},
"locked": {
"lastModified": 1,
- "narHash": "sha256-nEhIk4RloOuTKmJxzvJP3l4Ap1kqjg5YjnpjKHyE1N0=",
+ "narHash": "sha256-nTSS6oSOmi4T40fXl2o8wfw1/6o2/PP4f8rHtVTGw2s=",
"path": "../flakes",
"type": "path"
},
},
"locked": {
"lastModified": 1,
- "narHash": "sha256-5Cvss4/y9e4l3QMI3azrsjfqnKnKJcW79IviACOVpX8=",
+ "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=",
"path": "../systems/eldiron",
"type": "path"
},
"nixpkgs": "nixpkgs_106"
},
"locked": {
- "lastModified": 1696596844,
- "narHash": "sha256-qtQL21ZF1N3EMqGo5RJq4ytWngsKYOv5mE/pSSxaJJM=",
+ "lastModified": 1697062813,
+ "narHash": "sha256-pbS3ZgZzCkbL3XO0DpoqQU4JHOMd980vTPX4seMH+U8=",
"ref": "master",
- "rev": "ac58ff30d8f1712ef115d3c8aaf8da2211662e90",
- "revCount": 698,
+ "rev": "6f65e826f8baaf08a651366f8e05b58d6a7326ad",
+ "revCount": 701,
"type": "git",
"url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets"
},
},
"locked": {
"lastModified": 1,
- "narHash": "sha256-nEhIk4RloOuTKmJxzvJP3l4Ap1kqjg5YjnpjKHyE1N0=",
+ "narHash": "sha256-nTSS6oSOmi4T40fXl2o8wfw1/6o2/PP4f8rHtVTGw2s=",
"path": "./flakes",
"type": "path"
},
},
"locked": {
"lastModified": 1,
- "narHash": "sha256-5Cvss4/y9e4l3QMI3azrsjfqnKnKJcW79IviACOVpX8=",
+ "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=",
"path": "../systems/eldiron",
"type": "path"
},
},
"locked": {
"lastModified": 1,
- "narHash": "sha256-5Cvss4/y9e4l3QMI3azrsjfqnKnKJcW79IviACOVpX8=",
+ "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=",
"path": "../systems/eldiron",
"type": "path"
},
{ config, pkgs, lib, ... }:
let
cfg = config.myServices.vpn;
+ configFiles = pkgs.runCommand "tinc-files" {
+ mainInterface = "eth0";
+ hostName = "ImmaeEu";
+ network = "Immae";
+ keyFile = config.secrets.fullPaths."tinc/key.priv";
+ } ''
+ mkdir -p $out
+ for i in ${./tinc}/*; do
+ substituteAll $i $out/$(basename $i)
+ done
+ '';
+ keyPaths = lib.flatten (lib.mapAttrsToList
+ (ns: lib.mapAttrsToList
+ (name: s:
+ lib.nameValuePair
+ "${ns}${name}"
+ (if builtins.isPath s then s else pkgs.writeText "${ns}${name}" s)
+ )
+ ) config.myServices.vpn.keys);
+ keysDir = pkgs.runCommand "tinc-config" {} (''
+ install -m755 -d $out $out/hosts
+ install -m755 -t $out ${configFiles}/{host-*,tinc-*}
+ install -m444 -t $out ${configFiles}/tinc.conf
+ install -m755 -t $out/hosts ${configFiles}/ImmaeEu-*
+ install -m444 -t $out/hosts ${configFiles}/ImmaeEu
+ '' + builtins.concatStringsSep "\n" (builtins.map (p: "cp ${p.value} $out/hosts/${p.name}") keyPaths) + ''
+
+ cd $out
+ tar -czf $out/hosts.tar.gz hosts/
+ '');
in
{
options.myServices = {
vpn.enable = lib.mkEnableOption "Enable vpn service";
+ vpn.keys = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.attrsOf (lib.types.either lib.types.path lib.types.str));
+ description = "Keys sorted by namespaces and names";
+ default = {};
+ };
+ vpn.hostsPath = lib.mkOption {
+ type = lib.types.path;
+ default = "${keysDir}/hosts.tar.gz";
+ readOnly = true;
+ };
};
config = lib.mkIf cfg.enable {
};
};
networking.firewall.allowedTCPPorts = [ 655 1194 ];
- system.activationScripts.tinc = let
- configFiles = pkgs.runCommand "tinc-files" {
- mainInterface = "eth0";
- hostName = "ImmaeEu";
- network = "Immae";
- keyFile = config.secrets.fullPaths."tinc/key.priv";
