move ocserv to SP module

pull/55/head
Alexander Tomokhov 2023-12-01 08:42:03 +04:00
parent 4cbe63ac64
commit b458458c30
8 changed files with 73 additions and 63 deletions


@ -5,7 +5,6 @@
./files.nix
./volumes.nix
./users.nix
./vpn/ocserv.nix
./social/pleroma.nix
./letsencrypt/acme.nix
./letsencrypt/resolve.nix


@ -3,7 +3,7 @@ let
cfg = config.selfprivacy;
in
{
users.groups.acmereceivers.members = [ "nginx" "ocserv" ];
users.groups.acmereceivers.members = [ "nginx" ];
security.acme = {
acceptTerms = true;
defaults = {


@ -0,0 +1,4 @@
[
[ "selfprivacy", "domain" ],
[ "selfprivacy", "modules", "ocserv" ]
]


@ -0,0 +1,9 @@
{
description = "PoC SP module for OpenConnect VPN server (ocserv)";
outputs = { self }: {
nixosModules.default = import ./module.nix;
configPathsNeeded =
builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
};
}


@ -0,0 +1,59 @@
{ config, lib, ... }:
let
domain = config.selfprivacy.domain;
in
{
options.selfprivacy.modules.ocserv = {
enable = lib.mkOption {
default = false;
type = with lib; types.nullOr types.bool;
};
};
config = lib.mkIf config.selfprivacy.modules.ocserv.enable {
users.groups.ocserv.members = [ "ocserv" ];
users.users.ocserv = {
isNormalUser = false;
isSystemUser = true;
extraGroups = [ "acmereceivers" ];
group = "ocserv";
};
services.ocserv = {
enable = true;
config = ''
socket-file = /var/run/ocserv-socket
auth = "pam"
tcp-port = 8443
udp-port = 8443
server-cert = /var/lib/acme/${domain}/fullchain.pem
server-key = /var/lib/acme/${domain}/key.pem
compression = true
max-clients = 0
max-same-clients = 6
try-mtu-discovery = true
idle-timeout=1200
mobile-idle-timeout=2400
default-domain = vpn.${domain}
device = vpn0
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0
tunnel-all-dns = true
dns = 1.1.1.1
dns = 1.0.0.1
route = default
'';
};
};
}
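Review bot: The `enable` option is declared as `types.nullOr types.bool`, yet its value is passed straight to `lib.mkIf` in the `config` attribute, so the `null` the type explicitly permits would abort evaluation with a non-boolean condition; `type = lib.types.bool;` (dropping the `with lib;`) matches `default = false` and removes that state. The option also has no `description`, e.g. `description = "Enable the OpenConnect (ocserv) VPN server on this host.";`. Note that `auth = "pam"` is carried over unchanged from the deleted vpn/ocserv.nix, so every local account with a password is a valid VPN login; a comment above that line naming this, or a dedicated PAM service for ocserv, would make the trust boundary explicit to whoever maintains the module.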


@ -33,9 +33,6 @@ jsonData: { lib, ... }:
jitsi = {
enable = lib.attrsets.attrByPath [ "jitsi" "enable" ] false jsonData;
};
ocserv = {
enable = lib.attrsets.attrByPath [ "ocserv" "enable" ] false jsonData;
};
ssh = {
enable = lib.attrsets.attrByPath [ "ssh" "enable" ] true jsonData;
rootKeys = lib.attrsets.attrByPath [ "ssh" "rootKeys" ] [ "" ] jsonData;


@ -151,12 +151,6 @@ with lib;
type = types.nullOr types.bool;
};
};
ocserv = {
enable = mkOption {
default = true;
type = types.nullOr types.bool;
};
};
#########
# SSH #
#########


@ -1,52 +0,0 @@
{ config, ... }:
let
domain = config.selfprivacy.domain;
in
{
users.groups.ocserv = {
members = [ "ocserv" ];
};
users.users.ocserv = {
isNormalUser = false;
isSystemUser = true;
extraGroups = [ "ocserv" "acmereceivers" ];
group = "ocserv";
};
services.ocserv = {
enable = config.selfprivacy.ocserv.enable;
config = ''
socket-file = /var/run/ocserv-socket
auth = "pam"
tcp-port = 8443
udp-port = 8443
server-cert = /var/lib/acme/${domain}/fullchain.pem
server-key = /var/lib/acme/${domain}/key.pem
compression = true
max-clients = 0
max-same-clients = 6
try-mtu-discovery = true
idle-timeout=1200
mobile-idle-timeout=2400
default-domain = vpn.${domain}
device = vpn0
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0
tunnel-all-dns = true
dns = 1.1.1.1
dns = 1.0.0.1
route = default
'';
};
}