+security+access(nan2gua1/openvpn/riseup): enable
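{
  pkgs,
  lib,
  config,
  ...
}:
let
  # Network namespace the tunnel is confined to. The same word names the
  # OpenVPN instance, its tun device and its runtime directory below.
  netns = "riseup";
  inherit (config.services) openvpn;
  # Riseup's "black" API issues a client key+certificate on a bare POST.
  # It is fetched at every service start (see preStart), not stored on disk.
  apiUrl = "https://api.black.riseup.net/3/cert";
  # One PEM file holding both the private key and the client certificate.
  # It lives under the unit's RuntimeDirectory (tmpfs, mode 0700), so it never
  # touches persistent storage and vanishes with the service.
  key-cert = "/run/openvpn-${netns}/key+cert.pem";
in
{
  services.openvpn.servers.${netns} = {
    inherit netns;
    settings = {
      # HowTo(maint/update): regenerate the gateway list with
      #   curl -Ls https://api.black.riseup.net/3/config/eip-service.json |
      #   jq -r '.gateways[].host'
      remote = [
        "vpn01-sea.riseup.net"
        "vpn02-par.riseup.net"
        "vpn03-par.riseup.net"
        "vpn04-ams.riseup.net"
        "vpn05-par.riseup.net"
        "vpn06-ams.riseup.net"
        "vpn07-par.riseup.net"
        "vpn08-par.riseup.net"
        "vpn10-mtl.riseup.net"
        "vpn11-par.riseup.net"
        "vpn12-nyc.riseup.net"
        "vpn13-ams.riseup.net"
        "vpn14-par.riseup.net"
        "vpn15-sea.riseup.net"
        "vpn16-sea.riseup.net"
        "vpn18-mtl.riseup.net"
        "vpn19-ams.riseup.net"
        "vpn20-par.riseup.net"
        "vpn21-par.riseup.net"
        "vpn22-mia.riseup.net"
        "vpn23-mia.riseup.net"
      ];
      # Start from a random gateway instead of always hammering the first one.
      remote-random = true;
      port = "80";
      proto = "udp";
      # Riseup's own CA, pinned by content hash at evaluation time: a changed
      # or tampered download fails the build instead of silently moving trust.
      # `+ ""` coerces the fetchurl derivation to its store path string.
      ca =
        pkgs.fetchurl {
          url = "https://black.riseup.net/ca.crt";
          hash = "sha256-+kzojhwMbFwcf9W6CzXcCaLzBtgeOgXp19XPrP3ZhFM=";
        }
        + "";
      # Key and certificate are read from the same PEM (see key-cert above).
      key = key-cert;
      cert = key-cert;

      auth = "SHA512";
      # Do not keep credentials cached in memory across reconnects.
      auth-nocache = true;
      client = true;
      /*
      data-ciphers = [
        "AES-128-GCM"
        "AES-192-GCM"
        "AES-256-GCM"
        "CHACHA20-POLY1305"
      ];
      */
      dev = "ov-${netns}";
      dev-type = "tun";
      keepalive = "10 30";
      nobind = true;
      persist-key = true;
      persist-tun = true;
      # Require the server-side TLS EKU on the peer certificate, so another
      # client certificate issued by the same CA cannot pose as a gateway.
      remote-cert-tls = "server";
      # Client-initiated renegotiation is disabled; the data-channel key
      # lifetime is therefore whatever the gateway enforces with its own reneg-sec.
      reneg-sec = 0;
      # NOTE(review): level 2 allows OpenVPN to run external up/down scripts;
      # presumably needed by the netns integration — drop to 1 if no script is used.
      script-security = 2;
      # Only constrains TLS 1.2 handshakes; TLS 1.3 negotiates its own suite.
      tls-cipher = "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384";
      tls-client = true;
      tls-version-min = "1.2";
      #tun-ipv6 = true;
      up-restart = true;
      verb = 3;
    };
  };
  systemd.services."openvpn-${netns}" = {
    # Obtain a fresh key+certificate from the API before each start.
    # Hardening compared to a plain `curl -o`:
    #  - umask 077: the private key is owner-only from the moment curl creates
    #    it, not only after the later chmod;
    #  - --fail: an HTTP error page is never written where a key is expected
    #    (and aborts the start via `set -e`);
    #  - --proto-redir '=https': -L may follow redirects, but never onto
    #    plaintext HTTP, which would deliver the private key in the clear.
    preStart = ''
      (
        set -eux
        umask 077
        ${pkgs.curl}/bin/curl \
          --fail --silent --show-error --location \
          --proto '=https' --proto-redir '=https' \
          --cacert ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt \
          --request POST \
          --output ${key-cert} \
          ${apiUrl}
        # Owner read/write only; the executable bit of 0700 was never needed.
        chmod 600 ${key-cert}
      )
    '';
    unitConfig = {
      # Never stop retrying; note each restart re-fetches a key from the API.
      StartLimitIntervalSec = 0;
    };
    serviceConfig = {
      # Owner-only tmpfs directory holding key-cert, created before preStart.
      RuntimeDirectory = [ "openvpn-${netns}" ];
      RuntimeDirectoryMode = "0700";
    };
  };
  # Riseup's own client, handy for diagnosing the account/gateway side.
  environment.systemPackages = [
    pkgs.riseup-vpn
  ];
  # Host-namespace egress for the OpenVPN process itself. It matches uid root
  # because the instance above sets no user/group to drop privileges to;
  # proto and port are taken from the settings so the two cannot drift apart.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        skuid root ${openvpn.servers.${netns}.settings.proto} dport ${
          openvpn.servers.${netns}.settings.port
        } counter accept comment "OpenVPN Riseup"
      }
    }
  '';
  # Inside the namespace, load the shared base ruleset before anything else.
  services.netns.namespaces.${netns} = {
    nftables = lib.mkBefore ''
      include "${../networking/nftables.nft}"
    '';
  };
}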