path: root/makefu/2configs/nginx/euer.blog.vpn.nix
blob: b3db0bc60f415c3046f9eb836b5ba5f6589a88fa (plain)
# NixOS module fragment: publishes a vpn-ws endpoint at /vpn on the
# "euer.krebsco.de" nginx virtual host, declares the tap interface "vpnws",
# and runs the vpn-ws daemon as a systemd service attached to that interface.
# nginx and the daemon talk over the unix socket /run/vpn.sock (uwsgi protocol).
{pkgs, options, ... }:
let
  pkg = pkgs.vpn-ws;
  # NOTE(review): uid and gid are bound here but not referenced anywhere in
  # this file, and the unit below sets no User/Group, so presumably the daemon
  # keeps running as root (systemd's default) — confirm. They look intended
  # for dropping privileges (vpn-ws is documented to take --uid/--gid; verify
  # against the packaged version) or for controlling who owns the socket.
  uid = "nginx";
  gid = "nginx";
  ip = "${pkgs.iproute}/bin/ip";
in {
  services.nginx.virtualHosts."euer.krebsco.de".locations."/vpn" = {
    # TODO client auth
    # NOTE(review): no authentication directive is set for this location, so
    # every client that can reach the virtual host can have its request handed
    # to the VPN daemon and thereby to the layer-2 tap segment. Until the TODO
    # is resolved, access should be restricted at nginx (for example
    # auth_basic in this location, or TLS client certificates on the server
    # block) unless the vhost is already restricted elsewhere — confirm.
    extraConfig = ''
      uwsgi_pass   unix:/run/vpn.sock;
      include      ${pkgs.nginx}/conf/uwsgi_params;
    '';
  };

  # Tap (layer-2) device declared through NixOS, so it exists independently of
  # the vpnws service, which only brings it up and assigns an address.
  networking.interfaces.vpnws = {
    virtual = true;
    virtualType = "tap";
  };
  systemd.services.vpnws = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      Restart = "always";
      # Gives the unit a private /tmp; the socket lives in /run and is not
      # affected by this setting.
      # NOTE(review): this is the only sandboxing option set. Since the daemon
      # is reachable from the web-facing nginx location above, consider
      # User/Group, NoNewPrivileges, CapabilityBoundingSet and ProtectSystem
      # once the required privileges are known.
      PrivateTmp = true;
      # Runs before the daemon: brings the tap link up and assigns
      # 10.244.1.1/24 to it. The trailing "|| :" discards the exit status of
      # "addr add", presumably so a restart does not fail when the address is
      # already present; it also hides every other failure of that command.
      ExecStartPre = pkgs.writeDash "vpnws-pre" ''
        ${ip} link set vpnws up
        ${ip} addr add 10.244.1.1/24 dev vpnws || :
      '';
      # Starts vpn-ws on the tap device, listening on the socket path that the
      # nginx location passes requests to; the two paths must stay in sync.
      # NOTE(review): check the ownership and mode of /run/vpn.sock after
      # start — only the nginx worker user should be able to connect to it.
      ExecStart = pkgs.writeDash "vpnws-start" ''
        ${pkg}/bin/vpn-ws --tuntap vpnws /run/vpn.sock
      '';
    };
  };
}