VEGAS: add OpenVPN
parent
32e41ddcd9
commit
3c15c90258
6 changed files with 160 additions and 0 deletions
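--- a/data/vpn-ca-bundle.crt
+++ b/data/vpn-ca-bundle.crt
@@ -0,0 +1,54 @@
+-----BEGIN CERTIFICATE-----
+MIIElzCCAv+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA6MRgwFgYDVQQKDA9QUklW
+QVRFVk9JRC5ORVQxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0x
+OTA4MTcxMzQ3NThaFw0zOTA4MTcxMzQ3NThaMDoxGDAWBgNVBAoMD1BSSVZBVEVW
+T0lELk5FVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBojANBgkq
+hkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA24YctyMKaCy4gYaWw5O28GW45OML8PAC
+DZjeV6fksrI2VlaYYQgQgRrSpFc/f5PL/vl+tlqUmMkVgwkHfA1E0HDS5yl4/13J
+nbkbvhLpaXB7ex0kox17dY7c/ZQuN4/DQHh6R5TT9pCKJBPc7za4GnDuv/s6ww/3
+Vn4ath3m8WfaPpIXd1/HG3z9Dz3hmH0fww9vsiDXhGxHzZjxjiNaeM9EMh2297E3
+yA8wZ4gwCB3wuMKUS/tSJgLOGcRaZgAc+cUIUK6lHqLN8JP7ACpkf1czfEGSTksu
+RFNNW2XihXdcE+zh5925buLGpNOQzNwmzdQLrzGPm/IHRluqA361IfqUmR3Oxxr6
+vxVG2E9spbRodSKR5884Cg18frAnWk+2HPvW9bsxJpd/GX4sLgjwKDZ43eZ0HoBW
+kzfmowJidMB710O5MQOr7Urzl3Qef735Vbc8siKk0gwZasQap59APk5meDtIX7yP
+BkwiSUpCR6ynsUck7FliJ2wt022REFcDAgMBAAGjgacwgaQwHwYDVR0jBBgwFoAU
+8LCS6AW2IgDn+b4+nfst+CiFO88wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
+BAMCAcYwHQYDVR0OBBYEFPCwkugFtiIA5/m+Pp37LfgohTvPMEEGCCsGAQUFBwEB
+BDUwMzAxBggrBgEFBQcwAYYlaHR0cDovL2lwYS1jYS5wcml2YXRldm9pZC5uZXQv
+Y2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAYEAFpue77wmQIF7WMVdrmAmB2fBJSTH
+qoRTcP5enPIVoS5fi/bhMeIW4iADKRtCo9YezLqAPWoQ+UzDOObmAa3yx/pfJqhV
+wMt7E2FvQXkef9v9wcsXSSNE4SWD4UefDBFiTtGcNR4SVAqWAJF4Yym6kjE0OLs7
+it4kpvQBC9uxTcBHHIWMhJ85hZbMbTQ1GG1iluhxJFOpl2Zm7GBax2E3a+Fs/msx
+yUIGe7ugVKiWX2Cx4e/kEmWogGESeNVEXYnDPxztr+mu5rbzRNU32FzWRlxG1qg3
+e77KjTrHC63w230t/Pw7wuYQJzX25bkqIaQat9Xfw/ODtZqrStVwJAooD8z5zpYG
+ul9ndmXfM6okRy7eJoSF1nijHNo9p4k+IsAu8j2UShjfTglBTjWA6ZHWuji4AArw
+qCdKu2v/DqnGhNAt6zRTmOMW7tct/VBwJtpDdB4IzG+EvH6JdIxQpDew5LuPwbk5
+c7VzeA8sxGbslFyLO3Oa1Yy87uQSes+uBHhq
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEnDCCAwSgAwIBAgIBHzANBgkqhkiG9w0BAQsFADA6MRgwFgYDVQQKDA9QUklW
+QVRFVk9JRC5ORVQxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0y
+MDA0MjcxMjI3MDBaFw00MDA0MjcxMjI3MDBaMD8xGDAWBgNVBAoMD1BSSVZBVEVW
+T0lELk5FVDEjMCEGA1UEAwwaUHJpdmF0ZSBWb2lkIFZQTiBBdXRob3JpdHkwggGi
+MA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCv/EZR+YWCMwrfb5gMyFe/257a
+rIrClOz8omD1qmKEk/oj7mKqROV20LBELMV52tAXJOVEIUSDi9OhQ8qryWZyRGa9
+4iQ9DvzlP8BER2NP2xjuT8NRMo7yzl2ge0PlLD6si8N1rkXKlfrvKkFEgqlPNnl0
+AScM0SfSkG7y1g+bnsfF2uSj/p3i+FO0zoEIfBC8oKWgcmmV7p/HCdCjVEY7CBfR
+KR6gbRxK+hxSsH8SfCV/MZev9jFCV+vWO5YvATGCrZjqVaaPp34fBGWSLLzQ3yLj
+2OvVD8fgxyKPdNHgao7PmTh5QrzrXpichjSxUvGbm/Hz+xhr3uW+sTnCtXogchHm
+0+CAhmNdfCr4ctR7WcY146YUhVcO+T/If7KgMhQBejkGqOBuRgrxLQ2xHL6G9oQx
+278b/BIDl1jWvZccmhpanDa8Mc9JWINd5enOiBN+J+i6YDnnuG3ociTu7nJs3mPo
+HJfOgKqTV0SkdrCeunKpjuBi5M46pK5XuvzJgFsCAwEAAaOBpzCBpDAfBgNVHSME
+GDAWgBTwsJLoBbYiAOf5vj6d+y34KIU7zzAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
+DwEB/wQEAwIBxjAdBgNVHQ4EFgQUpBtWTMOD6IeCH+JEnywzzLgtYzEwQQYIKwYB
+BQUHAQEENTAzMDEGCCsGAQUFBzABhiVodHRwOi8vaXBhLWNhLnByaXZhdGV2b2lk
+Lm5ldC9jYS9vY3NwMA0GCSqGSIb3DQEBCwUAA4IBgQB+jXOnP4BO69Z1+/S42/O6
+hjjs7kxtYTRNfDKONhB3MD2pSxn2qiwRiH+jL1LJZEmkFkqWV05jMpn8qBeA+yXf
+WUbF5Iiupb5IfF8GXqXkFeDIP4kiVCY7/XHF5JrjCBT0csaiI9fNiDDBseRoU/b4
+LWAGGlgvE7jnQpgVu4/7/MW1yNw2JgetoZFGSNh12AVe1UWjy1DmLHCkWAbjWka+
+iArEtm0EZ1Ypjy0l9A/sCZLmhWtYJrjHNiETvzRlv8UNjUg1Lv7IxWQI7TvZJp7T
+DBghFt/i6w/fdOc5r73lZT3/PDGLO9/NpbQVzT8LiJkwlF5uJB3avdlb3pMWjqPy
+1ty2mbX9eNKZUeEAGb4crEGlWIcLqnr0aFtaISlOB2dmOonMo26uCXNtLG61Yw9I
+MhHsvnmrPXU9rjuHUtBt9HgEO7RwXZYEehuf8pz8Ur11S7x/7PxOypv4KBUBusDe
++hLcS5acpktYNkr2IiZ3NXDihVN65hxzMM6rUb6Sojc=
+-----END CERTIFICATE-----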
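Review bot: This bundle installs two trust anchors rather than one: the first certificate decodes to the self-signed `O=PRIVATEVOID.NET, CN=Certificate Authority` root (serial 1, valid 2019-08-17 to 2039-08-17) and the second to the `Private Void VPN Authority` sub-CA that root issued (serial 0x1f, valid 2020-04-27 to 2040-04-27). OpenVPN treats every certificate in its `ca` file as trusted, so a peer certificate issued directly by that root — not only one from the VPN sub-CA — would satisfy the verification configured by the `ca` directive in the hosts/VEGAS/services/openvpn/default.nix hunk of this commit. If the deployed OpenVPN accepts an intermediate as the sole anchor, keeping only the second certificate here narrows trust to VPN-issued peers; if it does not, an issuer check via `tls-verify` is needed to get the same effect. Since PEM has no comment syntax, the intended scope should be documented beside the `ca` line in default.nix, e.g. `# vpn-ca-bundle.crt = IPA root + VPN sub-CA; any cert chaining to the root is accepted`.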
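--- a/data/vpn-host-VEGAS.crt
+++ b/data/vpn-host-VEGAS.crt
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFaDCCA9CgAwIBAgIBIjANBgkqhkiG9w0BAQsFADA/MRgwFgYDVQQKDA9QUklW
+QVRFVk9JRC5ORVQxIzAhBgNVBAMMGlByaXZhdGUgVm9pZCBWUE4gQXV0aG9yaXR5
+MB4XDTIwMDQyNzEzMDYxNloXDTIyMDQyODEzMDYxNlowODEYMBYGA1UECgwPUFJJ
+VkFURVZPSUQuTkVUMRwwGgYDVQQDDBN2cG4ucHJpdmF0ZXZvaWQubmV0MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt3BQDphcpY+Qrrfc//QinB8/Qux5
+fJCDMgnIeFsk/S/Ow2R/FDbcJpHw74vt06eVqvtnOAIE5e95sCgpeOKl0MDiRSyJ
+qt+4X8SAYkLXGk7zx60Z5iynmfdZpikwc6P6GYNBoExVMh6+lcJRuAFcrbR/Fu4K
+tFAFSJVhtDq0v+ceiawa80nQuecECUo9/dwfOcrFrXHYRKn3oSv6wMt8zp8EMUuj
+hWZ/97u17ZvsBIUFFs7tk9KgMbPsSYoM64L+uHVynzaPC3rp4BMTyaESx4ifgort
+VtkbBDH79DBwcjnr+jFSJWfJcA1J2XAtiu9hUoscygxVLsZXnENYobSOFwIDAQAB
+o4IB9DCCAfAwHwYDVR0jBBgwFoAUpBtWTMOD6IeCH+JEnywzzLgtYzEwQQYIKwYB
+BQUHAQEENTAzMDEGCCsGAQUFBzABhiVodHRwOi8vaXBhLWNhLnByaXZhdGV2b2lk
+Lm5ldC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwegYDVR0fBHMwcTBvoDegNYYzaHR0cDovL2lwYS1jYS5wcml2
+YXRldm9pZC5uZXQvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQK
+DAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQW
+BBRA1NlyyOaU/BqBqaIcZVi1/ziGYDCBvwYDVR0RBIG3MIG0oEYGCisGAQQBgjcU
+AgOgOAw2dnBuaG9zdC92ZWdhcy5iYWNrYm9uZS5wcml2YXRldm9pZC5uZXRAUFJJ
+VkFURVZPSUQuTkVUoFUGBisGAQUCAqBLMEmgERsPUFJJVkFURVZPSUQuTkVUoTQw
+MqADAgEBoSswKRsHdnBuaG9zdBsedmVnYXMuYmFja2JvbmUucHJpdmF0ZXZvaWQu
+bmV0ghN2cG4ucHJpdmF0ZXZvaWQubmV0MA0GCSqGSIb3DQEBCwUAA4IBgQBpYdmX
+dxZTV1/iBcVQl3W93ted08jpvpLdRvDX2qcB6c9L2CB7UZ5UDBYgfU9XZetaYg6E
+Wje4VIq+Kwd+69bv0HIbGKb+6i2yfw3Yx8yvWOse79JqW5OvJ96fDiOYfEuDxbOH
+79hKfJ/F5HAToSXW+XWpdNQDDlfWFgippZqqcXZUkOujhwMubYGMXAgXwe9oulgp
+wmjzqH95eajOLItYFF4/v1L5CArzYBV6JBcY2TWZRyuAo6Kw94ve9zCfnQvxzLaj
+nSc98u0sj6bmYCHGLJNER4W+85UlZu3uZRo0GPqmfz/CWwDjI2ODQxJQcQ7KFVbH
+y8qEtddkRBd4cb4Fr9Ag2HJc1zm4I7vG6+Rx6fP6oAltpYK7GOUrkQ13R6PXOpZr
+M9j3Qmm5JK/DsGltNwo0sCX9OzdCOql/ZNoQ1wK1dFqaLl25HkpI6I0xw2lvgQDi
+qDXn5eY8Ip0gZ2Wbeyc6ssoE54T3Ta1fpD3wOHSTLK5MjeL3a0zURvzNf2o=
+-----END CERTIFICATE-----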
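Review bot: The validity field of this certificate decodes to notBefore 2020-04-27T13:06:16Z and notAfter 2022-04-28T13:06:16Z, so this is a two-year leaf committed as a static file with nothing in the commit to renew it; once it lapses, clients that verify the server certificate will refuse both the `storm` and `cyclone` instances declared in hosts/VEGAS/services/openvpn/default.nix. It also carries both the serverAuth and clientAuth extended key usages, so the same credential is acceptable as a client certificate wherever this CA is trusted, which is worth knowing given that its private key lives on the host as `vpn-host-key-VEGAS.age`. Consider adding an expiry check to monitoring or moving issuance to an automated path instead of tracking the file in git.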
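--- a/hosts/VEGAS/services/openvpn/default.nix
+++ b/hosts/VEGAS/services/openvpn/default.nix
@@ -0,0 +1,73 @@
+{ config, hosts, lib, pkgs, tools, ... }:
+let
+inherit (hosts.${config.networking.hostName}) interfaces;
+inherit (interfaces) vstub;
+inherit (config.networking) hostName;
+
+sharedConfig = pkgs.writeText "openvpn-shared.conf" ''
+port 51194
+float
+mssfix 1340
+
+topology subnet
+client-to-client
+persist-key
+persist-tun
+
+# vpn supernet
+push "route 10.100.0.0 255.255.0.0"
+# internal services supernet
+push "route 10.10.0.0 255.255.0.0"
+# host machine virtual stub
+push "route ${vstub.addr} 255.255.255.255"
+
+# dns config
+push "dhcp-option DOMAIN vpn.${tools.meta.domain}"
+push "dhcp-option DNS ${vstub.addr}"
+
+ca ${../../../../data/vpn-ca-bundle.crt}
+cert ${../../../../data + "/vpn-host-${hostName}.crt"}
+key ${config.age.secrets.vpn-host-key.path}
+dh ${config.security.dhparams.params.vpn.path}
+'';
+in
+{
+age.secrets.vpn-host-key = {
+file = ../../../../secrets + "/vpn-host-key-${hostName}.age";
+mode = "0400";
+};
+security.dhparams.params.vpn.bits = 4096;
+networking.firewall = {
+allowedTCPPorts = [ 51194 ];
+allowedUDPPorts = [ 51194 ];
+};
+networking.nat.internalInterfaces = [
+"tun-storm"
+"tun-cyclone"
+];
+
+services.openvpn.servers = {
+storm = {
+autoStart = true;
+config = ''
+proto udp4
+dev tun-storm
+server 10.100.0.0 255.255.255.0
+config ${sharedConfig}
+'';
+};
+cyclone = {
+autoStart = true;
+config = ''
+proto tcp4
+dev tun-cyclone
+server 10.100.1.0 255.255.255.0
+config ${sharedConfig}
+'';
+};
+};
+systemd.services = lib.genAttrs (map (x: "openvpn-${x}") (builtins.attrNames config.services.openvpn.servers)) (_: {
+wants = [ "dhparams-gen-vpn.service" ];
+after = [ "dhparams-gen-vpn.service" ];
+});
+}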
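Review bot: The shared OpenVPN config sets `persist-key` and `persist-tun` but never drops privileges with `user`/`group`, so unless the NixOS module injects them the daemon that parses packets from anyone reaching 51194/udp and 51194/tcp (both opened in `networking.firewall` below) keeps root for its whole lifetime; add `user nobody` and `group nogroup` next to the two persist directives, which are exactly what make such a drop survive restarts. Two further hardening gaps sit in the same string: there is no `tls-crypt`/`tls-auth` key, so every unsolicited packet gets a full TLS handshake instead of being discarded at the HMAC check, and `client-to-client` switches traffic between clients inside the OpenVPN process, so it never traverses the host's netfilter rules. The latter is a surprising property for anyone maintaining the firewall and deserves a comment such as `# client-to-client traffic is forwarded inside openvpn and bypasses networking.firewall`.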
@ -32,6 +32,7 @@
|
||||||
./services/nix/binary-cache.nix
|
./services/nix/binary-cache.nix
|
||||||
./services/nix/nar-serve.nix
|
./services/nix/nar-serve.nix
|
||||||
./services/object-storage
|
./services/object-storage
|
||||||
|
./services/openvpn
|
||||||
./services/warehouse
|
./services/warehouse
|
||||||
./services/websites
|
./services/websites
|
||||||
]
|
]
|
||||||
|
|
|
@ -22,4 +22,5 @@ in with hosts;
|
||||||
"synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
"wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
"wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
|
"vpn-host-key-VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||||
}
|
}
|
||||||
|
|
BIN
secrets/vpn-host-key-VEGAS.age
Normal file
Binary file not shown.