]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/networking/openvpn/calyx.nix
creds: finish to migrate to systemd-creds.nix
[sourcephile-nix.git] / hosts / losurdo / networking / openvpn / calyx.nix
1 { inputs, pkgs, lib, config, ... }:
2 let
3 netns = "calyx";
4 inherit (config.services) openvpn;
5 apiUrl = "https://api.calyx.net:4430/3/cert";
6 ca = pkgs.fetchurl {
7 url = "https://calyx.net/ca.crt";
8 hash = "sha256-NKLkpjjeGMN07htuWydBMQ03ytxF9CLm8SLNl3IPPGc=";
9 curlOptsList = ["-k"];
10 } + "";
11 key-cert = "/run/openvpn-${netns}/key+cert.pem";
12 in
13 {
14 services.openvpn.servers.${netns} = {
15 inherit netns;
16 settings = {
17 remote =
18 # new-york
19 ["162.247.73.193"] ++
20 [];
21 remote-random = true;
22 port = "443";
23 proto = "tcp";
24 inherit ca;
25 key = key-cert;
26 cert = key-cert;
27
28 auth = "SHA1";
29 cipher = "AES-128-CBC";
30 client = true;
31 dev = "ov-${netns}";
32 dev-type = "tun";
33 keepalive = "10 30";
34 nobind = true;
35 persist-key = true;
36 persist-tun = true;
37 remote-cert-tls = "server";
38 reneg-sec = 0;
39 script-security = 2;
40 tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
41 tls-client = true;
42 tun-ipv6 = true;
43 up-restart = true;
44 verb = 3;
45 };
46 };
47 systemd.services."openvpn-${netns}" = {
48 preStart = ''
49 (
50 set -ex
51 ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
52 chmod 700 ${key-cert}
53 )
54 '';
55 serviceConfig = {
56 RuntimeDirectory = [ "openvpn-${netns}" ];
57 RuntimeDirectoryMode = "0700";
58 };
59 };
60 networking.nftables.ruleset = ''
61 table inet filter {
62 chain output-net {
63 skuid root tcp dport https counter accept comment "OpenVPN Calyx"
64 skuid root tcp dport 4430 counter accept comment "OpenVPN Calyx (API)"
65 }
66 }
67 '';
68 services.netns.namespaces.${netns} = {
69 nftables = lib.mkBefore ''
70 include "${inputs.julm-nix + "/nixos/profiles/networking/nftables.txt"}"
71 '';
72 };
73 }