nixos/modules/services/networking/ocserv.nix

   1 {
   2   config,
   3   pkgs,
   4   lib,
   5   ...
   6 }:
   7
   8 with lib;
   9
  10 let
  11
  12   cfg = config.services.ocserv;
  13
  14 in
  15
  16 {
  17   options.services.ocserv = {
  18     enable = mkEnableOption "ocserv";
  19
  20     config = mkOption {
  21       type = types.lines;
  22
  23       description = ''
  24         Configuration content to start an OCServ server.
  25
  26         For a full configuration reference,please refer to the online documentation
  27         (https://ocserv.gitlab.io/www/manual.html), the openconnect
  28         recipes (https://github.com/openconnect/recipes) or `man ocserv`.
  29       '';
  30
  31       example = ''
  32         # configuration examples from $out/doc without explanatory comments.
  33         # for a full reference please look at the installed man pages.
  34         auth = "plain[passwd=./sample.passwd]"
  35         tcp-port = 443
  36         udp-port = 443
  37         run-as-user = nobody
  38         run-as-group = nogroup
  39         socket-file = /run/ocserv-socket
  40         server-cert = certs/server-cert.pem
  41         server-key = certs/server-key.pem
  42         keepalive = 32400
  43         dpd = 90
  44         mobile-dpd = 1800
  45         switch-to-tcp-timeout = 25
  46         try-mtu-discovery = false
  47         cert-user-oid = 0.9.2342.19200300.100.1.1
  48         tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
  49         auth-timeout = 240
  50         min-reauth-time = 300
  51         max-ban-score = 80
  52         ban-reset-time = 1200
  53         cookie-timeout = 300
  54         deny-roaming = false
  55         rekey-time = 172800
  56         rekey-method = ssl
  57         use-occtl = true
  58         pid-file = /run/ocserv.pid
  59         device = vpns
  60         predictable-ips = true
  61         default-domain = example.com
  62         ipv4-network = 192.168.1.0
  63         ipv4-netmask = 255.255.255.0
  64         dns = 192.168.1.2
  65         ping-leases = false
  66         route = 10.10.10.0/255.255.255.0
  67         route = 192.168.0.0/255.255.0.0
  68         no-route = 192.168.5.0/255.255.255.0
  69         cisco-client-compat = true
  70         dtls-legacy = true
  71
  72         [vhost:www.example.com]
  73         auth = "certificate"
  74         ca-cert = certs/ca.pem
  75         server-cert = certs/server-cert-secp521r1.pem
  76         server-key = cersts/certs/server-key-secp521r1.pem
  77         ipv4-network = 192.168.2.0
  78         ipv4-netmask = 255.255.255.0
  79         cert-user-oid = 0.9.2342.19200300.100.1.1
  80       '';
  81     };
  82   };
  83
  84   config = mkIf cfg.enable {
  85     environment.systemPackages = [ pkgs.ocserv ];
  86     environment.etc."ocserv/ocserv.conf".text = cfg.config;
  87
  88     security.pam.services.ocserv = { };
  89
  90     systemd.services.ocserv = {
  91       description = "OpenConnect SSL VPN server";
  92       documentation = [ "man:ocserv(8)" ];
  93       wants = [ "network-online.target" ];
  94       after = [
  95         "dbus.service"
  96         "network-online.target"
  97       ];
  98       wantedBy = [ "multi-user.target" ];
  99
 100       serviceConfig = {
 101         PrivateTmp = true;
 102         PIDFile = "/run/ocserv.pid";
 103         ExecStart = "${pkgs.ocserv}/bin/ocserv --foreground --pid-file /run/ocesrv.pid --config /etc/ocserv/ocserv.conf";
 104         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 105       };
 106     };
 107   };
 108 }