{ pkgs, lib, config, ... }:
# OpenVPN client to riseup, confined to its own network namespace.
#
# Three things are wired together here, all keyed on the same name:
#   - a netns with its own default-deny nftables filter,
#   - the OpenVPN client instance that lives in that netns,
#   - the gnupg-managed secret holding the auth-user-pass credentials,
# plus one host-side rule letting the UDP/1194 tunnel traffic out.
let
  name = "riseup";
  secretName = "openvpn/${name}/auth-user-pass";
  unit = "openvpn-${name}.service";
in
{
  # Default-deny filter for the namespace; mkBefore so that these chains are
  # declared before anything else merged into the same option.
  services.netns.namespaces.${name}.nftables = lib.mkBefore ''
    table inet filter {
      include "${../../../../var/nftables/filter.txt}"
      chain input {
        type filter hook input priority filter
        policy drop
        iifname lo accept
        jump check-tcp
        ct state { established, related } accept
        jump accept-connectivity-input
        jump check-broadcast
        ct state invalid drop
      }
      chain forward {
        type filter hook forward priority filter
        policy drop
        jump accept-connectivity-forward
      }
      chain output {
        type filter hook output priority filter
        policy drop
        oifname lo accept
        ct state { related, established } accept
        # NOTE(review): the tunnel's own UDP/1194 egress is not accepted
        # explicitly in this chain; presumably it is covered by
        # accept-connectivity-output (defined in filter.txt) or the OpenVPN
        # process sends from the host namespace — confirm.
        jump accept-connectivity-output
      }
    }
  '';

  services.openvpn.servers.${name} = {
    netns = name;
    settings = {
      verb = 3;
      # Credentials come from a gnupg-decrypted secret, never from the Nix store.
      auth-user-pass = config.security.gnupg.secrets.${secretName}.path;
      ca = riseup/RiseupCA.pem;
      client = true;
      dev = "ov-${name}";
      dev-type = "tun";
      # Keep the tun device and key material across SIGUSR1 restarts.
      persist-tun = true;
      persist-key = true;
      nobind = true;
      tls-client = true;
      # Require the peer certificate to be a server certificate, which stops a
      # client certificate signed by the same CA from impersonating the server.
      remote-cert-tls = "server";
      # Pinned endpoint (address, port, transport).
      remote = "198.252.153.226 1194 udp";
      # NOTE(review): 0 disables periodic TLS renegotiation, so one data-channel
      # key is used for the whole session; this is a deliberate trade-off
      # against credential re-prompts — confirm it is intended.
      reneg-sec = 0;
      # Level 2 permits OpenVPN to run user-defined scripts (needed for
      # up/down hooks); higher levels would also pass data through the shell.
      script-security = 2;
      up-restart = true;
    };
  };

  # The secret must be decrypted before the VPN unit starts, and starting the
  # VPN unit pulls the secret unit in.
  security.gnupg.secrets.${secretName}.systemdConfig = {
    before = [ unit ];
    wantedBy = [ unit ];
  };

  # Host-side egress for the tunnel itself.
  # NOTE(review): this accepts UDP/1194 to any destination; it could be scoped
  # with `ip daddr` to the pinned remote above — confirm nothing else relies on it.
  networking.nftables.ruleset = ''
    add rule inet filter fw2net udp dport 1194 counter accept comment "OpenVPN"
  '';
}