From 2f0469e072a2722fdc51bc5bcc5b045c2d72313a Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm+sourcephile-nix@sourcephile.fr>
Date: Thu, 13 Jul 2023 10:48:24 +0200
Subject: [PATCH] losurdo: openvpn-calyx: update CA and IPv4

---
 hosts/losurdo/networking/openvpn/calyx.nix | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/hosts/losurdo/networking/openvpn/calyx.nix b/hosts/losurdo/networking/openvpn/calyx.nix
index f965e8d..5546dbc 100644
--- a/hosts/losurdo/networking/openvpn/calyx.nix
+++ b/hosts/losurdo/networking/openvpn/calyx.nix
@@ -6,7 +6,10 @@ let
   ca = pkgs.fetchurl
     {
       url = "https://calyx.net/ca.crt";
-      hash = "sha256-NKLkpjjeGMN07htuWydBMQ03ytxF9CLm8SLNl3IPPGc=";
+      # WARNING: a change to that CA will likely not be detected
+      # because it being already in the Nix store,
+      # and cause the preStart to fail.
+      hash = "sha256-zLs7TRXrHlPjqdaBN1cmbB062XhKs4cv5ajmrkg4O8s=";
       curlOptsList = [ "-k" ];
     } + "";
   key-cert = "/run/openvpn-${netns}/key+cert.pem";
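Review bot: The comment added above the new hash is hard to parse ("because it being already in the Nix store") and leaves out the part a maintainer needs: fetchurl is a fixed-output derivation, so the pinned hash is what protects the CA content, and the `-k` on the context line below only disables transport verification for the one-off fetch. I would reword it as `# NOTE: fetchurl is fixed-output, so a rotated upstream CA is not refetched; the hash pins the content (which is why curl -k is tolerable here) and a rotation only surfaces as a --cacert failure in preStart.` Stating how the new hash was verified out-of-band (fingerprint from a second channel, not just re-fetching with -k) would also help, if that was done. The `let` block this belongs to starts before the hunk.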
@@ -15,9 +18,10 @@ in
   services.openvpn.servers.${netns} = {
     inherit netns;
     settings = {
+      # See: https://gitlab.com/nitrohorse/bitmask-openvpn-generator
       remote =
-        # new-york
-        [ "162.247.73.193" ] ++
+        #  new-york (vpn2.calyx.net)
+        [ "162.247.72.193" ] ++
         [ ];
       remote-random = true;
       port = "443";
@@ -27,7 +31,6 @@ in
       cert = key-cert;
 
       auth = "SHA1";
-      cipher = "AES-128-CBC";
       client = true;
       dev = "ov-${netns}";
       dev-type = "tun";
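Review bot: Removing `cipher = "AES-128-CBC";` is not mentioned in the subject line and leaves no comment on why, so the next reader cannot tell whether the data-channel cipher is now negotiated (OpenVPN 2.5+ `data-ciphers`) or whether this was dropped by accident. A one-line comment where the setting was would settle it, for example `# data-channel cipher is negotiated via data-ciphers (OpenVPN >= 2.5); AES-128-CBC is not required anymore`. Note also that the surviving `auth = "SHA1";` only covers the control-channel HMAC (tls-auth/tls-crypt) once an AEAD cipher such as AES-GCM is negotiated, so it is worth stating that next to it rather than letting SHA1 look like the data-channel MAC. The `settings` block starts and ends outside the hunk.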
@@ -49,7 +52,7 @@ in
     preStart = ''
       (
       set -ex
-      ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -Ls ${apiUrl}
+      ${pkgs.curl}/bin/curl -X POST --cacert ${ca} -o ${key-cert} -vLs ${apiUrl}
       chmod 700 ${key-cert}
       )
     '';
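Review bot: The curl line still returns 0 on an HTTP 4xx/5xx response, so with `set -e` an error page would be written to `${key-cert}`, chmod'd, and only fail later when OpenVPN tries to parse it; adding `--fail` makes preStart stop at the real error. The key file is also created with the default umask and only restricted by the `chmod 700` afterwards, so setting `umask 077` before the fetch closes that window and makes the chmod redundant: `umask 077` then `${pkgs.curl}/bin/curl --fail -X POST --cacert ${ca} -o ${key-cert} -vLs ${apiUrl}`. The new `-v` sends request/response headers and the TLS handshake to the journal, not the body, so the fetched key is not logged, but keep that in mind if ${apiUrl} ever carries a token in a header or query string.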
-- 
2.47.2