dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #272895 from xanderio/wg-access-server-0.10.1

Browse Source 
wg-access-server: init at 0.12.1
This commit is contained in:
Sandro 2024-06-25 21:21:19 +02:00 committed by GitHub
commit 1813936aff
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 227 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/doc/manual/release-notes/rl-2411.section.md
View File

@ -21,6 +21,8 @@
- [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).
- [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a web ui for connecting devices. Available at [services.wg-access-server](#opt-services.wg-access-server.enable).
## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
- `transmission` package has been aliased with a `trace` warning to `transmission_3`. Since [Transmission 4 has been released last year](https://github.com/transmission/transmission/releases/tag/4.0.0), and Transmission 3 will eventually go away, it was decided perform this warning alias to make people aware of the new version. The `services.transmission.package` defaults to `transmission_3` as well because the upgrade can cause data loss in certain specific usage patterns (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). Please make sure to back up to your data directory per your usage:

1
nixos/modules/module-list.nix
View File

@ -1225,6 +1225,7 @@
./services/networking/vsftpd.nix
./services/networking/wasabibackend.nix
./services/networking/websockify.nix
./services/networking/wg-access-server.nix
./services/networking/wg-netmanager.nix
./services/networking/webhook.nix
./services/networking/wg-quick.nix

124
nixos/modules/services/networking/wg-access-server.nix Normal file
View File

@ -0,0 +1,124 @@
{ config, pkgs, lib, ... }:
let
inherit (lib) mkEnableOption mkPackageOption mkOption types;
cfg = config.services.wg-access-server;
settingsFormat = pkgs.formats.yaml { };
configFile = settingsFormat.generate "config.yaml" cfg.settings;
in
{
options.services.wg-access-server = {
enable = mkEnableOption "wg-access-server";
package = mkPackageOption pkgs "wg-access-server" { };
settings = mkOption {
type = lib.types.submodule {
freeformType = settingsFormat.type;
options = {
dns.enable = mkOption {
type = types.bool;
default = true;
description = ''
Enable/disable the embedded DNS proxy server.
This is enabled by default and allows VPN clients to avoid DNS leaks by sending all DNS requests to wg-access-server itself.
'';
};
storage = mkOption {
type = types.str;
default = "sqlite3://db.sqlite";
description = "A storage backend connection string. See [storage docs](https://www.freie-netze.org/wg-access-server/3-storage/)";
};
};
};
description = "See https://www.freie-netze.org/wg-access-server/2-configuration/ for possible options";
};
secretsFile = mkOption {
type = types.path;
description = ''
yaml file containing all secrets. this needs to be in the same structure as the configuration.
This must to contain the admin password and wireguard private key.
As well as the secrets for your auth backend.
Example:
```yaml
adminPassword: <admin password>
wireguard:
privateKey: <wireguard private key>
auth:
oidc:
clientSecret: <client secret>
```
'';
};
};
config = lib.mkIf cfg.enable {
assertions =
map
(attrPath:
{
assertion = !lib.hasAttrByPath attrPath config.services.wg-access-server.settings;
message = ''
{option}`services.wg-access-server.settings.${lib.concatStringsSep "." attrPath}` must definded
in {option}`services.wg-access-server.secretsFile`.
'';
})
[
[ "adminPassword" ]
[ "wireguard" "privateKey" ]
[ "auth" "sessionStore" ]
[ "auth" "oidc" "clientSecret" ]
[ "auth" "gitlab" "clientSecret" ]
];
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = "1";
"net.ipv6.conf.all.forwarding" = "1";
};
systemd.services.wg-access-server = {
description = "WG access server";
wantedBy = [ "multi-user.target" ];
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
script = ''
# merge secrets into main config
yq eval-all "select(fileIndex == 0) * select(fileIndex == 1)" ${configFile} $CREDENTIALS_DIRECTORY/SECRETS_FILE \
> "$STATE_DIRECTORY/config.yml"
${lib.getExe cfg.package} serve --config "$STATE_DIRECTORY/config.yml"
'';
path = with pkgs; [
iptables
# needed by startup script
yq-go
];
serviceConfig =
let
capabilities = [
"CAP_NET_ADMIN"
] ++ lib.optional cfg.settings.dns.enabled "CAP_NET_BIND_SERVICE";
in
{
WorkingDirectory = "/var/lib/wg-access-server";
StateDirectory = "wg-access-server";
LoadCredential = [
"SECRETS_FILE:${cfg.secretsFile}"
];
# Hardening
DynamicUser = true;
AmbientCapabilities = capabilities;
CapabilityBoundingSet = capabilities;
};
};
};
}

