# NixOS module for the "Immae" tinc network: builds the tincd configuration
# directory as a store derivation, exposes the host files as a tarball through
# `myServices.vpn.hostsPath`, and runs tincd as a systemd service.
{ config, pkgs, lib, ... }:
let
  cfg = config.myServices.vpn;
  # Templates under ./tinc are filled in with substituteAll.  `keyFile` is the
  # *path* of the private key as published by the secrets module (presumably a
  # plain string path — confirm), so only that path, not the key material,
  # ends up in the world-readable store output.
  configFiles = pkgs.runCommand "tinc-files" {
    mainInterface = "eth0";
    hostName = "ImmaeEu";
    network = "Immae";
    keyFile = config.secrets.fullPaths."tinc/key.priv";
  } ''
    mkdir -p $out
    for i in ${./tinc}/*; do
      substituteAll $i $out/$(basename $i)
    done
  '';
  # Flattens `vpn.keys` ({ ns = { name = path|string; }; }) into a list of
  # { name = "<ns><name>"; value = <store path>; }.  String values are written
  # to the store with writeText; path values are copied into the store when
  # interpolated in `keysDir` below.  Either way the content is world-readable,
  # so only public host material (tinc host files) belongs in this option.
  keyPaths = lib.flatten (lib.mapAttrsToList
    (ns: lib.mapAttrsToList
      (name: s:
        lib.nameValuePair
          "${ns}${name}"
          (if builtins.isPath s then s else pkgs.writeText "${ns}${name}" s)
      )
    ) config.myServices.vpn.keys);
  # The directory handed to `tincd -c`.  Hook scripts (host-*, tinc-*) and the
  # ImmaeEu-* files are installed executable; tinc.conf and the local host file
  # are read-only.  Every key from `keyPaths` is copied under hosts/ and the
  # whole hosts/ tree is archived as hosts.tar.gz for `vpn.hostsPath`.
  keysDir = pkgs.runCommand "tinc-config" {} (''
    install -m755 -d $out $out/hosts
    install -m755 -t $out ${configFiles}/{host-*,tinc-*}
    install -m444 -t $out ${configFiles}/tinc.conf
    install -m755 -t $out/hosts ${configFiles}/ImmaeEu-*
    install -m444 -t $out/hosts ${configFiles}/ImmaeEu
  '' + builtins.concatStringsSep "\n" (builtins.map (p: "cp ${p.value} $out/hosts/${p.name}") keyPaths) + ''

    cd $out
    tar -czf $out/hosts.tar.gz hosts/
  '');
in
{
  options.myServices = {
    vpn.enable = lib.mkEnableOption "Enable vpn service";
    # Host key material, keyed by namespace then name; values may be a path or
    # the literal file content.  See the note on `keyPaths` about store visibility.
    vpn.keys = lib.mkOption {
      type = lib.types.attrsOf (lib.types.attrsOf (lib.types.either lib.types.path lib.types.str));
      description = "Keys sorted by namespaces and names";
      default = {};
    };
    # Read-only handle on the generated hosts archive, for other modules that
    # need to distribute the host files.
    vpn.hostsPath = lib.mkOption {
      type = lib.types.path;
      default = "${keysDir}/hosts.tar.gz";
      readOnly = true;
    };
  };

  config = lib.mkIf cfg.enable {
    # DNS records for the VPN: vpn.immae.eu on the main server address, plus an
    # AAAA for the gateway and a marker address for the subnet.
    myServices.dns.zones."immae.eu".subdomains.vpn = with config.myServices.dns.helpers;
      ips servers.eldiron.ips.main // {
        subdomains.gw.AAAA = [ "${config.myEnv.vpn.eldiron.prefix}:0:ffff:1" ];
        # Fake address to designate the subnet
        subdomains.sn.AAAA = [ "${config.myEnv.vpn.eldiron.prefix}::" ];
      };
    # Metadata entry for the hosted-services catalogue (no effect on the daemon).
    myServices.chatonsProperties.hostings.vpn = {
      file.datetime = "2022-08-27T18:00:00";
      hosting = {
        name = "VPN";
        description = "VPN";
        website = "https://vpn.immae.eu";
        logo = "https://tinc-vpn.org/favicon.ico";
        status.level = "OK";
        status.description = "OK";
        registration.load = "FULL";
        install.type = "PACKAGE";
      };
      software = {
        name = "tinc";
        website = "https://tinc-vpn.org/";
        license.url = "https://www.gnu.org/licenses/old-licenses/gpl-2.0.html";
        license.name = "GNU General Public License v2.0";
        version = pkgs.tinc.version;
        source.url = "https://tinc-vpn.org/git/browse?p=tinc";
      };
    };
    # The node's key pair is deployed outside the store by the secrets module,
    # readable only by root (0400).  The private key path is what `configFiles`
    # substitutes as `keyFile` above.
    secrets.keys = {
      "tinc/key.priv" = {
        user = "root";
        group = "root";
        permissions = "0400";
        text = config.myEnv.vpn.eldiron.privateKey;
      };
      "tinc/key.pub" = {
        user = "root";
        group = "root";
        permissions = "0400";
        text = config.myEnv.vpn.eldiron.publicKey;
      };
    };
    # Only TCP is opened here.  tinc's default port 655 is also used over UDP
    # for tunnel data; NOTE(review): confirm UDP is opened elsewhere or that
    # TCP-only operation is intended.  Why 1194 is listed is not visible in this
    # file — presumably a second listen port in tinc.conf; confirm.
    networking.firewall.allowedTCPPorts = [ 655 1194 ];
    # Runtime state directory, root-only (0750).
    system.activationScripts.tinc = ''
      install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
    '';

    systemd.slices.tinc = {
      description = "Tinc slice";
    };

    # tincd in the foreground (-D, matching Type=simple) at debug level 1, with
    # the store-built config dir.  No User= or sandboxing directives are set,
    # so the daemon and its hook scripts run as root with systemd defaults;
    # NOTE(review): consider hardening options if tinc's interface setup allows.
    systemd.services.tinc-Immae = {
      description = "Tinc Daemon - Immae";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # Tools on PATH for the hook scripts installed from ./tinc — presumably
      # tinc-up/host-up use iproute, sed, awk and git; verify against those scripts.
      path = [ pkgs.getent pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
      serviceConfig = {
        Slice = "tinc.slice";
        Type = "simple";
        Restart = "always";
        RestartSec = "3";
        ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c ${keysDir} --pidfile /run/tinc.Immae.pid";
      };
    };
  };
}