nix: update nixpkgs

[julm/julm-nix.git] / nixos / profiles / openvpn / calyx.nix

{ pkgs, lib, config, ... }:
let
  netns = "calyx";
  inherit (config.services) openvpn;
  apiUrl = "https://api.calyx.net:4430/3/cert";
  ca = pkgs.fetchurl
    {
      url = "https://calyx.net/ca.crt";
      hash = "sha256-NKLkpjjeGMN07htuWydBMQ03ytxF9CLm8SLNl3IPPGc=";
      curlOptsList = [ "-k" ];
    } + "";
  key-cert = "/run/openvpn-${netns}/key+cert.pem";
in
{
  services.openvpn.servers.${netns} = {
    inherit netns;
    settings = {
      remote =
        # new-york
        [ "162.247.73.193" ] ++
        [ ];
      remote-random = true;
      port = "443";
      proto = "tcp";
      inherit ca;
      key = key-cert;
      cert = key-cert;

      auth = "SHA1";
      cipher = "AES-128-CBC";
      client = true;
      dev = "ov-${netns}";
      dev-type = "tun";
      keepalive = "10 30";
      nobind = true;
      persist-key = true;
      persist-tun = true;
      remote-cert-tls = "server";
      reneg-sec = 0;
      script-security = 2;
      tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
      tls-client = true;
      tun-ipv6 = true;
      up-restart = true;
      verb = 3;
    };
  };
  systemd.services."openvpn-${netns}" = {
    after = [ "network-online.target" ];
    preStart = ''
      (
      set -ex
      ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
      chmod 700 ${key-cert}
      )
    '';
    serviceConfig = {
      RuntimeDirectory = [ "openvpn-${netns}" ];
      RuntimeDirectoryMode = "0700";
    };
  };
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        skuid root tcp dport https counter accept comment "OpenVPN Calyx"
        skuid root tcp dport 4430 counter accept comment "OpenVPN Calyx (API)"
      }
    }
  '';
  services.netns.namespaces.${netns} = {
    nftables = lib.mkBefore ''
      include "${../networking/nftables.txt}"
    '';
  };
}