selfprivacy-nixos-config/sp-modules/ocserv/module.nix

{ config, lib, ... }:
let
  domain = config.selfprivacy.domain;
  cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
  key = "${config.security.acme.certs.${domain}.directory}/key.pem";
  cfg = config.selfprivacy.modules.ocserv;
in
{
  options.selfprivacy.modules.ocserv = {
    enable = lib.mkOption {
      default = false;
      type = lib.types.bool;
    };
    subdomain = lib.mkOption {
      default = "vpn";
      type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
    };
  };

  config = lib.mkIf cfg.enable {
    users.groups.ocserv.members = [ "ocserv" ];
    users.users.ocserv = {
      isNormalUser = false;
      isSystemUser = true;
      extraGroups = [ "acmereceivers" ];
      group = "ocserv";
    };
    services.ocserv = {
      enable = true;
      config = ''
        socket-file = /var/run/ocserv-socket

        auth = "pam"

        tcp-port = 8443
        udp-port = 8443

        server-cert = ${cert}
        server-key = ${key}

        compression = true

        max-clients = 0
        max-same-clients = 6

        try-mtu-discovery = true

        idle-timeout=1200
        mobile-idle-timeout=2400

        default-domain = ${cfg.subdomain}.${domain}

        device = vpn0

        ipv4-network = 10.10.10.0
        ipv4-netmask = 255.255.255.0

        tunnel-all-dns = true
        dns = 1.1.1.1
        dns = 1.0.0.1

        route = default
      '';
    };
    services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
      useACMEHost = domain;
      forceSSL = true;
      extraConfig = ''
        add_header Strict-Transport-Security $hsts_header;
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
        expires 10m;
      '';
    };
    systemd.services.ocserv.unitConfig.ConditionPathExists = [ cert key ];
  };
}
move ocserv to SP module 2023-12-01 06:42:03 +02:00			`{ config, lib, ... }:`
			`let`
			`domain = config.selfprivacy.domain;`
useACMEHost for all services 2023-12-22 17:57:48 +02:00			`cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";`
			`key = "${config.security.acme.certs.${domain}.directory}/key.pem";`
modules: parameterize all subdomains 2024-02-15 11:56:12 +02:00			`cfg = config.selfprivacy.modules.ocserv;`
move ocserv to SP module 2023-12-01 06:42:03 +02:00			`in`
			`{`
			`options.selfprivacy.modules.ocserv = {`
			`enable = lib.mkOption {`
			`default = false;`
sp-modules: refactor options types 2023-12-28 10:54:59 +02:00			`type = lib.types.bool;`
move ocserv to SP module 2023-12-01 06:42:03 +02:00			`};`
modules: parameterize all subdomains 2024-02-15 11:56:12 +02:00			`subdomain = lib.mkOption {`
			`default = "vpn";`
			`type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";`
			`};`
move ocserv to SP module 2023-12-01 06:42:03 +02:00			`};`

modules: parameterize all subdomains 2024-02-15 11:56:12 +02:00			`config = lib.mkIf cfg.enable {`
move ocserv to SP module 2023-12-01 06:42:03 +02:00			`users.groups.ocserv.members = [ "ocserv" ];`
			`users.users.ocserv = {`
			`isNormalUser = false;`
			`isSystemUser = true;`
			`extraGroups = [ "acmereceivers" ];`
			`group = "ocserv";`
			`};`
			`services.ocserv = {`
			`enable = true;`
			`config = ''`
			`socket-file = /var/run/ocserv-socket`

			`auth = "pam"`

			`tcp-port = 8443`
			`udp-port = 8443`

useACMEHost for all services 2023-12-22 17:57:48 +02:00			`server-cert = ${cert}`
			`server-key = ${key}`
move ocserv to SP module 2023-12-01 06:42:03 +02:00
			`compression = true`

			`max-clients = 0`
			`max-same-clients = 6`

			`try-mtu-discovery = true`

			`idle-timeout=1200`
			`mobile-idle-timeout=2400`

modules: parameterize all subdomains 2024-02-15 11:56:12 +02:00			`default-domain = ${cfg.subdomain}.${domain}`
move ocserv to SP module 2023-12-01 06:42:03 +02:00
			`device = vpn0`

			`ipv4-network = 10.10.10.0`
			`ipv4-netmask = 255.255.255.0`

			`tunnel-all-dns = true`
			`dns = 1.1.1.1`
			`dns = 1.0.0.1`

			`route = default`
			`'';`
			`};`
modules: parameterize all subdomains 2024-02-15 11:56:12 +02:00			`services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {`
useACMEHost for all services 2023-12-22 17:57:48 +02:00			`useACMEHost = domain;`
move nginx exclusive virtualHosts to SP modules 2023-12-18 17:02:54 +02:00			`forceSSL = true;`
			`extraConfig = ''`
			`add_header Strict-Transport-Security $hsts_header;`
			`#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;`
			`add_header 'Referrer-Policy' 'origin-when-cross-origin';`
			`add_header X-Frame-Options DENY;`
			`add_header X-Content-Type-Options nosniff;`
			`add_header X-XSS-Protection "1; mode=block";`
			`proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";`
			`expires 10m;`
			`'';`
			`};`
useACMEHost for all services 2023-12-22 17:57:48 +02:00			`systemd.services.ocserv.unitConfig.ConditionPathExists = [ cert key ];`
move ocserv to SP module 2023-12-01 06:42:03 +02:00			`};`
			`}`