Add chatons infos
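# NixOS module for the tinc VPN node "ImmaeEu" on the "Immae" network.
# When myServices.vpn.enable is set it declares the CHATONS hosting metadata,
# provisions the node key pair through secrets.keys, opens the firewall,
# installs the tinc configuration under /var/lib/tinc/Immae at activation
# time and runs tincd as a systemd service.
{ config, pkgs, lib, ... }:
let
  cfg = config.myServices.vpn;
in
{
  options.myServices = {
    # mkEnableOption prefixes its argument with "Whether to enable", so only
    # the service name is passed (the previous text rendered as
    # "Whether to enable Enable vpn service.").
    vpn.enable = lib.mkEnableOption "vpn service";
  };

  config = lib.mkIf cfg.enable {
    # Hosting and software metadata for this service (chatonsProperties).
    myServices.chatonsProperties.hostings.vpn = {
      file.datetime = "2022-08-27T18:00:00";
      hosting = {
        name = "VPN";
        description = "VPN";
        website = "https://vpn.immae.eu";
        logo = "https://tinc-vpn.org/favicon.ico";
        status.level = "OK";
        status.description = "OK";
        registration.load = "FULL";
        install.type = "PACKAGE";
      };
      software = {
        name = "tinc";
        website = "https://tinc-vpn.org/";
        license.url = "https://www.gnu.org/licenses/old-licenses/gpl-2.0.html";
        license.name = "GNU General Public License v2.0";
        # Taken from the packaged tinc so the metadata follows upgrades.
        version = pkgs.tinc.version;
        source.url = "https://tinc-vpn.org/git/browse?p=tinc";
      };
    };

    # Node key pair. Both files are owned by root and readable by root only.
    # NOTE(review): the values are read from config.myEnv at evaluation time;
    # whether they ever reach the world-readable Nix store depends on the
    # secrets module, which is not visible here - confirm.
    secrets.keys = {
      "tinc/key.priv" = {
        user = "root";
        group = "root";
        permissions = "0400";
        text = config.myEnv.vpn.eldiron.privateKey;
      };
      "tinc/key.pub" = {
        user = "root";
        group = "root";
        permissions = "0400";
        text = config.myEnv.vpn.eldiron.publicKey;
      };
    };

    # Only TCP is opened here. tinc by default also uses UDP on its port.
    # NOTE(review): confirm that TCP-only reachability is intended and which
    # listener uses 1194 (tinc.conf is not visible here); every port opened
    # is reachable from any source address allowed by the rest of the firewall.
    networking.firewall.allowedTCPPorts = [ 655 1194 ];

    system.activationScripts.tinc = let
      # Renders every template found in ./tinc: substituteAll replaces each
      # @name@ placeholder with the attribute of the same name given below.
      # keyFile is the path reported by the secrets module (presumably a file
      # path, not the key text), so the rendered files in the store should
      # carry only a reference to the private key.
      configFiles = pkgs.runCommand "tinc-files" {
        mainInterface = "eth0";
        hostName = "ImmaeEu";
        network = "Immae";
        keyFile = config.secrets.fullPaths."tinc/key.priv";
      } ''
        mkdir -p "$out"
        for i in ${./tinc}/*; do
          substituteAll "$i" "$out/$(basename "$i")"
        done
      '';
    in ''
      # Directories 0750, hook scripts 0700, tinc.conf 0400, all owned by root.
      install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
      install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*}
      install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
      # Fetched once, on the first activation only; never updated from here.
      # NOTE(review): in tinc, hosts/ normally carries each peer's address and
      # public key, i.e. the set of nodes this daemon will authenticate. Its
      # integrity rests on the HTTPS connection and on whatever master points
      # to at clone time; consider pinning a revision. The clone also needs
      # network access while the activation script runs.
      if [ ! -d /var/lib/tinc/Immae/hosts ]; then
        ${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
      fi
    '';

    systemd.slices.tinc = {
      description = "Tinc slice";
    };

    # tincd runs in the foreground (-D) at debug level 1 (-d1) and reads its
    # configuration from /var/lib/tinc/Immae. No User= is set, so it runs as
    # root.
    # NOTE(review): no systemd sandboxing options are set. tincd has to
    # configure a network interface, so any hardening added later must be
    # tested against the tinc-*/host-* hooks installed by the activation
    # script.
    systemd.services.tinc-Immae = {
      description = "Tinc Daemon - Immae";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # Presumably the tools the hook scripts call; they are not visible here.
      path = [ pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
      serviceConfig = {
        Slice = "tinc.slice";
        Type = "simple";
        Restart = "always";
        RestartSec = "3";
        ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
      };
    };
  };
}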