]> git.immae.eu Git - perso/Immae/Config/Nix.git/blobdiff - systems/eldiron/vpn/default.nix
projects / perso / Immae / Config / Nix.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Squash changes containing private information
[perso/Immae/Config/Nix.git] / systems / eldiron / vpn / default.nix
diff --git a/systems/eldiron/vpn/default.nix b/systems/eldiron/vpn/default.nix
new file mode 100644 (file)
index 0000000..df56249
--- /dev/null
+++ b/systems/eldiron/vpn/default.nix
@@ -0,0 +1,92 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.myServices.vpn;
+in
+{
+  options.myServices = {
+    vpn.enable = lib.mkEnableOption "Enable vpn service";
+  };
+
+  config = lib.mkIf cfg.enable {
+    myServices.dns.zones."immae.eu".subdomains.vpn = with config.myServices.dns.helpers;
+      ips servers.eldiron.ips.main // {
+        subdomains.gw.AAAA = [ "${config.myEnv.vpn.eldiron.prefix}:0:ffff:1" ];
+        # Fake address to designate the subnet
+        subdomains.sn.AAAA = [ "${config.myEnv.vpn.eldiron.prefix}::" ];
+      };
+    myServices.chatonsProperties.hostings.vpn = {
+      file.datetime = "2022-08-27T18:00:00";
+      hosting = {
+        name = "VPN";
+        description = "VPN";
+        website = "https://vpn.immae.eu";
+        logo = "https://tinc-vpn.org/favicon.ico";
+        status.level = "OK";
+        status.description = "OK";
+        registration.load = "FULL";
+        install.type = "PACKAGE";
+      };
+      software = {
+        name = "tinc";
+        website = "https://tinc-vpn.org/";
+        license.url = "https://www.gnu.org/licenses/old-licenses/gpl-2.0.html";
+        license.name = "GNU General Public License v2.0";
+        version = pkgs.tinc.version;
+        source.url = "https://tinc-vpn.org/git/browse?p=tinc";
+      };
+    };
+    secrets.keys = {
+      "tinc/key.priv" = {
+        user = "root";
+        group = "root";
+        permissions = "0400";
+        text = config.myEnv.vpn.eldiron.privateKey;
+      };
+      "tinc/key.pub" = {
+        user = "root";
+        group = "root";
+        permissions = "0400";
+        text = config.myEnv.vpn.eldiron.publicKey;
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 655 1194 ];
+    system.activationScripts.tinc = let
+      configFiles = pkgs.runCommand "tinc-files" {
+        mainInterface = "eth0";
+        hostName = "ImmaeEu";
+        network = "Immae";
+        keyFile = config.secrets.fullPaths."tinc/key.priv";
+      } ''
+        mkdir -p $out
+        for i in ${./tinc}/*; do
+          substituteAll $i $out/$(basename $i)
+        done
+      '';
+    in ''
+      install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
+      install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*}
+      install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
+      if [ ! -d /var/lib/tinc/Immae/hosts ]; then
+        ${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
+      fi
+    '';
+
+    systemd.slices.tinc = {
+      description = "Tinc slice";
+    };
+
+    systemd.services.tinc-Immae = {
+      description = "Tinc Daemon - Immae";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      path = [ pkgs.getent pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
+      serviceConfig = {
+        Slice = "tinc.slice";
+        Type = "simple";
+        Restart = "always";
+        RestartSec = "3";
+        ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
+      };
+    };
+  };
+}
My infrastructure configuration