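{ pkgs, lib, config, ... }:
let
  ns = "riseup";
  inherit (config.services) openvpn;
  inherit (config.security) gnupg;
  # Single source of truth for the VPN endpoint. The OpenVPN `remote` line and
  # the egress firewall rule below are both derived from these two values, so
  # the firewall can never silently allow more (or less) than what OpenVPN
  # actually talks to.
  remoteAddr = "198.252.153.226";
  remotePort = 1194;
in
{
  # Root-namespace egress: allow OpenVPN's UDP traffic only towards the
  # configured endpoint (least privilege) instead of to any host on port 1194.
  # The TCP fallback stays disabled; re-enable it together with a matching
  # `remote ... tcp` line, and restrict it to the endpoint the same way.
  networking.nftables.ruleset = ''
    #add rule inet filter fw2net ip daddr ${remoteAddr} tcp dport {443,1194} counter accept comment "OpenVPN"
    add rule inet filter fw2net ip daddr ${remoteAddr} udp dport ${toString remotePort} counter accept comment "OpenVPN"
  '';

  # Dedicated network namespace for the tunnel. Every chain defaults to drop;
  # only loopback, conntrack-established flows and whatever
  # `accept-connectivity-*` (defined in the shared filter.txt) permits get
  # through. `ct state invalid drop` comes after the accepts on purpose:
  # invalid packets never match established/related, so the order is safe.
  services.netns.namespaces.${ns} = {
    nftables = lib.mkBefore ''
      table inet filter {
        include "${../../../../var/nftables/filter.txt}"
        chain input {
          type filter hook input priority filter
          policy drop
          iifname lo accept
          jump check-tcp
          ct state { established, related } accept
          jump accept-connectivity-input
          jump check-broadcast
          ct state invalid drop
        }
        chain forward {
          type filter hook forward priority filter
          policy drop
          jump accept-connectivity-forward
        }
        chain output {
          type filter hook output priority filter
          policy drop
          oifname lo accept
          ct state { related, established } accept
          jump accept-connectivity-output
        }
      }
    '';
  };

  # The username/password file is decrypted by the gnupg secrets unit at
  # runtime (not stored in /nix/store) and must exist before OpenVPN starts.
  security.gnupg.secrets."openvpn/${ns}/auth-user-pass" = {
    systemdConfig.before = [ "openvpn-${ns}.service" ];
    systemdConfig.wantedBy = [ "openvpn-${ns}.service" ];
  };

  services.openvpn.servers.${ns} = {
    # Dead configuration kept for reference (old TCP endpoints and a
    # client-certificate setup). Do NOT resurrect `key ${riseup/client.pem}`
    # as written: a `${path}` interpolation copies the file into the
    # world-readable Nix store, which is never acceptable for a private key.
    # Use a runtime-decrypted secret (as done for auth-user-pass) instead.
    /*
    cert ${riseup/client.pem}
    key ${riseup/client.pem}
    remote 37.218.241.7 1194 tcp4
    remote 37.218.241.106 443 tcp4
    remote 163.172.126.44 443 tcp4
    remote 198.252.153.28 443 tcp4
    remote 199.58.81.143 443 tcp4
    remote 199.58.81.145 443 tcp4
    remote 212.83.143.67 443 tcp4
    remote 212.83.144.12 443 tcp4
    remote 212.83.146.228 443 tcp4
    remote 212.83.165.160 443 tcp4
    remote 212.83.182.127 443 tcp4
    remote 212.129.62.247 443 tcp4
    ca ${riseup/cacert.pem}
    */
    netns = ns;
    settings = {
      verb = 3;
      # Runtime path of the decrypted credentials (see security.gnupg.secrets above).
      # NOTE(review): `auth-nocache = true` would keep the credentials out of
      # OpenVPN's process memory between renegotiations, but only works if the
      # decrypted file is still present at that time — confirm before enabling.
      auth-user-pass = gnupg.secrets."openvpn/${ns}/auth-user-pass".path;
      # Pinned CA. This path lands in /nix/store (world-readable), which is
      # fine for a public CA certificate but would not be for any private key.
      ca = riseup/RiseupCA.pem;
      client = true;
      dev = "ov-${ns}";
      dev-type = "tun";
      persist-tun = true;
      nobind = true;
      persist-key = true;
      tls-client = true;
      # Require the server certificate to carry the TLS server EKU, so a leaked
      # *client* certificate issued by the same CA cannot impersonate the server.
      # NOTE(review): no `verify-x509-name` is set, so any server-EKU cert from
      # RiseupCA is accepted — confirm that is the intended trust scope.
      remote-cert-tls = "server";
      remote = "${remoteAddr} ${toString remotePort} udp";
      # 0 disables client-initiated renegotiation only; the server side still
      # triggers its own renegotiations.
      reneg-sec = 0;
      # 2 lets OpenVPN execute external up/down scripts. None are declared in
      # this block; NOTE(review): keep 2 only if the netns wrapper installs
      # scripts that need it, otherwise lower to 1.
      script-security = 2;
      up-restart = true;
    };
  };
}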