hosts/losurdo/networking/openvpn/calyx.nix

   1 { inputs, pkgs, lib, config, ... }:
   2 let
   3   netns = "calyx";
   4   inherit (config.services) openvpn;
   5   apiUrl = "https://api.calyx.net:4430/3/cert";
   6   ca = pkgs.fetchurl
   7     {
   8       url = "https://calyx.net/ca.crt";
   9       # WARNING: a change to that CA will likely not be detected
  10       # because it being already in the Nix store,
  11       # and cause the preStart to fail.
  12       hash = "sha256-zLs7TRXrHlPjqdaBN1cmbB062XhKs4cv5ajmrkg4O8s=";
  13       curlOptsList = [ "-k" ];
  14     } + "";
  15   key-cert = "/run/openvpn-${netns}/key+cert.pem";
  16 in
  17 {
  18   services.openvpn.servers.${netns} = {
  19     inherit netns;
  20     settings = {
  21       # See: https://gitlab.com/nitrohorse/bitmask-openvpn-generator
  22       remote =
  23         #  new-york (vpn2.calyx.net)
  24         [ "162.247.72.193" ] ++
  25         [ ];
  26       remote-random = true;
  27       port = "443";
  28       proto = "tcp";
  29       inherit ca;
  30       key = key-cert;
  31       cert = key-cert;
  32
  33       auth = "SHA1";
  34       client = true;
  35       dev = "ov-${netns}";
  36       dev-type = "tun";
  37       keepalive = "10 30";
  38       nobind = true;
  39       persist-key = true;
  40       persist-tun = true;
  41       remote-cert-tls = "server";
  42       reneg-sec = 0;
  43       script-security = 2;
  44       tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
  45       tls-client = true;
  46       up-restart = true;
  47       verb = 3;
  48     };
  49   };
  50   systemd.services."openvpn-${netns}" = {
  51     preStart = ''
  52       (
  53       set -ex
  54       ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -vLs ${apiUrl}
  55       chmod 700 ${key-cert}
  56       )
  57     '';
  58     unitConfig = {
  59       StartLimitIntervalSec = 0;
  60     };
  61     serviceConfig = {
  62       RuntimeDirectory = [ "openvpn-${netns}" ];
  63       RuntimeDirectoryMode = "0700";
  64     };
  65   };
  66   networking.nftables.ruleset = ''
  67     table inet filter {
  68       chain output-net {
  69         skuid root tcp dport https counter accept comment "OpenVPN Calyx"
  70         skuid root tcp dport 4430 counter accept comment "OpenVPN Calyx (API)"
  71       }
  72     }
  73   '';
  74   services.netns.namespaces.${netns} = {
  75     nftables = lib.mkBefore ''
  76       include "${inputs.julm-nix + "/nixos/profiles/networking/nftables.txt"}"
  77     '';
  78   };
  79 }