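{ pkgs, lib, config, ... }:
# OpenVPN client profile for Calyx, run inside its own network namespace.
#
# Flow on every start of openvpn-${netns}.service:
#   1. preStart POSTs to the Calyx certificate API (over TLS, verified
#      against the Calyx CA) and stores the returned key+cert PEM in
#      a root-only RuntimeDirectory (/run/openvpn-<netns>/).
#   2. OpenVPN connects over TCP/443 to the pinned remote, authenticating
#      the server against that same CA (remote-cert-tls server).
let
  netns = "calyx";
  inherit (config.services) openvpn;
  apiUrl = "https://api.calyx.net:4430/3/cert";
  # The Calyx CA bundle.  The "-k" (insecure) flag is a bootstrap
  # necessity: the CA needed to verify https://calyx.net is the very file
  # being fetched.  The download is still safe because fetchurl is a
  # fixed-output derivation — a tampered response fails the sha256 check
  # and aborts the build rather than being trusted.  If the hash ever has
  # to be updated, verify the new cert out-of-band, not by trusting TLS.
  ca = pkgs.fetchurl
    {
      url = "https://calyx.net/ca.crt";
      hash = "sha256-NKLkpjjeGMN07htuWydBMQ03ytxF9CLm8SLNl3IPPGc=";
      curlOptsList = [ "-k" ];
    } + "";
  # Combined private key + client certificate PEM, (re)fetched at each
  # start; lives only in the unit's RuntimeDirectory (tmpfs, mode 0700).
  key-cert = "/run/openvpn-${netns}/key+cert.pem";
in
{
  services.openvpn.servers.${netns} = {
    inherit netns;
    settings = {
      remote =
        # new-york
        [ "162.247.73.193" ] ++
        [ ];
      remote-random = true;
      port = "443";
      proto = "tcp";
      inherit ca;
      # OpenVPN accepts one PEM holding both the key and the certificate.
      key = key-cert;
      cert = key-cert;

      # --- Legacy data/control-channel crypto -------------------------
      # HMAC-SHA1 + AES-128-CBC and a TLS 1.2 DHE/CBC suite are weak by
      # current standards.  NOTE(review): presumably these are what the
      # Calyx server negotiates; confirm with the provider before
      # tightening, since a mismatch fails the handshake outright.
      # OpenVPN >= 2.5 deprecates `cipher` in favour of `data-ciphers`.
      auth = "SHA1";
      cipher = "AES-128-CBC";
      client = true;
      dev = "ov-${netns}";
      dev-type = "tun";
      keepalive = "10 30";
      nobind = true;
      persist-key = true;
      persist-tun = true;
      # Require the peer's certificate to carry the server EKU, so a leaked
      # client cert from the same CA cannot impersonate the server.
      remote-cert-tls = "server";
      # 0 disables client-initiated TLS renegotiation (re-keying); the
      # server's own reneg-sec timer still applies if it has one.
      reneg-sec = 0;
      # Level 2 permits the netns up/down helper scripts to run.
      script-security = 2;
      tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
      tls-client = true;
      tun-ipv6 = true;
      up-restart = true;
      verb = 3;
    };
  };
  systemd.services."openvpn-${netns}" = {
    preStart = ''
      (
        set -ex
        # Key material must never be readable by others, even transiently:
        # create it 0600 from the start instead of relying on a later chmod.
        umask 077
        # --fail: an HTTP 4xx/5xx must abort the unit.  Without it curl
        #         exits 0 and writes the error body where OpenVPN expects
        #         a PEM file, which `set -e` alone would not catch.
        # --proto/--proto-redir '=https': never speak or follow a redirect
        #         to anything other than TLS.
        # Download to a temporary path and rename, so a failed or
        # interrupted transfer cannot leave a truncated key+cert behind.
        ${pkgs.curl}/bin/curl -X POST --fail -Ls \
          --proto '=https' --proto-redir '=https' \
          --cacert ${ca} \
          -o ${key-cert}.tmp ${apiUrl}
        mv -f ${key-cert}.tmp ${key-cert}
        # Read-only data for root; the exec bit serves no purpose here.
        chmod 600 ${key-cert}
      )
    '';
    serviceConfig = {
      # /run/openvpn-<netns>, root-only; holds the fetched key+cert.
      RuntimeDirectory = [ "openvpn-${netns}" ];
      RuntimeDirectoryMode = "0700";
    };
  };
  # Egress allowed from the host namespace for the tunnel (443) and the
  # certificate API (4430).  NOTE(review): matching on `skuid root` alone
  # lets any root process reach any host on these ports; adding
  # `ip daddr 162.247.73.193` to the first rule (and the API's addresses
  # to the second, once known) would narrow this to Calyx.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        skuid root tcp dport https counter accept comment "OpenVPN Calyx"
        skuid root tcp dport 4430 counter accept comment "OpenVPN Calyx (API)"
      }
    }
  '';
  # Inside the namespace, apply the shared baseline ruleset first so the
  # per-namespace rules generated by the netns module layer on top of it.
  services.netns.namespaces.${netns} = {
    nftables = lib.mkBefore ''
      include "${../networking/nftables.txt}"
    '';
  };
}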