depot/hosts/VEGAS/services/openvpn/default.nix

{ config, hosts, lib, pkgs, tools, ... }:
let
  inherit (hosts.${config.networking.hostName}) interfaces;
  inherit (interfaces) vstub;
  inherit (config.networking) hostName;

  sharedConfig = pkgs.writeText "openvpn-shared.conf" ''
    port 51194
    float
    mssfix 1340

    topology subnet
    client-to-client
    persist-key
    persist-tun

    # vpn supernet
    push "route 10.100.0.0 255.255.0.0"
    # internal services supernet
    push "route 10.10.0.0 255.255.0.0"
    # host machine virtual stub
    push "route ${vstub.addr} 255.255.255.255"

    # dns config
    push "dhcp-option DOMAIN vpn.${tools.meta.domain}"
    push "dhcp-option DNS ${vstub.addr}"

    ca ${../../../../data/vpn-ca-bundle.crt}
    cert ${../../../../data + "/vpn-host-${hostName}.crt"}
    key ${config.age.secrets.vpn-host-key.path}
    dh ${config.security.dhparams.params.vpn.path}
  '';
in
{
  age.secrets.vpn-host-key = {
    file = ../../../../secrets + "/vpn-host-key-${hostName}.age";
    mode = "0400";
  };
  security.dhparams.params.vpn.bits = 4096;
  networking.firewall = {
    allowedTCPPorts = [ 51194 ];
    allowedUDPPorts = [ 51194 ];
  };
  networking.nat.internalInterfaces = [
    "tun-storm"
    "tun-cyclone"
  ];

  services.openvpn.servers = {
    storm = {
      autoStart = true;
      config = ''
        proto udp4
        dev tun-storm
        server 10.100.0.0 255.255.255.0
        config ${sharedConfig}
      '';
    };
    cyclone = {
      autoStart = true;
      config = ''
        proto tcp4
        dev tun-cyclone
        server 10.100.1.0 255.255.255.0
        config ${sharedConfig}
      '';
    };
  };
  systemd.services = lib.genAttrs (map (x: "openvpn-${x}") (builtins.attrNames config.services.openvpn.servers)) (_: {
    wants = [ "dhparams-gen-vpn.service" ];
    after = [ "dhparams-gen-vpn.service" ];
  });
}
VEGAS: add OpenVPN 2021-10-16 20:59:19 +03:00			`{ config, hosts, lib, pkgs, tools, ... }:`
			`let`
			`inherit (hosts.${config.networking.hostName}) interfaces;`
			`inherit (interfaces) vstub;`
			`inherit (config.networking) hostName;`

			`sharedConfig = pkgs.writeText "openvpn-shared.conf" ''`
			`port 51194`
			`float`
			`mssfix 1340`

			`topology subnet`
			`client-to-client`
			`persist-key`
			`persist-tun`

			`# vpn supernet`
			`push "route 10.100.0.0 255.255.0.0"`
			`# internal services supernet`
			`push "route 10.10.0.0 255.255.0.0"`
			`# host machine virtual stub`
			`push "route ${vstub.addr} 255.255.255.255"`

			`# dns config`
			`push "dhcp-option DOMAIN vpn.${tools.meta.domain}"`
			`push "dhcp-option DNS ${vstub.addr}"`

			`ca ${../../../../data/vpn-ca-bundle.crt}`
			`cert ${../../../../data + "/vpn-host-${hostName}.crt"}`
			`key ${config.age.secrets.vpn-host-key.path}`
			`dh ${config.security.dhparams.params.vpn.path}`
			`'';`
			`in`
			`{`
			`age.secrets.vpn-host-key = {`
			`file = ../../../../secrets + "/vpn-host-key-${hostName}.age";`
			`mode = "0400";`
			`};`
			`security.dhparams.params.vpn.bits = 4096;`
			`networking.firewall = {`
			`allowedTCPPorts = [ 51194 ];`
			`allowedUDPPorts = [ 51194 ];`
			`};`
			`networking.nat.internalInterfaces = [`
			`"tun-storm"`
			`"tun-cyclone"`
			`];`

			`services.openvpn.servers = {`
			`storm = {`
			`autoStart = true;`
			`config = ''`
			`proto udp4`
			`dev tun-storm`
			`server 10.100.0.0 255.255.255.0`
			`config ${sharedConfig}`
			`'';`
			`};`
			`cyclone = {`
			`autoStart = true;`
			`config = ''`
			`proto tcp4`
			`dev tun-cyclone`
			`server 10.100.1.0 255.255.255.0`
			`config ${sharedConfig}`
			`'';`
			`};`
			`};`
			`systemd.services = lib.genAttrs (map (x: "openvpn-${x}") (builtins.attrNames config.services.openvpn.servers)) (_: {`
			`wants = [ "dhparams-gen-vpn.service" ];`
			`after = [ "dhparams-gen-vpn.service" ];`
			`});`
			`}`