{pkgs, options, ... }: let pkg = pkgs.vpn-ws; uid = "nginx"; gid = "nginx"; ip = "${pkgs.iproute}/bin/ip"; socket = "/run/vpn.sock"; htpasswd = (toString <secrets>) + "/vpn-ws-auth"; nginx-prepared-secrets = "/var/spool/nginx/vpn-ws-auth"; in { systemd.services.vpn-ws-auth-prepare = { wantedBy = [ "multi-user.target" ]; before = [ "nginx.service" ]; script = "install -m700 -o${uid} -g${gid} ${htpasswd} ${nginx-prepared-secrets}"; }; services.nginx.virtualHosts."euer.krebsco.de".locations."/vpn" = { extraConfig = '' auth_basic "please stand by..."; auth_basic_user_file ${nginx-prepared-secrets}; uwsgi_pass unix:${socket}; include ${pkgs.nginx}/conf/uwsgi_params; ''; }; networking.interfaces.vpnws = { virtual = true; virtualType = "tap"; }; systemd.services.vpnws = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { Restart = "always"; PrivateTmp = true; ExecStartPre = pkgs.writeDash "vpnws-pre" '' ${ip} link set vpnws up ${ip} addr add 10.244.1.1/24 dev vpnws || : ''; ExecStart = "${pkg}/bin/vpn-ws --uid ${uid} --gid ${gid} --tuntap vpnws ${socket}"; }; }; }