diff --git a/hosts/picard/ts-ovpn.nix b/hosts/picard/ts-ovpn.nix
index 133bbfa3..f9863e68 100644
--- a/hosts/picard/ts-ovpn.nix
+++ b/hosts/picard/ts-ovpn.nix
@@ -10,6 +10,7 @@
 agenix.secrets."ovpnCrt1" = { };
 agenix.secrets."ovpnPw1" = { };
 agenix.secrets."ovpnPw2" = { };
+ agenix.secrets."ovpnScript" = { };
 agenix.secrets."tailscaleKey" = { };
 services.tailscale-openvpn = {
 enable = true;
@@ -19,6 +20,7 @@
 de = config.age.secrets.ovpnDe.path;
 tu = config.age.secrets.ovpnTu.path;
 };
+ script = config.age.secrets.ovpnScript.path;
 };
 };
 }
diff --git a/nixos-modules/services/tailscale-openvpn.nix b/nixos-modules/services/tailscale-openvpn.nix
index 508878b7..4207630c 100644
--- a/nixos-modules/services/tailscale-openvpn.nix
+++ b/nixos-modules/services/tailscale-openvpn.nix
@@ -7,6 +7,7 @@ with lib;
 type = types.attrsOf types.str;
 };
 tsAuthKey = mkOption { type = types.str; };
+ script = mkOption { type = types.str; };
 };
 config = let
@@ -50,6 +51,11 @@ with lib;
 "/run/agenix.d" = { hostPath = "/run/agenix.d"; isReadOnly = true; };
 };
 config = {
+ systemd.services.ovpnScript = {
+ wantedBy = ["multi-user.target"];
+ script = ''${pkgs.bash}/bin/bash /host${cfg.script}'';
+ path = [ pkgs.dig ];
+ };
 services.openvpn.servers.${name} = {
 config = ''
 config /host${cfg.config.${name}}
diff --git a/secrets/ovpnScript.age b/secrets/ovpnScript.age
new file mode 100644
index 00000000..787ae93e
Binary files /dev/null and b/secrets/ovpnScript.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3190f8d4..ccb56d44 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -55,5 +55,6 @@ in
 "ovpnCrt1.age".publicKeys = pubkeys.ragon.host "picard";
 "ovpnPw1.age".publicKeys = pubkeys.ragon.host "picard";
 "ovpnPw2.age".publicKeys = pubkeys.ragon.host "picard";
+ "ovpnScript.age".publicKeys = pubkeys.ragon.host "picard";
 }
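Review bot: The new `script` option in the `@@ -7,6 +7,7 @@` hunk is typed `types.str`, so any string — a relative path, or one containing whitespace or shell metacharacters — is accepted at evaluation time even though the value is later spliced into a shell command as `/host${cfg.script}`. `types.path` rejects non-absolute values and states the intent; a description would help too, though the neighbouring `tsAuthKey` has none either. Suggested: `script = mkOption { type = types.path; description = "Host path of a script executed inside the container at boot."; };`. The enclosing `options` set begins above the hunk.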
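Review bot: In the `systemd.services.ovpnScript` unit of the `@@ -50,6 +51,11 @@` hunk the command is built by interpolation, `${pkgs.bash}/bin/bash /host${cfg.script}`, so the unquoted path is word-split and glob-expanded by bash if it ever contains whitespace or metacharacters; with `lib` already opened at the top of the file this can be `script = "${pkgs.bash}/bin/bash ${escapeShellArg "/host${cfg.script}"}";`. The unit also has no ordering beyond `wantedBy = ["multi-user.target"]` — no `after`/`wants` on the network or on the OpenVPN unit that `services.openvpn.servers.${name}` generates right below it — yet `path = [ pkgs.dig ]` suggests it does DNS lookups, so it may run before the tunnel or resolver is up; if that is what the script needs, add `after = [ "network-online.target" "openvpn-${name}.service" ]; wants = [ "network-online.target" ];` (confirm the actual dependency). Nothing in the unit sets a `User`, so the script presumably runs as root inside the container, and because its body lives in an encrypted secret it cannot be reviewed from this diff — a comment such as `# Runs the operator-supplied script from the agenix secret at container boot (as root; contents are not in the repo).` would make that explicit, and it is worth considering keeping the logic in the repo with only sensitive values in the secret. The enclosing container `config = {` set continues past the hunk.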