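{
  inputs,
  pkgs,
  lib,
  config,
  ...
}:
# OpenVPN client for Riseup's VPN, confined to the `riseup` network namespace.
# The VPN CA is pinned in the Nix store; the client key+certificate are fetched
# from Riseup's API on every start of the unit and only ever live on /run.
let
  netns = "riseup";
  inherit (config.services) openvpn;
  # One POST to this endpoint returns a PEM with a client key and certificate.
  apiUrl = "https://api.black.riseup.net/3/cert";
  # Private key material: kept under the unit's RuntimeDirectory (mode 0700
  # below), never in the world-readable store.
  key-cert = "/run/openvpn-${netns}/key+cert.pem";
in
{
  services.openvpn.servers.${netns} = {
    inherit netns;
    settings = {
      # Gateway list obtained with:
      # curl -Ls https://api.black.riseup.net/3/config/eip-service.json | jq .gateways.'[]'.host
      remote = [
        "vpn01-sea.riseup.net"
        "vpn02-par.riseup.net"
        "vpn03-par.riseup.net"
        "vpn04-ams.riseup.net"
        "vpn05-par.riseup.net"
        "vpn06-ams.riseup.net"
        "vpn07-par.riseup.net"
        "vpn08-par.riseup.net"
        "vpn10-mtl.riseup.net"
        "vpn11-par.riseup.net"
        "vpn12-nyc.riseup.net"
        "vpn13-ams.riseup.net"
        "vpn14-par.riseup.net"
        "vpn15-sea.riseup.net"
        "vpn16-sea.riseup.net"
        "vpn18-mtl.riseup.net"
        "vpn19-ams.riseup.net"
        "vpn20-par.riseup.net"
        "vpn21-par.riseup.net"
        "vpn22-mia.riseup.net"
        "vpn23-mia.riseup.net"
      ];
      # Pick a random gateway instead of always trying the list in order.
      remote-random = true;
      # 53/udp: the same port/proto is reused by the nftables egress rule below,
      # so they cannot drift apart.
      port = "53";
      proto = "udp";
      # The VPN CA is pinned by content hash: if Riseup ever rotates it, the
      # build fails instead of a different CA being accepted silently.
      # `+ ""` coerces the fetchurl derivation to its store path string.
      ca =
        pkgs.fetchurl {
          url = "https://black.riseup.net/ca.crt";
          hash = "sha256-+kzojhwMbFwcf9W6CzXcCaLzBtgeOgXp19XPrP3ZhFM=";
        }
        + "";
      # Key and certificate are both read from the single PEM written by preStart.
      key = key-cert;
      cert = key-cert;

      # NOTE(review): HMAC-SHA1 and the DHE-RSA/AES-128-CBC/SHA TLS suite are
      # legacy choices, presumably dictated by Riseup's published client config.
      # Before tightening them (e.g. `auth = "SHA256"` and a GCM suite), confirm
      # the gateways accept the stronger settings, or the handshake will fail.
      auth = "SHA1";
      client = true;
      dev = "ov-${netns}";
      dev-type = "tun";
      keepalive = "10 30";
      nobind = true;
      persist-key = true;
      persist-tun = true;
      # Only accept a peer whose certificate is marked as a server: another
      # Riseup-issued *client* certificate cannot pose as a gateway.
      remote-cert-tls = "server";
      # 0 disables this side's periodic TLS key renegotiation.
      reneg-sec = 0;
      # 2 lets OpenVPN call external up/down scripts (presumably needed by the
      # netns integration — confirm); do not raise it further.
      script-security = 2;
      tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
      tls-client = true;
      tun-ipv6 = true;
      up-restart = true;
      verb = 3;
    };
  };
  systemd.services."openvpn-${netns}" = {
    # Fetch a fresh client key+certificate right before OpenVPN starts.
    # The API host is verified against the system CA bundle (a public,
    # CA-signed name); the VPN gateways are verified against the pinned `ca`.
    preStart = ''
      (
        set -ex
        # Never let the key file exist with broader permissions, even briefly.
        umask 077
        # --fail: an HTTP error must abort the unit rather than leave the
        # error body in the key file for OpenVPN to choke on later.
        ${pkgs.curl}/bin/curl -v -X POST --fail --cacert ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt -o ${key-cert} -Ls ${apiUrl}
        # Private key: owner read/write only; a PEM has no use for the exec bit.
        chmod 600 ${key-cert}
      )
    '';
    unitConfig = {
      # No start rate-limiting, so a flapping tunnel keeps being retried.
      StartLimitIntervalSec = 0;
    };
    serviceConfig = {
      # Private runtime directory that holds the key file written by preStart.
      RuntimeDirectory = [ "openvpn-${netns}" ];
      RuntimeDirectoryMode = "0700";
    };
  };
  environment.systemPackages = [
    pkgs.riseup-vpn
  ];
  # Egress for the OpenVPN process (runs as root) to the gateways.  Proto and
  # port are taken from the settings above so the rule follows them.  Note that
  # with port 53 this rule also covers ordinary DNS traffic sent by root.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        skuid root ${openvpn.servers.${netns}.settings.proto} dport ${
          openvpn.servers.${netns}.settings.port
        } counter accept comment "OpenVPN Riseup"
      }
    }
  '';
  services.netns.namespaces.${netns} = {
    # Shared base ruleset for the namespace, placed before any other rules.
    nftables = lib.mkBefore ''
      include "${inputs.julm-nix + "/nixos/profiles/networking/nftables.txt"}"
    '';
  };
}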