# NixOS module: an OpenVPN client to Riseup confined to its own network
# namespace, plus the firewall rules that namespace and the host need.
{ pkgs, lib, config, ... }:
let
  # Name shared by the namespace, the OpenVPN instance and its tun device.
  netns = "riseup";

  # systemd unit the OpenVPN instance runs as; the credential secret is
  # ordered before it and pulled in by it.
  openvpnUnit = "openvpn-${netns}.service";

  # Key under security.gnupg.secrets holding the username/password file.
  credential = "openvpn/${netns}/auth-user-pass";

  # `openvpn` is bound but not referenced below; kept for parity with the
  # original module.
  inherit (config.services) openvpn;
  inherit (config.security) gnupg;
in
{
  # Ruleset inside the namespace. `lib.mkBefore` orders it ahead of any
  # other ruleset fragments the (presumably project-local) netns module
  # concatenates. All three base chains default to drop; the shared
  # check-*/accept-connectivity-* chains come from the included file.
  services.netns.namespaces.${netns}.nftables = lib.mkBefore ''
    table inet filter {
      include "${../../../../var/nftables/filter.txt}"

      chain input {
        type filter hook input priority filter
        policy drop
        iifname lo accept
        jump check-tcp
        ct state { established, related } accept
        jump accept-connectivity-input
        jump check-broadcast
        ct state invalid drop
      }

      chain forward {
        type filter hook forward priority filter
        policy drop
        jump accept-connectivity-forward
      }

      chain output {
        type filter hook output priority filter
        policy drop
        oifname lo accept
        ct state { related, established } accept
        jump accept-connectivity-output
      }
    }
  '';

  services.openvpn.servers.${netns} = {
    inherit netns;

    settings = {
      verb = 3;

      # Username/password are read from the gnupg-managed secret file
      # rather than being inlined here.
      auth-user-pass = gnupg.secrets.${credential}.path;

      # Only certificates chaining to the pinned Riseup CA are accepted,
      # and the peer certificate must be marked as a server certificate.
      ca = riseup/RiseupCA.pem;
      remote-cert-tls = "server";
      tls-client = true;
      client = true;

      dev = "ov-${netns}";
      dev-type = "tun";
      persist-tun = true;
      persist-key = true;
      nobind = true;

      # Literal address rather than a hostname, presumably so no DNS
      # resolution is needed before the tunnel is up — confirm.
      remote = "198.252.153.226 1194 udp";

      # 0 disables periodic TLS renegotiation, so one session key lasts
      # the whole connection. NOTE(review): confirm this is intended.
      reneg-sec = 0;

      # Level 2 lets OpenVPN run external scripts (e.g. up/down hooks);
      # presumably required by the namespace plumbing — confirm.
      script-security = 2;
      up-restart = true;
    };
  };

  # The decrypted credential must exist before the OpenVPN unit starts.
  security.gnupg.secrets.${credential}.systemdConfig = {
    before = [ openvpnUnit ];
    wantedBy = [ openvpnUnit ];
  };

  # Host-side rule: let the tunnel's UDP handshake/traffic leave towards
  # the internet (fw2net is defined elsewhere in the host ruleset).
  networking.nftables.ruleset = ''
    add rule inet filter fw2net udp dport 1194 counter accept comment "OpenVPN"
  '';
}