path: root/systems/eldiron/vpn/default.nix
Diffstat (limited to 'systems/eldiron/vpn/default.nix')
-rw-r--r--systems/eldiron/vpn/default.nix61
1 files changed, 42 insertions, 19 deletions
diff --git a/systems/eldiron/vpn/default.nix b/systems/eldiron/vpn/default.nix
index df56249..a5cc423 100644
--- a/systems/eldiron/vpn/default.nix
+++ b/systems/eldiron/vpn/default.nix
@@ -1,10 +1,50 @@
1{ config, pkgs, lib, ... }: 1{ config, pkgs, lib, ... }:
2let 2let
3 cfg = config.myServices.vpn; 3 cfg = config.myServices.vpn;
4 configFiles = pkgs.runCommand "tinc-files" {
5 mainInterface = "eth0";
6 hostName = "ImmaeEu";
7 network = "Immae";
8 keyFile = config.secrets.fullPaths."tinc/key.priv";
9 } ''
10 mkdir -p $out
11 for i in ${./tinc}/*; do
12 substituteAll $i $out/$(basename $i)
13 done
14 '';
15 keyPaths = lib.flatten (lib.mapAttrsToList
16 (ns: lib.mapAttrsToList
17 (name: s:
18 lib.nameValuePair
19 "${ns}${name}"
20 (if builtins.isPath s then s else pkgs.writeText "${ns}${name}" s)
21 )
22 ) config.myServices.vpn.keys);
23 keysDir = pkgs.runCommand "tinc-config" {} (''
24 install -m755 -d $out $out/hosts
25 install -m755 -t $out ${configFiles}/{host-*,tinc-*}
26 install -m444 -t $out ${configFiles}/tinc.conf
27 install -m755 -t $out/hosts ${configFiles}/ImmaeEu-*
28 install -m444 -t $out/hosts ${configFiles}/ImmaeEu
29 '' + builtins.concatStringsSep "\n" (builtins.map (p: "cp ${p.value} $out/hosts/${p.name}") keyPaths) + ''
30
31 cd $out
32 tar -czf $out/hosts.tar.gz hosts/
33 '');
4in 34in
5{ 35{
6 options.myServices = { 36 options.myServices = {
7 vpn.enable = lib.mkEnableOption "Enable vpn service"; 37 vpn.enable = lib.mkEnableOption "Enable vpn service";
38 vpn.keys = lib.mkOption {
39 type = lib.types.attrsOf (lib.types.attrsOf (lib.types.either lib.types.path lib.types.str));
40 description = "Keys sorted by namespaces and names";
41 default = {};
42 };
43 vpn.hostsPath = lib.mkOption {
44 type = lib.types.path;
45 default = "${keysDir}/hosts.tar.gz";
46 readOnly = true;
47 };
8 }; 48 };
9 49
10 config = lib.mkIf cfg.enable { 50 config = lib.mkIf cfg.enable {
@@ -50,25 +90,8 @@ in
50 }; 90 };
51 }; 91 };
52 networking.firewall.allowedTCPPorts = [ 655 1194 ]; 92 networking.firewall.allowedTCPPorts = [ 655 1194 ];
53 system.activationScripts.tinc = let 93 system.activationScripts.tinc = ''
54 configFiles = pkgs.runCommand "tinc-files" {
55 mainInterface = "eth0";
56 hostName = "ImmaeEu";
57 network = "Immae";
58 keyFile = config.secrets.fullPaths."tinc/key.priv";
59 } ''
60 mkdir -p $out
61 for i in ${./tinc}/*; do
62 substituteAll $i $out/$(basename $i)
63 done
64 '';
65 in ''
66 install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae 94 install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
67 install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*}
68 install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
69 if [ ! -d /var/lib/tinc/Immae/hosts ]; then
70 ${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
71 fi
72 ''; 95 '';
73 96
74 systemd.slices.tinc = { 97 systemd.slices.tinc = {
@@ -85,7 +108,7 @@ in
85 Type = "simple"; 108 Type = "simple";
86 Restart = "always"; 109 Restart = "always";
87 RestartSec = "3"; 110 RestartSec = "3";
88 ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid"; 111 ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c ${keysDir} --pidfile /run/tinc.Immae.pid";
89 }; 112 };
90 }; 113 };
91 }; 114 };
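Review bot: Every value of `vpn.keys` ends up in the world-readable Nix store — strings via `pkgs.writeText`, paths via the generated `cp` lines in `keysDir` — and the `install -m` modes in that runCommand have no effect because the store normalizes file modes to 444/555, so the option can only ever safely hold public tinc host files and its description should say so, e.g. `description = "Public tinc host files (public keys only), sorted by namespace and name; copied into the world-readable Nix store";`. The private key is still referenced by path through `config.secrets.fullPaths."tinc/key.priv"` rather than copied, which is the right split, assuming the `./tinc` templates only use it as a `PrivateKeyFile` path (the templates are outside this diff). `${p.name}` is interpolated unquoted into the `cp` line, so a namespace or name containing whitespace or shell metacharacters would break or redirect the build; quoting it, `cp ${p.value} "$out/hosts/${p.name}"`, or rejecting names outside tinc's allowed host-name characters, closes that. The activation script now only creates `/var/lib/tinc/Immae`, which nothing in the visible new code uses after tincd switched to `-c ${keysDir}`; unless the unseen part of the config relies on it, it can be dropped.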