feat: pyload config change, cyberghost change

hosts/nas/modules/cyberghost.nix

@@ -12,6 +12,14 @@ in
     mode = "0400";
     owner = "root";
   };
+  sops.secrets.cyberghost-cert = {
+    mode = "0400";
+    owner = "root";
+  };
+  sops.secrets.cyberghost-key = {
+    mode = "0400";
+    owner = "root";
+  };
 
   environment.systemPackages = [ pkgs.openvpn ];
 
@@ -23,7 +31,7 @@ in
       client
       dev tun
       proto udp
-      87-1-hu.cg-dialup.net 443
+      remote 87-1-hu.cg-dialup.net 443
       resolv-retry infinite
       nobind
       persist-key
@@ -32,11 +40,20 @@ in
       # Authentication
       auth-user-pass ${config.sops.secrets.cyberghost-auth.path}
       ca ${config.sops.secrets.cyberghost-ca.path}
+      cert ${config.sops.secrets.cyberghost-cert.path}
+      key ${config.sops.secrets.cyberghost-key.path}
 
       # Security
-      cipher AES-256-CBC
+      data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
+      data-ciphers-fallback AES-256-CBC
       auth SHA256
       remote-cert-tls server
+      script-security 2
+
+      # Connection
+      ping 5
+      explicit-exit-notify 2
+      route-delay 5
 
       # Split tunnel: Don't pull routes from server, we'll set our own
       route-nopull
@@ -48,7 +65,7 @@ in
       # Keep local network route direct
       route ${localNetwork} net_gateway
 
-      verb 3
+      verb 4
     '';
   };
 

hosts/nas/modules/pyload.nix

@@ -89,6 +89,9 @@ in
       # Enable ExternalScripts plugin for hooks
       PYLOAD__EXTERNALSCRIPTS__ENABLED = "1";
       PYLOAD__EXTERNALSCRIPTS__UNLOCK = "1";  # Run hooks asynchronously
+
+      # DdownloadCom plugin: don't fall back to free if premium fails
+      PYLOAD__DDOWNLOADCOM__FALLBACK = "0";
     };
 
     serviceConfig = {