]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/networking/openvpn/riseup.nix
losurdo: docker: enable service
[sourcephile-nix.git] / hosts / losurdo / networking / openvpn / riseup.nix
1 { inputs, pkgs, lib, config, ... }:
2 let
3 netns = "riseup";
4 inherit (config.services) openvpn;
5 apiUrl = "https://api.black.riseup.net/3/cert";
6 key-cert = "/run/openvpn-${netns}/key+cert.pem";
7 in
8 {
9 services.openvpn.servers.${netns} = {
10 inherit netns;
11 settings = {
12 # curl -Ls https://api.black.riseup.net/3/config/eip-service.json |
13 # jq .gateways.'[]'.host
14 remote = [
15 "vpn01-sea.riseup.net"
16 "vpn02-par.riseup.net"
17 "vpn03-par.riseup.net"
18 "vpn04-ams.riseup.net"
19 "vpn05-par.riseup.net"
20 "vpn06-ams.riseup.net"
21 "vpn07-par.riseup.net"
22 "vpn08-par.riseup.net"
23 "vpn09-mia.riseup.net"
24 "vpn10-mtl.riseup.net"
25 "vpn11-par.riseup.net"
26 "vpn12-nyc.riseup.net"
27 "vpn13-ams.riseup.net"
28 "vpn14-par.riseup.net"
29 "vpn15-sea.riseup.net"
30 "vpn16-sea.riseup.net"
31 "vpn17-mia.riseup.net"
32 "vpn18-mtl.riseup.net"
33 "vpn19-ams.riseup.net"
34 "vpn20-par.riseup.net"
35 ];
36 remote-random = true;
37 port = "53";
38 proto = "udp";
39 ca = pkgs.fetchurl
40 {
41 url = "https://black.riseup.net/ca.crt";
42 hash = "sha256-+kzojhwMbFwcf9W6CzXcCaLzBtgeOgXp19XPrP3ZhFM=";
43 } + "";
44 key = key-cert;
45 cert = key-cert;
46
47 auth = "SHA1";
48 client = true;
49 dev = "ov-${netns}";
50 dev-type = "tun";
51 keepalive = "10 30";
52 nobind = true;
53 persist-key = true;
54 persist-tun = true;
55 remote-cert-tls = "server";
56 reneg-sec = 0;
57 script-security = 2;
58 tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
59 tls-client = true;
60 tun-ipv6 = true;
61 up-restart = true;
62 verb = 3;
63 };
64 };
65 systemd.services."openvpn-${netns}" = {
66 preStart = ''
67 (
68 set -ex
69 ${pkgs.curl}/bin/curl -v -X POST --cacert ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt -o ${key-cert} -Ls ${apiUrl}
70 chmod 700 ${key-cert}
71 )
72 '';
73 unitConfig = {
74 StartLimitIntervalSec = 0;
75 };
76 serviceConfig = {
77 RuntimeDirectory = [ "openvpn-${netns}" ];
78 RuntimeDirectoryMode = "0700";
79 };
80 };
81 environment.systemPackages = [
82 pkgs.riseup-vpn
83 ];
84 networking.nftables.ruleset = ''
85 table inet filter {
86 chain output-net {
87 skuid root ${openvpn.servers.${netns}.settings.proto} dport ${openvpn.servers.${netns}.settings.port} counter accept comment "OpenVPN Riseup"
88 }
89 }
90 '';
91 services.netns.namespaces.${netns} = {
92 nftables = lib.mkBefore ''
93 include "${inputs.julm-nix + "/nixos/profiles/networking/nftables.txt"}"
94 '';
95 };
96 }