nixpkgs/nixos/modules/services/networking/ocserv.nix

{ config, pkgs, lib, ... }:

with lib;

let

  cfg = config.services.ocserv;

in

{
  options.services.ocserv = {
    enable = mkEnableOption "ocserv";

    config = mkOption {
      type = types.lines;

      description = ''
        Configuration content to start an OCServ server.

        For a full configuration reference,please refer to the online documentation
        (https://ocserv.gitlab.io/www/manual.html), the openconnect
        recipes (https://github.com/openconnect/recipes) or `man ocserv`.
      '';

      example = ''
        # configuration examples from $out/doc without explanatory comments.
        # for a full reference please look at the installed man pages.
        auth = "plain[passwd=./sample.passwd]"
        tcp-port = 443
        udp-port = 443
        run-as-user = nobody
        run-as-group = nogroup
        socket-file = /run/ocserv-socket
        server-cert = certs/server-cert.pem
        server-key = certs/server-key.pem
        keepalive = 32400
        dpd = 90
        mobile-dpd = 1800
        switch-to-tcp-timeout = 25
        try-mtu-discovery = false
        cert-user-oid = 0.9.2342.19200300.100.1.1
        tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
        auth-timeout = 240
        min-reauth-time = 300
        max-ban-score = 80
        ban-reset-time = 1200
        cookie-timeout = 300
        deny-roaming = false
        rekey-time = 172800
        rekey-method = ssl
        use-occtl = true
        pid-file = /run/ocserv.pid
        device = vpns
        predictable-ips = true
        default-domain = example.com
        ipv4-network = 192.168.1.0
        ipv4-netmask = 255.255.255.0
        dns = 192.168.1.2
        ping-leases = false
        route = 10.10.10.0/255.255.255.0
        route = 192.168.0.0/255.255.0.0
        no-route = 192.168.5.0/255.255.255.0
        cisco-client-compat = true
        dtls-legacy = true

        [vhost:www.example.com]
        auth = "certificate"
        ca-cert = certs/ca.pem
        server-cert = certs/server-cert-secp521r1.pem
        server-key = cersts/certs/server-key-secp521r1.pem
        ipv4-network = 192.168.2.0
        ipv4-netmask = 255.255.255.0
        cert-user-oid = 0.9.2342.19200300.100.1.1
      '';
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.ocserv ];
    environment.etc."ocserv/ocserv.conf".text = cfg.config;

    security.pam.services.ocserv = {};

    systemd.services.ocserv = {
      description = "OpenConnect SSL VPN server";
      documentation = [ "man:ocserv(8)" ];
      after = [ "dbus.service" "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        PrivateTmp = true;
        PIDFile = "/run/ocserv.pid";
        ExecStart = "${pkgs.ocserv}/bin/ocserv --foreground --pid-file /run/ocesrv.pid --config /etc/ocserv/ocserv.conf";
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
      };
    };
  };
}
ocserv: init at 0.12.1 (#42871) `ocserv` is a VPN server which follows the openconnect protocol (https://github.com/openconnect/protocol). The packaging is slightly inspired by the AUR version (https://aur.archlinux.org/packages/ocserv/). This patch initializes the package written in C, the man pages and a module for a simple systemd unit to run the VPN server. The package supports the following authentication methods for the server: * `plain` (mostly username/password) * `pam` The third method (`radius`) is currently not supported since `nixpkgs` misses a packaged client. The module can be used like this: ``` nix { services.ocserv = { enable = true; config = '' ... ''; }; } ``` The option `services.ocserv.config` is required on purpose to ensure that nobody just enables the service and experiences unexpected side-effects on the system. For a full reference, please refer to the man pages, the online docs or the example value. The docs recommend to simply use `nobody` as user, so no extra user has been added to the internal user list. Instead a configuration like this can be used: ``` run-as-user = nobody run-as-group = nogroup ``` /cc @tenten8401 Fixes #42594 2018-08-01 21:39:09 +02:00			`{ config, pkgs, lib, ... }:`

			`with lib;`

			`let`

			`cfg = config.services.ocserv;`

			`in`

			`{`
			`options.services.ocserv = {`
			`enable = mkEnableOption "ocserv";`

			`config = mkOption {`
			`type = types.lines;`

			`description = ''`
			`Configuration content to start an OCServ server.`

			`For a full configuration reference,please refer to the online documentation`
			`(https://ocserv.gitlab.io/www/manual.html), the openconnect`
			recipes (https://github.com/openconnect/recipes) or `man ocserv`.
			`'';`

