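{
  config,
  pkgs,
  lib,
  ...
}:

let
  cfg = config.services.ocserv;

  # Single source of truth for the two paths the unit and the daemon must
  # agree on.  The PID file path in particular is passed to ocserv and to
  # systemd's PIDFile=; a mismatch would leave systemd unable to track the
  # main process.
  pidFile = "/run/ocserv.pid";
  configFile = "/etc/ocserv/ocserv.conf";
in

{
  options.services.ocserv = {
    enable = lib.mkEnableOption "ocserv";

    config = lib.mkOption {
      type = lib.types.lines;

      description = ''
        Configuration content to start an OCServ server.

        For a full configuration reference, please refer to the online documentation
        (https://ocserv.gitlab.io/www/manual.html), the openconnect
        recipes (https://github.com/openconnect/recipes) or `man ocserv`.

        The content is written to `/etc/ocserv/ocserv.conf` via the Nix store,
        which is world-readable. Reference credential files and private keys by
        path (as the example does) rather than embedding secrets in this option.
      '';

      example = ''
        # configuration examples from $out/doc without explanatory comments.
        # for a full reference please look at the installed man pages.
        auth = "plain[passwd=./sample.passwd]"
        tcp-port = 443
        udp-port = 443
        run-as-user = nobody
        run-as-group = nogroup
        socket-file = /run/ocserv-socket
        server-cert = certs/server-cert.pem
        server-key = certs/server-key.pem
        keepalive = 32400
        dpd = 90
        mobile-dpd = 1800
        switch-to-tcp-timeout = 25
        try-mtu-discovery = false
        cert-user-oid = 0.9.2342.19200300.100.1.1
        tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
        auth-timeout = 240
        min-reauth-time = 300
        max-ban-score = 80
        ban-reset-time = 1200
        cookie-timeout = 300
        deny-roaming = false
        rekey-time = 172800
        rekey-method = ssl
        use-occtl = true
        pid-file = /run/ocserv.pid
        device = vpns
        predictable-ips = true
        default-domain = example.com
        ipv4-network = 192.168.1.0
        ipv4-netmask = 255.255.255.0
        dns = 192.168.1.2
        ping-leases = false
        route = 10.10.10.0/255.255.255.0
        route = 192.168.0.0/255.255.0.0
        no-route = 192.168.5.0/255.255.255.0
        cisco-client-compat = true
        dtls-legacy = true

        [vhost:www.example.com]
        auth = "certificate"
        ca-cert = certs/ca.pem
        server-cert = certs/server-cert-secp521r1.pem
        server-key = certs/server-key-secp521r1.pem
        ipv4-network = 192.168.2.0
        ipv4-netmask = 255.255.255.0
        cert-user-oid = 0.9.2342.19200300.100.1.1
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ pkgs.ocserv ];

    # The option value ends up in the Nix store and is linked into /etc;
    # see the option description for the implication regarding secrets.
    environment.etc."ocserv/ocserv.conf".text = cfg.config;

    # Registers a PAM service named "ocserv"; presumably used when the
    # configuration selects PAM-based authentication — verify against
    # `man ocserv` for the chosen `auth` backend.
    security.pam.services.ocserv = { };

    systemd.services.ocserv = {
      description = "OpenConnect SSL VPN server";
      documentation = [ "man:ocserv(8)" ];
      wants = [ "network-online.target" ];
      after = [
        "dbus.service"
        "network-online.target"
      ];
      wantedBy = [ "multi-user.target" ];

      # No User= is set, so the daemon is started as root.  Dropping
      # privileges is left to the ocserv configuration itself
      # (`run-as-user` / `run-as-group`, as shown in the example).
      serviceConfig = {
        PrivateTmp = true;
        PIDFile = pidFile;
        # Both the daemon and systemd refer to the same PID file path.
        ExecStart = "${pkgs.ocserv}/bin/ocserv --foreground --pid-file ${pidFile} --config ${configFile}";
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
      };
    };
  };
}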