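# NixOS module for ocserv (OpenConnect SSL VPN server).
#
# Exposes two options under `services.ocserv`: `enable`, and a free-form
# `config` string that is written verbatim to /etc/ocserv/ocserv.conf and
# handed to `ocserv --config`.  Enabling the service also installs the
# package system-wide and registers a PAM service named "ocserv".
{ config, pkgs, lib, ... }:

with lib;

let

  cfg = config.services.ocserv;

  # Single source of truth for the PID file.  systemd's PIDFile= and the
  # --pid-file argument given to ocserv must name the same path, otherwise
  # systemd cannot track the main process and ExecReload's $MAINPID is wrong.
  # (The previous revision passed the misspelled /run/ocesrv.pid to ocserv
  # while PIDFile= pointed at /run/ocserv.pid.)
  pidFile = "/run/ocserv.pid";

  # Location the rendered configuration is written to and read from.
  confFile = "/etc/ocserv/ocserv.conf";

in

{
  options.services.ocserv = {
    enable = mkEnableOption (lib.mdDoc "ocserv");

    config = mkOption {
      type = types.lines;

      description = lib.mdDoc ''
        Configuration content to start an OCServ server.

        The text is written verbatim to `/etc/ocserv/ocserv.conf`, which is
        world-readable by default (it is placed in the Nix store and
        symlinked from `/etc`).  Reference password files and private keys
        by path rather than embedding their contents in this option.

        For a full configuration reference, please refer to the online documentation
        (https://ocserv.gitlab.io/www/manual.html), the openconnect
        recipes (https://github.com/openconnect/recipes) or `man ocserv`.
      '';

      example = ''
        # configuration examples from $out/doc without explanatory comments.
        # for a full reference please look at the installed man pages.
        auth = "plain[passwd=./sample.passwd]"
        tcp-port = 443
        udp-port = 443
        run-as-user = nobody
        run-as-group = nogroup
        socket-file = /run/ocserv-socket
        server-cert = certs/server-cert.pem
        server-key = certs/server-key.pem
        keepalive = 32400
        dpd = 90
        mobile-dpd = 1800
        switch-to-tcp-timeout = 25
        try-mtu-discovery = false
        cert-user-oid = 0.9.2342.19200300.100.1.1
        tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
        auth-timeout = 240
        min-reauth-time = 300
        max-ban-score = 80
        ban-reset-time = 1200
        cookie-timeout = 300
        deny-roaming = false
        rekey-time = 172800
        rekey-method = ssl
        use-occtl = true
        pid-file = /run/ocserv.pid
        device = vpns
        predictable-ips = true
        default-domain = example.com
        ipv4-network = 192.168.1.0
        ipv4-netmask = 255.255.255.0
        dns = 192.168.1.2
        ping-leases = false
        route = 10.10.10.0/255.255.255.0
        route = 192.168.0.0/255.255.0.0
        no-route = 192.168.5.0/255.255.255.0
        cisco-client-compat = true
        dtls-legacy = true

        [vhost:www.example.com]
        auth = "certificate"
        ca-cert = certs/ca.pem
        server-cert = certs/server-cert-secp521r1.pem
        server-key = certs/server-key-secp521r1.pem
        ipv4-network = 192.168.2.0
        ipv4-netmask = 255.255.255.0
        cert-user-oid = 0.9.2342.19200300.100.1.1
      '';
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.ocserv ];
    environment.etc."ocserv/ocserv.conf".text = cfg.config;

    # Registers a PAM service so that `auth = pam` style configurations can
    # authenticate against the system's PAM stack.
    security.pam.services.ocserv = {};

    systemd.services.ocserv = {
      description = "OpenConnect SSL VPN server";
      documentation = [ "man:ocserv(8)" ];
      after = [ "dbus.service" "network-online.target" ];
      # After= alone only orders relative to network-online.target; the
      # target has to be pulled in with Wants= for the ordering to apply.
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        PrivateTmp = true;
        PIDFile = pidFile;
        ExecStart = "${pkgs.ocserv}/bin/ocserv --foreground --pid-file ${pidFile} --config ${confFile}";
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
      };
    };
  };
}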