nix: update julm-nix input

[sourcephile-nix.git] / hosts / losurdo / networking / openvpn / calyx.nix

diff --git a/hosts/losurdo/networking/openvpn/calyx.nix b/hosts/losurdo/networking/openvpn/calyx.nix
index 4672a88c40fefa2d7655239ea5c3c8708fcf6e4e..5546dbc87b62d3481da7acfcdf4a5f8250fb14cb 100644 (file)
--- a/hosts/losurdo/networking/openvpn/calyx.nix
+++ b/hosts/losurdo/networking/openvpn/calyx.nix
@@ -1,90 +1,77 @@
-{ pkgs, lib, config, ... }:
+{ inputs, pkgs, lib, config, ... }:
 let
   netns = "calyx";
   inherit (config.services) openvpn;
   apiUrl = "https://api.calyx.net:4430/3/cert";
-  ca = pkgs.fetchurl {
-    url = "https://calyx.net/ca.crt";
-    hash = "sha256-NKLkpjjeGMN07htuWydBMQ03ytxF9CLm8SLNl3IPPGc=";
-    curlOpts = ["-k"];
-  } + "";
+  ca = pkgs.fetchurl
+    {
+      url = "https://calyx.net/ca.crt";
+      # WARNING: a change to that CA will likely not be detected
+      # because it being already in the Nix store,
+      # and cause the preStart to fail.
+      hash = "sha256-zLs7TRXrHlPjqdaBN1cmbB062XhKs4cv5ajmrkg4O8s=";
+      curlOptsList = [ "-k" ];
+    } + "";
   key-cert = "/run/openvpn-${netns}/key+cert.pem";
 in
 {
-services.openvpn.servers.${netns} = {
-  inherit netns;
-  settings = {
-    remote =
-      # new-york
-      ["162.247.73.193"] ++
-      [];
-    port = "443";
-    proto = "tcp";
-    inherit ca;
-    key = key-cert;
-    cert = key-cert;
+  services.openvpn.servers.${netns} = {
+    inherit netns;
+    settings = {
+      # See: https://gitlab.com/nitrohorse/bitmask-openvpn-generator
+      remote =
+        #  new-york (vpn2.calyx.net)
+        [ "162.247.72.193" ] ++
+        [ ];
+      remote-random = true;
+      port = "443";
+      proto = "tcp";
+      inherit ca;
+      key = key-cert;
+      cert = key-cert;
 
-    auth = "SHA1";
-    cipher = "AES-128-CBC";
-    client = true;
-    dev = "ov-${netns}";
-    dev-type = "tun";
-    keepalive = "10 30";
-    nobind = true;
-    persist-key = true;
-    persist-tun = true;
-    remote-cert-tls = "server";
-    reneg-sec = 0;
-    script-security = 2;
-    tls-cipher = "DHE-RSA-AES128-SHA";
-    tls-client = true;
-    tun-ipv6 = true;
-    up-restart = true;
-    verb = 3;
+      auth = "SHA1";
+      client = true;
+      dev = "ov-${netns}";
+      dev-type = "tun";
+      keepalive = "10 30";
+      nobind = true;
+      persist-key = true;
+      persist-tun = true;
+      remote-cert-tls = "server";
+      reneg-sec = 0;
+      script-security = 2;
+      tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
+      tls-client = true;
+      tun-ipv6 = true;
+      up-restart = true;
+      verb = 3;
+    };
   };
-};
-systemd.services."openvpn-${netns}" = {
-  preStart = ''
-    set -e
-    ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
-    chmod 700 ${key-cert}
-  '';
-  serviceConfig = {
-    RuntimeDirectory = [ "openvpn-${netns}" ];
-    RuntimeDirectoryMode = "0700";
+  systemd.services."openvpn-${netns}" = {
+    preStart = ''
+      (
+      set -ex
+      ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -vLs ${apiUrl}
+      chmod 700 ${key-cert}
+      )
+    '';
+    serviceConfig = {
+      RuntimeDirectory = [ "openvpn-${netns}" ];
+      RuntimeDirectoryMode = "0700";
+    };
   };
-};
-networking.nftables.ruleset = ''
-  add rule inet filter fw2net meta skuid root tcp dport 443 counter accept comment "OpenVPN Calyx"
-  add rule inet filter fw2net meta skuid root tcp dport 4430 counter accept comment "OpenVPN Calyx (API)"
-'';
-services.netns.namespaces.${netns} = {
-  nftables = lib.mkBefore ''
+  networking.nftables.ruleset = ''
     table inet filter {
-      include "${../../../../networking/nftables/filter.txt}"
-      chain input {
-        type filter hook input priority filter
-        policy drop
-        iifname lo accept
-        jump check-tcp
-        ct state { established, related } accept
-        jump accept-connectivity-input
-        jump check-broadcast
-        ct state invalid drop
-      }
-      chain forward {
-        type filter hook forward priority filter
-        policy drop
-        jump accept-connectivity-forward
-      }
-      chain output {
-        type filter hook output priority filter
-        policy drop
-        oifname lo accept
-        ct state { related, established } accept
-        jump accept-connectivity-output
+      chain output-net {
+        skuid root tcp dport https counter accept comment "OpenVPN Calyx"
+        skuid root tcp dport 4430 counter accept comment "OpenVPN Calyx (API)"
       }
     }
   '';
-};
+  services.netns.namespaces.${netns} = {
+    nftables = lib.mkBefore ''
+      include "${inputs.julm-nix + "/nixos/profiles/networking/nftables.txt"}"
+    '';
+  };
 }