-{ inputs, pkgs, lib, config, ... }:
+{
+ inputs,
+ pkgs,
+ lib,
+ config,
+ ...
+}:
let
netns = "riseup";
inherit (config.services) openvpn;
services.openvpn.servers.${netns} = {
inherit netns;
settings = {
- # curl -Ls https://api.black.riseup.net/3/config/eip-service.json |
- # jq .gateways.'[]'.host
+ # curl -Ls https://api.black.riseup.net/3/config/eip-service.json | jq .gateways.'[]'.host
remote = [
"vpn01-sea.riseup.net"
"vpn02-par.riseup.net"
"vpn06-ams.riseup.net"
"vpn07-par.riseup.net"
"vpn08-par.riseup.net"
- "vpn09-mia.riseup.net"
"vpn10-mtl.riseup.net"
"vpn11-par.riseup.net"
"vpn12-nyc.riseup.net"
"vpn14-par.riseup.net"
"vpn15-sea.riseup.net"
"vpn16-sea.riseup.net"
- "vpn17-mia.riseup.net"
"vpn18-mtl.riseup.net"
"vpn19-ams.riseup.net"
"vpn20-par.riseup.net"
+ "vpn21-par.riseup.net"
+ "vpn22-mia.riseup.net"
+ "vpn23-mia.riseup.net"
];
remote-random = true;
port = "53";
proto = "udp";
- ca = pkgs.fetchurl
- {
+ ca =
+ pkgs.fetchurl {
url = "https://black.riseup.net/ca.crt";
hash = "sha256-+kzojhwMbFwcf9W6CzXcCaLzBtgeOgXp19XPrP3ZhFM=";
- } + "";
+ }
+ + "";
key = key-cert;
cert = key-cert;
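Review bot: Nothing visible in this hunk limits which certificate issued by the pinned CA is accepted as a gateway; the settings shown are only `ca`, `key` and `cert`. The `settings` block continues outside the hunk, so a peer-certificate check may already be set there. If it is not, add OpenVPN's `remote-cert-tls server` (here presumably `remote-cert-tls = "server";`, assuming the module passes attributes through as directives), so that a client certificate from the same CA cannot pose as one of the `remote` hosts. Pinning `ca.crt` by `hash` is good, because the build fails if the upstream file changes. A short comment on the trailing `+ ""` would help: it looks like a coercion of the fetched store path to a string, which is not obvious to the next reader.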
networking.nftables.ruleset = ''
table inet filter {
chain output-net {
- skuid root ${openvpn.servers.${netns}.settings.proto} dport ${openvpn.servers.${netns}.settings.port} counter accept comment "OpenVPN Riseup"
+ skuid root ${openvpn.servers.${netns}.settings.proto} dport ${
+ openvpn.servers.${netns}.settings.port
+ } counter accept comment "OpenVPN Riseup"
}
}
'';
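Review bot: The accept rule in `output-net` matches only `skuid root` plus protocol and port, and with the values from the settings hunk (`udp`, `53`) that lets any root-owned process send UDP/53 to any destination, not only the Riseup gateways. Since that port is also DNS, the rule doubles as an unfiltered DNS egress path for root, outside the tunnel. Consider narrowing it with a destination match, for example `ip daddr @riseup_gateways` (placeholder set name, filled with the gateway addresses), or running OpenVPN under a dedicated uid and matching that instead of root. Separately, the interpolation now spans three lines inside the ruleset string; binding the values once in the `let` (`inherit (openvpn.servers.${netns}.settings) proto port;`) and writing `${proto} dport ${port}` would keep the rule on one readable line. The rest of the table and chain is outside this hunk, so other rules may already constrain this traffic.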