move ocserv to SP module

2023-12-01 08:42:03 +04:00
parent 4cbe63ac64
commit b458458c30
8 changed files with 73 additions and 63 deletions
--- a/sp-modules/ocserv/config-paths-needed.json
+++ b/sp-modules/ocserv/config-paths-needed.json
@@ -0,0 +1,4 @@
+[
+  [ "selfprivacy", "domain" ],
+  [ "selfprivacy", "modules", "ocserv" ]
+]
--- a/sp-modules/ocserv/flake.nix
+++ b/sp-modules/ocserv/flake.nix
@@ -0,0 +1,9 @@
+{
+  description = "PoC SP module for OpenConnect VPN server (ocserv)";
+
+  outputs = { self }: {
+    nixosModules.default = import ./module.nix;
+    configPathsNeeded =
+      builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
+  };
+}
--- a/sp-modules/ocserv/module.nix
+++ b/sp-modules/ocserv/module.nix
@@ -0,0 +1,59 @@
+{ config, lib, ... }:
+let
+  domain = config.selfprivacy.domain;
+in
+{
+  options.selfprivacy.modules.ocserv = {
+    enable = lib.mkOption {
+      default = false;
+      type = with lib; types.nullOr types.bool;
+    };
+  };
+
+  config = lib.mkIf config.selfprivacy.modules.ocserv.enable {
+    users.groups.ocserv.members = [ "ocserv" ];
+    users.users.ocserv = {
+      isNormalUser = false;
+      isSystemUser = true;
+      extraGroups = [ "acmereceivers" ];
+      group = "ocserv";
+    };
+    services.ocserv = {
+      enable = true;
+      config = ''
+        socket-file = /var/run/ocserv-socket
+
+        auth = "pam"
+
+        tcp-port = 8443
+        udp-port = 8443
+
+        server-cert = /var/lib/acme/${domain}/fullchain.pem
+        server-key = /var/lib/acme/${domain}/key.pem
+
+        compression = true
+
+        max-clients = 0
+        max-same-clients = 6
+
+        try-mtu-discovery = true
+
+        idle-timeout=1200
+        mobile-idle-timeout=2400
+
+        default-domain = vpn.${domain}
+
+        device = vpn0
+
+        ipv4-network = 10.10.10.0
+        ipv4-netmask = 255.255.255.0
+
+        tunnel-all-dns = true
+        dns = 1.1.1.1
+        dns = 1.0.0.1
+
+        route = default
+      '';
+    };
+  };
+}