VEGAS: add OpenVPN
This commit is contained in:
parent
32e41ddcd9
commit
3c15c90258
6 changed files with 160 additions and 0 deletions
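--- a/data/vpn-ca-bundle.crt
+++ b/data/vpn-ca-bundle.crt
@@ -0,0 +1,54 @@
+-----BEGIN CERTIFICATE-----
+MIIElzCCAv+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA6MRgwFgYDVQQKDA9QUklW
+QVRFVk9JRC5ORVQxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0x
+OTA4MTcxMzQ3NThaFw0zOTA4MTcxMzQ3NThaMDoxGDAWBgNVBAoMD1BSSVZBVEVW
+T0lELk5FVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBojANBgkq
+hkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA24YctyMKaCy4gYaWw5O28GW45OML8PAC
+DZjeV6fksrI2VlaYYQgQgRrSpFc/f5PL/vl+tlqUmMkVgwkHfA1E0HDS5yl4/13J
+nbkbvhLpaXB7ex0kox17dY7c/ZQuN4/DQHh6R5TT9pCKJBPc7za4GnDuv/s6ww/3
+Vn4ath3m8WfaPpIXd1/HG3z9Dz3hmH0fww9vsiDXhGxHzZjxjiNaeM9EMh2297E3
+yA8wZ4gwCB3wuMKUS/tSJgLOGcRaZgAc+cUIUK6lHqLN8JP7ACpkf1czfEGSTksu
+RFNNW2XihXdcE+zh5925buLGpNOQzNwmzdQLrzGPm/IHRluqA361IfqUmR3Oxxr6
+vxVG2E9spbRodSKR5884Cg18frAnWk+2HPvW9bsxJpd/GX4sLgjwKDZ43eZ0HoBW
+kzfmowJidMB710O5MQOr7Urzl3Qef735Vbc8siKk0gwZasQap59APk5meDtIX7yP
+BkwiSUpCR6ynsUck7FliJ2wt022REFcDAgMBAAGjgacwgaQwHwYDVR0jBBgwFoAU
+8LCS6AW2IgDn+b4+nfst+CiFO88wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
+BAMCAcYwHQYDVR0OBBYEFPCwkugFtiIA5/m+Pp37LfgohTvPMEEGCCsGAQUFBwEB
+BDUwMzAxBggrBgEFBQcwAYYlaHR0cDovL2lwYS1jYS5wcml2YXRldm9pZC5uZXQv
+Y2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAYEAFpue77wmQIF7WMVdrmAmB2fBJSTH
+qoRTcP5enPIVoS5fi/bhMeIW4iADKRtCo9YezLqAPWoQ+UzDOObmAa3yx/pfJqhV
+wMt7E2FvQXkef9v9wcsXSSNE4SWD4UefDBFiTtGcNR4SVAqWAJF4Yym6kjE0OLs7
+it4kpvQBC9uxTcBHHIWMhJ85hZbMbTQ1GG1iluhxJFOpl2Zm7GBax2E3a+Fs/msx
+yUIGe7ugVKiWX2Cx4e/kEmWogGESeNVEXYnDPxztr+mu5rbzRNU32FzWRlxG1qg3
+e77KjTrHC63w230t/Pw7wuYQJzX25bkqIaQat9Xfw/ODtZqrStVwJAooD8z5zpYG
+ul9ndmXfM6okRy7eJoSF1nijHNo9p4k+IsAu8j2UShjfTglBTjWA6ZHWuji4AArw
+qCdKu2v/DqnGhNAt6zRTmOMW7tct/VBwJtpDdB4IzG+EvH6JdIxQpDew5LuPwbk5
+c7VzeA8sxGbslFyLO3Oa1Yy87uQSes+uBHhq
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEnDCCAwSgAwIBAgIBHzANBgkqhkiG9w0BAQsFADA6MRgwFgYDVQQKDA9QUklW
+QVRFVk9JRC5ORVQxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0y
+MDA0MjcxMjI3MDBaFw00MDA0MjcxMjI3MDBaMD8xGDAWBgNVBAoMD1BSSVZBVEVW
+T0lELk5FVDEjMCEGA1UEAwwaUHJpdmF0ZSBWb2lkIFZQTiBBdXRob3JpdHkwggGi
+MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCv/EZR+YWCMwrfb5gMyFe/257a
+rIrClOz8omD1qmKEk/oj7mKqROV20LBELMV52tAXJOVEIUSDi9OhQ8qryWZyRGa9
+4iQ9DvzlP8BER2NP2xjuT8NRMo7yzl2ge0PlLD6si8N1rkXKlfrvKkFEgqlPNnl0
+AScM0SfSkG7y1g+bnsfF2uSj/p3i+FO0zoEIfBC8oKWgcmmV7p/HCdCjVEY7CBfR
+KR6gbRxK+hxSsH8SfCV/MZev9jFCV+vWO5YvATGCrZjqVaaPp34fBGWSLLzQ3yLj
+2OvVD8fgxyKPdNHgao7PmTh5QrzrXpichjSxUvGbm/Hz+xhr3uW+sTnCtXogchHm
+0+CAhmNdfCr4ctR7WcY146YUhVcO+T/If7KgMhQBejkGqOBuRgrxLQ2xHL6G9oQx
+278b/BIDl1jWvZccmhpanDa8Mc9JWINd5enOiBN+J+i6YDnnuG3ociTu7nJs3mPo
+HJfOgKqTV0SkdrCeunKpjuBi5M46pK5XuvzJgFsCAwEAAaOBpzCBpDAfBgNVHSME
+GDAWgBTwsJLoBbYiAOf5vj6d+y34KIU7zzAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
+DwEB/wQEAwIBxjAdBgNVHQ4EFgQUpBtWTMOD6IeCH+JEnywzzLgtYzEwQQYIKwYB
+BQUHAQEENTAzMDEGCCsGAQUFBzABhiVodHRwOi8vaXBhLWNhLnByaXZhdGV2b2lk
+Lm5ldC9jYS9vY3NwMA0GCSqGSIb3DQEBCwUAA4IBgQB+jXOnP4BO69Z1+/S42/O6
+hjjs7kxtYTRNfDKONhB3MD2pSxn2qiwRiH+jL1LJZEmkFkqWV05jMpn8qBeA+yXf
+WUbF5Iiupb5IfF8GXqXkFeDIP4kiVCY7/XHF5JrjCBT0csaiI9fNiDDBseRoU/b4
+LWAGGlgvE7jnQpgVu4/7/MW1yNw2JgetoZFGSNh12AVe1UWjy1DmLHCkWAbjWka+
+iArEtm0EZ1Ypjy0l9A/sCZLmhWtYJrjHNiETvzRlv8UNjUg1Lv7IxWQI7TvZJp7T
+DBghFt/i6w/fdOc5r73lZT3/PDGLO9/NpbQVzT8LiJkwlF5uJB3avdlb3pMWjqPy
+1ty2mbX9eNKZUeEAGb4crEGlWIcLqnr0aFtaISlOB2dmOonMo26uCXNtLG61Yw9I
+MhHsvnmrPXU9rjuHUtBt9HgEO7RwXZYEehuf8pz8Ur11S7x/7PxOypv4KBUBusDe
++hLcS5acpktYNkr2IiZ3NXDihVN65hxzMM6rUb6Sojc=
+-----END CERTIFICATE-----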
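--- a/data/vpn-host-VEGAS.crt
+++ b/data/vpn-host-VEGAS.crt
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFaDCCA9CgAwIBAgIBIjANBgkqhkiG9w0BAQsFADA/MRgwFgYDVQQKDA9QUklW
+QVRFVk9JRC5ORVQxIzAhBgNVBAMMGlByaXZhdGUgVm9pZCBWUE4gQXV0aG9yaXR5
+MB4XDTIwMDQyNzEzMDYxNloXDTIyMDQyODEzMDYxNlowODEYMBYGA1UECgwPUFJJ
+VkFURVZPSUQuTkVUMRwwGgYDVQQDDBN2cG4ucHJpdmF0ZXZvaWQubmV0MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt3BQDphcpY+Qrrfc//QinB8/Qux5
+fJCDMgnIeFsk/S/Ow2R/FDbcJpHw74vt06eVqvtnOAIE5e95sCgpeOKl0MDiRSyJ
+qt+4X8SAYkLXGk7zx60Z5iynmfdZpikwc6P6GYNBoExVMh6+lcJRuAFcrbR/Fu4K
+tFAFSJVhtDq0v+ceiawa80nQuecECUo9/dwfOcrFrXHYRKn3oSv6wMt8zp8EMUuj
+hWZ/97u17ZvsBIUFFs7tk9KgMbPsSYoM64L+uHVynzaPC3rp4BMTyaESx4ifgort
+VtkbBDH79DBwcjnr+jFSJWfJcA1J2XAtiu9hUoscygxVLsZXnENYobSOFwIDAQAB
+o4IB9DCCAfAwHwYDVR0jBBgwFoAUpBtWTMOD6IeCH+JEnywzzLgtYzEwQQYIKwYB
+BQUHAQEENTAzMDEGCCsGAQUFBzABhiVodHRwOi8vaXBhLWNhLnByaXZhdGV2b2lk
+Lm5ldC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwegYDVR0fBHMwcTBvoDegNYYzaHR0cDovL2lwYS1jYS5wcml2
+YXRldm9pZC5uZXQvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQK
+DAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQW
+BBRA1NlyyOaU/BqBqaIcZVi1/ziGYDCBvwYDVR0RBIG3MIG0oEYGCisGAQQBgjcU
+AgOgOAw2dnBuaG9zdC92ZWdhcy5iYWNrYm9uZS5wcml2YXRldm9pZC5uZXRAUFJJ
+VkFURVZPSUQuTkVUoFUGBisGAQUCAqBLMEmgERsPUFJJVkFURVZPSUQuTkVUoTQw
+MqADAgEBoSswKRsHdnBuaG9zdBsedmVnYXMuYmFja2JvbmUucHJpdmF0ZXZvaWQu
+bmV0ghN2cG4ucHJpdmF0ZXZvaWQubmV0MA0GCSqGSIb3DQEBCwUAA4IBgQBpYdmX
+dxZTV1/iBcVQl3W93ted08jpvpLdRvDX2qcB6c9L2CB7UZ5UDBYgfU9XZetaYg6E
+Wje4VIq+Kwd+69bv0HIbGKb+6i2yfw3Yx8yvWOse79JqW5OvJ96fDiOYfEuDxbOH
+79hKfJ/F5HAToSXW+XWpdNQDDlfWFgippZqqcXZUkOujhwMubYGMXAgXwe9oulgp
+wmjzqH95eajOLItYFF4/v1L5CArzYBV6JBcY2TWZRyuAo6Kw94ve9zCfnQvxzLaj
+nSc98u0sj6bmYCHGLJNER4W+85UlZu3uZRo0GPqmfz/CWwDjI2ODQxJQcQ7KFVbH
+y8qEtddkRBd4cb4Fr9Ag2HJc1zm4I7vG6+Rx6fP6oAltpYK7GOUrkQ13R6PXOpZr
+M9j3Qmm5JK/DsGltNwo0sCX9OzdCOql/ZNoQ1wK1dFqaLl25HkpI6I0xw2lvgQDi
+qDXn5eY8Ip0gZ2Wbeyc6ssoE54T3Ta1fpD3wOHSTLK5MjeL3a0zURvzNf2o=
+-----END CERTIFICATE-----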
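--- a/hosts/VEGAS/services/openvpn/default.nix
+++ b/hosts/VEGAS/services/openvpn/default.nix
@@ -0,0 +1,73 @@
+{ config, hosts, lib, pkgs, tools, ... }:
+let
+inherit (hosts.${config.networking.hostName}) interfaces;
+inherit (interfaces) vstub;
+inherit (config.networking) hostName;
+
+sharedConfig = pkgs.writeText "openvpn-shared.conf" ''
+port 51194
+float
+mssfix 1340
+
+topology subnet
+client-to-client
+persist-key
+persist-tun
+
+# vpn supernet
+push "route 10.100.0.0 255.255.0.0"
+# internal services supernet
+push "route 10.10.0.0 255.255.0.0"
+# host machine virtual stub
+push "route ${vstub.addr} 255.255.255.255"
+
+# dns config
+push "dhcp-option DOMAIN vpn.${tools.meta.domain}"
+push "dhcp-option DNS ${vstub.addr}"
+
+ca ${../../../../data/vpn-ca-bundle.crt}
+cert ${../../../../data + "/vpn-host-${hostName}.crt"}
+key ${config.age.secrets.vpn-host-key.path}
+dh ${config.security.dhparams.params.vpn.path}
+'';
+in
+{
+age.secrets.vpn-host-key = {
+file = ../../../../secrets + "/vpn-host-key-${hostName}.age";
+mode = "0400";
+};
+security.dhparams.params.vpn.bits = 4096;
+networking.firewall = {
+allowedTCPPorts = [ 51194 ];
+allowedUDPPorts = [ 51194 ];
+};
+networking.nat.internalInterfaces = [
+"tun-storm"
+"tun-cyclone"
+];
+
+services.openvpn.servers = {
+storm = {
+autoStart = true;
+config = ''
+proto udp4
+dev tun-storm
+server 10.100.0.0 255.255.255.0
+config ${sharedConfig}
+'';
+};
+cyclone = {
+autoStart = true;
+config = ''
+proto tcp4
+dev tun-cyclone
+server 10.100.1.0 255.255.255.0
+config ${sharedConfig}
+'';
+};
+};
+systemd.services = lib.genAttrs (map (x: "openvpn-${x}") (builtins.attrNames config.services.openvpn.servers)) (_: {
+wants = [ "dhparams-gen-vpn.service" ];
+after = [ "dhparams-gen-vpn.service" ];
+});
+}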
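Review bot: The `sharedConfig` block (from `port 51194` through `dh …`) accepts any client certificate that chains to `vpn-ca-bundle.crt`, and that bundle appears to hold the self-signed root CA as well as the "VPN Authority" sub-CA (the second certificate's authority key identifier matches the first's subject key identifier), so a certificate issued anywhere under the root — not only by the VPN sub-CA — would be accepted as a VPN client; there is also no `crl-verify`, and OpenVPN does not consult the OCSP responders advertised in these certificates on its own, so a revoked client certificate stays usable until it expires. I would add `remote-cert-tls client` and `crl-verify <path-to-vpn-crl>` (placeholder; the CRL file would need to be kept current) to the shared config, or restrict `ca` to the VPN sub-CA chain if the deployment allows it. No `tls-crypt`/`tls-auth` key is configured either, so the UDP and TCP listeners on 51194 run a full TLS handshake with any peer that connects; a `tls-crypt <path-to-tls-crypt-key>` line backed by a second age secret next to `vpn-host-key` would gate that cheaply. Pinning `tls-version-min 1.2` and an explicit `data-ciphers` list, rather than relying on the OpenVPN version's defaults, is also worth considering here.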
|
@ -32,6 +32,7 @@
|
|||
./services/nix/binary-cache.nix
|
||||
./services/nix/nar-serve.nix
|
||||
./services/object-storage
|
||||
./services/openvpn
|
||||
./services/warehouse
|
||||
./services/websites
|
||||
]
|
||||
|
|
|
@ -22,4 +22,5 @@ in with hosts;
|
|||
"synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"vpn-host-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
}
|
||||
|
|
BIN
secrets/vpn-host-key-VEGAS.age
Normal file
BIN
secrets/vpn-host-key-VEGAS.age
Normal file
Binary file not shown.