From b458458c30f715862997cc7490637dff757f97cc Mon Sep 17 00:00:00 2001
From: Alexander Tomokhov
Date: Fri, 1 Dec 2023 08:42:03 +0400
Subject: [PATCH] move ocserv to SP module

---
configuration.nix | 1 -
letsencrypt/acme.nix | 2 +-
sp-modules/ocserv/config-paths-needed.json | 4 ++
sp-modules/ocserv/flake.nix | 9 ++++
sp-modules/ocserv/module.nix | 59 ++++++++++++++++++++++
userdata-variables.nix | 3 --
variables-module.nix | 6 ---
vpn/ocserv.nix | 52 -------------------
8 files changed, 73 insertions(+), 63 deletions(-)
create mode 100644 sp-modules/ocserv/config-paths-needed.json
create mode 100644 sp-modules/ocserv/flake.nix
create mode 100644 sp-modules/ocserv/module.nix
delete mode 100644 vpn/ocserv.nix

diff --git a/configuration.nix b/configuration.nix
index 9da0f58..cde5e67 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -5,7 +5,6 @@
 ./files.nix
 ./volumes.nix
 ./users.nix
- ./vpn/ocserv.nix
 ./social/pleroma.nix
 ./letsencrypt/acme.nix
 ./letsencrypt/resolve.nix
diff --git a/letsencrypt/acme.nix b/letsencrypt/acme.nix
index bf89aca..f419178 100644
--- a/letsencrypt/acme.nix
+++ b/letsencrypt/acme.nix
@@ -3,7 +3,7 @@ let
 cfg = config.selfprivacy;
 in
 {
- users.groups.acmereceivers.members = [ "nginx" "ocserv" ];
+ users.groups.acmereceivers.members = [ "nginx" ];
 security.acme = {
 acceptTerms = true;
 defaults = {
diff --git a/sp-modules/ocserv/config-paths-needed.json b/sp-modules/ocserv/config-paths-needed.json
new file mode 100644
index 0000000..a433c68
--- /dev/null
+++ b/sp-modules/ocserv/config-paths-needed.json
@@ -0,0 +1,4 @@
+[
+ [ "selfprivacy", "domain" ],
+ [ "selfprivacy", "modules", "ocserv" ]
+]
diff --git a/sp-modules/ocserv/flake.nix b/sp-modules/ocserv/flake.nix
new file mode 100644
index 0000000..d08ad70
--- /dev/null
+++ b/sp-modules/ocserv/flake.nix
@@ -0,0 +1,9 @@
+{
+ description = "PoC SP module for OpenConnect VPN server (ocserv)";
+
+ outputs = { self }: {
+ nixosModules.default = import ./module.nix;
+ configPathsNeeded =
+ builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
+ };
+}
diff --git a/sp-modules/ocserv/module.nix b/sp-modules/ocserv/module.nix
new file mode 100644
index 0000000..9cf4fb5
--- /dev/null
+++ b/sp-modules/ocserv/module.nix
@@ -0,0 +1,59 @@
+{ config, lib, ... }:
+let
+ domain = config.selfprivacy.domain;
+in
+{
+ options.selfprivacy.modules.ocserv = {
+ enable = lib.mkOption {
+ default = false;
+ type = with lib; types.nullOr types.bool;
+ };
+ };
+
+ config = lib.mkIf config.selfprivacy.modules.ocserv.enable {
+ users.groups.ocserv.members = [ "ocserv" ];
+ users.users.ocserv = {
+ isNormalUser = false;
+ isSystemUser = true;
+ extraGroups = [ "acmereceivers" ];
+ group = "ocserv";
+ };
+ services.ocserv = {
+ enable = true;
+ config = ''
+ socket-file = /var/run/ocserv-socket
+
+ auth = "pam"
+
+ tcp-port = 8443
+ udp-port = 8443
+
+ server-cert = /var/lib/acme/${domain}/fullchain.pem
+ server-key = /var/lib/acme/${domain}/key.pem
+
+ compression = true
+
+ max-clients = 0
+ max-same-clients = 6
+
+ try-mtu-discovery = true
+
+ idle-timeout=1200
+ mobile-idle-timeout=2400
+
+ default-domain = vpn.${domain}
+
+ device = vpn0
+
+ ipv4-network = 10.10.10.0
+ ipv4-netmask = 255.255.255.0
+
+ tunnel-all-dns = true
+ dns = 1.1.1.1
+ dns = 1.0.0.1
+
+ route = default
+ '';
+ };
+ };
+}
diff --git a/userdata-variables.nix b/userdata-variables.nix
index b20a619..764f0c1 100644
--- a/userdata-variables.nix
+++ b/userdata-variables.nix
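Review bot: In module.nix the `enable` option is declared `types.nullOr types.bool` but is passed straight to `lib.mkIf`, which requires a boolean, so the `null` the type admits would abort evaluation rather than leave the module disabled; tighten it to `type = lib.types.bool;` (and add a `description`), or guard with `lib.mkIf (config.selfprivacy.modules.ocserv.enable == true)`. The module also grants the `ocserv` user `acmereceivers` membership so it can read `/var/lib/acme/${domain}/key.pem`, but that group is only defined in letsencrypt/acme.nix, which this commit no longer ties to ocserv; if the module can be enabled on a host that does not import acme.nix the group reference is dangling and the key unreadable, so consider declaring `users.groups.acmereceivers = { };` in the module as well. The ocserv config does not set `run-as-user`/`run-as-group`, so whether the worker processes actually run as this `ocserv` user (and therefore benefit from the group grant) depends on the NixOS service defaults and is worth confirming. Nothing in the module opens TCP/UDP 8443 in the firewall either; that may be handled elsewhere, but a self-contained module would normally own it.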
@@ -33,9 +33,6 @@ jsonData: { lib, ... }:
 jitsi = {
 enable = lib.attrsets.attrByPath [ "jitsi" "enable" ] false jsonData;
 };
- ocserv = {
- enable = lib.attrsets.attrByPath [ "ocserv" "enable" ] false jsonData;
- };
 ssh = {
 enable = lib.attrsets.attrByPath [ "ssh" "enable" ] true jsonData;
 rootKeys = lib.attrsets.attrByPath [ "ssh" "rootKeys" ] [ "" ] jsonData;
diff --git a/variables-module.nix b/variables-module.nix
index acdb77c..0044b58 100644
--- a/variables-module.nix
+++ b/variables-module.nix
@@ -151,12 +151,6 @@ with lib;
 type = types.nullOr types.bool;
 };
 };
- ocserv = {
- enable = mkOption {
- default = true;
- type = types.nullOr types.bool;
- };
- };
 #########
 # SSH #
 #########
diff --git a/vpn/ocserv.nix b/vpn/ocserv.nix
deleted file mode 100644
index a92c6e0..0000000
--- a/vpn/ocserv.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{ config, ... }:
-let
- domain = config.selfprivacy.domain;
-in
-{
- users.groups.ocserv = {
- members = [ "ocserv" ];
- };
- users.users.ocserv = {
- isNormalUser = false;
- isSystemUser = true;
- extraGroups = [ "ocserv" "acmereceivers" ];
- group = "ocserv";
- };
- services.ocserv = {
- enable = config.selfprivacy.ocserv.enable;
- config = ''
- socket-file = /var/run/ocserv-socket
-
- auth = "pam"
-
- tcp-port = 8443
- udp-port = 8443
-
- server-cert = /var/lib/acme/${domain}/fullchain.pem
- server-key = /var/lib/acme/${domain}/key.pem
-
- compression = true
-
- max-clients = 0
- max-same-clients = 6
-
- try-mtu-discovery = true
-
- idle-timeout=1200
- mobile-idle-timeout=2400
-
- default-domain = vpn.${domain}
-
- device = vpn0
-
- ipv4-network = 10.10.10.0
- ipv4-netmask = 255.255.255.0
-
- tunnel-all-dns = true
- dns = 1.1.1.1
- dns = 1.0.0.1
-
- route = default
- '';
- };
-}