authorW. Kosior <koszko@koszko.org>2024-09-25 15:02:42 +0200
committerW. Kosior <koszko@koszko.org>2024-09-25 15:02:59 +0200
commit7f6289b394945f88b75edc15cb032e5711a3d92b (patch)
treec038b773e7cf1168df97902dc6d327a48b9e5c6d
parenteaf299b1179eb5c42cbf7395a4293b9ee6250c09 (diff)
downloadkoszko-org-guix-server-7f6289b394945f88b75edc15cb032e5711a3d92b.tar.gz
koszko-org-guix-server-7f6289b394945f88b75edc15cb032e5711a3d92b.zip
Add openvpn server.
-rw-r--r--salamina.scm109
1 files changed, 109 insertions, 0 deletions
diff --git a/salamina.scm b/salamina.scm
index b02d862..a10b232 100644
--- a/salamina.scm
+++ b/salamina.scm
@@ -18,6 +18,7 @@
((gnu packages dns) #:select (knot-resolver))
((gnu packages koszko-services) #:prefix ks:)
((gnu packages python) #:select (guix-pythonpath-search-path))
+ ((gnu packages tls) #:select (openssl))
((gnu packages web) #:select (httpd mod-wsgi))
((gnu packages version-control) #:select (git cgit))
@@ -27,6 +28,7 @@
(guix-service-type guix-extension %base-services))
((gnu services ssh) #:select
(openssh-service-type openssh-configuration))
+ ((gnu services sysctl) #:select (sysctl-service-type))
((gnu services networking) #:prefix net:)
((gnu services overlayfs) #:select
(overlayfs-service-type overlayfs-mount-configuration))
@@ -39,6 +41,7 @@
((gnu services version-control) #:prefix vc:)
((gnu services databases) #:select
(postgresql-service-type postgresql-configuration))
+ ((gnu services vpn) #:prefix vpn:)
((gnu system) #:select (%base-packages operating-system))
((gnu system file-systems) #:prefix fs:)
@@ -63,6 +66,11 @@
(prepend %services
+ (simple-service 'allow-ip-forwarding sysctl-service-type
+ '(("net.ipv4.ip_forward" . "1"))))
+
+
+(prepend %services
(simple-service 'always-forbid-root-login activation-service-type
#~(system "/run/setuid-programs/passwd -l root > /dev/null")))
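Review bot: `net.ipv4.ip_forward` is switched on for the whole host here, but the iptables rules added in the later hunk keep `:FORWARD ACCEPT` with no FORWARD rules, so every interface forwards whatever the routing table will carry, not only traffic from the VPN subnet. A default-deny FORWARD policy that admits the 10.8.0.0/24 clients and return traffic keeps the forwarding path scoped to the tunnel; in the rule template of that hunk it would read `:FORWARD DROP`, `-A FORWARD -s 10.8.0.0/24 -j ACCEPT` and `-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`. The `(prepend %services` form this sysctl service is inserted into starts on the hunk's first context line, and the service it displaced is re-wrapped in a new `(prepend %services` below it, so both forms are complete within the hunk.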
@@ -499,6 +507,27 @@
#~(mkdir-p "/var/certbot-validation")))
+(prepend %services
+ (service net:iptables-service-type
+ (net:iptables-configuration
+ (ipv4-rules (plain-file "iptables.rules" (format #f "\
+*filter
+
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+
+COMMIT
+
+*nat
+
+~:{-A ~a -p ~a --destination 10.8.0.1 --dport 53 \
+ -j DNAT --to-destination 10.8.0.1:5353~%~}\
+
+COMMIT
+" '((OUTPUT udp) (OUTPUT tcp) (PREROUTING udp) (PREROUTING tcp))))))))
+
+
(define %salamina-v4-addr
"188.68.237.248")
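Review bot: The `*nat` table only contains the DNAT that moves DNS for 10.8.0.1:53 to port 5353; there is no SNAT/MASQUERADE for the VPN subnet, while the last hunk sets `redirect-gateway? #t`, which pushes a default route through the tunnel. Unless address translation is done somewhere not visible in this diff, client traffic bound for the internet will leave with a 10.8.0.0/24 source and replies will never come back. If routing clients out through this host is the intent, `-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE` before the `*nat` `COMMIT` covers it. The filter table's three ACCEPT policies also mean no INPUT filtering is in place; that matches the pre-commit state (no iptables service), so it is not a regression, but it is worth a comment next to the rules noting that the filter section is intentionally permissive.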
@@ -698,6 +727,86 @@ view:addr('0.0.0.0/0', policy.all(policy.DENY))
(port-number 10022))))
+(define %openvpn-cert-subj
+ (format #f "~{/~{~a=~a~}~}" '((C PL)
+ (ST PL)
+ (L Krakow)
+ (O koszko.org)
+ (OU koszko.org)
+ (CN koszko.org)
+ (emailAddress koszko@koszko.org))))
+
+(prepend %services
+ (simple-service 'prepare-openvpn-certs activation-service-type
+ #~(let ((openssl #$(file-append openssl "/bin/openssl"))
+ (initial-umask (umask)))
+ (dynamic-wind
+
+ (lambda ()
+ (umask #o077))
+
+ (lambda ()
+ (mkdir-p "/etc/openvpn"))
+
+ (lambda ()
+ (umask initial-umask)))
+
+ (with-directory-excursion "/etc/openvpn"
+ (unless (and-map file-exists? '("ca.crt" "server.crt" "server.key"))
+ (with-output-to-file "x509.ext"
+ (lambda ()
+ (display "\
+[ ca ]
+# X509 extensions for a ca
+keyUsage = critical, cRLSign, keyCertSign
+basicConstraints = CA:TRUE, pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ server ]
+# X509 extensions for a server
+keyUsage = critical,digitalSignature,keyEncipherment
+extendedKeyUsage = serverAuth,clientAuth
+basicConstraints = critical,CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+")))
+
+ (invoke/quiet
+ openssl "genpkey" "-genparam" "-algorithm" "ec"
+ "-pkeyopt" "ec_paramgen_curve:P-384" "-out" "ecparam.pem")
+
+ (invoke/quiet
+ openssl "req" "-new" "-sha256" "-nodes" "-newkey" "ec:ecparam.pem"
+ "-keyout" "server.key" "-out" "server.csr"
+ "-subj" #$%openvpn-cert-subj)
+
+ (invoke/quiet
+ openssl "x509" "-req" "-sha256" "-extfile" "x509.ext"
+ "-extensions" "ca" "-in" "server.csr" "-signkey" "server.key"
+ "-days" "10095" "-out" "server.crt")
+
+ (unless (file-exists? "dh4096.pem")
+ (invoke/quiet openssl "dhparam" "-out" "dh4096.pem" "4096")))))))
+
+(prepend %services
+ (service vpn:openvpn-server-service-type
+ (vpn:openvpn-server-configuration
+ (ca "/etc/openvpn/ca.crt")
+ (cert "/etc/openvpn/server.crt")
+ (key "/etc/openvpn/server.key")
+ (comp-lzo? #f)
+ (port 1195)
+ (server "10.8.0.0 255.255.255.0")
+ (dh "/etc/openvpn/dh4096.pem")
+ (redirect-gateway? #t)
+ (client-to-client? #t)
+ (client-config-dir (list (vpn:openvpn-ccd-configuration
+ (name "koszko.org-pafos-client")
+ (iroute "10.8.0.36 255.255.255.255")
+ (ifconfig-push "10.8.0.36 10.8.0.1")))))))
+
+
(prepend %services
(service vc:gitolite-service-type
(vc:gitolite-configuration