			`example = ''`
			`# configuration examples from $out/doc without explanatory comments.`
			`# for a full reference please look at the installed man pages.`
			`auth = "plain[passwd=./sample.passwd]"`
			`tcp-port = 443`
			`udp-port = 443`
			`run-as-user = nobody`
			`run-as-group = nogroup`
nixos/ocserv: /var/run -> /run 2018-12-19 22:40:29 +01:00			`socket-file = /run/ocserv-socket`
ocserv: init at 0.12.1 (#42871) `ocserv` is a VPN server which follows the openconnect protocol (https://github.com/openconnect/protocol). The packaging is slightly inspired by the AUR version (https://aur.archlinux.org/packages/ocserv/). This patch initializes the package written in C, the man pages and a module for a simple systemd unit to run the VPN server. The package supports the following authentication methods for the server: * `plain` (mostly username/password) * `pam` The third method (`radius`) is currently not supported since `nixpkgs` misses a packaged client. The module can be used like this: ``` nix { services.ocserv = { enable = true; config = '' ... ''; }; } ``` The option `services.ocserv.config` is required on purpose to ensure that nobody just enables the service and experiences unexpected side-effects on the system. For a full reference, please refer to the man pages, the online docs or the example value. The docs recommend to simply use `nobody` as user, so no extra user has been added to the internal user list. Instead a configuration like this can be used: ``` run-as-user = nobody run-as-group = nogroup ``` /cc @tenten8401 Fixes #42594 2018-08-01 21:39:09 +02:00			`server-cert = certs/server-cert.pem`
			`server-key = certs/server-key.pem`
			`keepalive = 32400`
			`dpd = 90`
			`mobile-dpd = 1800`
			`switch-to-tcp-timeout = 25`
			`try-mtu-discovery = false`
			`cert-user-oid = 0.9.2342.19200300.100.1.1`
			`tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"`
			`auth-timeout = 240`
			`min-reauth-time = 300`
			`max-ban-score = 80`
			`ban-reset-time = 1200`
			`cookie-timeout = 300`
			`deny-roaming = false`
			`rekey-time = 172800`
			`rekey-method = ssl`
			`use-occtl = true`
nixos/ocserv: /var/run -> /run 2018-12-19 22:40:29 +01:00			`pid-file = /run/ocserv.pid`
ocserv: init at 0.12.1 (#42871) `ocserv` is a VPN server which follows the openconnect protocol (https://github.com/openconnect/protocol). The packaging is slightly inspired by the AUR version (https://aur.archlinux.org/packages/ocserv/). This patch initializes the package written in C, the man pages and a module for a simple systemd unit to run the VPN server. The package supports the following authentication methods for the server: * `plain` (mostly username/password) * `pam` The third method (`radius`) is currently not supported since `nixpkgs` misses a packaged client. The module can be used like this: ``` nix { services.ocserv = { enable = true; config = '' ... ''; }; } ``` The option `services.ocserv.config` is required on purpose to ensure that nobody just enables the service and experiences unexpected side-effects on the system. For a full reference, please refer to the man pages, the online docs or the example value. The docs recommend to simply use `nobody` as user, so no extra user has been added to the internal user list. Instead a configuration like this can be used: ``` run-as-user = nobody run-as-group = nogroup ``` /cc @tenten8401 Fixes #42594 2018-08-01 21:39:09 +02:00			`device = vpns`
			`predictable-ips = true`
			`default-domain = example.com`
			`ipv4-network = 192.168.1.0`
			`ipv4-netmask = 255.255.255.0`
			`dns = 192.168.1.2`
			`ping-leases = false`
			`route = 10.10.10.0/255.255.255.0`
			`route = 192.168.0.0/255.255.0.0`
			`no-route = 192.168.5.0/255.255.255.0`
			`cisco-client-compat = true`
			`dtls-legacy = true`

			`[vhost:www.example.com]`
			`auth = "certificate"`
			`ca-cert = certs/ca.pem`
			`server-cert = certs/server-cert-secp521r1.pem`
			`server-key = cersts/certs/server-key-secp521r1.pem`
			`ipv4-network = 192.168.2.0`
			`ipv4-netmask = 255.255.255.0`
			`cert-user-oid = 0.9.2342.19200300.100.1.1`
			`'';`
			`};`
			`};`

			`config = mkIf cfg.enable {`
			`environment.systemPackages = [ pkgs.ocserv ];`
			`environment.etc."ocserv/ocserv.conf".text = cfg.config;`

			`security.pam.services.ocserv = {};`

			`systemd.services.ocserv = {`
			`description = "OpenConnect SSL VPN server";`
			`documentation = [ "man:ocserv(8)" ];`
			`after = [ "dbus.service" "network-online.target" ];`
			`wantedBy = [ "multi-user.target" ];`

			`serviceConfig = {`
			`PrivateTmp = true;`
nixos/ocserv: /var/run -> /run 2018-12-19 22:40:29 +01:00			`PIDFile = "/run/ocserv.pid";`
			`ExecStart = "${pkgs.ocserv}/bin/ocserv --foreground --pid-file /run/ocesrv.pid --config /etc/ocserv/ocserv.conf";`
ocserv: init at 0.12.1 (#42871) `ocserv` is a VPN server which follows the openconnect protocol (https://github.com/openconnect/protocol). The packaging is slightly inspired by the AUR version (https://aur.archlinux.org/packages/ocserv/). This patch initializes the package written in C, the man pages and a module for a simple systemd unit to run the VPN server. The package supports the following authentication methods for the server: * `plain` (mostly username/password) * `pam` The third method (`radius`) is currently not supported since `nixpkgs` misses a packaged client. The module can be used like this: ``` nix { services.ocserv = { enable = true; config = '' ... ''; }; } ``` The option `services.ocserv.config` is required on purpose to ensure that nobody just enables the service and experiences unexpected side-effects on the system. For a full reference, please refer to the man pages, the online docs or the example value. The docs recommend to simply use `nobody` as user, so no extra user has been added to the internal user list. Instead a configuration like this can be used: ``` run-as-user = nobody run-as-group = nogroup ``` /cc @tenten8401 Fixes #42594 2018-08-01 21:39:09 +02:00			`ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";`
			`};`
			`};`
			`};`
			`}`