hosts/losurdo/networking/openvpn/calyx.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   netns = "calyx";
   4   inherit (config.services) openvpn;
   5   apiUrl = "https://api.calyx.net:4430/3/cert";
   6   ca = pkgs.fetchurl {
   7     url = "https://calyx.net/ca.crt";
   8     hash = "sha256-NKLkpjjeGMN07htuWydBMQ03ytxF9CLm8SLNl3IPPGc=";
   9     curlOpts = ["-k"];
  10   } + "";
  11   key-cert = "/run/openvpn-${netns}/key+cert.pem";
  12 in
  13 {
  14 services.openvpn.servers.${netns} = {
  15   inherit netns;
  16   settings = {
  17     remote =
  18       # new-york
  19       ["162.247.73.193"] ++
  20       [];
  21     port = "443";
  22     proto = "tcp";
  23     inherit ca;
  24     key = key-cert;
  25     cert = key-cert;
  26
  27     auth = "SHA1";
  28     cipher = "AES-128-CBC";
  29     client = true;
  30     dev = "ov-${netns}";
  31     dev-type = "tun";
  32     keepalive = "10 30";
  33     nobind = true;
  34     persist-key = true;
  35     persist-tun = true;
  36     remote-cert-tls = "server";
  37     reneg-sec = 0;
  38     script-security = 2;
  39     tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
  40     tls-client = true;
  41     tun-ipv6 = true;
  42     up-restart = true;
  43     verb = 3;
  44   };
  45 };
  46 systemd.services."openvpn-${netns}" = {
  47   preStart = ''
  48     (
  49     set -ex
  50     ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
  51     chmod 700 ${key-cert}
  52     )
  53   '';
  54   serviceConfig = {
  55     RuntimeDirectory = [ "openvpn-${netns}" ];
  56     RuntimeDirectoryMode = "0700";
  57   };
  58 };
  59 networking.nftables.ruleset = ''
  60   add rule inet filter fw2net meta skuid root tcp dport 443 counter accept comment "OpenVPN Calyx"
  61   add rule inet filter fw2net meta skuid root tcp dport 4430 counter accept comment "OpenVPN Calyx (API)"
  62 '';
  63 services.netns.namespaces.${netns} = {
  64   nftables = lib.mkBefore ''
  65     table inet filter {
  66       include "${../../../../networking/nftables/filter.txt}"
  67       chain input {
  68         type filter hook input priority filter
  69         policy drop
  70         iifname lo accept
  71         jump check-tcp
  72         ct state { established, related } accept
  73         jump accept-connectivity-input
  74         jump check-broadcast
  75         ct state invalid drop
  76       }
  77       chain forward {
  78         type filter hook forward priority filter
  79         policy drop
  80         jump accept-connectivity-forward
  81       }
  82       chain output {
  83         type filter hook output priority filter
  84         policy drop
  85         oifname lo accept
  86         ct state { related, established } accept
  87         jump accept-connectivity-output
  88       }
  89     }
  90   '';
  91 };
  92 }