# NixOS module for the tinc VPN node "ImmaeEu" on the tinc network "Immae".
# When enabled it publishes DNS records and CHATONS hosting metadata, provisions
# the key material and rendered tinc configuration under /var/lib/tinc/Immae
# through an activation script, opens the firewall and runs tincd as a
# systemd service.
{ config, pkgs, lib, ... }:
let
  # Shorthand for this module's own options.
  cfg = config.myServices.vpn;
in
{
  options.myServices = {
    vpn.enable = lib.mkEnableOption "Enable vpn service";
  };

  config = lib.mkIf cfg.enable {
    # DNS: vpn.immae.eu resolves to the main IPs of the eldiron server;
    # gw/sn carry addresses built from the VPN IPv6 prefix held in myEnv
    # (the prefix itself is defined outside this module).
    myServices.dns.zones."immae.eu".subdomains.vpn = with config.myServices.dns.helpers;
      ips servers.eldiron.ips.main // {
        subdomains.gw.AAAA = [ "${config.myEnv.vpn.eldiron.prefix}:0:ffff:1" ];
        # Fake address to designate the subnet
        subdomains.sn.AAAA = [ "${config.myEnv.vpn.eldiron.prefix}::" ];
      };
    # Public hosting description (CHATONS properties); informational only,
    # nothing here affects how the daemon runs.
    myServices.chatonsProperties.hostings.vpn = {
      file.datetime = "2022-08-27T18:00:00";
      hosting = {
        name = "VPN";
        description = "VPN";
        website = "https://vpn.immae.eu";
        logo = "https://tinc-vpn.org/favicon.ico";
        status.level = "OK";
        status.description = "OK";
        registration.load = "FULL";
        install.type = "PACKAGE";
      };
      software = {
        name = "tinc";
        website = "https://tinc-vpn.org/";
        license.url = "https://www.gnu.org/licenses/old-licenses/gpl-2.0.html";
        license.name = "GNU General Public License v2.0";
        # Reported version follows the packaged tinc.
        version = pkgs.tinc.version;
        source.url = "https://tinc-vpn.org/git/browse?p=tinc";
      };
    };
    # Key material is written by the secrets module, owned by root and
    # readable by root only (0400). The key contents come from myEnv, not
    # from this file.
    # NOTE(review): the public key copy is restricted to root:0400 as well;
    # that is harmless for the local copy, but peers therefore receive this
    # node's public key through another channel (see the hosts clone below).
    secrets.keys = {
      "tinc/key.priv" = {
        user = "root";
        group = "root";
        permissions = "0400";
        text = config.myEnv.vpn.eldiron.privateKey;
      };
      "tinc/key.pub" = {
        user = "root";
        group = "root";
        permissions = "0400";
        text = config.myEnv.vpn.eldiron.publicKey;
      };
    };
    # Only TCP is opened here. tinc normally carries tunnel traffic over UDP on
    # its listening port and falls back to TCP when UDP does not get through —
    # TODO confirm whether the TCP-only exposure is intended (no allowedUDPPorts).
    networking.firewall.allowedTCPPorts = [ 655 1194 ];
    # Activation script. The templates in ./tinc are rendered once at build
    # time with substituteAll (presumably @mainInterface@/@hostName@/@network@/
    # @keyFile@ placeholders — the templates are not visible here). keyFile is
    # the on-disk path of the private key, so the rendered files should
    # reference the key by path rather than embed it in the store output.
    system.activationScripts.tinc = let
      configFiles = pkgs.runCommand "tinc-files" {
        mainInterface = "eth0";
        hostName = "ImmaeEu";
        network = "Immae";
        keyFile = config.secrets.fullPaths."tinc/key.priv";
      } ''
        mkdir -p $out
        for i in ${./tinc}/*; do
          substituteAll $i $out/$(basename $i)
        done
      '';
    in ''
      # Re-installed on every activation: directories 0750, host-*/tinc-*
      # scripts 0700, tinc.conf 0400, all root-owned.
      install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
      install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*}
      install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
      # Peer host files (public keys and addresses) are cloned once from the
      # master branch over HTTPS and are not updated by this script afterwards.
      # Trust in the peer set therefore rests on that TLS fetch and on the
      # repository contents; no commit is pinned.
      # NOTE(review): this runs during activation, so the first activation
      # depends on git.immae.eu being reachable — confirm that is acceptable.
      if [ ! -d /var/lib/tinc/Immae/hosts ]; then
        ${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
      fi
    '';

    # Dedicated slice so the daemon's resources can be accounted separately.
    systemd.slices.tinc = {
      description = "Tinc slice";
    };

    # The daemon itself. No User=/DynamicUser= is set, so tincd runs as root,
    # which the root-owned 0400 key and the 0400 tinc.conf above require.
    # The service only orders itself after network.target; it relies on the
    # activation script above having populated /var/lib/tinc/Immae.
    systemd.services.tinc-Immae = {
      description = "Tinc Daemon - Immae";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # Tools made available to tincd and its host/tinc-* scripts
      # (git is presumably used by those scripts; they are not visible here).
      path = [ pkgs.getent pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
      serviceConfig = {
        Slice = "tinc.slice";
        Type = "simple";
        # Restart regardless of exit status, 3 seconds after exit.
        Restart = "always";
        RestartSec = "3";
        # -D keeps tincd in the foreground (matches Type=simple), -d1 sets
        # debug level 1; configuration is read from /var/lib/tinc/Immae.
        ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
      };
    };
  };
}