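# OpenVPN client for the Calyx VPN, confined to its own network namespace.
# The client key+certificate is not kept in the repository: the unit's
# preStart fetches it from the Calyx API into the service's RuntimeDirectory
# before every start.
{ pkgs, lib, config, ... }:
let
  netns = "calyx";
  apiUrl = "https://api.calyx.net:4430/3/cert";
  # Calyx's CA certificate, pinned by content hash. The download itself runs
  # with TLS verification disabled (-k), so the pinned hash is the only thing
  # establishing trust in this CA; verify it out of band whenever it changes.
  ca = pkgs.fetchurl {
    url = "https://calyx.net/ca.crt";
    hash = "sha256-NKLkpjjeGMN07htuWydBMQ03ytxF9CLm8SLNl3IPPGc=";
    curlOpts = ["-k"];
  } + "";
  # Combined private key + certificate as delivered by the API. It lives in
  # the RuntimeDirectory declared below (mode 0700), never in the Nix store.
  key-cert = "/run/openvpn-${netns}/key+cert.pem";
in
{
  services.openvpn.servers.${netns} = {
    inherit netns;
    settings = {
      remote =
        # new-york
        ["162.247.73.193"] ++
        [];
      port = "443";
      proto = "tcp";
      inherit ca;
      key = key-cert;
      cert = key-cert;

      # NOTE(review): SHA1 HMAC, AES-128-CBC and the DHE-RSA-AES128-SHA TLS
      # cipher are legacy choices; presumably dictated by the Calyx server
      # side -- confirm with the provider before tightening.
      auth = "SHA1";
      cipher = "AES-128-CBC";
      client = true;
      dev = "ov-${netns}";
      dev-type = "tun";
      keepalive = "10 30";
      nobind = true;
      persist-key = true;
      persist-tun = true;
      # Only accept a peer certificate issued for server use, so another
      # client certificate from the same CA cannot impersonate the server.
      remote-cert-tls = "server";
      reneg-sec = 0;
      script-security = 2;
      tls-cipher = "DHE-RSA-AES128-SHA";
      tls-client = true;
      tun-ipv6 = true;
      up-restart = true;
      verb = 3;
    };
  };
  systemd.services."openvpn-${netns}" = {
    # Fetch a fresh key+cert from the Calyx API before each start.
    # umask 077 creates the file private from the outset; --fail turns an HTTP
    # error into a non-zero exit (aborting the unit under set -e) instead of
    # silently writing the error body into the key file; a key file needs
    # no execute bit, hence 600 rather than 700.
    preStart = ''
      (
      set -ex
      umask 077
      ${pkgs.curl}/bin/curl --fail -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
      chmod 600 ${key-cert}
      )
    '';
    serviceConfig = {
      RuntimeDirectory = [ "openvpn-${netns}" ];
      RuntimeDirectoryMode = "0700";
    };
  };
  # Host-side egress: root may reach the VPN endpoint (443) and the
  # certificate API (4430); everything else follows the fw2net chain's
  # existing policy.
  networking.nftables.ruleset = ''
    add rule inet filter fw2net meta skuid root tcp dport 443 counter accept comment "OpenVPN Calyx"
    add rule inet filter fw2net meta skuid root tcp dport 4430 counter accept comment "OpenVPN Calyx (API)"
  '';
  # Firewall inside the namespace: default drop on every hook, loopback and
  # established/related traffic allowed, the rest delegated to the chains
  # defined in the shared filter.txt (check-tcp, accept-connectivity-*,
  # check-broadcast -- their contents are not visible here).
  services.netns.namespaces.${netns} = {
    nftables = lib.mkBefore ''
      table inet filter {
        include "${../../../../networking/nftables/filter.txt}"
        chain input {
          type filter hook input priority filter
          policy drop
          iifname lo accept
          jump check-tcp
          ct state { established, related } accept
          jump accept-connectivity-input
          jump check-broadcast
          ct state invalid drop
        }
        chain forward {
          type filter hook forward priority filter
          policy drop
          jump accept-connectivity-forward
        }
        chain output {
          type filter hook output priority filter
          policy drop
          oifname lo accept
          ct state { related, established } accept
          jump accept-connectivity-output
        }
      }
    '';
  };
}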