zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Verify RSA-SHA256 signature on PIA server list response
All checks were successful
Check Flake / check-flake (push) Successful in 3m20s
Details

Browse Source 
The server list endpoint returns JSON on line 1 with a base64-encoded
RSA-SHA256 signature on lines 3+. This was previously ignored. Add
verifyServerList() that checks the signature against PIA's public
signing key before trusting the data. On failure the service aborts
and systemd restarts it.

Also bump RestartSec to 5m to avoid hammering PIA servers on repeated
failures, and add openssl to container dependencies.
This commit is contained in:
Zuckerberg
2026-02-26 22:32:23 -08:00
parent 1dd1b420d5
commit ce9bda8a0b
3 changed files with 36 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
common/network/pia-vpn/vpn-container.nix
View File

@@ -73,7 +73,7 @@ in
config = { config, pkgs, lib, ... }:
let
scriptPkgs = with pkgs; [ wireguard-tools iproute2 curl jq iptables coreutils ];
scriptPkgs = with pkgs; [ wireguard-tools iproute2 curl jq iptables coreutils openssl ];
in
{
imports = allModules;
@@ -133,7 +133,7 @@ in
serviceConfig = {
Type = "simple";
Restart = "always";
RestartSec = "10s";
RestartSec = "5m";
RuntimeMaxSec = "30d";
};