hosts/losurdo/networking/openvpn/riseup.nix

   1 { inputs, pkgs, lib, config, ... }:
   2 let
   3   netns = "riseup";
   4   inherit (config.services) openvpn;
   5   apiUrl = "https://api.black.riseup.net/3/cert";
   6   ca = pkgs.fetchurl {
   7     url = "https://black.riseup.net/ca.crt";
   8     hash = "sha256-Zdvnfz2k7iWlbgmmcUJrpJZ1dp7o0qXeJhP0HWJD7ro=";
   9   } + "";
  10   key-cert = "/run/openvpn-${netns}/key+cert.pem";
  11 in
  12 {
  13 services.openvpn.servers.${netns} = {
  14   inherit netns;
  15   settings = {
  16     remote =
  17       # amsterdam
  18       ["212.83.182.127" "212.83.165.160" "212.129.4.141"] ++
  19       # paris
  20       #["212.83.146.228" "212.83.143.67" "163.172.126.44"] ++
  21       # miami
  22       ["37.218.244.249" "37.218.244.251"] ++
  23       # montreal
  24       ["199.58.83.10" "199.58.83.10" "199.58.83.12"] ++
  25       # new-york
  26       ["185.220.103.12"] ++
  27       # seattle
  28       ["198.252.153.28" "198.252.153.28"] ++
  29       [];
  30     remote-random = true;
  31     port = "443";
  32     proto = "tcp";
  33     inherit ca;
  34     key = key-cert;
  35     cert = key-cert;
  36
  37     auth = "SHA1";
  38     cipher = "AES-128-CBC";
  39     client = true;
  40     dev = "ov-${netns}";
  41     dev-type = "tun";
  42     keepalive = "10 30";
  43     nobind = true;
  44     persist-key = true;
  45     persist-tun = true;
  46     remote-cert-tls = "server";
  47     reneg-sec = 0;
  48     script-security = 2;
  49     tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
  50     tls-client = true;
  51     tun-ipv6 = true;
  52     up-restart = true;
  53     verb = 3;
  54   };
  55 };
  56 systemd.services."openvpn-${netns}" = {
  57   preStart = ''
  58     set -ex
  59     ${pkgs.curl}/bin/curl -v -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
  60     chmod 700 ${key-cert}
  61   '';
  62   unitConfig = {
  63     StartLimitIntervalSec = 0;
  64   };
  65   serviceConfig = {
  66     RuntimeDirectory = [ "openvpn-${netns}" ];
  67     RuntimeDirectoryMode = "0700";
  68   };
  69 };
  70 environment.systemPackages = [
  71   pkgs.riseup-vpn
  72 ];
  73 networking.nftables.ruleset = ''
  74   table inet filter {
  75     chain output-net {
  76       skuid root tcp dport https counter accept comment "OpenVPN Riseup"
  77     }
  78   }
  79 '';
  80 services.netns.namespaces.${netns} = {
  81   nftables = lib.mkBefore ''
  82     include "${inputs.julm-nix + "/nixos/profiles/networking/nftables.txt"}"
  83   '';
  84 };
  85 }