oignon: add openvpn for riseup
authorJulien Moutinho <julm@sourcephile.fr>
Mon, 7 Jun 2021 09:40:39 +0000 (11:40 +0200)
committerJulien Moutinho <julm@sourcephile.fr>
Mon, 7 Jun 2021 09:40:59 +0000 (11:40 +0200)
homes/julm.nix
hosts/oignon.nix
hosts/oignon/openvpn.nix [new file with mode: 0644]
hosts/oignon/openvpn/riseup/RiseupCA.pem [new file with mode: 0644]
install
nixpkgs/patches.nix
private/root/oignon/openvpn/riseup/auth-user-pass [new file with mode: 0644]

index 0c2dd6fa8edb795ef8ce601778edf2ccb63df8a2..5988b04a3c0e752a1317e0fbd953a45a3065f808 100644 (file)
@@ -10,6 +10,7 @@ imports = [
 host.desktop = lib.elem config.host.name [ /*"losurdo"*/ "oignon" ];
 host.server = lib.elem config.host.name [ "losurdo" "mermet" ];
 programs.bash.enable = true;
+programs.bash.shellAliases.firefox = "sudo ip netns exec riseup sudo -u $USER firefox";
 programs.gpg.enable = true;
 home.file.".gnupg/gpg.conf".text = ''
   # julm@autogeree.net
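Review bot: The alias added on the `programs.bash.shellAliases.firefox` line launches firefox through two sudo hops, and with sudo's default env_reset the inner `sudo -u $USER firefox` will presumably not inherit DISPLAY, XAUTHORITY or the Wayland/D-Bus session variables, so firefox may fail to open a window rather than reporting a clear error; worth confirming on the host and, if needed, forwarding only those variables with `--preserve-env=DISPLAY,XAUTHORITY` rather than a blanket `-E`. `$USER` is also unquoted inside the alias; a Nix indented string keeps the shell quoting readable, e.g. `programs.bash.shellAliases.firefox = ''sudo ip netns exec riseup sudo -u "$USER" firefox'';`. Note that the alias only confines firefox's network to the namespace; name resolution inside that namespace is determined by hosts/oignon/openvpn.nix, not here.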
index 5f72eb760f67c3dec9ef1c76712704af191f2da8..2494fd3ec6112d71aee24b15c87ede900e71cf90 100644 (file)
@@ -7,6 +7,7 @@ in
 imports = [
   ../profiles/dnscrypt-proxy2.nix
   oignon/hardware.nix
+  oignon/openvpn.nix
   oignon/tor.nix
   oignon/backup.nix
 ];
diff --git a/hosts/oignon/openvpn.nix b/hosts/oignon/openvpn.nix
new file mode 100644 (file)
index 0000000..c1a4bf6
--- /dev/null
@@ -0,0 +1,28 @@
+{ pkgs, lib, config, hostName, private, ... }:
+let
+  inherit (config.services) openvpn;
+in
+{
+services.netns.namespaces."riseup" = {
+};
+services.openvpn.servers."riseup" = {
+  netns = "riseup";
+  settings = {
+    verb = 3;
+    auth-user-pass = "${private}/${hostName}/openvpn/riseup/auth-user-pass";
+    ca = openvpn/riseup/RiseupCA.pem;
+    client = true;
+    dev = "ov-riseup";
+    dev-type = "tun";
+    persist-tun = true;
+    nobind = true;
+    persist-key = true;
+    tls-client = true;
+    remote-cert-tls = "server";
+    remote = "198.252.153.226 1194 udp";
+    reneg-sec = 0;
+    script-security = 2;
+    up-restart = true;
+  };
+};
+}
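Review bot: The `services.netns.namespaces."riseup"` attribute set is empty and nothing in this file provides a resolver inside the namespace, so DNS for anything run with `ip netns exec riseup` depends on whether the patched openvpn module's `netns` support writes `/etc/netns/riseup/resolv.conf` (not visible here); if it does not, the namespace falls back to the host's `/etc/resolv.conf`, which with the dnscrypt-proxy2 profile imported in hosts/oignon.nix presumably points at a loopback listener unreachable from the namespace, so resolution either fails or, if the resolver is reachable by a non-loopback address, queries leave outside the tunnel. I would confirm this with a lookup from inside the namespace before relying on it, and document the expectation with a comment on the namespace block such as `# DNS inside the namespace: resolver is set by the openvpn netns up script (verify)`. `inherit (config.services) openvpn;` in the `let` block is unused in this file and can be dropped. Since `auth-user-pass` points at a credentials file read by a root process, `auth-nocache = true;` keeps the password from being retained in process memory after the initial auth, and `tls-version-min = "1.2";` pins the handshake floor; both are optional hardening, not required by the page.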
diff --git a/hosts/oignon/openvpn/riseup/RiseupCA.pem b/hosts/oignon/openvpn/riseup/RiseupCA.pem
new file mode 100644 (file)
index 0000000..aa626d3
--- /dev/null
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/install b/install
index 07783bf5c3632d577d033cbbd2d7af7b13cbaea8..fa3c41c2a276b6c6cc09cbbd0cdb7a28888d44c9 100755 (executable)
--- a/install
+++ b/install
@@ -3,6 +3,7 @@ if test "$(id -u)" != 0
 then sudo "$0" "$@"
 else
   cd "${0%/*}"
+  chmod -R g-rwx,o-rwx "$PWD/private/root"
   ln -sfn "$PWD/private/root" /root/private
   trap 'git reset private/root' EXIT
   git rm -rf --cached --ignore-unmatch private/root # prevent copying to /nix/store
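Review bot: The `chmod -R g-rwx,o-rwx "$PWD/private/root"` line only restricts group and other bits at install time: the owner of the checkout (presumably the unprivileged user who invoked the script via sudo) keeps full read access to the committed credentials, and a fresh clone is back to the default umask until install is rerun, so this is a convenience tightening rather than an access-control boundary. The script's first lines are outside the hunk, so I cannot tell whether it runs under `set -e`; if it does not, a failed chmod is silently ignored, and `chmod -R g-rwx,o-rwx "$PWD/private/root" || exit 1` would make the intent explicit. The real protection against the world-readable /nix/store remains the following `git rm --cached` and the string (non-path) reference to the file in hosts/oignon/openvpn.nix; a one-line comment above the chmod saying so would help the next reader, e.g. `# tighten working-copy perms; the store is protected by the git rm --cached below`.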
index ee79f4a3e3119b82a9751701d2642f721ac489d3..23015302b5ef7cadc51bb80898f1a5351e581318 100644 (file)
   url = "https://github.com/NixOS/nixpkgs/pull/122455.diff";
   sha256 = "sha256-f7UN1f7rJ+nnu/wCsi/21bf71jg9d7d7jL+NTgDngY4=";
 }
+{
+  meta.description = "openvpn";
+  url = "https://github.com/NixOS/nixpkgs/pull/109643.diff";
+  sha256 = "sha256-i9dhidO/Yf/u6wE08ZIL/s6A/LoaXfz14+Xqc2YvJQg=";
+}
 /*
 {
   meta.description = "fuse: fix mount.fuse -o setuid=";
diff --git a/private/root/oignon/openvpn/riseup/auth-user-pass b/private/root/oignon/openvpn/riseup/auth-user-pass
new file mode 100644 (file)
index 0000000..8da3676
Binary files /dev/null and b/private/root/oignon/openvpn/riseup/auth-user-pass differ
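Review bot: The new auth-user-pass file holds the Riseup credentials that hosts/oignon/openvpn.nix reads through its `auth-user-pass` setting, and the page shows it only as a binary new file, so whether the repository stores it encrypted (git-crypt or similar) or in plaintext cannot be determined from here. If it is plaintext, the credentials are now part of git history on every clone and remote and should be treated as exposed and rotated; the install script's chmod and `git rm --cached` protect only the working copy and the store, not the object database. A short note in the commit description stating how files under private/ are protected at rest would settle this for future reviewers.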