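# OpenVPN client profile for Calyx (https://calyx.net), run inside its own
# network namespace so that only traffic explicitly placed in that namespace
# can leave through the tunnel.
{
  pkgs,
  lib,
  config,
  ...
}:
let
  # Name of the network namespace; also used to derive the systemd unit name,
  # the tun device name and the runtime directory.
  netns = "calyx";

  # Calyx hands out an anonymous client key+certificate from this endpoint.
  # It is re-fetched on every service start (see `preStart` below).
  apiUrl = "https://api.calyx.net:4430/3/cert";

  # The Calyx CA, fetched at build time as a fixed-output derivation.
  # NOTE(review): `-k` disables TLS verification for this download, so the
  # only integrity guarantee on ca.crt is the pinned `hash` below — keep it
  # pinned and re-verify the fingerprint out of band whenever it is bumped.
  # The trailing `+ ""` coerces the derivation to its store-path string, which
  # is what the openvpn `ca` setting and curl's `--cacert` expect.
  ca =
    pkgs.fetchurl {
      url = "https://calyx.net/ca.crt";
      hash = "sha256-zLs7TRXrHlPjqdaBN1cmbB062XhKs4cv5ajmrkg4O8s=";
      curlOptsList = [ "-k" ];
    }
    + "";

  # Single PEM holding both the private key and the certificate, written into
  # the unit's private RuntimeDirectory (mode 0700, see `serviceConfig`).
  key-cert = "/run/openvpn-${netns}/key+cert.pem";
in
{
  services.openvpn.servers.${netns} = {
    inherit netns;
    settings = {
      remote =
        # new-york (vpn2.calyx.net)
        [ "162.247.72.193" ] ++ [ ];
      # Only has an effect once more than one `remote` is listed above.
      remote-random = true;
      port = "443";
      proto = "tcp";
      inherit ca;
      # Key and certificate are kept in the same file (see `preStart`).
      key = key-cert;
      cert = key-cert;

      # Data-channel HMAC and TLS suite as dictated by the Calyx server.
      # NOTE(review): both are legacy choices (HMAC-SHA1, a non-AEAD CBC
      # suite); raise with the provider rather than changing them here, as a
      # mismatch with the server would only break the handshake.
      auth = "SHA1";
      client = true;
      dev = "ov-${netns}";
      dev-type = "tun";
      keepalive = "10 30";
      nobind = true;
      persist-key = true;
      persist-tun = true;
      # Require the peer to present a TLS *server* certificate, so another
      # client certificate issued by the same CA cannot impersonate the server.
      remote-cert-tls = "server";
      # Disables OpenVPN's periodic TLS renegotiation for this session.
      reneg-sec = 0;
      script-security = 2;
      tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
      tls-client = true;
      up-restart = true;
      verb = 3;
    };
  };

  systemd.services."openvpn-${netns}" = {
    after = [ "network-online.target" ];
    # Obtain a fresh key+cert from the Calyx API before every start.
    # `--fail` turns an HTTP error status into a non-zero exit so the unit
    # fails instead of handing OpenVPN an error page as its key file;
    # `umask 077` keeps the PEM private from the moment curl creates it
    # (the containing directory is 0700 as well, so this is belt and braces).
    preStart = ''
      (
        set -ex
        umask 077
        ${pkgs.curl}/bin/curl --fail -X POST --cacert ${ca} -o ${key-cert} -vLs ${apiUrl}
        chmod 600 ${key-cert}
      )
    '';
    serviceConfig = {
      RuntimeDirectory = [ "openvpn-${netns}" ];
      RuntimeDirectoryMode = "0700";
    };
  };

  # Host-side egress for the openvpn unit (running as root): the VPN endpoint
  # on 443 and the certificate API on 4430.
  # NOTE(review): the 443 rule is not limited to the `remote` address(es)
  # above; add an `ip daddr` match if root's HTTPS egress is not otherwise
  # restricted by the rest of the ruleset.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        skuid root tcp dport https counter accept comment "OpenVPN Calyx"
        skuid root tcp dport 4430 counter accept comment "OpenVPN Calyx (API)"
      }
    }
  '';

  # Rules applied inside the namespace: private (RFC 1918) and 224.0.0.0/3
  # (multicast and above) destinations may only do DNS, everything else may
  # only do HTTP(S); all other egress is logged and dropped.
  services.netns.namespaces.${netns} = {
    nftables = lib.mkBefore ''
      include "${../networking/nftables.txt}"
      table inet filter {
        chain output-lan {
          meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
          log prefix "calyx: output-lan: " counter drop
        }
        chain output-net {
          tcp dport { http, https } counter accept comment "HTTP"
          log prefix "calyx: output-net: " counter drop
        }
        chain output {
          ip daddr 10.0.0.0/8 counter goto output-lan
          ip daddr 172.16.0.0/12 counter goto output-lan
          ip daddr 192.168.0.0/16 counter goto output-lan
          ip daddr 224.0.0.0/3 counter goto output-lan
          jump output-net
          log prefix "calyx: output: " counter drop
        }
      }
    '';
  };
}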