Diffstat (limited to 'systems/eldiron/vpn/default.nix')
-rw-r--r-- | systems/eldiron/vpn/default.nix | 61 |
1 files changed, 42 insertions, 19 deletions
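--- a/systems/eldiron/vpn/default.nix
+++ b/systems/eldiron/vpn/default.nix
@@ -1,10 +1,50 @@
 { config, pkgs, lib, ... }:
 let
 cfg = config.myServices.vpn;
+configFiles = pkgs.runCommand "tinc-files" {
+mainInterface = "eth0";
+hostName = "ImmaeEu";
+network = "Immae";
+keyFile = config.secrets.fullPaths."tinc/key.priv";
+} ''
+mkdir -p $out
+for i in ${./tinc}/*; do
+substituteAll $i $out/$(basename $i)
+done
+'';
+keyPaths = lib.flatten (lib.mapAttrsToList
+(ns: lib.mapAttrsToList
+(name: s:
+lib.nameValuePair
+"${ns}${name}"
+(if builtins.isPath s then s else pkgs.writeText "${ns}${name}" s)
+)
+) config.myServices.vpn.keys);
+keysDir = pkgs.runCommand "tinc-config" {} (''
+install -m755 -d $out $out/hosts
+install -m755 -t $out ${configFiles}/{host-*,tinc-*}
+install -m444 -t $out ${configFiles}/tinc.conf
+install -m755 -t $out/hosts ${configFiles}/ImmaeEu-*
+install -m444 -t $out/hosts ${configFiles}/ImmaeEu
+'' + builtins.concatStringsSep "\n" (builtins.map (p: "cp ${p.value} $out/hosts/${p.name}") keyPaths) + ''
+
+cd $out
+tar -czf $out/hosts.tar.gz hosts/
+'');
 in
 {
 options.myServices = {
 vpn.enable = lib.mkEnableOption "Enable vpn service";
+vpn.keys = lib.mkOption {
+type = lib.types.attrsOf (lib.types.attrsOf (lib.types.either lib.types.path lib.types.str));
+description = "Keys sorted by namespaces and names";
+default = {};
+};
+vpn.hostsPath = lib.mkOption {
+type = lib.types.path;
+default = "${keysDir}/hosts.tar.gz";
+readOnly = true;
+};
 };
 
 config = lib.mkIf cfg.enable {
@@ -50,25 +90,8 @@ in
 };
 };
 networking.firewall.allowedTCPPorts = [ 655 1194 ];
-system.activationScripts.tinc = let
-configFiles = pkgs.runCommand "tinc-files" {
-mainInterface = "eth0";
-hostName = "ImmaeEu";
-network = "Immae";
-keyFile = config.secrets.fullPaths."tinc/key.priv";
-} ''
-mkdir -p $out
-for i in ${./tinc}/*; do
-substituteAll $i $out/$(basename $i)
-done
-'';
-in ''
+system.activationScripts.tinc = ''
 install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
-install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*}
-install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
-if [ ! -d /var/lib/tinc/Immae/hosts ]; then
-${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
-fi
 '';
 
 systemd.slices.tinc = {
@@ -85,7 +108,7 @@ in
 Type = "simple";
 Restart = "always";
 RestartSec = "3";
-ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
+ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c ${keysDir} --pidfile /run/tinc.Immae.pid";
 };
 };
 };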
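Review bot: The host file names built in `keyPaths` with `"${ns}${name}"` (new line 19) concatenate namespace and name with no separator, so two distinct (namespace, name) pairs can yield the same name and the `cp ${p.value} $out/hosts/${p.name}` loop on line 29 silently overwrites one peer file with the other; because tinc takes the peer name from the file name, inserting a separator would change the resulting names, so a build-time check is the safer fix, e.g. in the `config` block (which continues outside the hunks) `assertions = [ { assertion = builtins.length keyPaths == builtins.length (lib.unique (builtins.map (p: p.name) keyPaths)); message = "myServices.vpn.keys: duplicate host name after namespace/name concatenation"; } ];`. Since `keysDir` is a store path, everything `tincd -c ${keysDir}` reads — `tinc.conf` and any `str` value turned into a file by `pkgs.writeText` — is normally world-readable, unlike the old `-m400` files under `/var/lib/tinc/Immae`; the hunks show only the private-key path being substituted through `keyFile`, which is fine, but the option should say that keys are expected to be public: `description = "Public tinc host keys sorted by namespaces and names; values are copied into the world-readable Nix store";`. The activation script still creates `/var/lib/tinc/Immae` with mode 750 while nothing in the visible hunks refers to that directory any more; if tincd no longer needs it, drop the line, otherwise a comment naming what still writes there would help.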