zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Verify RSA-SHA256 signatures on all PIA API responses
All checks were successful
Check Flake / check-flake (push) Successful in 3m18s
Details

Browse Source 
Every PIA API response includes a trailing RSA-SHA256 signature
(line 1 = JSON, lines 3+ = base64-encoded signature) which was
previously ignored entirely. Add verifyPIAResponse() that checks
each response against PIA's public signing key before trusting
the data. On verification failure the service aborts and systemd
restarts it.

Also bump RestartSec to 5m to avoid hammering PIA servers on
repeated failures.
This commit is contained in:
Zuckerberg
2026-02-26 22:06:35 -08:00
parent 1dd1b420d5
commit 9fdadd321c
3 changed files with 52 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
common/network/pia-vpn/vpn-container.nix
View File

@@ -73,7 +73,7 @@ in
config = { config, pkgs, lib, ... }:
let
scriptPkgs = with pkgs; [ wireguard-tools iproute2 curl jq iptables coreutils ];
scriptPkgs = with pkgs; [ wireguard-tools iproute2 curl jq iptables coreutils openssl ];
in
{
imports = allModules;
@@ -133,7 +133,7 @@ in
serviceConfig = {
Type = "simple";
Restart = "always";
RestartSec = "10s";
RestartSec = "5m";
RuntimeMaxSec = "30d";
};