Squash changes containing private information
diff --git a/systems/eldiron/vpn/default.nix b/systems/eldiron/vpn/default.nix
new file mode 100644 (file)
index 0000000..df56249
--- /dev/null
@@ -0,0 +1,92 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.myServices.vpn;
+in
+{
+  options.myServices = {
+    vpn.enable = lib.mkEnableOption "Enable vpn service";
+  };
+
+  config = lib.mkIf cfg.enable {
+    myServices.dns.zones."immae.eu".subdomains.vpn = with config.myServices.dns.helpers;
+      ips servers.eldiron.ips.main // {
+        subdomains.gw.AAAA = [ "${config.myEnv.vpn.eldiron.prefix}:0:ffff:1" ];
+        # Fake address to designate the subnet
+        subdomains.sn.AAAA = [ "${config.myEnv.vpn.eldiron.prefix}::" ];
+      };
+    myServices.chatonsProperties.hostings.vpn = {
+      file.datetime = "2022-08-27T18:00:00";
+      hosting = {
+        name = "VPN";
+        description = "VPN";
+        website = "https://vpn.immae.eu";
+        logo = "https://tinc-vpn.org/favicon.ico";
+        status.level = "OK";
+        status.description = "OK";
+        registration.load = "FULL";
+        install.type = "PACKAGE";
+      };
+      software = {
+        name = "tinc";
+        website = "https://tinc-vpn.org/";
+        license.url = "https://www.gnu.org/licenses/old-licenses/gpl-2.0.html";
+        license.name = "GNU General Public License v2.0";
+        version = pkgs.tinc.version;
+        source.url = "https://tinc-vpn.org/git/browse?p=tinc";
+      };
+    };
+    secrets.keys = {
+      "tinc/key.priv" = {
+        user = "root";
+        group = "root";
+        permissions = "0400";
+        text = config.myEnv.vpn.eldiron.privateKey;
+      };
+      "tinc/key.pub" = {
+        user = "root";
+        group = "root";
+        permissions = "0400";
+        text = config.myEnv.vpn.eldiron.publicKey;
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 655 1194 ];
+    system.activationScripts.tinc = let
+      configFiles = pkgs.runCommand "tinc-files" {
+        mainInterface = "eth0";
+        hostName = "ImmaeEu";
+        network = "Immae";
+        keyFile = config.secrets.fullPaths."tinc/key.priv";
+      } ''
+        mkdir -p $out
+        for i in ${./tinc}/*; do
+          substituteAll $i $out/$(basename $i)
+        done
+      '';
+    in ''
+      install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
+      install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*}
+      install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
+      if [ ! -d /var/lib/tinc/Immae/hosts ]; then
+        ${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
+      fi
+    '';
+
+    systemd.slices.tinc = {
+      description = "Tinc slice";
+    };
+
+    systemd.services.tinc-Immae = {
+      description = "Tinc Daemon - Immae";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      path = [ pkgs.getent pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
+      serviceConfig = {
+        Slice = "tinc.slice";
+        Type = "simple";
+        Restart = "always";
+        RestartSec = "3";
+        ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
+      };
+    };
+  };
+}
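Review bot: The `hosts` directory cloned on line 78 is the set of peers this tinc node will trust, yet it is fetched from a remote `master` branch over HTTPS with no commit pin or signature check, so the VPN's membership list is whatever that branch holds at first activation. Because the clone is guarded by `if [ ! -d ... ]`, it also never refreshes afterwards, so a peer removed or re-keyed upstream stays trusted on this host until someone deletes the directory by hand; whether that is intended is not visible here. Consider pinning to a reviewed revision, e.g. `${pkgs.git}/bin/git -C /var/lib/tinc/Immae/hosts checkout <commit>` after the clone, or sourcing the hosts files from the Nix store like the other config files on lines 74–76 so they are reproducible and updated with the system. A clone failure at activation (no network yet) would presumably abort the activation script as well; a comment such as `# hosts/ defines trusted peers; fetched once, never auto-updated` would at least make the current trust model explicit.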