# NixOS module: optional tinc VPN node ("Immae" network) driven by the
# myServices.vpn.enable switch. Everything below is gated on that option.
{ config, pkgs, lib, ... }:
let
# Shorthand for this module's own option set.
cfg = config.myServices.vpn;
in
{
options.myServices = {
vpn.enable = lib.mkEnableOption "Enable vpn service";
};
config = lib.mkIf cfg.enable {
# Key material comes from config.myEnv.vpn.eldiron and is written out by the
# (project-local) secrets mechanism as root:root 0400. The private key's
# on-disk location is read back below via config.secrets.fullPaths so the
# key never has to live inside the Nix store.
secrets.keys = [
{
dest = "tinc/key.priv";
user = "root";
group = "root";
permissions = "0400";
text = config.myEnv.vpn.eldiron.privateKey;
}
{
dest = "tinc/key.pub";
user = "root";
group = "root";
permissions = "0400";
text = config.myEnv.vpn.eldiron.publicKey;
}
];
# Only TCP is opened here. tinc's default port is 655 for both TCP and UDP,
# and it normally carries data over UDP; whether this node is meant to run
# TCP-only is decided in ./tinc/tinc.conf — NOTE(review): confirm, otherwise
# peers will silently fall back to tunnelling over TCP. The purpose of 1194
# is not visible in this file.
networking.firewall.allowedTCPPorts = [ 655 1194 ];
# Activation script: render the templates under ./tinc (each attribute of
# the runCommand environment is available to substituteAll as an @name@
# placeholder) into a store path, then copy them into /var/lib/tinc/Immae
# with root-only permissions. Runs on every `nixos-rebuild switch`/boot.
system.activationScripts.tinc = let
configFiles = pkgs.runCommand "tinc-files" {
mainInterface = "eth0";
hostName = "ImmaeEu";
network = "Immae";
keyFile = config.secrets.fullPaths."tinc/key.priv";
} ''
mkdir -p $out
for i in ${./tinc}/*; do
substituteAll $i $out/$(basename $i)
done
'';
# NOTE(review): the hosts/ directory (the peer definitions that decide who
# may join the VPN) is populated by a `git clone` of an unpinned `master`
# branch over HTTPS, performed as root during activation and only when the
# directory is absent. Consequences worth weighing: (1) the trusted peer set
# is whatever that branch held at first activation and is never refreshed
# by this script; (2) activation performs network I/O and, if the clone
# fails offline, tincd starts without any hosts and is restarted forever by
# Restart=always below; (3) nothing verifies the fetched content beyond the
# TLS connection. Pinning to a revision (e.g. a fetchGit/fetchgit derivation
# with rev and hash, or a submodule in this repo) would make the peer set
# reproducible and reviewable — left as-is here because the intended update
# model is not visible in this file.
in ''
install -m750 -o root -g root -d /var/lib/tinc/ /var/lib/tinc/Immae
install -m700 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/{host-*,tinc-*}
install -m400 -o root -g root -t /var/lib/tinc/Immae ${configFiles}/tinc.conf
if [ ! -d /var/lib/tinc/Immae/hosts ]; then
${pkgs.git}/bin/git clone -b master https://git.immae.eu/perso/Immae/Config/tinc/hosts /var/lib/tinc/Immae/hosts
fi
'';
# Dedicated slice so the daemon's resource accounting is separate from
# system.slice.
systemd.slices.tinc = {
description = "Tinc slice";
};
# tincd itself: foreground (-D), debug level 1 (-d1), config dir as
# prepared above. No User=/DynamicUser= or sandboxing directives are set,
# so it runs as root — presumably required for the tun device and the
# root-owned config files; NOTE(review): consider CapabilityBoundingSet/
# ProtectSystem-style hardening if the deployment allows it.
systemd.services.tinc-Immae = {
description = "Tinc Daemon - Immae";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
# Tools tinc-up/tinc-down style scripts rendered from ./tinc may invoke.
path = [ pkgs.tinc pkgs.bashInteractive pkgs.iproute pkgs.gnused pkgs.gawk pkgs.git pkgs.glibc ];
serviceConfig = {
Slice = "tinc.slice";
Type = "simple";
# Unconditional restart every 3 s; see the activation-script note above
# for the failure mode this masks.
Restart = "always";
RestartSec = "3";
ExecStart = "${pkgs.tinc}/bin/tincd -d1 -D -c /var/lib/tinc/Immae --pidfile /run/tinc.Immae.pid";
};
};
};
}