Diffstat (limited to 'modules/private/vpn/default.nix')
-rw-r--r-- | modules/private/vpn/default.nix | 62 |
1 files changed, 62 insertions, 0 deletions
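--- /dev/null
+++ b/modules/private/vpn/default.nix
@@ -0,0 +1,62 @@
+{ config, pkgs, lib, ... }:
+let
+cfg = config.myServices.vpn;
+in
+{
+options.myServices = {
+vpn.enable = lib.mkEnableOption "Enable vpn service";
+};
+
+config = lib.mkIf cfg.enable {
+secrets.keys = [
+{
+dest = "tinc/key.priv";
+user = "root";
+group = "root";
+permissions = "0400";
+text = config.myEnv.vpn.eldiron.privateKey;
+}
+{
+dest = "tinc/key.pub";
+user = "root";
+group = "root";
+permissions = "0400";
+text = config.myEnv.vpn.eldiron.publicKey;
+}
+];
+networking.firewall.allowedTCPPorts = [ 655 1194 ];
+system.activationScripts.tinc = let
+configFiles = pkgs.runCommand "tinc-files" {
+mainInterface = "eth0";
+hostName = "ImmaeEu";
+network = "Immae";
+keyFile = config.secrets.fullPaths."tinc/key.priv";
+} ''
+mkdir -p $out
+for i in ${./tinc}/*; do
+substituteAll $i $out/$(basename $i)
+done
+'';
+in ''
+install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
+install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*}
+install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
+if [ ! -d /var/lib/tinc/Immae/hosts ]; then
+${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
+fi
+'';
+
+systemd.services.tinc-Immae = {
+description = "Tinc Daemon - Immae";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+path = [ pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
+serviceConfig = {
+Type = "simple";
+Restart = "always";
+RestartSec = "3";
+ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
+};
+};
+};
+}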
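Review bot: The `git clone` in the tinc activation script (new-side line 45) fetches the hosts directory — which holds the peer public keys that decide who is trusted to join the VPN — unpinned from a remote branch at activation time, so the trusted peer set is whatever `master` contains on first activation and, because the clone is guarded by `if [ ! -d /var/lib/tinc/Immae/hosts ]`, it is never refreshed or re-verified afterwards. Consider fetching it at build time with a pinned revision and hash, e.g. `hosts = pkgs.fetchgit { url = "https://git.immae.eu/perso/Immae/Config/tinc/hosts"; rev = "<PLACEHOLDER_REV>"; sha256 = "<PLACEHOLDER_HASH>"; };`, and installing it next to `${configFiles}`, which makes the peer set reproducible and reviewable in this repository; if a live clone is deliberate (peers added out of band), a comment saying so would help. Separately, `networking.firewall.allowedTCPPorts = [ 655 1194 ];` opens TCP only, while tinc by default also exchanges tunnel data over UDP 655, so `networking.firewall.allowedUDPPorts = [ 655 ];` is probably missing unless TCP-only operation is intended. The unit also runs tincd as root with no sandboxing directives; a short comment on why root is needed here (interface creation) would make that an explicit decision rather than an omission.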