mermet: knot: use builtins.path
[sourcephile-nix.git] / hosts / losurdo / networking / openvpn / riseup.nix
index 7e7e6ca2630716574a24ff67740568ea5f7da5ca..670d9aaa3a8f40b3b60a9d68ab1d7f80d9b6134a 100644 (file)
@@ -1,99 +1,96 @@
-{ pkgs, lib, config, ... }:
+{ inputs, pkgs, lib, config, ... }:
 let
   netns = "riseup";
   inherit (config.services) openvpn;
   apiUrl = "https://api.black.riseup.net/3/cert";
-  ca = pkgs.fetchurl {
-    url = "https://black.riseup.net/ca.crt";
-    hash = "sha256-Zdvnfz2k7iWlbgmmcUJrpJZ1dp7o0qXeJhP0HWJD7ro=";
-  } + "";
   key-cert = "/run/openvpn-${netns}/key+cert.pem";
 in
 {
-services.openvpn.servers.${netns} = {
-  inherit netns;
-  settings = {
-    remote =
-      # amsterdam
-      ["212.83.182.127" "212.83.165.160" "212.129.4.141"] ++
-      # paris
-      #["212.83.146.228" "212.83.143.67" "163.172.126.44"] ++
-      # miami
-      ["37.218.244.249" "37.218.244.251"] ++
-      # montreal
-      ["199.58.83.10" "199.58.83.10" "199.58.83.12"] ++
-      # new-york
-      ["185.220.103.12"] ++
-      # seattle
-      ["198.252.153.28" "198.252.153.28"] ++
-      [];
-    remote-random = true;
-    port = "443";
-    proto = "tcp";
-    inherit ca;
-    key = key-cert;
-    cert = key-cert;
+  services.openvpn.servers.${netns} = {
+    inherit netns;
+    settings = {
+      # curl -Ls https://api.black.riseup.net/3/config/eip-service.json |
+      # jq .gateways.'[]'.host
+      remote = [
+        "vpn01-sea.riseup.net"
+        "vpn02-par.riseup.net"
+        "vpn03-par.riseup.net"
+        "vpn04-ams.riseup.net"
+        "vpn05-par.riseup.net"
+        "vpn06-ams.riseup.net"
+        "vpn07-par.riseup.net"
+        "vpn08-par.riseup.net"
+        "vpn09-mia.riseup.net"
+        "vpn10-mtl.riseup.net"
+        "vpn11-par.riseup.net"
+        "vpn12-nyc.riseup.net"
+        "vpn13-ams.riseup.net"
+        "vpn14-par.riseup.net"
+        "vpn15-sea.riseup.net"
+        "vpn16-sea.riseup.net"
+        "vpn17-mia.riseup.net"
+        "vpn18-mtl.riseup.net"
+        "vpn19-ams.riseup.net"
+        "vpn20-par.riseup.net"
+      ];
+      remote-random = true;
+      port = "53";
+      proto = "udp";
+      ca = pkgs.fetchurl
+        {
+          url = "https://black.riseup.net/ca.crt";
+          hash = "sha256-+kzojhwMbFwcf9W6CzXcCaLzBtgeOgXp19XPrP3ZhFM=";
+        } + "";
+      key = key-cert;
+      cert = key-cert;
 
-    auth = "SHA1";
-    cipher = "AES-128-CBC";
-    client = true;
-    dev = "ov-${netns}";
-    dev-type = "tun";
-    keepalive = "10 30";
-    nobind = true;
-    persist-key = true;
-    persist-tun = true;
-    remote-cert-tls = "server";
-    reneg-sec = 0;
-    script-security = 2;
-    tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
-    tls-client = true;
-    tun-ipv6 = true;
-    up-restart = true;
-    verb = 3;
+      auth = "SHA1";
+      client = true;
+      dev = "ov-${netns}";
+      dev-type = "tun";
+      keepalive = "10 30";
+      nobind = true;
+      persist-key = true;
+      persist-tun = true;
+      remote-cert-tls = "server";
+      reneg-sec = 0;
+      script-security = 2;
+      tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
+      tls-client = true;
+      tun-ipv6 = true;
+      up-restart = true;
+      verb = 3;
+    };
   };
-};
-systemd.services."openvpn-${netns}" = {
-  preStart = ''
-    set -e
-    ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
-    chmod 700 ${key-cert}
-  '';
-  serviceConfig = {
-    RuntimeDirectory = [ "openvpn-${netns}" ];
-    RuntimeDirectoryMode = "0700";
+  systemd.services."openvpn-${netns}" = {
+    preStart = ''
+      (
+      set -ex
+      ${pkgs.curl}/bin/curl -v -X POST --cacert ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt -o ${key-cert} -Ls ${apiUrl}
+      chmod 700 ${key-cert}
+      )
+    '';
+    unitConfig = {
+      StartLimitIntervalSec = 0;
+    };
+    serviceConfig = {
+      RuntimeDirectory = [ "openvpn-${netns}" ];
+      RuntimeDirectoryMode = "0700";
+    };
   };
-};
-networking.nftables.ruleset = ''
-  add rule inet filter fw2net meta skuid root tcp dport 443 counter accept comment "OpenVPN Riseup"
-'';
-services.netns.namespaces.${netns} = {
-  nftables = lib.mkBefore ''
+  environment.systemPackages = [
+    pkgs.riseup-vpn
+  ];
+  networking.nftables.ruleset = ''
     table inet filter {
-      include "${../../../../networking/nftables/filter.txt}"
-      chain input {
-        type filter hook input priority filter
-        policy drop
-        iifname lo accept
-        jump check-tcp
-        ct state { established, related } accept
-        jump accept-connectivity-input
-        jump check-broadcast
-        ct state invalid drop
-      }
-      chain forward {
-        type filter hook forward priority filter
-        policy drop
-        jump accept-connectivity-forward
-      }
-      chain output {
-        type filter hook output priority filter
-        policy drop
-        oifname lo accept
-        ct state { related, established } accept
-        jump accept-connectivity-output
+      chain output-net {
+        skuid root ${openvpn.servers.${netns}.settings.proto} dport ${openvpn.servers.${netns}.settings.port} counter accept comment "OpenVPN Riseup"
       }
     }
   '';
-};
+  services.netns.namespaces.${netns} = {
+    nftables = lib.mkBefore ''
+      include "${inputs.julm-nix + "/nixos/profiles/networking/nftables.txt"}"
+    '';
+  };
 }
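Review bot: The curl call in preStart (the line after `set -ex`) has no `--fail`, so an HTTP error response from the enrolment API is written to `${key-cert}` with exit status 0 and the unit proceeds with a bogus key file; `${pkgs.curl}/bin/curl -f -v -X POST --cacert ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt -o ${key-cert} -Ls ${apiUrl}` makes that a preStart failure instead. The private key is also created with the default umask and only tightened by the later `chmod 700`; adding `umask 077` before the curl line closes that window (RuntimeDirectoryMode 0700 on the parent already limits exposure, so this is defence in depth). The new `output-net` rule accepts every root-originated `udp dport 53` packet, not only the OpenVPN session, so it also whitelists any DNS traffic root sends; if the server list allows it, scoping by destination or by a dedicated openvpn user would make the `"OpenVPN Riseup"` comment accurate. The retained `auth = "SHA1"` and `tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"` together with the removed `cipher` line presumably mirror what the gateways offer, but a one-line comment stating that these are server-imposed would stop the next reader from treating them as a local choice. Note that `StartLimitIntervalSec = 0` removes start rate limiting, so a persistent API failure now retries the POST without bound.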