ca = pkgs.fetchurl
{
url = "https://calyx.net/ca.crt";
- hash = "sha256-NKLkpjjeGMN07htuWydBMQ03ytxF9CLm8SLNl3IPPGc=";
+ hash = "sha256-zLs7TRXrHlPjqdaBN1cmbB062XhKs4cv5ajmrkg4O8s=";
curlOptsList = [ "-k" ];
} + "";
key-cert = "/run/openvpn-${netns}/key+cert.pem";
inherit netns;
settings = {
remote =
- # new-york
- [ "162.247.73.193" ] ++
+ # new-york (vpn2.calyx.net)
+ [ "162.247.72.193" ] ++
[ ];
remote-random = true;
port = "443";
cert = key-cert;
auth = "SHA1";
- cipher = "AES-128-CBC";
client = true;
dev = "ov-${netns}";
dev-type = "tun";
script-security = 2;
tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
tls-client = true;
- tun-ipv6 = true;
up-restart = true;
verb = 3;
};
};
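Review bot: The new `hash` on the `ca` fetch is the only thing authenticating this CA certificate, because `curlOptsList = [ "-k" ]` disables TLS verification for the download, and nothing visible records how the new value was checked. Since `ca` is later passed as `--cacert` for the key+cert request, I would note the provenance next to the pin, e.g. `# sha256 of https://calyx.net/ca.crt; fingerprint compared out of band on <date>`, or drop `-k` if the host presents a publicly trusted chain. Separately, removing `cipher` leaves the data-channel cipher to negotiation while `tls-cipher` stays pinned to a DHE-RSA AES-128-CBC-SHA suite and `auth = "SHA1"` remains; a short comment on why the server still requires these would help. The enclosing attribute set starts outside the visible lines.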
systemd.services."openvpn-${netns}" = {
+ after = [ "network-online.target" ];
preStart = ''
(
set -ex
- ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
+ ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -vLs ${apiUrl}
chmod 700 ${key-cert}
)
'';
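Review bot: In `preStart`, curl creates the key+cert file with the process's default umask and `chmod 700 ${key-cert}` only tightens it afterwards, so unless the directory or the unit's UMask already restricts access the private key is briefly readable by other users; the mode also sets an execute bit the file does not need. Putting `umask 077` before the curl line and using `chmod 600 ${key-cert}` closes that window. The added `-v`, together with `set -ex`, writes curl's request and response headers to the unit's log, so if `apiUrl` or the response carries any credential or session header it should go back to `-Ls` once debugging is done. `after = [ "network-online.target" ]` only orders the unit; systemd's guidance pairs it with `wants = [ "network-online.target" ]` so the target is actually pulled in. The service definition continues outside the visible lines.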
services.netns.namespaces.${netns} = {
nftables = lib.mkBefore ''
include "${../networking/nftables.txt}"
+ table inet filter {
+ chain output-lan {
+ meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
+ log prefix "calyx: output-lan: " counter drop
+ }
+ chain output-net {
+ tcp dport { http, https } counter accept comment "HTTP"
+ log prefix "calyx: output-net: " counter drop
+ }
+ chain output {
+ ip daddr 10.0.0.0/8 counter goto output-lan
+ ip daddr 172.16.0.0/12 counter goto output-lan
+ ip daddr 192.168.0.0/16 counter goto output-lan
+ ip daddr 224.0.0.0/3 counter goto output-lan
+ jump output-net
+ log prefix "calyx: output: " counter drop
+ }
+ }
'';
};
}
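Review bot: The private-range split in `chain output` matches only IPv4 (`ip daddr …`), but the table is `inet`, so IPv6 packets skip all four rules and fall through to `output-net`, where TCP 80/443 to link-local or unique-local addresses is accepted. Adding `ip6 daddr { fc00::/7, fe80::/10, ff00::/8 } counter goto output-lan` before the `jump`, or `meta nfproto ipv6 counter drop` if IPv6 is not meant to leave this namespace, would make the LAN restriction hold for both families. The final rule `log prefix "calyx: output: " counter drop` is unreachable because `output-net` ends in an unconditional drop; `goto output-net` would express the same thing. None of these chains declares a hook, so this presumably relies on the included `nftables.txt` to dispatch into `output`, which deserves a one-line comment.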