--- /dev/null
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.myServices.vpn;
+in
+{
+ options.myServices = {
+ vpn.enable = lib.mkEnableOption "Enable vpn service";
+ };
+
+ config = lib.mkIf cfg.enable {
+ secrets.keys = [
+ {
+ dest = "tinc/key.priv";
+ user = "root";
+ group = "root";
+ permissions = "0400";
+ text = config.myEnv.vpn.eldiron.privateKey;
+ }
+ {
+ dest = "tinc/key.pub";
+ user = "root";
+ group = "root";
+ permissions = "0400";
+ text = config.myEnv.vpn.eldiron.publicKey;
+ }
+ ];
+ networking.firewall.allowedTCPPorts = [ 655 1194 ];
+ system.activationScripts.tinc = let
+ configFiles = pkgs.runCommand "tinc-files" {
+ mainInterface = "eth0";
+ hostName = "ImmaeEu";
+ network = "Immae";
+ keyFile = config.secrets.fullPaths."tinc/key.priv";
+ } ''
+ mkdir -p $out
+ for i in ${./tinc}/*; do
+ substituteAll $i $out/$(basename $i)
+ done
+ '';
+ in ''
+ install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
+ install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*}
+ install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
+ if [ ! -d /var/lib/tinc/Immae/hosts ]; then
+ ${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
+ fi
+ '';
+
+ systemd.services.tinc-Immae = {
+ description = "Tinc Daemon - Immae";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ path = [ pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+ RestartSec = "3";
+ ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
+ };
+ };
+ };
+}