losurdo: nftables: fix netns rules

[sourcephile-nix.git] / hosts / losurdo / networking / openvpn / calyx.nix

{ inputs, pkgs, lib, config, ... }:
let
  netns = "calyx";
  inherit (config.services) openvpn;
  apiUrl = "https://api.calyx.net:4430/3/cert";
  ca = pkgs.fetchurl {
    url = "https://calyx.net/ca.crt";
    hash = "sha256-NKLkpjjeGMN07htuWydBMQ03ytxF9CLm8SLNl3IPPGc=";
    curlOpts = ["-k"];
  } + "";
  key-cert = "/run/openvpn-${netns}/key+cert.pem";
in
{
services.openvpn.servers.${netns} = {
  inherit netns;
  settings = {
    remote =
      # new-york
      ["162.247.73.193"] ++
      [];
    port = "443";
    proto = "tcp";
    inherit ca;
    key = key-cert;
    cert = key-cert;

    auth = "SHA1";
    cipher = "AES-128-CBC";
    client = true;
    dev = "ov-${netns}";
    dev-type = "tun";
    keepalive = "10 30";
    nobind = true;
    persist-key = true;
    persist-tun = true;
    remote-cert-tls = "server";
    reneg-sec = 0;
    script-security = 2;
    tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
    tls-client = true;
    tun-ipv6 = true;
    up-restart = true;
    verb = 3;
  };
};
systemd.services."openvpn-${netns}" = {
  preStart = ''
    (
    set -ex
    ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
    chmod 700 ${key-cert}
    )
  '';
  serviceConfig = {
    RuntimeDirectory = [ "openvpn-${netns}" ];
    RuntimeDirectoryMode = "0700";
  };
};
networking.nftables.ruleset = ''
  table inet filter {
    chain output-net {
      skuid root tcp dport https counter accept comment "OpenVPN Calyx"
      skuid root tcp dport 4430 counter accept comment "OpenVPN Calyx (API)"
    }
  }
'';
services.netns.namespaces.${netns} = {
  nftables = lib.mkBefore ''
    include "${inputs.julm-nix + "/nixos/profiles/networking/nftables.txt"}"
  '';
};
}