1
nixos/tests/all-tests.nix
View File

@ -1042,6 +1042,7 @@ in {
wiki-js = handleTest ./wiki-js.nix {};
wine = handleTest ./wine.nix {};
wireguard = handleTest ./wireguard {};
wg-access-server = handleTest ./wg-access-server.nix {};
without-nix = handleTest ./without-nix.nix {};
wmderland = handleTest ./wmderland.nix {};
workout-tracker = handleTest ./workout-tracker.nix {};

28
nixos/tests/wg-access-server.nix Normal file
View File

@ -0,0 +1,28 @@
import ./make-test-python.nix ({ pkgs, lib, kernelPackages ? null, ... }:
{
name = "wg-access-server";
meta = with pkgs.lib.maintainers; {
maintainers = [ xanderio ];
};
nodes = {
server = {
services.wg-access-server = {
enable = true;
settings = {
adminUsername = "admin";
};
secretsFile = (pkgs.writers.writeYAML "secrets.yaml" {
adminPassword = "hunter2";
});
};
};
};
testScript = ''
start_all()
server.wait_for_unit("wg-access-server.service")
'';
}
)

71
pkgs/by-name/wg/wg-access-server/package.nix Normal file
View File

@ -0,0 +1,71 @@
{ lib
, buildGoModule
, buildNpmPackage
, fetchFromGitHub
, makeWrapper
, iptables
, nixosTests
}:
buildGoModule rec {
pname = "wg-access-server";
version = "0.12.1";
src = fetchFromGitHub {
owner = "freifunkMUC";
repo = "wg-access-server";
rev = "v${version}";
hash = "sha256-AhFqEmHrx9MCdjnB/YA3qU7KsaMyLO+vo53VWUrcL8I=";
};
proxyVendor = true; # darwin/linux hash mismatch
vendorHash = "sha256-YwFq0KxUctU3ElZBo/b68pyp4lJnFGL9ClKIwUzdngM=";
CGO_ENABLED = 1;
ldflags = [ "-s" "-w" ];
nativeBuildInputs = [ makeWrapper ];
checkFlags = [ "-skip=TestDNSProxy_ServeDNS" ];
ui = buildNpmPackage {
inherit version src;
pname = "wg-access-server-ui";
npmDepsHash = "sha256-04AkSDSKsr20Jbx5BJy36f8kWNlzzplu/xnoDTkU8OQ=";
sourceRoot = "${src.name}/website";
installPhase = ''
mv build $out
'';
};
postPatch = ''
substituteInPlace internal/services/website_router.go \
--replace-fail 'website/build' "${ui}"
'';
preBuild = ''
VERSION=v${version} go generate buildinfo/buildinfo.go
'';
postInstall = ''
mkdir -p $out/
wrapProgram $out/bin/wg-access-server \
--prefix PATH : ${lib.makeBinPath [ iptables ]}
'';
passthru = {
tests = { inherit (nixosTests) wg-access-server; };
};
meta = with lib; {
description = "An all-in-one WireGuard VPN solution with a web ui for connecting devices";
homepage = "https://github.com/freifunkMUC/wg-access-server";
license = licenses.mit;
maintainers = with maintainers; [ xanderio ];
mainProgram = "wg-access-server";
};
}