authorIsmaël Bouya <ismael.bouya@normalesup.org>2023-10-10 00:54:30 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2023-10-12 00:24:39 +0200
commit450e0db1a1ad900f93519c00f0ef132ec42a3728 (patch)
treea50ad5306b6c44238edc9d18fdcd09a7b94be4c1
parenta59f486863020816cbc0d3fc69ac7926134215d0 (diff)
downloadNix-450e0db1a1ad900f93519c00f0ef132ec42a3728.tar.gz
Nix-450e0db1a1ad900f93519c00f0ef132ec42a3728.tar.zst
Nix-450e0db1a1ad900f93519c00f0ef132ec42a3728.zip
Add tinc configuration
-rw-r--r--deploy/flake.lock12
-rw-r--r--flake.lock4
-rw-r--r--flakes/flake.lock2
-rw-r--r--systems/eldiron/vpn/default.nix61
-rw-r--r--systems/eldiron/vpn/tinc/ImmaeEu10
-rwxr-xr-xsystems/eldiron/vpn/tinc/ImmaeEu-down14
-rwxr-xr-xsystems/eldiron/vpn/tinc/ImmaeEu-up27
-rw-r--r--systems/eldiron/websites/vpn/default.nix5
8 files changed, 107 insertions, 28 deletions
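--- a/deploy/flake.lock
+++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@
  },
  "locked": {
  "lastModified": 1,
- "narHash": "sha256-nEhIk4RloOuTKmJxzvJP3l4Ap1kqjg5YjnpjKHyE1N0=",
+ "narHash": "sha256-nTSS6oSOmi4T40fXl2o8wfw1/6o2/PP4f8rHtVTGw2s=",
  "path": "../flakes",
  "type": "path"
  },
@@ -3903,7 +3903,7 @@
  },
  "locked": {
  "lastModified": 1,
- "narHash": "sha256-5Cvss4/y9e4l3QMI3azrsjfqnKnKJcW79IviACOVpX8=",
+ "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=",
  "path": "../systems/eldiron",
  "type": "path"
  },
@@ -8888,11 +8888,11 @@
  "nixpkgs": "nixpkgs_106"
  },
  "locked": {
- "lastModified": 1696596844,
- "narHash": "sha256-qtQL21ZF1N3EMqGo5RJq4ytWngsKYOv5mE/pSSxaJJM=",
+ "lastModified": 1697062813,
+ "narHash": "sha256-pbS3ZgZzCkbL3XO0DpoqQU4JHOMd980vTPX4seMH+U8=",
  "ref": "master",
- "rev": "ac58ff30d8f1712ef115d3c8aaf8da2211662e90",
- "revCount": 698,
+ "rev": "6f65e826f8baaf08a651366f8e05b58d6a7326ad",
+ "revCount": 701,
  "type": "git",
  "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets"
  },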
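--- a/flake.lock
+++ b/flake.lock
@@ -2664,7 +2664,7 @@
  },
  "locked": {
  "lastModified": 1,
- "narHash": "sha256-nEhIk4RloOuTKmJxzvJP3l4Ap1kqjg5YjnpjKHyE1N0=",
+ "narHash": "sha256-nTSS6oSOmi4T40fXl2o8wfw1/6o2/PP4f8rHtVTGw2s=",
  "path": "./flakes",
  "type": "path"
  },
@@ -3919,7 +3919,7 @@
  },
  "locked": {
  "lastModified": 1,
- "narHash": "sha256-5Cvss4/y9e4l3QMI3azrsjfqnKnKJcW79IviACOVpX8=",
+ "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=",
  "path": "../systems/eldiron",
  "type": "path"
  },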
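--- a/flakes/flake.lock
+++ b/flakes/flake.lock
@@ -3824,7 +3824,7 @@
  },
  "locked": {
  "lastModified": 1,
- "narHash": "sha256-5Cvss4/y9e4l3QMI3azrsjfqnKnKJcW79IviACOVpX8=",
+ "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=",
  "path": "../systems/eldiron",
  "type": "path"
  },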
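--- a/systems/eldiron/vpn/default.nix
+++ b/systems/eldiron/vpn/default.nix
@@ -1,10 +1,50 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.myServices.vpn;
+ configFiles = pkgs.runCommand "tinc-files" {
+ mainInterface = "eth0";
+ hostName = "ImmaeEu";
+ network = "Immae";
+ keyFile = config.secrets.fullPaths."tinc/key.priv";
+ } ''
+ mkdir -p $out
+ for i in ${./tinc}/*; do
+ substituteAll $i $out/$(basename $i)
+ done
+ '';
+ keyPaths = lib.flatten (lib.mapAttrsToList
+ (ns: lib.mapAttrsToList
+ (name: s:
+ lib.nameValuePair
+ "${ns}${name}"
+ (if builtins.isPath s then s else pkgs.writeText "${ns}${name}" s)
+ )
+ ) config.myServices.vpn.keys);
+ keysDir = pkgs.runCommand "tinc-config" {} (''
+ install -m755 -d $out $out/hosts
+ install -m755 -t $out ${configFiles}/{host-*,tinc-*}
+ install -m444 -t $out ${configFiles}/tinc.conf
+ install -m755 -t $out/hosts ${configFiles}/ImmaeEu-*
+ install -m444 -t $out/hosts ${configFiles}/ImmaeEu
+ '' + builtins.concatStringsSep "\n" (builtins.map (p: "cp ${p.value} $out/hosts/${p.name}") keyPaths) + ''
+
+ cd $out
+ tar -czf $out/hosts.tar.gz hosts/
+ '');
 in
 {
  options.myServices = {
  vpn.enable = lib.mkEnableOption "Enable vpn service";
+ vpn.keys = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.attrsOf (lib.types.either lib.types.path lib.types.str));
+ description = "Keys sorted by namespaces and names";
+ default = {};
+ };
+ vpn.hostsPath = lib.mkOption {
+ type = lib.types.path;
+ default = "${keysDir}/hosts.tar.gz";
+ readOnly = true;
+ };
  };
 
  config = lib.mkIf cfg.enable {
@@ -50,25 +90,8 @@ in
  };
  };
  networking.firewall.allowedTCPPorts = [ 655 1194 ];
- system.activationScripts.tinc = let
- configFiles = pkgs.runCommand "tinc-files" {
- mainInterface = "eth0";
- hostName = "ImmaeEu";
- network = "Immae";
- keyFile = config.secrets.fullPaths."tinc/key.priv";
- } ''
- mkdir -p $out
- for i in ${./tinc}/*; do
- substituteAll $i $out/$(basename $i)
- done
- '';
- in ''
+ system.activationScripts.tinc = ''
  install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
- install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*}
- install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
- if [ ! -d /var/lib/tinc/Immae/hosts ]; then
- ${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
- fi
  '';
 
  systemd.slices.tinc = {
@@ -85,7 +108,7 @@ in
  Type = "simple";
  Restart = "always";
  RestartSec = "3";
- ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
+ ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c ${keysDir} --pidfile /run/tinc.Immae.pid";
  };
  };
  };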
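Review bot: `tinc.conf` and the host scripts now live in the world-readable Nix store (`keysDir`, first hunk) instead of the 0400/0700 files that the removed activation lines installed under /var/lib/tinc/Immae, so the `@keyFile@` substituted from `config.secrets.fullPaths."tinc/key.priv"` must stay a path to the secret and never its contents; the template under ./tinc is not part of this diff, so I cannot confirm that. A one-line comment above `configFiles`, `# only the *path* of the private key is substituted; the key itself must stay out of the store`, would pin that invariant for the next edit of the template. The activation script kept in the second hunk still creates /var/lib/tinc/Immae although `ExecStart` in the third hunk now points tincd at `${keysDir}`; unless something outside this diff uses that directory, the script is dead and could be dropped. Minor: `keyPaths` reads `config.myServices.vpn.keys` while `cfg` is bound on the line above, so `cfg.keys` would be consistent with the rest of the module.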
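--- /dev/null
+++ b/systems/eldiron/vpn/tinc/ImmaeEu
@@ -0,0 +1,10 @@
+Address = vpn.immae.eu
+Address = vpn.immae.eu 1194
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA6sJagBYTGUNjtiaPm3Se3BAa1nWbnHS7feTQ1C+L9WifgGkQICkr
+TXkQpGKIN+1mVD3Tl/Mx3BWtGGUMNgJhZ3p7rJgEXNuiWptEpG7BmujW61gVxQ2v
+0FJuGwgT8GvNI9s2BeWtxQKdmX6MOOdtRMmd33F8Zffw6TdJtPuj1dvTwGmkBl71
+RNd6TXi5LR5r1A01Z88TPeZJo1BNkl8P9qkMGv+fTYmX9lnd9brQ0MDVNldJwGhI
+/KU7J7tW20KizhgOdkYJU75JgWX+7QKJMjvOc6nv8ORWk5jLfv6MNKoG3UirBV4t
+ariPo+Gb/u7BU3R2mPHhxKMrC7NVdp+JNQIDAQAB
+-----END RSA PUBLIC KEY-----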
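--- /dev/null
+++ b/systems/eldiron/vpn/tinc/ImmaeEu-down
@@ -0,0 +1,14 @@
+#!/bin/sh
+# This file closes down the tap device.
+
+[ -e /tmp/tinc_$NETNAME ] && . /tmp/tinc_$NETNAME
+[ -e /run/tinc_$NETNAME.vars ] && . /run/tinc_$NETNAME.vars
+rm -f /tmp/tinc_$NETNAME /run/tinc_$NETNAME.vars || true
+[ -n "$GWIP" ] && ip -6 route del default via $GWIP table 655
+for MYIP in $MYIPS; do
+ ip -6 addr del $MYIP/96 dev $INTERFACE
+ ip -6 rule del from $MYIP/96 table 655
+ ip -6 rule del to $MYIP/96 table 655
+done
+ip -6 link set $INTERFACE down
+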
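Review bot: Line 4 sources `/tmp/tinc_$NETNAME` before the /run variant, but the companion ImmaeEu-up added in this commit only ever writes `/run/tinc_$NETNAME.vars`, so the /tmp path looks like a leftover from an older location; sourcing a file from a world-writable directory into a script run with tincd's privileges (likely root, the visible unit lines set no `User=`) means any local user who pre-creates that file gets its contents executed. I would drop line 4 and shorten line 6 to `rm -f /run/tinc_$NETNAME.vars || true`. The header comment on line 2 could also say what the script actually undoes, e.g. `# Removes the addresses, policy rules (table 655) and default route that ImmaeEu-up added, then brings the interface down.`, since "closes down the tap device" is tinc's sample wording. `$INTERFACE`, `$GWIP` and `$MYIP` are used unquoted throughout, which is harmless for tinc-provided values but inconsistent with the quoted `[ -n "$GWIP" ]` test.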
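--- /dev/null
+++ b/systems/eldiron/vpn/tinc/ImmaeEu-up
@@ -0,0 +1,27 @@
+#!/bin/sh
+# This file sets up the tap device.
+# It gives you the freedom to do anything you want with it.
+# Use the correct name for the tap device:
+# The environment variable $INTERFACE is set to the right name
+# on most platforms, but if it doesn't work try to set it manually.
+
+# Give it the right ip and netmask. Remember, the subnet of the
+# tap device must be larger than that of the individual Subnets
+# as defined in the host configuration file!
+SCRIPT_DIR=$(dirname -- "$( readlink -f -- "$0"; )")
+SUBDOMAIN=$(echo "$NAME" | sed -e "s/\([A-Z][a-z0-9]*\)/\L\1 /g;" | awk '{ for (i=NF; i>1; i--) printf("%s.",$i); print $1; }')
+while [ -z "$MYIPS" -o -z "$GWIP" ]; do
+ MYIPS=`getent hosts ${SUBDOMAIN}.immae.eu | cut -d' ' -f1 | tr "\\n" ' '`
+ GWIP=`getent hosts gw.vpn.immae.eu | head -n1 | cut -d' ' -f1`
+ sleep 5
+done
+rm -f /run/tinc_$NETNAME.vars
+echo -e "MYIPS=\"$MYIPS\"\nGWIP=\"$GWIP\"" > /run/tinc_$NETNAME.vars
+ip -6 link set $INTERFACE up mtu 1280
+for MYIP in $MYIPS; do
+ ip -6 addr add $MYIP/96 dev $INTERFACE
+ ip -6 rule add from $MYIP/96 table 655
+ ip -6 rule add to $MYIP/96 table 655
+done
+ip -6 route add default via $GWIP dev $INTERFACE table 655
+(cd "$SCRIPT_DIR" && (curl -s https://vpn.immae.eu/hosts.tar.gz | tar -xz --strip-components=1)) || true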
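Review bot: The refresh on line 27 pipes `curl -s https://vpn.immae.eu/hosts.tar.gz` straight into `tar -xz` over the directory the script itself lives in, and `|| true` hides every failure; with `-s` and no `-f`, an HTTP error page is fed to tar silently, and nothing beyond the TLS session checks what gets extracted even though the archive carries the executable `ImmaeEu-up`/`-down` that tincd runs on every peer. I would use `curl -sSf --max-time 30` so failures at least reach the log, and extract into a temporary directory and swap it in only when tar succeeds, so a truncated download cannot leave a half-replaced hosts/ tree. The `while` loop on lines 13-17 has no bound, so tincd waits forever when DNS never answers; a retry counter with a log message would be kinder. `echo -e` on line 19 is not POSIX (dash prints the `-e` literally, which makes the vars file unparseable by ImmaeEu-down), so `printf 'MYIPS="%s"\nGWIP="%s"\n' "$MYIPS" "$GWIP" > /run/tinc_$NETNAME.vars` is the portable form; `-o` inside `[ ]` on line 13 has the same portability caveat.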
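--- a/systems/eldiron/websites/vpn/default.nix
+++ b/systems/eldiron/websites/vpn/default.nix
@@ -8,6 +8,11 @@ in {
  certName = "eldiron";
  hosts = [ "vpn.immae.eu" ];
  root = ./www;
+ extraConfig = [
+ ''
+ Alias /hosts.tar.gz "${config.myServices.vpn.hostsPath}"
+ ''
+ ];
  };
  };
 }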
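Review bot: The new Alias publishes `config.myServices.vpn.hostsPath`, the `hosts.tar.gz` that systems/eldiron/vpn/default.nix builds in the Nix store with the peers' host files and the `ImmaeEu-up`/`-down` scripts that peers fetch and execute, and nothing here says so. A comment above `extraConfig`, `# update channel for the tinc peers: ImmaeEu-up on each node fetches this archive and unpacks it over its hosts/ directory`, would make the trust placed in this vhost explicit to whoever touches it next. Since the target is a store path, Apache may also need a matching directory grant for it unless the surrounding module already allows the store; that part is outside the hunk.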