ocserv: init at 0.12.1 (#42871)
`ocserv` is a VPN server which follows the openconnect protocol (https://github.com/openconnect/protocol). The packaging is slightly inspired by the AUR version (https://aur.archlinux.org/packages/ocserv/). This patch initializes the package written in C, the man pages and a module for a simple systemd unit to run the VPN server. The package supports the following authentication methods for the server: * `plain` (mostly username/password) * `pam` The third method (`radius`) is currently not supported since `nixpkgs` misses a packaged client. The module can be used like this: ``` nix { services.ocserv = { enable = true; config = '' ... ''; }; } ``` The option `services.ocserv.config` is required on purpose to ensure that nobody just enables the service and experiences unexpected side-effects on the system. For a full reference, please refer to the man pages, the online docs or the example value. The docs recommend to simply use `nobody` as user, so no extra user has been added to the internal user list. Instead a configuration like this can be used: ``` run-as-user = nobody run-as-group = nogroup ``` /cc @tenten8401 Fixes #42594wip/yesman
parent
e4ca48c224
commit
cd5e01edd9
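--- /dev/null
+++ b/PLACEHOLDER_PATH/ocserv-module.nix
@@ -0,0 +1,99 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+
+cfg = config.services.ocserv;
+
+in
+
+{
+options.services.ocserv = {
+enable = mkEnableOption "ocserv";
+
+config = mkOption {
+type = types.lines;
+
+description = ''
+Configuration content to start an OCServ server.
+
+For a full configuration reference,please refer to the online documentation
+(https://ocserv.gitlab.io/www/manual.html), the openconnect
+recipes (https://github.com/openconnect/recipes) or `man ocserv`.
+'';
+
+example = ''
+# configuration examples from $out/doc without explanatory comments.
+# for a full reference please look at the installed man pages.
+auth = "plain[passwd=./sample.passwd]"
+tcp-port = 443
+udp-port = 443
+run-as-user = nobody
+run-as-group = nogroup
+socket-file = /var/run/ocserv-socket
+server-cert = certs/server-cert.pem
+server-key = certs/server-key.pem
+keepalive = 32400
+dpd = 90
+mobile-dpd = 1800
+switch-to-tcp-timeout = 25
+try-mtu-discovery = false
+cert-user-oid = 0.9.2342.19200300.100.1.1
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
+auth-timeout = 240
+min-reauth-time = 300
+max-ban-score = 80
+ban-reset-time = 1200
+cookie-timeout = 300
+deny-roaming = false
+rekey-time = 172800
+rekey-method = ssl
+use-occtl = true
+pid-file = /var/run/ocserv.pid
+device = vpns
+predictable-ips = true
+default-domain = example.com
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+dns = 192.168.1.2
+ping-leases = false
+route = 10.10.10.0/255.255.255.0
+route = 192.168.0.0/255.255.0.0
+no-route = 192.168.5.0/255.255.255.0
+cisco-client-compat = true
+dtls-legacy = true
+
+[vhost:www.example.com]
+auth = "certificate"
+ca-cert = certs/ca.pem
+server-cert = certs/server-cert-secp521r1.pem
+server-key = cersts/certs/server-key-secp521r1.pem
+ipv4-network = 192.168.2.0
+ipv4-netmask = 255.255.255.0
+cert-user-oid = 0.9.2342.19200300.100.1.1
+'';
+};
+};
+
+config = mkIf cfg.enable {
+environment.systemPackages = [ pkgs.ocserv ];
+environment.etc."ocserv/ocserv.conf".text = cfg.config;
+
+security.pam.services.ocserv = {};
+
+systemd.services.ocserv = {
+description = "OpenConnect SSL VPN server";
+documentation = [ "man:ocserv(8)" ];
+after = [ "dbus.service" "network-online.target" ];
+wantedBy = [ "multi-user.target" ];
+
+serviceConfig = {
+PrivateTmp = true;
+PIDFile = "/var/run/ocserv.pid";
+ExecStart = "${pkgs.ocserv}/bin/ocserv --foreground --pid-file /var/run/ocesrv.pid --config /etc/ocserv/ocserv.conf";
+ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+};
+};
+};
+}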
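Review bot: The ExecStart line passes `--pid-file /var/run/ocesrv.pid` while the PIDFile line directly above it names `/var/run/ocserv.pid`, so the daemon writes a pid file systemd never reads; the unit then relies on whatever main-PID tracking it gets from `--foreground`, and the stale path will confuse anyone debugging `ExecReload`. Change it to `ExecStart = "${pkgs.ocserv}/bin/ocserv --foreground --pid-file /var/run/ocserv.pid --config /etc/ocserv/ocserv.conf";`. The `config` option description should also warn that `environment.etc."ocserv/ocserv.conf".text = cfg.config` renders the whole value into the world-readable Nix store, so private keys and any password material must be referenced by path rather than written inline — something like `Secrets must not be placed inline; the content of this option ends up in the world-readable Nix store, so reference key and password files by path.` The vhost example carries a typo in its key path, `server-key = cersts/certs/server-key-secp521r1.pem`, which should read `server-key = certs/server-key-secp521r1.pem`, and the description text is missing a space after the comma in `reference,please`.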
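--- /dev/null
+++ b/PLACEHOLDER_PATH/ocserv-package.nix
@@ -0,0 +1,26 @@
+{ stdenv, fetchFromGitLab, autoreconfHook, pkgconfig, nettle, gnutls
+, libev, protobufc, guile, geoip, libseccomp, gperf, readline
+, lz4, libgssglue, ronn, coreutils, pam
+}:
+
+stdenv.mkDerivation rec {
+name = "ocserv-${version}";
+version = "0.12.1";
+
+src = fetchFromGitLab {
+owner = "openconnect";
+repo = "ocserv";
+rev = "ocserv_${stdenv.lib.replaceStrings [ "." ] [ "_" ] version}";
+sha256 = "0jn91a50r3ryj1ph9fzxwy2va877b0b37ahargxzn7biccd8nh0y";
+};
+
+nativeBuildInputs = [ autoreconfHook pkgconfig ];
+buildInputs = [ nettle gnutls libev protobufc guile geoip libseccomp gperf readline lz4 libgssglue ronn pam ];
+
+meta = with stdenv.lib; {
+homepage = https://gitlab.com/openconnect/ocserv;
+license = licenses.gpl2;
+description = "This program is openconnect VPN server (ocserv), a server for the openconnect VPN client.";
+maintainers = with maintainers; [ ma27 ];
+};
+}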
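Review bot: `coreutils` is accepted in the argument set on the third line of the file but is never referenced in the derivation body, so it should be dropped from the inputs unless a later change needs it. The `description` in `meta` is a full sentence with a trailing period; nixpkgs meta descriptions are short noun phrases, and matching the module's unit description would give `description = "OpenConnect SSL VPN server";`. `homepage` uses the bare-URL literal syntax, which is deprecated in favour of a quoted string, `homepage = "https://gitlab.com/openconnect/ocserv";`. A one-line comment above `buildInputs` noting that `pam` is what enables the PAM authentication backend described in the commit message, and that `libseccomp` is what lets ocserv sandbox its worker processes, would make the dependency list easier to audit when inputs are trimmed later.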