nix: update julm-nix input
[sourcephile-nix.git] / hosts / losurdo / networking / openvpn / calyx.nix
index f965e8d76a70cdbf053dc48b8a479b562ff0596b..5546dbc87b62d3481da7acfcdf4a5f8250fb14cb 100644 (file)
@@ -6,7 +6,10 @@ let
   ca = pkgs.fetchurl
     {
       url = "https://calyx.net/ca.crt";
-      hash = "sha256-NKLkpjjeGMN07htuWydBMQ03ytxF9CLm8SLNl3IPPGc=";
+      # WARNING: a change to that CA will likely not be detected
+      # because it being already in the Nix store,
+      # and cause the preStart to fail.
+      hash = "sha256-zLs7TRXrHlPjqdaBN1cmbB062XhKs4cv5ajmrkg4O8s=";
       curlOptsList = [ "-k" ];
     } + "";
   key-cert = "/run/openvpn-${netns}/key+cert.pem";
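Review bot: The new comment explains why a rotated CA would go unnoticed, but not the more important property of this fetch: `curlOptsList = [ "-k" ]` disables TLS verification while downloading the CA that the tunnel and the `preStart` curl then trust, so the fixed-output `hash` on the line below is the only integrity check on it. That makes every hash update a trust-on-first-use step that must be verified against something other than the download itself. I would add, next to the existing warning, `# -k: TLS verification is disabled for this fetch; the hash below is the only check on this CA, so confirm the new certificate out-of-band before bumping it.` The `let` block enclosing this attribute continues outside the hunk.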
@@ -15,9 +18,10 @@ in
   services.openvpn.servers.${netns} = {
     inherit netns;
     settings = {
+      # See: https://gitlab.com/nitrohorse/bitmask-openvpn-generator
       remote =
-        # new-york
-        [ "162.247.73.193" ] ++
+        #  new-york (vpn2.calyx.net)
+        [ "162.247.72.193" ] ++
         [ ];
       remote-random = true;
       port = "443";
@@ -27,7 +31,6 @@ in
       cert = key-cert;
 
       auth = "SHA1";
-      cipher = "AES-128-CBC";
       client = true;
       dev = "ov-${netns}";
       dev-type = "tun";
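Review bot: Dropping `cipher = "AES-128-CBC"` without adding a replacement leaves the data-channel cipher to the installed OpenVPN's defaults and to negotiation with the server, so the effective cipher now depends on the OpenVPN version rather than on this file; on 2.5+ the `data-ciphers` default (AEAD suites) applies, while older releases fell back to a weaker default. If the intent is to move to AEAD, pin it explicitly with `data-ciphers = "AES-256-GCM:AES-128-GCM";` so a downgrade is a visible config change. Note that `auth = "SHA1"` on the line above then only matters for the control channel / non-AEAD fallback, which is presumably fine but worth a comment. The `settings` attribute set enclosing this hunk starts and ends outside it.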
@@ -49,7 +52,7 @@ in
     preStart = ''
       (
       set -ex
-      ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
+      ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -vLs ${apiUrl}
       chmod 700 ${key-cert}
       )
     '';
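Review bot: The curl call still has no `--fail`, so a non-2xx response body is written to `${key-cert}`, `set -e` does not trip, and the following `chmod` leaves a bogus file in place that OpenVPN will then try to use as its key and certificate; adding `-v` only makes the failure easier to read in the journal, it does not prevent it. I would change the two lines to `${pkgs.curl}/bin/curl -X POST --fail --cacert ${ca} -o ${key-cert} -vLs ${apiUrl}` and `chmod 600 ${key-cert}`, since the file is a key and needs no execute bit. Separately, `-v` writes request and response headers to stderr, which lands in the service log; if that was added for debugging, consider removing it once the fetch is understood. The `services.openvpn.servers` block enclosing `preStart` continues outside the hunk.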