diff options
author | Sandro <sandro.jaeckel@gmail.com> | 2023-04-19 00:57:19 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-19 00:57:19 +0200 |
commit | ce4159b4cd37f189720c41abbd0624593c3c36a5 (patch) | |
tree | c0737135cb99bc0ea721bc99ccf9684c176e9396 /nixos | |
parent | e0ac8942bda5df1ccfbec8acaa581d230a42aee0 (diff) | |
parent | 706060e47d0808244bd33a27287cc53e21318666 (diff) |
Merge pull request #226514 from AtaraxiaSjel/update/ivpn
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2305.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/ivpn.nix | 51 |
3 files changed, 54 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index 9f54ff6ab1810..6b01475718477 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -117,6 +117,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [hardware.ipu6](#opt-hardware.ipu6.enable) adds support for ipu6 based webcams on intel tiger lake and alder lake. +- [ivpn](https://www.ivpn.net/), a secure, private VPN with fast WireGuard connections. Available as [services.ivpn](#opt-services.ivpn.enable). + ## Backward Incompatibilities {#sec-release-23.05-incompatibilities} <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index c1dbb30679e45..b6ac23c10d06b 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -885,6 +885,7 @@ ./services/networking/iscsi/initiator.nix ./services/networking/iscsi/root-initiator.nix ./services/networking/iscsi/target.nix + ./services/networking/ivpn.nix ./services/networking/iwd.nix ./services/networking/jibri/default.nix ./services/networking/jicofo.nix diff --git a/nixos/modules/services/networking/ivpn.nix b/nixos/modules/services/networking/ivpn.nix new file mode 100644 index 0000000000000..6df630c1f1947 --- /dev/null +++ b/nixos/modules/services/networking/ivpn.nix @@ -0,0 +1,51 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.services.ivpn; +in +with lib; +{ + options.services.ivpn = { + enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + This option enables iVPN daemon. + This sets {option}`networking.firewall.checkReversePath` to "loose", which might be undesirable for security. + ''; + }; + }; + + config = mkIf cfg.enable { + boot.kernelModules = [ "tun" ]; + + environment.systemPackages = with pkgs; [ ivpn ivpn-service ]; + + # iVPN writes to /etc/iproute2/rt_tables + networking.iproute2.enable = true; + networking.firewall.checkReversePath = "loose"; + + systemd.services.ivpn-service = { + description = "iVPN daemon"; + wantedBy = [ "multi-user.target" ]; + wants = [ "network.target" ]; + after = [ + "network-online.target" + "NetworkManager.service" + "systemd-resolved.service" + ]; + path = [ + # Needed for mount + "/run/wrappers" + ]; + startLimitBurst = 5; + startLimitIntervalSec = 20; + serviceConfig = { + ExecStart = "${pkgs.ivpn-service}/bin/ivpn-service --logging"; + Restart = "always"; + RestartSec = 1; + }; + }; + }; + + meta.maintainers = with maintainers; [ ataraxiasjel ]; +} |