- } ''
- mkdir -p $out
- for i in ${./tinc}/*; do
- substituteAll $i $out/$(basename $i)
- done
- '';
- in ''
+ system.activationScripts.tinc = ''
install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
- install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*}
- install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
- if [ ! -d /var/lib/tinc/Immae/hosts ]; then
- ${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
- fi
'';
systemd.slices.tinc = {
Type = "simple";
Restart = "always";
RestartSec = "3";
- ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
+ ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c ${keysDir} --pidfile /run/tinc.Immae.pid";
};
};
};
--- /dev/null
+Address = vpn.immae.eu
+Address = vpn.immae.eu 1194
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA6sJagBYTGUNjtiaPm3Se3BAa1nWbnHS7feTQ1C+L9WifgGkQICkr
+TXkQpGKIN+1mVD3Tl/Mx3BWtGGUMNgJhZ3p7rJgEXNuiWptEpG7BmujW61gVxQ2v
+0FJuGwgT8GvNI9s2BeWtxQKdmX6MOOdtRMmd33F8Zffw6TdJtPuj1dvTwGmkBl71
+RNd6TXi5LR5r1A01Z88TPeZJo1BNkl8P9qkMGv+fTYmX9lnd9brQ0MDVNldJwGhI
+/KU7J7tW20KizhgOdkYJU75JgWX+7QKJMjvOc6nv8ORWk5jLfv6MNKoG3UirBV4t
+ariPo+Gb/u7BU3R2mPHhxKMrC7NVdp+JNQIDAQAB
+-----END RSA PUBLIC KEY-----
--- /dev/null
+#!/bin/sh
+# This file closes down the tap device.
+
+[ -e /tmp/tinc_$NETNAME ] && . /tmp/tinc_$NETNAME
+[ -e /run/tinc_$NETNAME.vars ] && . /run/tinc_$NETNAME.vars
+rm -f /tmp/tinc_$NETNAME /run/tinc_$NETNAME.vars || true
+[ -n "$GWIP" ] && ip -6 route del default via $GWIP table 655
+for MYIP in $MYIPS; do
+ ip -6 addr del $MYIP/96 dev $INTERFACE
+ ip -6 rule del from $MYIP/96 table 655
+ ip -6 rule del to $MYIP/96 table 655
+done
+ip -6 link set $INTERFACE down
+
--- /dev/null
+#!/bin/sh
+# This file sets up the tap device.
+# It gives you the freedom to do anything you want with it.
+# Use the correct name for the tap device:
+# The environment variable $INTERFACE is set to the right name
+# on most platforms, but if it doesn't work try to set it manually.
+
+# Give it the right ip and netmask. Remember, the subnet of the
+# tap device must be larger than that of the individual Subnets
+# as defined in the host configuration file!
+SCRIPT_DIR=$(dirname -- "$( readlink -f -- "$0"; )")
+SUBDOMAIN=$(echo "$NAME" | sed -e "s/\([A-Z][a-z0-9]*\)/\L\1 /g;" | awk '{ for (i=NF; i>1; i--) printf("%s.",$i); print $1; }')
+while [ -z "$MYIPS" -o -z "$GWIP" ]; do
+ MYIPS=`getent hosts ${SUBDOMAIN}.immae.eu | cut -d' ' -f1 | tr "\\n" ' '`
+ GWIP=`getent hosts gw.vpn.immae.eu | head -n1 | cut -d' ' -f1`
+ sleep 5
+done
+rm -f /run/tinc_$NETNAME.vars
+echo -e "MYIPS=\"$MYIPS\"\nGWIP=\"$GWIP\"" > /run/tinc_$NETNAME.vars
+ip -6 link set $INTERFACE up mtu 1280
+for MYIP in $MYIPS; do
+ ip -6 addr add $MYIP/96 dev $INTERFACE
+ ip -6 rule add from $MYIP/96 table 655
+ ip -6 rule add to $MYIP/96 table 655
+done
+ip -6 route add default via $GWIP dev $INTERFACE table 655
+(cd "$SCRIPT_DIR" && (curl -s https://vpn.immae.eu/hosts.tar.gz | tar -xz --strip-components=1)) || true
certName = "eldiron";
hosts = [ "vpn.immae.eu" ];
root = ./www;
+ extraConfig = [
+ ''
+ Alias /hosts.tar.gz "${config.myServices.vpn.hostsPath}"
+ ''
+ ];
};
};
}
projects / perso / Immae / Config / Nix.git / commitdiff
