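{ inputs, pkgs, lib, config, ... }:
# OpenVPN client for Calyx, confined to its own network namespace so that
# only traffic explicitly placed in that netns uses the tunnel.
#
# The client key+certificate is NOT kept in the Nix store (world-readable):
# it is fetched from Calyx's API into a root-only RuntimeDirectory every
# time the unit starts (see preStart below).
let
  netns = "calyx";
  inherit (config.services) openvpn;

  # Endpoint that hands out the client key+certificate (a single PEM file).
  apiUrl = "https://api.calyx.net:4430/3/cert";

  # Calyx's CA.  It is the trust anchor both for the OpenVPN server
  # (settings.ca) and for the API call in preStart (--cacert).
  ca = pkgs.fetchurl
    {
      url = "https://calyx.net/ca.crt";
      # WARNING: a change to that CA will likely not be detected
      # because it is already in the Nix store,
      # and will cause the preStart to fail.
      hash = "sha256-zLs7TRXrHlPjqdaBN1cmbB062XhKs4cv5ajmrkg4O8s=";
      # NOTE(security): "-k" disables TLS verification for this one
      # download, so trust in this CA is trust-on-first-use: the only
      # thing pinning it is the fixed-output hash above.  If the hash
      # ever has to be updated, verify the new certificate's fingerprint
      # out-of-band rather than just copying what Nix prints.
      curlOptsList = [ "-k" ];
    } + "";

  # Runtime-only location of the client key+cert (directory is 0700 root,
  # see serviceConfig below).  Both `key` and `cert` point at this file.
  key-cert = "/run/openvpn-${netns}/key+cert.pem";
in
{
  services.openvpn.servers.${netns} = {
    inherit netns;
    settings = {
      # See: https://gitlab.com/nitrohorse/bitmask-openvpn-generator
      remote =
        # new-york (vpn2.calyx.net)
        [ "162.247.72.193" ] ++
        [ ];
      remote-random = true;
      port = "443";
      proto = "tcp";
      inherit ca;
      key = key-cert;
      cert = key-cert;

      # NOTE(review): SHA1 HMAC and a CBC-SHA TLS cipher are legacy choices;
      # presumably dictated by what the Calyx servers accept (per the
      # generator linked above) — confirm before tightening.
      auth = "SHA1";
      client = true;
      dev = "ov-${netns}";
      dev-type = "tun";
      keepalive = "10 30";
      nobind = true;
      persist-key = true;
      persist-tun = true;
      # Require the server certificate to carry the TLS server EKU, so a
      # leaked *client* cert signed by the same CA cannot impersonate a server.
      remote-cert-tls = "server";
      # Disables client-initiated renegotiation; the server can still
      # renegotiate on its own schedule.
      reneg-sec = 0;
      # Level 2 lets OpenVPN execute external scripts (up/down hooks);
      # presumably needed by the netns integration — confirm it is required.
      script-security = 2;
      tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
      tls-client = true;
      up-restart = true;
      verb = 3;
    };
  };

  systemd.services."openvpn-${netns}" = {
    # Fetch the client key+cert before every start.  TLS trust for this
    # request is pinned to Calyx's CA only (--cacert), not the system store.
    preStart = ''
      (
        set -ex
        # Never let the key be readable by others, even transiently,
        # whatever umask the unit inherits; RuntimeDirectoryMode 0700 is
        # the second line of defense.
        umask 077
        # --fail: without it an HTTP error page would be written to the
        # output file and only surface later as an obscure OpenVPN
        # "cannot load private key" failure instead of failing the unit here.
        ${pkgs.curl}/bin/curl -X POST --fail --cacert ${ca} -o ${key-cert} -vLs ${apiUrl}
        # A PEM file needs no execute bit; owner read/write is enough.
        chmod 600 ${key-cert}
      )
    '';
    unitConfig = {
      # Keep retrying indefinitely (e.g. while the API is unreachable at boot).
      StartLimitIntervalSec = 0;
    };
    serviceConfig = {
      # /run/openvpn-<netns>, owned by root and not readable by anyone else,
      # holds the private key fetched in preStart.
      RuntimeDirectory = [ "openvpn-${netns}" ];
      RuntimeDirectoryMode = "0700";
    };
  };

  # Egress rules in the host namespace: OpenVPN (TCP/443) and the
  # certificate API call (TCP/4430) both run as root.
  # NOTE(security): these rules match any destination address; narrowing
  # them to the addresses in `remote` and to api.calyx.net would reduce
  # what any root process may reach on those ports.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        skuid root tcp dport https counter accept comment "OpenVPN Calyx"
        skuid root tcp dport 4430 counter accept comment "OpenVPN Calyx (API)"
      }
    }
  '';

  # Firewall applied inside the netns itself; the shared profile is
  # included first (mkBefore) so per-netns rules below it can extend it.
  services.netns.namespaces.${netns} = {
    nftables = lib.mkBefore ''
      include "${inputs.julm-nix + "/nixos/profiles/networking/nftables.txt"}"
    '';
  };
}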