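# Riseup OpenVPN client confined to its own network namespace (`netns`).
# The client key+certificate is fetched from Riseup's API at every service
# start into the unit's RuntimeDirectory; the CA used for that API call and
# for the tunnel's TLS verification is pinned by content hash below.
{ inputs, pkgs, lib, config, ... }:
let
  netns = "riseup";
  # Endpoint that hands out a client key+certificate on a credential-less POST.
  apiUrl = "https://api.black.riseup.net/3/cert";
  # CA published at black.riseup.net, pinned by hash so a changed CA fails the
  # build rather than being trusted silently. The trailing `+ ""` coerces the
  # derivation to its store path so it can be interpolated as a plain path.
  ca = pkgs.fetchurl
    {
      url = "https://black.riseup.net/ca.crt";
      hash = "sha256-Zdvnfz2k7iWlbgmmcUJrpJZ1dp7o0qXeJhP0HWJD7ro=";
    } + "";
  # Lives under /run (the unit's RuntimeDirectory), never in the Nix store.
  key-cert = "/run/openvpn-${netns}/key+cert.pem";
in
{
  services.openvpn.servers.${netns} = {
    inherit netns;
    settings = {
      remote =
        # amsterdam
        [ "212.83.182.127" "212.83.165.160" "212.129.4.141" ] ++
        # paris
        #["212.83.146.228" "212.83.143.67" "163.172.126.44"] ++
        # miami
        [ "37.218.244.249" "37.218.244.251" ] ++
        # montreal
        # NOTE(review): "199.58.83.10" appears twice — possibly a typo for
        # another host; with remote-random it also doubles that host's weight.
        [ "199.58.83.10" "199.58.83.10" "199.58.83.12" ] ++
        # new-york
        [ "185.220.103.12" ] ++
        # seattle
        # NOTE(review): "198.252.153.28" appears twice — same remark as above.
        [ "198.252.153.28" "198.252.153.28" ] ++
        [ ];
      # Pick a random remote from the list above on each connection attempt.
      remote-random = true;
      port = "443";
      proto = "tcp";
      # Only the pinned CA is trusted for the server certificate.
      inherit ca;
      key = key-cert;
      cert = key-cert;

      # NOTE(review): SHA1 HMAC, AES-128-CBC and a DHE-RSA/CBC/SHA TLS suite
      # are weak by current standards; presumably dictated by the provider —
      # verify whether the servers accept stronger settings before keeping them.
      auth = "SHA1";
      cipher = "AES-128-CBC";
      client = true;
      dev = "ov-${netns}";
      dev-type = "tun";
      keepalive = "10 30";
      nobind = true;
      persist-key = true;
      persist-tun = true;
      # Require the peer certificate to be marked as a server certificate, so
      # another client's certificate cannot impersonate the server.
      remote-cert-tls = "server";
      # 0 disables the client's time-based TLS renegotiation.
      reneg-sec = 0;
      # Level 2 lets OpenVPN run external scripts (needed for the up/down
      # handling of the tunnel).
      script-security = 2;
      tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
      tls-client = true;
      tun-ipv6 = true;
      up-restart = true;
      verb = 3;
    };
  };
  systemd.services."openvpn-${netns}" = {
    # Fetch a fresh key+certificate before each start. `umask 077` keeps the
    # file from ever being created world-readable, `--fail` turns an HTTP error
    # into a failed start instead of leaving an error body in ${key-cert}, and
    # the file is a plain file, so 0600 (not 0700) is the right mode.
    preStart = ''
      set -ex
      umask 077
      ${pkgs.curl}/bin/curl -v -X POST --fail --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
      chmod 600 ${key-cert}
    '';
    unitConfig = {
      # Never give up restarting: the certificate fetch fails while the
      # network is down and must be retried.
      StartLimitIntervalSec = 0;
    };
    serviceConfig = {
      # Directory holding the private key: owner-only access.
      RuntimeDirectory = [ "openvpn-${netns}" ];
      RuntimeDirectoryMode = "0700";
    };
  };
  environment.systemPackages = [
    pkgs.riseup-vpn
  ];
  # Host-side egress: root may open outbound TCP/443, which both the tunnel
  # transport (proto tcp, port 443 above) and the HTTPS certificate API use.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        skuid root tcp dport https counter accept comment "OpenVPN Riseup"
      }
    }
  '';
  services.netns.namespaces.${netns} = {
    # Base ruleset for the namespace, pulled from julm-nix.
    nftables = lib.mkBefore ''
      include "${inputs.julm-nix + "/nixos/profiles/networking/nftables.txt"}"
    '';
  };
}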