Added OpenConnect deployment
This commit is contained in:
parent
df5ba808ba
commit
530ca13812
70
nixos-infect
70
nixos-infect
|
@ -20,7 +20,7 @@ makeConf() {
|
||||||
mkdir /etc/nixos/nextcloud
|
mkdir /etc/nixos/nextcloud
|
||||||
mkdir /etc/nixos/resources
|
mkdir /etc/nixos/resources
|
||||||
mkdir /etc/nixos/videomeet
|
mkdir /etc/nixos/videomeet
|
||||||
mkdir /etc/nixos/openconnect
|
mkdir /etc/nixos/vpn
|
||||||
|
|
||||||
# Prevent grep for sending error code 1 (and halting execution) when no lines are selected : https://www.unix.com/man-page/posix/1P/grep
|
# Prevent grep for sending error code 1 (and halting execution) when no lines are selected : https://www.unix.com/man-page/posix/1P/grep
|
||||||
local IFS=$'\n'
|
local IFS=$'\n'
|
||||||
|
@ -41,7 +41,7 @@ makeConf() {
|
||||||
$NIXOS_IMPORT
|
$NIXOS_IMPORT
|
||||||
./files.nix
|
./files.nix
|
||||||
./mailserver/system/mailserver.nix
|
./mailserver/system/mailserver.nix
|
||||||
./openconnect/shadowsocks.nix
|
./vpn/ocserv.nix
|
||||||
./api/api.nix
|
./api/api.nix
|
||||||
./api/api-service.nix
|
./api/api-service.nix
|
||||||
./letsencrypt/acme.nix
|
./letsencrypt/acme.nix
|
||||||
|
@ -58,8 +58,8 @@ makeConf() {
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "$(hostname)";
|
hostName = "$(hostname)";
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedTCPPorts = lib.mkForce [ 22 443 80 143 587 8388 ];
|
allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 587 8443 ];
|
||||||
allowedUDPPorts = lib.mkForce [ 22 443 80 143 587 8388 ];
|
allowedUDPPorts = lib.mkForce [ 443 ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
time.timeZone = "Europe/Uzhgorod";
|
time.timeZone = "Europe/Uzhgorod";
|
||||||
|
@ -259,6 +259,10 @@ EOF
|
||||||
group = "acmerecievers";
|
group = "acmerecievers";
|
||||||
webroot = "/var/lib/acme/acme-challenge";
|
webroot = "/var/lib/acme/acme-challenge";
|
||||||
};
|
};
|
||||||
|
"vpn.$DOMAIN" = {
|
||||||
|
group = "acmerecievers";
|
||||||
|
webroot = "/var/lib/acme/acme-challenge";
|
||||||
|
};
|
||||||
"git.$DOMAIN" = {
|
"git.$DOMAIN" = {
|
||||||
group = "acmerecievers";
|
group = "acmerecievers";
|
||||||
webroot = "/var/lib/acme/acme-challenge";
|
webroot = "/var/lib/acme/acme-challenge";
|
||||||
|
@ -350,6 +354,11 @@ EOF
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
};
|
};
|
||||||
|
"vpn.$DOMAIN" = {
|
||||||
|
listen = [{ addr = "0.0.0.0"; port = 8443; ssl = true; }];
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
};
|
||||||
"git.$DOMAIN" = {
|
"git.$DOMAIN" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
@ -659,19 +668,52 @@ in
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
cat > /etc/nixos/openconnect/shadowsocks.nix << EOF
|
cat > /etc/nixos/vpn/ocserv.nix << EOF
|
||||||
{ pkgs, ...}:
|
{ pkgs, ...}:
|
||||||
{
|
{
|
||||||
services = {
|
users.groups.ocserv = {
|
||||||
shadowsocks = {
|
members = [ "ocserv" ];
|
||||||
enable = true;
|
|
||||||
localAddress = [ "[::0]" "0.0.0.0" ];
|
|
||||||
port = 8388;
|
|
||||||
passwordFile = "/var/shadowsocks-password";
|
|
||||||
mode = "tcp_and_udp";
|
|
||||||
fastOpen = true;
|
|
||||||
encryptionMethod = "chacha20-ietf-poly1305";
|
|
||||||
};
|
};
|
||||||
|
users.users.ocserv = {
|
||||||
|
isNormalUser = false;
|
||||||
|
extraGroups = [ "ocserv" "acmerecievers" ];
|
||||||
|
};
|
||||||
|
services.ocserv = {
|
||||||
|
enable = true;
|
||||||
|
config = ''
|
||||||
|
socket-file = /var/run/ocserv-socket
|
||||||
|
|
||||||
|
auth = "pam"
|
||||||
|
|
||||||
|
tcp-port = 443
|
||||||
|
udp-port = 443
|
||||||
|
|
||||||
|
server-cert = /var/lib/acme/vpn.$DOMAIN/fullchain.pem
|
||||||
|
server-key = /var/lib/acme/vpn.$DOMAIN/key.pem
|
||||||
|
|
||||||
|
compression = true
|
||||||
|
|
||||||
|
max-clients = 0
|
||||||
|
max-same-clients = 6
|
||||||
|
|
||||||
|
try-mtu-discovery = true
|
||||||
|
|
||||||
|
idle-timeout=1200
|
||||||
|
mobile-idle-timeout=2400
|
||||||
|
|
||||||
|
default-domain = vpn.$DOMAIN
|
||||||
|
|
||||||
|
device = vpn0
|
||||||
|
|
||||||
|
ipv4-network = 10.10.10.0
|
||||||
|
ipv4-netmask = 255.255.255.0
|
||||||
|
|
||||||
|
tunnel-all-dns = true
|
||||||
|
dns = 1.1.1.1
|
||||||
|
dns = 1.0.0.1
|
||||||
|
|
||||||
|
route = default
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|
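Review bot: The new ocserv config sets `compression = true`, which should be dropped or set to `compression = false` — compressing the plaintext of an encrypted tunnel is the precondition for CRIME/VORACLE-class attacks and buys little on a VPN link. `auth = "pam"` with no qualifier admits every local account that has a password, so a restriction such as `auth = "pam[gid-min=1000]"` or a dedicated VPN group is worth adding, and on NixOS a `security.pam.services.ocserv` entry is usually required for PAM to accept the service at all — verify against the channel this script targets. Nothing in the hunk forwards or NATs traffic from `vpn0` (`route = default` pushes a default route into 10.10.10.0/24, but no `networking.nat` or `net.ipv4.ip_forward` setting appears), so clients will probably have no egress unless that lives elsewhere in the file. `users.users.ocserv` sets `isNormalUser = false` without `isSystemUser = true` or a `group`, which recent NixOS releases reject at evaluation time, and with the other virtual hosts using `forceSSL` (presumably on 0.0.0.0:443) ocserv's `tcp-port = 443` may collide with nginx even though the vpn.$DOMAIN vhost was moved to 8443. The enclosing makeConf() heredoc begins outside this hunk.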