nixos/profiles/openvpn/calyx.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   netns = "calyx";
   4   inherit (config.services) openvpn;
   5   apiUrl = "https://api.calyx.net:4430/3/cert";
   6   ca = pkgs.fetchurl
   7     {
   8       url = "https://calyx.net/ca.crt";
   9       hash = "sha256-zLs7TRXrHlPjqdaBN1cmbB062XhKs4cv5ajmrkg4O8s=";
  10       curlOptsList = [ "-k" ];
  11     } + "";
  12   key-cert = "/run/openvpn-${netns}/key+cert.pem";
  13 in
  14 {
  15   services.openvpn.servers.${netns} = {
  16     inherit netns;
  17     settings = {
  18       remote =
  19         # new-york (vpn2.calyx.net)
  20         [ "162.247.72.193" ] ++
  21         [ ];
  22       remote-random = true;
  23       port = "443";
  24       proto = "tcp";
  25       inherit ca;
  26       key = key-cert;
  27       cert = key-cert;
  28
  29       auth = "SHA1";
  30       client = true;
  31       dev = "ov-${netns}";
  32       dev-type = "tun";
  33       keepalive = "10 30";
  34       nobind = true;
  35       persist-key = true;
  36       persist-tun = true;
  37       remote-cert-tls = "server";
  38       reneg-sec = 0;
  39       script-security = 2;
  40       tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
  41       tls-client = true;
  42       up-restart = true;
  43       verb = 3;
  44     };
  45   };
  46   systemd.services."openvpn-${netns}" = {
  47     after = [ "network-online.target" ];
  48     preStart = ''
  49       (
  50       set -ex
  51       ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -vLs ${apiUrl}
  52       chmod 700 ${key-cert}
  53       )
  54     '';
  55     serviceConfig = {
  56       RuntimeDirectory = [ "openvpn-${netns}" ];
  57       RuntimeDirectoryMode = "0700";
  58     };
  59   };
  60   networking.nftables.ruleset = ''
  61     table inet filter {
  62       chain output-net {
  63         skuid root tcp dport https counter accept comment "OpenVPN Calyx"
  64         skuid root tcp dport 4430 counter accept comment "OpenVPN Calyx (API)"
  65       }
  66     }
  67   '';
  68   services.netns.namespaces.${netns} = {
  69     nftables = lib.mkBefore ''
  70       include "${../networking/nftables.txt}"
  71       table inet filter {
  72         chain output-lan {
  73           meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
  74           log prefix "calyx: output-lan: " counter drop
  75         }
  76         chain output-net {
  77           tcp dport { http, https } counter accept comment "HTTP"
  78           log prefix "calyx: output-net: " counter drop
  79         }
  80         chain output {
  81           ip daddr 10.0.0.0/8 counter goto output-lan
  82           ip daddr 172.16.0.0/12 counter goto output-lan
  83           ip daddr 192.168.0.0/16 counter goto output-lan
  84           ip daddr 224.0.0.0/3 counter goto output-lan
  85           jump output-net
  86           log prefix "calyx: output: " counter drop
  87         }
  88       }
  89     '';
  90   };
  91 }