Added OpenConnect deployment

This commit is contained in:
Illia Chub 2021-01-25 14:54:54 +02:00
parent df5ba808ba
commit 530ca13812

View file

@ -20,7 +20,7 @@ makeConf() {
mkdir /etc/nixos/nextcloud mkdir /etc/nixos/nextcloud
mkdir /etc/nixos/resources mkdir /etc/nixos/resources
mkdir /etc/nixos/videomeet mkdir /etc/nixos/videomeet
mkdir /etc/nixos/openconnect mkdir /etc/nixos/vpn
# Prevent grep for sending error code 1 (and halting execution) when no lines are selected : https://www.unix.com/man-page/posix/1P/grep # Prevent grep for sending error code 1 (and halting execution) when no lines are selected : https://www.unix.com/man-page/posix/1P/grep
local IFS=$'\n' local IFS=$'\n'
@ -41,7 +41,7 @@ makeConf() {
$NIXOS_IMPORT $NIXOS_IMPORT
./files.nix ./files.nix
./mailserver/system/mailserver.nix ./mailserver/system/mailserver.nix
./openconnect/shadowsocks.nix ./vpn/ocserv.nix
./api/api.nix ./api/api.nix
./api/api-service.nix ./api/api-service.nix
./letsencrypt/acme.nix ./letsencrypt/acme.nix
@ -58,8 +58,8 @@ makeConf() {
networking = { networking = {
hostName = "$(hostname)"; hostName = "$(hostname)";
firewall = { firewall = {
allowedTCPPorts = lib.mkForce [ 22 443 80 143 587 8388 ]; allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 587 8443 ];
allowedUDPPorts = lib.mkForce [ 22 443 80 143 587 8388 ]; allowedUDPPorts = lib.mkForce [ 443 ];
}; };
}; };
time.timeZone = "Europe/Uzhgorod"; time.timeZone = "Europe/Uzhgorod";
@ -259,6 +259,10 @@ EOF
group = "acmerecievers"; group = "acmerecievers";
webroot = "/var/lib/acme/acme-challenge"; webroot = "/var/lib/acme/acme-challenge";
}; };
"vpn.$DOMAIN" = {
group = "acmerecievers";
webroot = "/var/lib/acme/acme-challenge";
};
"git.$DOMAIN" = { "git.$DOMAIN" = {
group = "acmerecievers"; group = "acmerecievers";
webroot = "/var/lib/acme/acme-challenge"; webroot = "/var/lib/acme/acme-challenge";
@ -350,6 +354,11 @@ EOF
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
}; };
"vpn.$DOMAIN" = {
listen = [{ addr = "0.0.0.0"; port = 8443; ssl = true; }];
enableACME = true;
forceSSL = true;
};
"git.$DOMAIN" = { "git.$DOMAIN" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -659,19 +668,52 @@ in
} }
EOF EOF
cat > /etc/nixos/openconnect/shadowsocks.nix << EOF cat > /etc/nixos/vpn/ocserv.nix << EOF
{ pkgs, ...}: { pkgs, ...}:
{ {
services = { users.groups.ocserv = {
shadowsocks = { members = [ "ocserv" ];
enable = true;
localAddress = [ "[::0]" "0.0.0.0" ];
port = 8388;
passwordFile = "/var/shadowsocks-password";
mode = "tcp_and_udp";
fastOpen = true;
encryptionMethod = "chacha20-ietf-poly1305";
}; };
users.users.ocserv = {
isNormalUser = false;
extraGroups = [ "ocserv" "acmerecievers" ];
};
services.ocserv = {
enable = true;
config = ''
socket-file = /var/run/ocserv-socket
auth = "pam"
tcp-port = 443
udp-port = 443
server-cert = /var/lib/acme/vpn.$DOMAIN/fullchain.pem
server-key = /var/lib/acme/vpn.$DOMAIN/key.pem
compression = true
max-clients = 0
max-same-clients = 6
try-mtu-discovery = true
idle-timeout=1200
mobile-idle-timeout=2400
default-domain = vpn.$DOMAIN
device = vpn0
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0
tunnel-all-dns = true
dns = 1.1.1.1
dns = 1.0.0.1
route = default
'';
}; };
} }
EOF EOF