Added OpenConnect deployment
Illia Chub
parent
df5ba808ba
commit
530ca13812
72
nixos-infect
72
nixos-infect
|
|
@ -20,7 +20,7 @@ makeConf() {
|
|||
mkdir /etc/nixos/nextcloud
|
||||
mkdir /etc/nixos/resources
|
||||
mkdir /etc/nixos/videomeet
|
||||
mkdir /etc/nixos/openconnect
|
||||
mkdir /etc/nixos/vpn
|
||||
|
||||
# Prevent grep for sending error code 1 (and halting execution) when no lines are selected : https://www.unix.com/man-page/posix/1P/grep
|
||||
local IFS=$'\n'
|
||||
|
|
@ -41,7 +41,7 @@ makeConf() {
|
|||
$NIXOS_IMPORT
|
||||
./files.nix
|
||||
./mailserver/system/mailserver.nix
|
||||
./openconnect/shadowsocks.nix
|
||||
./vpn/ocserv.nix
|
||||
./api/api.nix
|
||||
./api/api-service.nix
|
||||
./letsencrypt/acme.nix
|
||||
|
|
@ -58,8 +58,8 @@ makeConf() {
|
|||
networking = {
|
||||
hostName = "$(hostname)";
|
||||
firewall = {
|
||||
allowedTCPPorts = lib.mkForce [ 22 443 80 143 587 8388 ];
|
||||
allowedUDPPorts = lib.mkForce [ 22 443 80 143 587 8388 ];
|
||||
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 587 8443 ];
|
||||
allowedUDPPorts = lib.mkForce [ 443 ];
|
||||
};
|
||||
};
|
||||
time.timeZone = "Europe/Uzhgorod";
|
||||
|
|
@ -259,6 +259,10 @@ EOF
|
|||
group = "acmerecievers";
|
||||
webroot = "/var/lib/acme/acme-challenge";
|
||||
};
|
||||
"vpn.$DOMAIN" = {
|
||||
group = "acmerecievers";
|
||||
webroot = "/var/lib/acme/acme-challenge";
|
||||
};
|
||||
"git.$DOMAIN" = {
|
||||
group = "acmerecievers";
|
||||
webroot = "/var/lib/acme/acme-challenge";
|
||||
|
|
@ -350,6 +354,11 @@ EOF
|
|||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
"vpn.$DOMAIN" = {
|
||||
listen = [{ addr = "0.0.0.0"; port = 8443; ssl = true; }];
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
"git.$DOMAIN" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
|
@ -659,19 +668,52 @@ in
|
|||
}
|
||||
EOF
|
||||
|
||||
cat > /etc/nixos/openconnect/shadowsocks.nix << EOF
|
||||
cat > /etc/nixos/vpn/ocserv.nix << EOF
|
||||
{ pkgs, ...}:
|
||||
{
|
||||
services = {
|
||||
shadowsocks = {
|
||||
enable = true;
|
||||
localAddress = [ "[::0]" "0.0.0.0" ];
|
||||
port = 8388;
|
||||
passwordFile = "/var/shadowsocks-password";
|
||||
mode = "tcp_and_udp";
|
||||
fastOpen = true;
|
||||
encryptionMethod = "chacha20-ietf-poly1305";
|
||||
};
|
||||
users.groups.ocserv = {
|
||||
members = [ "ocserv" ];
|
||||
};
|
||||
users.users.ocserv = {
|
||||
isNormalUser = false;
|
||||
extraGroups = [ "ocserv" "acmerecievers" ];
|
||||
};
|
||||
services.ocserv = {
|
||||
enable = true;
|
||||
config = ''
|
||||
socket-file = /var/run/ocserv-socket
|
||||
|
||||
auth = "pam"
|
||||
|
||||
tcp-port = 443
|
||||
udp-port = 443
|
||||
|
||||
server-cert = /var/lib/acme/vpn.$DOMAIN/fullchain.pem
|
||||
server-key = /var/lib/acme/vpn.$DOMAIN/key.pem
|
||||
|
||||
compression = true
|
||||
|
||||
max-clients = 0
|
||||
max-same-clients = 6
|
||||
|
||||
try-mtu-discovery = true
|
||||
|
||||
idle-timeout=1200
|
||||
mobile-idle-timeout=2400
|
||||
|
||||
default-domain = vpn.$DOMAIN
|
||||
|
||||
device = vpn0
|
||||
|
||||
ipv4-network = 10.10.10.0
|
||||
ipv4-netmask = 255.255.255.0
|
||||
|
||||
tunnel-all-dns = true
|
||||
dns = 1.1.1.1
|
||||
dns = 1.0.0.1
|
||||
|
||||
route = default
|
||||
'';
|
||||
};
|
||||
}
|
||||
EOF
|
||||
|
|
|
|||
Loading…
Reference in New Issue