cd5e01edd9
`ocserv` is a VPN server which follows the openconnect protocol (https://github.com/openconnect/protocol). The packaging is slightly inspired by the AUR version (https://aur.archlinux.org/packages/ocserv/). This patch initializes the package written in C, the man pages and a module for a simple systemd unit to run the VPN server. The package supports the following authentication methods for the server: * `plain` (mostly username/password) * `pam` The third method (`radius`) is currently not supported since `nixpkgs` misses a packaged client. The module can be used like this: ``` nix { services.ocserv = { enable = true; config = '' ... ''; }; } ``` The option `services.ocserv.config` is required on purpose to ensure that nobody just enables the service and experiences unexpected side-effects on the system. For a full reference, please refer to the man pages, the online docs or the example value. The docs recommend to simply use `nobody` as user, so no extra user has been added to the internal user list. Instead a configuration like this can be used: ``` run-as-user = nobody run-as-group = nogroup ``` /cc @tenten8401 Fixes #42594
100 lines
2.9 KiB
Nix
100 lines
2.9 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
cfg = config.services.ocserv;
|
|
|
|
in
|
|
|
|
{
|
|
options.services.ocserv = {
|
|
enable = mkEnableOption "ocserv";
|
|
|
|
config = mkOption {
|
|
type = types.lines;
|
|
|
|
description = ''
|
|
Configuration content to start an OCServ server.
|
|
|
|
For a full configuration reference,please refer to the online documentation
|
|
(https://ocserv.gitlab.io/www/manual.html), the openconnect
|
|
recipes (https://github.com/openconnect/recipes) or `man ocserv`.
|
|
'';
|
|
|
|
example = ''
|
|
# configuration examples from $out/doc without explanatory comments.
|
|
# for a full reference please look at the installed man pages.
|
|
auth = "plain[passwd=./sample.passwd]"
|
|
tcp-port = 443
|
|
udp-port = 443
|
|
run-as-user = nobody
|
|
run-as-group = nogroup
|
|
socket-file = /var/run/ocserv-socket
|
|
server-cert = certs/server-cert.pem
|
|
server-key = certs/server-key.pem
|
|
keepalive = 32400
|
|
dpd = 90
|
|
mobile-dpd = 1800
|
|
switch-to-tcp-timeout = 25
|
|
try-mtu-discovery = false
|
|
cert-user-oid = 0.9.2342.19200300.100.1.1
|
|
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
|
|
auth-timeout = 240
|
|
min-reauth-time = 300
|
|
max-ban-score = 80
|
|
ban-reset-time = 1200
|
|
cookie-timeout = 300
|
|
deny-roaming = false
|
|
rekey-time = 172800
|
|
rekey-method = ssl
|
|
use-occtl = true
|
|
pid-file = /var/run/ocserv.pid
|
|
device = vpns
|
|
predictable-ips = true
|
|
default-domain = example.com
|
|
ipv4-network = 192.168.1.0
|
|
ipv4-netmask = 255.255.255.0
|
|
dns = 192.168.1.2
|
|
ping-leases = false
|
|
route = 10.10.10.0/255.255.255.0
|
|
route = 192.168.0.0/255.255.0.0
|
|
no-route = 192.168.5.0/255.255.255.0
|
|
cisco-client-compat = true
|
|
dtls-legacy = true
|
|
|
|
[vhost:www.example.com]
|
|
auth = "certificate"
|
|
ca-cert = certs/ca.pem
|
|
server-cert = certs/server-cert-secp521r1.pem
|
|
server-key = cersts/certs/server-key-secp521r1.pem
|
|
ipv4-network = 192.168.2.0
|
|
ipv4-netmask = 255.255.255.0
|
|
cert-user-oid = 0.9.2342.19200300.100.1.1
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
environment.systemPackages = [ pkgs.ocserv ];
|
|
environment.etc."ocserv/ocserv.conf".text = cfg.config;
|
|
|
|
security.pam.services.ocserv = {};
|
|
|
|
systemd.services.ocserv = {
|
|
description = "OpenConnect SSL VPN server";
|
|
documentation = [ "man:ocserv(8)" ];
|
|
after = [ "dbus.service" "network-online.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
serviceConfig = {
|
|
PrivateTmp = true;
|
|
PIDFile = "/var/run/ocserv.pid";
|
|
ExecStart = "${pkgs.ocserv}/bin/ocserv --foreground --pid-file /var/run/ocesrv.pid --config /etc/ocserv/ocserv.conf";
|
|
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
|
};
|
|
};
|
|
};
|
|
}
|