nixpkgs/nixos/modules/services/networking/ocserv.nix
Maximilian Bosch cd5e01edd9 ocserv: init at 0.12.1 (#42871)
`ocserv` is a VPN server which follows the openconnect protocol
(https://github.com/openconnect/protocol). The packaging is slightly
inspired by the AUR version
(https://aur.archlinux.org/packages/ocserv/).

This patch initializes the package written in C, the man pages and a
module for a simple systemd unit to run the VPN server. The package
supports the following authentication methods for the server:

* `plain` (mostly username/password)
* `pam`

The third method (`radius`) is currently not supported since `nixpkgs`
misses a packaged client.

The module can be used like this:

``` nix
{
  services.ocserv = {
    enable = true;
    config = ''
      ...
    '';
  };
}
```

The option `services.ocserv.config` is required on purpose to
ensure that nobody just enables the service and experiences unexpected
side-effects on the system. For a full reference, please refer to the
man pages, the online docs or the example value.

The docs recommend to simply use `nobody` as user, so no extra user has
been added to the internal user list. Instead a configuration like
this can be used:

```
run-as-user = nobody
run-as-group = nogroup
```

/cc @tenten8401
Fixes #42594
2018-08-01 21:39:09 +02:00

99 lines
2.9 KiB
Nix

{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.ocserv;
in
{
options.services.ocserv = {
enable = mkEnableOption "ocserv";
config = mkOption {
type = types.lines;
description = ''
Configuration content to start an OCServ server.
For a full configuration reference,please refer to the online documentation
(https://ocserv.gitlab.io/www/manual.html), the openconnect
recipes (https://github.com/openconnect/recipes) or `man ocserv`.
'';
example = ''
# configuration examples from $out/doc without explanatory comments.
# for a full reference please look at the installed man pages.
auth = "plain[passwd=./sample.passwd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = nogroup
socket-file = /var/run/ocserv-socket
server-cert = certs/server-cert.pem
server-key = certs/server-key.pem
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
dns = 192.168.1.2
ping-leases = false
route = 10.10.10.0/255.255.255.0
route = 192.168.0.0/255.255.0.0
no-route = 192.168.5.0/255.255.255.0
cisco-client-compat = true
dtls-legacy = true
[vhost:www.example.com]
auth = "certificate"
ca-cert = certs/ca.pem
server-cert = certs/server-cert-secp521r1.pem
server-key = cersts/certs/server-key-secp521r1.pem
ipv4-network = 192.168.2.0
ipv4-netmask = 255.255.255.0
cert-user-oid = 0.9.2342.19200300.100.1.1
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.ocserv ];
environment.etc."ocserv/ocserv.conf".text = cfg.config;
security.pam.services.ocserv = {};
systemd.services.ocserv = {
description = "OpenConnect SSL VPN server";
documentation = [ "man:ocserv(8)" ];
after = [ "dbus.service" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
PrivateTmp = true;
PIDFile = "/var/run/ocserv.pid";
ExecStart = "${pkgs.ocserv}/bin/ocserv --foreground --pid-file /var/run/ocesrv.pid --config /etc/ocserv/ocserv.conf";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
};
};
};
}