PCI:1:0:0";
 amdgpuBusId = "PCI:4:0:0";
 };
 powerManagement = {
 # enable = true;
 # finegrained = true;
- coarsegrained = true;
+# coarsegrained = true;
 };
 };
+ # vpn-container.enable = true;
+ # containers.vpn.interfaces = [ "piaw" ];
+
+ # allow traffic for wireguard interface to pass
+ # networking.firewall = {
+ # # wireguard trips rpfilter up
+ # extraCommands = ''
+ # ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
+ # ip46tables -t raw -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
+ # '';
+ # extraStopCommands = ''
+ # ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
+ # ip46tables -t raw -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
+ # '';
+ # };
+
+ # systemd.services.pia-vpn-wireguard = {
+ # enable = true;
+ # description = "PIA VPN WireGuard Tunnel";
+ # requires = [ "network-online.target" ];
+ # after = [ "network.target" "network-online.target" ];
+ # wantedBy = [ "multi-user.target" ];
+ # environment.DEVICE = "piaw";
+ # path = with pkgs; [ kmod wireguard-tools jq curl ];
+
+ # serviceConfig = {
+ # Type = "oneshot";
+ # RemainAfterExit = true;
+ # };
+
+ # script = ''
+ # WG_HOSTNAME=zurich406
+ # WG_SERVER_IP=156.146.62.153
+
+ # PIA_USER=`sed '1q;d' /run/agenix/pia-login.conf`
+ # PIA_PASS=`sed '2q;d' /run/agenix/pia-login.conf`
+ # PIA_TOKEN=`curl -s -u "$PIA_USER:$PIA_PASS" https://www.privateinternetaccess.com/gtoken/generateToken | jq -r '.token'`
+ # privKey=$(wg genkey)
+ # pubKey=$(echo "$privKey" | wg pubkey)
+ # wireguard_json=`curl -s -G --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" --cacert "${./ca.rsa.4096.crt}" --data-urlencode "pt=$PIA_TOKEN" --data-urlencode "pubkey=$pubKey" https://$WG_HOSTNAME:1337/addKey`
+
+ # echo "
+ # [Interface]
+ # Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
+ # PrivateKey = $privKey
+ # ListenPort = 51820
+ # [Peer]
+ # PersistentKeepalive = 25
+ # PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
+ # AllowedIPs = 0.0.0.0/0
+ # Endpoint = $WG_SERVER_IP:$(echo "$wireguard_json" | jq -r '.server_port')
+ # " > /tmp/piaw.conf
+
+ # # TODO make /tmp/piaw.conf ro to root
+
+ # ${lib.optionalString (!config.boot.isContainer) "modprobe wireguard"}
+ # wg-quick up /tmp/piaw.conf
+ # '';
+
+ # preStop = ''
+ # wg-quick down /tmp/piaw.conf
+ # '';
+ # };
+ # age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
 virtualisation.docker.enable = true;