1 { pkgs, lib, config, ... }:
4 inherit (config.services) openvpn;
5 apiUrl = "https://api.calyx.net:4430/3/cert";
7 url = "https://calyx.net/ca.crt";
8 hash = "sha256-NKLkpjjeGMN07htuWydBMQ03ytxF9CLm8SLNl3IPPGc=";
11 key-cert = "/run/openvpn-${netns}/key+cert.pem";
14 services.openvpn.servers.${netns} = {
28 cipher = "AES-128-CBC";
36 remote-cert-tls = "server";
39 tls-cipher = "DHE-RSA-AES128-SHA";
46 systemd.services."openvpn-${netns}" = {
50 ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
55 RuntimeDirectory = [ "openvpn-${netns}" ];
56 RuntimeDirectoryMode = "0700";
59 networking.nftables.ruleset = ''
60 add rule inet filter fw2net meta skuid root tcp dport 443 counter accept comment "OpenVPN Calyx"
61 add rule inet filter fw2net meta skuid root tcp dport 4430 counter accept comment "OpenVPN Calyx (API)"
63 services.netns.namespaces.${netns} = {
64 nftables = lib.mkBefore ''
66 include "${../../../../networking/nftables/filter.txt}"
68 type filter hook input priority filter
72 ct state { established, related } accept
73 jump accept-connectivity-input
78 type filter hook forward priority filter
80 jump accept-connectivity-forward
83 type filter hook output priority filter
86 ct state { related, established } accept
87 jump accept-connectivity-output