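{ config, pkgs, lib, ... }:
let
  cfg = config.myServices.vpn;

  # Tinc "netname". It names the state directory, the systemd unit and the
  # pidfile, so all three are derived from this one binding instead of being
  # spelled out three times.
  netName = "Immae";
  stateDir = "/var/lib/tinc/${netName}";

  # Git checkout providing the hosts/ directory (one file per peer, holding that
  # peer's public key and, optionally, -up/-down hooks). Fetched by the unit
  # below, not by the activation script — see the comment there.
  hostsRepo = "https://git.immae.eu/perso/Immae/Config/tinc/hosts";
in
{
  options.myServices = {
    vpn.enable = lib.mkEnableOption "Enable vpn service";
  };

  config = lib.mkIf cfg.enable {
    # The node keypair is deployed through the project's secrets mechanism, not
    # the nix store: everything under /nix/store is world-readable, so the
    # private key must only ever be referenced by its deployed path (keyFile
    # below), never interpolated into a derivation.
    secrets.keys = [
      {
        dest = "tinc/key.priv";
        user = "root";
        group = "root";
        permissions = "0400";
        text = config.myEnv.vpn.eldiron.privateKey;
      }
      {
        # Not sensitive; kept next to the private key for convenience.
        dest = "tinc/key.pub";
        user = "root";
        group = "root";
        permissions = "0400";
        text = config.myEnv.vpn.eldiron.publicKey;
      }
    ];

    # tincd's default Port is 655 on TCP *and* UDP; only TCP is opened here, so
    # unless the tinc.conf template in ./tinc (not visible from this module)
    # says otherwise, peers end up talking to this node over TCP only.
    # 1194 is not referenced by anything in this module — confirm what listens
    # on it (a Port= in the tinc.conf template? another service?) or drop it so
    # the exposed surface matches what is actually in use.
    networking.firewall.allowedTCPPorts = [ 655 1194 ];

    # Lay out ${stateDir} from the templates in ./tinc. Activation scripts also
    # run at every boot, before systemd brings the network up, so this must stay
    # free of network access; the hosts/ clone therefore lives in the unit.
    system.activationScripts.tinc = let
      # substituteAll fills the @var@ placeholders of each template. Only the
      # *path* of the private key goes in; the key material itself never passes
      # through runCommand, which would copy it into the store.
      configFiles = pkgs.runCommand "tinc-files" {
        mainInterface = "eth0";
        hostName = "ImmaeEu";
        network = netName;
        keyFile = config.secrets.fullPaths."tinc/key.priv";
      } ''
        mkdir -p $out
        for i in ${./tinc}/*; do
          substituteAll $i $out/$(basename $i)
        done
      '';
    in ''
      install -m750 -o root -g root -d /var/lib/tinc/ ${stateDir}
      # tinc-* and host-* hooks are executed by tincd as root: root-only,
      # never writable by anyone else.
      install -m700 -o root -g root -t ${stateDir} ${configFiles}/{host-*,tinc-*}
      install -m400 -o root -g root -t ${stateDir} ${configFiles}/tinc.conf
    '';

    systemd.slices.tinc = {
      description = "Tinc slice";
    };

    systemd.services."tinc-${netName}" = {
      description = "Tinc Daemon - ${netName}";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # bash/iproute/git/... are for the tinc-up and host-* hooks tincd spawns.
      path = [ pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];

      # Fetch the peer directory on first start. This used to happen in the
      # activation script, where at boot it ran before the network was up and so
      # could only succeed during a `nixos-rebuild switch`; here it is ordered
      # after network.target and, if the clone fails, retried by Restart=always.
      #
      # Security note: this checkout is the VPN's trust anchor (it decides which
      # public keys tincd accepts) AND, per the tinc manual, tincd executes
      # hosts/<peer>-up / <peer>-down hooks found in it — as root, since this
      # unit has no User=. Whoever can push to hostsRepo, or sit between this
      # host and git.immae.eu (the HTTPS certificate check is the only
      # verification; no commit pinning, no signature check), can admit peers
      # and run code as root here. Pin a commit or verify signed commits if that
      # repository is not entirely under the operator's control.
      preStart = ''
        if [ ! -d ${stateDir}/hosts ]; then
          ${pkgs.git}/bin/git clone -b master ${hostsRepo} ${stateDir}/hosts
        fi
      '';

      serviceConfig = {
        Slice = "tinc.slice";
        Type = "simple";
        Restart = "always";
        RestartSec = "3";
        # Runs as root with no sandboxing: tincd needs CAP_NET_ADMIN for the tun
        # device and the hooks above expect a full root environment, so any
        # ProtectSystem=/ReadWritePaths= tightening must first be validated
        # against the hook scripts in ./tinc, which this module cannot see.
        ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c ${stateDir} --pidfile /run/tinc.${netName}.pid";
      };
    };
  };
}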