nixOps and OpenVPN

Currently I have a droplet at digitalocean which powers my OpenVPN as well as some other stuff.

I was able to cover “other stuff” by nixOps for now, but struggle with the OpenVPN.

The current OpenVPN is fully managed by some script I found online. This script creates and deletes certificates and key files as necessary, but I have to SSH into the machine to do so.

After I have created some new user or deleted one, I have to manually back up the new store, and I have to manually download and distribute the clientside config file from there for each individual client.

I’d prefer if there was a way to have all of this managed through nixOps, such that I just add a VPN user in the nixOps config, run a deploy and then everything happens manually, having all files I need for the client locally available.

Is there something for nixOps that would make this possible?

PS: I’m in no way fixed to OpenVPN, I’d be fine with any VPN service that I could run on the droplet and that I could use on nixOS, Arch Linux and Windows clients, either through NetworkManager, Windows Network Settings or Client Software (which is allowed to be proprietary, but shouldn’t cost much).

Does anyone have an idea?

Having OpenVPN available is some kind of showstopper for me…

I once built a proof of concept that used NixOps to build an OpenVPN and WireGuard mesh. I have some PRs in with NixOps that make this easier (creating fresh CAs and certificate infrastructure automatically requires enhanced resource creation). It was similar to what you describe, client configuration and certs generated as needed for each machine and for a configurable number of external clients.

Not sure if it’s available publicly. I’ll take a look.

https://github.com/NixOS/nixops/pull/1048

Any links to the prototype?