nix-dotfiles/hosts/tsuki/services/openvpn.nix

{ config, pkgs, secrets, ... }:
let
  inherit (secrets) ips ports;
in {
  services = {
    openvpn.servers = let
      inherit (secrets.keys.certificates) openvpn CA server;
      inherit (secrets.openvpn) ip-range;
    in {
      tsuki = {
        config = ''
          dev tap
          server-bridge ${ips.tsuki} 255.255.255.0 ${ip-range.start} ${ip-range.end} 
          local 0.0.0.0
          port ${toString ports.openvpn}
          user nobody
          group nogroup
          comp-lzo no
          push 'comp-lzo no'
          persist-key
          persist-tun
          keepalive 10 120
          topology subnet
          push "dhcp-option DNS 1.1.1.1"
          push "dhcp-option DNS 8.8.8.8"
          dh none
          ecdh-curve prime256v1
          tls-crypt ${openvpn.tls-crypt}
          ca ${CA.crt}
          cert ${server.crt}
          key ${server.key}
          auth SHA256
          cipher AES-128-GCM
          ncp-ciphers AES-128-GCM
          tls-server
          tls-version-min 1.2
          tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
          status /var/openvpn/status.log
          verb 3
        '';
        autoStart = false;
        updateResolvConf = true;
      };
    };
  };

  networking.firewall = {
    allowedUDPPorts = [ ports.openvpn ];
    allowedTCPPorts = [ ports.openvpn ];
  };

  # networking.bridges.br0.interfaces = [ "tap0" "ens18" ];
}
Initial commit 2022-03-07 16:01:52 +01:00			`{ config, pkgs, secrets, ... }:`
			`let`
			`inherit (secrets) ips ports;`
			`in {`
			`services = {`
			`openvpn.servers = let`
			`inherit (secrets.keys.certificates) openvpn CA server;`
			`inherit (secrets.openvpn) ip-range;`
			`in {`
			`tsuki = {`
			`config = ''`
			`dev tap`
			`server-bridge ${ips.tsuki} 255.255.255.0 ${ip-range.start} ${ip-range.end}`
			`local 0.0.0.0`
			`port ${toString ports.openvpn}`
			`user nobody`
			`group nogroup`
			`comp-lzo no`
			`push 'comp-lzo no'`
			`persist-key`
			`persist-tun`
			`keepalive 10 120`
			`topology subnet`
			`push "dhcp-option DNS 1.1.1.1"`
			`push "dhcp-option DNS 8.8.8.8"`
			`dh none`
			`ecdh-curve prime256v1`
			`tls-crypt ${openvpn.tls-crypt}`
			`ca ${CA.crt}`
			`cert ${server.crt}`
			`key ${server.key}`
			`auth SHA256`
			`cipher AES-128-GCM`
			`ncp-ciphers AES-128-GCM`
			`tls-server`
			`tls-version-min 1.2`
			`tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256`
			`status /var/openvpn/status.log`
			`verb 3`
			`'';`
			`autoStart = false;`
			`updateResolvConf = true;`
			`};`
			`};`
			`};`

			`networking.firewall = {`
			`allowedUDPPorts = [ ports.openvpn ];`
			`allowedTCPPorts = [ ports.openvpn ];`
			`};`

			`# networking.bridges.br0.interfaces = [ "tap0" "ens18" ];`
			`}`