selfprivacy-nixos-config/sp-modules/ocserv/module.nix

91 lines
2.3 KiB
Nix
Raw Permalink Normal View History

2023-12-01 04:42:03 +00:00
{ config, lib, ... }:
let
domain = config.selfprivacy.domain;
2023-12-22 15:57:48 +00:00
cert = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
key = "${config.security.acme.certs.${domain}.directory}/key.pem";
2024-02-15 09:56:12 +00:00
cfg = config.selfprivacy.modules.ocserv;
2023-12-01 04:42:03 +00:00
in
{
options.selfprivacy.modules.ocserv = {
enable = lib.mkOption {
default = false;
2023-12-28 08:54:59 +00:00
type = lib.types.bool;
2023-12-01 04:42:03 +00:00
};
2024-02-15 09:56:12 +00:00
subdomain = lib.mkOption {
default = "vpn";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
2023-12-01 04:42:03 +00:00
};
2024-02-15 09:56:12 +00:00
config = lib.mkIf cfg.enable {
2023-12-01 04:42:03 +00:00
users.groups.ocserv.members = [ "ocserv" ];
users.users.ocserv = {
isNormalUser = false;
isSystemUser = true;
extraGroups = [ "acmereceivers" ];
group = "ocserv";
};
services.ocserv = {
enable = true;
config = ''
socket-file = /var/run/ocserv-socket
auth = "pam"
tcp-port = 8443
udp-port = 8443
2023-12-22 15:57:48 +00:00
server-cert = ${cert}
server-key = ${key}
2023-12-01 04:42:03 +00:00
compression = true
max-clients = 0
max-same-clients = 6
try-mtu-discovery = true
idle-timeout=1200
mobile-idle-timeout=2400
2024-02-15 09:56:12 +00:00
default-domain = ${cfg.subdomain}.${domain}
2023-12-01 04:42:03 +00:00
device = vpn0
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0
tunnel-all-dns = true
dns = 1.1.1.1
dns = 1.0.0.1
route = default
'';
};
2024-02-15 09:56:12 +00:00
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
2023-12-22 15:57:48 +00:00
useACMEHost = domain;
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
};
systemd = {
services = {
ocserv = {
unitConfig.ConditionPathExists = [ cert key ];
serviceConfig.Slice = "ocserv.slice";
};
};
slices.ocserv = {
description = "ocserv service slice";
};
};
2023-12-01 04:42:03 +00:00
};
}