hosts/losurdo/networking/openvpn/calyx.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   netns = "calyx";
   4   inherit (config.services) openvpn;
   5   apiUrl = "https://api.calyx.net:4430/3/cert";
   6   ca = pkgs.fetchurl {
   7     url = "https://calyx.net/ca.crt";
   8     hash = "sha256-NKLkpjjeGMN07htuWydBMQ03ytxF9CLm8SLNl3IPPGc=";
   9     curlOpts = ["-k"];
  10   } + "";
  11   key-cert = "/run/openvpn-${netns}/key+cert.pem";
  12 in
  13 {
  14 services.openvpn.servers.${netns} = {
  15   inherit netns;
  16   settings = {
  17     remote =
  18       # new-york
  19       ["162.247.73.193"] ++
  20       [];
  21     port = "443";
  22     proto = "tcp";
  23     inherit ca;
  24     key = key-cert;
  25     cert = key-cert;
  26
  27     auth = "SHA1";
  28     cipher = "AES-128-CBC";
  29     client = true;
  30     dev = "ov-${netns}";
  31     dev-type = "tun";
  32     keepalive = "10 30";
  33     nobind = true;
  34     persist-key = true;
  35     persist-tun = true;
  36     remote-cert-tls = "server";
  37     reneg-sec = 0;
  38     script-security = 2;
  39     tls-cipher = "DHE-RSA-AES128-SHA";
  40     tls-client = true;
  41     tun-ipv6 = true;
  42     up-restart = true;
  43     verb = 3;
  44   };
  45 };
  46 systemd.services."openvpn-${netns}" = {
  47   preStart = ''
  48     set -e
  49     ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
  50     chmod 700 ${key-cert}
  51   '';
  52   serviceConfig = {
  53     RuntimeDirectory = [ "openvpn-${netns}" ];
  54     RuntimeDirectoryMode = "0700";
  55   };
  56 };
  57 networking.nftables.ruleset = ''
  58   add rule inet filter fw2net meta skuid root tcp dport 443 counter accept comment "OpenVPN Calyx"
  59   add rule inet filter fw2net meta skuid root tcp dport 4430 counter accept comment "OpenVPN Calyx (API)"
  60 '';
  61 services.netns.namespaces.${netns} = {
  62   nftables = lib.mkBefore ''
  63     table inet filter {
  64       include "${../../../../networking/nftables/filter.txt}"
  65       chain input {
  66         type filter hook input priority filter
  67         policy drop
  68         iifname lo accept
  69         jump check-tcp
  70         ct state { established, related } accept
  71         jump accept-connectivity-input
  72         jump check-broadcast
  73         ct state invalid drop
  74       }
  75       chain forward {
  76         type filter hook forward priority filter
  77         policy drop
  78         jump accept-connectivity-forward
  79       }
  80       chain output {
  81         type filter hook output priority filter
  82         policy drop
  83         oifname lo accept
  84         ct state { related, established } accept
  85         jump accept-connectivity-output
  86       }
  87     }
  88   '';
  89 };
  90 }