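# PKI bootstrap (run on the host; the output must end up under `${cfg.storage}/data`,
# which is bind-mounted read-only at /data inside the container):
# easyrsa --days=36500 init-pki
# easyrsa --days=36500 build-ca
# easyrsa --days=36500 build-server-full <SERVER_NAME> nopass
# easyrsa --days=36500 build-client-full <CLIENT_NAME> nopass
# easyrsa gen-crl
# openssl dhparam -out dh2048.pem 2048
# Don't forget to set tls hostname on the client to match SERVER_NAME *AND* disable ipv6 ?
#
# Revoking a client (the container only re-reads the CRL on restart):
# easyrsa revoke <CLIENT_NAME>
# easyrsa gen-crl
# restart container
#
# SEE: https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf
# SRC: https://github.com/TinCanTech/easy-tls
{
  config,
  container,
  lib,
  pkgs,
  util,
  ...
}: let
  cfg = config.container.module.vpn;
in {
  options.container.module.vpn = {
    enable = lib.mkEnableOption "the vpn server.";
    # Container address as seen from the host; also the next hop of the client route below.
    address = lib.mkOption {
      default = "10.1.0.23";
      type = lib.types.str;
    };
    # UDP port OpenVPN listens on (`port`/`proto udp` in the server config).
    port = lib.mkOption {
      default = 22145;
      type = lib.types.int;
    };
    # Host directory; its `data` subdirectory holds the PKI, CRL and DH parameters.
    storage = lib.mkOption {
      default = "${config.container.storage}/vpn";
      type = lib.types.str;
    };
    # Client subnet routed from the host into the container. The `server` directive in the
    # OpenVPN config below is written by hand and has to agree with this value.
    clients = lib.mkOption {
      default = "10.1.1.0/24";
      type = lib.types.str;
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.tmpfiles.rules = container.mkContainerDir cfg [
      "data"
    ];

    # HACK: I have no idea how to fully manage the container interface via networkd, so just add a route manually.
    systemd.services.vpn-route = util.mkStaticSystemdService {
      enable = true;
      description = "Hack vpn routes on host";
      after = [ "container@vpn.service" ];
      wants = [ "container@vpn.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "oneshot";
      };
      # `replace` is idempotent: re-running after a container restart or after `cfg.address`
      # changed updates the route instead of failing on "File exists" and leaving a stale
      # next hop behind. `|| true` keeps the unit best-effort if `ve-vpn` is not up yet.
      script = ''
        ${pkgs.iproute2}/bin/ip route replace ${cfg.clients} via ${cfg.address} dev ve-vpn || true
      '';
    };

    containers.vpn = container.mkContainer cfg {
      bindMounts = {
        # Key material is managed on the host; the container only ever reads it.
        "/data" = {
          hostPath = "${cfg.storage}/data";
          isReadOnly = true;
        };
      };

      config = { ... }: container.mkContainerConfig cfg {
        boot.kernel.sysctl = {
          "net.ipv4.conf.all.src_valid_mark" = 1;
          # Needed for the pushed routes: client traffic is forwarded out of the tun device.
          "net.ipv4.ip_forward" = 1;
        };
        environment.systemPackages = with pkgs; [
          easyrsa
          openvpn
        ];
        users = {
          groups.openvpn = {};
          # Unprivileged identity OpenVPN drops to after startup (`user`/`group` directives below).
          users.openvpn = {
            group = "openvpn";
            isSystemUser = true;
            uid = 1000;
          };
        };
        # NOTE: Change the `server` to match `cfg.clients` or write a substring here.
        #
        # Hardening worth considering (not enabled here because both need matching client-side
        # material): `remote-cert-tls client`, so a certificate issued with the server role cannot
        # be used to connect as a client, and a `tls-crypt` key (see SRC above), so packets that
        # do not carry the pre-shared key are dropped before the TLS handshake.
        #
        # `crl-verify` makes startup fail unless crl.pem exists, so run `easyrsa gen-crl` once
        # right after building the CA.
        #
        # NOTE(review): `ifconfig-pool-persist` and `status` use relative paths, which resolve
        # against the service's working directory — confirm that location is writable by
        # uid 1000 after the privilege drop.
        services.openvpn.servers.vpn = {
          autoStart = true;
          config = util.trimTabs ''
            ca /data/pki/ca.crt
            cert /data/pki/issued/home.crt
            client-to-client
            crl-verify /data/pki/crl.pem
            dev tun
            dh /data/dh2048.pem
            explicit-exit-notify 1
            group openvpn
            ifconfig-pool-persist ipp.txt
            keepalive 10 120
            key /data/pki/private/home.key
            persist-key
            persist-tun
            port ${toString cfg.port}
            proto udp
            push "dhcp-option DNS 10.0.0.1"
            push "route 10.0.0.0 255.0.0.0"
            push "route 192.168.1.0 255.255.255.0"
            server 10.1.1.0 255.255.255.0
            status openvpn-status.log
            topology subnet
            user openvpn
            verb 4
          '';
        };
      };
    };
  };
}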