[perso/Immae/Config/Nix.git] / modules / private / vpn / default.nix

{ config, pkgs, lib, ... }:
let
  cfg = config.myServices.vpn;
in
{
  options.myServices = {
    vpn.enable = lib.mkEnableOption "Enable vpn service";
  };

  config = lib.mkIf cfg.enable {
    secrets.keys = {
      "tinc/key.priv" = {
        user = "root";
        group = "root";
        permissions = "0400";
        text = config.myEnv.vpn.eldiron.privateKey;
      };
      "tinc/key.pub" = {
        user = "root";
        group = "root";
        permissions = "0400";
        text = config.myEnv.vpn.eldiron.publicKey;
      };
    };
    networking.firewall.allowedTCPPorts = [ 655 1194 ];
    system.activationScripts.tinc = let
      configFiles = pkgs.runCommand "tinc-files" {
        mainInterface = "eth0";
        hostName = "ImmaeEu";
        network = "Immae";
        keyFile = config.secrets.fullPaths."tinc/key.priv";
      } ''
        mkdir -p $out
        for i in ${./tinc}/*; do
          substituteAll $i $out/$(basename $i)
        done
      '';
    in ''
      install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
      install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*}
      install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
      if [ ! -d /var/lib/tinc/Immae/hosts ]; then
        ${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
      fi
    '';

    systemd.slices.tinc = {
      description = "Tinc slice";
    };

    systemd.services.tinc-Immae = {
      description = "Tinc Daemon - Immae";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      path = [ pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
      serviceConfig = {
        Slice = "tinc.slice";
        Type = "simple";
        Restart = "always";
        RestartSec = "3";
        ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
      };
    };
  };
}
Commit	Line	Data
ea9c6fe8 IB	1	{ config, pkgs, lib, ... }:
	2	let
	3	cfg = config.myServices.vpn;
	4	in
	5	{
	6	options.myServices = {
	7	vpn.enable = lib.mkEnableOption "Enable vpn service";
	8	};
	9
	10	config = lib.mkIf cfg.enable {
4c4652aa IB	11	secrets.keys = {
4c4652aa IB	12	"tinc/key.priv" = {
ea9c6fe8 IB	13	user = "root";
	14	group = "root";
	15	permissions = "0400";
	16	text = config.myEnv.vpn.eldiron.privateKey;
4c4652aa IB	17	};
4c4652aa IB	18	"tinc/key.pub" = {
ea9c6fe8 IB	19	user = "root";
	20	group = "root";
	21	permissions = "0400";
	22	text = config.myEnv.vpn.eldiron.publicKey;
4c4652aa IB	23	};
4c4652aa IB	24	};
ea9c6fe8 IB	25	networking.firewall.allowedTCPPorts = [ 655 1194 ];
	26	system.activationScripts.tinc = let
	27	configFiles = pkgs.runCommand "tinc-files" {
	28	mainInterface = "eth0";
	29	hostName = "ImmaeEu";
	30	network = "Immae";
	31	keyFile = config.secrets.fullPaths."tinc/key.priv";
	32	} ''
	33	mkdir -p $out
	34	for i in ${./tinc}/*; do
	35	substituteAll $i $out/$(basename $i)
	36	done
	37	'';
	38	in ''
	39	install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
	40	install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-,tinc-}
	41	install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
	42	if [ ! -d /var/lib/tinc/Immae/hosts ]; then
	43	${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
	44	fi
	45	'';
	46
850adcf4 IB	47	systemd.slices.tinc = {
	48	description = "Tinc slice";
	49	};
	50
ea9c6fe8 IB	51	systemd.services.tinc-Immae = {
	52	description = "Tinc Daemon - Immae";
	53	wantedBy = [ "multi-user.target" ];
	54	after = [ "network.target" ];
	55	path = [ pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
	56	serviceConfig = {
850adcf4	57	Slice = "tinc.slice";
ea9c6fe8 IB	58	Type = "simple";
	59	Restart = "always";
	60	RestartSec = "3";
	61	ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
	62	};
	63	};
	64	};
	65	}